An integer overflow vulnerability in the Move language's reference safety module threatens code security.

The Move language's reference safety module has an integer overflow vulnerability

Recently, a serious integer overflow vulnerability has been discovered in the reference safety module of the Move language. This vulnerability could lead to denial of service attacks and poses a potential threat to the security of the Move language.

The Move language performs code verification before executing bytecode, which is divided into multiple steps. This vulnerability occurs in the reference_safety step, which is responsible for verifying the safety of references, including checking for dangling references and whether mutable reference access is safe.

Numen Cyber exclusively discovered another critical vulnerability in the move language

The root cause is an integer overflow in the reference safety module. When the sum of the number of function parameters and local variables exceeds 256, using the u8 type to iterate over local variables can cause an integer overflow. This overflow may be exploited to bypass security checks, ultimately resulting in a denial of service attack.

Specifically, the vulnerability exploitation process is as follows:

  1. Construct a Move code block that contains a loop, so that the block is executed multiple times.

  2. Set a large number of function parameters and local variables, making their total exceed 256.

  3. During the first execution, due to the integer overflow, the length of the new locals map becomes a very small value.

  4. During subsequent execution, an attempt to access a non-existent local variable index causes a panic and crashes the program.
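
The arithmetic behind steps 3 and 4, shown beside a hardened form, as an added example that is not code from the Move project or from Numen Cyber. It is a constructed model in Rust (the language the Move verifier is written in); `LocalsMap`, the function names and the sample counts 200 and 64 are hypothetical.

```rust
use std::collections::BTreeMap;

/// Constructed model of a verifier state's locals map, keyed by a u8 index.
/// All names are hypothetical and are not taken from the Move code base.
type LocalsMap = BTreeMap<u8, &'static str>;

/// Flawed pattern: the parameter + local count is narrowed to u8 with `as`,
/// which silently wraps modulo 256 instead of failing.
fn build_locals_truncating(params: usize, locals: usize) -> LocalsMap {
    let n = (params + locals) as u8; // 200 + 64 = 264 wraps to 8
    (0..n).map(|i| (i, "tracked")).collect()
}

/// Hardened pattern: reject any function whose count does not fit in u8,
/// so the map can never be shorter than the indices the bytecode may use.
fn build_locals_checked(params: usize, locals: usize) -> Result<LocalsMap, String> {
    let total = params.checked_add(locals).ok_or("count overflows usize")?;
    let n = u8::try_from(total)
        .map_err(|_| format!("{} locals exceed the u8 index range", total))?;
    Ok((0..n).map(|i| (i, "tracked")).collect())
}

/// Lookup that reports a missing index as an error instead of panicking.
fn lookup(map: &LocalsMap, idx: u8) -> Result<&'static str, String> {
    map.get(&idx)
        .copied()
        .ok_or_else(|| format!("local {} is not in the map", idx))
}

fn main() {
    let (params, locals) = (200, 64); // constructed sample: 264 in total
    let small = build_locals_truncating(params, locals);
    println!("truncating build tracks {} of {} locals", small.len(), params + locals);
    println!("lookup of local 100: {:?}", lookup(&small, 100));
    println!("checked build: {:?}", build_locals_checked(params, locals).map(|m| m.len()));
}
```

An unchecked lookup (`map.get(&idx).unwrap()`) on the truncated map is where the panic in step 4 would occur; the checked build refuses the input before any map exists.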

This vulnerability shows that even languages like Move, which prioritize security, can contain overlooked security risks. It is a reminder of the importance of code auditing and of the need for more comprehensive security considerations in language design.

For users and developers of the Move language, it is recommended to closely monitor official security updates. At the same time, when writing Move code, pay attention to controlling the number of function parameters and local variables to avoid triggering such boundary situations.

From a more macro perspective, this vulnerability also reflects that relying solely on static verification may be insufficient to ensure complete security. In the future, the Move language may need to incorporate more dynamic checks at runtime to prevent similar security issues.

Overall, the discovery of this vulnerability once again proves the importance of ongoing security research in enhancing the safety of blockchain technology. As the application of the Move language continues to expand in the Web3 space, we look forward to seeing more security improvements introduced to build a more robust and reliable smart contract ecosystem.

FUDwatchervip
· 07-11 15:51
I was still talking about the losses from the overflow last week.
PriceOracleFairyvip
· 07-10 20:42
omg move getting rekt by basic u8 overflow... how did auditors miss this smh
ImpermanentLossEnjoyervip
· 07-08 18:08
move this also crashed, right?
FastLeavervip
· 07-08 18:00
To be honest, move has gone G this time.
UnluckyLemurvip
· 07-08 17:59
move this is really unbearable ah
HackerWhoCaresvip
· 07-08 17:58
Too weak 8, can even overflow.
TerraNeverForgetvip
· 07-08 17:58
Sigh, move also crashed.
AirdropHunter420vip
· 07-08 17:57
Another 0day has been released.
Ser_Liquidatedvip
· 07-08 17:50
This is a zero-day vulnerability.