Solidity Security Vulnerabilities: Short Address/Parameter Attack

Prior to Solidity v0.5.0, Smart Contracts suffered from vulnerability resulting from attacker using a shorter than required address as function parameter. The vulnerability resulted from EVM’s tendency to append zero’s at the end of calldata in case a parameter(in this case, an address) was shorter in length than it is by definition.

Looking at example presented at:

Consider the transfer() of an ERC20 contract: function transfer(address to, uint tokens) public returns (bool success);

Suppose the attacker passes an address that is only 19 Bytes long. So the EVM would append extra an 00 at the end of calldata to preserve the size of calldata:

Calldata with a 20 Byte address::

Calldata with a 19 Byte address:

Note the 20 Byte address 000000000000000000000000deaddeaddeaddeaddeaddeaddeaddeaddeaddead is longer than the 19 Byte address 000000000000000000000000deaddeaddeaddeaddeaddeaddeaddeaddeadde. Also the last parameter (uint tokens) has changed from 0000000000000000000000000000000000000000000000056bc75e2d63100000 (100 tokens) to 00000000000000000000000000000000000000000000056bc75e2d6310000000 (25600 tokens)

However, with Solidity version >= 0.5.0, the transaction would simply revert if a parameter is shorter than expected: