bug test case: eth:0x000000000090d2b159528c290616CF919B24e1d9

Question

bug test case: eth:0x000000000090d2b159528c290616CF919B24e1d9

shazow opened this issue 5 months ago · comments

Failing to capture selector: '0xfd9f1e10': 'cancel((address,address,(uint8,address,uint256,uint256,uint256)[],(uint8,address,uint256,uint256,uint256,address)[],uint8,uint256,uint256,bytes32,uint256,bytes32,uint256)[])',

Andrey Petrov · Answer 1 · Mon Feb 05 2024 05:16:50 GMT+0800 (China Standard Time)

Trying to figure this one out... There's a SUB instruction I'm not sure what it does, breaking our heuristic.

    93	0x00b9	DUP1	
    94	0x00ba	PUSH4	0xf47b7740
    95	0x00bf	EQ	
    96	0x00c0	PUSH2	0x00ee
    97	0x00c3	JUMPI	
    98	0x00c4	DUP1	
    99	0x00c5	PUSH4	0xfb0f3ee1
   100	0x00ca	EQ	
   101	0x00cb	PUSH2	0x00e5
   102	0x00ce	JUMPI	             <--- Normal jump table until here
   103	0x00cf	PUSH4	0xfd9f1e10   <--- Selector in quesiton
   104	0x00d4	SUB	             <--- Weird SUB, not sure what it does?
   105	0x00d5	PUSH2	0x000e
   106	0x00d8	JUMPI	
   107	0x00d9	PUSH2	0x00e0
   108	0x00dc	PUSH2	0x1040
   109	0x00df	JUMP

Andrey Petrov · Answer 2 · Mon Feb 05 2024 05:28:00 GMT+0800 (China Standard Time)

Ah I guess it's doing SUB(0xfd9f1e10, 0xfd9f1e10) -> 0 rather than EQ to invert the outcome.