What about the UUPS pattern, is it immune to this kind of exploit?
Thanks
Hey @tinchoabbate, thanks for a great article!
It seems that it's not possible to reproduce the exploit with the current compiler (0.8.14) and the given parameter values, as there is some type checking going on under the hood.
When calling abi.encodeWithSignature("burn(uint256)", 1) to burn 1 token (no decimals), we get the following calldata: 0x42966c680000000000000000000000000000000000000000000000000000000000000001
It's being "intercepted" by collate_propagate_storage(bytes16), which checks that the parameter is a bytes16 by performing the AND opcode on
0x0000000000000000000000000000000000000000000000000000000000000001
0xffffffffffffffffffffffffffffffff00000000000000000000000000000000
and checking whether the result is equal to the initial value:
0x0000000000000000000000000000000000000000000000000000000000000000
0x0000000000000000000000000000000000000000000000000000000000000001
which it is not.
The writeups are awesome and informative! Thanks!