FINDING-001
CRITICAL (CVSS 10.0)
Firedancer VM Sandbox Escape
DeFi Category
MEMORY_SAFETY
Verified Payout
$1,000,000+
Mechanism
fd_ulong_sat_sub(offset, vaddr_offset) when offset < vaddr_offset → returns 0 → bounds check bypass → offset - vaddr_offset unsigned underflow → write BEFORE account buffer
Impact
Attacker overwrites lamports/owner fields → Loss of Funds + Consensus Divergence
Solution / Code
fd_ulong_sat_sub(offset, vaddr_offset) when offset < vaddr_offset → returns 0 → bounds check bypass → offset underflow → write BEFORE account buffer.