Fix callee onchain balance

[Raz0r]

Hello, this pull request fixes a problem with initial balance when making a call.

self.next_slot will contain the actual balance of the receiver address only if there was a prior execution of the BALANCE opcode. In the call() handler the balance of the never seen receiver address is not initialized (self.next_slot is 0). In this patch if the address' balance was never queried we obtain the balance using Onchain middleware. This fixed a reentrancy test case for me. Not sure if this way of calling the middleware is elegant enough though.

[fuzzland-bot]

Found: 17

Project Name	Vulnerability Found	Time Taken	Log
BIGFI_exp.txt	✅ Price Manipulation	0h-1m-22s	Log File
Shadowfi_exp.txt	❌	-1	Log File
SEAMAN_exp.txt	✅ Fund Loss	0h-2m-28s	Log File
BEGO_exp.txt	✅ Fund Loss	0h-0m-27s	Log File
cftoken_exp.txt	✅ Fund Loss	0h-0m-50s	Log File
Carrot_exp.txt	✅ Arbitrary Call	0h-0m-26s	Log File
MBC_ZZSH_exp.txt	❌‼️ Crashed	-1	Log File
AUR_exp.txt	❌	-1	Log File
SellToken_exp.txt	✅ Fund Loss	0h-0m-27s	Log File
ROI_exp.txt	✅ Fund Loss	0h-0m-26s	Log File
GPT_exp.txt	❌	-1	Log File
OLIFE_exp.txt	❌	-1	Log File
THB_exp.txt	❌	-1	Log File
VerilogCTF.txt	❌‼️ Crashed	-1	Log File
CS_exp.txt	✅ Price Manipulation	0h-1m-43s	Log File
MintoFinance_exp.txt	✅ Fund Loss	0h-1m-14s	Log File
Novo_exp.txt	❌	-1	Log File
SELLC03_exp.txt	❌‼️ Crashed	-1	Log File
Yyds_exp.txt	✅ Fund Loss	0h-1m-29s	Log File
DYNA_exp.txt	❌	-1	Log File
EAC_exp.txt	✅ Fund Loss	0h-2m-17s	Log File
Annex_exp.txt	❌	-1	Log File
PLTD_exp.txt	✅ Price Manipulation	0h-2m-14s	Log File
ApeDAO_exp.txt	✅ Price Manipulation	0h-0m-32s	Log File
GSS_exp.txt	✅ Fund Loss	0h-2m-7s	Log File
Axioma_exp.txt	✅ Fund Loss	0h-1m-2s	Log File
RFB_exp.txt	✅ Fund Loss	0h-2m-39s	Log File
HEALTH_exp.txt	✅ Price Manipulation	0h-0m-15s	Log File

[Raz0r]

Found out that this is not a good solution, since middleware is cloned meaning balance cache is not preserved. Will think how to use the same instance of middleware.

[Raz0r]

Did more debugging, the balance for the call target is actually fetched in src/evm/onchain/mod.rs when handling CALL opcode. The issue is that the onchain balance is fetched for the caller, instead of the callee. There is even a hint:

// Get balance of the callee

Now the issue should be fixed.

[fuzzland-bot]

Found: 11

Project Name	Vulnerability Found	Time Taken	Log
BIGFI_exp.txt	❌‼️ Crashed	-1	Log File
Shadowfi_exp.txt	❌	-1	Log File
SEAMAN_exp.txt	✅ Fund Loss	0h-2m-2s	Log File
BEGO_exp.txt	✅ Fund Loss	0h-1m-12s	Log File
cftoken_exp.txt	✅ Price Manipulation	0h-1m-4s	Log File
Carrot_exp.txt	✅ Arbitrary Call	0h-0m-57s	Log File
MBC_ZZSH_exp.txt	❌	-1	Log File
AUR_exp.txt	❌‼️ Crashed	-1	Log File
SellToken_exp.txt	❌‼️ Crashed	-1	Log File
ROI_exp.txt	✅ Fund Loss	0h-0m-52s	Log File
GPT_exp.txt	❌‼️ Crashed	-1	Log File
OLIFE_exp.txt	❌	-1	Log File
THB_exp.txt	❌	-1	Log File
VerilogCTF.txt	❌‼️ Crashed	-1	Log File
CS_exp.txt	✅ Price Manipulation	0h-2m-5s	Log File
MintoFinance_exp.txt	❌‼️ Crashed	-1	Log File
Novo_exp.txt	✅ Price Manipulation	0h-4m-18s	Log File
SELLC03_exp.txt	❌‼️ Crashed	-1	Log File
Yyds_exp.txt	✅ Fund Loss	0h-4m-55s	Log File
DYNA_exp.txt	❌	-1	Log File
EAC_exp.txt	✅ Fund Loss	0h-4m-8s	Log File
Annex_exp.txt	❌	-1	Log File
PLTD_exp.txt	❌‼️ Crashed	-1	Log File
ApeDAO_exp.txt	❌‼️ Crashed	-1	Log File
GSS_exp.txt	✅ Fund Loss	0h-4m-53s	Log File
Axioma_exp.txt	✅ Fund Loss	0h-2m-41s	Log File
RFB_exp.txt	❌‼️ Crashed	-1	Log File
HEALTH_exp.txt	❌‼️ Crashed	-1	Log File

[fuzzland-bot]

Found: 3

Project Name	Vulnerability Found	Time Taken	Log
BIGFI_exp.txt	❌‼️ Crashed	-1	Log File
Shadowfi_exp.txt	❌	-1	Log File
SEAMAN_exp.txt	❌‼️ Crashed	-1	Log File
BEGO_exp.txt	✅ Fund Loss	0h-1m-6s	Log File
cftoken_exp.txt	❌‼️ Crashed	-1	Log File
Carrot_exp.txt	❌‼️ Crashed	-1	Log File
MBC_ZZSH_exp.txt	❌‼️ Crashed	-1	Log File
AUR_exp.txt	❌	-1	Log File
SellToken_exp.txt	❌‼️ Crashed	-1	Log File
ROI_exp.txt	✅ Fund Loss	0h-1m-14s	Log File
GPT_exp.txt	❌‼️ Crashed	-1	Log File
OLIFE_exp.txt	❌	-1	Log File
THB_exp.txt	❌‼️ Crashed	-1	Log File
VerilogCTF.txt	❌‼️ Crashed	-1	Log File
CS_exp.txt	❌‼️ Crashed	-1	Log File
MintoFinance_exp.txt	❌‼️ Crashed	-1	Log File
Novo_exp.txt	❌‼️ Crashed	-1	Log File
SELLC03_exp.txt	❌‼️ Crashed	-1	Log File
Yyds_exp.txt	❌‼️ Crashed	-1	Log File
DYNA_exp.txt	❌	-1	Log File
EAC_exp.txt	❌‼️ Crashed	-1	Log File
Annex_exp.txt	❌‼️ Crashed	-1	Log File
PLTD_exp.txt	❌‼️ Crashed	-1	Log File
ApeDAO_exp.txt	❌‼️ Crashed	-1	Log File
GSS_exp.txt	❌‼️ Crashed	-1	Log File
Axioma_exp.txt	❌‼️ Crashed	-1	Log File
RFB_exp.txt	❌‼️ Crashed	-1	Log File
HEALTH_exp.txt	✅ Price Manipulation	0h-0m-29s	Log File