crytic
diff --git a/‎.github/workflows/echidna.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/echidna.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎SUMMARY.md‎
Lines changed: 2 additions & 0 deletions b/‎SUMMARY.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎learn_evm/arithmetic-checks.md‎
Lines changed: 40 additions & 43 deletions b/‎learn_evm/arithmetic-checks.md‎
Lines changed: 40 additions & 43 deletions
diff --git a/‎not-so-smart-contracts/algorand/README.md‎
Lines changed: 13 additions & 11 deletions b/‎not-so-smart-contracts/algorand/README.md‎
Lines changed: 13 additions & 11 deletions
diff --git a/‎not-so-smart-contracts/algorand/clear_state_transaction_check/README.md‎
Lines changed: 40 additions & 0 deletions b/‎not-so-smart-contracts/algorand/clear_state_transaction_check/README.md‎
Lines changed: 40 additions & 0 deletions
@@ -167,7 +167,7 @@ jobs:
           contract: ${{ matrix.contract }}
           config: ${{ matrix.config }}
           output-file: ${{ matrix.files }}.out
-          solc-version: ${{ matrix.solc-version || '0.5.11' }}
+          solc-version: ${{ matrix.solc-version || '0.8.0' }}
           echidna-workdir: ${{ matrix.workdir }}
           echidna-version: edge
           crytic-args: ${{ matrix.crytic-args || '' }}
 
@@ -27,6 +27,8 @@
     - [Access Controls](./not-so-smart-contracts/algorand/access_controls/README.md)
     - [Asset Id Check](./not-so-smart-contracts/algorand/asset_id_check/README.md)
     - [Denial of Service](./not-so-smart-contracts/algorand/denial_of_service/README.md)
+    - [Inner Transaction Fee](./not-so-smart-contracts/algorand/inner_transaction_fee/README.md)
+    - [Clear State Transaction Check](./not-so-smart-contracts/algorand/clear_state_transaction_check/README.md)
   - [Cairo](./not-so-smart-contracts/cairo/README.md)
     - [Improper access controls](./not-so-smart-contracts/cairo/access_controls/README.md)
     - [Integer division errors](./not-so-smart-contracts/cairo/integer_division/README.md)
 
@@ -7,7 +7,7 @@ these features are absent in the EVM.
 Consequently, these safeguards must be incorporated within the machine's constraints.
 
 Starting with Solidity version 0.8.0 the compiler automatically includes over and underflow protection in all arithmetic operations.
-Prior to version 0.8.0, developers were required to implement these checks manually, often using a library known as [SafeMath](https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/math/SafeMath.sol), originally developed by OpenZeppelin.
+Prior to version 0.8.0, developers were required to implement these checks manually, often using a library known as [SafeMath](https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v4.9.2/contracts/utils/math/SafeMath.sol), originally developed by OpenZeppelin.
 The compiler incorporates arithmetic checks in a manner similar to SafeMath, through additional operations.
 
 As the Solidity language has evolved, the compiler has generated increasingly optimized code for arithmetic checks. This trend is also observed in smart contract development in general, where highly optimized arithmetic code written in low-level assembly is becoming more common. However, there is still a lack of comprehensive resources explaining the nuances of how the EVM handles arithmetic for signed and unsigned integers of 256 bits and less.
@@ -154,25 +154,25 @@ The first bit of an integer represents the sign, with `0` indicating a positive
 For positive integers (those with a sign bit of `0`), their binary representation is the same as their unsigned bit representation.
 However, the negative domain is shifted to lie "above" the positive domain.
 
-$$uint256 \text{ domain}$$
+$$\text{uint256 domain}$$
 
 $$
-├\underset{0}{─}────────────────────────────\underset{\hskip -2em 2^{256} - 1}{─}┤
+├\underset{\hskip -0.5em 0}{─}────────────────────────────\underset{\hskip -3em 2^{256} - 1}{─}┤
 $$
 
 ```solidity
 0x0000000000000000000000000000000000000000000000000000000000000000 // 0
 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff // uint256_max
 ```
 
-$$int256 \text{ domain}$$
+$$\text{int256 domain}$$
 
 $$
-\overset{\hskip 1em positive}{
-    ├\underset{0}{─}────────────\underset{\hskip -2em 2^{255} - 1}{─}┤
+\overset{positive}{
+    ├\underset{\hskip -0.5em 0}{─}────────────\underset{\hskip -3em 2^{255} - 1}{─}┤
 }
-\overset{\hskip 1em negative}{
-    ├────\underset{\hskip -3.5em - 2^{255}}─────────\underset{\hskip -0.4 em -1}{─}┤
+\overset{negative}{
+    ├──\underset{\hskip -2.1em - 2^{255}}{─}──────────\underset{\hskip -1 em -1}{─}┤
 }
 $$
 
@@ -184,11 +184,11 @@ $$
 ```
 
 The maximum positive integer that can be represented in a two's complement system using 256 bits is
-`0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff` which is roughly equal to half of the maximum value that can be represented using uint256.
+`0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff` which is roughly equal to half of the maximum value that can be represented using `uint256`.
 The most significant bit of this number is `0`, while all other bits are `1`.
 
 On the other hand, all negative numbers start with a `1` as their first bit.
-If we look at the underlying hex representation of these numbers, they are all greater than or equal to the smallest integer that can be represented using int256, which is `0x8000000000000000000000000000000000000000000000000000000000000000`. The integer's binary representation is a `1` followed by 255 `0`'s.
+If we look at the underlying hex representation of these numbers, they are all greater than or equal to the smallest integer that can be represented using `int256`, which is `0x8000000000000000000000000000000000000000000000000000000000000000`. The integer's binary representation is a `1` followed by 255 `0`'s.
 
 To obtain the negative value of an integer in a two's complement system, we flip the underlying bits and add `1`: `-a = ~a + 1`.
 An example illustrates this.
@@ -421,7 +421,7 @@ On a 64-bit system, integer addition works in the same way as before.
 = 0x0000000000000001 // int64(1)
 ```
 
-However, when performing the same calculations on a 256-bit machine, we need to extend the sign of the int64 value over all unused bits,
+However, when performing the same calculations on a 256-bit machine, we need to extend the sign of the `int64` value over all unused bits,
 otherwise the value won't be interpreted correctly.
 
 ```solidity
@@ -505,60 +505,56 @@ function overflowInt64(int256 value) public pure returns (bool overflow) {
 ```
 
 We can simplify the expression to a single comparison if we can shift the disjointed number domain back so that it's connected.
-To accomplish this, we subtract the smallest negative int64 `type(int64).min` from a value (or add the underlying unsigned value).
-A better way to understand this is by visualizing the signed integer number domain in relation to the unsigned domain (which is demonstrated here using int128).
+To accomplish this, we subtract the smallest negative `int64` (`type(int64).min`) from a value (or add the underlying unsigned value).
+A better way to understand this is by visualizing the signed integer number domain in relation to the unsigned domain (which is demonstrated here using `int128`).
 
-$$uint256 \text{ domain}$$
+$$\text{uint256 domain}$$
 
 $$
-├\underset{0}{─}────────────────────────────\underset{\hskip -2em 2^{256} - 1}{─}┤
+├\underset{\hskip -0.5em 0}{─}────────────────────────────\underset{\hskip -3em 2^{256} - 1}{─}┤
 $$
 
-$$int256 \text{ domain}$$
+$$\text{int256 domain}$$
 
 $$
-\overset{\hskip 1em positive}{
-    ├\underset{0}{─}────────────\underset{\hskip -2em 2^{255} - 1}{─}┤
+\overset{positive}{
+    ├\underset{\hskip -0.5em 0}{─}────────────\underset{\hskip -3em 2^{255} - 1}{─}┤
 }
-\overset{\hskip 1em negative}{
-    ├────\underset{\hskip -3.5em - 2^{255}}─────────\underset{\hskip -0.4 em -1}{─}┤
+\overset{negative}{
+    ├──\underset{\hskip -2.1em - 2^{255}}{─}──────────\underset{\hskip -1 em -1}{─}┤
 }
 $$
 
-The domain for uint128/int128 can be visualized as follows.
+The domain for `uint128`/`int128` can be visualized as follows.
 
-$$uint128 \text{ domain}$$
+$$\text{uint128 domain}$$
 
 $$
-├\underset{0}─────────────\underset{\hskip -2em 2^{128}-1}─┤
-\phantom{───────────────}┆
+├\underset{\hskip -0.5em 0}─────────────\underset{\hskip -3em 2^{128}-1}─┤
+\hskip 7em┆
 $$
 
-$$int128 \text{ domain}$$
+$$\text{int128 domain}$$
 
 $$
-\overset{\hskip 1em positive}{
-    ├\underset{0}{─}────\underset{\hskip -2em 2^{127} - 1}{─}┤
-}
-\phantom{────────────────}
-\overset{\hskip 1em negative}{
-    ├────\underset{\hskip -3.5em - 2^{127}}─\underset{\hskip -0.4 em -1}{─}┤
-}
+├\underset{\hskip -0.5em 0}{─}────\underset{\hskip -3em 2^{127} - 1}─\overset{\hskip -3em positive}{┤}
+\hskip 7em
+├──\underset{\hskip -2.1em - 2^{127}}───\underset{\hskip -1 em -1}{─}\overset{\hskip -3em negative}{┤}
 $$
 
 Note that the scales of the number ranges in the previous section do not accurately depict the magnitude of numbers that are representable with the different types and only serve as a visualization. We can represent twice as many numbers with only one additional bit, yet the uint256 domain has twice the number of bits compared to uint128.
 
-After subtracting `type(int128).min` (or adding $2^{127}$) and essentially shifting the domains to the right, we get the following, connected set of values.
+After subtracting `type(int128).min` (or adding `2**127`) and essentially shifting the domains to the right, we get the following, connected set of values.
 
 $$
-├\underset{0}─────────────\underset{\hskip -2em 2^{128}-1}─┤
-\phantom{───────────────}┆
+├\underset{\hskip -0.5em 0}{─}────────────\underset{\hskip -3em 2^{128}-1}─┤
+\hskip 7em┆
 $$
 
 $$
-\overset{\hskip 1em negative}{├──────┤}
-\overset{\hskip 1em positive}{├──────┤}
-\phantom{───────────────}┆
+├──────\overset{\hskip -3em negative}{┤}
+├──────\overset{\hskip -3em positive}{┤}
+\hskip 7em┆
 $$
 
 If we interpret the shifted value as an unsigned integer, we only need to check whether it exceeds the maximum unsigned integer `type(uint128).max`.
@@ -685,7 +681,7 @@ An example might help explain the second case.
 ```solidity
   0xffffffffffffffff800000000000000000000000000000000000000000000000 // type(int192).min
 * 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff // -1
-= 0x0000000000000000800000000000000000000000000000000000000000000000 // type(int192).min (when seen as a int192)
+= 0x0000000000000000800000000000000000000000000000000000000000000000 // type(int192).min (when looking at the first 192 bits)
 ```
 
 A method to address this issue is to always start by sign-extending or cleaning the result before attempting to reconstruct the other multiplicand.
@@ -715,9 +711,10 @@ function checkedMulInt192_2(int192 a, int192 b) public pure returns (int192 c) {
 In conclusion, we hope this article has served as an informative guide on signed integer arithmetic within the EVM and the two's complement system.
 We have explored:
 
-- the added complexity from handling signed over unsigned integers
-- the intricacies involved in managing sub 32-byte types
-- the significance of `signextend` and opcodes related to signed integers
-- the importance of bit-cleaning
+- How the EVM makes use of the two's complement representation
+- How integer values are interpreted as signed or unsigned depending on the opcodes used
+- The added complexity from handling arithmetic for signed vs. unsigned integers
+- The intricacies involved in managing sub 32-byte types
+- The importance of bit-cleaning and the significance of `signextend`
 
 While low-level optimizations are attractive, they are also heavily error-prone. This article aims to deepen one's understanding of low-level arithmetic, to reduce these risks. Nevertheless, it is crucial to integrate custom low-level optimizations only after thorough manual analysis, automated testing, and to document any non-obvious assumptions.
@@ -14,17 +14,19 @@ Each _Not So Smart Contract_ includes a standard set of information:
 
 ## Vulnerabilities
 
-| Not So Smart Contract                                   | Description                                                                    | Applicable to smart signatures | Applicable to smart contracts |
-| ------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------ | ----------------------------- |
-| [Rekeying](rekeying)                                    | Attacker rekeys an account                                                     | yes                            | yes                           |
-| [Unchecked Transaction Fees](unchecked_transaction_fee) | Attacker sets excessive fees for smart signature transactions                  | yes                            | no                            |
-| [Closing Account](closing_account)                      | Attacker closes smart signature accounts                                       | yes                            | no                            |
-| [Closing Asset](closing_asset)                          | Attacker transfers entire asset balance of a smart signature                   | yes                            | no                            |
-| [Group Size Check](group_size_check)                    | Contract does not check transaction group size                                 | yes                            | yes                           |
-| [Time-based Replay Attack](time_based_replay_attack)    | Contract does not use lease for periodic payments                              | yes                            | no                            |
-| [Access Controls](access_controls)                      | Contract does not enfore access controls for updating and deleting application | no                             | yes                           |
-| [Asset Id Check](asset_id_check)                        | Contract does not check asset id for asset transfer operations                 | yes                            | yes                           |
-| [Denial of Service](denial_of_service)                  | Attacker stalls contract execution by opting out of a asset                    | yes                            | yes                           |
+| Not So Smart Contract                                          | Description                                                                    | Applicable to smart signatures | Applicable to smart contracts |
+| -------------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------ | ----------------------------- |
+| [Rekeying](rekeying)                                           | Attacker rekeys an account                                                     | yes                            | yes                           |
+| [Unchecked Transaction Fees](unchecked_transaction_fee)        | Attacker sets excessive fees for smart signature transactions                  | yes                            | no                            |
+| [Closing Account](closing_account)                             | Attacker closes smart signature accounts                                       | yes                            | no                            |
+| [Closing Asset](closing_asset)                                 | Attacker transfers entire asset balance of a smart signature                   | yes                            | no                            |
+| [Group Size Check](group_size_check)                           | Contract does not check transaction group size                                 | yes                            | yes                           |
+| [Time-based Replay Attack](time_based_replay_attack)           | Contract does not use lease for periodic payments                              | yes                            | no                            |
+| [Access Controls](access_controls)                             | Contract does not enfore access controls for updating and deleting application | no                             | yes                           |
+| [Asset Id Check](asset_id_check)                               | Contract does not check asset id for asset transfer operations                 | yes                            | yes                           |
+| [Denial of Service](denial_of_service)                         | Attacker stalls contract execution by opting out of a asset                    | yes                            | yes                           |
+| [Inner Transaction Fee](inner_transaction_fee)                 | Inner transaction fee should be set to zero                                    | no                             | yes                           |
+| [Clear State Transaction Check](clear_state_transaction_check) | Contract does not check OnComplete field of an Application Call                | yes                            | yes                           |
 
 ## Credits
 
 
@@ -0,0 +1,40 @@
+# Clear State Transaction Check
+
+The lack of checks on the OnComplete field of the application calls might allow an attacker to execute the clear state program instead of the approval program, breaking core validations.
+
+## Description
+
+Algorand applications make use of group transactions to realize operations that may not be possible using a single transaction model. Some operations require that other transactions in the group call certain methods and applications. These requirements are asserted by validating that the transactions are ApplicationCall transactions. However, the OnComplete field of these transactions is not always validated, allowing an attacker to submit ClearState ApplicationCall transactions. The ClearState transaction invokes the clear state program instead of the intended approval program of the application.
+
+## Exploit Scenario
+
+A protocol offers flash loans from a liquidity pool. The flash loan operation is implemented using two methods: `take_flash_loan` and `pay_flash_loan`. `take_flash_loan` method transfers the assets to the user and `pay_flash_loan` verifies that the user has returned the borrowed assets. `take_flash_loan` verifies that a later transaction in the group calls the `pay_flash_loan` method. However, It does not validate the OnComplete field.
+
+```py
+@router.method(no_op=CallConfig.CALL)
+def take_flash_loan(offset: abi.Uint64, amount: abi.Uint64) -> Expr:
+    return Seq([
+        # Ensure the pay_flash_loan method is called
+        Assert(And(
+            Gtxn[Txn.group_index() + offset.get()].type_enum == TxnType.ApplicationCall,
+            Gtxn[Txn.group_index() + offset.get()].application_id() == Global.current_application_id(),
+            Gtxn[Txn.group_index() + offset.get()].application_args[0] == MethodSignature("pay_flash_loan(uint64)")
+        )),
+        # Perform other validations, transfer assets to the user, update the global state
+        # [...]
+    ])
+
+@router.method(no_op=CallConfig.CALL)
+def pay_flash_loan(offset: abi.Uint64) -> Expr:
+    return Seq([
+        # Validate the "take_flash_loan" transaction at `Txn.group_index() - offset.get()`
+        # Ensure the user has returned the funds to the pool along with the fee. Fail the transaction otherwise
+        # [...]
+    ])
+```
+
+An attacker constructs a valid group transaction for flash loan but sets the OnComplete field of `pay_flash_loan` call to ClearState. The clear state program is executed for complete_flash_loan call, which does not validate that the attacker has returned the funds. The attacker steals all the assets in the pool.
+
+## Recommendations
+
+Validate the OnComplete field of the ApplicationCall transactions.