In the blog, the Foundation stated that it had received a report, via the bug bounty program, of a “flaw” in the “new experimental ABI encoder,” also known as ABIEncoderV2. It went on to say,
“Upon investigation, it was found that the component suffers from a few different variations of the same type. The first part of this announcement explains this bug in detail. The new ABI encoder is still marked as experimental, but we nevertheless think that this deserves a prominent announcement since it is already used on mainnet.”
The team further revealed that two bugs had been discovered in the Solidity optimizer over the past two weeks. However, these bugs were “low-impact”. It also stated that these bugs were introduced in Solidity version 0.5.5, which was released on March 5. One of the two bugs was fixed in Solidity version 0.5.6.
Further, the blog stated that Solidity’s latest version, 0.5.7, released yesterday, “contained the fixes to all the bugs.” It also stated that these bugs ought to be “easily visible in tests that touch the relevant code paths, at least when run with all combinations of zero and nonzero values.”
The blog post further went on to clarify:
It further stated,
“Additionally, there are a number of requirements for the bug to trigger. See technical details further below for more information. As far as we can tell, there are about 2500 contracts live on mainnet that use the experimental ABIEncoderV2. It is not clear how many of them contain the bug.”
In terms of the bug’s likely outcomes, the Foundation stated that the probability of these bugs leading to a malfunction was more than one, resulting in exploitability. The Foundation said, “the bug, when triggered, will under certain circumstances send corrupt parameters on method invocations to other contracts.”