diff --git a/entries/docs/SWC-100.md b/entries/docs/SWC-100.md index 8f0cacaf..d9bb2cc5 100644 --- a/entries/docs/SWC-100.md +++ b/entries/docs/SWC-100.md @@ -4,10 +4,10 @@ The content of the SWC registry has not been thoroughly updated since 2020. It i For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the [EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an -[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, that represents the latest work of the group developing the specification. -General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the [Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). # Title @@ -17,7 +17,8 @@ Function Default Visibility ## Relationships - [CWE-710: Improper Adherence to Coding Standards](https://cwe.mitre.org/data/definitions/710.html) -- [EthTrust Security Levels **[Q] Code Linting**](https://entethalliance.org/specs/ethtrust-sl/#req-3-linted) +- EthTrust Security Levels: + - [**[Q] Code Linting**](https://entethalliance.org/specs/ethtrust-sl/#req-3-linted) ## Description @@ -39,7 +40,7 @@ Functions can be specified as being `external`, `public`, `internal` or `private ```solidity /* * @source: https://github.com/sigp/solidity-security-blog#visibility - * @author: SigmaPrime + * @author: SigmaPrime * Modified by Gerhard Wagner */ 
@@ -48,7 +49,7 @@ pragma solidity ^0.4.24; contract HashForEther { function withdrawWinnings() { - // Winner if the last 8 hex characters of the address are 0. + // Winner if the last 8 hex characters of the address are 0. require(uint32(msg.sender) == 0); _sendWinnings(); } @@ -64,7 +65,7 @@ contract HashForEther { The function declarations in lines 11 and 17 do not set the visibility of the functions. At least for Solidity 0.4.24 (as specified in the `pragma` statement), this means they will default to being treated as `public`. -This allows anyone to call the `_sendWinings()` function and take the money. +This allows anyone to call the `_sendWinings()` function and take the money. Instead, the fixed version below restricts the `_sendWinnings()` function visibility to `internal`, so it can only be activated by the `WithdrawWinnings()` function that enforces a check diff --git a/entries/docs/SWC-101.md b/entries/docs/SWC-101.md index 296d505f..6e62c58b 100644 --- a/entries/docs/SWC-101.md +++ b/entries/docs/SWC-101.md 
@@ -1,10 +1,26 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Integer Overflow and Underflow ## Relationships -[CWE-682: Incorrect Calculation](https://cwe.mitre.org/data/definitions/682.html) +- [CWE-682: Incorrect Calculation](https://cwe.mitre.org/data/definitions/682.html) +- EthTrust Security Levels: + - [**[S] No Overflow/Underflow**](https://entethalliance.org/specs/ethtrust-sl/#req-1-overflow-underflow) + - [**[M] Safe Overflow/Underflow**](https://entethalliance.org/specs/ethtrust-sl/#req-2-overflow-underflow) + - [**[M] Documented Defensive Coding**](https://entethalliance.org/specs/ethtrust-sl/#req-2-documented) ## Description @@ -650,7 +666,7 @@ contract PausableToken is StandardToken, Pausable { function approve(address _spender, uint256 _value) public whenNotPaused returns (bool) { return super.approve(_spender, _value); } - + function batchTransfer(address[] _receivers, uint256 _value) public whenNotPaused returns (bool) { uint cnt = _receivers.length; uint256 amount = uint256(cnt) * _value; 
diff --git a/entries/docs/SWC-102.md b/entries/docs/SWC-102.md index 6ecded67..f12d9cc5 100644 --- a/entries/docs/SWC-102.md +++ b/entries/docs/SWC-102.md @@ -4,10 +4,10 @@ The content of the SWC registry has not been thoroughly updated since 2020. It i For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the [EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an -[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, that represents the latest work of the group developing the specification. -General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the [Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). # Title @@ -16,7 +16,12 @@ Outdated Compiler Version ## Relationships -[CWE-937: Using Components with Known Vulnerabilities](http://cwe.mitre.org/data/definitions/937.html) +- [CWE-937: Using Components with Known Vulnerabilities](http://cwe.mitre.org/data/definitions/937.html) +- EEA EthTrust Security Levels: + - [**Level [S]** Improved Compilers](https://entethalliance.org/specs/ethtrust-sl/#sec-1-compile-improvements) + - [**Level [S]** Compiler Security Bugs](https://entethalliance.org/specs/ethtrust-sl/#sec-1-compiler-bugs) + - [**Level [M]** Compiler Bugs and Overriding Requirements](https://entethalliance.org/specs/ethtrust-sl/#sec-level-2-compiler-bugs) + - [**Recommended Practice** Use the Latest Compiler](https://entethalliance.org/specs/ethtrust-sl/#req-R-use-latest-compiler) ## Description 
@@ -30,11 +35,6 @@ It is recommended to use a recent version of the Solidity compiler. - [Solidity Release Notes](https://github.com/ethereum/solidity/releases) - [Etherscan Solidity Bug Info](https://etherscan.io/solcbuginfo) -- EEA EthTrust Security Levels: - - [**Level [S]** Compiler Security Bugs](https://entethalliance.org/specs/ethtrust-sl/#sec-1-compiler-bugs) - - [**Level [S]** Improved Compilers](https://entethalliance.org/specs/ethtrust-sl/#sec-1-compile-improvements) - - [**Level [M]** Compiler Bugs and Overriding Requirements](https://entethalliance.org/specs/ethtrust-sl/#sec-level-2-compiler-bugs) - - [**Recommended Practice** Use the Latest Compiler](https://entethalliance.org/specs/ethtrust-sl/#req-R-use-latest-compiler) ## Samples @@ -52,10 +52,9 @@ contract OutdatedCompilerVersion { #### Comments As of August 2023 the current version of the compiler is 0.8.21. There are several dozen compiler bugs that have been fixed between that and version 0.4.13, -each of which can lead to data being corrupted, contracts not functioning as expected, or unexpected vulnerabilities in contracts. +each of which can lead to data being corrupted, contracts not functioning as expected, or unexpected vulnerabilities in contracts. There have also been significant improvements in compiler capabilities to protect against errors. See also the sections [**Level [S]** Compiler Security Bugs](https://entethalliance.org/specs/ethtrust-sl/#sec-1-compiler-bugs), [**Level [S]** Improved Compilers](https://entethalliance.org/specs/ethtrust-sl/#sec-1-compile-improvements), and [**Level [M]** Compiler Bugs and Overriding Requirements](https://entethalliance.org/specs/ethtrust-sl/#sec-level-2-compiler-bugs) - diff --git a/entries/docs/SWC-103.md b/entries/docs/SWC-103.md index 701e4149..281224d5 100644 --- a/entries/docs/SWC-103.md +++ b/entries/docs/SWC-103.md 
@@ -1,10 +1,27 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Floating Pragma ## Relationships -[CWE-664: Improper Control of a Resource Through its Lifetime](https://cwe.mitre.org/data/definitions/664.html) +- [CWE-664: Improper Control of a Resource Through its Lifetime](https://cwe.mitre.org/data/definitions/664.html) +- EEA EthTrust Security Levels: + - [**Level [S]** Improved Compilers](https://entethalliance.org/specs/ethtrust-sl/#sec-1-compile-improvements) + - [**Level [S]** Compiler Security Bugs](https://entethalliance.org/specs/ethtrust-sl/#sec-1-compiler-bugs) + - [**Level [M]** Compiler Bugs and Overriding Requirements](https://entethalliance.org/specs/ethtrust-sl/#sec-level-2-compiler-bugs) + - [**Recommended Practice** Use the Latest Compiler](https://entethalliance.org/specs/ethtrust-sl/#req-R-use-latest-compiler) ## Description diff --git a/entries/docs/SWC-104.md b/entries/docs/SWC-104.md index 696dcf7e..27c7f27e 100644 --- a/entries/docs/SWC-104.md +++ b/entries/docs/SWC-104.md 
@@ -1,10 +1,24 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Unchecked Call Return Value ## Relationships -[CWE-252: Unchecked Return Value](https://cwe.mitre.org/data/definitions/252.html) +- [CWE-252: Unchecked Return Value](https://cwe.mitre.org/data/definitions/252.html) +- EthTrust Security Levels: + - [**[M] Handle External Call Returns**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-2-handle-return) ## Description diff --git a/entries/docs/SWC-105.md b/entries/docs/SWC-105.md index 1ca26cf6..9d69b8da 100644 --- a/entries/docs/SWC-105.md +++ b/entries/docs/SWC-105.md 
@@ -1,10 +1,25 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Unprotected Ether Withdrawal ## Relationships -[CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html) +- [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html) +- EthTrust Security Levels: + - [**[M] Protect Self-destruction**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-2-self-destruct) + - [**[Q] Enforce Least Privilege**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-3-access-control) ## Description @@ -230,7 +245,7 @@ pragma solidity ^0.4.23; contract MultiOwnable { address public root; mapping (address => address) public owners; // owner => parent of owner - + /** * @dev The Ownable constructor sets the original `owner` of the contract to the sender * account. @@ -239,7 +254,7 @@ contract MultiOwnable { root = msg.sender; owners[root] = root; } - + /** * @dev Throws if called by any account other than the owner. */ 
@@ -247,17 +262,17 @@ contract MultiOwnable { require(owners[msg.sender] != 0); _; } - + /** * @dev Adding new owners * Note that the "onlyOwner" modifier is used here. - */ + */ function newOwner(address _owner) onlyOwner external returns (bool) { require(_owner != 0); owners[_owner] = msg.sender; return true; } - + /** * @dev Deleting owners */ @@ -269,7 +284,7 @@ contract MultiOwnable { } contract TestContract is MultiOwnable { - + function withdrawAll() onlyOwner { msg.sender.transfer(this.balance); } @@ -292,7 +307,7 @@ pragma solidity ^0.4.23; contract MultiOwnable { address public root; mapping (address => address) public owners; // owner => parent of owner - + /** * @dev The Ownable constructor sets the original `owner` of the contract to the sender * account. @@ -301,7 +316,7 @@ contract MultiOwnable { root = msg.sender; owners[root] = root; } - + /** * @dev Throws if called by any account other than the owner. */ @@ -309,17 +324,17 @@ contract MultiOwnable { require(owners[msg.sender] != 0); _; } - + /** * @dev Adding new owners * Note that the "onlyOwner" modifier is missing here. - */ + */ function newOwner(address _owner) external returns (bool) { require(_owner != 0); owners[_owner] = msg.sender; return true; } - + /** * @dev Deleting owners */ @@ -331,7 +346,7 @@ contract MultiOwnable { } contract TestContract is MultiOwnable { - + function withdrawAll() onlyOwner { msg.sender.transfer(this.balance); } @@ -371,7 +386,7 @@ pragma solidity ^0.4.24; contract Wallet { address creator; - + mapping(address => uint256) balances; constructor() public { @@ -382,7 +397,7 @@ contract Wallet { assert(balances[msg.sender] + msg.value > balances[msg.sender]); balances[msg.sender] += msg.value; } - + function withdraw(uint256 amount) public { require(amount <= balances[msg.sender]); msg.sender.transfer(amount); @@ -417,7 +432,7 @@ pragma solidity ^0.4.24; contract Wallet { address creator; - + mapping(address => uint256) balances; constructor() public { 
@@ -428,7 +443,7 @@ contract Wallet { assert(balances[msg.sender] + msg.value > balances[msg.sender]); balances[msg.sender] += msg.value; } - + function withdraw(uint256 amount) public { require(amount <= balances[msg.sender]); msg.sender.transfer(amount); @@ -461,7 +476,7 @@ pragma solidity ^0.4.24; contract Wallet { address creator; - + mapping(address => uint256) balances; function initWallet() public { @@ -472,7 +487,7 @@ contract Wallet { assert(balances[msg.sender] + msg.value > balances[msg.sender]); balances[msg.sender] += msg.value; } - + function withdraw(uint256 amount) public { require(amount <= balances[msg.sender]); msg.sender.transfer(amount); @@ -496,13 +511,13 @@ contract Wallet { pragma solidity ^0.4.24; /* User can add pay in and withdraw Ether. - Unfortunatelty, the developer was drunk and used the wrong comparison operator in "withdraw()" + Unfortunately, the developer was drunk and used the wrong comparison operator in "withdraw()" Anybody can withdraw arbitrary amounts of Ether :() */ contract Wallet { address creator; - + mapping(address => uint256) balances; constructor() public { @@ -513,7 +528,7 @@ contract Wallet { assert(balances[msg.sender] + msg.value > balances[msg.sender]); balances[msg.sender] += msg.value; } - + function withdraw(uint256 amount) public { require(amount >= balances[msg.sender]); msg.sender.transfer(amount); diff --git a/entries/docs/SWC-106.md b/entries/docs/SWC-106.md index 33b8958e..8e6ddd50 100644 --- a/entries/docs/SWC-106.md +++ b/entries/docs/SWC-106.md 
@@ -1,10 +1,25 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Unprotected SELFDESTRUCT Instruction ## Relationships -[CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html) +- [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html) +- EthTrust Security Levels: + - [**[M] Protect Self-destruction**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-2-self-destruct) + - [**[Q] Enforce Least Privilege**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-3-access-control) ## Description diff --git a/entries/docs/SWC-107.md b/entries/docs/SWC-107.md index d7535025..6e014fbe 100644 --- a/entries/docs/SWC-107.md +++ b/entries/docs/SWC-107.md 
@@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Reentrancy @@ -33,7 +45,7 @@ contract ModifierEntrancy { mapping (address => uint) public tokenBalance; string constant name = "Nu Token"; Bank bank; - + constructor() public{ bank = new Bank(); } @@ -42,13 +54,13 @@ contract ModifierEntrancy { function airDrop() hasNoBalance supportsToken public{ tokenBalance[msg.sender] += 20; } - + //Checks that the contract responds the way we want modifier supportsToken() { require(keccak256(abi.encodePacked("Nu Token")) == bank.supportsToken()); _; } - + //Checks that the caller has a zero balance modifier hasNoBalance { require(tokenBalance[msg.sender] == 0); @@ -117,11 +129,11 @@ pragma solidity 0.4.24; contract SimpleDAO { mapping (address => uint) public credit; - + function donate(address to) payable public{ credit[to] += msg.value; } - + function withdraw(uint amount) public{ if (credit[msg.sender]>= amount) { require(msg.sender.call.value(amount)()); 
@@ -148,11 +160,11 @@ pragma solidity 0.4.24; contract SimpleDAO { mapping (address => uint) public credit; - + function donate(address to) payable public{ credit[to] += msg.value; } - + function withdraw(uint amount) public { if (credit[msg.sender]>= amount) { credit[msg.sender]-=amount; diff --git a/entries/docs/SWC-108.md b/entries/docs/SWC-108.md index 3604d2b5..b0228423 100644 --- a/entries/docs/SWC-108.md +++ b/entries/docs/SWC-108.md @@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title State Variable Default Visibility 
@@ -29,17 +41,17 @@ contract TestStorage { uint storeduint1 = 15; uint constant constuint = 16; - uint32 investmentsDeadlineTimeStamp = uint32(now); + uint32 investmentsDeadlineTimeStamp = uint32(now); - bytes16 string1 = "test1"; - bytes32 private string2 = "test1236"; - string public string3 = "lets string something"; + bytes16 string1 = "test1"; + bytes32 private string2 = "test1236"; + string public string3 = "lets string something"; - mapping (address => uint) public uints1; - mapping (address => DeviceData) structs1; + mapping (address => uint) public uints1; + mapping (address => DeviceData) structs1; - uint[] uintarray; - DeviceData[] deviceDataArray; + uint[] uintarray; + DeviceData[] deviceDataArray; struct DeviceData { string deviceBrand; diff --git a/entries/docs/SWC-109.md b/entries/docs/SWC-109.md index ae5ff4f2..4b16d4b9 100644 --- a/entries/docs/SWC-109.md +++ b/entries/docs/SWC-109.md @@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Uninitialized Storage Pointer diff --git a/entries/docs/SWC-110.md b/entries/docs/SWC-110.md index 0493302e..e8e774f8 100644 
--- a/entries/docs/SWC-110.md +++ b/entries/docs/SWC-110.md @@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Assert Violation @@ -405,7 +417,7 @@ contract ReturnMemory { everMatched = slates[slate] == nay; } } - + function checkAnInvariant() public returns (bool) { assert(!everMatched); } @@ -681,7 +693,7 @@ contract SimpleDSChief { bytes32 senderSlate = votes[msg.sender]; address option = slates[senderSlate]; uint256 senderDeposit = deposits[msg.sender]; - + assert(approvals[option] >= senderDeposit); } } diff --git a/entries/docs/SWC-111.md b/entries/docs/SWC-111.md index 8d8ab8b1..981f4934 100644 --- a/entries/docs/SWC-111.md +++ b/entries/docs/SWC-111.md 
@@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Use of Deprecated Solidity Functions diff --git a/entries/docs/SWC-112.md b/entries/docs/SWC-112.md index 4d86b814..7ace0e58 100644 --- a/entries/docs/SWC-112.md +++ b/entries/docs/SWC-112.md 
@@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Delegatecall to Untrusted Callee @@ -92,10 +104,10 @@ contract proxy{ require(msg.sender == owner); msg.sender.transfer(address(this).balance); } -} +} /* -You can't use proxyCall to change the owner address as either: +You can't use proxyCall to change the owner address as either: 1) the delegatecall reverts and thus does not change owner 2) the delegatecall does not revert and therefore will cause the proxyCall to revert and preventing owner from changing diff --git a/entries/docs/SWC-113.md b/entries/docs/SWC-113.md index e4985182..fd2d50bf 100644 --- a/entries/docs/SWC-113.md +++ b/entries/docs/SWC-113.md 
@@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title DoS with Failed Call @@ -36,7 +48,7 @@ It is recommended to follow call best practices: pragma solidity 0.4.24; contract Refunder { - + address[] private refundAddresses; mapping (address => uint) public refunds; diff --git a/entries/docs/SWC-114.md b/entries/docs/SWC-114.md index 5f0f16b5..56bf4687 100644 --- a/entries/docs/SWC-114.md +++ b/entries/docs/SWC-114.md 
@@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Transaction Order Dependence diff --git a/entries/docs/SWC-115.md b/entries/docs/SWC-115.md index bf058abe..6f9cc077 100644 --- a/entries/docs/SWC-115.md +++ b/entries/docs/SWC-115.md 
@@ -1,10 +1,25 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Authorization through tx.origin ## Relationships -[CWE-477: Use of Obsolete Function](https://cwe.mitre.org/data/definitions/477.html) +- [CWE-477: Use of Obsolete Function](https://cwe.mitre.org/data/definitions/477.html) +- EEA EthTrust Security Levels: + - [**[S] No `tx.origin`**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-1-no-tx.origin) + - [**[Q] Verify `tx.origin` Usage**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-3-verify-tx.origin) ## Description diff --git a/entries/docs/SWC-116.md b/entries/docs/SWC-116.md index 9ce9d876..35927a65 100644 --- a/entries/docs/SWC-116.md +++ b/entries/docs/SWC-116.md 
@@ -1,10 +1,24 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Block values as a proxy for time ## Relationships -[CWE-829: Inclusion of Functionality from Untrusted Control Sphere](https://cwe.mitre.org/data/definitions/829.html) +- [CWE-829: Inclusion of Functionality from Untrusted Control Sphere](https://cwe.mitre.org/data/definitions/829.html) + - [**[M] Document Special Code Use**](https://entethalliance.org/specs/ethtrust-sl/#req-2-documented) + - [**[M] Don't Misuse Block Data**](https://entethalliance.org/specs/ethtrust-sl/#req-2-block-data-misuse) ## Description diff --git a/entries/docs/SWC-117.md b/entries/docs/SWC-117.md index 86a247eb..171d3ffa 100644 --- a/entries/docs/SWC-117.md +++ b/entries/docs/SWC-117.md 
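Review bot: in the SWC-116 Relationships hunk the two `[M]` requirement links are indented directly under the CWE-829 bullet, so they render as children of the CWE entry rather than as EthTrust requirements; every other entry in this patch introduces them under a `- EthTrust Security Levels:` parent bullet. Insert that parent bullet between the CWE line and the two indented links.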
@@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Signature Malleability diff --git a/entries/docs/SWC-118.md b/entries/docs/SWC-118.md index ba8e6142..b7cbd6c0 100644 --- a/entries/docs/SWC-118.md +++ b/entries/docs/SWC-118.md @@ -6,7 +6,7 @@ For currently maintained guidance on known Smart Contract vulnerabilities writte [EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an [Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, that represents the latest work of the group developing the specification. -General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the [Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). # Title 
@@ -15,7 +15,10 @@ Incorrect Constructor Name ## Relationships -[CWE-665: Improper Initialization](http://cwe.mitre.org/data/definitions/665.html) +- [CWE-665: Improper Initialization](http://cwe.mitre.org/data/definitions/665.html) +- EthTrust Security Levels + - [**[S] Use a Modern Compiler**](https://entethalliance.org/specs/ethtrust-sl/#req-1-compiler-060) + - [**[Q] Code Linting**](https://entethalliance.org/specs/ethtrust-sl/#req-3-linted) ## Description @@ -30,11 +33,6 @@ Solidity version 0.4.22 introduces a new `constructor` keyword that make a const - [SigmaPrime - Constructors with Care](https://blog.sigmaprime.io/solidity-security.html#constructors) -### EEA EthTrust Security Levels Specification - -- [**[S] Use a Modern Compiler**](https://entethalliance.org/specs/ethtrust-sl/#req-1-compiler-060) -- [**[Q] Code Linting**](https://entethalliance.org/specs/ethtrust-sl/#req-3-linted) - ## Samples ### incorrect_constructor_name1.sol @@ -56,17 +54,17 @@ contract Missing{ require(msg.sender==owner); _; } - + function missing() - public + public { owner = msg.sender; } - function () payable {} + function () payable {} - function withdraw() - public + function withdraw() + public onlyowner { owner.transfer(this.balance); @@ -133,15 +131,15 @@ contract Missing{ } function Constructor() - public + public { owner = msg.sender; } - function () payable {} + function () payable {} - function withdraw() - public + function withdraw() + public onlyowner { owner.transfer(this.balance); diff --git a/entries/docs/SWC-119.md b/entries/docs/SWC-119.md index d0129a47..56de3f60 100644 --- a/entries/docs/SWC-119.md +++ b/entries/docs/SWC-119.md 
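Review bot: the new parent bullet in SWC-118 reads `- EthTrust Security Levels` without the trailing colon used in the other entries (`- EthTrust Security Levels:`), and the re-added CWE-665 link keeps `http://cwe.mitre.org/...` while the rest of the patch links CWE over `https://`. Removing the duplicate `### EEA EthTrust Security Levels Specification` block from References is the right call once the links live under Relationships; the later whitespace-only changes to `function () payable {}` and `function withdraw()` are fine.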
@@ -4,18 +4,22 @@ The content of the SWC registry has not been thoroughly updated since 2020. It i For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the [EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an -[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, that represents the latest work of the group developing the specification. -General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the -[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS).# Title +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + +# Title Shadowing State Variables ## Relationships -[CWE-710: Improper Adherence to Coding Standards](http://cwe.mitre.org/data/definitions/710.html) - +- [CWE-710: Improper Adherence to Coding Standards](http://cwe.mitre.org/data/definitions/710.html) +- EthTrust Security Levels: + - [**[Q] Implement as Documented**](https://entethalliance.org/specs/ethtrust-sl/#req-3-implement-as-documented) + ## Description Solidity allows for ambiguous naming of state variables when inheritance is used. Contract `A` with a variable `x` could inherit contract `B` that also has a state variable `x` defined. This would result in two separate versions of `x`, one of them being accessed from contract `A` and the other one from contract `B`. In more complex contract systems this condition could go unnoticed and subsequently lead to security issues. 
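Review bot: the `+ ` line after the `[Q] Implement as Documented` bullet in SWC-119 introduces a line consisting of a single space, i.e. trailing whitespace, which this same patch is stripping elsewhere (`-[Editor's draft](...) is available, `); make it an empty line. Splitting the run-together `...SCSVS).# Title` so that `# Title` sits on its own heading line is a good catch and should stay.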
@@ -31,9 +35,8 @@ Review storage variable layouts for your contract systems carefully and remove a - [Issue on Solidity's Github - Shadowing of inherited state variables should be an error (override keyword)](https://github.com/ethereum/solidity/issues/2563) - [Issue on Solidity's Github - Warn about shadowing state variables](https://github.com/ethereum/solidity/issues/973) -### EEA EthTrust Security Levels Specification - -- [**[Q] Implement as Documented**](https://entethalliance.org/specs/ethtrust-sl/#req-3-implement-as-documented) +EthTrust Security Levels: + - [**[Q] Implement as Documented**](https://entethalliance.org/specs/ethtrust-sl/#req-3-implement-as-documented) ## Samples diff --git a/entries/docs/SWC-120.md b/entries/docs/SWC-120.md index 5c1480fc..093eb7f6 100644 --- a/entries/docs/SWC-120.md +++ b/entries/docs/SWC-120.md @@ -4,10 +4,10 @@ The content of the SWC registry has not been thoroughly updated since 2020. It i For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the [EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an -[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, that represents the latest work of the group developing the specification. -General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the [Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). # Title 
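Review bot: this SWC-119 References hunk keeps the EthTrust link (now as a bare `EthTrust Security Levels:` line followed by a two-space-indented `- ` item) even though the identical link was just added under Relationships in the previous hunk, so it is now listed twice; the SWC-118, SWC-120 and SWC-130 hunks delete the References copy instead. Do the same here. As written, a paragraph line followed by an indented `-` item also may not render as a list in every Markdown renderer.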
@@ -16,7 +16,11 @@ Weak Sources of Randomness from Chain Attributes ## Relationships -[CWE-330: Use of Insufficiently Random Values](https://cwe.mitre.org/data/definitions/330.html) +- [CWE-330: Use of Insufficiently Random Values](https://cwe.mitre.org/data/definitions/330.html) +- EthTrust Security Levels: + - [**[M] Sources of Randomness**](https://entethalliance.org/specs/ethtrust-sl/#req-2-random-enough) + - [**[M] Document Special Code Use**](https://entethalliance.org/specs/ethtrust-sl/#req-2-documented) + ## Description @@ -35,11 +39,6 @@ Ability to generate random numbers is very helpful in all kinds of applications. - [When can BLOCKHASH be safely used for a random number? When would it be unsafe?](https://ethereum.stackexchange.com/questions/419/when-can-blockhash-be-safely-used-for-a-random-number-when-would-it-be-unsafe) - [The Run smart contract](https://etherscan.io/address/0xcac337492149bdb66b088bf5914bedfbf78ccc18) -### EEA EthTrust Security Levels Specification - -- [**[M] Sources of Randomness**](https://entethalliance.org/specs/ethtrust-sl/#req-2-random-enough) -- [**[M] Document Special Code Use**](https://entethalliance.org/specs/ethtrust-sl/#req-2-documented) - ## Samples ### guess_the_random_number.sol diff --git a/entries/docs/SWC-121.md b/entries/docs/SWC-121.md index 9c6165a1..f8be09ad 100644 --- a/entries/docs/SWC-121.md +++ b/entries/docs/SWC-121.md 
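Review bot: the `+ ` line after the `[M] Document Special Code Use` bullet in SWC-120 adds trailing whitespace and, together with the existing blank line, leaves two empty lines before `## Description`; drop it. Moving the two requirements into Relationships and deleting the `### EEA EthTrust Security Levels Specification` block from References is consistent with SWC-118.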
@@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Missing Protection against Signature Replay Attacks diff --git a/entries/docs/SWC-122.md b/entries/docs/SWC-122.md index d16d0cda..42835ef2 100644 --- a/entries/docs/SWC-122.md +++ b/entries/docs/SWC-122.md 
@@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Lack of Proper Signature Verification diff --git a/entries/docs/SWC-123.md b/entries/docs/SWC-123.md index a40e84d2..8469e2e7 100644 --- a/entries/docs/SWC-123.md +++ b/entries/docs/SWC-123.md 
@@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Requirement Violation diff --git a/entries/docs/SWC-124.md b/entries/docs/SWC-124.md index 816e5400..253baa70 100644 --- a/entries/docs/SWC-124.md +++ b/entries/docs/SWC-124.md 
@@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Write to Arbitrary Storage Location diff --git a/entries/docs/SWC-125.md b/entries/docs/SWC-125.md index e6404d3a..3cfdb5ab 100644 --- a/entries/docs/SWC-125.md +++ b/entries/docs/SWC-125.md 
@@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Incorrect Inheritance Order diff --git a/entries/docs/SWC-126.md b/entries/docs/SWC-126.md index e484d4f7..c93b9661 100644 --- a/entries/docs/SWC-126.md +++ b/entries/docs/SWC-126.md 
@@ -1,10 +1,25 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Insufficient Gas Griefing ## Relationships -[CWE-691: Insufficient Control Flow Management](https://cwe.mitre.org/data/definitions/691.html) +- [CWE-691: Insufficient Control Flow Management](https://cwe.mitre.org/data/definitions/691.html) +- EEA EthTrust Security Levels: + - [**[Q] Manage Gas Usage Increases**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-3-enough-gas) + - [**[Q] Protect Gas Usage**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-3-protect-gas) ## Description diff --git a/entries/docs/SWC-127.md b/entries/docs/SWC-127.md index 9bbf9de0..6eeeac53 100644 --- a/entries/docs/SWC-127.md +++ b/entries/docs/SWC-127.md 
@@ -1,10 +1,25 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Arbitrary Jump with Function Type Variable ## Relationships -[CWE-695: Use of Low-Level Functionality](https://cwe.mitre.org/data/definitions/695.html) +- [CWE-695: Use of Low-Level Functionality](https://cwe.mitre.org/data/definitions/695.html) +- EEA EthTrust Security Levels: + - [**[S] No `assembly {}`**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-1-no-assembly) + - [**[M] Avoid Common `assembly {}` Attack Vectors**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-2-safe-assembly) ## Description 
@@ -35,19 +50,19 @@ The use of assembly should be minimal. A developer should not allow a user to as pragma solidity ^0.4.25; contract FunctionTypes { - + constructor() public payable { require(msg.value != 0); } - + function withdraw() private { require(msg.value == 0, 'dont send funds!'); address(msg.sender).transfer(address(this).balance); } - + function frwd() internal { withdraw(); } - + struct Func { function () internal f; } - + function breakIt() public payable { require(msg.value != 0, 'send funds!'); Func memory func; diff --git a/entries/docs/SWC-128.md b/entries/docs/SWC-128.md index 7505b3c3..5091016f 100644 --- a/entries/docs/SWC-128.md +++ b/entries/docs/SWC-128.md 
@@ -1,11 +1,25 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title DoS With Block Gas Limit ## Relationships -[CWE-400: Uncontrolled Resource Consumption](https://cwe.mitre.org/data/definitions/400.html) - +- [CWE-400: Uncontrolled Resource Consumption](https://cwe.mitre.org/data/definitions/400.html) +- EEA EthTrust Security Levels: + - [**[Q] Manage Gas Usage Increases**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-3-enough-gas) + ## Description When smart contracts are deployed or functions inside them are called, the execution of these actions always requires a certain amount of gas, based of how much computation is needed to complete them. The Ethereum network specifies a block gas limit and the sum of all transactions included in a block can not exceed the threshold. diff --git a/entries/docs/SWC-129.md b/entries/docs/SWC-129.md index b57e4654..42df8f84 100644 --- a/entries/docs/SWC-129.md +++ b/entries/docs/SWC-129.md 
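Review bot: same single-space `+ ` line after the `[Q] Manage Gas Usage Increases` bullet in SWC-128 as in SWC-119 and SWC-120; make it empty. Since this region is being touched, the unchanged Description context line reads `based of how much computation is needed`; `based on` would be correct, though that is outside what the hunk changes.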
@@ -1,10 +1,24 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Typographical Error ## Relationships -[CWE-480: Use of Incorrect Operator](https://cwe.mitre.org/data/definitions/480.html) +- [CWE-480: Use of Incorrect Operator](https://cwe.mitre.org/data/definitions/480.html) +- EEA EthTrust Security Levels: + - [**[Q] Implement as Documented**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-3-implement-as-documented) ## Description @@ -152,7 +166,7 @@ contract TypoSimple { win = true; } } - + function iWin() view public returns (bool) { return win; } diff --git a/entries/docs/SWC-130.md b/entries/docs/SWC-130.md index b06689c3..7368e3c9 100644 --- a/entries/docs/SWC-130.md +++ b/entries/docs/SWC-130.md 
@@ -6,7 +6,7 @@ For currently maintained guidance on known Smart Contract vulnerabilities writte [EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an [Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, that represents the latest work of the group developing the specification. -General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the [Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). # Title @@ -15,8 +15,11 @@ Right-To-Left-Override control character (U+202E) ## Relationships -[CWE-451: User Interface (UI) Misrepresentation of Critical Information](http://cwe.mitre.org/data/definitions/451.html) - +- [CWE-451: User Interface (UI) Misrepresentation of Critical Information](http://cwe.mitre.org/data/definitions/451.html) +- EEA EthTrust Security Levels specification: + - [**[S] No Unicode Direction Control Characters**](https://entethalliance.org/specs/ethtrust-sl/#req-1-unicode-bdo) + - [**[M] No Unnecessary Unicode Controls**](https://entethalliance.org/specs/ethtrust-sl/#req-2-unicode-bdo) + - [**[M] No Homoglyph-style Attack**](https://entethalliance.org/specs/ethtrust-sl/#req-2-no-homoglyph-attack) ## Description 
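Review bot: the parent bullet `- EEA EthTrust Security Levels specification:` in SWC-130 is a third variant of the wording used for the same list in this patch (`- EEA EthTrust Security Levels:` in SWC-115/126/127, `- EthTrust Security Levels:` in SWC-118/119/120); normalize to one label. The added CWE-451 link also keeps `http://` where the rest of the patch uses `https://`.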
@@ -30,11 +33,6 @@ There are very few legitimate uses of the U+202E character. It should not appear - [Outsmarting Smart Contracts](https://youtu.be/P_Mtd5Fc_3E?t=1813) -EEA EthTrust Security Levels specification: - -- [**[S] No Unicode Direction Control Characters**](https://entethalliance.org/specs/ethtrust-sl/#req-1-unicode-bdo) -- [**[M] No Unnecessary Unicode Controls**](https://entethalliance.org/specs/ethtrust-sl/#req-2-unicode-bdo) -- [**[M] No Homoglyph-style Attack**](https://entethalliance.org/specs/ethtrust-sl/#req-2-no-homoglyph-attack) ## Samples @@ -106,7 +104,7 @@ checkAndTransferPrize(/*The prize‮/*rebmun desseug*/n , p/* inside the function `guess(uint n)` uses invisible direction control characters, so what is present on the screen misrepresents the order of the parameters - the function is called with parameters `n, p, address`, which is the **logical order** of characters, -but some are displayed from right to left, so that the segment 'n, p' appears in reverse order to a reader, +but some are displayed from right to left, so that the segment 'n, p' appears in reverse order to a reader, because invisible direction control characters are included in the code. Selecting the text character by character will usually show this - the selection suddenly jumps to the end of the right-to-left text, diff --git a/entries/docs/SWC-131.md b/entries/docs/SWC-131.md index 2d2ed376..efa60d69 100644 --- a/entries/docs/SWC-131.md +++ b/entries/docs/SWC-131.md 
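Review bot: removing the five-line EthTrust block from the SWC-130 References leaves both the blank line that preceded it and the blank line that followed it, so two consecutive empty lines now sit before `## Samples`; drop one. The trailing-whitespace fix on the `but some are displayed from right to left` line is fine and does not touch the U+202E characters in the surrounding context.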
@@ -1,10 +1,23 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Presence of unused variables ## Relationships -[CWE-1164: Irrelevant Code](https://cwe.mitre.org/data/definitions/1164.html) +- [CWE-1164: Irrelevant Code](https://cwe.mitre.org/data/definitions/1164.html) +- EthTrust Security Levels: + - [**[Q] Code Linting**](https://entethalliance.org/specs/ethtrust-sl/#req-3-linted) ## Description @@ -38,11 +51,11 @@ contract DerivedA is Base { A i = A(1); int internal j = 500; - + function call(int a) public { assign1(a); } - + function assign3(A memory x) public returns (uint) { return g[1] + x.a + uint(j); } @@ -51,7 +64,7 @@ contract DerivedA is Base { return this.e(); } - + } ``` @@ -66,11 +79,11 @@ import "./base_fixed.sol"; contract DerivedA is Base { int internal j = 500; - + function call(int a) public { assign1(a); } - + function assign3(A memory x) public returns (uint) { return g[1] + x.a + uint(j); } @@ -79,7 +92,7 @@ contract DerivedA is Base { return this.e(); } - + } ``` 
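Review bot: the banner inserted into SWC-131 folds `that represents the latest work of the group developing the specification.` onto the `[Editor's draft](...) is available,` line, whereas the banner added to SWC-115, SWC-116 and SWC-117 in this same patch keeps that clause on its own line (the same folded form reappears in SWC-132, SWC-133, SWC-134 and SWC-135). If the banner is meant to be a verbatim copy across files, use one wrapping everywhere so future bulk edits match every copy.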
@@ -102,7 +115,7 @@ contract UnusedVariables { o = m/2; } - // x is not accessed + // x is not accessed function neverAccessed(int test) public pure returns (int) { int z = 10; @@ -115,10 +128,10 @@ contract UnusedVariables { return z; } - + function tupleAssignment(int p) public returns (int q, int r){ (q, , r) = unusedReturn(p,2); - + } @@ -144,7 +157,7 @@ contract UnusedVariables { o = m/2; } - // x is not accessed + // x is not accessed function neverAccessed(int test) public pure returns (int) { int z = 10; @@ -154,10 +167,10 @@ contract UnusedVariables { return z; } - + function tupleAssignment(int p) public returns (int q, int r){ (q, , r) = unusedReturn(p,2); - + } } diff --git a/entries/docs/SWC-132.md b/entries/docs/SWC-132.md index bc694217..7f56dc69 100644 --- a/entries/docs/SWC-132.md +++ b/entries/docs/SWC-132.md 
@@ -1,10 +1,24 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Unexpected Ether balance ## Relationships -[CWE-667: Improper Locking](https://cwe.mitre.org/data/definitions/667.html) +- [CWE-667: Improper Locking](https://cwe.mitre.org/data/definitions/667.html) +- EEA EthTrust Security Levels: + - [**[S] No Exact Balance Check**](https://entethalliance.org/specs/ethtrust-sl/#req-1-exact-balance-check) + - [**[M] Verify Exact Balance Checks**](https://entethalliance.org/specs/ethtrust-sl/#req-1-verify-exact-balance-check) ## Description @@ -25,7 +39,7 @@ Avoid strict equality checks for the Ether balance in a contract. ### Lockdrop.sol ```solidity -/** +/** * @source: https://github.com/hicommonwealth/edgeware-lockdrop/blob/93ecb524c9c88d25bab36278541f190fa9e910c2/contracts/Lockdrop.sol */ @@ -40,7 +54,7 @@ contract Lock { sstore(0x01, unlockTime) } } - + /** * @dev Withdraw function once timestamp has passed unlock time */ 
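Review bot: the fragment for `[**[M] Verify Exact Balance Checks**]` in SWC-132 is `#req-1-verify-exact-balance-check`, but every other `[M]` requirement linked in this patch uses a `req-2-` fragment (`#req-2-documented`, `#req-2-random-enough`, `#req-2-safe-assembly`) and `req-1-` fragments are used for `[S]` requirements such as `#req-1-exact-balance-check` on the line above. The level/fragment mismatch suggests a broken anchor; verify the id against the spec before merging. The `/**` trailing-whitespace fix in Lockdrop.sol is fine.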
@@ -69,7 +83,7 @@ contract Lockdrop { // ETH locking events event Locked(address indexed owner, uint256 eth, Lock lockAddr, Term term, bytes edgewareAddr, bool isValidator, uint time); event Signaled(address indexed contractAddr, bytes edgewareAddr, uint time); - + constructor(uint startTime) public { LOCK_START_TIME = startTime; LOCK_END_TIME = startTime + LOCK_DROP_PERIOD; @@ -116,7 +130,7 @@ contract Lockdrop { if (term == Term.ThreeMo) return now + 92 days; if (term == Term.SixMo) return now + 183 days; if (term == Term.TwelveMo) return now + 365 days; - + revert(); } diff --git a/entries/docs/SWC-133.md b/entries/docs/SWC-133.md index 40293356..73953016 100644 --- a/entries/docs/SWC-133.md +++ b/entries/docs/SWC-133.md @@ -1,3 +1,14 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Hash Collisions With Multiple Variable Length Arguments diff --git a/entries/docs/SWC-134.md b/entries/docs/SWC-134.md index f7ddaa41..fd00b400 100644 --- a/entries/docs/SWC-134.md +++ b/entries/docs/SWC-134.md 
@@ -1,3 +1,14 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Message call with hardcoded gas amount diff --git a/entries/docs/SWC-135.md b/entries/docs/SWC-135.md index 95d3ba6f..984d8238 100644 --- a/entries/docs/SWC-135.md +++ b/entries/docs/SWC-135.md 
@@ -1,10 +1,23 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Code With No Effects ## Relationships -[CWE-1164: Irrelevant Code](https://cwe.mitre.org/data/definitions/1164.html) +- [CWE-710: Improper Adherence to Coding Standards](https://cwe.mitre.org/data/definitions/710.html) +- EthTrust Security Levels: + - [**[Q] Code Linting**](https://entethalliance.org/specs/ethtrust-sl/#req-3-linted) ## Description diff --git a/entries/docs/SWC-136.md b/entries/docs/SWC-136.md index b2881fd3..6e2e4ff3 100644 --- a/entries/docs/SWC-136.md +++ b/entries/docs/SWC-136.md 
@@ -4,10 +4,10 @@ The content of the SWC registry has not been thoroughly updated since 2020. It i For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the [EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an -[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, that represents the latest work of the group developing the specification. -General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the [Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). # Title @@ -16,7 +16,10 @@ Unencrypted Private Data On-Chain ## Relationships -[CWE-767: Access to Critical Private Variable via Public Method](https://cwe.mitre.org/data/definitions/767.html) +- [CWE-767: Access to Critical Private Variable via Public Method](https://cwe.mitre.org/data/definitions/767.html) +- EthTrust Security Levels: + - [**[Q] No Private Data**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-3-no-private-data) + - [**[Q] Enforce Least Privilege**](https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-3-access-control) ## Description
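Review bot: the new Relationships bullet in SWC-132.md (the `@@ -1,10 +1,24 @@` hunk) is labelled `EEA EthTrust Security Levels:` while SWC-100.md, SWC-135.md and SWC-136.md in the same patch use `EthTrust Security Levels:`; pick one label so the registry entries render consistently (the spec's own short name, as used in the banner link text, is "EEA EthTrust Security Levels").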
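Review bot: the hunks at `@@ -25,7 +39,7 @@`, `@@ -40,7 +54,7 @@`, `@@ -69,7 +83,7 @@` and `@@ -116,7 +130,7 @@` in SWC-132.md only strip trailing whitespace inside the quoted Lockdrop.sol sample; since that block is a verbatim copy of an upstream source, keeping whitespace cleanup out of a content commit (or in its own commit) makes the substantive changes easier to review and keeps the sample byte-identical to the referenced upstream file.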
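Review bot: SWC-133.md and SWC-134.md (both `@@ -1,3 +1,14 @@` hunks) receive only the deprecation banner, whereas the other entries touched here also get the EthTrust Security Levels mapping added to their Relationships; if no EthTrust requirement applies to hash collisions with variable-length arguments or hardcoded gas amounts, say so in the commit message, otherwise add the corresponding bullets so readers of the deprecated entries are pointed at the maintained guidance the banner promises.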
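Review bot: in SWC-135.md (`@@ -1,10 +1,23 @@`) the replacement of `[CWE-1164: Irrelevant Code]` with `[CWE-710: Improper Adherence to Coding Standards]` loses the more specific weakness; "Code With No Effects" is exactly what CWE-1164 describes, and CWE-710 is a broad category. Keep the CWE-1164 line and add CWE-710 as a second bullet if the linting requirement needs it, e.g. `- [CWE-1164: Irrelevant Code](https://cwe.mitre.org/data/definitions/1164.html)` followed by the CWE-710 bullet; if dropping CWE-1164 is deliberate, the commit message should explain why.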
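Review bot: the two EthTrust links added to SWC-136.md (`@@ -16,7 +16,10 @@`) point at the editor's draft (`https://entethalliance.github.io/eta-registry/security-levels-spec.html#req-3-no-private-data` and `...#req-3-access-control`), while every other EthTrust link in this patch uses the release URL `https://entethalliance.org/specs/ethtrust-sl/#...`; draft anchors can be renamed between revisions. Either link the release spec for these requirements or, if they exist only in the draft, say so next to the bullet so the mix of draft and release links is clearly intentional.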