
Begin with paper

master
Ivaylo Ivanov 1 year ago
parent
commit
622a68524b
1 changed file with 37 additions and 6 deletions
README.md (+37 -6)

@@ -1,8 +1,39 @@
-# TODO
-- Describe the various forms it may take and construct minimal sample contracts for each variant. Also describe variants that look similar but are not a weakness, and construct minimal contracts for these non-weaknesses.
-- Describe the consequences if the weakness is exploited.
-- Collect vulnerable contracts used by the papers to motivate/illustrate the weakness.
-- Summarize the code properties that tools are looking for so that they can detect the weakness.
-- Sketch ways to potentially exploit the different variants of the weakness.
+# SWC-124: Write to Arbitrary Storage Location
 
+## Introduction
+
+The aim of this paper is to introduce the SWC-124 smart contract weakness.
+In order to do that, the paper will:
+- describe weakness itself and the consequences if the weakness is exploited;
+- describe the various forms it may take and construct minimal sample contracts for each variant. It will also describe variants that look similar but are not a weakness, and construct minimal contracts for these non-weaknesses;
+- collect vulnerable contracts used by different papers to motivate/illustrate the weakness;
+- summarize the code properties that tools are looking for so that they can detect the weakness;
+- sketch ways to potentially exploit the different variants of the weakness.
+
+## Weakness description
+
+Smart contracts in Ethereum support persistent storage on the EVM level. It is the contracts responsibility to implement access control to sensitive information
+and doing so incorrectly may allow an attacker:
+* to read and overwrite sensitive data that should only be accessible to contract owners, maintainers etc.;
+* setting himself as the contract owner and circumventing authorization checks;
+* draining the contract of its funds by, for example, overwriting the address that collects the received tokens;
+* TODO: add more
+
+## Various forms
+
+1. Arrays + integer underflow/overflow
+2. Unchecked assembly calls
+3. TODO: add more
+
+## Samples
+
+TODO
+
+## Code properties
+
+TODO
+
+## Potential exploits
+
+TODO
 
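Review bot: the first consequence bullet under "Weakness description" ("to read and overwrite sensitive data that should only be accessible to contract owners") does not fit a weakness titled "Write to Arbitrary Storage Location"; on Ethereum, contract storage is readable by anyone regardless of the contract's own access control, so the consequences should be framed around unauthorized writes only (taking over ownership, overwriting the address that collects funds). The three consequence bullets also mix forms ("to read and overwrite", "setting himself", "draining"); make them parallel, e.g. "* overwrite sensitive data ...", "* set the attacker as contract owner ...", "* drain the contract ...". Minor grammar in the added text: "describe weakness itself" needs "the", and "It is the contracts responsibility" needs "contract's". Finally, "Samples", "Code properties" and "Potential exploits" are committed as bare "TODO" sections and two lists end in "TODO: add more"; either keep the skeleton on a branch or state in the commit message that this is an outline to be filled in.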
