add why-this-works slide

SemSEpresentation/slides.tex

@@ -117,15 +117,17 @@
 pragma solidity 0.4.25;
 
 contract MyContract {
-  uint[] private arr;
-
-  constructor() public {
-    arr = new uint[](0);
-  }
-
-  function write(unit index, uint value) {
-    arr[index] = value;
-  }
+	address private owner;
+	uint[] private arr;
+	
+	constructor() public {
+		arr = new uint[](0);
+		owner = msg.sender;
+	}
+	
+	function write(unit index, uint value) {
+		arr[index] = value;
+	}
 }
   \end{lstlisting}
 \end{frame}
@@ -192,6 +194,15 @@ contract MyContract {
 	\end{lstlisting}
 \end{frame}
 
+\begin{frame}[fragile]
+	\frametitle{Why this works}
+	A dynamic array in storage slot $p$ stores its data at continuous addresses starting at $keccak(p)$. 
+	
+	For example, if the variable $x$ is a dynamic array occupying storage slot 3, $x[o]$ can be found at $keccak(0x3)+o$.
+	
+	An attacker can use this information to overwrite any storage slot by finding an appropriate offset value.
+\end{frame}
+
 \section{Detecting and Exploiting}
 \subsection[Detecting SWC-124]{Detecting SWC-124}
 \begin{frame}[fragile]