nitowa 1 год назад
Родитель
Сommit
d322ce79b0
2 измененных файлов: 69 добавлений и 69 удалений
  1. 39
    39
      README.md
  2. 30
    30
      papers/README.md

+ 39
- 39
README.md Просмотреть файл

@@ -1,39 +1,39 @@
1
-# SWC-124: Write to Arbitrary Storage Location
2
-
3
-## Introduction
4
-
5
-The aim of this paper is to introduce the SWC-124 smart contract weakness.
6
-In order to do that, the paper will:
7
-- describe weakness itself and the consequences if the weakness is exploited;
8
-- describe the various forms it may take and construct minimal sample contracts for each variant. It will also describe variants that look similar but are not a weakness, and construct minimal contracts for these non-weaknesses;
9
-- collect vulnerable contracts used by different papers to motivate/illustrate the weakness;
10
-- summarize the code properties that tools are looking for so that they can detect the weakness;
11
-- sketch ways to potentially exploit the different variants of the weakness.
12
-
13
-## Weakness description
14
-
15
-Smart contracts in Ethereum support persistent storage on the EVM level. It is the contracts responsibility to implement access control to sensitive information
16
-and doing so incorrectly may allow an attacker:
17
-* to read and overwrite sensitive data that should only be accessible to contract owners, maintainers etc.;
18
-* setting himself as the contract owner and circumventing authorization checks;
19
-* draining the contract of its funds by, for example, overwriting the address that collects the received tokens;
20
-* TODO: add more
21
-
22
-## Various forms
23
-
24
-1. Arrays + integer underflow/overflow
25
-2. Unchecked assembly calls
26
-3. TODO: add more
27
-
28
-## Samples
29
-
30
-TODO
31
-
32
-## Code properties
33
-
34
-TODO
35
-
36
-## Potential exploits
37
-
38
-TODO
39
-
1
+# SWC-124: Write to Arbitrary Storage Location
2
+
3
+## Introduction
4
+
5
+The aim of this paper is to introduce the SWC-124 smart contract weakness.
6
+In order to do that, the paper will:
7
+- describe weakness itself and the consequences if the weakness is exploited;
8
+- describe the various forms it may take and construct minimal sample contracts for each variant. It will also describe variants that look similar but are not a weakness, and construct minimal contracts for these non-weaknesses;
9
+- collect vulnerable contracts used by different papers to motivate/illustrate the weakness;
10
+- summarize the code properties that tools are looking for so that they can detect the weakness;
11
+- sketch ways to potentially exploit the different variants of the weakness.
12
+
13
+## Weakness description
14
+
15
+Smart contracts in Ethereum support persistent storage on the EVM level. It is the contracts responsibility to implement access control to sensitive information
16
+and doing so incorrectly may allow an attacker:
17
+* to read and overwrite sensitive data that should only be accessible to contract owners, maintainers etc.;
18
+* setting himself as the contract owner and circumventing authorization checks;
19
+* draining the contract of its funds by, for example, overwriting the address that collects the received tokens;
20
+* TODO: add more
21
+
22
+## Various forms
23
+
24
+1. Arrays + integer underflow/overflow
25
+2. Unchecked assembly calls
26
+3. TODO: add more
27
+
28
+## Samples
29
+
30
+TODO
31
+
32
+## Code properties
33
+
34
+TODO
35
+
36
+## Potential exploits
37
+
38
+TODO
39
+

+ 30
- 30
papers/README.md Просмотреть файл

@@ -1,30 +1,30 @@
1
-# Papers
2
-## SMARTIAN: Enhancing Smart Contract Fuzzingwith Static and Dynamic Data-Flow Analyses
3
-
4
-- listed as: "arbitrary write" (Choi et al., 2021)
5
-- from: [IEEE](https://ieeexplore.ieee.org/document/9678888)
6
-- file: [PDF](choi-ase2021.pdf)
7
-
8
-## SmartFuzzDriverGen: Smart ContractFuzzing Automation for Golang
9
-
10
-- listed as: "buffer-overwrite" (Pani et al., 2023)
11
-- from: [ACM](https://dl.acm.org/doi/fullHtml/10.1145/3578527.3578538)
12
-- file: [PDF](SmartFuzzDriverGen_ Smart Contract Fuzzing Automation for Golang.pdf)
13
-
14
-## teEther: Gnawing at Ethereum to Automatically Exploit Smart Contracts
15
-
16
-- listed as: "storage modification" (Krupp and Rossow, 2018)
17
-- from: [Usenix](https://www.usenix.org/conference/usenixsecurity18/presentation/krupp)
18
-- talk: [Youtube](https://www.youtube.com/watch?v=mW4jQzPVP_A)
19
-- file: [PDF](sec18-krupp.pdf)
20
-
21
-## Securify: Practical Security Analysis of Smart Contracts
22
-
23
-- listed as: "unrestricted write" (Tsankov et al., 2018)
24
-- from: [ACM](https://dl.acm.org/doi/10.1145/3243734.3243780)
25
-- talk: On ACM page
26
-- file: [PDF](Securify Practical Security Analysis of Smart Contracts.pdf)
27
-
28
-## "SWC-124: Write to Arbitrary Storage Location" (SmartContractSecurity, 2020)
29
-
30
-- from: [SWCregistry](https://swcregistry.io/docs/SWC-124/)
1
+# Papers
2
+## SMARTIAN: Enhancing Smart Contract Fuzzingwith Static and Dynamic Data-Flow Analyses
3
+
4
+- listed as: "arbitrary write" (Choi et al., 2021)
5
+- from: [IEEE](https://ieeexplore.ieee.org/document/9678888)
6
+- file: [PDF](choi-ase2021.pdf)
7
+
8
+## SmartFuzzDriverGen: Smart ContractFuzzing Automation for Golang
9
+
10
+- listed as: "buffer-overwrite" (Pani et al., 2023)
11
+- from: [ACM](https://dl.acm.org/doi/fullHtml/10.1145/3578527.3578538)
12
+- file: [PDF](SmartFuzzDriverGen_ Smart Contract Fuzzing Automation for Golang.pdf)
13
+
14
+## teEther: Gnawing at Ethereum to Automatically Exploit Smart Contracts
15
+
16
+- listed as: "storage modification" (Krupp and Rossow, 2018)
17
+- from: [Usenix](https://www.usenix.org/conference/usenixsecurity18/presentation/krupp)
18
+- talk: [Youtube](https://www.youtube.com/watch?v=mW4jQzPVP_A)
19
+- file: [PDF](sec18-krupp.pdf)
20
+
21
+## Securify: Practical Security Analysis of Smart Contracts
22
+
23
+- listed as: "unrestricted write" (Tsankov et al., 2018)
24
+- from: [ACM](https://dl.acm.org/doi/10.1145/3243734.3243780)
25
+- talk: On ACM page
26
+- file: [PDF](Securify Practical Security Analysis of Smart Contracts.pdf)
27
+
28
+## "SWC-124: Write to Arbitrary Storage Location" (SmartContractSecurity, 2020)
29
+
30
+- from: [SWCregistry](https://swcregistry.io/docs/SWC-124/)

Загрузка…
Отмена
Сохранить