Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
Ivaylo Ivanov 84e1fbdce2 Add conclustions and open challenges 11 mēnešus atpakaļ
SemSEpaper improve paper formatting, code coloring, add abstract+conclusion, add safe code example, fix typos 1 gadu atpakaļ
SemSEreport Add conclustions and open challenges 11 mēnešus atpakaļ
papers add paper template 1 gadu atpakaļ
.gitignore Add unchecked assembly, add gitignore, cleanup 1 gadu atpakaļ
README.md add paper template 1 gadu atpakaļ

README.md

SWC-124: Write to Arbitrary Storage Location

Introduction

The aim of this paper is to introduce the SWC-124 smart contract weakness. In order to do that, the paper will:

  • describe weakness itself and the consequences if the weakness is exploited;
  • describe the various forms it may take and construct minimal sample contracts for each variant. It will also describe variants that look similar but are not a weakness, and construct minimal contracts for these non-weaknesses;
  • collect vulnerable contracts used by different papers to motivate/illustrate the weakness;
  • summarize the code properties that tools are looking for so that they can detect the weakness;
  • sketch ways to potentially exploit the different variants of the weakness.

Weakness description

Smart contracts in Ethereum support persistent storage on the EVM level. It is the contracts responsibility to implement access control to sensitive information and doing so incorrectly may allow an attacker:

  • to read and overwrite sensitive data that should only be accessible to contract owners, maintainers etc.;
  • setting himself as the contract owner and circumventing authorization checks;
  • draining the contract of its funds by, for example, overwriting the address that collects the received tokens;
  • TODO: add more

Various forms

  1. Arrays + integer underflow/overflow
  2. Unchecked assembly calls
  3. TODO: add more

Samples

TODO

Code properties

TODO

Potential exploits

TODO