Skip to content
This repository has been archived by the owner on Dec 31, 2024. It is now read-only.

If value of contract call is <= 0 or > contract balance call will not be made and expression will return 0. #120

Open
MicahZoltu opened this issue Jun 19, 2017 · 0 comments
Open

If value of contract call is <= 0 or > contract balance call will not be made and expression will return 0. #120

MicahZoltu opened this issue Jun 19, 2017 · 0 comments

Comments

@MicahZoltu
Copy link

I consider this to be a security issue because it is super easy to not realize that this is the behavior and result in potentially not calling a method that should have been called, yet returning a well defined value. This could allow a clever attacker to get a script to do what they want.

This prints 2, should throw. Changing value = 0 to value = 2 results in the same behavior.

from ethereum import tester
import serpent

code = """
def foo():
    return 5

def bar():
    result = self.foo(value = 0)
    return result + 2
"""

state = tester.state()
state.block.number += 2000000
contract = state.abi_contract(code)
print contract.bar(value = 1)
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@MicahZoltu