This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

updating DoS attack vectors in security #312

Merged
merged 4 commits into from
Jan 31, 2024
10 changes: 5 additions & 5 deletions package-lock.json


2 changes: 1 addition & 1 deletion package.json
@@ -7,6 +7,6 @@
"devDependencies": {
"all-contributors-cli": "^6.26.1",
"husky": "^8.0.3",
"prettier": "3.0.3"
"prettier": "^3.2.4"
}
}
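Review bot: the prettier entry moves from an exact pin `"prettier": "3.0.3"` to a caret range `"prettier": "^3.2.4"`, which lets any install that does not honour the lockfile resolve to a newer 3.x release; if the exact pin was deliberate, keep `"prettier": "3.2.4"` and let package-lock.json carry the bump (the other two devDependencies already use caret ranges, so this may simply be harmonizing the file, in which case say so in the description). Either way, the accompanying package-lock.json hunk (5 additions, 5 deletions, not rendered here) should move only the prettier resolution and its integrity hash, so please confirm no other package changed.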
32 changes: 31 additions & 1 deletion src/ch02-14-security-considerations.md
@@ -370,6 +370,37 @@ Moreover, using a block explorer, we can view the deployed parameters in the tra

If your smart contract requires storing private data on-chain, consider off-chain encryption before sending data to the blockchain. Alternatively, explore options like hashes, merkle trees, or commit-reveal patterns to maintain data privacy.

## 6. Denial of Service.

Denial of Service (DoS), also called griefing attack, entails a situation where the atacker causes grief for other users of the protocol. A DoS attacker cripples the functionality of a Smart Contract even if they gain no economic value from doing so. A major attack vector when it comes to Denial of Service is the gas exhaustion attack. In this attack, a malicious user can call a function that needs an excessive amount of gas for execution. The consequent exhaustion of gas can cause the smart contract to stop, thus denying services to legitimate users.

```rust
use starknet::ContractAddress;
mod DoS {
#[storage]
struct Storage{
// Stored variables
}


#[external(v0)]
impl ITransactionImpl of ITransaction{
fn transaction(ref self:ContractState, ) {

loop {
// very expensive computation
}
}
}
}
```

The minimalist contract above shows a transaction that would need intensive computation. The occurrence could result from an attacker calling the `transaction` function many times, leading to gas exhaustion.

### Recommendation:

The smart contract has to be minimized as much as possible to reduce gas consumption. Gas limits could also be incorporated when designing functions. The developer should also try to estimate gas usage every step, to ensure that all aspects are carefully accounted for.

## Call for Contributions: Additional Vulnerabilities

We've discussed several common vulnerabilities in Cairo smart contracts, but many other security risks need attention. We invite community contributions to expand this chapter with more vulnerabilities:
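Review bot: the Cairo listing in this hunk will not compile as shown, which matters in a chapter readers will copy from: the `mod DoS` lacks the `#[starknet::contract]` attribute, the `ITransaction` trait that `ITransactionImpl` implements is never declared, `use starknet::ContractAddress;` is unused, and `fn transaction(ref self:ContractState, )` has a trailing comma with no parameter after it. The mechanism in the prose also needs tightening: "an attacker calling the `transaction` function many times, leading to gas exhaustion" does not explain how other users are denied service, since each call's gas is paid by its own caller and a reverted call affects only that call. The usual griefing shape this section is after is a function whose work (for example the `loop` here) scales with state that anyone can grow, so that it eventually cannot complete within the gas limit for any caller; stating that, and pairing the recommendation with "bound loop iterations and avoid iterating over unbounded, user-growable collections", would make section 6 match the specificity of the earlier sections. Minor: "atacker" should be "attacker", the heading "## 6. Denial of Service." should drop its trailing period to match the other headings, and "Smart Contract" should be lowercase as elsewhere in the chapter.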
@@ -378,7 +409,6 @@ We've discussed several common vulnerabilities in Cairo smart contracts, but man
- Flash Loan Attacks
- Oracle Manipulation
- Bad Randomness
- Denial of Service
- Untrusted Delegate Calls
- Public Burn
