SWC-100/未声明函数可见性
没有指定可见性(Visibility)类型的函数,其可见性默认为public。如果开发人员忘记设置函数的可见性,而恶意用户因此能够进行未经授权或非预期的状态更改,则可能导致漏洞。
CWE漏洞分类
整改方案
函数可被指定为external、public、internal或private。建议有意识地为每个函数选择合适的可见性类型,这可以大大减少合约系统的攻击面。
参考文献
缺陷合约示例
visible_not_set.sol
/*
* @source: https://github.com/sigp/solidity-security-blog#visibility
* @author: SigmaPrime
* Modified by Gerhard Wagner
*/
pragma solidity ^0.4.24;
// Deliberately vulnerable SWC-100 sample: neither function below declares a
// visibility, so under the 0.4.x default both are public. The accompanying
// report lists two findings, one per function.
contract HashForEther {
// Intended entry point. No visibility specified, so it defaults to public
// (first SWC-100 finding).
function withdrawWinnings() {
// Winner if the last 8 hex characters of the address are 0.
require(uint32(msg.sender) == 0);
_sendWinnings();
}
// Intended as an internal helper, but the leading underscore is only a naming
// convention: with no visibility specified this function also defaults to
// public, so any caller can invoke it directly and receive the whole balance
// without passing the require() above (second SWC-100 finding).
function _sendWinnings() {
msg.sender.transfer(this.balance);
}
}
visible_not_set.yaml
description: Default function visibility
issues:
- id: SWC-100
count: 2
locations:
- bytecode_offsets: {}
line_numbers:
visibility_not_set.sol: [11]
- bytecode_offsets: {}
line_numbers:
visibility_not_set.sol: [17]
visible_not_set_fixed.sol
/*
* @source: https://github.com/sigp/solidity-security-blog#visibility
* @author: SigmaPrime
* Modified by Gerhard Wagner
*/
pragma solidity ^0.4.24;
// Corrected SWC-100 sample: every function carries an explicit visibility,
// so the payout helper is no longer reachable from outside the contract.
contract HashForEther {
    // Public entry point: only a caller whose address ends in eight zero hex
    // digits (low 32 bits == 0) may claim the contract's balance.
    function withdrawWinnings() public {
        address claimant = msg.sender;
        // Truncating the address to uint32 keeps exactly its last 8 hex characters.
        require(uint32(claimant) == 0);
        _payout(claimant);
    }

    // Internal helper: callable only from within this contract, so the
    // eligibility check above cannot be bypassed by calling it directly.
    function _payout(address recipient) internal {
        recipient.transfer(address(this).balance);
    }
}
visible_not_set_fixed.yaml
description: Default function visibility
issues:
- id: SWC-100
count: 0
locations: []