SWC智能合约漏洞库

SWC ID
SWC-100/未声明函数可见性 SWC-101/整数溢出 SWC-102/使用过时的编译器 SWC-103/未锁定的pragma声明 SWC-104/未检查的调用范围值 SWC-105/无保护的以太币提款 SWC-106/无保护的SELFDESTRUCT指令 SWC-107/重入漏洞 SWC-108/未声明状态变量可见性 SWC-109/未初始化的存储指针 SWC-110/触发assert断言 SWC-111/使用过时的solidity函数 SWC-112/委托调用非可信合约 SWC-113/失败调用引发的DoS攻击 SWC-114/交易顺序依赖 SWC-115/利用tx.origin授权 SWC-116/使用区块值作为时间计量 SWC-117/签名的非唯一性 SWC-118/错误的构造函数名 SWC-119/影子状态变量 SWC-120/基于链属性的弱随机性 SWC-121/未保护签名重放攻击 SWC-122/缺乏适当的签名验证 SWC-123/违反require要求 SWC-124/写入任意存储位置 SWC-125/不正确的继承顺序 SWC-126/gas不足 SWC-127/函数类型变量任意跳转 SWC-128/利用区块gas限制的DoS攻击 SWC-129/笔误 SWC-130/使用反向控制字符 SWC-131/存在未使用的变量 SWC-132/依赖于以太币余额的逻辑 SWC-133/变长参数导致的哈希冲突 SWC-134/硬编码gas用量的消息调用 SWC-135/无效代码 SWC-136/未加密的链上私人数据
  1. 全部教程
  2. SWC智能合约漏洞库
  3. SWC智能合约漏洞库
  4. SWC-124/写入任意存储位置
在线工具推荐: Three.js AI纹理开发包 - YOLO合成数据生成器 - GLTF/GLB在线编辑 - 3D模型格式在线转换 - 可编程3D场景编辑器

SWC-124/写入任意存储位置

智能合约的数据(例如,存储合约的所有者)被永久存储在EVM的某个存储位置。合约负责确保只有 授权的用户或合约帐户才能写入敏感的存储位置。如果攻击者能够写入合约的任意存储位置,则可以 很容易地规避授权检查。这可能使攻击者破坏存储;例如,通过覆盖存储合约所有者地址的字段。

CWE漏洞分类

CWE-123:在何处写入的条件

整改方案

作为一般性建议,鉴于所有数据结构共享相同的存储(地址)空间,应确保对一个数据结构的写入 不会无意间覆盖另一数据结构的条目。

参考文献

2017 solidity代码大赛

合约示例

random_location_write_simple.sol

pragma solidity ^0.4.25;

contract Wallet {
    uint[] private bonusCodes;
    address private owner;

    constructor() public {
        bonusCodes = new uint[](0);
        owner = msg.sender;
    }

    function () public payable {
    }

    function PushBonusCode(uint c) public {
        bonusCodes.push(c);
    }

    function PopBonusCode() public {
        require(0 <= bonusCodes.length);
        bonusCodes.length--;
    }

    function UpdateBonusCodeAt(uint idx, uint c) public {
        require(idx < bonusCodes.length);
        bonusCodes[idx] = c;
    }

    function Destroy() public {
        require(msg.sender == owner);
        selfdestruct(msg.sender);
    }
}

random_location_write_simple.yaml

description: Simple variant of write to arbitrary storage location
issues:
- id: SWC-124
  count: 1
  locations:
  - bytecode_offsets:
      '0x4d778370f4fe1789bc427ab08efc768fcb4c6c8b68d2ee41178340423445bd45': [294]
    line_numbers:
      arbitrary_location_write_simple.sol: [26]

random_location_write_simple_fixed.sol

pragma solidity ^0.4.25;

contract Wallet {
    uint[] private bonusCodes;
    address private owner;

    constructor() public {
        bonusCodes = new uint[](0);
        owner = msg.sender;
    }

    function () public payable {
    }

    function PushBonusCode(uint c) public {
        bonusCodes.push(c);
    }

    function PopBonusCode() public {
        require(0 < bonusCodes.length);
        bonusCodes.length--;
    }

    function UpdateBonusCodeAt(uint idx, uint c) public {
        require(idx < bonusCodes.length); //Since you now have to push very codes this is no longer an arbitray write.
        bonusCodes[idx] = c;
    }

    function Destroy() public {
        require(msg.sender == owner);
        selfdestruct(msg.sender);
    }
}

random_location_write_simple_fixed.yaml

description: Simple variant of write to arbitrary storage location
issues:
- id: SWC-124
  count: 0
  locations: []

mapping_write.sol

pragma solidity ^0.4.24;

//This code is derived from the Capture the Ether https://capturetheether.com/challenges/math/mapping/

contract Map {
    address public owner;
    uint256[] map;

    function set(uint256 key, uint256 value) public {
        if (map.length <= key) {
            map.length = key + 1;
        }

        map[key] = value;
    }

    function get(uint256 key) public view returns (uint256) {
        return map[key];
    }
    function withdraw() public{
      require(msg.sender == owner);
      msg.sender.transfer(address(this).balance);
    }
}

mapping_write.yaml

description: Write to arbitrary storage location using dynamic arrays
issues:
- id: SWC-124
  count: 1
  locations:
  - bytecode_offsets:
      '0xb3f8b66f8449fff6ee9ba17ae5534dfb2d8f4c4281c8a9ad56c1354a55c389d3': [395]
    line_numbers:
      mapping_write.sol: [14]
在线互动课程