SWC-130/使用反向控制字符(U+202E)
恶意行为者可以使用从右向左覆盖的Unicode字符来强制RTL文本呈现,并使用户混淆合约的真正意图。
CWE漏洞分类
整改方案
U+202E字符很少有合法用途。它不应出现在智能合约的源代码中。
参考文献
示例合约
guess_the_number.sol
/*
* @source: https://youtu.be/P_Mtd5Fc_3E
* @author: Shahar Zini
*/
pragma solidity ^0.5.0;
contract GuessTheNumber
{
uint _secretNumber;
address payable _owner;
event success(string);
event wrongNumber(string);
constructor(uint secretNumber) payable public
{
require(secretNumber <= 10);
_secretNumber = secretNumber;
_owner = msg.sender;
}
function getValue() view public returns (uint)
{
return address(this).balance;
}
function guess(uint n) payable public
{
require(msg.value == 1 ether);
uint p = address(this).balance;
checkAndTransferPrize(/*The prize/*rebmun desseug*/n , p/*
/*The user who should benefit */,msg.sender);
}
function checkAndTransferPrize(uint p, uint n, address payable guesser) internal returns(bool)
{
if(n == _secretNumber)
{
guesser.transfer(p);
emit success("You guessed the correct number!");
}
else
{
emit wrongNumber("You've made an incorrect guess!");
}
}
function kill() public
{
require(msg.sender == _owner);
selfdestruct(_owner);
}
}
guess_the_number.yaml
description: Right-To-Left-Override control character (U+202E) user confusion
issues:
- id: SWC-130
count: 1
locations:
- bytecode_offsets: {}
line_numbers:
guess_the_number.sol: [31]