Commit

Update website content (#224)
* Add details to requirement_simple bytecode locations

* Tweak location info for SWC-128

* misformatted bytecode offsets

* Update README.md

Updating links and some minor textual changes.

* Slightly more descriptive error

* Print full error

* Clarify scope (#220)

* Kaden zipfel feature/gas griefing (#222)

* Insufficient gas griefing

* Add newlines

* Fix improper newlines

* Make changes to relayer contracts

* Add CWE reference

* Fix link

* Rename to SWC-126

* No target redeploy

* Fix compiler warnings

* Update SWC definition [ci skip]
s0b0lev authored and thec00n committed Dec 18, 2019
1 parent 16ad5bc commit 700fe5a
Showing 14 changed files with 2,847 additions and 15 deletions.
17 changes: 11 additions & 6 deletions README.md
Expand Up @@ -4,11 +4,11 @@
[![Discord](https://img.shields.io/discord/481002907366588416.svg)](https://discord.gg/qcNvR2r)


The Smart Contract Weakness Classification Registry is an implementation of the weakness classification scheme proposed in [EIP-1470](https://github.com/ethereum/EIPs/issues/1469). It is loosely aligned to the terminologies and structure used in the Common Weakness Enumeration ([CWE](https://cwe.mitre.org)) while overlaying a wide range of weakness variants that are specific to smart contracts.
The Smart Contract Weakness Classification Registry (SWC Registry) is an implementation of the weakness classification scheme proposed in [EIP-1470](https://github.com/ethereum/EIPs/issues/1469). It is loosely aligned to the terminologies and structure used in the Common Weakness Enumeration ([CWE](https://cwe.mitre.org)) while overlaying a wide range of weakness variants that are specific to smart contracts.

The goals of this project are as follows:

- Provide a straight forward way to classify security issues in smart contract systems.
- Provide a straightforward way to classify security issues in smart contract systems.
- Define a common language for describing security issues in smart contract systems' architecture, design, or code.
- Serve as a way to train and increase performance for smart contract security analysis tools.

Expand All @@ -35,7 +35,7 @@ Link to external references that contain useful additional information on the is
```

## Create a new Test Case
## Create a new test case

Test cases should be as varied as possible and include both simple test cases and real-world samples of vulnerable smart contracts. The test cases are grouped into subdirectories based on a single weakness variant or based on more complex real world contract systems that can contain various weakness variants. A single test case consists of the following structure:

Expand Down Expand Up @@ -89,7 +89,7 @@ The configuration contains meta-information about the weaknesses contained in a

Before you create a PR for the first time make sure you have read:

- the sections [Create a new SWC entry](#create-a-new-swc-entry) and [Create a test case](#create-a-new-test-case).
- the sections [Create a new SWC entry](#create-a-new-swc-entry) and [Create a new test case](#create-a-new-test-case).
- read several existing SWC definitions and their test cases.

From time to time there will be challenges on [Gitcoin](https://gitcoin.co). Follow the below link to check what challenges are currently open.
Expand All @@ -98,8 +98,13 @@ From time to time there will be challenges on [Gitcoin](https://gitcoin.co). Fol
<img src="https://gitcoin.co/funding/embed?repo=https://github.com/SmartContractSecurity/SWC-registry/&max_age=60&badge=1">
</a>

## Contact
### Scope of Weaknesses

SWCs should be concerned with weaknesses that can be identified within the code of a smart contract, typically Solidity.
Weaknesses in 'smart contract adjacent' code should not be included. For example, the [gas siphoning attack](https://github.com/SmartContractSecurity/SWC-registry/pull/140) occurs in wallet code, and should be protected against in wallet code.

This repository is maintained by the [Mythril](https://mythril.ai) team. Join the #swc-registry channel on the [Mythril Community Discord Server](https://discord.gg/qcNvR2r) for discussions.
## Contact

This repository is maintained by the team behind [MythX](https://mythx.io).

Please join the #swc-registry channel on the [MythX Discord](https://discord.gg/qcNvR2r) for discussions.
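Review bot: The new heading `### Scope of Weaknesses` is title case, while this same commit lowercases `## Create a new test case`; use one convention, for example `### Scope of weaknesses`. The scope paragraph excludes 'smart contract adjacent' code but gives only the wallet example; since SWC-126 in this commit concerns relayer contracts and forwarders, one sentence saying on which side of the line relayer code falls would help contributors decide what to submit.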
19 changes: 19 additions & 0 deletions entries/SWC-126.md
@@ -0,0 +1,19 @@
# Title
Insufficient Gas Griefing

## Relationships
[CWE-691: Insufficient Control Flow Management](https://cwe.mitre.org/data/definitions/691.html)

## Description
Insufficient gas griefing attacks can be performed on contracts which accept data and use it in a sub-call on another contract. If the sub-call fails, either the whole transaction is reverted, or execution is continued. In the case of a relayer contract, the user who executes the transaction, the 'forwarder', can effectively censor transactions by using just enough gas to execute the transaction, but not enough for the sub-call to succeed.

## Remediation
There are two options to prevent insufficient gas griefing:

- Only allow trusted users to relay transactions.
- Require that the forwarder provides enough gas.

## References
- [Consensys Smart Contract Best Practices](https://consensys.github.io/smart-contract-best-practices/known_attacks/#insufficient-gas-griefing)
- [What does griefing mean?](https://ethereum.stackexchange.com/questions/62829/what-does-griefing-mean)
- [Griefing Attacks: Are they profitable for the attacker?](https://ethereum.stackexchange.com/questions/73261/griefing-attacks-are-they-profitable-for-the-attacker)
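Review bot: The second Remediation bullet, `Require that the forwarder provides enough gas`, states the goal but not how a contract is meant to enforce it, so a reader cannot act on it; name the check or point to the test case contracts that show it. In the Description, 'either the whole transaction is reverted, or execution is continued' does not say which of the two outcomes lets the forwarder censor a transaction; spelling that out would make the weakness easier to recognise in review.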
9 changes: 9 additions & 0 deletions export/swc-definition.json
Expand Up @@ -233,6 +233,15 @@
"Remediation": "When inheriting multiple contracts, especially if they have identical functions, a developer should carefully specify inheritance in the correct order. The rule of thumb is to inherit contracts from more /general/ to more /specific/."
}
},
"SWC-126": {
"markdown": "# Title\nInsufficient Gas Griefing\n\n## Relationships\n[CWE-691: Insufficient Control Flow Management](https://cwe.mitre.org/data/definitions/691.html)\n\n## Description\nInsufficient gas griefing attacks can be performed on contracts which accept data and use it in a sub-call on another contract. If the sub-call fails, either the whole transaction is reverted, or execution is continued. In the case of a relayer contract, the user who executes the transaction, the 'forwarder', can effectively censor transactions by using just enough gas to execute the transaction, but not enough for the sub-call to succeed.\n\n## Remediation\nThere are two options to prevent insufficient gas griefing:\n\n- Only allow trusted users to relay transactions.\n- Require that the forwarder provides enough gas.\n\n## References\n- [Consensys Smart Contract Best Practices](https://consensys.github.io/smart-contract-best-practices/known_attacks/#insufficient-gas-griefing)\n- [What does griefing mean?](https://ethereum.stackexchange.com/questions/62829/what-does-griefing-mean)\n- [Griefing Attacks: Are they profitable for the attacker?](https://ethereum.stackexchange.com/questions/73261/griefing-attacks-are-they-profitable-for-the-attacker)",
"content": {
"Title": "Insufficient Gas Griefing",
"Relationships": "[CWE-691: Insufficient Control Flow Management](https://cwe.mitre.org/data/definitions/691.html)",
"Description": "Insufficient gas griefing attacks can be performed on contracts which accept data and use it in a sub-call on another contract. If the sub-call fails, either the whole transaction is reverted, or execution is continued. In the case of a relayer contract, the user who executes the transaction, the 'forwarder', can effectively censor transactions by using just enough gas to execute the transaction, but not enough for the sub-call to succeed.",
"Remediation": "There are two options to prevent insufficient gas griefing:\n\n\n- Only allow trusted users to relay transactions.\n- Require that the forwarder provides enough gas."
}
},
"SWC-127": {
"markdown": "# Title \nArbitrary Jump with Function Type Variable\n\n## Relationships\n[CWE-695: Use of Low-Level Functionality](https://cwe.mitre.org/data/definitions/695.html)\n\n## Description \nSolidity supports function types. That is, a variable of function type can be assigned with a reference to a function with a matching signature. The function saved to such variable can be called just like a regular function.\n\nThe problem arises when a user has the ability to arbitrarily change the function type variable and thus execute random code instructions. As Solidity doesn't support pointer arithmetics, it's impossible to change such variable to an arbitrary value. However, if the developer uses assembly instructions, such as `mstore` or assign operator, in the worst case scenario an attacker is able to point a function type variable to any code instruction, violating required validations and required state changes.\n\n## Remediation\nThe use of assembly should be minimal. A developer should not allow a user to assign arbitrary values to function type variables.\n\n## References \n* [Solidity CTF](https://medium.com/authio/solidity-ctf-part-2-safe-execution-ad6ded20e042)\n* [Solidity docs - Solidity Assembly](https://solidity.readthedocs.io/en/v0.4.25/assembly.html)\n* [Solidity docs - Function Types](https://solidity.readthedocs.io/en/v0.4.25/types.html#function-types)\n",
"content": {
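Review bot: In the `content.Remediation` string for SWC-126 the list is preceded by three newlines (`griefing:\n\n\n- Only allow`), while the `markdown` field of the same entry has two (`griefing:\n\n- Only allow`), so the two copies of the text differ. If this file is generated by scripts/update_swc.js, fix the section splitting there rather than in the export. The `content` object also carries no `References` key although the markdown has that section; that matches the entry above it, but it is worth confirming as intended.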
3 changes: 2 additions & 1 deletion scripts/update_swc.js
Expand Up @@ -36,7 +36,8 @@ const generateSWC = () => {
},
};
} catch(e) {
console.log(`[ERROR] Wrong document format: ${name}.md`)
console.log(`[ERROR] Wrong document format: ${name}.md, provide content for all required headings`)
console.log(e)
if (command && command === 'markdown-validate') {
process.exit(1);
}
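Review bot: The new message in the `catch(e)` block states one cause ('provide content for all required headings') for whatever exception the `try` threw, which can mislead when the failure is something else; word it as a hint and keep the added `console.log(e)` so the real error stays visible. Both lines write through `console.log`; `console.error` would suit error output better. Note also that `process.exit(1)` is still limited to `markdown-validate`, so in any other mode a malformed entry is logged and execution continues; confirm that is intended.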
Expand Up @@ -6,4 +6,4 @@ issues:
- bytecode_offsets:
'0x53aef779087c1829c3990fbf300aaafe4ccbd3328e8b6a630c7484b8c921aa8e': [408]
line_numbers:
dos_address.sol: [9,10,11,12]
dos_address.sol: [10]
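Review bot: `line_numbers` narrows from `[9,10,11,12]` to `[10]` while `bytecode_offsets` stays at `[408]` under the same hash; please confirm that offset 408 maps to line 10 of dos_address.sol. This file keeps its offset while the other two dos_gas_limit cases in this commit empty theirs, so a short note on why the three are treated differently would help.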
5 changes: 2 additions & 3 deletions test_cases/solidity/dos_gas_limit/dos_number/dos_number.yaml
Expand Up @@ -3,7 +3,6 @@ issues:
- id: SWC-128
count: 1
locations:
- bytecode_offsets:
'0x3e71712b10e2878a71d36b38b239d8560bedb5a1e0e9b6ade8d61ce8ec28fdf1': [413]
- bytecode_offsets: {}
line_numbers:
dos_number.sol: [11,12,13,14,15,16]
dos_number.sol: [29]
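Review bot: Replacing the hash-keyed entry with `bytecode_offsets: {}` removes the only bytecode location recorded for this SWC-128 case, so anything that compares findings against bytecode offsets has nothing to match. If the old hash no longer corresponds to the compiled contract, regenerate the hash and offset instead of leaving the map empty, or state why it is empty. The new `line_numbers` value `[29]` lies outside the old range `[11,12,13,14,15,16]`, which suggests dos_number.sol itself changed; that change is not visible in this hunk.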
5 changes: 2 additions & 3 deletions test_cases/solidity/dos_gas_limit/dos_simple/dos_simple.yaml
Expand Up @@ -3,7 +3,6 @@ issues:
- id: SWC-128
count: 1
locations:
- bytecode_offsets:
'0x81cafe753b96f7315b17b2bb5184b64b8f2cfe66a7077e94569355ce4dfa5208': [150]
- bytecode_offsets: {}
line_numbers:
dos_simple.sol: [10,11,12]
dos_simple.sol: [16]
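Review bot: As in the dos_number.yaml hunk, `bytecode_offsets` becomes `{}` here and the offset `[150]` is dropped, whereas dos_address.yaml keeps its offset in the same commit; either regenerate the hash and offset for dos_simple.sol or document why this case has no bytecode location. The location also moves from lines `[10,11,12]` to the single line `[16]`, so please confirm line 16 is the statement that carries the weakness in the current source.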