From e36be4b69d41947ccfcfe3acc29d62e865c69533 Mon Sep 17 00:00:00 2001 From: Bernhard Mueller Date: Thu, 23 May 2019 13:05:38 +0200 Subject: [PATCH 1/4] Refactor multiple_sends module --- mythril/analysis/modules/multiple_sends.py | 56 +++++++++------------- 1 file changed, 23 insertions(+), 33 deletions(-) diff --git a/mythril/analysis/modules/multiple_sends.py b/mythril/analysis/modules/multiple_sends.py index 1afaaed2..53f9a29a 100644 --- a/mythril/analysis/modules/multiple_sends.py +++ b/mythril/analysis/modules/multiple_sends.py @@ -17,11 +17,11 @@ log = logging.getLogger(__name__) class MultipleSendsAnnotation(StateAnnotation): def __init__(self) -> None: - self.calls = [] # type: List[Optional[Call]] + self.call_offsets = [] # type: List[int] def __copy__(self): result = MultipleSendsAnnotation() - result.calls = copy(self.calls) + result.call_offsets = copy(self.call_offsets) return result 
@@ -62,51 +62,41 @@ def _analyze_state(state: GlobalState): list(state.get_annotations(MultipleSendsAnnotation)), ) if len(annotations) == 0: - log.debug("Creating annotation for state") state.annotate(MultipleSendsAnnotation()) annotations = cast( List[MultipleSendsAnnotation], list(state.get_annotations(MultipleSendsAnnotation)), ) - calls = annotations[0].calls + call_offsets = annotations[0].call_offsets if instruction["opcode"] in ["CALL", "DELEGATECALL", "STATICCALL", "CALLCODE"]: - call = get_call_from_state(state) - if call: - calls += [call] + call_offsets.append(state.get_current_instruction()["address"]) else: # RETURN or STOP - if len(calls) > 1: + if len(call_offsets) > 1: - description_tail = ( - "Consecutive calls are executed at the following bytecode offsets:\n" - ) + for offset in call_offsets[1:]: - for call in calls: - description_tail += "Offset: {}\n".format( - call.state.get_current_instruction()["address"] + description_tail = ( + "This call is executed after a previous call in the same transaction. " + "Try to isolate each call, transfer or send into its own transaction." 
) - description_tail += ( - "Try to isolate each external call into its own transaction," - " as external calls can fail accidentally or deliberately.\n" - ) - - issue = Issue( - contract=state.environment.active_account.contract_name, - function_name=state.environment.active_function_name, - address=instruction["address"], - swc_id=MULTIPLE_SENDS, - bytecode=state.environment.code.bytecode, - title="Multiple Calls in a Single Transaction", - severity="Medium", - description_head="Multiple sends are executed in one transaction.", - description_tail=description_tail, - gas_used=(state.mstate.min_gas_used, state.mstate.max_gas_used), - ) - - return [issue] + issue = Issue( + contract=state.environment.active_account.contract_name, + function_name=state.environment.active_function_name, + address=offset, + swc_id=MULTIPLE_SENDS, + bytecode=state.environment.code.bytecode, + title="Multiple Calls in a Single Transaction", + severity="Low", + description_head="Multiple calls are executed in the same transaction.", + description_tail=description_tail, + gas_used=(state.mstate.min_gas_used, state.mstate.max_gas_used), + ) + + return [issue] return [] From 4d91d803fb2af8a413b52082269e7a73d3649a61 Mon Sep 17 00:00:00 2001 From: Bernhard Mueller Date: Thu, 23 May 2019 13:10:07 +0200 Subject: [PATCH 2/4] Remove unused dependencies --- mythril/analysis/modules/multiple_sends.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/mythril/analysis/modules/multiple_sends.py b/mythril/analysis/modules/multiple_sends.py index 53f9a29a..5c9ff5ae 100644 --- a/mythril/analysis/modules/multiple_sends.py +++ b/mythril/analysis/modules/multiple_sends.py 
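Review bot: The `return [issue]` placed at the end of the `for offset in call_offsets[1:]:` body exits on the first iteration, so a transaction with three or more calls reports only the second call's offset and silently drops the rest. Collect the issues instead and return them after the loop: `issues = []` before the loop, `issues.append(issue)` in place of the return, and `return issues` after it (the `if len(call_offsets) > 1:` guard then adds nothing, since the slice is empty for fewer calls). The same early return is kept in the `@@ -72,29 +72,28 @@` hunk of PATCH 3/4, which only removes the guard. The invariant `description_tail` text could also be built once outside the loop. `_analyze_state`'s signature and the annotation lookup begin before this hunk.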
@@ -1,16 +1,14 @@ """This module contains the detection code to find multiple sends occurring in a single transaction.""" from copy import copy -from typing import cast, List, Optional +from typing import cast, List -from mythril.analysis.ops import Call from mythril.analysis.report import Issue from mythril.analysis.swc_data import MULTIPLE_SENDS from mythril.analysis.modules.base import DetectionModule from mythril.laser.ethereum.state.annotation import StateAnnotation from mythril.laser.ethereum.state.global_state import GlobalState import logging -from mythril.analysis.call_helpers import get_call_from_state log = logging.getLogger(__name__) From de78d019e323aae0ddafdb54ab0f5ee5109cbce7 Mon Sep 17 00:00:00 2001 From: Bernhard Mueller Date: Fri, 24 May 2019 09:49:38 +0200 Subject: [PATCH 3/4] Norhh suggestion #1 --- mythril/analysis/modules/multiple_sends.py | 45 +++++++++++----------- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/mythril/analysis/modules/multiple_sends.py b/mythril/analysis/modules/multiple_sends.py index 5c9ff5ae..6b09db77 100644 --- a/mythril/analysis/modules/multiple_sends.py +++ b/mythril/analysis/modules/multiple_sends.py 
@@ -72,29 +72,28 @@ def _analyze_state(state: GlobalState): call_offsets.append(state.get_current_instruction()["address"]) else: # RETURN or STOP - if len(call_offsets) > 1: - - for offset in call_offsets[1:]: - - description_tail = ( - "This call is executed after a previous call in the same transaction. " - "Try to isolate each call, transfer or send into its own transaction." - ) - - issue = Issue( - contract=state.environment.active_account.contract_name, - function_name=state.environment.active_function_name, - address=offset, - swc_id=MULTIPLE_SENDS, - bytecode=state.environment.code.bytecode, - title="Multiple Calls in a Single Transaction", - severity="Low", - description_head="Multiple calls are executed in the same transaction.", - description_tail=description_tail, - gas_used=(state.mstate.min_gas_used, state.mstate.max_gas_used), - ) - - return [issue] + + for offset in call_offsets[1:]: + + description_tail = ( + "This call is executed after a previous call in the same transaction. " + "Try to isolate each call, transfer or send into its own transaction." + ) + + issue = Issue( + contract=state.environment.active_account.contract_name, + function_name=state.environment.active_function_name, + address=offset, + swc_id=MULTIPLE_SENDS, + bytecode=state.environment.code.bytecode, + title="Multiple Calls in a Single Transaction", + severity="Low", + description_head="Multiple calls are executed in the same transaction.", + description_tail=description_tail, + gas_used=(state.mstate.min_gas_used, state.mstate.max_gas_used), + ) + + return [issue] return [] From 062a07c2c7ad049a5bc2185e21b53ead9a43b2dd Mon Sep 17 00:00:00 2001 
From: Nikhil Parasaram Date: Sat, 25 May 2019 11:56:30 +0530 Subject: [PATCH 4/4] Use symbolic storage for concrete=False (#1039) --- mythril/laser/ethereum/state/account.py | 6 ++- .../outputs_expected/calls.sol.o.graph.html | 6 +-- .../outputs_expected/calls.sol.o.json | 20 +++++----- .../outputs_expected/calls.sol.o.jsonv2 | 20 +++++----- .../outputs_expected/calls.sol.o.markdown | 26 ++++++------- .../outputs_expected/calls.sol.o.text | 26 ++++++------- .../ether_send.sol.o.graph.html | 4 +- .../outputs_expected/ether_send.sol.o.json | 29 ++++++++++++++- .../outputs_expected/ether_send.sol.o.jsonv2 | 37 ++++++++++++++++++- .../ether_send.sol.o.markdown | 28 +++++++++++++- .../outputs_expected/ether_send.sol.o.text | 23 +++++++++++- .../returnvalue.sol.o.graph.html | 6 +-- .../outputs_expected/returnvalue.sol.o.json | 12 +++--- .../outputs_expected/returnvalue.sol.o.jsonv2 | 12 +++--- .../returnvalue.sol.o.markdown | 16 ++++---- .../outputs_expected/returnvalue.sol.o.text | 16 ++++---- 16 files changed, 199 insertions(+), 88 deletions(-) diff --git a/mythril/laser/ethereum/state/account.py b/mythril/laser/ethereum/state/account.py index 381562ca..e806a71e 100644 --- a/mythril/laser/ethereum/state/account.py +++ b/mythril/laser/ethereum/state/account.py @@ -47,9 +47,13 @@ class Storage: return self._storage[item] except ValueError: pass + if self.concrete: return symbol_factory.BitVecVal(0, 256) - self._storage[item] = symbol_factory.BitVecVal(0, 256) + + self._storage[item] = symbol_factory.BitVecSym( + "storage_{}_{}".format(str(item), str(self.address)), 256 + ) return self._storage[item] def __setitem__(self, key: Union[int, str], value: Any) -> None: diff --git a/tests/testdata/outputs_expected/calls.sol.o.graph.html b/tests/testdata/outputs_expected/calls.sol.o.graph.html index 0884c542..0614f7da 100644 --- a/tests/testdata/outputs_expected/calls.sol.o.graph.html +++ b/tests/testdata/outputs_expected/calls.sol.o.graph.html @@ -24,8 +24,8 @@ 
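Review bot: The symbolic fallback in `Storage.__getitem__` names the fresh variable from `str(item)`, so two distinct keys that stringify identically — the int `5` and the string `"5"`, both admitted by the `Union[int, str]` key type visible on `__setitem__` — would resolve to the same named symbol and be treated as one storage slot, if both key forms reach this path. Normalising the key before the lookup, or folding the key's type into the name, would rule that out. The branch also deserves a why-comment, e.g. `# Non-concrete accounts model unset slots as fresh symbols so that loaded values stay unconstrained`, since the expected-output changes in this commit (stored callee addresses now reported as "External Call To User-Supplied Address" at Medium, plus new findings in ether_send) follow directly from that modelling choice and reviewers of those fixtures will want the link. The start of `__getitem__`, including the `try`/`except ValueError` that precedes this hunk, lies outside it.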
@@ -59,4 +59,4 @@ }); - + \ No newline at end of file diff --git a/tests/testdata/outputs_expected/calls.sol.o.json b/tests/testdata/outputs_expected/calls.sol.o.json index fbcd2784..93fce2b7 100644 --- a/tests/testdata/outputs_expected/calls.sol.o.json +++ b/tests/testdata/outputs_expected/calls.sol.o.json @@ -5,14 +5,14 @@ "address": 661, "contract": "Unknown", "debug": "", - "description": "The contract executes an external message call.\nAn external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully.", + "description": "A call to a user-supplied address is executed.\nThe callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state.", "function": "thisisfine()", "max_gas_used": 1254, "min_gas_used": 643, - "severity": "Low", + "severity": "Medium", "sourceMap": null, "swc-id": "107", - "title": "External Call To Fixed Address" + "title": "External Call To User-Supplied Address" }, { "address": 661, 
@@ -31,14 +31,14 @@ "address": 779, "contract": "Unknown", "debug": "", - "description": "The contract executes an external message call.\nAn external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully.", + "description": "A call to a user-supplied address is executed.\nThe callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state.", "function": "callstoredaddress()", "max_gas_used": 1298, "min_gas_used": 687, - "severity": "Low", + "severity": "Medium", "sourceMap": null, "swc-id": "107", - "title": "External Call To Fixed Address" + "title": "External Call To User-Supplied Address" }, { "address": 779, @@ -57,14 +57,14 @@ "address": 858, "contract": "Unknown", "debug": "", - "description": "The contract executes an external message call.\nAn external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully.", + "description": "A call to a user-supplied address is executed.\nThe callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state.", "function": "reentrancy()", "max_gas_used": 1320, "min_gas_used": 709, - "severity": "Low", + "severity": "Medium", "sourceMap": null, "swc-id": "107", - "title": "External Call To Fixed Address" + "title": "External Call To User-Supplied Address" }, { "address": 858, @@ -87,7 +87,7 @@ "function": "reentrancy()", "max_gas_used": null, "min_gas_used": null, - "severity": "Low", + "severity": "Medium", "sourceMap": null, "swc-id": "107", "title": "State change after external call" 
diff --git a/tests/testdata/outputs_expected/calls.sol.o.jsonv2 b/tests/testdata/outputs_expected/calls.sol.o.jsonv2 index 624d3410..9acb8f18 100644 --- a/tests/testdata/outputs_expected/calls.sol.o.jsonv2 +++ b/tests/testdata/outputs_expected/calls.sol.o.jsonv2 @@ -3,8 +3,8 @@ "issues": [ { "description": { - "head": "The contract executes an external message call.", - "tail": "An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully." + "head": "A call to a user-supplied address is executed.", + "tail": "The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state." }, "extra": { "discoveryTime": "" @@ -14,14 +14,14 @@ "sourceMap": "661:1:0" } ], - "severity": "Low", + "severity": "Medium", "swcID": "SWC-107", "swcTitle": "Reentrancy" }, { "description": { - "head": "The contract executes an external message call.", - "tail": "An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully." + "head": "A call to a user-supplied address is executed.", + "tail": "The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state." }, "extra": { "discoveryTime": "" 
@@ -31,14 +31,14 @@ "sourceMap": "779:1:0" } ], - "severity": "Low", + "severity": "Medium", "swcID": "SWC-107", "swcTitle": "Reentrancy" }, { "description": { - "head": "The contract executes an external message call.", - "tail": "An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully." + "head": "A call to a user-supplied address is executed.", + "tail": "The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state." }, "extra": { "discoveryTime": "" @@ -48,7 +48,7 @@ "sourceMap": "858:1:0" } ], - "severity": "Low", + "severity": "Medium", "swcID": "SWC-107", "swcTitle": "Reentrancy" }, @@ -82,7 +82,7 @@ "sourceMap": "869:1:0" } ], - "severity": "Low", + "severity": "Medium", "swcID": "SWC-107", "swcTitle": "Reentrancy" }, diff --git a/tests/testdata/outputs_expected/calls.sol.o.markdown b/tests/testdata/outputs_expected/calls.sol.o.markdown index b45544be..9472f159 100644 --- a/tests/testdata/outputs_expected/calls.sol.o.markdown +++ b/tests/testdata/outputs_expected/calls.sol.o.markdown @@ -1,8 +1,8 @@ # Analysis results for test-filename.sol -## External Call To Fixed Address +## External Call To User-Supplied Address - SWC ID: 107 -- Severity: Low +- Severity: Medium - Contract: Unknown - Function name: `thisisfine()` - PC address: 661 
@@ -10,8 +10,8 @@ ### Description -The contract executes an external message call. -An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully. +A call to a user-supplied address is executed. +The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state. ## Unchecked Call Return Value - SWC ID: 104 @@ -26,9 +26,9 @@ An external function call to a fixed contract address is executed. Make sure tha The return value of a message call is not checked. External calls return a boolean value. If the callee contract halts with an exception, 'false' is returned and execution continues in the caller. It is usually recommended to wrap external calls into a require statement to prevent unexpected states. -## External Call To Fixed Address +## External Call To User-Supplied Address - SWC ID: 107 -- Severity: Low +- Severity: Medium - Contract: Unknown - Function name: `callstoredaddress()` - PC address: 779 @@ -36,8 +36,8 @@ External calls return a boolean value. If the callee contract halts with an exce ### Description -The contract executes an external message call. -An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully. +A call to a user-supplied address is executed. +The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state. ## Unchecked Call Return Value - SWC ID: 104 
@@ -52,9 +52,9 @@ An external function call to a fixed contract address is executed. Make sure tha The return value of a message call is not checked. External calls return a boolean value. If the callee contract halts with an exception, 'false' is returned and execution continues in the caller. It is usually recommended to wrap external calls into a require statement to prevent unexpected states. -## External Call To Fixed Address +## External Call To User-Supplied Address - SWC ID: 107 -- Severity: Low +- Severity: Medium - Contract: Unknown - Function name: `reentrancy()` - PC address: 858 @@ -62,8 +62,8 @@ External calls return a boolean value. If the callee contract halts with an exce ### Description -The contract executes an external message call. -An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully. +A call to a user-supplied address is executed. +The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state. ## Unchecked Call Return Value - SWC ID: 104 @@ -80,7 +80,7 @@ External calls return a boolean value. If the callee contract halts with an exce ## State change after external call - SWC ID: 107 -- Severity: Low +- Severity: Medium - Contract: Unknown - Function name: `reentrancy()` - PC address: 869 diff --git a/tests/testdata/outputs_expected/calls.sol.o.text b/tests/testdata/outputs_expected/calls.sol.o.text index 27706fd1..6b20a8a3 100644 --- a/tests/testdata/outputs_expected/calls.sol.o.text +++ b/tests/testdata/outputs_expected/calls.sol.o.text 
@@ -1,12 +1,12 @@ -==== External Call To Fixed Address ==== +==== External Call To User-Supplied Address ==== SWC ID: 107 -Severity: Low +Severity: Medium Contract: Unknown Function name: thisisfine() PC address: 661 Estimated Gas Usage: 643 - 1254 -The contract executes an external message call. -An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully. +A call to a user-supplied address is executed. +The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state. -------------------- ==== Unchecked Call Return Value ==== @@ -20,15 +20,15 @@ The return value of a message call is not checked. External calls return a boolean value. If the callee contract halts with an exception, 'false' is returned and execution continues in the caller. It is usually recommended to wrap external calls into a require statement to prevent unexpected states. -------------------- -==== External Call To Fixed Address ==== +==== External Call To User-Supplied Address ==== SWC ID: 107 -Severity: Low +Severity: Medium Contract: Unknown Function name: callstoredaddress() PC address: 779 Estimated Gas Usage: 687 - 1298 -The contract executes an external message call. -An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully. +A call to a user-supplied address is executed. +The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state. -------------------- ==== Unchecked Call Return Value ==== 
@@ -42,15 +42,15 @@ The return value of a message call is not checked. External calls return a boolean value. If the callee contract halts with an exception, 'false' is returned and execution continues in the caller. It is usually recommended to wrap external calls into a require statement to prevent unexpected states. -------------------- -==== External Call To Fixed Address ==== +==== External Call To User-Supplied Address ==== SWC ID: 107 -Severity: Low +Severity: Medium Contract: Unknown Function name: reentrancy() PC address: 858 Estimated Gas Usage: 709 - 1320 -The contract executes an external message call. -An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully. +A call to a user-supplied address is executed. +The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state. -------------------- ==== Unchecked Call Return Value ==== @@ -66,7 +66,7 @@ External calls return a boolean value. If the callee contract halts with an exce ==== State change after external call ==== SWC ID: 107 -Severity: Low +Severity: Medium Contract: Unknown Function name: reentrancy() PC address: 869 diff --git a/tests/testdata/outputs_expected/ether_send.sol.o.graph.html b/tests/testdata/outputs_expected/ether_send.sol.o.graph.html index 74bac94a..b7ea6248 100644 --- a/tests/testdata/outputs_expected/ether_send.sol.o.graph.html +++ b/tests/testdata/outputs_expected/ether_send.sol.o.graph.html @@ -24,8 +24,8 @@ diff --git a/tests/testdata/outputs_expected/ether_send.sol.o.json b/tests/testdata/outputs_expected/ether_send.sol.o.json index 712f50c1..3f7072fe 100644 --- a/tests/testdata/outputs_expected/ether_send.sol.o.json +++ b/tests/testdata/outputs_expected/ether_send.sol.o.json 
@@ -1,5 +1,32 @@ { "error": null, - "issues": [], + "issues": [ + { + "address": 722, + "contract": "Unknown", + "debug": "", + "description": "Anyone can withdraw ETH from the contract account.\nArbitrary senders other than the contract creator can withdraw ETH from the contract account without previously having sent an equivalent amount of ETH to it. This is likely to be a vulnerability.", + "function": "withdrawfunds()", + "max_gas_used": 1749, + "min_gas_used": 1138, + "severity": "High", + "sourceMap": null, + "swc-id": "105", + "title": "Unprotected Ether Withdrawal" + }, + { + "address": 883, + "contract": "Unknown", + "debug": "", + "description": "The binary addition can overflow.\nThe operands of the addition operation are not sufficiently constrained. The addition could therefore result in an integer overflow. Prevent the overflow by checking inputs or ensure sure that the overflow is caught by an assertion.", + "function": "invest()", + "max_gas_used": 26883, + "min_gas_used": 6598, + "severity": "High", + "sourceMap": null, + "swc-id": "101", + "title": "Integer Overflow" + } + ], "success": true } \ No newline at end of file diff --git a/tests/testdata/outputs_expected/ether_send.sol.o.jsonv2 b/tests/testdata/outputs_expected/ether_send.sol.o.jsonv2 index 9f1597a1..a92e3c21 100644 --- a/tests/testdata/outputs_expected/ether_send.sol.o.jsonv2 +++ b/tests/testdata/outputs_expected/ether_send.sol.o.jsonv2 
@@ -1,6 +1,41 @@ [ { - "issues": [], + "issues": [ + { + "description": { + "head": "Anyone can withdraw ETH from the contract account.", + "tail": "Arbitrary senders other than the contract creator can withdraw ETH from the contract account without previously having sent an equivalent amount of ETH to it. This is likely to be a vulnerability." + }, + "extra": { + "discoveryTime": "" + }, + "locations": [ + { + "sourceMap": "722:1:0" + } + ], + "severity": "High", + "swcID": "SWC-105", + "swcTitle": "Unprotected Ether Withdrawal" + }, + { + "description": { + "head": "The binary addition can overflow.", + "tail": "The operands of the addition operation are not sufficiently constrained. The addition could therefore result in an integer overflow. Prevent the overflow by checking inputs or ensure sure that the overflow is caught by an assertion." + }, + "extra": { + "discoveryTime": "" + }, + "locations": [ + { + "sourceMap": "883:1:0" + } + ], + "severity": "High", + "swcID": "SWC-101", + "swcTitle": "Integer Overflow and Underflow" + } + ], "meta": {}, "sourceFormat": "evm-byzantium-bytecode", "sourceList": [ diff --git a/tests/testdata/outputs_expected/ether_send.sol.o.markdown b/tests/testdata/outputs_expected/ether_send.sol.o.markdown index 321484fd..2e1c2a9e 100644 --- a/tests/testdata/outputs_expected/ether_send.sol.o.markdown +++ b/tests/testdata/outputs_expected/ether_send.sol.o.markdown 
@@ -1,3 +1,27 @@ -# Analysis results for None +# Analysis results for test-filename.sol -The analysis was completed successfully. No issues were detected. +## Unprotected Ether Withdrawal +- SWC ID: 105 +- Severity: High +- Contract: Unknown +- Function name: `withdrawfunds()` +- PC address: 722 +- Estimated Gas Usage: 1138 - 1749 + +### Description + +Anyone can withdraw ETH from the contract account. +Arbitrary senders other than the contract creator can withdraw ETH from the contract account without previously having sent an equivalent amount of ETH to it. This is likely to be a vulnerability. + +## Integer Overflow +- SWC ID: 101 +- Severity: High +- Contract: Unknown +- Function name: `invest()` +- PC address: 883 +- Estimated Gas Usage: 6598 - 26883 + +### Description + +The binary addition can overflow. +The operands of the addition operation are not sufficiently constrained. The addition could therefore result in an integer overflow. Prevent the overflow by checking inputs or ensure sure that the overflow is caught by an assertion. diff --git a/tests/testdata/outputs_expected/ether_send.sol.o.text b/tests/testdata/outputs_expected/ether_send.sol.o.text index 729320d8..493978be 100644 --- a/tests/testdata/outputs_expected/ether_send.sol.o.text +++ b/tests/testdata/outputs_expected/ether_send.sol.o.text 
@@ -1 +1,22 @@ -The analysis was completed successfully. No issues were detected. +==== Unprotected Ether Withdrawal ==== +SWC ID: 105 +Severity: High +Contract: Unknown +Function name: withdrawfunds() +PC address: 722 +Estimated Gas Usage: 1138 - 1749 +Anyone can withdraw ETH from the contract account. +Arbitrary senders other than the contract creator can withdraw ETH from the contract account without previously having sent an equivalent amount of ETH to it. This is likely to be a vulnerability. +-------------------- + +==== Integer Overflow ==== +SWC ID: 101 +Severity: High +Contract: Unknown +Function name: invest() +PC address: 883 +Estimated Gas Usage: 6598 - 26883 +The binary addition can overflow. +The operands of the addition operation are not sufficiently constrained. The addition could therefore result in an integer overflow. Prevent the overflow by checking inputs or ensure sure that the overflow is caught by an assertion. +-------------------- + diff --git a/tests/testdata/outputs_expected/returnvalue.sol.o.graph.html b/tests/testdata/outputs_expected/returnvalue.sol.o.graph.html index 278fa213..cbc662d5 100644 --- a/tests/testdata/outputs_expected/returnvalue.sol.o.graph.html +++ b/tests/testdata/outputs_expected/returnvalue.sol.o.graph.html @@ -24,8 +24,8 @@ @@ -59,4 +59,4 @@ }); - + \ No newline at end of file diff --git a/tests/testdata/outputs_expected/returnvalue.sol.o.json b/tests/testdata/outputs_expected/returnvalue.sol.o.json index b31986bd..1f01da4b 100644 --- a/tests/testdata/outputs_expected/returnvalue.sol.o.json +++ b/tests/testdata/outputs_expected/returnvalue.sol.o.json 
@@ -5,27 +5,27 @@ "address": 196, "contract": "Unknown", "debug": "", - "description": "The contract executes an external message call.\nAn external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully.", + "description": "A call to a user-supplied address is executed.\nThe callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state.", "function": "callchecked()", "max_gas_used": 1210, "min_gas_used": 599, - "severity": "Low", + "severity": "Medium", "sourceMap": null, "swc-id": "107", - "title": "External Call To Fixed Address" + "title": "External Call To User-Supplied Address" }, { "address": 285, "contract": "Unknown", "debug": "", - "description": "The contract executes an external message call.\nAn external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully.", + "description": "A call to a user-supplied address is executed.\nThe callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state.", "function": "callnotchecked()", "max_gas_used": 1232, "min_gas_used": 621, - "severity": "Low", + "severity": "Medium", "sourceMap": null, "swc-id": "107", - "title": "External Call To Fixed Address" + "title": "External Call To User-Supplied Address" }, { "address": 285, diff --git a/tests/testdata/outputs_expected/returnvalue.sol.o.jsonv2 b/tests/testdata/outputs_expected/returnvalue.sol.o.jsonv2 index 03fb9c0d..9c245482 100644 --- a/tests/testdata/outputs_expected/returnvalue.sol.o.jsonv2 +++ b/tests/testdata/outputs_expected/returnvalue.sol.o.jsonv2 
@@ -3,8 +3,8 @@ "issues": [ { "description": { - "head": "The contract executes an external message call.", - "tail": "An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully." + "head": "A call to a user-supplied address is executed.", + "tail": "The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state." }, "extra": { "discoveryTime": "" @@ -14,14 +14,14 @@ "sourceMap": "196:1:0" } ], - "severity": "Low", + "severity": "Medium", "swcID": "SWC-107", "swcTitle": "Reentrancy" }, { "description": { - "head": "The contract executes an external message call.", - "tail": "An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully." + "head": "A call to a user-supplied address is executed.", + "tail": "The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state." }, "extra": { "discoveryTime": "" @@ -31,7 +31,7 @@ "sourceMap": "285:1:0" } ], - "severity": "Low", + "severity": "Medium", "swcID": "SWC-107", "swcTitle": "Reentrancy" }, diff --git a/tests/testdata/outputs_expected/returnvalue.sol.o.markdown b/tests/testdata/outputs_expected/returnvalue.sol.o.markdown index fcbd0a1b..5309f405 100644 --- a/tests/testdata/outputs_expected/returnvalue.sol.o.markdown +++ b/tests/testdata/outputs_expected/returnvalue.sol.o.markdown 
@@ -1,8 +1,8 @@ # Analysis results for test-filename.sol -## External Call To Fixed Address +## External Call To User-Supplied Address - SWC ID: 107 -- Severity: Low +- Severity: Medium - Contract: Unknown - Function name: `callchecked()` - PC address: 196 @@ -10,12 +10,12 @@ ### Description -The contract executes an external message call. -An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully. +A call to a user-supplied address is executed. +The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state. -## External Call To Fixed Address +## External Call To User-Supplied Address - SWC ID: 107 -- Severity: Low +- Severity: Medium - Contract: Unknown - Function name: `callnotchecked()` - PC address: 285 @@ -23,8 +23,8 @@ An external function call to a fixed contract address is executed. Make sure tha ### Description -The contract executes an external message call. -An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully. +A call to a user-supplied address is executed. +The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state. ## Unchecked Call Return Value - SWC ID: 104 diff --git a/tests/testdata/outputs_expected/returnvalue.sol.o.text b/tests/testdata/outputs_expected/returnvalue.sol.o.text index 2678bf80..baff23ea 100644 --- a/tests/testdata/outputs_expected/returnvalue.sol.o.text +++ b/tests/testdata/outputs_expected/returnvalue.sol.o.text 
@@ -1,23 +1,23 @@ -==== External Call To Fixed Address ==== +==== External Call To User-Supplied Address ==== SWC ID: 107 -Severity: Low +Severity: Medium Contract: Unknown Function name: callchecked() PC address: 196 Estimated Gas Usage: 599 - 1210 -The contract executes an external message call. -An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully. +A call to a user-supplied address is executed. +The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state. -------------------- -==== External Call To Fixed Address ==== +==== External Call To User-Supplied Address ==== SWC ID: 107 -Severity: Low +Severity: Medium Contract: Unknown Function name: callnotchecked() PC address: 285 Estimated Gas Usage: 621 - 1232 -The contract executes an external message call. -An external function call to a fixed contract address is executed. Make sure that the callee contract has been reviewed carefully. +A call to a user-supplied address is executed. +The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state. -------------------- ==== Unchecked Call Return Value ====