26 Apr 2023

Function Default Visibility (SWC-100)

Description

SWC-100 is a weakness that arises when a function is declared without an explicit visibility type. Such functions default to public, so any external account or contract can call them, which lets a malicious user make unauthorized or unintended changes to the contract's state. Every function in the system should therefore be given an appropriate visibility type. By deliberately setting the visibility of each function, developers minimize the risk of unauthorized access or unintended state changes and strengthen the overall security and integrity of the system. Even small oversights can have serious consequences in software security, and a proactive approach is key to keeping a system safe and reliable.

Remediation

In smart contract development, functions are classified into four visibility types: external, public, internal or private. Each serves a specific purpose and has its own properties. Developers should make a deliberate, conscious choice of visibility type for each function; doing so reduces the attack surface the contract system exposes and has a significant impact on its overall security.

By designating a function as external, developers are making it accessible from outside the contract, allowing it to be called by other contracts or external accounts. Public functions, on the other hand, are accessible both within and outside the contract, while internal functions are only accessible within the contract itself. Finally, private functions are only accessible from within the contract and cannot be called externally.
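The four visibility levels described above, shown side by side in one added example (this is not code from the original article). It assumes solc ^0.8.0, which, unlike the 0.4.x compiler targeted by SWC-100, refuses to compile a function that has no visibility keyword at all; the contract and function names (Vault, AuditedVault, Caller, _record, _reset) are illustrative. The derived contract also shows the practical difference between internal and private: an inheriting contract can reach internal functions but not private ones.

```solidity
// Added example (not from the original article): the four Solidity visibility
// levels and who may call each. Contract and function names are illustrative.
// Assumes solc ^0.8.0, which rejects functions with no visibility keyword.
pragma solidity ^0.8.0;

contract Vault {
    uint256 private total;

    // external: callable only from outside (EOAs, other contracts, or this
    // contract via `this.deposit{value: ...}()`); not reachable as a plain
    // internal call.
    function deposit() external payable {
        _record(msg.value);
    }

    // public: callable both from outside and internally; the compiler also
    // generates an ABI entry for it.
    function balance() public view returns (uint256) {
        return total;
    }

    // internal: callable from this contract and from contracts that inherit
    // from it; never exposed in the ABI, so no transaction can target it.
    function _record(uint256 amount) internal {
        total += amount;
    }

    // private: callable only from inside this exact contract body; even a
    // derived contract cannot reach it.
    function _reset() private {
        total = 0;
    }

    function closeBooks() public {
        _reset();          // allowed: same contract
    }
}

contract AuditedVault is Vault {
    function auditAdjust(uint256 amount) public {
        _record(amount);   // allowed: internal is visible to derived contracts
        // _reset();       // would not compile: private to Vault
        // deposit();      // would not compile: external needs `this.deposit{value: 0}()`
    }
}

contract Caller {
    function probe(Vault v) public view returns (uint256) {
        return v.balance(); // allowed: public is part of the ABI
        // v._record(1);    // would not compile: internal is not in the ABI
    }
}
```

Reviewing a contract against this table is the manual check for SWC-100: every function that is not meant to be an entry point should be internal or private, and the ABI generated by the compiler should list only the functions you intend external callers to reach.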

By taking the time to carefully consider which visibility type is appropriate for each function, developers can help to reduce the likelihood of vulnerabilities such as the SWC-100 vulnerability, where a lack of visibility type can lead to unintended access to the contract system. This approach can help to strengthen the overall security posture of the system, ultimately providing greater peace of mind for both developers and users alike.

Contract Samples

Code with a vulnerability

```solidity
pragma solidity ^0.4.24;

contract HashForEther {
    // No visibility specified: defaults to public in 0.4.x.
    function withdrawWinnings() {
        // Winner if the last 8 hex characters of the address are 0.
        require(uint32(msg.sender) == 0);
        _sendWinnings();
    }

    // No visibility specified: also public, so anyone can call it directly
    // and receive the whole balance, bypassing the winner check above.
    function _sendWinnings() {
        msg.sender.transfer(this.balance);
    }
}
```

Code without vulnerabilities

```solidity
pragma solidity ^0.4.24;

contract HashForEther {
    // Intended entry point: explicitly public.
    function withdrawWinnings() public {
        // Winner if the last 8 hex characters of the address are 0.
        require(uint32(msg.sender) == 0);
        _sendWinnings();
    }

    // Helper: explicitly internal, so it has no ABI entry and can only be
    // reached through withdrawWinnings() after the winner check.
    function _sendWinnings() internal {
        msg.sender.transfer(this.balance);
    }
}
```

Tools for scanning SWC-100

1. Mythril: Mythril is an open-source security analysis tool for Ethereum smart contracts. It can detect various types of vulnerabilities, including some SWC-100 issues, such as transaction ordering dependence (TOD) vulnerabilities.

2. Slither: Slither is another open-source security analysis tool for Ethereum smart contracts. It can detect a wide range of vulnerabilities, including some SWC-100 issues, such as reentrancy vulnerabilities.

3. Securify: Securify is a security analysis tool for Ethereum smart contracts that uses formal verification techniques to detect vulnerabilities. It can detect various types of vulnerabilities, including some SWC-100 issues, such as incorrect permission order.

4. SmartCheck: SmartCheck is a cloud-based smart contract security tool that can detect various types of vulnerabilities, including some SWC-100 issues, such as reentrancy vulnerabilities.

5. Oyente: Oyente is an open-source security analysis tool for Ethereum smart contracts. It can detect various types of vulnerabilities, including some SWC-100 issues, such as the timestamp dependency vulnerability.

Common Weakness Enumeration (CWE)

CWE-710: Improper Adherence to Coding Standards

Mitigation for SWC-100

1. Use safe math libraries: Use safe math libraries such as OpenZeppelin’s SafeMath to prevent integer overflows and underflows.

2. Limit the scope of variables: Use the lowest possible scope for variables to minimize the chance of them being modified by attackers.

3. Use compiler version pragmas: Use compiler version pragmas to ensure that the code behaves as expected.

4. Use external libraries and contracts from reputable sources: When using external libraries and contracts, ensure they come from reputable sources.

5. Implement input validation: Validate all user inputs to prevent malicious input from being processed by the smart contract.

6. Use access control mechanisms: Use access control mechanisms to restrict the execution of certain functions to authorized users only.

7. Test extensively: Test the smart contract extensively using various testing tools and techniques to identify potential vulnerabilities.
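The mitigations above applied together to the HashForEther sample, as an added example that is not part of the original article. It assumes solc ^0.8.0 (mitigation 3: a modern pragma, which also gives checked arithmetic so SafeMath from mitigation 1 is no longer needed) and adds an owner-only guard (mitigation 6). The contract name HashForEtherHardened, the WinningsPaid event and the ownerWithdraw function are illustrative additions.

```solidity
// Added example (not from the original article): the HashForEther logic
// rewritten with explicit visibility on every function and an owner-only
// guard on the privileged action. Assumes solc ^0.8.0; names are illustrative.
pragma solidity ^0.8.0;

contract HashForEtherHardened {
    address private immutable owner;

    // Constructed event so off-chain monitoring can spot every payout.
    event WinningsPaid(address indexed to, uint256 amount);

    // Mitigation 6: restrict privileged functions to an authorized account.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Funding entry point, explicitly `external payable` and nothing else.
    receive() external payable {}

    // Same winning condition as the original sample, written for 0.8, where
    // an address must be converted through uint160 before narrowing.
    function withdrawWinnings() external {
        require(uint32(uint160(msg.sender)) == 0, "not a winner");
        _sendWinnings(msg.sender);
    }

    // Emergency drain, reachable only by the owner.
    function ownerWithdraw() external onlyOwner {
        _sendWinnings(owner);
    }

    // `private`: no ABI entry exists, so no transaction can call this directly.
    // Leaving the keyword off would, under ^0.4.x, make it public and callable
    // by anyone; under ^0.5.0 and later the compiler refuses to compile it.
    function _sendWinnings(address to) private {
        uint256 amount = address(this).balance;
        (bool ok, ) = payable(to).call{value: amount}("");
        require(ok, "transfer failed");
        emit WinningsPaid(to, amount);
    }
}
```

The key property to verify in review (mitigation 7) is that the compiled ABI exposes exactly three entries, receive, withdrawWinnings and ownerWithdraw, and that the only path to the balance transfer runs through either the winner check or the owner check.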

Conclusion

SWC-100 is a critical vulnerability that allows an attacker to steal tokens or ETH from a vulnerable contract. Developers should therefore always explicitly set the visibility type for their functions in Solidity smart contracts. If a visibility type is not specified, the function is public by default, which can lead to unintended or unauthorized state changes. This vulnerability can be mitigated by carefully reviewing the contract code and using automated analysis tools to scan for potential vulnerabilities, including functions without explicit visibility types. Additionally, developers should follow best practices such as using the latest version of Solidity and testing their contracts thoroughly before deployment.
