Blockchain & Smart Contract Security #11 1/9 Secure Account Existence check for Low-level Calls
A thread and a blog post by @SolidityScan. Also read about the "King of Ethers" contract hack.
2/9 What are low-level calls?
Low-level calls are methods that operate on raw addresses to invoke other contracts' functions in Solidity. "call", "delegatecall", "callcode", "send", "transfer", etc. are some examples of low-level functions.
3/9 The call() method allows you to call any function you want on the address specified, and if the function is implemented on that address, it will be executed.
4/9
The delegatecall() method calls a function of contract B from contract A while the function runs with contract A's storage, balance and address. This allows us to use the function in contract B as library code.
Read more here: blog.solidityscan.com/security-issue…
5/9
staticcall() is another low-level function. The only difference between a staticcall and a call is that a staticcall cannot change the state of the contract it is calling.
6/9
Pitfalls of using Low-Level Calls
Low-level calls skip type checking, function-existence checks and argument packing, so they have a high chance of erroring out and do not by themselves check for call success or for code existence at the target. Calling a contract function this way is generally not advised.
7/9 Security issues that arise from using low-level calls.
Unchecked Call Return Value:
If the call's return value is unchecked, the contract will be unaware of failed calls.
8/9 In case receive() and fallback() are defined:
The contract's fallback function is called if the function passed to the call method doesn't exist on the target. If the contract doesn't provide a fallback function, the call method returns a success state of false.
9/9
Recommendations:
It is always recommended to check for call success or failure when making a low-level call. @SolidityScan finds these bugs automagically.
Check out the "King of Ethers" contract hack explanation in our blog post. blog.solidityscan.com/secure-account…
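The two pitfalls from this thread side by side, as an added example that is not from the thread or from SolidityScan: a hypothetical UnsafeCaller that discards the call result, and a SafeCaller that checks for code at the target (the EVM reports success for a call to an address with no code, such as an EOA or an undeployed address) and then checks the success flag. Contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Hypothetical contract (not from the thread) showing the two pitfalls:
/// 1. an unchecked low-level call return value, and
/// 2. a missing account-existence check.
contract UnsafeCaller {
    /// Forwards `data` to `target` and ignores whether it succeeded.
    function ping(address target, bytes calldata data) external {
        // Pitfall 1: `success` is discarded, so a reverted call (for example a
        // target with no matching function and no fallback) goes unnoticed.
        // Pitfall 2: if `target` has no code, this call "succeeds" anyway.
        target.call(data);
    }
}

contract SafeCaller {
    error NoCodeAtTarget(address target);
    error CallFailed(address target, bytes returndata);

    /// Forwards `data` to `target`, requiring that a contract actually lives
    /// there and that the call succeeded.
    function ping(address target, bytes calldata data)
        external
        returns (bytes memory)
    {
        // Existence check: the EVM returns success=true for a call to an
        // address with no code, so verify code is present before calling.
        if (target.code.length == 0) revert NoCodeAtTarget(target);

        // Return-value check: bubble the failure up instead of ignoring it.
        (bool success, bytes memory returndata) = target.call(data);
        if (!success) revert CallFailed(target, returndata);
        return returndata;
    }
}
```

Note that `target.code.length` is also zero while the target's own constructor is running, so a contract that must be callable during construction needs a different existence check.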