diff --git a/README.md b/README.md index 09e8b4df..64b3157f 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,7 @@ cargo scout-audit | [overflow-check](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/overflow-check) | An arithmetic operation overflows or underflows the available memory allocated to the variable. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/overflow-check/overflow-check-1)| Critical | | [insufficiently-random-values](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/insufficiently-random-values) | Avoid using block attributes for random number generation to prevent manipulation. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/insufficiently-random-values/insufficiently-random-values-1)| Critical | | [unprotected-update-current-contract-wasm](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/unprotected-update-current-contract-wasm) | If users are allowed to call `update_current_contract_wasm()`, they can intentionally modify the contract behaviour. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/unprotected-update-current-contract-wasm/unprotected-update-current-contract-wasm-1)| Critical | +| [avoid-core-mem-forget](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/avoid-core-mem-forget) | The use of `core::mem::forget()` could lead to memory leaks and logic errors. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/avoid-core-mem-forget/avoid-core-mem-forget-1) | Enhacement | ## Tests diff --git a/detectors/avoid-core-mem-forget/README.md b/detectors/avoid-core-mem-forget/README.md new file mode 100644 index 00000000..089b9c8c --- /dev/null +++ b/detectors/avoid-core-mem-forget/README.md @@ -0,0 +1,31 @@ +# Avoid core::mem::forget usage + +### What it does + +Checks for `core::mem::forget` usage. + +### Why is this bad? + +This is a bad practice because it can lead to memory leaks, resource leaks and logic errors. + +### Example + +```rust +pub fn forget_something(n: WithoutCopy) -> u64 { + core::mem::forget(n); + 0 +} +``` + +Use instead: + +```rust +pub fn forget_something(n: WithoutCopy) -> u64 { + let _ = n; + 0 +} +``` + +### Implementation + +The detector's implementation can be found at [this link](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/avoid-core-mem-forget). diff --git a/test-cases/README.md b/test-cases/README.md index b2956151..3d933d53 100644 --- a/test-cases/README.md +++ b/test-cases/README.md @@ -118,3 +118,10 @@ and has a Critical severity. If users are allowed to call `update_current_contract_wasm()`, they can intentionally modify the contract behaviour, leading to the loss of all associated data/tokens and functionalities given by this contract or by others that depend on it. To prevent this, the function should be restricted to administrators or authorized users only. This vulnerability falls under the [Authorization](#vulnerability-categories) category and has a Critical severity. + +### Avoid core::mem::forget + +The `core::mem::forget` function is used to forget about a value without running its destructor. This could lead to memory leaks and logic errors. + +We classified this issue, a deviation from best practices which could have +security implications, under the [Best practices](#vulnerability-categories) category and assigned it an Enhancement severity.