-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add incorrect-exponentiation documentation
- Loading branch information
1 parent
804b31d
commit ebf9d99
Showing
1 changed file
with
24 additions
and
26 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,43 +1,41 @@ | ||
| # Zero or test address | ||
| # Incorrect Exponentiation | ||
|
|
||
| ### What it does | ||
| Checks whether the zero address is being inputed to a function without validation. | ||
|
|
||
| Warns about `^` being a `bit XOR` operation instead of an exponentiation. | ||
|
|
||
| ### Why is this bad? | ||
| Because the private key for the zero address is known, anyone could take ownership of the contract. | ||
|
|
||
| It can introduce unexpected behaviour in the smart contract. | ||
|
|
||
| #### More info | ||
|
|
||
| - https://doc.rust-lang.org/std/ops/trait.BitXor.html#tymethod.bitxor | ||
|
|
||
| ### Example | ||
|
|
||
| ```rust | ||
| pub fn set(e: Env, admin: Address, data: i32) -> Result<(), Error> { | ||
| if !ZeroAddressContract::ensure_is_admin(&e, admin)? { | ||
| return Err(Error::NotAdmin); | ||
| pub fn exp_data_3(e: Env) -> u128 { | ||
| let mut data = e.storage() | ||
| .instance() | ||
| .get::<DataKey, u128>(&DataKey::Data) | ||
| .expect("Data not found"); | ||
| data = data ^ 3; | ||
| return data; | ||
| } | ||
| e.storage().persistent().set(&DataKey::Data, &data); | ||
| Ok(()) | ||
| } | ||
| ``` | ||
|
|
||
|
|
||
| Use instead: | ||
|
|
||
| ```rust | ||
| pub fn set(e: Env, admin: Address, data: i32) -> Result<(), Error> { | ||
| if admin | ||
| == Address::from_string(&String::from_bytes( | ||
| &e, | ||
| b"GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWHF", | ||
| )) | ||
| { | ||
| return Err(Error::InvalidNewAdmin); | ||
| } | ||
| if !ZeroAddressContract::ensure_is_admin(&e, admin)? { | ||
| return Err(Error::NotAdmin); | ||
| pub fn exp_data_3(e: Env) -> u128 { | ||
| let data = e.storage() | ||
| .instance() | ||
| .get::<DataKey, u128>(&DataKey::Data) | ||
| .expect("Data not found"); | ||
| return data.pow(3); | ||
| } | ||
| e.storage().persistent().set(&DataKey::Data, &data); | ||
| Ok(()) | ||
| } | ||
| ``` | ||
|
|
||
| ### Implementation | ||
|
|
||
| The detector's implementation can be found at [this link](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/zero-or-test-address). | ||
| The detector's implementation can be found at [this link](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/incorrect-exponentiation). |