-
Notifications
You must be signed in to change notification settings - Fork 0
/
result-mythril-0.23.5-simple_dao.rt.hex.sarif
228 lines (228 loc) · 16.3 KB
/
result-mythril-0.23.5-simple_dao.rt.hex.sarif
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"results": [
{
"locations": [
{
"message": {
"text": "contract MAIN, function withdraw(uint256)"
},
"physicalLocation": {
"artifactLocation": {
"uri": "simple_dao.rt.hex"
},
"region": {
"startColumn": 289,
"startLine": 1
}
}
}
],
"message": {
"text": "An assertion violation was triggered.\nIt is possible to trigger an assertion violation. Note that Solidity assert() statements should only be used to check invariants. Review the transaction trace generated for this issue and either make sure your program logic is correct, or use require() instead of assert() if your goal is to constrain user inputs or enforce preconditions. Remember to validate inputs from both callers (for instance, via passed arguments) and callees (for instance, via return values).\nClassification: SWC-110\nSeverity: Medium"
},
"ruleId": "mythril_0_23_5_Exception_State"
},
{
"locations": [
{
"message": {
"text": "contract MAIN, function withdraw(uint256)"
},
"physicalLocation": {
"artifactLocation": {
"uri": "simple_dao.rt.hex"
},
"region": {
"startColumn": 1039,
"startLine": 1
}
}
}
],
"message": {
"text": "A call to a user-supplied address is executed.\nAn external message call to an address specified by the caller is executed. Note that the callee account might contain arbitrary code and could re-enter any function within this contract. Reentering the contract in an intermediate state may lead to unexpected behaviour. Make sure that no state modifications are executed after this call and/or reentrancy guards are in place.\nClassification: SWC-107\nSeverity: Low"
},
"ruleId": "mythril_0_23_5_External_Call_To_User_Supplied_Address"
},
{
"locations": [
{
"message": {
"text": "contract MAIN, function withdraw(uint256)"
},
"physicalLocation": {
"artifactLocation": {
"uri": "simple_dao.rt.hex"
},
"region": {
"startColumn": 1039,
"startLine": 1
}
}
}
],
"message": {
"text": "The return value of a message call is not checked.\nExternal calls return a boolean value. If the callee halts with an exception, 'false' is returned and execution continues in the caller. The caller should check whether an exception happened and react accordingly to avoid unexpected behavior. For example it is often desirable to wrap external calls in require() so the transaction is reverted if the call fails.\nClassification: SWC-104\nSeverity: Medium"
},
"ruleId": "mythril_0_23_5_Unchecked_return_value_from_external_call"
},
{
"locations": [
{
"message": {
"text": "contract MAIN, function withdraw(uint256)"
},
"physicalLocation": {
"artifactLocation": {
"uri": "simple_dao.rt.hex"
},
"region": {
"startColumn": 1039,
"startLine": 1
}
}
}
],
"message": {
"text": "Any sender can withdraw Ether from the contract account.\nArbitrary senders other than the contract creator can profitably extract Ether from the contract account. Verify the business logic carefully and make sure that appropriate security controls are in place to prevent unexpected loss of funds.\nClassification: SWC-105\nSeverity: High"
},
"ruleId": "mythril_0_23_5_Unprotected_Ether_Withdrawal"
},
{
"locations": [
{
"message": {
"text": "contract MAIN, function withdraw(uint256)"
},
"physicalLocation": {
"artifactLocation": {
"uri": "simple_dao.rt.hex"
},
"region": {
"startColumn": 1189,
"startLine": 1
}
}
}
],
"message": {
"text": "Read of persistent state following external call\nThe contract account state is accessed after an external call to a user defined address. To prevent reentrancy issues, consider accessing the state only before the call, especially if the callee is untrusted. Alternatively, a reentrancy lock can be used to prevent untrusted callees from re-entering the contract in an intermediate state.\nClassification: SWC-107\nSeverity: Medium"
},
"ruleId": "mythril_0_23_5_State_access_after_external_call"
},
{
"locations": [
{
"message": {
"text": "contract MAIN, function withdraw(uint256)"
},
"physicalLocation": {
"artifactLocation": {
"uri": "simple_dao.rt.hex"
},
"region": {
"startColumn": 1203,
"startLine": 1
}
}
}
],
"message": {
"text": "Write to persistent state following external call\nThe contract account state is accessed after an external call to a user defined address. To prevent reentrancy issues, consider accessing the state only before the call, especially if the callee is untrusted. Alternatively, a reentrancy lock can be used to prevent untrusted callees from re-entering the contract in an intermediate state.\nClassification: SWC-107\nSeverity: Medium"
},
"ruleId": "mythril_0_23_5_State_access_after_external_call"
}
],
"tool": {
"driver": {
"informationUri": "https://github.com/ConsenSys/mythril",
"name": "Mythril",
"rules": [
{
"fullDescription": {
"text": "Read of/Write to persistent state following external call The contract account state is accessed after an external call to a user-defined/fixed address. To prevent reentrancy issues, consider accessing the state only before the call, especially if the callee is untrusted. Alternatively, a reentrancy lock can be used to prevent untrusted callees from re-entering the contract in an intermediate state. Classification: SWC-107. Detection method: Check whether the account state is accesses after the execution of an external call"
},
"help": {
"text": "The contract account state is accessed after an external call to a user-defined/fixed address. To prevent reentrancy issues, consider accessing the state only before the call, especially if the callee is untrusted. Alternatively, a reentrancy lock can be used to prevent untrusted callees from re-entering the contract in an intermediate state."
},
"id": "mythril_0_23_5_State_access_after_external_call",
"name": "State access after external call",
"shortDescription": {
"text": "Read of/Write to persistent state following external call"
}
},
{
"fullDescription": {
"text": "A call to a user-supplied address is executed. An external message call to an address specified by the caller is executed. Note that the callee account might contain arbitrary code and could re-enter any function within this contract. Reentering the contract in an intermediate state may lead to unexpected behaviour. Make sure that no state modifications are executed after this call and/or reentrancy guards are in place. Classification: SWC-107. Detection method: Search for external calls with unrestricted gas to a user-specified address."
},
"help": {
"text": "An external message call to an address specified by the caller is executed. Note that the callee account might contain arbitrary code and could re-enter any function within this contract. Reentering the contract in an intermediate state may lead to unexpected behaviour. Make sure that no state modifications are executed after this call and/or reentrancy guards are in place."
},
"id": "mythril_0_23_5_External_Call_To_User_Supplied_Address",
"name": "External Call To User-Supplied Address",
"properties": {
"security-severity": "2.0"
},
"shortDescription": {
"text": "A call to a user-supplied address is executed."
}
},
{
"fullDescription": {
"text": "The return value of a message call is not checked. External calls return a boolean value. If the callee halts with an exception, 'false' is returned and execution continues in the caller. The caller should check whether an exception happened and react accordingly to avoid unexpected behavior. For example it is often desirable to wrap external calls in require() so the transaction is reverted if the call fails. Classification: SWC-104. Detection method: Test whether CALL return value is checked. For direct calls, the Solidity compiler auto-generates this check. For low-level-calls this check is omitted."
},
"help": {
"text": "External calls return a boolean value. If the callee halts with an exception, 'false' is returned and execution continues in the caller. The caller should check whether an exception happened and react accordingly to avoid unexpected behavior. For example it is often desirable to wrap external calls in require() so the transaction is reverted if the call fails."
},
"id": "mythril_0_23_5_Unchecked_return_value_from_external_call",
"name": "Unchecked return value from external call.",
"properties": {
"security-severity": "5.5"
},
"shortDescription": {
"text": "The return value of a message call is not checked."
}
},
{
"fullDescription": {
"text": "An assertion violation was triggered. It is possible to trigger an assertion violation. Note that Solidity assert() statements should only be used to check invariants. Review the transaction trace generated for this issue and either make sure your program logic is correct, or use require() instead of assert() if your goal is to constrain user inputs or enforce preconditions. Remember to validate inputs from both callers (for instance, via passed arguments) and callees (for instance, via return values). Classification: SWC-110. Detection method: Checks whether any exception states are reachable."
},
"help": {
"text": "It is possible to trigger an assertion violation. Note that Solidity assert() statements should only be used to check invariants. Review the transaction trace generated for this issue and either make sure your program logic is correct, or use require() instead of assert() if your goal is to constrain user inputs or enforce preconditions. Remember to validate inputs from both callers (for instance, via passed arguments) and callees (for instance, via return values)."
},
"id": "mythril_0_23_5_Exception_State",
"name": "Exception State",
"properties": {
"security-severity": "5.5"
},
"shortDescription": {
"text": "An assertion violation was triggered."
}
},
{
"fullDescription": {
"text": "Any sender can withdraw Ether from the contract account. Arbitrary senders other than the contract creator can profitably extract Ether from the contract account. Verify the business logic carefully and make sure that appropriate security controls are in place to prevent unexpected loss of funds. Classification: SWC-105. Detection method: Search for cases where Ether can be withdrawn to a user-specified address. An issue is reported if there is a valid end state where the attacker has successfully increased their Ether balance."
},
"help": {
"text": "Arbitrary senders other than the contract creator can profitably extract Ether from the contract account. Verify the business logic carefully and make sure that appropriate security controls are in place to prevent unexpected loss of funds."
},
"id": "mythril_0_23_5_Unprotected_Ether_Withdrawal",
"name": "Unprotected Ether Withdrawal",
"properties": {
"security-severity": "8.0"
},
"shortDescription": {
"text": "Any sender can withdraw Ether from the contract account."
}
}
],
"version": "0.23.5"
}
}
}
],
"version": "2.1.0"
}