-
Notifications
You must be signed in to change notification settings - Fork 0
/
result-mythril-0.23.5-simple_dao.sol.sarif
185 lines (185 loc) · 12.9 KB
/
result-mythril-0.23.5-simple_dao.sol.sarif
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"results": [
{
"locations": [
{
"message": {
"text": "contract SimpleDAO, function withdraw(uint256)"
},
"physicalLocation": {
"artifactLocation": {
"uri": "simple_dao.sol"
},
"region": {
"startLine": 19
}
}
}
],
"message": {
"text": "A call to a user-supplied address is executed.\nAn external message call to an address specified by the caller is executed. Note that the callee account might contain arbitrary code and could re-enter any function within this contract. Reentering the contract in an intermediate state may lead to unexpected behaviour. Make sure that no state modifications are executed after this call and/or reentrancy guards are in place.\nClassification: SWC-107\nSeverity: Low"
},
"ruleId": "mythril_0_23_5_External_Call_To_User_Supplied_Address"
},
{
"locations": [
{
"message": {
"text": "contract SimpleDAO, function withdraw(uint256)"
},
"physicalLocation": {
"artifactLocation": {
"uri": "simple_dao.sol"
},
"region": {
"startLine": 19
}
}
}
],
"message": {
"text": "The return value of a message call is not checked.\nExternal calls return a boolean value. If the callee halts with an exception, 'false' is returned and execution continues in the caller. The caller should check whether an exception happened and react accordingly to avoid unexpected behavior. For example it is often desirable to wrap external calls in require() so the transaction is reverted if the call fails.\nClassification: SWC-104\nSeverity: Medium"
},
"ruleId": "mythril_0_23_5_Unchecked_return_value_from_external_call"
},
{
"locations": [
{
"message": {
"text": "contract SimpleDAO, function withdraw(uint256)"
},
"physicalLocation": {
"artifactLocation": {
"uri": "simple_dao.sol"
},
"region": {
"startLine": 19
}
}
}
],
"message": {
"text": "Any sender can withdraw Ether from the contract account.\nArbitrary senders other than the contract creator can profitably extract Ether from the contract account. Verify the business logic carefully and make sure that appropriate security controls are in place to prevent unexpected loss of funds.\nClassification: SWC-105\nSeverity: High"
},
"ruleId": "mythril_0_23_5_Unprotected_Ether_Withdrawal"
},
{
"locations": [
{
"message": {
"text": "contract SimpleDAO, function withdraw(uint256)"
},
"physicalLocation": {
"artifactLocation": {
"uri": "simple_dao.sol"
},
"region": {
"startLine": 20
}
}
}
],
"message": {
"text": "Read of persistent state following external call\nThe contract account state is accessed after an external call to a user defined address. To prevent reentrancy issues, consider accessing the state only before the call, especially if the callee is untrusted. Alternatively, a reentrancy lock can be used to prevent untrusted callees from re-entering the contract in an intermediate state.\nClassification: SWC-107\nSeverity: Medium"
},
"ruleId": "mythril_0_23_5_State_access_after_external_call"
},
{
"locations": [
{
"message": {
"text": "contract SimpleDAO, function withdraw(uint256)"
},
"physicalLocation": {
"artifactLocation": {
"uri": "simple_dao.sol"
},
"region": {
"startLine": 20
}
}
}
],
"message": {
"text": "Write to persistent state following external call\nThe contract account state is accessed after an external call to a user defined address. To prevent reentrancy issues, consider accessing the state only before the call, especially if the callee is untrusted. Alternatively, a reentrancy lock can be used to prevent untrusted callees from re-entering the contract in an intermediate state.\nClassification: SWC-107\nSeverity: Medium"
},
"ruleId": "mythril_0_23_5_State_access_after_external_call"
}
],
"tool": {
"driver": {
"informationUri": "https://github.com/ConsenSys/mythril",
"name": "Mythril",
"rules": [
{
"fullDescription": {
"text": "Read of/Write to persistent state following external call The contract account state is accessed after an external call to a user-defined/fixed address. To prevent reentrancy issues, consider accessing the state only before the call, especially if the callee is untrusted. Alternatively, a reentrancy lock can be used to prevent untrusted callees from re-entering the contract in an intermediate state. Classification: SWC-107. Detection method: Check whether the account state is accesses after the execution of an external call"
},
"help": {
"text": "The contract account state is accessed after an external call to a user-defined/fixed address. To prevent reentrancy issues, consider accessing the state only before the call, especially if the callee is untrusted. Alternatively, a reentrancy lock can be used to prevent untrusted callees from re-entering the contract in an intermediate state."
},
"id": "mythril_0_23_5_State_access_after_external_call",
"name": "State access after external call",
"shortDescription": {
"text": "Read of/Write to persistent state following external call"
}
},
{
"fullDescription": {
"text": "Any sender can withdraw Ether from the contract account. Arbitrary senders other than the contract creator can profitably extract Ether from the contract account. Verify the business logic carefully and make sure that appropriate security controls are in place to prevent unexpected loss of funds. Classification: SWC-105. Detection method: Search for cases where Ether can be withdrawn to a user-specified address. An issue is reported if there is a valid end state where the attacker has successfully increased their Ether balance."
},
"help": {
"text": "Arbitrary senders other than the contract creator can profitably extract Ether from the contract account. Verify the business logic carefully and make sure that appropriate security controls are in place to prevent unexpected loss of funds."
},
"id": "mythril_0_23_5_Unprotected_Ether_Withdrawal",
"name": "Unprotected Ether Withdrawal",
"properties": {
"security-severity": "8.0"
},
"shortDescription": {
"text": "Any sender can withdraw Ether from the contract account."
}
},
{
"fullDescription": {
"text": "The return value of a message call is not checked. External calls return a boolean value. If the callee halts with an exception, 'false' is returned and execution continues in the caller. The caller should check whether an exception happened and react accordingly to avoid unexpected behavior. For example it is often desirable to wrap external calls in require() so the transaction is reverted if the call fails. Classification: SWC-104. Detection method: Test whether CALL return value is checked. For direct calls, the Solidity compiler auto-generates this check. For low-level-calls this check is omitted."
},
"help": {
"text": "External calls return a boolean value. If the callee halts with an exception, 'false' is returned and execution continues in the caller. The caller should check whether an exception happened and react accordingly to avoid unexpected behavior. For example it is often desirable to wrap external calls in require() so the transaction is reverted if the call fails."
},
"id": "mythril_0_23_5_Unchecked_return_value_from_external_call",
"name": "Unchecked return value from external call.",
"properties": {
"security-severity": "5.5"
},
"shortDescription": {
"text": "The return value of a message call is not checked."
}
},
{
"fullDescription": {
"text": "A call to a user-supplied address is executed. An external message call to an address specified by the caller is executed. Note that the callee account might contain arbitrary code and could re-enter any function within this contract. Reentering the contract in an intermediate state may lead to unexpected behaviour. Make sure that no state modifications are executed after this call and/or reentrancy guards are in place. Classification: SWC-107. Detection method: Search for external calls with unrestricted gas to a user-specified address."
},
"help": {
"text": "An external message call to an address specified by the caller is executed. Note that the callee account might contain arbitrary code and could re-enter any function within this contract. Reentering the contract in an intermediate state may lead to unexpected behaviour. Make sure that no state modifications are executed after this call and/or reentrancy guards are in place."
},
"id": "mythril_0_23_5_External_Call_To_User_Supplied_Address",
"name": "External Call To User-Supplied Address",
"properties": {
"security-severity": "2.0"
},
"shortDescription": {
"text": "A call to a user-supplied address is executed."
}
}
],
"version": "0.23.5"
}
}
}
],
"version": "2.1.0"
}