# | Test | checked |
---|---|---|
1 | Is internal logic sound? | |
1.1 | unit tests | |
1.2 | fuzz testing / quickcheck | |
1.3 | are we following Solidity coding guidelines? | |
1.4 | is the contract as simple as it can be? | |
2 | Can we fail send? | |
2.1 | is enough gas included? | |
2.2 | fallback mechanism ("ring-fence" the funds for the recipient to withdraw) | |
2.3 | is there an automatic test which verifies such a scenario? | |
3 | Are recursive calls possible? | |
4 | Are we protected against wraparound of the '+' operator? | |
4.1 | check every place where user input is provided | |
4.2 | add preconditions where appropriate | |
5 | Can user-supplied data be a problem for other users? | |
6 | Exposed functions | |
6.1 | check the compiler-generated ABI for unexpected functions | |
6.2 | audit every external function to ensure it's intended to be exposed | |
6.3 | is the exposed function appropriately protected? | |
7 | Are we exposing any secrets? | |
8 | Denial of service / dust spam | |
8.1 | limit length of user-supplied data | |
8.2 | avoid non-linear behaviour (cost dependent on size of input/state) | |
8.3 | ensure that a non-trivial payment is required for actions that influence other users | |
8.4 | use DDoS protection for websites related to content | |
8.5 | websites and services in multiple datacentres with automated hot failover | |
9 | Miner vulnerabilities | |
9.1 | don't use block hashes | |
9.2 | don't expect precision better than 15 minutes from block timestamps | |
9.3 | don't provide miners with an incentive large enough to cheat | |
10 | Malicious creator (MC) | |
10.1 | don't store users' funds so they can't be stolen by the MC | |
10.2 | don't allow rules to be changed by the MC (unilaterally) | |
10.3 | ring-fence the creator's funds for the creator (their commission) | |
11 | Off-chain safety (don't let an attacker cheat your users) | |
11.1 | use strong HTTPS when talking to users | |
11.2 | use 2FA on hosting provider, DNS, email, reddit, github | |
11.3 | follow OWASP and ISO-27001 controls where applicable | |
11.4 | key material on encrypted storage on physically separated hardware | |
12 | Cross-chain replay attacks | |
13 | tx.origin - don't use for authentication! | |
14 | Solidity function signatures and fallback data | |
14.1 | phishing: try to prevent users from manually sending "magic data" to the contract | |
14.2 | poisoning: don't use the fallback function, it's tricky | |
15 | Don't use any crypto (crypto is hard) | |
16 | Gas limits | |
16.1 | don't delete or loop over arrays that may grow with user input | |
16.2 | limit length of user-supplied info | |
16.3 | run automated tests for gas usage | |
16.4 | perform fuzz testing | |
17 | Stack depth exhaustion | |
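As an added example of what items 4, 5, 6, 8.1, 13 and 16 of the checklist above look like in code (this is illustration written for this page, not code from golem-crowdfunding or the GNT contracts), here is a small capped token with explicit preconditions on every user-controlled value, authorisation bound to `msg.sender` rather than `tx.origin`, and per-user storage that is bounded instead of unbounded. All names (`CappedToken`, `MAX_MEMO`, `setMemo`, `mint`) are assumptions made for the illustration. It targets Solidity 0.8, where `+` reverts on overflow; the pre-0.8 idiom the checklist was written against is shown in a comment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not code from golem-crowdfunding) for checklist items 4, 5, 6,
// 8.1, 13 and 16: explicit preconditions on user input, authorisation bound to
// msg.sender rather than tx.origin, and bounded per-user storage. All names
// (CappedToken, MAX_MEMO, setMemo, ...) are assumptions made for illustration.
contract CappedToken {
    address public immutable owner;
    uint256 public immutable cap;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    // Items 8.1 / 16.2: user-supplied data is kept, but its length is bounded.
    mapping(address => bytes) public memo;
    uint256 public constant MAX_MEMO = 128;
    // Item 16.1: deliberately no `address[] holders` array. Anything that grows
    // with user input and is later looped over or deleted can exceed the block
    // gas limit and make that function unusable for everyone.

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 cap_) {
        require(cap_ > 0, "cap must be positive"); // check constructor params
        owner = msg.sender;
        cap = cap_;
    }

    // Item 13: tx.origin is the externally owned account that started the
    // transaction, so any contract the owner merely interacts with could call
    // mint() on the owner's behalf. msg.sender is the immediate caller, which
    // is the identity authorisation must bind to.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Items 4, 6.3: every value a user controls gets a precondition. Before
    // Solidity 0.8 `totalSupply + amount` wrapped silently and the idiom was
    // `require(totalSupply + amount >= totalSupply)`; since 0.8 the addition
    // reverts on overflow, but the business bound (the cap) is still an
    // explicit check, and an `unchecked { }` block would reintroduce wraparound.
    function mint(address to, uint256 amount) external onlyOwner {
        require(to != address(0), "zero address");
        // totalSupply <= cap is an invariant of this contract (mint is the only
        // increase and is bounded here), so the subtraction cannot underflow.
        require(amount > 0 && amount <= cap - totalSupply, "exceeds cap");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    // Item 5: one user's input only ever changes that user's own balance and
    // the recipient's; it cannot make another user's later call fail.
    function transfer(address to, uint256 value) external returns (bool) {
        require(to != address(0), "zero address");
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);
        return true;
    }

    // Items 8.1 / 16.2: refuse oversized input instead of storing it. Note that
    // `memo` being `public` puts a getter in the compiler-generated ABI; item
    // 6.1 is exactly the check that every such getter is intended.
    function setMemo(bytes calldata data) external {
        require(data.length <= MAX_MEMO, "memo too long");
        memo[msg.sender] = data;
    }
}
```

For item 6.1, compile this with `solc --abi` and read the generated list: every `public` state variable (`owner`, `cap`, `totalSupply`, `balanceOf`, `memo`) appears there as a view function, which is what the checklist asks you to confirm is intended rather than accidental.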
Check also this: https://www.kingoftheether.com/postmortem.html#Causes.
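Items 2.x, 3, 10.3 and 14.2 of the checklist, and the failure mode in the King of the Ether post-mortem linked above (contract-initiated `send()` to a recipient that is itself a contract fails under the 2300-gas stipend), are all addressed by the same design: the contract never pushes ether, each party pulls what is ring-fenced for it. The following is an added example written for this page, not code from golem-crowdfunding; the names (`PullPaymentSale`, `owed`, `finalize`, `withdraw`) are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not code from golem-crowdfunding) for checklist items 2.x, 3,
// 10.3 and 14.2 and for the King of the Ether failure mode: no
// contract-initiated payments, each party pulls what is ring-fenced for it.
// Names (PullPaymentSale, owed, finalize, ...) are assumptions for illustration.
contract PullPaymentSale {
    address public immutable creator;
    uint256 public immutable fundingGoal;
    uint256 public immutable deadline;   // unix timestamp; item 9.2: coarse precision only

    mapping(address => uint256) public contributed; // each contributor's funds, ring-fenced
    mapping(address => uint256) public owed;        // creator's share once the sale succeeds
    uint256 public totalRaised;
    bool public finalized;
    bool private locked;                            // item 3: reentrancy guard

    event Withdrawn(address indexed who, uint256 amount);

    modifier noReentrancy() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(uint256 goal, uint256 durationSeconds) {
        require(goal > 0 && durationSeconds > 0, "bad params");
        creator = msg.sender;
        fundingGoal = goal;
        deadline = block.timestamp + durationSeconds;
    }

    // Item 14.2: ether that arrives without a recognised function selector is
    // rejected, so a mistyped or phished "magic data" transaction can neither
    // credit anyone nor be silently swallowed.
    receive() external payable { revert("use contribute()"); }
    fallback() external payable { revert("unknown function"); }

    function contribute() external payable {
        require(block.timestamp < deadline, "sale closed");
        require(msg.value > 0, "no value sent");
        contributed[msg.sender] += msg.value;
        totalRaised += msg.value;
    }

    // Decides the outcome but moves no ether. Looping over contributors and
    // calling send() here (item 16.1) would hit the block gas limit as the list
    // grows, and send()'s 2300-gas stipend fails for recipients that are
    // contract wallets, which is what the King of the Ether post-mortem describes.
    function finalize() external {
        require(block.timestamp >= deadline, "sale still running");
        require(!finalized, "already finalized");
        finalized = true;
        if (totalRaised >= fundingGoal) {
            owed[creator] = totalRaised;   // item 10.3: creator's share, separately accounted
        }
        // On failure nothing changes: every contribution stays in `contributed`.
    }

    // Item 2.2: the recipient pulls and pays its own gas, so a failing send only
    // affects the one party whose call reverts. Checks, then effects, then the
    // external interaction, so a re-entrant call sees a zero balance.
    function withdraw() external noReentrancy {
        require(finalized, "not finalized");
        uint256 amount;
        if (totalRaised >= fundingGoal) {
            amount = owed[msg.sender];
            owed[msg.sender] = 0;
        } else {
            amount = contributed[msg.sender];
            contributed[msg.sender] = 0;
        }
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "send failed");       // revert restores the balance zeroed above
        emit Withdrawn(msg.sender, amount);
    }
}
```

For item 2.3, the test to write against this is a contributor that is itself a contract whose `receive()` reverts or burns more than 2300 gas: its own `withdraw()` must revert and leave its `contributed` entry intact, while every other contributor's `withdraw()` still succeeds.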