Shulou(Shulou.com)06/01 Report--

This article mainly analyzes the relevant knowledge points of the example analysis of Dapp vulnerabilities caused by the improper use of visibility specifiers, the content is detailed and easy to understand, the operation details are reasonable, and has a certain reference value. If you are interested, you might as well follow the editor and learn more about the example analysis of Dapp vulnerabilities caused by the improper use of visibility specifiers.

The Solidity function has a visibility specifier that indicates how the function is allowed to be accessed. Visibility determines whether a function can be called by the user, by other derived contracts, from outside, only from within, and so on. There are 4 visibility specifiers. The default visibility specifier for the function is public-allows the user to make external calls. Improper use of visibility specifiers can lead to catastrophic vulnerabilities.

Attack principle

The default visibility specifier for a function is public. If the function visibility specifier is not specified, it is considered to be public, meaning that the function will allow external users to call. A vulnerability is introduced when development programmers incorrectly specify visibility specifiers for functions that are supposed to be private (which can only be accessed from within the contract). Take a look at the following example:

Contract HashForEther {function withdrawWinnings () {/ / Winner if the last 8 hex characters of the address are 0. Require (uint32 (msg.sender) = = 0); _ sendWinnings ();} function _ sendWinnings () {msg.sender.transfer (this.balance);}}

This simple contract is a game of guessing an address to get a reward. The user must generate an etheric place address, and if its last 8 bits in hexadecimal are all zeros, the game can be won. Once they win the game, they can get a reward by calling the WithdrawWinnings () function. Unfortunately, however, the visibility of the function is not specified, especially since the _ sendWinnings () function is public and can be called from any address to steal the reward.

Protection technology

In intelligent contract programming, it is best to assign all functions to specify the function's visibility, even if they are intentionally public. Recent versions of Solidity include a compilation warning that the visibility specifier is not explicitly specified.

This is the end of the "example analysis of Dapp vulnerabilities caused by the improper use of visibility specifiers". More related content can be searched for previous articles, hoping to help you answer questions and questions, please support the website!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.