Add another example with call to demonstrate Re-Entrancy#3197
Merged
axic merged 2 commits intoargotorg:developfrom Dec 12, 2017
medvedev1088:fix-security-considerations-example
Merged
Add another example with call to demonstrate Re-Entrancy#3197axic merged 2 commits intoargotorg:developfrom medvedev1088:fix-security-considerations-example
axic merged 2 commits intoargotorg:developfrom
medvedev1088:fix-security-considerations-example
Conversation
axic
reviewed
Nov 13, 2017
docs/security-considerations.rst
Outdated
|
|
||
| The problem is not too serious here because of the limited gas as part | ||
| of ``send``, but it still exposes a weakness: Ether transfer always | ||
| of ``call``, but it still exposes a weakness: Ether transfer always |
Contributor
There was a problem hiding this comment.
Please see the first part of this sentence "not too serious here because of the limited gas".
I think it would be a good idea to leave the above sentence as it is and introduce a new example using call and explain that is even more dangerous than send.
What do yo think?
Author
There was a problem hiding this comment.
I agree. I added a new example that uses call. Please review again.
medvedev1088
changed the title
Add another contract with call to demonstrate re-entrancy vulnerability as send explicitly sets gas to 2300 by default according to this commit 9ca7472 which makes it impossible to "get multiple refunds" because a non-zero CALL costs at least 9700 gas. This issue is discussed on Ethereum StackExchange https://ethereum.stackexchange.com/questions/30371/send-ether-reentrancy-attack-in-reality-how-could-fallback-function-make-a-mes/30616#30616
…e-entrancy example
Contributor
|
Rebased to have the new indentation rules (and trigger compilation tests). |
axic
approved these changes
Dec 12, 2017
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add another example with
callto demonstrate Re-Entrancy. Sincesendexplicitly sets gas to 2300 by default according to this commit 9ca7472 which makes it impossible to "get multiple refunds" because a non-zero CALL costs at least 9700 gas. This issue is discussed on Ethereum StackExchange https://ethereum.stackexchange.com/questions/30371/send-ether-reentrancy-attack-in-reality-how-could-fallback-function-make-a-mes/30616#30616