Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect untrusted input used to make a call #2510

Open
frangio opened this issue Jul 16, 2024 · 1 comment
Open

Detect untrusted input used to make a call #2510

frangio opened this issue Jul 16, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@frangio
Copy link

frangio commented Jul 16, 2024

Describe the desired feature

A common way a contract can be made vulnerable is to make a call with attacker-controlled target and data. For example, see this Li.Fi exploit.

Slither could detect that the arguments to .call are untrusted and flag it as a warning.
@frangio frangio added the enhancement New feature or request label Jul 16, 2024
@huzhanchi
Copy link

In li.fi case, the untrusted calldata passed into .call and could be successfully swapped, essentially caused by arbitray call of depositToGasZipERC20 , no permission controll.

  1. In Slither scope, we could referece the implementation like arbitrary-send-erc20, however Slither is a static data flow audit tool.
    So completeness is a advantage than soundness.
    Arbitray call issue about Slither
  2. You can try smbolic tool like Mythrill and Manticore(Manticore I haven't try so far)
    Arbitray call issue with symbolic method

@github-actions github-actions bot mentioned this issue Aug 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@frangio @huzhanchi