23.SWC-123_Requirement Violation
2023-07-13 16:12:08 # 09.SWC

SWC-123_Requirement Violation

Requirement Violation

  • Description: The Solidity require() construct is meant to validate external inputs of a function. In most cases, such external inputs are provided by callers, but they may also be returned by callees. In the former case, we refer to them as precondition violations. Violations of a requirement can indicate one of two possible issues:

    1. A bug exists in the contract that provided the external input.
    2. The condition used to express the requirement is too strong.

  • Remediation: If the required logical condition is too strong, it should be weakened to allow all valid external inputs.

    Otherwise, the bug must be in the contract that provided the external input and one should consider fixing its code by making sure no invalid inputs are provided.

vulnerability contract 1:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
pragma solidity ^0.4.25;

contract Bar {
    Foo private f = new Foo();
    function doubleBaz() public view returns (int256) {
        return 2 * f.baz(0);
        // fix: return 2 * f.baz(1); //Changes the external contract to not hit the overly strong requirement.
    }
}

contract Foo {
    function baz(int256 x) public pure returns (int256) {
        require(0 < x);
        return 42;
    }
}
Prev
2023-07-13 16:12:08 # 09.SWC
Next