24.SWC-124_storage
2023-07-13 15:54:56 # 09.SWC

SWC-124_storage

Write to Arbitrary Storage Location

  • Description: A smart contract’s data (e.g., storing the owner of the contract) is persistently stored at some storage location (i.e., a key or address) on the EVM level. The contract is responsible for ensuring that only authorized user or contract accounts may write to sensitive storage locations. If an attacker is able to write to arbitrary storage locations of a contract, the authorization checks may easily be circumvented. This can allow an attacker to corrupt the storage; for instance, by overwriting a field that stores the address of the contract owner.
  • Remediation: As a general advice, given that all data structures share the same storage (address) space, one should make sure that writes to one data structure cannot inadvertently overwrite entries of another data structure.

vulnerability contract 1:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
pragma solidity ^0.4.25;

contract Wallet {
uint[] private bonusCodes;
address private owner;

constructor() public {
bonusCodes = new uint[](0);
owner = msg.sender;
}

function () public payable {
}

function PushBonusCode(uint c) public {
bonusCodes.push(c);
}

function PopBonusCode() public {
require(0 <= bonusCodes.length);
// fix : require(0 < bonusCodes.length);
bonusCodes.length--;
} // underflow to get all storage layout

function UpdateBonusCodeAt(uint idx, uint c) public {
require(idx < bonusCodes.length);
bonusCodes[idx] = c;
} // set the storage layout

function Destroy() public {
require(msg.sender == owner);
selfdestruct(msg.sender);
}
}

vulnerability contract 2:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
pragma solidity ^0.4.24;

//This code is derived from the Capture the Ether https://capturetheether.com/challenges/math/mapping/

contract Map {
address public owner;
uint256[] map;

function set(uint256 key, uint256 value) public {
if (map.length <= key) {
// https://www.levi104.com/2023/06/23/01.Capturetheether%20CTF/10.Mapping/
map.length = key + 1;
}
map[key] = value;
}

function get(uint256 key) public view returns (uint256) {
return map[key];
}
function withdraw() public{
require(msg.sender == owner);
msg.sender.transfer(address(this).balance);
}
}
Prev
2023-07-13 15:54:56 # 09.SWC
Next