Kingdom: Errors
Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with "API Abuse," there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle.
Denial of Service: External Call
Abstract
A function calls an external contract inside a loop statement which can result in Denial of Service.
Explanation
A call made to an external contract can fail, which might cause a Denial of Service inside the calling contract if the failure is not handled correctly. Which can leave the contract unavailable for further use.
This is especially relevant when the external call is executed inside a loop statement and even more when dealing with payments, where it is usually better to let users withdraw funds instead of pushing funds to them.
Example 1: The following code uses a
This is especially relevant when the external call is executed inside a loop statement and even more when dealing with payments, where it is usually better to let users withdraw funds instead of pushing funds to them.
Example 1: The following code uses a
for loop statement to refund all involved addresses by using the send external call.
function refundAll() public {
for(uint x; x < refundAddresses.length; x++) {
require(refundAddresses[x].send(refunds[refundAddresses[x]]));
}
}
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 703
[6] Standards Mapping - Smart Contract Weakness Classification SWC-113
desc.structural.solidity.swc113