status-network-token icon indicating copy to clipboard operation
status-network-token copied to clipboard

Published 20 hours ago verified publisher icon status-im

Medium - MiniMeToken.sol - checks not done properly

Open k4ms opened this issue 8 years ago • 2 comments
trafficstars

As stated in the Solidity docs (http://solidity.readthedocs.io/en/develop/security-considerations.html#use-the-checks-effects-interactions-pattern), it is much safer to use the Checks-Effects-Interactions Pattern.

We can see 3 occurrences in the source code of MiniMeToken.sol where this pattern should be used to avoid improper situations :

  • doTransfer (l.239) : the check overflow is done too late and if the condition is met, amount can be deduced from sender and not credited to receiver : the account balance is not respected.

  • generateTokens (l.425) : totalSupplyHistory can be updated without balances to be : possible owner account balance value error.

  • destroyTokens (l.442) : again totalHistory can be decremented without owner balance to be.

Each checks/throw should be done before doing any update of variable.

k4ms avatar Jun 18 '17 18:06 k4ms

In solidity, when a throw is raised, it rolls back the transaction, so it's not possible to trick the balances the way it's described here.

jbaylina avatar Jun 18 '17 23:06 jbaylina

Yes you are right for transactions but my point was more for the internal contract variables (totalSupplyHistory, balances) that can be corrupted. In case of a throw, do these variables stay in their previous state? I was concerned because these variables are used for other computations and contracts.

k4ms avatar Jun 18 '17 23:06 k4ms