mythril
bug(UncheckedRetvalModule): overestimation of unchecked call
Description
The current implementation of the UncheckedRetvalModule module only checks whether a call to a smart contract can terminate normally (i.e. no exception, etc.). However, the true "Unchecked Call Return Value" problem happens only when the call return value is not always as expected. It is possible for a contract to simply check whether a call fails and perform fallback measures to mitigate the failure, in which case we say it doesn't have the SWC-104 vulnerability. However, the UncheckedRetvalModule module reports such a case as having the SWC-104 problem.
I believe this is related to the code around https://github.com/ConsenSys/mythril-classic/blob/27af71c34b2ce94f4fae5613ec457f93df1a8f56/mythril/analysis/modules/unchecked_retval.py#L83 .
How to Reproduce
Just feed any smart contract code into Mythril that has a check on the call return value that doesn't make the contract throw an exception when the call return value == 0.
Expected behavior
It shouldn't report the contract as having the SWC-104 problem.
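The two cases the issue contrasts, as an added illustration that is not code from mythril or from the reporter: a hypothetical contract that discards the low-level call result (a genuine SWC-104 finding) next to one that checks the result and applies a fallback without throwing, which the module as described would still report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contracts written for this issue; not mythril's own code.
// Both perform a low-level call whose success flag is what SWC-104 is about.

contract UncheckedPayout {
    mapping(address => uint256) public balances;

    function deposit() external payable { balances[msg.sender] += msg.value; }

    // True SWC-104: the call's success flag is discarded. If the transfer
    // fails (e.g. the recipient reverts), execution continues with the
    // balance already zeroed, so the depositor silently loses the funds.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;                 // effect before interaction
        msg.sender.call{value: amount}("");       // return value ignored
    }
}

contract CheckedPayout {
    mapping(address => uint256) public balances;
    mapping(address => uint256) public pendingRefunds;

    event PayoutFailed(address indexed to, uint256 amount);

    function deposit() external payable { balances[msg.sender] += msg.value; }

    // The call can still return false without the contract throwing, which is
    // the condition the module tests for. But the result IS examined and
    // handled: a failed payout is credited back as a pending refund instead
    // of being lost. This is the false positive the issue describes: no
    // exception on failure, yet the return value is checked.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;                 // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) {
            pendingRefunds[msg.sender] += amount; // fallback, no revert
            emit PayoutFailed(msg.sender, amount);
        }
    }
}
```

A precise check for SWC-104 would therefore need to distinguish whether the call's return value influences any later state change or control flow, not merely whether a non-reverting failure path exists.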
Thanks for pointing it out @yxliang01, we will look into it.
Hey @norhh may I know whether there's progress on this?
@yxliang01, not yet :sweat_smile: as this isn't in our current sprint.