SWC-registry
SWC-registry copied to clipboard
SmartContractSecurity
Breaking changes: New location information & updated directory structure
Changes to the test case configuration
The current specification of location information for bytecode offsets does not define a property to map the exact contract that the byte code relates to. This is problematic for test cases that have multiple contracts in the combined JSON output from the Solidity compiler. Similarly it's not possible to specify issue locations in source files other than the main source file. It is proposed to expand the location information to a tuple consisting of:
- the keccak256 hash of the runtime or creation byte code and the offset
- the source file and the line number
The following illustrates the new location information for the assert_constructor test case:
https://github.com/SmartContractSecurity/SWC-registry/blob/21cf046bac6dc15d5344e313579dfb05a587a997/test_cases/assert_violations/assert_constructor.sol#L10
The issue for the test case assert_constructor is in the constructor of the contract AssertConstructor. The keccak256 hash has to be created for the creation byte code as in the example below:
web3.utils.sha3('0x6080604052348015600f57600080fd5b5060001515601957fe5b60358060266000396000f3006080604052600080fd00a165627a7a72305820e7a243ebed387408e06ac03e16bf0be6e61b13d34896c4fb307e4641d2c0c2b70029')
'0x78a26dc3f4a5757a59e3a9d9872f127cb3941448491b0e903c126462041f2779'
Since the assert instruction 0xfe is located at offset 24 of the create byte code, the new location information can be defined as follows:
https://github.com/SmartContractSecurity/SWC-registry/blob/21cf046bac6dc15d5344e313579dfb05a587a997/test_cases/assert_violations/assert_constructor.yaml#L7
Locations in a source file can also be added as tuples see the same example below:
https://github.com/SmartContractSecurity/SWC-registry/blob/21cf046bac6dc15d5344e313579dfb05a587a997/test_cases/assert_violations/assert_constructor.yaml#L9
Being able to reference any source file or contract byte code as part of the location tuple allows more complex contract samples to be added to the SWC-registry.
Changes to directory structure
In order to keep multi source file test cases more self contained, each test case is moved into its own directory. For simplicity the name of the directory will be the same as the name for the main source or yaml file without the extension. Also there will be a directory under test_cases that specifies which language the sample was written in to prepare for other languages to be added to the SWC-registry.
Old:
/test_cases/assert_violations/assert_constructor.sol
New:
/test_cases/solidity/assert_violations/assert_constructor/assert_constructor.sol
Changes to EIP-1470
Changes regarding the test configuration affect EIP-1470 and propose the following new YAML schema for the test case configuration:
{
"title": "SWC config",
"type": "object",
"required": ["description", "issues"],
"properties": {
"description": {
"type": "string"
},
"issues": {
"title": "Issue set",
"type": "array",
"items": {
"title": "Issue",
"type": "object",
"required": ["id", "count"],
"properties": {
"id": {
"type": "string"
},
"count": {
"type": "number"
},
"locations": {
"type": "array",
"items": {
"bytecode_offsets": {
"type": "object"
},
"line_numbers": {
"type": "object"
}
}
}
}
}
}
}
}
All changes in detail
#166.
Thanks for sharing your experience. I want to know keccak256 hash's disadvantages and the other hash functions.
