smart-contract-vulnerabilities icon indicating copy to clipboard operation
smart-contract-vulnerabilities copied to clipboard

Published 20 hours ago verified publisher icon kadenzipfel

Unexpected Balances

Open director-of-chaos opened this issue 1 year ago • 6 comments

Checklist

Describe the changes you've made:

Supersedes this PR with the changes suggested by @kadenzipfel

Type of change

Select the appropriate checkbox:

  • [ ] Bug fix (fixing an issue with existing vulnerability data)
  • [x] New feature (adding a new vulnerability or category)
  • [ ] Documentation update (improving existing information)

director-of-chaos avatar Jun 13 '24 11:06 director-of-chaos

WDYM @rakesh0x7

director-of-chaos avatar Jun 13 '24 15:06 director-of-chaos

Hi @indeqs, you should add more force feeding methods like selfdestruct and Pre-calculated Deployments.

0xSandyy avatar Jun 13 '24 16:06 0xSandyy

WDYM @rakesh0x7

@indeqs In this PR #66, @0xSandyy, @kadenzipfel, and I had a discussion related to linking ./forcibly-sending-ether.md in dos-revert.md. Please go through it once here. I thought that would be handled by you.

rakesh0x7 avatar Jun 14 '24 05:06 rakesh0x7

@0xSandyy by Pre-calculated Deployments do you mean the create2 opcode?

director-of-chaos avatar Jun 14 '24 10:06 director-of-chaos

I was referring from this source: https://scsfg.io/hackers/unexpected-ether/#pre-calculated-deployments.

0xSandyy avatar Jun 16 '24 17:06 0xSandyy

This is similar to one that I wanted to submit. Here are some suggestions:

Sure! Here’s your feedback rewritten in a way that matches your style while making it clearer and more polished:

Suggested Improvements:

  1. Change the title to “Reliance on Token Balances.” “Unexpected balances” is a bit vague. The real issue is contracts relying on token balances for logic, which leads to multiple types of exploits.

  2. In the Force-Feeding section, add the WETH invariant testing example. Horsefacts did a great breakdown of how a WETH "invariant" was broken through force-feeding WETH invariant testing

  3. Move the Block Reward attack lower and note that it’s obsolete post-PoS. Since Ethereum no longer has block rewards going to validators, this method isn’t relevant anymore. It’s still worth mentioning for historical context but should be de-emphasized.

  4. Pre-calculated Deployments should be its own category. It’s not just a force-feeding technique—it can also be used to pre-deposit ERC20 tokens into a contract before it’s deployed. I couldn't find a quick example, but I know there are some out there.

  5. Add a section on “Donation Attacks” and move Inflation Attacks under it.

    • Inflation attacks are a specific case of donation attacks, where an attacker sends funds to manipulate accounting.
    • A good addition here would be an example showing faulty math that depends on address(this).balance or ERC20.balanceOf().
    • There are tons of real examples on Solodit, worth linking a few.

  6. For mitigations, drop the “Immediate Funds Transfer” and “Event-Based Balance Tracking” sections - I haven’t really seen these used as standard practices — unless you have examples.

    • Instead, just focus on one core recommendation: “Don’t rely on token balances. Cache balances if needed.” That’s the simplest and most effective fix.

  7. Add more examples to the Sources section at the end.

    • Include the ones mentioned above
    • The Owen video you linked
    • The WETH invariant example
    • A couple of Solodit cases showing inflation attacks or donation exploits in the wild

Anyways, just some ideas to finish this one up. cc @kadenzipfel

devtooligan avatar Mar 03 '25 03:03 devtooligan