smartbugs-curated
Vulnerability in dead code
Hi! The contract integer_overflow_benign_1.sol has no vulnerability when compiled with solc version v0.4.25+commit.59dbf8f1 because the compiler removes the dead code. The vulnerability exists in the source code but does not exist in the runtime bytecode.
The same happens with the contract overflow_single_tx.sol in the last three functions, function overflowlocalonly(uint256), overflowmulocalonly(uint256) and underflowlocalonly(uint256).
PS: Those contracts are from the arithmetic dataset.
Thanks, @nveloso!
I would say that the contracts should still be in the dataset, since this is a dataset of Solidity smart contracts and they might be compiled with versions of solc that do not remove the dead code.
I'm tagging @ruimaranhao and @pedrocrvz for their opinion on this.
I agree with @jff: these contracts should still be in the dataset, despite the issue that you report. Perhaps we can have that meta info stored somewhere.
I suggest the following:
- We keep these contracts as they are
- If possible, we add new versions of these contracts where the dead code is always used
I added this to milestone v1.1.0. If you find any more contracts with dead code, please let me know using this thread.