Skip to content

Latest commit

 

History

History
35 lines (26 loc) · 3.69 KB

File metadata and controls

35 lines (26 loc) · 3.69 KB

(Not So) Smart Contracts

This repository contains examples of common Algorand smart contract vulnerabilities, including code from real smart contracts. Use Not So Smart Contracts to learn about Algorand vulnerabilities, as a reference when performing security reviews, and as a benchmark for security and analysis tools.

Features

Each Not So Smart Contract includes a standard set of information:

  • Description of the vulnerability type
  • Attack scenarios to exploit the vulnerability
  • Recommendations to eliminate or mitigate the vulnerability
  • Real-world contracts that exhibit the flaw
  • References to third-party resources with more information

Vulnerabilities

Not So Smart Contract Description Applicable to smart signatures Applicable to smart contracts
Rekeying Attacker rekeys an account yes yes
Unchecked Transaction Fees Attacker sets excessive fees for smart signature transactions yes no
Closing Account Attacker closes smart signature accounts yes no
Closing Asset Attacker transfers entire asset balance of a smart signature yes no
Group Size Check Contract does not check transaction group size yes yes
Time-based Replay Attack Contract does not use lease for periodic payments yes no
Access Controls Contract does not enfore access controls for updating and deleting application no yes
Asset Id Check Contract does not check asset id for asset transfer operations yes yes
Denial of Service Attacker stalls contract execution by opting out of a asset yes yes
Inner Transaction Fee Inner transaction fee should be set to zero no yes
Clear State Transaction Check Contract does not check OnComplete field of an Application Call yes yes

Credits

These examples are developed and maintained by Trail of Bits.

If you have questions, problems, or just want to learn more, then join the #ethereum channel on the Empire Hacking Slack or contact us directly.