You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It is not a bug per-se, but securing crucial functions with just tx-sender can be considered as security flaw.
Depending on your security strategy and approach I would suggest securing those functions with contract-caller or add 1uSTX transfer to crucial functions in order to enforce the need to construct TX with post-conditions.
All true, however with current approach if you manage to trick safe owners to interact (directly or indirectly) with malicious contract it is possible to create and confirm transaction without their knowledge.
For example you can add new owner and change min-confirmation. And once you manage to do that, safe is fully compromised.
It's not an easy task to convince someone to interact with your contract, but for sure it is not impossible, therefore it should be taken into account.
It is not a bug per-se, but securing crucial functions with just
tx-sender
can be considered as security flaw.Depending on your security strategy and approach I would suggest securing those functions with
contract-caller
or add 1uSTX transfer to crucial functions in order to enforce the need to construct TX with post-conditions.Reference: https://github.com/LNow/clarity-notes/blob/main/security/function-calls.md
The text was updated successfully, but these errors were encountered: