WARNING: Race conditions can be forced on specific Ethereum transactions by monitoring the mempool.
EXAMPLE: the classic ERC20
approve()
change can be front-run
BEST PRACTICE: Do not make assumptions about transaction order dependence.
I dont understand this example
/*
* @source: https://github.com/ConsenSys/evm-analyzer-benchmark-suite
* @author: Suhabe Bugrara
*/
pragma solidity ^0.4.16;
contract EthTxOrderDependenceMinimal {
address public owner;
bool public claimed;
uint public reward;
function EthTxOrderDependenceMinimal() public {
owner = msg.sender;
}
function setReward() public payable {
require (!claimed);
require(msg.sender == owner);
owner.transfer(reward);
reward = msg.value;
}
function claimReward(uint256 submission) {
require (!claimed);
require(submission < 10);
msg.sender.transfer(reward);
claimed = true;
}
see here
BEST PRACTICE: Use safeIncreaseAllowance()
and safeDecreaseAllowance()
from OpenZeppelin’s SafeERC20
implementation to prevent race conditions from manipulating the allowance amounts.
function safeIncreaseAllowance(
IERC20 token,
address spender,
uint256 value
) internal {
uint256 newAllowance = token.allowance(address(this), spender) + value;
_callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, newAllowance));
}
see here
WARNING: The ecrecover
function is susceptible to signature malleability which could lead to replay attacks.
BEST PRACTICE: Consider using OpenZeppelin’s ECDSA
library.
substack post is unclear
BUG SUMMARY: The ERC20
function transfer()
implemented a faulty interface early in its development.
- These faulty transfer()
implementations do not return a bool
success condition.
- Contracts compiled with solc >= 0.4.22
interacting with these faulty transfer()
functions will revert
.
BEST PRACTICE: Use OpenZeppelin’s SafeERC20
wrappers.
substack post is unclear
Contracts compiled with solc >= 0.4.22
interacting with ERC721
ownerOf()
that returns a bool
instead of address
type will revert
.
BEST PRACTICE: Use OpenZeppelin’s ERC721
contracts.
see here