Set contract storage

What it does

Checks for calls to env::set_contract_storage.

Why is this bad?

Functions that take storage keys as variables without proper access control or input sanitization can allow users to perform changes in arbitrary memory locations.

Known problems

Only checks the function call, so false positives could result.

Example

    fn set_contract_storage(
        &mut self,
        user_input_key: [u8; 68],
        user_input_data: u128,
    ) -> Result<()> {
        // Any caller chooses both the key and the value that are written.
        env::set_contract_storage(&user_input_key, &user_input_data);
        Ok(())
    }

Use instead:

    fn set_contract_storage(
        &mut self,
        user_input_key: [u8; 68],
        user_input_data: u128,
    ) -> Result<()> {
        // Only the contract owner may write to a caller-chosen key.
        if self.env().caller() == self.owner {
            env::set_contract_storage(&user_input_key, &user_input_data);
            Ok(())
        } else {
            Err(Error::UserNotOwner)
        }
    }
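
The difference between the two versions can be checked outside a contract. The following is an added example, not code from the detector or from ink!: it models contract storage as a HashMap, and Contract, OWNER_KEY, set_unchecked and set_checked are hypothetical names used only here.

```rust
use std::collections::HashMap;

// Simplified stand-in for contract storage: raw key -> value cells.
// Assumption: this is a std-only model, not the ink! API.
type Key = [u8; 4];
pub const OWNER_KEY: Key = [0, 0, 0, 0]; // constructed: cell holding the owner id

#[derive(Debug, PartialEq)]
pub enum Error { UserNotOwner }

pub struct Contract { storage: HashMap<Key, u128> }

impl Contract {
    pub fn new(owner: u128) -> Self {
        let mut storage = HashMap::new();
        storage.insert(OWNER_KEY, owner);
        Contract { storage }
    }

    pub fn owner(&self) -> u128 { self.storage[&OWNER_KEY] }

    // Flagged pattern: the caller chooses the key, so any cell can be rewritten.
    pub fn set_unchecked(&mut self, _caller: u128, key: Key, data: u128) {
        self.storage.insert(key, data);
    }

    // Remediated pattern: the write only happens when the caller is the owner.
    pub fn set_checked(&mut self, caller: u128, key: Key, data: u128) -> Result<(), Error> {
        if caller != self.owner() {
            return Err(Error::UserNotOwner);
        }
        self.storage.insert(key, data);
        Ok(())
    }
}

fn main() {
    let (owner, other) = (1u128, 2u128);
    let mut c = Contract::new(owner);
    // Guarded write from a non-owner is rejected and the owner cell is intact.
    assert_eq!(c.set_checked(other, OWNER_KEY, other), Err(Error::UserNotOwner));
    assert_eq!(c.owner(), owner);
    // Unguarded write lets the same caller replace the owner cell itself.
    c.set_unchecked(other, OWNER_KEY, other);
    assert_eq!(c.owner(), other);
    println!("ok");
}
```

Once the owner cell has been replaced through the unguarded setter, an owner check elsewhere in the contract no longer protects anything, which is why a single unguarded call is worth reviewing.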

Implementation

The detector's implementation can be found at this link.