Categories
- 17.3K All Categories
- 9.5K Mining
- 574 Pool Discussion
- 378 Promotional
- 1.4K General Project Discussion (non-technical)
- 485 Education
- 811 Protocol and Client discussion
- 170 web3-js
- 29 Whisper
- 16 Swarm
- 3 RLP
- 303 IoT & Hardware
- 1.2K Smart Contracts and Dapps
- 28 Serpent
- 359 Solidity
- 664 Projects
- 1.2K Reference clients code and builds
- 249 Eth & AlethZero- Cpp Implementation
- 471 Geth - Go Implementation
- 242 Mist
- 15 Node.js Implementation
- 36 Python Implementation
- 49 Mix
- 36 Other Implementations
- 170 Meetups
- 40 Other Events
- 226 Jobs & Skills
- 281 Press and Articles
- 75 Audio/Video
- 296 Ether Sale
- 1.2K Other Languages
- 96 Chinese
- 255 German
- 33 Italian
- 111 French
- 3 Hebrew
- 42 Japanese
- 75 Portugese
- 46 Romanian
- 185 Russian
- 231 Spanish
- 47 Turkish
- 125 Watercooler
Secure Pattern: Contract wide re-entry protection with a mutex modifier.
o0ragman0o
Member, Moderator Posts: 1,291 mod
Thanks to Philip Daian, et al, the analysis that followed the DAO hack turned up some pretty nasty anti-patterns classed as 're-entries'.
In short, a reentry is an external calling of a public function followed by a subsequent calling of a function in the same contract before the first function had finished execution. A recursive reentry is when ContractA.a() calls ContractB() which then calls ContractA.a() again and so on. If that's not bad enough, another anti-pattern that can trash a contract's state is when ContractA.a() calls ContractB.a() which then calls ContractA.b() and changes state without ContractA.a() being aware of the change.
To protect against this behaviour I offer the following mutual exclusion (mutex) pattern on the contracts as a whole.
The only drawback is that an author must manage that mutex themselves if they want a public function to call another public function within their contract. However it is probably a more secure practice to simply limit the public API as best one can and rely on internals to do the bulk of the work.
Following is an example of a mutex protected contract:
In short, a reentry is an external calling of a public function followed by a subsequent calling of a function in the same contract before the first function had finished execution. A recursive reentry is when ContractA.a() calls ContractB() which then calls ContractA.a() again and so on. If that's not bad enough, another anti-pattern that can trash a contract's state is when ContractA.a() calls ContractB.a() which then calls ContractA.b() and changes state without ContractA.a() being aware of the change.
To protect against this behaviour I offer the following mutual exclusion (mutex) pattern on the contracts as a whole.
contract MutexProtectedIn the above, the
{
// Mutex contract on all state mutating external/public functions for protecting against
// Re-entry and `Solar Storm` attacks
modifier isMutexed() {
if(mutex) throw; // Exclusion already set so bail.
else mutex = true; // Set exclusion and continue with function code
_
delete mutex; // release contract from exclusion
return; // functions require single exit and return parameters
}
bool mutex; // the exclusion state variable
}
MutexProtected contract has a bool mutex which is set upon entry into a modified function (see bellow). Any further attempts to enter that or any other public function will be thrown simply by having a contract inherit MutexProtected and applying the isMutexed() modifyier to public functions.The only drawback is that an author must manage that mutex themselves if they want a public function to call another public function within their contract. However it is probably a more secure practice to simply limit the public API as best one can and rely on internals to do the bulk of the work.
Following is an example of a mutex protected contract:
contract Guff is MutexProtectedOther restrictions are that a function must have only a single exit and return parameters are to be used instead of single values.
{
uint someGuff; // a state variable
function sendSomeGuff(uint guff)
isMutexed // the function modifier
returns (uint ret) // Requires return parameters
{
// This code cannot run if the mutex is true
someGuff += guff; // Mutate the state variable
msg.sender.send(guff); // Send some eth
ret = someGuff; // set the return parament
//note the missing return. It is in the modifier.
}
}
Post edited by o0ragman0o on
Comments