├── rule_descriptions
├── SOLIDITY_DIV_MUL
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── links_en.html
│ ├── name_en.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── description.html
│ ├── description_en.html
│ ├── example_en.html
│ └── example.html
├── SOLIDITY_SEND
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── links_en.html
│ ├── description_en.html
│ ├── example_en.html
│ ├── example.html
│ └── description.html
├── SOLIDITY_VAR
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── links_en.html
│ ├── example.html
│ ├── example_en.html
│ ├── description.html
│ └── description_en.html
├── SOLIDITY_EXACT_TIME
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── links_en.html
│ ├── description.html
│ ├── description_en.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_LOCKED_MONEY
│ ├── severity.txt
│ ├── name_en.txt
│ ├── links.html
│ ├── name.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── links_en.html
│ ├── description_en.html
│ ├── description.html
│ ├── example_en.html
│ └── example.html
├── SOLIDITY_SAFEMATH
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── links_en.html
│ ├── name.txt
│ ├── description.html
│ ├── description_en.html
│ ├── recommendation_en.html
│ └── recommendation.html
├── SOLIDITY_TX_ORIGIN
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── description.html
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── links_en.html
│ └── description_en.html
├── SOLIDITY_VISIBILITY
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── links_en.html
│ ├── example.html
│ ├── example_en.html
│ ├── description_en.html
│ └── description.html
├── VYPER_ERC20_APPROVE
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── description.html
│ ├── description_en.html
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── links_en.html
│ ├── example.html
│ └── example_en.html
├── VYPER_LOCKED_MONEY
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── links_en.html
│ ├── name.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── description_en.html
│ ├── description.html
│ ├── example.html
│ └── example_en.html
├── VYPER_UNITLESS_NUMBER
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── links_en.html
│ ├── recommendation_en.html
│ ├── description_en.html
│ ├── recommendation.html
│ ├── description.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_ADDRESS_HARDCODED
│ ├── severity.txt
│ ├── links.html
│ ├── links_en.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── recommendation.html
│ ├── description_en.html
│ ├── recommendation_en.html
│ ├── description.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_BALANCE_EQUALITY
│ ├── severity.txt
│ ├── links.html
│ ├── links_en.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── description.html
│ ├── example.html
│ ├── example_en.html
│ └── description_en.html
├── SOLIDITY_CALL_WITHOUT_DATA
│ ├── severity.txt
│ ├── links.html
│ ├── links_en.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── description.html
│ ├── description_en.html
│ ├── example_en.html
│ ├── recommendation_en.html
│ ├── example.html
│ └── recommendation.html
├── SOLIDITY_DO_WHILE_CONTINUE
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── links_en.html
│ ├── description.html
│ ├── example.html
│ ├── description_en.html
│ └── example_en.html
├── SOLIDITY_ERC20_APPROVE
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── description.html
│ ├── description_en.html
│ ├── links_en.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_ERC20_INDEXED
│ ├── severity.txt
│ ├── name_en.txt
│ ├── name.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── links.html
│ ├── links_en.html
│ ├── description_en.html
│ ├── description.html
│ ├── example_en.html
│ └── example.html
├── SOLIDITY_OVERPOWERED_ROLE
│ ├── severity.txt
│ ├── name.txt
│ ├── name_en.txt
│ ├── links_en.html
│ ├── recommendation_en.html
│ ├── links.html
│ ├── description.html
│ ├── recommendation.html
│ ├── description_en.html
│ ├── example_en.html
│ └── example.html
├── SOLIDITY_PRAGMAS_VERSION
│ ├── severity.txt
│ ├── links.html
│ ├── links_en.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── example.html
│ ├── example_en.html
│ ├── description_en.html
│ └── description.html
├── SOLIDITY_REVERT_REQUIRE
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── description.html
│ ├── description_en.html
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── links_en.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_TRANSFER_IN_LOOP
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── links_en.html
│ ├── description.html
│ ├── description_en.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_UNCHECKED_CALL
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── links_en.html
│ ├── description_en.html
│ ├── description.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_UPGRADE_TO_050
│ ├── severity.txt
│ ├── name.txt
│ ├── name_en.txt
│ ├── description.html
│ ├── description_en.html
│ ├── links.html
│ ├── links_en.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_VAR_IN_LOOP_FOR
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── links_en.html
│ ├── example.html
│ ├── example_en.html
│ ├── description.html
│ └── description_en.html
├── SOLIDITY_WRONG_SIGNATURE
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── links_en.html
│ ├── description.html
│ ├── description_en.html
│ ├── example_en.html
│ └── example.html
├── VYPER_BALANCE_EQUALITY
│ ├── severity.txt
│ ├── links.html
│ ├── links_en.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── description_en.html
│ ├── description.html
│ ├── example.html
│ └── example_en.html
├── VYPER_TIMESTAMP_DEPENDENCE
│ ├── severity.txt
│ ├── links.html
│ ├── links_en.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── description.html
│ ├── description_en.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_CONSTRUCTOR_RETURN
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── links_en.html
│ ├── recommendation.html
│ ├── description.html
│ ├── recommendation_en.html
│ └── description_en.html
├── SOLIDITY_EXTRA_GAS_IN_LOOPS
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── links_en.html
│ ├── name.txt
│ ├── description_en.html
│ ├── description.html
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_GAS_LIMIT_IN_LOOPS
│ ├── severity.txt
│ ├── name_en.txt
│ ├── links.html
│ ├── name.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── links_en.html
│ └── description.html
├── SOLIDITY_INCORRECT_BLOCKHASH
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── description.html
│ ├── links_en.html
│ ├── description_en.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_MSGVALUE_EQUALS_ZERO
│ ├── example.html
│ ├── example_en.html
│ ├── severity.txt
│ ├── links.html
│ ├── links_en.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── description.html
│ └── description_en.html
├── SOLIDITY_SHOULD_NOT_BE_PURE
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── description_en.html
│ ├── description.html
│ ├── links_en.html
│ ├── example_en.html
│ └── example.html
├── SOLIDITY_SHOULD_NOT_BE_VIEW
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── description.html
│ ├── description_en.html
│ ├── links_en.html
│ ├── example_en.html
│ ├── example.html
│ ├── recommendation_en.html
│ └── recommendation.html
├── SOLIDITY_SHOULD_RETURN_STRUCT
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── description_en.html
│ ├── links_en.html
│ ├── description.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_UINT_CANT_BE_NEGATIVE
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation.html
│ ├── links_en.html
│ ├── recommendation_en.html
│ ├── description_en.html
│ ├── description.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_USING_INLINE_ASSEMBLY
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── links_en.html
│ ├── description.html
│ └── description_en.html
├── VYPER_REDUNDANT_FALLBACK_REJECT
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── description_en.html
│ ├── description.html
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── links_en.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_ARRAY_LENGTH_MANIPULATION
│ ├── severity.txt
│ ├── links.html
│ ├── links_en.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── description.html
│ ├── description_en.html
│ ├── recommendation.html
│ └── recommendation_en.html
├── SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── description_en.html
│ ├── description.html
│ ├── links_en.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_DELETE_ON_DYNAMIC_ARRAYS
│ ├── severity.txt
│ ├── links.html
│ ├── links_en.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── description_en.html
│ ├── recommendation_en.html
│ ├── description.html
│ └── recommendation.html
├── SOLIDITY_DEPRECATED_CONSTRUCTIONS
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── description.html
│ ├── description_en.html
│ ├── recommendation_en.html
│ ├── recommendation.html
│ └── links_en.html
├── SOLIDITY_ERC20_TRANSFER_SHOULD_THROW
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── links_en.html
│ ├── description_en.html
│ ├── description.html
│ └── example_en.html
├── SOLIDITY_REDUNDANT_FALLBACK_REJECT
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── links_en.html
│ ├── example_en.html
│ ├── example.html
│ ├── description_en.html
│ └── description.html
├── SOLIDITY_REWRITE_ON_ASSEMBLY_CALL
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── links_en.html
│ ├── description_en.html
│ └── description.html
├── VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── links_en.html
│ ├── name_en.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── description.html
│ ├── description_en.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_ERC20_FUNCTIONS_ALWAYS_RETURN_FALSE
│ ├── severity.txt
│ ├── links.html
│ ├── recommendation_en.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation.html
│ ├── links_en.html
│ ├── description_en.html
│ ├── description.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_FUNCTION_RETURNS_TYPE_AND_NO_RETURN
│ ├── severity.txt
│ ├── links.html
│ ├── links_en.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── description_en.html
│ ├── description.html
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── example.html
│ └── example_en.html
├── SOLIDITY_PRIVATE_MODIFIER_DOES_NOT_HIDE_DATA
│ ├── severity.txt
│ ├── links.html
│ ├── name.txt
│ ├── name_en.txt
│ ├── recommendation.html
│ ├── recommendation_en.html
│ ├── links_en.html
│ ├── description.html
│ └── description_en.html
└── SOLIDITY_UNUSED_FUNCTION_SHOULD_BE_EXTERNAL
│ ├── severity.txt
│ ├── links.html
│ ├── name_en.txt
│ ├── name.txt
│ ├── recommendation_en.html
│ ├── recommendation.html
│ ├── links_en.html
│ ├── description.html
│ └── description_en.html
├── tests_not_used_now
├── SOLIDITY_INTEGER_OVERFLOW_UNDERFLOW.sol
├── SOLIDITY_SIMILAR_VARIABLE_NAMES.sol
├── SOLIDITY_SHORT_ADDRESS_ATTACK.sol
├── SOLIDITY_DEAD_CODE.sol
├── SOLIDITY_LOOP_FUSION.sol
├── SOLIDITY_CONSTANT_STATE_VARIABLE.sol
├── SOLIDITY_CONSTANT_OUTCOME_OF_LOOP.sol
├── SOLIDITY_OPAQUE_PREDICATE.sol
├── SOLIDITY_EXPENSIVE_OPERATIONS_IN_LOOP.sol
├── SOLIDITY_REPEATED_COMPUTATION_IN_LOOP.sol
├── SOLIDITY_SEND_BALANCE_BEFORE_CHANGE.sol
├── SOLIDITY_DIVISION_BY_ZERO.sol
├── SOLIDITY_USING_UBTRUSTED_INPUTS.sol
├── SOLIDITY_DOS_WITH_BLOCK_GAS_LIMIT.sol
├── SOLIDITY_MISSING_INPUT_VALIDATION.sol
├── SOLIDITY_DUPLICATED_STORAGE.sol
├── SOLIDITY_REFACTOR_CONFUSING_PRECONDITION.sol
├── SOLIDITY_TRANSACTION_ORDERING_DEPENDENCE.sol
├── SOLIDITY_CROSS_FUNCTION_RACE_CONDITION.sol
├── SOLIDITY_UNCHECKED_MATH.sol
├── SOLIDITY_PITFALLS_IN_RACE_CONDITION.sol
└── SOLIDITY_IMMUTABILITY.sol
├── src
├── main
│ └── java
│ │ └── ru
│ │ └── smartdec
│ │ └── smartcheck
│ │ ├── app
│ │ ├── package-info.java
│ │ ├── cli
│ │ │ ├── package-info.java
│ │ │ └── Arguments.java
│ │ ├── Media.java
│ │ ├── Report.java
│ │ ├── TreeFactory.java
│ │ ├── SourceLanguage.java
│ │ ├── ReportDefault.java
│ │ └── DirectoryAnalysis.java
│ │ ├── Pattern.java
│ │ ├── Source.java
│ │ ├── Query.java
│ │ ├── Rule.java
│ │ ├── package-info.java
│ │ ├── Rules.java
│ │ ├── ParseTree.java
│ │ └── SearchableTreeDefault.java
└── test
│ └── resources
│ └── rules
│ ├── SOLIDITY_PRAGMAS_VERSION.sol
│ ├── VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA.vy
│ ├── SOLIDITY_PRIVATE_MODIFIER_DOES_NOT_HIDE_DATA.sol
│ ├── SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES.sol
│ ├── VYPER_BALANCE_EQUALITY.vy
│ ├── VYPER_REDUNDANT_FALLBACK_REJECT.vy
│ ├── SOLIDITY_SAFEMATH.sol
│ ├── SOLIDITY_VAR_IN_LOOP_FOR.sol
│ ├── VYPER_ERC20_APPROVE.vy
│ ├── SOLIDITY_VAR.sol
│ ├── SOLIDITY_REDUNDANT_FALLBACK_REJECT.sol
│ ├── SOLIDITY_EXACT_TIME.sol
│ ├── VYPER_UNITLESS_NUMBER.vy
│ ├── SOLIDITY_USING_INLINE_ASSEMBLY.sol
│ ├── SOLIDITY_DOS_WITH_THROW.sol
│ ├── SOLIDITY_DO_WHILE_CONTINUE.sol
│ └── VYPER_LOCKED_MONEY.vy
├── .gitattributes
└── .gitignore
/rule_descriptions/SOLIDITY_DIV_MUL/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SEND/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXACT_TIME/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_LOCKED_MONEY/severity.txt:
--------------------------------------------------------------------------------
1 | 3
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SAFEMATH/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TX_ORIGIN/severity.txt:
--------------------------------------------------------------------------------
1 | 3
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VISIBILITY/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_ERC20_APPROVE/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_LOCKED_MONEY/severity.txt:
--------------------------------------------------------------------------------
1 | 3
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_UNITLESS_NUMBER/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ADDRESS_HARDCODED/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BALANCE_EQUALITY/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CALL_WITHOUT_DATA/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DO_WHILE_CONTINUE/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_APPROVE/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_INDEXED/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_OVERPOWERED_ROLE/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRAGMAS_VERSION/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REVERT_REQUIRE/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SEND/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TRANSFER_IN_LOOP/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNCHECKED_CALL/severity.txt:
--------------------------------------------------------------------------------
1 | 3
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UPGRADE_TO_050/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR_IN_LOOP_FOR/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_WRONG_SIGNATURE/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_BALANCE_EQUALITY/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_TIMESTAMP_DEPENDENCE/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_INTEGER_OVERFLOW_UNDERFLOW.sol:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_SIMILAR_VARIABLE_NAMES.sol:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CONSTRUCTOR_RETURN/severity.txt:
--------------------------------------------------------------------------------
1 | 3
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DIV_MUL/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXACT_TIME/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXTRA_GAS_IN_LOOPS/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_GAS_LIMIT_IN_LOOPS/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_INCORRECT_BLOCKHASH/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_LOCKED_MONEY/name_en.txt:
--------------------------------------------------------------------------------
1 | Locked money
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_MSGVALUE_EQUALS_ZERO/example.html:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_MSGVALUE_EQUALS_ZERO/example_en.html:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_MSGVALUE_EQUALS_ZERO/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SAFEMATH/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SAFEMATH/name_en.txt:
--------------------------------------------------------------------------------
1 | Use of SafeMath
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SEND/name.txt:
--------------------------------------------------------------------------------
1 | Send вместо transfer
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_PURE/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_VIEW/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_RETURN_STRUCT/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TX_ORIGIN/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UINT_CANT_BE_NEGATIVE/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_USING_INLINE_ASSEMBLY/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR/name_en.txt:
--------------------------------------------------------------------------------
1 | Unsafe type inference
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VISIBILITY/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_ERC20_APPROVE/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_LOCKED_MONEY/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_LOCKED_MONEY/name_en.txt:
--------------------------------------------------------------------------------
1 | Locked money
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_REDUNDANT_FALLBACK_REJECT/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ARRAY_LENGTH_MANIPULATION/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DELETE_ON_DYNAMIC_ARRAYS/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DEPRECATED_CONSTRUCTIONS/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DIV_MUL/name.txt:
--------------------------------------------------------------------------------
1 | Умножение после деления
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_APPROVE/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_TRANSFER_SHOULD_THROW/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_GAS_LIMIT_IN_LOOPS/name_en.txt:
--------------------------------------------------------------------------------
1 | Costly loop
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_LOCKED_MONEY/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_OVERPOWERED_ROLE/name.txt:
--------------------------------------------------------------------------------
1 | Избыточные права
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRAGMAS_VERSION/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REDUNDANT_FALLBACK_REJECT/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REVERT_REQUIRE/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REWRITE_ON_ASSEMBLY_CALL/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SAFEMATH/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SAFEMATH/name.txt:
--------------------------------------------------------------------------------
1 | Использование SafeMath
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SEND/name_en.txt:
--------------------------------------------------------------------------------
1 | Send instead of transfer
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNCHECKED_CALL/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR_IN_LOOP_FOR/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_WRONG_SIGNATURE/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_BALANCE_EQUALITY/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_LOCKED_MONEY/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_UNITLESS_NUMBER/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ADDRESS_HARDCODED/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ADDRESS_HARDCODED/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ADDRESS_HARDCODED/name_en.txt:
--------------------------------------------------------------------------------
1 | Hardcoded address
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BALANCE_EQUALITY/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BALANCE_EQUALITY/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CONSTRUCTOR_RETURN/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DO_WHILE_CONTINUE/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXTRA_GAS_IN_LOOPS/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_GAS_LIMIT_IN_LOOPS/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_GAS_LIMIT_IN_LOOPS/name.txt:
--------------------------------------------------------------------------------
1 | Трудозатратный цикл
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_INCORRECT_BLOCKHASH/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_LOCKED_MONEY/name.txt:
--------------------------------------------------------------------------------
1 | Заблокированные деньги
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_MSGVALUE_EQUALS_ZERO/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_OVERPOWERED_ROLE/name_en.txt:
--------------------------------------------------------------------------------
1 | Overpowered role
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRAGMAS_VERSION/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_PURE/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_VIEW/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_RETURN_STRUCT/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TRANSFER_IN_LOOP/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TRANSFER_IN_LOOP/name.txt:
--------------------------------------------------------------------------------
1 | Передача ETH в цикле
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR/name.txt:
--------------------------------------------------------------------------------
1 | Небезопасное преобразование типа
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VISIBILITY/name.txt:
--------------------------------------------------------------------------------
1 | Не указан уровень видимости
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_BALANCE_EQUALITY/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_ERC20_APPROVE/name_en.txt:
--------------------------------------------------------------------------------
1 | ERC-20 approve issue
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_LOCKED_MONEY/name.txt:
--------------------------------------------------------------------------------
1 | Заблокированные средства
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_TIMESTAMP_DEPENDENCE/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_TIMESTAMP_DEPENDENCE/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ARRAY_LENGTH_MANIPULATION/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CALL_WITHOUT_DATA/links.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DELETE_ON_DYNAMIC_ARRAYS/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DEPRECATED_CONSTRUCTIONS/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DIV_MUL/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DIV_MUL/name_en.txt:
--------------------------------------------------------------------------------
1 | Multiplication after division
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_FUNCTIONS_ALWAYS_RETURN_FALSE/severity.txt:
--------------------------------------------------------------------------------
1 | 2
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXTRA_GAS_IN_LOOPS/name_en.txt:
--------------------------------------------------------------------------------
1 | Extra gas consumption
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_FUNCTION_RETURNS_TYPE_AND_NO_RETURN/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_MSGVALUE_EQUALS_ZERO/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRIVATE_MODIFIER_DOES_NOT_HIDE_DATA/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REDUNDANT_FALLBACK_REJECT/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UINT_CANT_BE_NEGATIVE/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNCHECKED_CALL/name_en.txt:
--------------------------------------------------------------------------------
1 | Unchecked low-level call
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNUSED_FUNCTION_SHOULD_BE_EXTERNAL/severity.txt:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_USING_INLINE_ASSEMBLY/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_USING_INLINE_ASSEMBLY/name_en.txt:
--------------------------------------------------------------------------------
1 | Use of assembly
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VISIBILITY/name_en.txt:
--------------------------------------------------------------------------------
1 | Implicit visibility level
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_REDUNDANT_FALLBACK_REJECT/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_TIMESTAMP_DEPENDENCE/name_en.txt:
--------------------------------------------------------------------------------
1 | Timestamp dependence
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ADDRESS_HARDCODED/name.txt:
--------------------------------------------------------------------------------
1 | Адрес задан в исходном коде
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ARRAY_LENGTH_MANIPULATION/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CALL_WITHOUT_DATA/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DELETE_ON_DYNAMIC_ARRAYS/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DEPRECATED_CONSTRUCTIONS/name.txt:
--------------------------------------------------------------------------------
1 | Устаревшие конструкции
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_TRANSFER_SHOULD_THROW/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXTRA_GAS_IN_LOOPS/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXTRA_GAS_IN_LOOPS/name.txt:
--------------------------------------------------------------------------------
1 | Излишнее потребление газа
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_INCORRECT_BLOCKHASH/name_en.txt:
--------------------------------------------------------------------------------
1 | Blockhash function misuse
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_MSGVALUE_EQUALS_ZERO/name.txt:
--------------------------------------------------------------------------------
1 | Проверка msg.value == 0
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_MSGVALUE_EQUALS_ZERO/name_en.txt:
--------------------------------------------------------------------------------
1 | msg.value == 0 check
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRAGMAS_VERSION/name_en.txt:
--------------------------------------------------------------------------------
1 | Compiler version not fixed
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REVERT_REQUIRE/name_en.txt:
--------------------------------------------------------------------------------
1 | Revert inside the if-operator
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REWRITE_ON_ASSEMBLY_CALL/links.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TRANSFER_IN_LOOP/name_en.txt:
--------------------------------------------------------------------------------
1 | ETH transfer inside the loop
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TX_ORIGIN/name_en.txt:
--------------------------------------------------------------------------------
1 | Using tx.origin for authorization
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UPGRADE_TO_050/name.txt:
--------------------------------------------------------------------------------
1 | Обновите код до Solidity 0.5.х
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UPGRADE_TO_050/name_en.txt:
--------------------------------------------------------------------------------
1 | Upgrade code to Solidity 0.5.x
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_USING_INLINE_ASSEMBLY/name.txt:
--------------------------------------------------------------------------------
1 | Использование assembly
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_WRONG_SIGNATURE/name.txt:
--------------------------------------------------------------------------------
1 | Неправильная сигнатура функции
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_WRONG_SIGNATURE/name_en.txt:
--------------------------------------------------------------------------------
1 | Incorrect function signature
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_ERC20_APPROVE/name.txt:
--------------------------------------------------------------------------------
1 | Проблема с ERC-20 approve функцией
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA/name.txt:
--------------------------------------------------------------------------------
1 | Private переменная
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_TIMESTAMP_DEPENDENCE/name.txt:
--------------------------------------------------------------------------------
1 | Использование block.timestamp
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES/name.txt:
--------------------------------------------------------------------------------
1 | Массив байтов место bytes
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CONSTRUCTOR_RETURN/name_en.txt:
--------------------------------------------------------------------------------
1 | Use of return in constructor
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DEPRECATED_CONSTRUCTIONS/name_en.txt:
--------------------------------------------------------------------------------
1 | Deprecated constructions
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_FUNCTIONS_ALWAYS_RETURN_FALSE/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_FUNCTION_RETURNS_TYPE_AND_NO_RETURN/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRAGMAS_VERSION/name.txt:
--------------------------------------------------------------------------------
1 | Версия компилятора не фиксирована
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRIVATE_MODIFIER_DOES_NOT_HIDE_DATA/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REDUNDANT_FALLBACK_REJECT/name.txt:
--------------------------------------------------------------------------------
1 | Избыточная fallback-функция
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TX_ORIGIN/name.txt:
--------------------------------------------------------------------------------
1 | Использование tx.origin для авторизации
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UINT_CANT_BE_NEGATIVE/name.txt:
--------------------------------------------------------------------------------
1 | Нестрогое сравнение с нулём
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNUSED_FUNCTION_SHOULD_BE_EXTERNAL/links.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR_IN_LOOP_FOR/name.txt:
--------------------------------------------------------------------------------
1 | Небезопасное выведение типа в for
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_BALANCE_EQUALITY/name.txt:
--------------------------------------------------------------------------------
1 | Проверка баланса на строгое равенство
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_BALANCE_EQUALITY/name_en.txt:
--------------------------------------------------------------------------------
1 | Checking for strict balance equality
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_REDUNDANT_FALLBACK_REJECT/name.txt:
--------------------------------------------------------------------------------
1 | Избыточная default-функция
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_REDUNDANT_FALLBACK_REJECT/name_en.txt:
--------------------------------------------------------------------------------
1 | Redundant default function
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_UNITLESS_NUMBER/name_en.txt:
--------------------------------------------------------------------------------
1 | Use of as_unitless_number() function
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ARRAY_LENGTH_MANIPULATION/name.txt:
--------------------------------------------------------------------------------
1 | Прямое изменение длины массива
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BALANCE_EQUALITY/name.txt:
--------------------------------------------------------------------------------
1 | Проверка баланса на строгое равенство
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BALANCE_EQUALITY/name_en.txt:
--------------------------------------------------------------------------------
1 | Checking for strict balance equality
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES/name_en.txt:
--------------------------------------------------------------------------------
1 | Byte array instead of bytes
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CALL_WITHOUT_DATA/name.txt:
--------------------------------------------------------------------------------
1 | Вызов функции call без передачи данных
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CALL_WITHOUT_DATA/name_en.txt:
--------------------------------------------------------------------------------
1 | Use of call function with no data
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CONSTRUCTOR_RETURN/name.txt:
--------------------------------------------------------------------------------
1 | Использование return в конструкторе
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DELETE_ON_DYNAMIC_ARRAYS/name.txt:
--------------------------------------------------------------------------------
1 | Удаление динамического массива
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DO_WHILE_CONTINUE/name.txt:
--------------------------------------------------------------------------------
1 | Использование continue в цикле do-while
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DO_WHILE_CONTINUE/name_en.txt:
--------------------------------------------------------------------------------
1 | Using continue in the do-while loop
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXACT_TIME/name.txt:
--------------------------------------------------------------------------------
1 | Строгое сравнение с block.timestamp или now
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRIVATE_MODIFIER_DOES_NOT_HIDE_DATA/name.txt:
--------------------------------------------------------------------------------
1 | Модификатор private
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRIVATE_MODIFIER_DOES_NOT_HIDE_DATA/name_en.txt:
--------------------------------------------------------------------------------
1 | Private modifier
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REDUNDANT_FALLBACK_REJECT/name_en.txt:
--------------------------------------------------------------------------------
1 | Redundant fallback function
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_VIEW/name.txt:
--------------------------------------------------------------------------------
1 | View-функции не должны менять состояние
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UINT_CANT_BE_NEGATIVE/name_en.txt:
--------------------------------------------------------------------------------
1 | Non-strict comparison with zero
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNCHECKED_CALL/name.txt:
--------------------------------------------------------------------------------
1 | Нет проверки результатов внешнего вызова
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR_IN_LOOP_FOR/name_en.txt:
--------------------------------------------------------------------------------
1 | Unsafe type inference in the for-loop
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA/name_en.txt:
--------------------------------------------------------------------------------
1 | Private state variable
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_UNITLESS_NUMBER/name.txt:
--------------------------------------------------------------------------------
1 | Использование функции as_unitless_number()
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ARRAY_LENGTH_MANIPULATION/name_en.txt:
--------------------------------------------------------------------------------
1 | Unsafe array's length manipulation
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_APPROVE/name.txt:
--------------------------------------------------------------------------------
1 | Использование функции approve стандарта ERC-20
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_TRANSFER_SHOULD_THROW/name_en.txt:
--------------------------------------------------------------------------------
1 | ERC-20 transfer should throw
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXACT_TIME/name_en.txt:
--------------------------------------------------------------------------------
1 | Strict comparison with block.timestamp or now
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_FUNCTION_RETURNS_TYPE_AND_NO_RETURN/links_en.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REVERT_REQUIRE/name.txt:
--------------------------------------------------------------------------------
1 | Функция revert в теле условного оператора if
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REWRITE_ON_ASSEMBLY_CALL/name.txt:
--------------------------------------------------------------------------------
1 | Перезапись инструкциями семейства CALL
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_PURE/name.txt:
--------------------------------------------------------------------------------
1 | Pure-функции не должны читать/изменять стейт
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_VIEW/name_en.txt:
--------------------------------------------------------------------------------
1 | View-function should not change state
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_APPROVE/name_en.txt:
--------------------------------------------------------------------------------
1 | Using approve function of the ERC-20 token standard
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_FUNCTION_RETURNS_TYPE_AND_NO_RETURN/name_en.txt:
--------------------------------------------------------------------------------
1 | Non-initialized return value
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_INCORRECT_BLOCKHASH/name.txt:
--------------------------------------------------------------------------------
1 | Неправильное использование функции blockhash
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_PURE/name_en.txt:
--------------------------------------------------------------------------------
1 | Pure-functions should not read/change state
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_RETURN_STRUCT/name_en.txt:
--------------------------------------------------------------------------------
1 | Replace multiple return values with a struct
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DELETE_ON_DYNAMIC_ARRAYS/name_en.txt:
--------------------------------------------------------------------------------
1 | Deletion of dynamically-sized storage array
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_INDEXED/name_en.txt:
--------------------------------------------------------------------------------
1 | Use of unindexed arguments in ERC-20 standard events
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REWRITE_ON_ASSEMBLY_CALL/name_en.txt:
--------------------------------------------------------------------------------
1 | Output overwrites input of assembly CALLs
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_TRANSFER_SHOULD_THROW/name.txt:
--------------------------------------------------------------------------------
1 | Функция ERC-20 transfer должна бросать исключение
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_RETURN_STRUCT/name.txt:
--------------------------------------------------------------------------------
1 | Функция может возвращать структуру вместо нескольких значений
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNUSED_FUNCTION_SHOULD_BE_EXTERNAL/name_en.txt:
--------------------------------------------------------------------------------
1 | Prefer external to public visibility level
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_INDEXED/name.txt:
--------------------------------------------------------------------------------
1 | Использование неиндексированных аргументов в событиях стандарта ERC-20
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SAFEMATH/description.html:
--------------------------------------------------------------------------------
1 |
2 | Используется библиотека SafeMath.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SAFEMATH/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | SafeMath library is used.
3 |
4 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/app/package-info.java:
--------------------------------------------------------------------------------
1 | /**
2 | *
3 | */
4 | package ru.smartdec.smartcheck.app;
5 |
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | rule_descriptions/* linguist-documentation
2 | *.g4 linguist-generated
3 | *.sol linguist-language=Solidity
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_FUNCTION_RETURNS_TYPE_AND_NO_RETURN/name.txt:
--------------------------------------------------------------------------------
1 | Возвращаемое значение функции не проинициализированно
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNUSED_FUNCTION_SHOULD_BE_EXTERNAL/name.txt:
--------------------------------------------------------------------------------
1 | Уровень видимости external является более предпочтительным
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UPGRADE_TO_050/description.html:
--------------------------------------------------------------------------------
1 |
2 | Подготовьте ваш код к релизу Solidity 0.5.0.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_INDEXED/recommendation.html:
--------------------------------------------------------------------------------
1 | Используйте индексированные аргументы, как указано в стандарте.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REWRITE_ON_ASSEMBLY_CALL/recommendation_en.html:
--------------------------------------------------------------------------------
1 | Save output to the separate area of memory.
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UPGRADE_TO_050/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Prepare your code for Solidity 0.5.0 release.
3 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/app/cli/package-info.java:
--------------------------------------------------------------------------------
1 | /**
2 | *
3 | */
4 | package ru.smartdec.smartcheck.app.cli;
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BALANCE_EQUALITY/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Use non-strict inequality.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_INDEXED/recommendation_en.html:
--------------------------------------------------------------------------------
1 | Use indexed events' arguments, as stated in ERC-20 Token Standard
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REWRITE_ON_ASSEMBLY_CALL/recommendation.html:
--------------------------------------------------------------------------------
1 | Записывайте возвращаемое значение в очищенную память.
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TX_ORIGIN/description.html:
--------------------------------------------------------------------------------
1 |
2 | tx.origin используется для авторизации.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_BALANCE_EQUALITY/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Use non-strict inequalities.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BALANCE_EQUALITY/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Используйте нестрогие неравенства.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Use
bytes.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_MSGVALUE_EQUALS_ZERO/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Avoid meaningless checks.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_BALANCE_EQUALITY/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Используйте нестрогие неравенства.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Используйте
bytes.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_GAS_LIMIT_IN_LOOPS/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Avoid loops with big or unknown number of steps.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_MSGVALUE_EQUALS_ZERO/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Избегайте бессмысленных проверок.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Явно указывайте требуемый тип (например, uint256).
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_ERC20_APPROVE/description.html:
--------------------------------------------------------------------------------
1 |
2 | Функция approve() стандарта ERC-20 является уязвимой.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CALL_WITHOUT_DATA/description.html:
--------------------------------------------------------------------------------
1 |
2 | Вызов функции call без передачи каких-либо данных.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DIV_MUL/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Выполнение деления после умножения позволит повысить точность вычислений.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DIV_MUL/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Multiplication before division may increase the rounding precision.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DO_WHILE_CONTINUE/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Не используйте инструкцию continue в цикле do-while.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNCHECKED_CALL/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Always check the return value of functions.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_REDUNDANT_FALLBACK_REJECT/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | The payment rejection default function is redundant.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRAGMAS_VERSION/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Укажите конкретную версию компилятора (pragma solidity x.y.z;).
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRAGMAS_VERSION/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Specify the exact compiler version (pragma solidity x.y.z;).
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TX_ORIGIN/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Не используйте
tx.origin для авторизации.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNCHECKED_CALL/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Всегда проверяйте возвращаемое значение функции.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_ERC20_APPROVE/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | ERC-20 approve function is vulnerable to front-running attack.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DO_WHILE_CONTINUE/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Do not use continue instruction in the do-while loop.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_INCORRECT_BLOCKHASH/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Use blockhash function only for last 256 blocks.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_VIEW/description.html:
--------------------------------------------------------------------------------
1 | В Solidity функции, которые обозначены как view, не должны изменять состояние.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_USING_INLINE_ASSEMBLY/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Avoid using
assembly if possible.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VISIBILITY/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Избегайте двусмысленности: явно объявляйте уровни видимости.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VISIBILITY/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Avoid ambiguity: explicitly declare visibility levels.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_REDUNDANT_FALLBACK_REJECT/description.html:
--------------------------------------------------------------------------------
1 |
2 | Default-функция, отклоняющая платежи, является избыточной.
3 |
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CALL_WITHOUT_DATA/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Use of low-level call function with no arguments provided.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_FUNCTIONS_ALWAYS_RETURN_FALSE/recommendation_en.html:
--------------------------------------------------------------------------------
1 | It is required to return true, if the function was successful.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_MSGVALUE_EQUALS_ZERO/description.html:
--------------------------------------------------------------------------------
1 |
2 | Проверка условия msg.value == 0 бессмысленна в большинстве случаев.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_MSGVALUE_EQUALS_ZERO/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | The msg.value == 0 condition check is meaningless in most cases.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TRANSFER_IN_LOOP/recommendation.html:
--------------------------------------------------------------------------------
1 | Следует использовать такую схему вывода ETH, в которой пользователи сами забрают свои средства.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Explicitly specify the required type (e.g.,
uint256).
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_LOCKED_MONEY/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Реализуйте функции вывода средств или не реализуйте функции, принимающие платежи.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_LOCKED_MONEY/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Implement a function with withdrawal functionality or reject all the payments.
3 |
4 |
--------------------------------------------------------------------------------
/src/test/resources/rules/SOLIDITY_PRAGMAS_VERSION.sol:
--------------------------------------------------------------------------------
1 | // SOLIDITY_PRAGMAS_VERSION 23fc32
2 | pragma solidity ^0.4.21;
3 |
4 | pragma solidity 0.4.24;
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_FUNCTIONS_ALWAYS_RETURN_FALSE/name.txt:
--------------------------------------------------------------------------------
1 | Возвращаемое значение функции transfer, transferFrom или approve стандарта ERC-20 всегда равно false.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_FUNCTIONS_ALWAYS_RETURN_FALSE/name_en.txt:
--------------------------------------------------------------------------------
1 | Return value of transfer, transferFrom, or approve function of ERC-20 standard is always false.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_FUNCTION_RETURNS_TYPE_AND_NO_RETURN/description_en.html:
--------------------------------------------------------------------------------
1 | Function doesn't initialize return value. As result default value will be returned.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_GAS_LIMIT_IN_LOOPS/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Избегайте циклов со слишком большим или заранее неизвестным количеством шагов.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_INCORRECT_BLOCKHASH/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Используйте функцию blockhash только для последних 256 блоков.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SEND/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Use transfer, which is equivalent to if (!send()) { revert();}.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR_IN_LOOP_FOR/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Явно указывайте требуемый тип (например,
uint256).
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Keep in mind that anyone can read values of variables in Ethereum.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Use bytes instead of byte[] for lower gas consumption.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REVERT_REQUIRE/description.html:
--------------------------------------------------------------------------------
1 | Использование конструкции вида if (условие) {revert();} вместо require(условие);
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REVERT_REQUIRE/description_en.html:
--------------------------------------------------------------------------------
1 | Using the construction if (condition) {revert();} instead of require(condition);
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_USING_INLINE_ASSEMBLY/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | По возможности избегайте использование
assembly.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR_IN_LOOP_FOR/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Explicitly specify the required type (e.g.,
uint256).
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Имейте в виду, что значения переменных в Ethereum являются общедоступными.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_FUNCTIONS_ALWAYS_RETURN_FALSE/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Необходимо возвращать true в случае успешного выполнения функции.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_PURE/description_en.html:
--------------------------------------------------------------------------------
1 | In Solidity, function that do not read from the state or modify it can be declared as pure.
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_VIEW/description_en.html:
--------------------------------------------------------------------------------
1 | In Solidity, functions that do not read from the state or modify it can be declared as view.
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_INDEXED/links.html:
--------------------------------------------------------------------------------
1 |
2 | - Стандарт ERC-20
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_FUNCTION_RETURNS_TYPE_AND_NO_RETURN/description.html:
--------------------------------------------------------------------------------
1 | Возвращаемое значение не инициализировано, поэтому всегда будет возвращаться значение по умолчанию.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REDUNDANT_FALLBACK_REJECT/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Удалите функцию для экономии пространства: контракт автоматически отклонит платежи.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REDUNDANT_FALLBACK_REJECT/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Remove the function to save space: the contract will reject payments automatically.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_ERC20_APPROVE/recommendation.html:
--------------------------------------------------------------------------------
1 | Используйте функцию approve стандарта ERC-20 только для изменения одобренного количества токенов с или до 0.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES/description.html:
--------------------------------------------------------------------------------
1 |
2 | Используйте bytes вместо byte[] для более низкого расхода газа.
3 |
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_APPROVE/recommendation.html:
--------------------------------------------------------------------------------
1 | Используйте функцию approve стандарта ERC-20 только для изменения одобренного количества токенов с 0 или до 0.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_INDEXED/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | - ERC-20 Token Standard
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_FUNCTION_RETURNS_TYPE_AND_NO_RETURN/recommendation.html:
--------------------------------------------------------------------------------
1 | Если не требуется, чтобы функция возвращала значение, не указывайте returns в сигнатуре.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRIVATE_MODIFIER_DOES_NOT_HIDE_DATA/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Имейте в виду, что модификатор private не делает переменную невидимой.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SEND/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Используйте функцию transfer, которая является эквивалентом if (!send()) { revert();}.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TRANSFER_IN_LOOP/recommendation_en.html:
--------------------------------------------------------------------------------
1 | Withdrawal pattern is the recommended method of sending funds. In this pattern, users take their ETH by themselves.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TX_ORIGIN/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Never use
tx.origin for authorization. Use msg.sender instead.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_WRONG_SIGNATURE/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Use the canonical form to specify the parameter type (e.g.,
uint256).
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_TRANSFER_SHOULD_THROW/recommendation.html:
--------------------------------------------------------------------------------
1 | В стандарте ERC-20 рекомендуется бросать исключения в функциях transfer и transferFrom.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRIVATE_MODIFIER_DOES_NOT_HIDE_DATA/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Keep in mind that the private modifier does not make a variable invisible.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_PURE/description.html:
--------------------------------------------------------------------------------
1 |
2 | В Solidity функции, которые обозначены как pure, не должны считывать или изменять состояние.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ADDRESS_HARDCODED/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Проверьте правильность адреса. Кроме того, проверьте код вызываемого контракта на уязвимости.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_INDEXED/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Address arguments of Transfer and Approve events of ERC-20 token standard must be indexed.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_TRANSFER_SHOULD_THROW/recommendation_en.html:
--------------------------------------------------------------------------------
1 | The ERC20 standard recommends throwing exceptions in functions transfer and transferFrom.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_LOCKED_MONEY/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Implement a withdraw function or reject payments (contracts without a fallback function do it automatically).
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_REDUNDANT_FALLBACK_REJECT/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Удалите функцию для экономии газа и улучшения читаемости кода: контракт автоматически отклонит платежи.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_INDEXED/description.html:
--------------------------------------------------------------------------------
1 |
2 | Аргументы типа address событий Transfer и Approve стандарта ERC-20 должны быть индексированными.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TRANSFER_IN_LOOP/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | https://solidity.readthedocs.io/en/v0.4.25/common-patterns.html#withdrawal-from-contracts
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: Type Deduction
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_WRONG_SIGNATURE/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Используйте каноничную форму записи для типов в сигнатурах функций (например,
uint256).
4 |
5 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_SHORT_ADDRESS_ATTACK.sol:
--------------------------------------------------------------------------------
1 | contract SimpleBank {
2 | function sendMoney(address to, uint amount) {
3 | to.transfer(amount);//нет проверки на длину адреса
4 | }
5 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DIV_MUL/description.html:
--------------------------------------------------------------------------------
1 |
2 | Solidity работает только с целыми числами. Таким образом, при делении, предшевствующем умноженитю, может возникать большая погрешность.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_FUNCTION_RETURNS_TYPE_AND_NO_RETURN/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | If you don't need the return value of the function, do not specify returns in function signature.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNCHECKED_CALL/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | External calls
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_ERC20_APPROVE/recommendation_en.html:
--------------------------------------------------------------------------------
1 | Only use approve function of ERC-20 standard to change allowed amount to 0 or from 0 (wait till transaction is mined and approved).
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_UNITLESS_NUMBER/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Custom Unit Types
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_RETURN_STRUCT/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Use structure for internal function, which returns several parameters, if it improves code readability.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNUSED_FUNCTION_SHOULD_BE_EXTERNAL/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Use the external visibility modifier for functions never called from the contract via internal call.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR_IN_LOOP_FOR/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: Type Deduction
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_REDUNDANT_FALLBACK_REJECT/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Remove the function to save on gas and increase code readability: the contract will reject payments automatically.
3 |
4 |
--------------------------------------------------------------------------------
/src/test/resources/rules/VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA.vy:
--------------------------------------------------------------------------------
1 | # VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA lo771p
2 | a: uint256
3 | b: public(address)
4 | @public
5 | def function():
6 | d: int128
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DELETE_ON_DYNAMIC_ARRAYS/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Applying delete or .length = 0 to dynamically-sized storage arrays may lead to Out-of-Gas exception.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DO_WHILE_CONTINUE/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Issue on ethereum/solidity GitHub
5 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_APPROVE/recommendation_en.html:
--------------------------------------------------------------------------------
1 | Only use the approve function of the ERC-20 standard to change allowed amount to 0 or from 0 (wait till transaction is mined and approved).
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_LOCKED_MONEY/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Реализуйте функции вывода средств или отклонения платежей (контракты без функции резервного копирования выполняют это автоматически).
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REWRITE_ON_ASSEMBLY_CALL/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | The 0x vulnerability, explained
4 |
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SEND/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: Members of Addresses
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TX_ORIGIN/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: tx.origin
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNUSED_FUNCTION_SHOULD_BE_EXTERNAL/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Используйте уровень видимости external в случае, когда функция не вызывается с помощью внутреннего вызова.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_WRONG_SIGNATURE/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: Function Selector
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CONSTRUCTOR_RETURN/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Solidity CTF Part 3 Explanation
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DO_WHILE_CONTINUE/description.html:
--------------------------------------------------------------------------------
1 |
2 | Компилятор до версии 0.5.0 неправильно обрабатывает continue внутри цикла do-while: игнорируется условие внутри while.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DO_WHILE_CONTINUE/example.html:
--------------------------------------------------------------------------------
1 |
2 | Этот цикл является бесконечным:
3 |
4 |
5 |
6 | do {
7 | continue;
8 | } while(false);
9 |
10 |
11 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXACT_TIME/recommendation_en.html:
--------------------------------------------------------------------------------
1 | Use block.timestamp and now only in inequalities (>, <, >=, <=).
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_PURE/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: Pure Functions
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_VIEW/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: View Functions
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_RETURN_STRUCT/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Используйте структуры для internal функций, которые возвращают несколько переменных, если это улучшит читаемость кода.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UPGRADE_TO_050/links.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Solidity 0.5.0 — что нового он нам несет
4 |
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DEPRECATED_CONSTRUCTIONS/description.html:
--------------------------------------------------------------------------------
1 |
2 | Устаревшие конструкции: years, sha3, suicide, throw и constant функции.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DO_WHILE_CONTINUE/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Prior to version 0.5.0, Solidity compiler handles continue inside do-while loop incorrectly: it ignores while condition.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DO_WHILE_CONTINUE/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | The following loop is infinite:
3 |
4 |
5 |
6 | do {
7 | continue;
8 | } while(false);
9 |
10 |
11 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXACT_TIME/recommendation.html:
--------------------------------------------------------------------------------
1 | Используйте block.timestamp и now только в неравенствах (>, <, >=, <=).
2 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_OVERPOWERED_ROLE/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | What can theft of a private key lead to
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_USING_INLINE_ASSEMBLY/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: Inline Assembly
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VISIBILITY/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: Visibility and getters
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ADDRESS_HARDCODED/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | The contract contains unknown address. This address might be used for some malicious activity. Please check hardcoded address and it's usage.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ADDRESS_HARDCODED/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | It is required to check the address. Also, it is required to check the code of the called contract for vulnerabilities.
4 |
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_APPROVE/description.html:
--------------------------------------------------------------------------------
1 |
2 | Функция approve стандарта ERC-20 является уязвимой. Средства могут быть потрачены до того, как изменится значение allowance.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REDUNDANT_FALLBACK_REJECT/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: Fallback Function
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UINT_CANT_BE_NEGATIVE/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Для сравнения переменных типа uint с 0 используйте строгое неравенство, либо операторы != и ==.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_USING_INLINE_ASSEMBLY/description.html:
--------------------------------------------------------------------------------
1 |
2 | По возможности, избегайте использование assembly. Низкоуровневые команды затрудняют понимание кода, осложняют проведение аудита.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_USING_INLINE_ASSEMBLY/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Inline assembly is a way to access the Ethereum Virtual Machine at a low level. This discards several important safety features of Solidity.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: Fixed-size byte arrays
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DELETE_ON_DYNAMIC_ARRAYS/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Restrict adding too many elements into storage array. Otherwise, allow partial deletion of array's elements.
4 |
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DEPRECATED_CONSTRUCTIONS/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Deprecated constructions: years, sha3, suicide, throw and constant functions.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXACT_TIME/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: Timestamp Dependence
5 |
6 |
7 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере используется неявный тип var:
3 |
4 |
5 |
6 | for (var i = 0; i < array.length; i++) { /* ... */ }
7 |
8 |
9 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, the type var is used:
3 |
4 |
5 |
6 | for (var i = 0; i < array.length; i++) { /* ... */ }
7 |
8 |
9 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_DEAD_CODE.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.5;
2 | contract Voting {
3 | function p1( uint x ){
4 | if ( x> 5){
5 | if ( x*x< 20){
6 | a=a+1;//dead code
7 | }
8 | }
9 | }
10 | }
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_LOOP_FUSION.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.5;
2 | contract Voting {
3 | function p5 ( uint x ) {
4 | uint m=0;
5 | uint v=0;
6 | for ( uint i = 0;i
2 | The approve function of ERC-20 is vulnerable. Using front-running attack one can spend approved tokens before change of allowance value.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_LOCKED_MONEY/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: Withdrawal from Contracts
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_RETURN_STRUCT/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Consider using struct instead of multiple return values for internal or private functions. It can improve code readability.
3 |
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_RETURN_STRUCT/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_CONSTANT_STATE_VARIABLE.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.5;
2 | contract Voting {
3 | uint256 public batFund = 300 * 10**24;//если эта переменная не изменяется нигде далее в программе, должна быть объявлена константой
4 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ADDRESS_HARDCODED/description.html:
--------------------------------------------------------------------------------
1 |
2 | Использование в коде контракта адресов других контрактов потенциально может привести к уязвимостям. Требуется проверить на уязвимости и код вызываемого контракта.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DELETE_ON_DYNAMIC_ARRAYS/description.html:
--------------------------------------------------------------------------------
1 |
2 | Применение delete или .length = 0 к динамическому массиву может требовать слишком большое количество газа и приводить к исключению.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DELETE_ON_DYNAMIC_ARRAYS/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Ограничьте возможность добавления слишом большого числа элементов в массив или позвольте удалять элементы массива по частям.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_FUNCTIONS_ALWAYS_RETURN_FALSE/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | - ERC20 API: Transfer and TransferFrom
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_GAS_LIMIT_IN_LOOPS/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: Gas Limit and Loops
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_INCORRECT_BLOCKHASH/description.html:
--------------------------------------------------------------------------------
1 |
2 | Функция blockhash возвращает ненулевое значение только для последних 256 блоков. Кроме того, blockhash(block.number) всегда равно 0.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRIVATE_MODIFIER_DOES_NOT_HIDE_DATA/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Solidity: Visibility and getters
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REVERT_REQUIRE/recommendation_en.html:
--------------------------------------------------------------------------------
1 | Use require for better code readability
.
2 | Since the construction if (condition) {revert();} is equivalent to require(!condition);.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_RETURN_STRUCT/description.html:
--------------------------------------------------------------------------------
1 |
2 | Если internal или private функция возвращает несколько параметров, рекомендуется использовать структуру. Это может улучшить читаемость кода.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UPGRADE_TO_050/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Changelog on ethereum/solidity GitHub
4 |
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_REDUNDANT_FALLBACK_REJECT/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Vyper: Default function
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_FUNCTIONS_ALWAYS_RETURN_FALSE/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | The transfer, transferFrom or approve functions do not return true for any values of input parameters.
3 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_CONSTANT_OUTCOME_OF_LOOP.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.5;
2 | contract Voting {
3 | function p4 () returns ( uint ){
4 | uint sum = 0;
5 | for ( uint i = 1 ; i <= 100 ; i++) sum+=i;
6 | return sum;
7 | }
8 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CONSTRUCTOR_RETURN/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Не используйте return в конструкторе для лучшей читаемости кода. В целом, контракты, использующие assembly в конструкторе, не являются безопасными.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REVERT_REQUIRE/recommendation.html:
--------------------------------------------------------------------------------
1 | Для лучшей читаемости кода используйте require.
2 | Поскольку конструкция if (condition) {revert();} равносильна конструкции require(!condition);.
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UINT_CANT_BE_NEGATIVE/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | - Overflow and Underflow in Solidity
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UINT_CANT_BE_NEGATIVE/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | For comparison of uint type variables with 0 use >, <, !=, or == operators.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_WRONG_SIGNATURE/description.html:
--------------------------------------------------------------------------------
1 |
2 | В сигнатурах функций надо использовать каноническое представление для типов, например, uint256 и int256 вместо uint или int.
3 |
4 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_OPAQUE_PREDICATE.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.5;
2 | contract Voting {
3 | function p2 ( uint x ){
4 | if ( x> 5){
5 | if ( x > 1){
6 | a=a+1;
7 | }
8 | }
9 | }
10 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_FUNCTIONS_ALWAYS_RETURN_FALSE/description.html:
--------------------------------------------------------------------------------
1 |
2 | В функциях transfer, transferFrom или approve не возвращается true ни при каких значениях входных параметров.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_LOCKED_MONEY/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Contracts programmed to receive ether should implement a way to withdraw it, i.e., call transfer (recommended), send, or call.value at least once.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNCHECKED_CALL/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Expect calls to external contract to fail. When sending ether, check for the return value and handle errors. The recommended way of doing ether transfers is transfer.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_TIMESTAMP_DEPENDENCE/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Не используйте block.timestamp для генерации случайных чисел, создавайте контракты так, чтобы их логика не зависела от точного значения block.timestamp.
3 |
4 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_EXPENSIVE_OPERATIONS_IN_LOOP.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.5;
2 | contract Voting {
3 | uint sum= 0;
4 | function p3 ( uint x ){
5 | for ( uint i = 0 ; i< x ; i ++){
6 | sum+=i;
7 | }
8 | }
9 | }
10 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_REPEATED_COMPUTATION_IN_LOOP.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.5;
2 | contract Voting {
3 | uint x=1;
4 | uint y=2;
5 | function p(uint k){
6 | uint sum=0;
7 | for(uint i=1;i<=k;i++) sum=sum+x+y;
8 | }
9 | }
10 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_SEND_BALANCE_BEFORE_CHANGE.sol:
--------------------------------------------------------------------------------
1 | contract SimpleBank {
2 | mapping(address => uint) balances;
3 |
4 | function withdraw(uint amount) {
5 | balances[msg.sender] -= amount;
6 | msg.sender.transfer(amount);
7 | }
8 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR_IN_LOOP_FOR/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере используется неявный тип var внутри for:
3 |
4 |
5 |
6 | for (var i = 0; i < array.length; i++) { /* ... */ }
7 |
8 |
9 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_REDUNDANT_FALLBACK_REJECT/example.html:
--------------------------------------------------------------------------------
1 | В следующем примере default-функция по отклонению платежа является избыточной:
2 |
3 |
4 | @public
5 | @payable
6 | def __default__():
7 | throw
8 |
9 |
10 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/app/Media.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck.app;
2 |
3 | /**
4 | *
5 | */
6 | public interface Media {
7 |
8 | /**
9 | * @param info info
10 | */
11 | void accept(DirectoryAnalysis.Info info);
12 | }
13 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/app/Report.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck.app;
2 |
3 | /**
4 | *
5 | */
6 | public interface Report {
7 |
8 | /**
9 | * @throws Exception exception
10 | */
11 | void print() throws Exception;
12 | }
13 |
--------------------------------------------------------------------------------
/src/test/resources/rules/SOLIDITY_PRIVATE_MODIFIER_DOES_NOT_HIDE_DATA.sol:
--------------------------------------------------------------------------------
1 | pragma solidity 0.4.24;
2 |
3 | contract MarketPlace {
4 | // SOLIDITY_PRIVATE_MODIFIER_DOES_NOT_HIDE_DATA 5616b2
5 | uint private data1;
6 |
7 | uint data2;
8 | }
9 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_DIVISION_BY_ZERO.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.11;
2 |
3 | contract SolidityUncheckedSend {
4 | function(){
5 | a=0;
6 | uint x = 5 / a;//плохо
7 | if (a!=0){
8 | uint b=1/a;//хорошо
9 | }
10 | }
11 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ARRAY_LENGTH_MANIPULATION/description.html:
--------------------------------------------------------------------------------
1 |
2 | Длина динамического массива изменяется напрямую. Это может привести к гигантским массивам, которые в свою очередь могут сделать возможной overlap атаку (перезапись других данных в хранилище).
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_INCORRECT_BLOCKHASH/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Solidity documentation
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REVERT_REQUIRE/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | - Error handling: Assert, Require, Revert and Exceptions
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR_IN_LOOP_FOR/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, the type var is used inside of for:
3 |
4 |
5 |
6 | for (var i = 0; i < array.length; i++) { /* ... */ }
7 |
8 |
9 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_REDUNDANT_FALLBACK_REJECT/example_en.html:
--------------------------------------------------------------------------------
1 | In the following example, the payment rejection default function is redundant:
2 |
3 |
4 | @public
5 | @payable
6 | def __default__():
7 | throw
8 |
9 |
10 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNUSED_FUNCTION_SHOULD_BE_EXTERNAL/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 |
4 | Public vs External Functions in Solidity
5 |
6 |
--------------------------------------------------------------------------------
/src/test/resources/rules/SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES.sol:
--------------------------------------------------------------------------------
1 | pragma solidity 0.4.24;
2 | contract C {
3 |
4 | // SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES f13a9f
5 | byte[] someVariable1;
6 |
7 | bytes someVariable2;
8 | uint[] data;
9 | }
10 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_INCORRECT_BLOCKHASH/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | blockhash function returns a non-zero value only for 256 last blocks. Besides, it always returns 0 for the current block, i.e. blockhash(block.number) always equals to 0.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_OVERPOWERED_ROLE/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | We recommend designing contracts in a trustless manner. For instance, this functionality can be implemented in the contract's constructor. Another option is to use MultiSig wallet at this address.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_VIEW/example_en.html:
--------------------------------------------------------------------------------
1 | Here is the example of correct view-function:
2 |
3 | contract C {
4 | function f(uint a, uint b) view returns (uint) {
5 | return a * (b + 42) + now;
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXTRA_GAS_IN_LOOPS/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | State variable, .balance, or .length of non-memory array is used in the condition of for or while loop. In this case, every iteration of loop consumes extra gas.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_LOCKED_MONEY/description.html:
--------------------------------------------------------------------------------
1 |
2 | Контракты, запрограммированные на получение эфира, должны реализовать способ его снятия, т.е. вызывать функции transfer (рекомендуется), send или call.value как минимум один раз.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_OVERPOWERED_ROLE/links.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | К чему может привести кража приватного ключа
4 |
5 |
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TRANSFER_IN_LOOP/description.html:
--------------------------------------------------------------------------------
1 |
2 | Производится отправка ETH в цикле. В случае, если хотя бы один из адресатов не может принимать ETH (например, является контрактом со стандартной fallback функцией), то отправка ETH в таком цикле будет невозможна.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REWRITE_ON_ASSEMBLY_CALL/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Dangerous use of inline assembly instruction of CALL family, which overwrites the input with the output.
3 | In case the arbitrary address is called return value may differ from expected one.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SAFEMATH/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | We do not recommend using SafeMath library for all arithmetic operations. It is good practice to use explicit checks where it is really needed, and to avoid extra checks where overflow/underflow is impossible.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CONSTRUCTOR_RETURN/description.html:
--------------------------------------------------------------------------------
1 |
2 | В конструкторе контракта используется return. Из-за return процесс деплоя будет отличаться от интуитивного. Например, задеплоенный байткод может не содержать функций, реализованных в исходном коде.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_OVERPOWERED_ROLE/description.html:
--------------------------------------------------------------------------------
1 |
2 | Данная функция предназначена для вызова только с одного адреса. Таким образом, работа контракта зависит от данного адреса. В таком случае возможны нежелательные ситуации, например если приватный ключ данного адреса будет утерян.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNCHECKED_CALL/description.html:
--------------------------------------------------------------------------------
1 |
2 | Ожидайте, что вызовы внешнего контракта могут завершиться неудачей. При отправке эфира проверьте возвращаемое значение и обработайте ошибки. Рекомендованный способ передачи эфира — с помощью функции transfer.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TX_ORIGIN/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | tx.origin is used for authorization.
3 |
4 |
5 | Vulnerability type by SmartDec classification:
6 | Authorization with tx.origin.
7 |
8 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_LOCKED_MONEY/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Contracts including at least one function with @payable decorator should implement a way to withdraw ETH, i.e. call send (recommended), raw_call, or selfdestruct function at least once.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BALANCE_EQUALITY/description.html:
--------------------------------------------------------------------------------
1 |
2 | Используется проверка баланса на строгое равенство.
3 |
4 |
5 | Избегайте проверки баланса на строгое равенство: злоумышленник может принудительно отправить эфир на любой адрес, используя уничтожение контракта или майнинг.
6 |
7 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_PURE/example_en.html:
--------------------------------------------------------------------------------
1 | Here is the example of correct pure-function:
2 | pragma solidity ^0.4.16;
3 |
4 | contract C {
5 | function f(uint a, uint b) pure returns (uint) {
6 | return a * (b + 42) + now;
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_TIMESTAMP_DEPENDENCE/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | block.timestamp variable should not be used for entropy or generating random numbers. Also, we recommend developing contracts so that their logic does not depend on precise value of block.timestamp variable.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_UNITLESS_NUMBER/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | as_unitless_number() function allows applying arithmetic operations not allowed for this unit type. Use of this function may lead to errors and vulnerabilities. Therefore, try to avoid the use of this function or use it carefully.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRIVATE_MODIFIER_DOES_NOT_HIDE_DATA/description.html:
--------------------------------------------------------------------------------
1 |
2 | Вопреки распространенному заблуждению, модификатор private не делает переменную невидимой. Майнеры имеют доступ ко всем кодам контрактов и данным. Разработчики должны учитывать отсутствие конфиденциальности в Ethereum.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SAFEMATH/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Мы не рекомендуем использовать библиотеку SafeMath для всех арифметических операций. Правильной практикой считается использовать явные проверки там, где они действительно нужны, и не использовать лишних проверок там, где переполнение невозможно.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_LOCKED_MONEY/description.html:
--------------------------------------------------------------------------------
1 |
2 | Контракты, в которых есть хотя бы одна функция с декоратором @payable, должны реализовывать способ снятия ETH, т.е. вызывать функции send (рекомендуется), raw_call или selfdestruct как минимум один раз.
3 |
4 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/Pattern.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck;
2 |
3 | /**
4 | *
5 | */
6 | public interface Pattern extends Query {
7 |
8 | /**
9 | * @return id
10 | */
11 | String id();
12 |
13 | /**
14 | * @return severity
15 | */
16 | int severity();
17 | }
18 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_ERC20_APPROVE/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | - ERC20 approve issue in simple words
3 | - Ethereum. Approve
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REWRITE_ON_ASSEMBLY_CALL/description.html:
--------------------------------------------------------------------------------
1 |
2 | Опасное использование assembly инструкции семейства CALL: возвращаемые значения записываются поверх входных параметров.
3 | В случае, когда вызывается произвольный адрес, возвращаемое значение может отличаться от ожидаемого.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_TIMESTAMP_DEPENDENCE/description.html:
--------------------------------------------------------------------------------
1 |
2 | В контракте используется block.timestamp. Майнеры могут изменять block.timestamp в некоторых пределах. При этом, если логика контракта полагается на точное значение этой переменной, то майнер может менять ее для получения выгоды.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CONSTRUCTOR_RETURN/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | Do not use return in contract's constructor in order to increase code readability and transparency unless you clearly understand this vulnerability. Generally, it is not safe to use smart contracts that have assembly in the constructor.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_PURE/example.html:
--------------------------------------------------------------------------------
1 | Ниже приведен пример корректной pure-функции:
2 |
3 | pragma solidity ^0.4.16;
4 |
5 | contract C {
6 | function f(uint a, uint b) pure returns (uint) {
7 | return a * (b + 42) + now;
8 | }
9 | }
10 |
11 |
12 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_TIMESTAMP_DEPENDENCE/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | block.timestamp variable is used in the contract. Miners have the ability to adjust block.timestamp slightly. It can be quite dangerous if smart contract's logic relies on the exact value of block.timestamp variable.
3 |
4 |
5 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/Source.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck;
2 |
3 | import org.antlr.v4.runtime.CharStream;
4 |
5 | /**
6 | *
7 | */
8 | public interface Source {
9 |
10 | /**
11 | * @return char chars
12 | * @throws Exception exception
13 | */
14 | CharStream chars() throws Exception;
15 | }
16 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SEND/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | The send function is called inside checks instead of using transfer.
3 |
4 |
5 | The recommended way to perform checked ether payments is addr.transfer(x), which automatically throws an exception if the transfer is unsuccessful.
6 |
7 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SEND/example_en.html:
--------------------------------------------------------------------------------
1 | In the following example, the send function is used:
2 |
3 |
4 | if(!addr.send(42 ether)) {
5 | revert();
6 | }
7 |
8 |
9 | Preferred alternative:
10 |
11 |
12 | addr.transfer(42 ether);
13 |
14 |
15 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/Query.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck;
2 |
3 | import org.w3c.dom.Node;
4 |
5 | import java.util.stream.Stream;
6 |
7 | /**
8 | *
9 | */
10 | public interface Query {
11 |
12 | /**
13 | * @param node node
14 | * @return nodes
15 | */
16 | Stream nodes(Node node);
17 | }
18 |
--------------------------------------------------------------------------------
/src/test/resources/rules/VYPER_BALANCE_EQUALITY.vy:
--------------------------------------------------------------------------------
1 | @public
2 | def func_1(user: address):
3 | # VYPER_BALANCE_EQUALITY 5094ad
4 | if (user.balance == 0):
5 | pass
6 |
7 |
8 | @public
9 | def func_2(user: address):
10 | # VYPER_BALANCE_EQUALITY 5094ad
11 | if (user.balance != 0):
12 | pass
13 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXACT_TIME/description.html:
--------------------------------------------------------------------------------
1 |
2 | Используется строгое сравнение с block.timestamp или now. Майнеры могут влиять на block.timestamp для получения выгоды. Таким образом, не следует рассчитывать, что block.timestamp примет (или не примет) какое-то конкретное значение.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_VIEW/example.html:
--------------------------------------------------------------------------------
1 |
2 | Ниже приведен пример корректной view-функции:
3 |
4 |
5 | pragma solidity ^0.4.16;
6 |
7 | contract C {
8 | function f(uint a, uint b) view returns (uint) {
9 | return a * (b + 42) + now;
10 | }
11 | }
12 |
13 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_BALANCE_EQUALITY/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | The balance is checked for strict equality.
3 |
4 |
5 | Avoid checking for strict balance equality: an adversary can forcibly send Ether to any address via selfdestruct() function or by mining. Also, Ether can be sent to the precomputed contract's address.
6 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SEND/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере используется функция send:
3 |
4 |
5 |
6 | if(!addr.send(42 ether)) {
7 | revert();
8 | }
9 |
10 |
11 | Предпочтительный вариант:
12 |
13 |
14 | addr.transfer(42 ether);
15 |
16 |
17 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/Rule.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck;
2 |
3 | import java.util.stream.Stream;
4 |
5 | /**
6 | *
7 | */
8 | public interface Rule {
9 |
10 | /**
11 | * @return id
12 | */
13 | String id();
14 |
15 | /**
16 | * @return patterns
17 | */
18 | Stream patterns();
19 | }
20 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/package-info.java:
--------------------------------------------------------------------------------
1 | /**
2 | * .
3 | */
4 | @XmlSchema(
5 | namespace = "http://www.smartdec.ru/SmartCheck/Conditions",
6 | elementFormDefault = XmlNsForm.QUALIFIED)
7 | package ru.smartdec.smartcheck;
8 |
9 | import javax.xml.bind.annotation.XmlNsForm;
10 | import javax.xml.bind.annotation.XmlSchema;
11 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXTRA_GAS_IN_LOOPS/description.html:
--------------------------------------------------------------------------------
1 |
2 | В условии цикла for или while происходит обращение к storage контракта, .length массива, не находящегося в memory, либо к полю .balance. Таким образом, на каждом шаге цикла тратится большое количество газа на чтение.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXTRA_GAS_IN_LOOPS/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | If state variable, .balance, or .length is used several times, holding its value in a local variable is more gas efficient.
3 | If .length of calldata-array is placed into local variable, the optimisation will be less significant.
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_OVERPOWERED_ROLE/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Мы рекомендуем разрабатывать контракты так, чтобы их работа ни от кого не зависела. Один из возможных вариантов решения данной задачи - реализация данной функциональности в конструкторе контракта либо в скрипте деплоя. Ещё один вариант - использовать MultiSig кошелек по этому адресу.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UINT_CANT_BE_NEGATIVE/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Variables of uint type cannot be negative. Thus, comparing uint variable with zero (greater than or equal) is redundant. Also, it may lead to an underflow issue. Moreover, comparison with zero used in for-loop condition results in an infinite loop.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNCHECKED_CALL/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере используется функция send без проверки возвращаемого значения:
3 |
4 |
5 |
6 | contract SolidityUncheckedSend {
7 | function unseatKing(address addr, uint value) {
8 | addr.send(value);
9 | }
10 | }
11 |
12 |
13 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_APPROVE/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | - ERC20 API: An Attack Vector on Approve/TransferFrom Methods
3 | - Ethereum. Approve
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRAGMAS_VERSION/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере используется небезопасный способ указания версий компиляторов:
3 |
4 |
5 |
6 | pragma solidity ^0.4.17;
7 |
8 |
9 |
10 | Безопасный вариант:
11 |
12 |
13 |
14 | pragma solidity 0.4.24;
15 |
16 |
17 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNCHECKED_CALL/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, the send function without checking return value is used:
3 |
4 |
5 |
6 | contract SolidityUncheckedSend {
7 | function unseatKing(address addr, uint value) {
8 | addr.send(value);
9 | }
10 | }
11 |
12 |
13 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_BALANCE_EQUALITY/description.html:
--------------------------------------------------------------------------------
1 |
2 | Используется проверка баланса на строгое равенство.
3 |
4 |
5 | Избегайте проверки баланса на строгое равенство: злоумышленник может принудительно отправить эфир на любой адрес, используя уничтожение контракта или майнинг. Также эфир мог быть прислан на предвычисленный адрес контракта.
6 |
7 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRAGMAS_VERSION/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, аn unsafe way to specify versions of the compiler is used:
3 |
4 |
5 |
6 | pragma solidity ^0.4.17;
7 |
8 |
9 |
10 | Safe alternative:
11 |
12 |
13 |
14 | pragma solidity 0.4.24;
15 |
16 |
17 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VISIBILITY/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере не используется модификатор при объявлении функции:
3 |
4 |
5 |
6 | function foo();
7 |
8 |
9 |
10 | Безопасный вариант:
11 |
12 |
13 |
14 | function foo() public;
15 | function foo() private;
16 |
17 |
18 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DIV_MUL/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Solidity operates only with integers. Thus, if the division is done before the multiplication, the rounding errors can increase dramatically.
3 |
4 |
5 | Vulnerability type by SmartDec classification:
6 | Precision issues.
7 |
8 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_TRANSFER_SHOULD_THROW/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | - ERC20 API: Transfer and TransferFrom
3 | - Zeppelin-solidity. Transfer
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SEND/description.html:
--------------------------------------------------------------------------------
1 |
2 | Используется функция send с проверкой возвращаемого значения вместо вызова transfer.
3 |
4 |
5 | Рекомендуемым способом выполнения проверенных эфирных платежей является addr.transfer(x), который автоматически генерирует исключение, если отправка эфира не удалась.
6 |
7 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/app/TreeFactory.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck.app;
2 |
3 | import ru.smartdec.smartcheck.SearchableTree;
4 |
5 | import java.nio.file.Path;
6 |
7 | /**
8 | *
9 | */
10 | public interface TreeFactory {
11 |
12 | /**
13 | * @param path source
14 | * @return tree
15 | */
16 | SearchableTree tree(Path path);
17 | }
18 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VISIBILITY/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, a specific modifier is not used when declaring a function:
3 |
4 |
5 |
6 | function foo();
7 |
8 |
9 |
10 | Preferred alternatives:
11 |
12 |
13 |
14 | function foo() public;
15 | function foo() internal;
16 |
17 |
18 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_UNITLESS_NUMBER/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Vyper allows you to use unit label to either uint256, int128, or decimal type. This feature is implemented to increase code readability and security. However, as_unitless_number() function is used in the contract. Use of this function can endanger contract security.
3 |
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_UNITLESS_NUMBER/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | Функция as_unitless_number() позволяет произвдить операции, изначально запрещённые для данных единиц измерения. Использование этой функции может привести к ошибкам и уязвимостям. Поэтому мы рекомендуем не использовать данную функцию, а в случае, если это невозможно - использовать ее с предельной аккуратностью.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_INCORRECT_BLOCKHASH/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере функция currentBlockBlockhash всегда возвращает 0:
3 |
4 |
5 |
6 | pragma solidity 0.4.25;
7 |
8 | contract MyContract {
9 |
10 | function currentBlockHash() public view returns(bytes32) {
11 | return blockhash(block.number);
12 | }
13 | }
14 |
15 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UINT_CANT_BE_NEGATIVE/description.html:
--------------------------------------------------------------------------------
1 |
2 | Переменные типа uint не могут быть отрицательными. В общем случае, нестрогое сравнение такой переменной с нулем является излишним. А в отдельных случаях ее использование может привести к ошибке переполнения (underflow). Кроме того, использование сравнения с нулем в условии цикла for приводит к бесконечному циклу.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNUSED_FUNCTION_SHOULD_BE_EXTERNAL/description.html:
--------------------------------------------------------------------------------
1 |
2 | Функция с уровнем видимости public, которая не вызывается из контракта с помощью внутреннего вызова. Изменение уровня видимости на external у такой функции повышает читаемость кода. Более того, в некоторых случаях внешний вызов функции с уровнем видимости external потребляет меньше газа.
3 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_UNITLESS_NUMBER/description.html:
--------------------------------------------------------------------------------
1 |
2 | Vyper позволяет использовать единицы измерения для типов uint256, int128 и decimal. Эта возможность была создана для повышения читаемости кода и безопасности контракта. Однако, в контракте используется функция as_unitless_number(). Использование этой функции может снизить безопасность контракта.
3 |
4 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | target/
2 |
3 | # Compiled class file
4 | *.class
5 |
6 | # Log file
7 | *.log
8 |
9 | # BlueJ files
10 | *.ctxt
11 |
12 | # Mobile Tools for Java (J2ME)
13 | .mtj.tmp/
14 |
15 | # Package Files #
16 | *.jar
17 | *.war
18 | *.ear
19 | *.zip
20 | *.tar.gz
21 | *.rar
22 |
23 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
24 | hs_err_pid*
25 | /.idea/
26 | /gen/
27 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_INCORRECT_BLOCKHASH/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, currentBlockBlockhash function always returns 0:
3 |
4 |
5 |
6 | pragma solidity 0.4.25;
7 |
8 | contract MyContract {
9 |
10 | function currentBlockHash() public view returns(bytes32) {
11 | return blockhash(block.number);
12 | }
13 | }
14 |
15 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REDUNDANT_FALLBACK_REJECT/example_en.html:
--------------------------------------------------------------------------------
1 | In the following example, the payment rejection fallback is redundant:
2 |
3 |
4 | pragma solidity 0.4.24;
5 |
6 | contract Сlock {
7 |
8 | function time() public returns(uint) {
9 | return now;
10 | }
11 |
12 | function() {
13 | revert();
14 | }
15 | }
16 |
17 |
18 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UNUSED_FUNCTION_SHOULD_BE_EXTERNAL/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | A function with public visibility modifier that is not called internally. Changing visibility level to external increases code readability. Moreover, in many cases functions with external visibility modifier spend less gas comparing to functions with public visibility modifier.
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CALL_WITHOUT_DATA/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, call function is used for ETH transfer:
3 |
4 |
5 |
6 |
7 | pragma solidity 0.4.24;
8 |
9 | contract MyContract {
10 |
11 | function withdraw() {
12 | if (msg.sender.call.value(1)()) {
13 | /*...*/
14 | }
15 | }
16 | }
17 |
18 |
19 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CALL_WITHOUT_DATA/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | In this case, transfer or send function call is more secure. Another option is to implement the desired functionality in the separate public function of the target contract. Nevertheless, if use of call function is necessary due to the target contract design, gas limit should be added (.gas()).
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REDUNDANT_FALLBACK_REJECT/example.html:
--------------------------------------------------------------------------------
1 | В следующем примере fallback-функция по отклонению платежа является избыточной:
2 |
3 |
4 | pragma solidity 0.4.24;
5 |
6 | contract Сlock {
7 |
8 | function time() public returns(uint) {
9 | return now;
10 | }
11 |
12 | function() {
13 | revert();
14 | }
15 | }
16 |
17 |
18 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TRANSFER_IN_LOOP/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | ETH is transferred in a loop. If at least one address cannot receive ETH (e.g. it is a contract with default fallback function), the whole transaction will be reverted.
3 |
4 |
5 | Vulnerability type by SmartDec classification:
6 | DoS with revert.
7 |
8 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_USING_UBTRUSTED_INPUTS.sol:
--------------------------------------------------------------------------------
1 | //BAD
2 | contract SimpleBank {
3 |
4 | function hashingsha3 () returns (bytes32 hash){
5 | uint time = block.timestamp;//!!!
6 | return sha3(time);
7 | }
8 | }
9 | //GOOD
10 | contract SimpleBank {
11 |
12 | function hashingsha3 () returns (bytes32 hash){
13 | bytes32 b = block.blockhash(1);
14 | return sha3(b);
15 | }
16 | }
--------------------------------------------------------------------------------
/src/test/resources/rules/VYPER_REDUNDANT_FALLBACK_REJECT.vy:
--------------------------------------------------------------------------------
1 | @public
2 | @payable
3 | def __default__():
4 | send(msg.sender, 15)
5 |
6 | @public
7 | @payable
8 | # VYPER_REDUNDANT_FALLBACK_REJECT am179p
9 | def __default__():
10 | throw
11 |
12 | @public
13 | @payable
14 | def __default__():
15 | throw
16 | pass
17 |
18 | @public
19 | @payables
20 | def __default__():
21 | if True:
22 | throw
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_DOS_WITH_BLOCK_GAS_LIMIT.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.11;
2 |
3 | contract PullPayment {
4 | function refundAll() public {
5 | for(uint x; x < refundAddresses.length; x++) { // arbitrary length iteration based on how many addresses participated
6 | if(refundAddresses[x].send(refunds[refundAddresses[x]])) {
7 | throw; // doubly bad, now a single failure on send will hold up all funds
8 | }
9 | }
10 | }
11 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CALL_WITHOUT_DATA/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере используются функция call для передачи ETH:
3 |
4 |
5 |
6 |
7 | pragma solidity 0.4.24;
8 |
9 | contract MyContract {
10 |
11 | function withdraw() public {
12 | if (msg.sender.call.value(1 ether)()) {
13 | /*...*/
14 | }
15 | }
16 | }
17 |
18 |
19 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXTRA_GAS_IN_LOOPS/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | В случаях, когда переменные, хранящиеся в storage контракта, а также поля .balance и .length, используются несколько раз, рекомендуется записывать их значения в локальные переменные.
3 | При этом в случае, когда происходит обращение к длине массива, находящегося в calldata, оптимизация будет менее значимой.
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXTRA_GAS_IN_LOOPS/example.html:
--------------------------------------------------------------------------------
1 | В следующем примере обращение к переменной limiter происходит на каждом шаге цикла:
2 |
3 |
4 | pragma solidity 0.4.25;
5 |
6 | contract NewContract {
7 | uint limiter = 100;
8 |
9 | function longLoop() {
10 | for(uint i = 0; i < limiter; i++) {
11 | /* ... */
12 | }
13 | }
14 | }
15 |
16 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_LOCKED_MONEY/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, contracts programmed to receive ether does not call transfer, send, or call.value function:
3 |
4 |
5 |
6 | pragma solidity 0.4.25;
7 |
8 | contract BadMarketPlace {
9 | function deposit() payable {
10 | require(msg.value > 0);
11 | }
12 | }
13 |
14 |
15 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ARRAY_LENGTH_MANIPULATION/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | The length of the dynamic array is changed directly. In this case, the appearance of gigantic arrays is possible and it can lead to a storage overlap attack (collisions with other data in storage).
3 |
4 |
5 | Vulnerability type by SmartDec classification:
6 | Overlap attack.
7 |
8 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_RETURN_STRUCT/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере internal функция возвращает несколько переменных:
3 |
4 |
5 |
6 | pragma solidity 0.4.24;
7 |
8 | contract TestContract {
9 |
10 | function test() internal returns(uint a, address b, bool c) {
11 | a = 1;
12 | b = msg.sender;
13 | c = true;
14 | }
15 | }
16 |
17 |
18 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CALL_WITHOUT_DATA/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | В данной ситуации более безопасными являются функции transfer и send. Также, по возможности рекомендуется доработать целевой контракт и добавить в него функцию с желаемой функциональностью. Однако, если вызов функции call необходим (в силу дизайна целевого контракта), то рекомендуется добавлять ограничение на газ (.gas()).
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXTRA_GAS_IN_LOOPS/example_en.html:
--------------------------------------------------------------------------------
1 | In the following example, limiter variable is accessed on every for-loop iteration:
2 |
3 |
4 |
5 | pragma solidity 0.4.25;
6 |
7 | contract NewContract {
8 | uint limiter = 100;
9 |
10 | function longLoop() {
11 | for(uint i = 0; i < limiter; i++) {
12 | /* ... */
13 | }
14 | }
15 | }
16 |
17 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_LOCKED_MONEY/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере контракт, запрограммированный на получение эфира, не вызывает ни одну из функций transfer, send или call.value:
3 |
4 |
5 |
6 | pragma solidity 0.4.25;
7 |
8 | contract BadMarketPlace {
9 | function deposit() payable {
10 | require(msg.value > 0);
11 | }
12 | }
13 |
14 |
15 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_RETURN_STRUCT/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, internal function returns several parameters:
3 |
4 |
5 |
6 | pragma solidity 0.4.24;
7 |
8 | contract TestContract {
9 |
10 | function test() internal returns(uint a, address b, bool c) {
11 | a = 1;
12 | b = msg.sender;
13 | c = true;
14 | }
15 | }
16 |
17 |
18 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_FUNCTION_RETURNS_TYPE_AND_NO_RETURN/example.html:
--------------------------------------------------------------------------------
1 | В следующем примере в сигнатуре функции обозначен только тип возвращаемого значения, а в ее теле нет return:
2 |
3 |
4 | pragma solidity 0.4.25;
5 |
6 | contract NewContract {
7 | uint minimumBuy;
8 |
9 | function setMinimumBuy(uint256 newMinimumBuy) returns (bool){
10 | minimumBuy = newMinimumBuy;
11 | }
12 | }
13 |
14 |
--------------------------------------------------------------------------------
/src/test/resources/rules/SOLIDITY_SAFEMATH.sol:
--------------------------------------------------------------------------------
1 | pragma solidity 0.4.24;
2 |
3 | library SafeMath {
4 | function sub(uint256 a, uint256 b) internal pure returns (uint256) {
5 | assert(b <= a);
6 | return a - b;
7 | }
8 | }
9 |
10 | contract MyToken {
11 | // SOLIDITY_SAFEMATH 837cac
12 | using SafeMath for uint256;
13 |
14 | function sub(uint a, uint b) public returns(uint) {
15 | return(a.sub(b));
16 | }
17 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BALANCE_EQUALITY/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере используется проверка баланса на строгое равенство:
3 |
4 |
5 |
6 | if (address(this).balance == 42 ether ) {
7 | /* ... */
8 | }
9 |
10 |
11 |
12 | Безопасный вариант:
13 |
14 |
15 |
16 | if (address(this).balance >= 42 ether ) {
17 | /* ... */
18 | }
19 |
20 |
21 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRIVATE_MODIFIER_DOES_NOT_HIDE_DATA/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Contrary to a popular misconception, the private modifier does not make a variable invisible. Miners have access to all contracts’ code and data. Developers must account for the lack of privacy in Ethereum.
3 |
4 |
5 | Vulnerability type by SmartDec classification:
6 | Privacy.
7 |
8 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_WRONG_SIGNATURE/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | In Solidity, the function signature is defined as the canonical expression of the basic prototype without data location specifier, i.e. the function name with the parenthesised list of parameter types. Parameter types are split by a single comma - no spaces are used. This means one should use uint256 and int256 instead of uint or int.
3 |
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BALANCE_EQUALITY/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, checking for strict balance equality is used:
3 |
4 |
5 |
6 | if (address(this).balance == 42 ether ) {
7 | /* ... */
8 | }
9 |
10 |
11 |
12 | Secure alternative:
13 |
14 |
15 |
16 | if (address(this).balance >= 42 ether ) {
17 | /* ... */
18 | }
19 |
20 |
21 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_TRANSFER_SHOULD_THROW/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Functions of ERC-20 Token Standard should throw in special cases:
3 |
4 |
5 | transfer should throw if the _from account balance does not have enough tokens to spendtransferFrom should throw unless the _from account has deliberately authorized the sender of the message via some mechanism
8 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BALANCE_EQUALITY/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | The balance is checked for strict equality.
3 |
4 |
5 | Avoid checking for strict balance equality: an adversary can forcibly send ether to any address via selfdestruct() or by mining.
6 |
7 |
8 | Vulnerability type by SmartDec classification:
9 | Ether transfer.
10 |
11 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES/example.html:
--------------------------------------------------------------------------------
1 | В следующем примере используется массив байтов:
2 |
3 |
4 | pragma solidity 0.4.24;
5 |
6 | contract C {
7 | byte[] someVariable;
8 | ...
9 | }
10 |
11 |
12 |
13 | Альтернатива:
14 |
15 |
16 |
17 | pragma solidity 0.4.24;
18 |
19 | contract C {
20 | bytes someVariable;
21 | ...
22 | }
23 |
24 |
25 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_BYTE_ARRAY_INSTEAD_BYTES/example_en.html:
--------------------------------------------------------------------------------
1 | In the following example, byte array is used:
2 |
3 |
4 | pragma solidity 0.4.24;
5 |
6 | contract C {
7 | byte[] someVariable;
8 | ...
9 | }
10 |
11 |
12 |
13 | Alternative:
14 |
15 |
16 |
17 | pragma solidity 0.4.24;
18 |
19 | contract C {
20 | bytes someVariable;
21 | ...
22 | }
23 |
24 |
25 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXACT_TIME/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Strict comparison with block.timestamp or now. Miners can affect block.timestamp for their benefits. Thus, one should not rely on the exact value of block.timestamp.
3 |
4 |
5 | Vulnerability type by SmartDec classification:
6 | Timestamp manipulation.
7 |
8 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VISIBILITY/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | The default function visibility level in contracts is public, in interfaces - external, state variable default visibility level is internal.
3 | In contracts, the fallback function can be external or public. In interfaces, all the functions should be declared as external. Explicitly define function visibility to prevent confusion.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_APPROVE/example.html:
--------------------------------------------------------------------------------
1 | В следующем контракте используется функция approve:
2 | pragma solidity ^0.4.5;
3 | contract StandardToken is ERC20, BasicToken {
4 | ...
5 | function approve(address _spender, uint256 _value) public returns (bool) {
6 | allowed[msg.sender][_spender] = _value;
7 | Approval(msg.sender, _spender, _value);
8 | return true;
9 | }
10 | ...
11 | }
12 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_APPROVE/example_en.html:
--------------------------------------------------------------------------------
1 | In the following contract the function approve is used:
2 | pragma solidity ^0.4.5;
3 | contract StandardToken is ERC20, BasicToken {
4 | ...
5 | function approve(address _spender, uint256 _value) public returns (bool) {
6 | allowed[msg.sender][_spender] = _value;
7 | Approval(msg.sender, _spender, _value);
8 | return true;
9 | }
10 | ...
11 | }
12 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_TRANSFER_SHOULD_THROW/description.html:
--------------------------------------------------------------------------------
1 |
2 | Функции стандарта ERC-20 должны бросать исключения в случиях:
3 |
4 |
5 | - функция
transfer должна бросать исключение, если адрес _from не имеет достаточно токенов для траты
6 | - функция
transferFrom должна бросать исключение, если адрес _from намеренно не авторизовал отправителя сообщения с помощью какого-либо механизма
7 |
8 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA/description.html:
--------------------------------------------------------------------------------
1 |
2 | По умолчанию, переменные, не объявленные как public, являются недоступными для внешних контрактов и могут быть вызваны только из методов данного контракта. Вопреки распространенному заблуждению, значения этих переменных всё ещё остаются доступными пользователям. Разработчики должны учитывать отсутствие конфиденциальности в Ethereum. (На элементах структур происходит ложное срабатывание паттерна)
3 |
4 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_OVERPOWERED_ROLE/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | This function is callable only from one address. Therefore, the system depends heavily on this address. In this case, there are scenarios that may lead to undesirable consequences for investors, e.g. if the private key of this address becomes compromised.
3 |
4 |
5 | Vulnerability type by SmartDec classification:
6 | Overpowered owner.
7 |
8 |
--------------------------------------------------------------------------------
/src/test/resources/rules/SOLIDITY_VAR_IN_LOOP_FOR.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.11;
2 |
3 | contract SolidityUncheckedSend {
4 | function unseatKing(address a, uint w) view returns (uint){
5 | // SOLIDITY_VAR_IN_LOOP_FOR f176ab
6 | for (var i = 0; i < 257; i++) {
7 | a=0;
8 | }
9 | for (var i = 0; i < 4; i++) {
10 | a=0;
11 | }
12 | for (var i = 1000; i > 400; i--) {
13 | a=0;
14 | }
15 | }
16 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_CONSTRUCTOR_RETURN/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | return statement is used in contract's constructor. With return the process of deploy will differ from the intuitive one. For instance, deployed bytecode may not include functions implemented in the source.
3 |
4 |
5 | Vulnerability type by SmartDec classification:
6 | Assembly return in constructor.
7 |
8 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REDUNDANT_FALLBACK_REJECT/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | The payment rejection fallback is redundant.
3 |
4 |
5 | Contracts should reject unexpected payments. Before Solidity 0.4.0, it was done manually:
6 |
7 |
8 |
9 | function () { revert(); }
10 |
11 |
12 |
13 | Starting from Solidity 0.4.0, contracts without a fallback function automatically
14 | revert payments, making the code above redundant.
15 |
16 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_FUNCTION_RETURNS_TYPE_AND_NO_RETURN/example_en.html:
--------------------------------------------------------------------------------
1 | In the following example, the function's signature only denotes the type of the return value, but the function's body does not contain return statement:
2 |
3 |
4 | pragma solidity 0.4.25;
5 |
6 | contract NewContract {
7 | uint minimumBuy;
8 |
9 | function setMinimumBuy(uint256 newMinimumBuy) returns (bool){
10 | minimumBuy = newMinimumBuy;
11 | }
12 | }
13 |
14 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REDUNDANT_FALLBACK_REJECT/description.html:
--------------------------------------------------------------------------------
1 |
2 | Fallback-функция по отклонению платежа является избыточной.
3 |
4 |
5 | Контракты должны отклонять неожиданные платежи. До версии 0.4.0 в Solidity это делалось вручную:
6 |
7 |
8 | function () { revert(); }
9 |
10 |
11 |
12 | Начиная с Solidity 0.4.0, контракты без fallback-функции автоматически возвращают платежи, что делает код, представленный выше, избыточным.
13 |
14 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VISIBILITY/description.html:
--------------------------------------------------------------------------------
1 |
2 | В Solidity есть уровни видимости по умолчанию. Для функций в контрактах - public, для функций в интерфейсах - external, для переменных - internal. Fallback функция в контрактах может иметь только external или public уровень видимости. Все функции в интерфейсах должны иметь external уровень видимости.
3 | Четко определяйте видимость для предотвращения неоднозначной ситуации.
4 |
5 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_WRONG_SIGNATURE/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | This code uses incorrect function signature:
3 |
4 |
5 |
6 | pragma solidity ^0.5.1;
7 | contract Signature {
8 | function callFoo(address addr, uint value) public returns (bool) {
9 | bytes memory data = abi.encodeWithSignature("foo(uint)", value);
10 | (bool status, ) = addr.call(data);
11 | return status;
12 | }
13 | }
14 |
15 |
16 |
17 | Use "foo(uint256)" instead.
18 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Initializing the variables without the public function defaults to a private declaration and thus only accessible to methods within the same contract. Contrary to a popular misconception, values of these variables are still accessible for users. Developers must account for the lack of privacy in Ethereum.
3 | This rule reports all structure's fields in structure definition but it is not the issue (it is false positive).
4 |
5 |
--------------------------------------------------------------------------------
/src/test/resources/rules/VYPER_ERC20_APPROVE.vy:
--------------------------------------------------------------------------------
1 | Approval: event({_owner: indexed(address), _spender: indexed(address), _value: uint256(wei)})
2 |
3 |
4 | allowances: (uint256(wei)[address])[address]
5 |
6 |
7 | @public
8 | # VYPER_ERC20_APPROVE af782c
9 | def approve(_spender : address, _value : uint256(wei)) -> bool:
10 | _sender: address = msg.sender
11 | self.allowances[_sender][_spender] = _value
12 | # Fire approval event
13 | log.Approval(_sender, _spender, _value)
14 | return True
15 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRAGMAS_VERSION/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Solidity source files indicate the versions of the compiler they can be compiled with.
3 |
4 |
5 |
6 | pragma solidity ^0.4.17; // bad: compiles w 0.4.17 and above
7 | pragma solidity 0.4.24; // good : compiles w 0.4.24 only
8 |
9 |
10 |
11 | It is recommended to follow the latter example, as future compiler versions may handle certain language constructions in a way the developer did not foresee.
12 |
13 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_MISSING_INPUT_VALIDATION.sol:
--------------------------------------------------------------------------------
1 |
2 | contract SimpleBank {
3 | mapping(address => uint) balances;
4 |
5 | function withdraw(uint amount) {
6 | balances[msg.sender] -= amount;
7 | msg.sender.transfer(amount);
8 | }
9 | }
10 |
11 | contract SimpleBank {
12 | mapping(address => uint) balances;
13 |
14 | function withdraw(uint amount) {
15 | require(amount <= balances[msg.sender]);
16 | balances[msg.sender] -= amount;
17 | msg.sender.transfer(amount);
18 | }
19 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_PRAGMAS_VERSION/description.html:
--------------------------------------------------------------------------------
1 |
2 | Файлы исходных текстов Solidity указывают версии компилятора, с которыми они могут быть скомпилированы.
3 |
4 |
5 |
6 | pragma solidity ^0.4.17; // bad: compiles w 0.4.17 and above
7 | pragma solidity 0.4.24; // good : compiles w 0.4.24 only
8 |
9 |
10 |
11 | Рекомендуется следовать последнему примеру, поскольку будущие версии компилятора могут обрабатывать определенные языковые конструкции способом, который разработчик не предвидел.
12 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA/example.html:
--------------------------------------------------------------------------------
1 | В следующем примере переменная password используется для хранения пароля:
2 |
3 |
4 | password: bytes32
5 | set: public(bool)
6 |
7 | @public
8 | def unlock(_password: bytes32):
9 | assert self.password == _password
10 | send(msg.sender, self.balance)
11 |
12 | @payable
13 | @public
14 | def lock(_password: bytes32):
15 | assert self.set == False
16 | self.password = _password
17 | self.set = True
18 |
19 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_WRONG_SIGNATURE/example.html:
--------------------------------------------------------------------------------
1 |
2 | В этом примере используется неправильно сформированная сигнатура фукнции:
3 |
4 |
5 |
6 | pragma solidity ^0.5.1;
7 | contract Signature {
8 | function callFoo(address addr, uint value) public returns (bool) {
9 | bytes memory data = abi.encodeWithSignature("foo(uint)", value);
10 | (bool status, ) = addr.call(data);
11 | return status;
12 | }
13 | }
14 |
15 |
16 |
17 | Правильный вариант - "foo(uint256)".
18 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_DUPLICATED_STORAGE.sol:
--------------------------------------------------------------------------------
1 | contract Storage {
2 | struct Info {
3 | address owner;
4 | uint amount;
5 | }
6 | mapping (address => Info) addressInfo;
7 | mapping (uint => Info) indexInfo;
8 | uint index;
9 | function create(uint _amount) {
10 | var info = Info(msg.sender, _amount);
11 | indexInfo[index] = info;//!
12 | addressInfo[msg.sender] = info;//!
13 | ++index;
14 | }
15 | function burn(address _to, uint _amount) {
16 | var info = addressInfo[msg.sender];
17 | info.amount = safeSub(info.amount, _amount);
18 | }
19 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ADDRESS_HARDCODED/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем контракте адрес задан в исходном коде:
3 |
4 |
5 |
6 | pragma solidity 0.4.24;
7 |
8 | contract C {
9 | function f(uint a, uint b) pure returns (address) {
10 | address public multisig = 0xf64B584972FE6055a770477670208d737Fff282f;
11 | return multisig;
12 | }
13 | }
14 |
15 |
16 |
17 | Не забудьте проверить код контракта по адресу
18 | 0xf64B584972FE6055a770477670208d737Fff282f на уязвимости.
19 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_PRIVATE_MODIFIER_DONT_HIDE_DATA/example_en.html:
--------------------------------------------------------------------------------
1 | In the following example, sensitive data is stored in password state variable:
2 |
3 |
4 | password: bytes32
5 | set: public(bool)
6 |
7 | @public
8 | def unlock(_password: bytes32):
9 | assert self.password == _password
10 | send(msg.sender, self.balance)
11 |
12 | @payable
13 | @public
14 | def lock(_password: bytes32):
15 | assert self.set == False
16 | self.password = _password
17 | self.set = True
18 |
19 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXACT_TIME/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере майнер может воздействовать на значение now и всегда выигрывать:
3 |
4 |
5 |
6 | pragma solidity 0.4.25;
7 |
8 | contract Game {
9 |
10 | function oddOrEven(bool yourGuess) external payable {
11 | if (yourGuess == now % 2 > 0) {
12 | uint fee = msg.value / 10;
13 | msg.sender.transfer(msg.value * 2 - fee);
14 | }
15 | }
16 |
17 | function () external payable {}
18 | }
19 |
20 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_EXACT_TIME/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, now can be manipulated by the miner so that he/she will always win:
3 |
4 |
5 |
6 | pragma solidity 0.4.25;
7 |
8 | contract Game {
9 |
10 | function oddOrEven(bool yourGuess) external payable {
11 | if (yourGuess == now % 2 > 0) {
12 | uint fee = msg.value / 10;
13 | msg.sender.transfer(msg.value * 2 - fee);
14 | }
15 | }
16 |
17 | function () external payable {}
18 | }
19 |
20 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_LOCKED_MONEY/example.html:
--------------------------------------------------------------------------------
1 |
2 | В данном примере у контракта есть @payable функция:
3 |
4 |
5 |
6 | funders: {sender: address, value: wei_value}[int128]
7 | nextFunderIndex: int128
8 |
9 |
10 | @public
11 | @payable
12 | def participate(i: int128):
13 | nfi: int128 = self.nextFunderIndex
14 | self.funders[nfi] = {sender: msg.sender, value: msg.value}
15 | self.nextFunderIndex = nfi + 1
16 |
17 |
18 |
19 | Однако, вывести средства с адреса контракта невозможно.
20 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DEPRECATED_CONSTRUCTIONS/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Use
keccak256 instead of sha3.
4 |
5 | -
6 | Use
selfdestruct instead of suicide.
7 |
8 | -
9 | Use
revert() instead of throw.
10 |
11 | -
12 | Use
view instead of constant for functions.
13 |
14 | -
15 | Use
days instead of years.
16 |
17 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_BALANCE_EQUALITY/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере используется проверка баланса на строгое равенство:
3 |
4 |
5 |
6 | @public
7 | def func_1(user: address):
8 | if (user.balance == as_wei_value(10, "ether")):
9 | # do some stuff
10 | pass
11 |
12 |
13 |
14 | Безопасный вариант:
15 |
16 |
17 |
18 | @public
19 | def func_1(user: address):
20 | if (user.balance >= as_wei_value(10, "ether")):
21 | # do some stuff
22 | pass
23 |
24 |
25 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_BALANCE_EQUALITY/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, checking for strict balance equality is used:
3 |
4 |
5 |
6 | @public
7 | def func_1(user: address):
8 | if (user.balance == as_wei_value(10, "ether")):
9 | # do some stuff
10 | pass
11 |
12 |
13 |
14 | Secure alternative:
15 |
16 |
17 |
18 | @public
19 | def func_1(user: address):
20 | if (user.balance >= as_wei_value(10, "ether")):
21 | # do some stuff
22 | pass
23 |
24 |
25 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/Rules.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck;
2 |
3 | import java.util.stream.Stream;
4 |
5 | /**
6 | *
7 | */
8 | public interface Rules {
9 |
10 | /**
11 | * @return rules
12 | * @throws Exception exception
13 | */
14 | Stream stream() throws Exception;
15 |
16 | /**
17 | * @return rules
18 | */
19 | default Stream streamUnchecked() {
20 | try {
21 | return this.stream();
22 | } catch (Exception ex) {
23 | throw new RuntimeException(ex);
24 | }
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DIV_MUL/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, amount variable is divided by DELIMITER and then multiplied by BONUS. Thus, a rounding error appears (consider amount = 9000):
3 |
4 |
5 |
6 | pragma solidity 0.4.25;
7 |
8 | contract MyContract {
9 |
10 | uint constant BONUS = 500;
11 | uint constant DELIMITER = 10000;
12 |
13 | function calculateBonus(uint amount) returns (uint) {
14 | return amount/DELIMITER*BONUS;
15 | }
16 | }
17 |
18 |
19 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/ParseTree.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck;
2 |
3 | import org.antlr.v4.runtime.tree.RuleNode;
4 |
5 | /**
6 | *
7 | */
8 | public interface ParseTree {
9 |
10 | /**
11 | * @return root
12 | * @throws Exception exception
13 | */
14 | RuleNode root() throws Exception;
15 |
16 | /**
17 | * @return root
18 | */
19 | default RuleNode rootUnchecked() {
20 | try {
21 | return this.root();
22 | } catch (Exception ex) {
23 | throw new RuntimeException(ex);
24 | }
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DEPRECATED_CONSTRUCTIONS/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | -
3 | Используйте
keccak256 вместо sha3.
4 |
5 | -
6 | Используйте
selfdestruct вместо suicide.
7 |
8 | -
9 | Используйте
revert() вместо throw.
10 |
11 | -
12 | Используйте
view вместо constant для функций.
13 |
14 | -
15 | Используйте
days вместо years.
16 |
17 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_ERC20_APPROVE/example.html:
--------------------------------------------------------------------------------
1 | В следующем контракте определена функция approve
2 |
3 |
4 | Approval: event({_owner: indexed(address), _spender: indexed(address), _value: uint256(wei)})
5 |
6 |
7 | allowances: (uint256(wei)[address])[address]
8 |
9 |
10 | @public
11 | def approve(_spender : address, _value : uint256(wei)) -> bool:
12 | _sender: address = msg.sender
13 | self.allowances[_sender][_spender] = _value
14 | # Fire approval event
15 | log.Approval(_sender, _spender, _value)
16 | return True
17 |
18 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ADDRESS_HARDCODED/example_en.html:
--------------------------------------------------------------------------------
1 | In the following contract, the address is specified in the source code:
2 |
3 |
4 |
5 | pragma solidity 0.4.24;
6 |
7 | contract C {
8 | function f(uint a, uint b) pure returns (address) {
9 | address public multisig = 0xf64B584972FE6055a770477670208d737Fff282f;
10 | return multisig;
11 | }
12 | }
13 |
14 |
15 |
16 | Do not forget to check the contract at the address 0xf64B584972FE6055a770477670208d737Fff282f for vulnerabilities.
17 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DIV_MUL/example.html:
--------------------------------------------------------------------------------
1 |
2 | В данном примере величина amount делится на DELIMITER нацело и только потом умножается на BONUS. Таким образом, возникает погрешность (например, при amount = 9000):
3 |
4 |
5 |
6 | pragma solidity 0.4.25;
7 |
8 | contract MyContract {
9 |
10 | uint constant BONUS = 500;
11 | uint constant DELIMITER = 10000;
12 |
13 | function calculateBonus(uint amount) returns (uint) {
14 | return amount/DELIMITER*BONUS;
15 | }
16 | }
17 |
18 |
19 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_ERC20_APPROVE/example_en.html:
--------------------------------------------------------------------------------
1 | In the following contract approve function is used
2 |
3 |
4 | Approval: event({_owner: indexed(address), _spender: indexed(address), _value: uint256(wei)})
5 |
6 |
7 | allowances: (uint256(wei)[address])[address]
8 |
9 |
10 | @public
11 | def approve(_spender : address, _value : uint256(wei)) -> bool:
12 | _sender: address = msg.sender
13 | self.allowances[_sender][_spender] = _value
14 | # Fire approval event
15 | log.Approval(_sender, _spender, _value)
16 | return True
17 |
18 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_REFACTOR_CONFUSING_PRECONDITION.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.5;
2 | contract Voting {
3 | function finalize() external {
4 | if (!isFunding) throw;
5 | if (msg.sender != ethFundDeposit) throw; // this locks finalize to the ultimate ETH owner
6 | if ((block.number <= fundingEndBlock ||//лучше разделить эти if
7 | totalSupply < tokenCreationMin) &&
8 | totalSupply < tokenCreationCap) throw;
9 | // move to operational
10 | isFunding = false;
11 | if(!ethFundDeposit.send(this.balance)) throw; // send the eth to Brave International
12 | }
13 | }
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_LOCKED_MONEY/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example the contract implements a function with @payable decorator:
3 |
4 |
5 |
6 | funders: {sender: address, value: wei_value}[int128]
7 | nextFunderIndex: int128
8 |
9 |
10 | @public
11 | @payable
12 | def participate(i: int128):
13 | nfi: int128 = self.nextFunderIndex
14 | self.funders[nfi] = {sender: msg.sender, value: msg.value}
15 | self.nextFunderIndex = nfi + 1
16 |
17 |
18 |
19 | However, it is impossible to withdraw ETH from the contract address.
20 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/app/cli/Arguments.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck.app.cli;
2 |
3 | import java.util.Arrays;
4 | import java.util.Collection;
5 | import java.util.Optional;
6 |
7 | /**
8 | *
9 | */
10 | public interface Arguments {
11 |
12 | /**
13 | * @param keys keys
14 | * @return optional
15 | */
16 | Optional value(Collection keys);
17 |
18 | /**
19 | * @param keys keys
20 | * @return optional
21 | */
22 | default Optional value(final String... keys) {
23 | return this.value(Arrays.asList(keys));
24 | }
25 | }
26 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_TRANSACTION_ORDERING_DEPENDENCE.sol:
--------------------------------------------------------------------------------
1 | contract SimpleGame {
2 | address winner;
3 | uint constant reward = 100;
4 |
5 | function play() {
6 | // win game
7 | winner = msg.sender;
8 | }
9 | function getReward() {
10 | winner.send(reward);//!!!
11 | }
12 | }
13 | contract TokenMarket {
14 | uint price = 10;
15 | address owner;
16 |
17 | function setPrice(uint newPrice) {
18 | if (msg.sender == owner)
19 | price = newPrice;
20 | }
21 |
22 | function sellToken() {
23 | msg.sender.send(price);//!!!
24 | }
25 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REVERT_REQUIRE/example.html:
--------------------------------------------------------------------------------
1 | В следующем примере в теле условного оператора if используется revert():
2 |
3 | contract Holder {
4 | uint public holdUntil;
5 | address public holder;
6 |
7 | function Holder(uint period) public payable {
8 | holdUntil = now + period;
9 | holder = msg.sender;
10 | }
11 |
12 | function withdraw (uint a, uint b) external {
13 | if (now < holdUntil){
14 | revert();
15 | }
16 | holder.transfer(this.balance);
17 | }
18 | }
19 |
20 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_UNITLESS_NUMBER/example.html:
--------------------------------------------------------------------------------
1 |
2 | В данном примере используется функция as_unitless_number(), что приводит к ошибке:
3 |
4 |
5 |
6 | units: {day: "days"}
7 |
8 | price: public(uint256(wei/day))
9 | start: public(timestamp[address])
10 |
11 | @public
12 | @payable
13 | def payment():
14 | total_price: uint256(wei)
15 | total_price = as_wei_value(as_unitless_number(self.price) *
16 | (as_unitless_number(block.timestamp) - as_unitless_number(self.start[msg.sender])), "wei")
17 | assert(msg.value >= total_price)
18 |
19 |
20 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_CROSS_FUNCTION_RACE_CONDITION.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.11;
2 |
3 | contract PullPayment {
4 | mapping (address => uint) private userBalances;
5 |
6 | function transfer(address to, uint amount) {
7 | if (userBalances[msg.sender] >= amount) {
8 | userBalances[to] += amount;
9 | userBalances[msg.sender] -= amount;
10 | }
11 | }
12 |
13 | function withdrawBalance() public {
14 | uint amountToWithdraw = userBalances[msg.sender];
15 | if (!(msg.sender.call.value(amountToWithdraw)())) { throw; } // At this point, the caller's code is executed, and can call transfer()
16 | userBalances[msg.sender] = 0;
17 | }
18 | }
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_UNITLESS_NUMBER/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, use of as_unitless_number() function leads to the mistake:
3 |
4 |
5 |
6 | units: {day: "days"}
7 |
8 | price: public(uint256(wei/day))
9 | start: public(timestamp[address])
10 |
11 | @public
12 | @payable
13 | def payment():
14 | total_price: uint256(wei)
15 | total_price = as_wei_value(as_unitless_number(self.price) *
16 | (as_unitless_number(block.timestamp) - as_unitless_number(self.start[msg.sender])), "wei")
17 | assert(msg.value >= total_price)
18 |
19 |
20 |
--------------------------------------------------------------------------------
/src/test/resources/rules/SOLIDITY_VAR.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.11;
2 |
3 | contract SolidityVarZero {
4 | function foo1() {
5 | // SOLIDITY_VAR d28aa7
6 | for (var i = 0; i < a.length; i ++) { a[i] = i; }
7 | }
8 | function foo2() {
9 | for (uint16 i = 0; i < a.length; i ++) { a[i] = i; }
10 | }
11 | function foo3() {
12 | // SOLIDITY_VAR f77619
13 | var a;
14 | // SOLIDITY_VAR d28aa7
15 | var minIdx = 0; /* inferred to uint8 */
16 | for (var i = minIdx; i < a.length; i++) { a[i] = i; }
17 |
18 | }
19 | }
20 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_UNCHECKED_MATH.sol:
--------------------------------------------------------------------------------
1 | contract MarketPlace {
2 | function transfer() {
3 | uint x = msg.value;
4 | uint a=x+1;//63d8f9
5 | uint b=2*x;//63d8f9
6 | a=x-1+8+s(0);//63d8f9
7 | a=f(v+1-9);//63d8f9
8 | a.send(f+1);//63d8f9
9 | a += 10;//63d8f9
10 | if (x.balance < 10+a && myAddress.balance >= 10) x.send(10+9);//63d8f9
11 | while (3+1Do not declare functions that change the state as view.
2 | The following statements are considered modifying the state:
3 |
4 | - Writing to state variables;
5 | - Emitting events;
6 | - Creating other contracts;
7 | - Using
selfdestruct;
8 | - Sending Ether via calls;
9 | - Calling any function not marked
view or pure;
10 | - Using low-level calls;
11 | - Using inline assembly that contains certain opcodes.
12 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_REVERT_REQUIRE/example_en.html:
--------------------------------------------------------------------------------
1 | In the following example, in the body of if conditional operator revert() function is used:
2 |
3 |
4 | contract Holder {
5 | uint public holdUntil;
6 | address public holder;
7 |
8 | function Holder(uint period) public payable {
9 | holdUntil = now + period;
10 | holder = msg.sender;
11 | }
12 |
13 | function withdraw (uint a, uint b) external {
14 | if (now < holdUntil){
15 | revert();
16 | }
17 | holder.transfer(this.balance);
18 | }
19 | }
20 |
21 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_TIMESTAMP_DEPENDENCE/example.html:
--------------------------------------------------------------------------------
1 |
2 | В данном примере логика контракта опирается на точное значение переменной block.timestamp:
3 |
4 |
5 |
6 | investor_money: puiblic(uint256[address])
7 | lucky_time: public(timestamp)
8 |
9 | @public
10 | def init(_lucky_time: timestamp):
11 | self.lucky_time = _lucky_time
12 |
13 | @payable
14 | @public
15 | def add_investor():
16 | if block.timestamp == self.lucky_time:
17 | self.investor_money[msg.sender] = 2 * msg.value
18 | else:
19 | self.investor_money[msg.sender] = msg.value / 2
20 |
21 |
22 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UINT_CANT_BE_NEGATIVE/example.html:
--------------------------------------------------------------------------------
1 |
2 | Далее приведен пример бесконечного цикла:
3 |
4 |
5 |
6 | pragma solidity 0.4.24;
7 |
8 | contract GreaterOrEqualToZero {
9 |
10 | function infiniteLoop(uint border) returns(uint ans) {
11 |
12 | for (uint i = border; i >= 0; i--) {
13 | ans += i;
14 | }
15 | }
16 | }
17 |
18 |
19 |
20 | В данном случае, условие i >= 0 будет всегда выполнено. Следующим после 0 значением переменной i будет 2**256-1. Таким образом, цикл будет бесконечным.
21 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_OVERPOWERED_ROLE/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | This contract includes several functions callable only from one address:
3 |
4 |
5 |
6 |
7 | pragma solidity 0.4.25;
8 |
9 | contract Crowdsale {
10 |
11 | address public owner;
12 |
13 | uint rate;
14 | uint cap;
15 |
16 | constructor() {
17 | owner = msg.sender;
18 | }
19 |
20 | function setRate(_rate) public onlyOwner {
21 | rate = _rate;
22 | }
23 |
24 | function setCap(_cap) public {
25 | require (msg.sender == owner);
26 | cap = _cap;
27 | }
28 | }
29 |
30 |
31 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UINT_CANT_BE_NEGATIVE/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | The following example includes an infinite loop:
3 |
4 |
5 |
6 | pragma solidity 0.4.24;
7 |
8 | contract GreaterOrEqualToZero {
9 |
10 | function infiniteLoop(uint border) returns(uint ans) {
11 |
12 | for (uint i = border; i >= 0; i--) {
13 | ans += i;
14 | }
15 | }
16 | }
17 |
18 |
19 |
20 | In this case, i >= 0 condition will always evaluate to true. The next value of i variable after 0 will be 2**256-1. Thus, the loop will be infinite.
21 |
22 |
--------------------------------------------------------------------------------
/rule_descriptions/VYPER_TIMESTAMP_DEPENDENCE/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, the contract's logic depends on the exact value of block.timestamp variable:
3 |
4 |
5 |
6 | investor_money: puiblic(uint256[address])
7 | lucky_time: public(timestamp)
8 |
9 | @public
10 | def init(_lucky_time: timestamp):
11 | self.lucky_time = _lucky_time
12 |
13 | @payable
14 | @public
15 | def add_investor():
16 | if block.timestamp == self.lucky_time:
17 | self.investor_money[msg.sender] = 2 * msg.value
18 | else:
19 | self.investor_money[msg.sender] = msg.value / 2
20 |
21 |
22 |
--------------------------------------------------------------------------------
/src/test/resources/rules/SOLIDITY_REDUNDANT_FALLBACK_REJECT.sol:
--------------------------------------------------------------------------------
1 | pragma solidity 0.4.24;
2 |
3 | contract C1 {
4 | // SOLIDITY_REDUNDANT_FALLBACK_REJECT b85a32
5 | function() payable {
6 | throw;
7 | }
8 | }
9 | contract C2 {
10 | // SOLIDITY_REDUNDANT_FALLBACK_REJECT b85a32
11 | function() {
12 | revert();
13 | }
14 | }
15 | contract C3 {
16 | function() payable {
17 | if(msg.sender == address(0)) {
18 | revert();
19 | }
20 | }
21 | }
22 | contract C4 {
23 | address a;
24 | function() payable {
25 | a = msg.sender;
26 | revert();
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TRANSFER_IN_LOOP/example.html:
--------------------------------------------------------------------------------
1 |
2 | В следующем примере происходит отправка ETH в цикле:
3 |
4 |
5 |
6 | pragma solidity 0.4.25;
7 |
8 | contract MyContract {
9 |
10 | address[] public users;
11 | uint internal id;
12 |
13 | function transferBatch(address[] users) public {
14 | uint amount = address(this).balance / users.length;
15 | for (uint i = 0; i < users.length; i++) {
16 | users[i].transfer(amount);
17 | }
18 | }
19 |
20 | function () public payable {
21 | users[id] = msg.sender;
22 | id++;
23 | }
24 | }
25 |
26 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_OVERPOWERED_ROLE/example.html:
--------------------------------------------------------------------------------
1 |
2 | В этом контракте есть несколько функций, которые могут быть вызваны только с одного адреса:
3 |
4 |
5 |
6 |
7 | pragma solidity 0.4.25;
8 |
9 | contract Crowdsale {
10 |
11 | address public owner;
12 |
13 | uint rate;
14 | uint cap;
15 |
16 | constructor() {
17 | owner = msg.sender;
18 | }
19 |
20 | function setRate(_rate) public onlyOwner {
21 | rate = _rate;
22 | }
23 |
24 | function setCap(_cap) public {
25 | require (msg.sender == owner);
26 | cap = _cap;
27 | }
28 | }
29 |
30 |
31 |
--------------------------------------------------------------------------------
/src/test/resources/rules/SOLIDITY_EXACT_TIME.sol:
--------------------------------------------------------------------------------
1 | pragma solidity 0.4.24;
2 |
3 | contract TimestampDependence {
4 |
5 | function doSomething() {
6 | uint startTime = now;
7 | // SOLIDITY_EXACT_TIME 1955d9
8 | if ( startTime + 1 days == block.timestamp) {}
9 | // SOLIDITY_EXACT_TIME 1955d9
10 | if ( startTime + 1 days != now) {}
11 | require(true == ICOisEnd(now));
12 | require(now >= startTime && now <= startTime + 1 days);
13 | require(now > startTime + 1 days);
14 | }
15 |
16 | function ICOisEnd(uint _time) returns(bool) {
17 | return _time > 1000000000;
18 | }
19 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UPGRADE_TO_050/example.html:
--------------------------------------------------------------------------------
1 |
2 | Данный контракт не будет компилироваться компилятором версии 0.5.0:
3 |
4 |
5 |
6 | contract Token {
7 | uint totalSupply;
8 |
9 | function Token() {
10 | totalSupply = +1e18;
11 | }
12 |
13 | function () payable {}
14 | }
15 |
16 |
17 |
18 |
19 | Один из вариантов обновления контракта:
20 |
21 |
22 |
23 | contract Token {
24 | uint public totalSupply;
25 |
26 | constructor() public {
27 | totalSupply = 1e18;
28 | }
29 |
30 | function () external payable {}
31 | }
32 |
33 |
34 |
--------------------------------------------------------------------------------
/src/test/resources/rules/VYPER_UNITLESS_NUMBER.vy:
--------------------------------------------------------------------------------
1 | numberas: public(uint256)
2 |
3 | @public
4 | def __init__(deadline: timestamp, goal: wei_value, timelimit: timedelta) -> uint256:
5 | # VYPER_UNITLESS_NUMBER fgg331
6 | self.numberas = as_unitless_number(goal)
7 | # VYPER_UNITLESS_NUMBER fgg331
8 | self.numberas = as_unitless_number(deadline)
9 | # VYPER_UNITLESS_NUMBER fgg331
10 | self.numberas = as_unitless_number(timelimit)
11 | # VYPER_UNITLESS_NUMBER fgg331
12 | return as_unitless_number(timelimit)
13 |
14 | @private
15 | def clock(time: timestamp) -> uint256:
16 | return as_unitless_number(time)
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_TRANSFER_IN_LOOP/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | In the following example, ETH is transferred in a loop:
3 |
4 |
5 |
6 |
7 | pragma solidity 0.4.25;
8 |
9 | contract MyContract {
10 |
11 | address[] public users;
12 | uint internal id;
13 |
14 | function transferBatch(address[] users) public {
15 | uint amount = address(this).balance / users.length;
16 | for (uint i = 0; i < users.length; i++) {
17 | users[i].transfer(amount);
18 | }
19 | }
20 |
21 | function () public payable {
22 | users[id] = msg.sender;
23 | id++;
24 | }
25 | }
26 |
27 |
28 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_UPGRADE_TO_050/example_en.html:
--------------------------------------------------------------------------------
1 |
2 | The following contract will not compile with compiler version 0.5.0:
3 |
4 |
5 |
6 | contract Token {
7 | uint totalSupply;
8 |
9 | function Token() {
10 | totalSupply = +1e18;
11 | }
12 |
13 | function () payable {}
14 | }
15 |
16 |
17 |
18 |
19 | One of the possible ways of contract update:
20 |
21 |
22 |
23 | contract Token {
24 | uint public totalSupply;
25 |
26 | constructor() public {
27 | totalSupply = 1e18;
28 | }
29 |
30 | function () external payable {}
31 | }
32 |
33 |
34 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_INDEXED/example_en.html:
--------------------------------------------------------------------------------
1 | In the following contract Transfer event's arguments are unindexed:
2 |
3 | pragma solidity ^0.5.0;
4 |
5 | contract StandardToken is ERC20 {
6 | ...
7 |
8 | event Transfer(address _from, address _to, uint256 _value);
9 |
10 | function transfer(address to, uint256 value) public returns (bool) {
11 | require(value <= balances[msg.sender]);
12 | balances[msg.sender] -= value; // we've checked for underflow
13 | balances[to] += value; // no overflow because of limited supply
14 | emit Transfer(msg.sender, to, value);
15 | return true;
16 | }
17 | }
18 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ARRAY_LENGTH_MANIPULATION/recommendation.html:
--------------------------------------------------------------------------------
1 |
2 | По возможности не работайте с длиной динамического массива напрямую.
3 |
4 |
5 | -
6 | Используйте
uint[] storage arrayName = new uint[](7) для создания динамического массива нужной длины.
7 | -
8 | Используйте
delete arrayName для очистки динамического массива.
9 | -
10 | Используйте
.push() (вместо .length++) для записи в конец массива.
11 | -
12 | Начиная с версии компилятора 0.5.0, спользуйте
.pop() (вместо .length--) для удаления последнего элемента массива.
13 |
14 |
15 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_INDEXED/example.html:
--------------------------------------------------------------------------------
1 | В следующем контракте используются неиндексированные параметры события Transfer:
2 |
3 | pragma solidity ^0.5.0;
4 |
5 | contract StandardToken is ERC20 {
6 | ...
7 |
8 | event Transfer(address _from, address _to, uint256 _value);
9 |
10 | function transfer(address to, uint256 value) public returns (bool) {
11 | require(value <= balances[msg.sender]);
12 | balances[msg.sender] -= value; // we've checked for underflow
13 | balances[to] += value; // no overflow because of limited supply
14 | emit Transfer(msg.sender, to, value);
15 | return true;
16 | }
17 | }
18 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ARRAY_LENGTH_MANIPULATION/recommendation_en.html:
--------------------------------------------------------------------------------
1 |
2 | If possible, avoid changing the length of the dynamic array directly.
3 |
4 |
5 | -
6 | Use
uint[] storage arrayName = new uint[](7) to create a dynamic array of the desired length.
7 | -
8 | Use
delete arrayName to clear a dynamic array.
9 | -
10 | Use
.push() (instead of .length++) to write to the end of the dynamic array.
11 | -
12 | Starting with version 0.5.0 of the Solidity compiler, use
.pop() (instead of .length--) to delete the last element of the dynamic array.
13 |
14 |
15 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/app/SourceLanguage.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck.app;
2 |
3 | import ru.smartdec.smartcheck.ParseTree;
4 | import ru.smartdec.smartcheck.Source;
5 |
6 | /**
7 | *
8 | */
9 | public interface SourceLanguage {
10 | /**
11 | *
12 | * @param src src
13 | * @return ParseTree
14 | */
15 | ParseTree createParseTree(Source src);
16 |
17 | /**
18 | *
19 | * @return rule names
20 | */
21 | String[] getRuleNames();
22 |
23 | /**
24 | *
25 | * @return file extension
26 | */
27 | String fileExtension();
28 |
29 | /**
30 | *
31 | * @return rules file name
32 | */
33 | String rulesFileName();
34 | }
35 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR/description.html:
--------------------------------------------------------------------------------
1 |
2 | Solidity поддерживает неявные типы: тип i в var i = 42; — это наименьший целочисленный тип, достаточный для хранения значения в правой части выражения (uint8). Рассмотрим общий шаблон для цикла:
3 |
4 |
5 |
6 | for (var i = 0; i < array.length; i++) { /* ... */ }
7 |
8 |
9 |
10 | Тип i приводится к uint8. Если array.length больше 255, произойдет переполнение. Явно определяйте тип при объявлении целочисленных переменных:
11 |
12 |
13 |
14 | for (uint256 i = 0; i < array.length; i++) { /* ... */ }
15 |
16 |
17 |
--------------------------------------------------------------------------------
/src/test/resources/rules/SOLIDITY_USING_INLINE_ASSEMBLY.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.18;
2 | library GetCode {
3 | function at( address _addr) returns (bytes o_code) {
4 | // SOLIDITY_USING_INLINE_ASSEMBLY 109cd5
5 | assembly {
6 | let size := extcodesize(_addr)
7 | o_code := mload(0x40)
8 | mstore(0x40, add(o_code, and(add(add(size, 0x20), 0x1f), not(0x1f))))
9 | mstore(o_code, size)
10 | extcodecopy(_addr, add(o_code, 0x20), 0, size)
11 | }
12 | }
13 | function isContract(address addr) private returns (bool) {
14 | uint _size;
15 | assembly { _size := extcodesize(addr) }
16 | return _size > 0;
17 | }
18 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Solidity supports type inference: the type of i in var i = 42; is the smallest integer type sufficient to store the right-hand side value (uint8). Consider a common for-loop pattern:
3 |
4 |
5 |
6 | for (var i = 0; i < array.length; i++) { /* ... */ }
7 |
8 |
9 |
10 | The type of i is inferred to uint8. If array.length is bigger than 255, an
11 | overflow will occur. Explicitly define the type when declaring integer variables:
12 |
13 |
14 |
15 | for (uint256 i = 0; i < array.length; i++) { /* ... */ }
16 |
17 |
18 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_SHOULD_NOT_BE_VIEW/recommendation.html:
--------------------------------------------------------------------------------
1 | Не обозначайте функции, которые изменяют состояние, как view.
2 | Изменением состояния считается следующее:
3 |
4 | - Запись в переменные состояния;
5 | - Использование событий (
event);
6 | - Создание других контрактов;
7 | - Использование
selfdestruct;
8 | - Отправка эфира через вызовы;
9 | - Вызов любых функций, которые не являются
view или pure;
10 | - Использование низко-уровневых вызовов;
11 | - Иcпользование встроенных блоков
assembler, содержащих код определенных операций.
12 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR_IN_LOOP_FOR/description.html:
--------------------------------------------------------------------------------
1 |
2 | Solidity поддерживает неявные типы: тип i в var i = 42; — это наименьший целочисленный тип, достаточный для хранения значения в правой части выражения (uint8). Рассмотрим общий шаблон для цикла:
3 |
4 |
5 |
6 | for (var i = 0; i < array.length; i++) { /* ... */ }
7 |
8 |
9 |
10 | Тип i приводится к uint8. Если array.length больше 255, произойдет переполнение. Явно определяйте тип при объявлении целочисленных переменных:
11 |
12 |
13 |
14 | for (uint256 i = 0; i < array.length; i++) { /* ... */ }
15 |
16 |
17 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/app/ReportDefault.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck.app;
2 |
3 | /**
4 | *
5 | */
6 | public final class ReportDefault implements Report {
7 |
8 | /**
9 | *
10 | */
11 | private final DirectoryAnalysis analysis;
12 | /**
13 | *
14 | */
15 | private final Media media;
16 |
17 | /**
18 | * @param da directory analysis
19 | * @param md media
20 | */
21 | public ReportDefault(final DirectoryAnalysis da, final Media md) {
22 | this.analysis = da;
23 | this.media = md;
24 | }
25 |
26 | @Override
27 | public void print() throws Exception {
28 | this.analysis.stream().forEach(this.media::accept);
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_VAR_IN_LOOP_FOR/description_en.html:
--------------------------------------------------------------------------------
1 |
2 | Solidity supports type inference: the type of i in var i = 42; is the smallest integer type sufficient to store the right-hand side value (uint8). Consider a common for-loop pattern:
3 |
4 |
5 |
6 | for (var i = 0; i < array.length; i++) { /* ... */ }
7 |
8 |
9 |
10 | The type of i is inferred to uint8. If array.length is bigger than 255, an
11 | overflow will occur. Explicitly define the type when declaring integer variables:
12 |
13 |
14 |
15 | for (uint256 i = 0; i < array.length; i++) { /* ... */ }
16 |
17 |
18 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/app/DirectoryAnalysis.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck.app;
2 |
3 | import ru.smartdec.smartcheck.TreeAnalysis;
4 |
5 | import java.nio.file.Path;
6 | import java.util.stream.Stream;
7 |
8 | /**
9 | *
10 | */
11 | public interface DirectoryAnalysis {
12 |
13 | /**
14 | * @return info
15 | * @throws Exception exception
16 | */
17 | Stream stream() throws Exception;
18 |
19 | /**
20 | *
21 | */
22 | interface Info {
23 |
24 | /**
25 | * @return file
26 | */
27 | Path file();
28 |
29 | /**
30 | * @return tree report
31 | */
32 | TreeAnalysis treeReport();
33 | }
34 | }
35 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_FUNCTIONS_ALWAYS_RETURN_FALSE/example.html:
--------------------------------------------------------------------------------
1 | В следующем примере приведена функция transferFrom, которая не возвращает true:
2 |
3 |
4 | pragma Solidity 0.4.24;
5 |
6 | contract StandardToken is ERC20, BasicToken {
7 |
8 | function transferFrom(address _from, address _to, uint _value) returns (bool) {
9 | uint _allowance = allowed[_from][msg.sender];
10 | require(_allowance >= _value);
11 | balances[_to] = balances[_to].add(_value);
12 | balances[_from] = balances[_from].sub(_value);
13 | allowed[_from][msg.sender] = _allowance.sub(_value);
14 | emit Transfer(_from, _to, _value);
15 | }
16 | }
17 |
18 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_FUNCTIONS_ALWAYS_RETURN_FALSE/example_en.html:
--------------------------------------------------------------------------------
1 | The following example shows the function transferFrom, which does not return false:
2 |
3 |
4 | pragma Solidity 0.4.24;
5 |
6 | contract StandardToken is ERC20, BasicToken {
7 |
8 | function transferFrom(address _from, address _to, uint _value) returns (bool) {
9 | uint _allowance = allowed[_from][msg.sender];
10 | require(_allowance >= _value);
11 | balances[_to] = balances[_to].add(_value);
12 | balances[_from] = balances[_from].sub(_value);
13 | allowed[_from][msg.sender] = _allowance.sub(_value);
14 | emit Transfer(_from, _to, _value);
15 | }
16 | }
17 |
18 |
19 |
--------------------------------------------------------------------------------
/src/main/java/ru/smartdec/smartcheck/SearchableTreeDefault.java:
--------------------------------------------------------------------------------
1 | package ru.smartdec.smartcheck;
2 |
3 | import org.antlr.v4.runtime.tree.Tree;
4 |
5 | import java.util.stream.Stream;
6 |
7 | /**
8 | *
9 | */
10 | public final class SearchableTreeDefault implements SearchableTree {
11 |
12 | /**
13 | *
14 | */
15 | private final DocumentTree tree;
16 |
17 | /**
18 | * @param dt tree
19 | */
20 | public SearchableTreeDefault(final DocumentTree dt) {
21 | this.tree = dt;
22 | }
23 |
24 | @Override
25 | public Stream nodes(final Query query) throws Exception {
26 | final DocumentTree.Info info = this.tree.info();
27 | return query.nodes(info.node()).map(info.ruleNodes()::get);
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_PITFALLS_IN_RACE_CONDITION.sol:
--------------------------------------------------------------------------------
1 | contract NEW{
2 | mapping (address => uint) private userBalances;
3 | mapping (address => bool) private claimedBonus;
4 | mapping (address => uint) private rewardsForA;
5 |
6 | function withdraw(address recipient) public {
7 | uint amountToWithdraw = userBalances[recipient];
8 | rewardsForA[recipient] = 0;
9 | if (!(recipient.call.value(amountToWithdraw)())) { throw; }
10 | }
11 |
12 | function getFirstWithdrawalBonus(address recipient) public {
13 | if (claimedBonus[recipient]) { throw; } // Each recipient should only be able to claim the bonus once
14 |
15 | rewardsForA[recipient] += 100;
16 | withdraw(recipient); // At this point, the caller will be able to execute getFirstWithdrawalBonus again.
17 | claimedBonus[recipient] = true;
18 | }
19 | }
--------------------------------------------------------------------------------
/src/test/resources/rules/SOLIDITY_DOS_WITH_THROW.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.5;
2 | contract Auction {
3 | /* address addr;
4 | function bid() payable {
5 | // <_yes> SOLIDITY_DOS_WITH_THROW 637fdc
6 | if (currentLeader.send(highestBid)) { throw; }
7 | // <_yes> SOLIDITY_DOS_WITH_THROW 637fdc
8 | if (!currentLeader.send(highestBid)) { revert; }
9 |
10 | // <_yes> SOLIDITY_DOS_WITH_THROW efb788
11 | for(uint x; x < refundAddresses[x].transfer(1 wei); x++) {
12 | addr.transfer(1 wei);
13 | }
14 |
15 | // <_yes> SOLIDITY_DOS_WITH_THROW 04242c
16 | while ( x > refundAddresses[x].transfer(1 wei)) {
17 | refundAddresses[x].transfer(1 wei);
18 | }
19 | } */
20 | }
21 |
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_DEPRECATED_CONSTRUCTIONS/links_en.html:
--------------------------------------------------------------------------------
1 |
2 | - EIPs: Rename sha3
3 | - EIPs: Renaming SUICIDE opcode
4 | - Solidity: Error handling
5 | - Constant State Variables in Solidity
6 | - View functions in Solidity
7 | - View and constant functions in Solidity
8 |
--------------------------------------------------------------------------------
/src/test/resources/rules/SOLIDITY_DO_WHILE_CONTINUE.sol:
--------------------------------------------------------------------------------
1 | pragma solidity ^0.4.24;
2 |
3 | contract DoWhileFalse {
4 |
5 | function doWhile() {
6 | // SOLIDITY_DO_WHILE_CONTINUE 94fra3
7 | do {
8 | continue;
9 | } while(false);
10 | }
11 |
12 | function doWhile_2() {
13 | do {
14 | while(false) {
15 | continue;
16 | }
17 | } while(false);
18 |
19 | do {
20 | for(uint i;i<10;i++) {
21 | continue;
22 | }
23 | } while(false);
24 | // SOLIDITY_DO_WHILE_CONTINUE 94fra3
25 | do {
26 | for(uint j;j<10;j++) {
27 | continue;
28 | }
29 | continue;
30 | } while(false);
31 | }
32 | }
--------------------------------------------------------------------------------
/src/test/resources/rules/VYPER_LOCKED_MONEY.vy:
--------------------------------------------------------------------------------
1 | funders: {sender: address, value: wei_value}[int128]
2 | nextFunderIndex: public(int128)
3 |
4 |
5 | @public
6 | # VYPER_LOCKED_MONEY 30281d
7 | @payable
8 | def participate(i: int128):
9 | nfi: int128 = self.nextFunderIndex
10 | self.funders[nfi] = {sender: msg.sender, value: msg.value}
11 | self.nextFunderIndex = nfi + 1
12 |
13 |
14 | @public
15 | def final(i : int128):
16 | data: bytes[32]
17 | #raw_call(self.funders[i].sender, data, outsize = 32, value = self.funders[i].value, gas = 100000)
18 | pass
19 |
20 |
21 | @public
22 | def finalize(i : int128):
23 | #selfdestruct(self.funders[i].sender)
24 | pass
25 |
26 |
27 | @public
28 | def refund(i: int128):
29 | #send(self.funders[i].sender, self.funders[i].value)
30 | pass
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_GAS_LIMIT_IN_LOOPS/description.html:
--------------------------------------------------------------------------------
1 |
2 | Ethereum - среда с ограниченными ресурсами. Цены на расчетный шаг на порядок выше, чем у централизованных поставщиков. Более того, майнеры Ethereum налагают ограничение на общее количество газа, потребляемого в блоке. Если значение array.length достаточно велико, функция превышает предел блока газа, и транзакции, вызывающие его, никогда не будут подтверждены:
3 |
4 |
5 | for (uint256 i = 0; i < array.length ; i++) {
6 | cosltyFunc();
7 | }
8 |
9 |
10 | Это становится проблемой безопасности, если внешний субъект влияет на array.length. Например, если в массиве перечислены все зарегистрированные адреса, злоумышленник может зарегистрировать много адресов, вызывая проблему, описанную выше.
11 |
12 |
--------------------------------------------------------------------------------
/tests_not_used_now/SOLIDITY_IMMUTABILITY.sol:
--------------------------------------------------------------------------------
1 | //BAD
2 | contract Relay {
3 | address public currentVersion;
4 | address public owner;
5 | }
6 | //GOOD
7 | contract SomeRegister {
8 | address backendContract;
9 | address[] previousBackends;
10 | address owner;
11 |
12 | function SomeRegister() {
13 | owner = msg.sender;
14 | }
15 |
16 | modifier onlyOwner() {
17 | if (msg.sender != owner) {
18 | throw;
19 | }
20 | _;
21 | }
22 |
23 | function changeBackend(address newBackend) public
24 | onlyOwner()
25 | returns (bool)
26 | {
27 | if(newBackend != backendContract) {
28 | previousBackends.push(backendContract);
29 | backendContract = newBackend;
30 | return true;
31 | }
32 |
33 | return false;
34 | }
35 | }
--------------------------------------------------------------------------------
/rule_descriptions/SOLIDITY_ERC20_TRANSFER_SHOULD_THROW/example_en.html:
--------------------------------------------------------------------------------
1 | The following example shows the transfer function, which does not throw as recommended by ERC-20 Standard:
2 |
3 | pragma Solidity 0.4.24;
4 |
5 | contract SomeToken {
6 | mapping(address => uint256) balances;
7 | event Transfer(address indexed _from, address indexed _to, uint256 _value);
8 |
9 | function transfer(address _to, uint _value) public returns (bool) {
10 | if (_value > balances[msg.sender] || _value > balances[_to] + _value) {
11 | return false;
12 | }
13 | balances[msg.sender] = balances[msg.sender] - _value;
14 | balances[_to] = balances[_to] + _value;
15 | emit Transfer(msg.sender, _to, _value);
16 | return true;
17 | }
18 | }
19 |
20 |
21 |
--------------------------------------------------------------------------------