Consensys / truffle-security

MythX smart contract security verification plugin for Truffle Framework
https://mythx.io

False positive SWC-128 #229

Open elenadimitrova opened 5 years ago

elenadimitrova commented 5 years ago

All instances of the SWC-128 warnings we see in the Colony Network are incorrect. Sample can be found in this nightly build https://circleci.com/gh/JoinColony/colonyNetwork/9202

Failing file: /home/circleci/colonyNetwork/contracts/CommonAuthority.sol
{ fatal: false,
  ruleId: 'SWC-128',
  message:
   'Potential denial-of-service if block gas limit is reached. A storage modification is executed in a loop. Be aware that the transaction may fail to execute if the loop is unbounded and the necessary gas exceeds the block gas limit.',
  severity: 1,
  mythXseverity: 'Low',
  line: 30,
  column: 4,
  endLine: 30,
  endCol: 89 }

Failing file: /home/circleci/colonyNetwork/contracts/Resolver.sol
{ fatal: false,
  ruleId: 'SWC-128',
  message:
   'Potential denial-of-service if block gas limit is reached. A storage modification is executed in a loop. Be aware that the transaction may fail to execute if the loop is unbounded and the necessary gas exceeds the block gas limit.',
  severity: 1,
  mythXseverity: 'Low',
  line: 2,
  column: 33,
  endLine: 5,
  endCol: 65 }

These lines have nothing I can see that could be interpreted as providing a potential DoS attack. It could have something to do with a mapping being updated and that update being read as an array update instead, but that is just a remote guess as to what might be the trigger.

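For readers triaging SWC-128 findings like the ones above, the following is an added example that contrasts the pattern the rule is meant to catch (a storage write inside a loop whose bound grows with user-controlled state) with a fixed-bound loop that has the same shape but a predictable gas cost. It is not code from the Colony Network or from truffle-security; the contract, function and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of the SWC-128 pattern; not the Colony Network code
// that triggered the report above.
contract PayoutQueue {
    address payable[] public recipients;      // grows without bound
    mapping(address => uint256) public owed;

    function enqueue(address payable who) external payable {
        recipients.push(who);
        owed[who] += msg.value;
    }

    // Genuine SWC-128 case: the loop bound is the length of an array that
    // anyone can extend, and every iteration performs a storage write.
    // Once `recipients` is large enough, no single transaction can finish
    // within the block gas limit and payouts are stuck for everyone.
    function payAll() external {
        for (uint256 i = 0; i < recipients.length; i++) {
            address payable r = recipients[i];
            uint256 amount = owed[r];
            owed[r] = 0;                      // SSTORE inside an unbounded loop
            (bool ok, ) = r.call{value: amount}("");
            require(ok, "transfer failed");
        }
    }

    // Pull pattern: each recipient pays for their own withdrawal, so the
    // gas spent no longer scales with the number of recipients.
    function withdraw() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Same syntactic shape (storage write in a loop), but the bound is a
    // compile-time constant, so gas use does not depend on contract state.
    // A checker that keys only on "storage write inside a loop" may still
    // flag this, which is the kind of finding worth challenging as a
    // false positive.
    uint8 constant ROLES = 4;
    mapping(uint8 => mapping(address => bool)) public roles;

    function grantAllRoles(address who) external {
        for (uint8 r = 0; r < ROLES; r++) {
            roles[r][who] = true;
        }
    }
}
```

When reviewing a flagged line, the question to ask is what bounds the loop: a constant or a caller-supplied array of limited size is bounded, while a storage array or counter that other users can grow is not. The `payAll` loop above is the case the rule describes; `grantAllRoles` only looks like it.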
muellerberndt commented 5 years ago

Thanks @elenadimitrova. We'll look into it!