Decurity / semgrep-smart-contracts

Semgrep rules for smart contracts based on DeFi exploits

Additional references for potential inclusion #1

Open sambacha opened 2 years ago

sambacha commented 2 years ago

Here is a catalog of contracts and their exploits with corresponding SWC entries: https://github.com/manifoldfinance/defi-threat/tree/2020/10/catalog

Please let me know how to best contribute and also how to best cite your work.

cheers

Raz0r commented 2 years ago

Woah, that's a lot of contracts! I have looked through some of the JSONs randomly; many of them are Integer Overflow or Wraparound, which is less interesting since the initial goal is to detect some unique bugs & distinct vulnerability classes rather than to document each vulnerable contract that ever existed. However, there are some gems in here, e.g. PRNG and weak access control issues; I would definitely write some rules for those. I like that you have classifications & severity. I thought about that initially, but SWC lacks some essential classes (or I couldn't map the bugs properly), e.g. oracle manipulation or abi.decode() injection. If you would like to contribute some of those entries that you think might be greppable in the wild, I would be very grateful.
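To illustrate what a "greppable" rule for one of the classes mentioned above (weak PRNG, SWC-120) could look like, here is an added Semgrep rule written for this thread; it is not a rule from the semgrep-smart-contracts repository, and the rule id, message and metadata values are assumptions. It flags hashes built from chain attributes such as `block.timestamp` or `blockhash()`, the usual source of on-chain "randomness" that miners/validators can influence.

```yaml
# Added example rule (not from the Decurity repo): flag randomness derived
# from chain attributes. Run with: semgrep --config weak-prng.yaml contracts/
rules:
  - id: weak-prng-from-chain-attributes   # assumed id
    languages: [solidity]
    severity: WARNING
    message: >-
      Randomness is derived from block attributes ($ATTR), which block
      producers can influence or anyone can read ahead of time. Use a
      commit-reveal scheme or a verifiable randomness oracle instead.
    metadata:
      category: security
      cwe: "CWE-330: Use of Insufficiently Random Values"
      swc: "SWC-120"
      references:
        - https://swcregistry.io/docs/SWC-120
    patterns:
      # Any hash whose input includes a chain attribute, at any argument position.
      - pattern-either:
          - pattern: keccak256(abi.encodePacked(..., $ATTR, ...))
          - pattern: keccak256(abi.encode(..., $ATTR, ...))
          - pattern: uint256($ATTR)
          - pattern: uint($ATTR)
      - metavariable-pattern:
          metavariable: $ATTR
          pattern-either:
            - pattern: block.timestamp
            - pattern: block.difficulty
            - pattern: block.prevrandao
            - pattern: block.coinbase
            - pattern: blockhash(...)
            - pattern: now   # pre-0.7 alias of block.timestamp
```

Against a contract containing `uint256 r = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100;` the rule reports the `keccak256(...)` call; legitimate timestamp uses (deadlines, vesting) that are never hashed or cast to an integer are not matched, which keeps the rule precise enough to run over a whole catalog.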