Closed Rapso closed 7 years ago
Hello, @Rapso! Thanks for opening an issue! We will check this information soon and apply fixes if needed. To participate in our Bounty program, please post a comment with your Ethereum address. After we review the problem, we will decide the amount of JCR you'll receive for this issue and comment it here.
Hi @hlogeon here is my eth address - 0xE14f7A9AF3F75a4Ccd33909B0046b16d82c6EC0e
Hello again, @Rapso!
After a little research and evaluating all the pros and cons of fixing the attack directly in the token contract, our team has decided to decline your proposal. The main reason is that we think that the token itself is the wrong layer for such checks. This issue doesn't affect the token itself.
However, we understand that it may cause problems for the contracts which are using the token. So it means that we will need to pay additional attention to the contracts which are using the token's transfer method.
Danger: LOW Priority: LOW Importance: MEDIUM
I'd like to mention that @OpenZeppelin removed the check you proposed, and their expertise and argumentation look really strong. You can find more details here: https://github.com/OpenZeppelin/zeppelin-solidity/issues/261
We are happy to offer 250 JCR tokens for opening this issue ;)
Looks like your token is vulnerable to the short address attack. You can read more about it here: http://vessenes.com/the-erc20-short-address-attack-explained/. You can use an additional modifier for the token transfer functions:

```solidity
modifier onlyPayloadSize(uint size) {
    if (msg.data.length < size + 4) {
        throw;
    }
    _;
}
```
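
The thread places this check in the layer that calls the token's transfer method rather than in the token. The following is an added example, not part of the original thread or the project's code, of how an off-chain caller can validate the recipient address and calldata length before building a `transfer(address,uint256)` call. `check_withdrawal` is a hypothetical name and the addresses are constructed sample values.

```python
# Added example: off-chain validation for ERC-20 transfer(address,uint256) calls.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)
WORD = 32                                      # each ABI argument fills one 32-byte word
EXPECTED_LEN = 4 + 2 * WORD                    # selector + address word + amount word = 68


def parse_address(text: str) -> bytes:
    """Return the 20 raw bytes of a hex address; reject anything shorter or longer."""
    hexpart = text[2:] if text[:2].lower() == "0x" else text
    if len(hexpart) != 40:
        raise ValueError(f"address must be 40 hex chars, got {len(hexpart)}")
    raw = bytes.fromhex(hexpart)  # raises ValueError on non-hex input
    if len(raw) != 20:
        raise ValueError("address must decode to exactly 20 bytes")
    return raw


def encode_transfer(to: str, amount: int) -> bytes:
    """ABI-encode transfer(to, amount), refusing malformed arguments."""
    if not 0 <= amount < 2 ** 256:
        raise ValueError("amount out of uint256 range")
    addr_word = parse_address(to).rjust(WORD, b"\x00")
    return TRANSFER_SELECTOR + addr_word + amount.to_bytes(WORD, "big")


def payload_size_ok(calldata: bytes, args_size: int = 2 * WORD) -> bool:
    """Same condition as onlyPayloadSize(size): length must be >= size + 4."""
    return len(calldata) >= args_size + 4


def check_withdrawal(to: str, amount: int) -> bool:
    """Hypothetical gate a service runs before signing a transfer."""
    try:
        return len(encode_transfer(to, amount)) == EXPECTED_LEN
    except ValueError:
        return False


if __name__ == "__main__":
    good = "0x" + "11" * 20    # constructed 20-byte address
    short = "0x" + "11" * 19   # constructed address missing one byte
    data = encode_transfer(good, 1000)
    print(len(data), payload_size_ok(data))  # well-formed calldata passes
    print(payload_size_ok(data[:-1]))        # calldata one byte short fails
    print(check_withdrawal(short, 1000))     # short address rejected before encoding
```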