eth-sri / ilf

AI based fuzzer based on imitation learning
Apache License 2.0
149 stars 32 forks

False positive on detecting leaking contracts? #6

Closed sunbeomso closed 4 years ago

sunbeomso commented 4 years ago

Hi, I have tested the following code using ILF.

As you can see, this Test contract does not have payable functions. Thus, the statement to.transfer(amount) cannot send a positive amount of value (>0) to `to` (except for an edge case where another contract that has some Ether is killed and sends money to Test via the selfdestruct instruction).

However, ILF says that this contract has a leaking vulnerability. Could you explain why ILF flags this contract as a vulnerable one?

```solidity
pragma solidity ^0.4.24; // `address.transfer` on a plain `address` compiles on 0.4.x

contract Test {
  // No payable function anywhere in the contract, yet anyone can call this
  // and forward whatever balance the contract holds to an arbitrary address.
  function test(address to, uint value) public {
    to.transfer(value);
  }
}
```
LostBenjamin commented 4 years ago

Hi,

This is not a false positive because, as you point out, the Test contract can receive ether via selfdestruct.

During fuzzing, we sometimes set a contract's balance to a positive value and check if it can leak ether. The consideration here is that a contract can always receive ether via payable functions (if any) or selfdestruct.

If you don't want to set the balance of a contract without payable functions to positive, simply comment out these lines.

Best, Jingxuan
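The reasoning above, as an added example that is not part of the ILF project or this thread: the issue's Test contract (renamed LeakyVault here), the selfdestruct path that lets ether reach it without any payable function, and a hardened variant that only pays out funds it has accounted for. Contract and function names are constructed for illustration; Solidity ^0.8.0 is assumed, where selfdestruct still transfers the balance of the dying contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Same shape as the Test contract in the issue: no payable function,
// yet anyone can forward the whole balance to an arbitrary address.
contract LeakyVault {
    function test(address payable to, uint256 value) public {
        to.transfer(value);
    }
}

// Why "no payable function" does not imply a zero balance: selfdestruct
// credits `target` without running any of its code, so the fuzzer's
// assumption (balance may be positive) holds for every contract.
contract ForceFunder {
    constructor() payable {}

    function force(address payable target) external {
        selfdestruct(target);
    }
}

// Hardened variant: restrict who may send funds out, and pay only against
// an internal ledger rather than address(this).balance, so ether forced in
// via selfdestruct is not withdrawable through this path.
contract GuardedVault {
    address public immutable owner;
    uint256 public credited; // ether that arrived through the intended path

    constructor() {
        owner = msg.sender;
    }

    receive() external payable {
        credited += msg.value;
    }

    function withdraw(address payable to, uint256 value) external {
        require(msg.sender == owner, "not owner");
        require(value <= credited, "exceeds credited funds");
        credited -= value;
        (bool ok, ) = to.call{value: value}("");
        require(ok, "transfer failed");
    }
}
```

A fuzzer that seeds LeakyVault with a balance and then calls test from an arbitrary sender observes ether leaving; the same run against GuardedVault fails the owner and ledger checks.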

sunbeomso commented 4 years ago

Thanks for the answer and for pointing out the relevant code snippet.