status-im / ens-usernames

DApp to register usernames for Status Network
MIT License

[PublicResolver.interfaceImplementer(bytes32,bytes4)](https://github.com/status-im/ens-usernames/blob/embark-4-0-2/.embark/contracts/ens/PublicResolver.sol#L223-L247) uses a low level to a input-controlled function id #113

Closed ghost closed 4 years ago

ghost commented 4 years ago

`PublicResolver.interfaceImplementer(bytes32,bytes4)` uses a low level to a input-controlled function id: `(success,returnData) = a.staticcall(abi.encodeWithSignature(supportsInterface(bytes4),interfaceID))`

Avoid low-level call. Consider using a whitelist of function ids to call.

rajeevgopalakrishna commented 4 years ago

Crytic reports this as a medium level severity because `staticcall` is invoked on `a`, which is derived from user-provided `node` in `address a = addr(node);`, with user-supplied `interfaceID`.

I don't see how we can implement the suggested workaround - "Avoid low-level call. Consider using a whitelist of function ids to call" - but tagging it nevertheless in case others have ideas. @3esmit @0kok0

(Also, Crytic's default issue title is messy trying to put a link in it. Will report it to ToB Crytic team.)

rajeevgopalakrishna commented 4 years ago

Also, I see that the above code-links 404 because Crytic uses `.embark` in the URL. Will report that as well.

3esmit commented 4 years ago

PublicResolver code does not apply to this project.
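
One way the allowlist suggested in the report could look, as an added example that is not part of the original thread and not code from ens-usernames or ENS. It assumes Solidity 0.8.4 or later; `InterfaceProbe`, `allowed`, `setAllowed` and `implementsInterface` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration; all contract and function names here are hypothetical.
interface IERC165 {
    function supportsInterface(bytes4 interfaceID) external view returns (bool);
}

contract InterfaceProbe {
    address public immutable owner;
    // Allowlist of interface ids this contract is willing to query for.
    mapping(bytes4 => bool) public allowed;

    error InterfaceNotAllowed(bytes4 interfaceID);

    constructor(bytes4[] memory ids) {
        owner = msg.sender;
        for (uint256 i = 0; i < ids.length; i++) {
            allowed[ids[i]] = true;
        }
    }

    function setAllowed(bytes4 interfaceID, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowed[interfaceID] = ok;
    }

    // Returns true only if `target` is a contract that answers true
    // for an allowlisted interface id.
    function implementsInterface(address target, bytes4 interfaceID) external view returns (bool) {
        if (!allowed[interfaceID]) revert InterfaceNotAllowed(interfaceID);
        // A typed call to an address without code reverts outside try/catch.
        if (target.code.length == 0) return false;
        // Typed view call: the compiler emits STATICCALL with the fixed
        // supportsInterface(bytes4) selector; only the argument varies.
        // The gas cap bounds what an untrusted target can consume.
        try IERC165(target).supportsInterface{gas: 30000}(interfaceID) returns (bool ok) {
            return ok;
        } catch {
            return false;
        }
    }
}
```

A target that returns malformed data still makes the whole call revert, because ABI decoding failures in the caller are not caught by `try`/`catch`.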