Closed ghost closed 4 years ago
Crytic reports this as a medium level severity because `staticcall` is invoked on `a`, which is derived from user-provided `node` in `address a = addr(node);`, with user-supplied `interfaceID`.
I don't see how we can implement the suggested workaround - "Avoid low-level call. Consider using a whitelist of function ids to call" - but tagging it nevertheless in case others have ideas. @3esmit @0kok0
(Also, Crytic's default issue title is messy trying to put a link in it. Will report it to ToB Crytic team.)
Also, I see that the above code-links 404 because Crytic uses `.embark` in the url. Will report that as well.
PublicResolver code does not apply to this project.
PublicResolver.interfaceImplementer(bytes32,bytes4) uses a low level to a input-controlled function id (success,returnData) = a.staticcall(abi.encodeWithSignature(supportsInterface(bytes4),interfaceID))
Avoid low-level call. Consider using a whitelist of function ids to call.
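
An added example, not code from this project or from the PublicResolver: one way to apply the "whitelist of function ids" recommendation is to accept only owner-approved interface ids before the `staticcall` and to cap the gas it forwards. The contract, mapping and function names are hypothetical, and the 30,000 gas cap is the limit EIP-165 sets for `supportsInterface`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; contract, mapping and function names are hypothetical.
contract AllowlistedInterfaceProbe {
    address public immutable owner;
    // Interface ids the owner has approved for probing (the allowlist).
    mapping(bytes4 => bool) public allowedInterface;
    // Gas forwarded to each probe; EIP-165 requires supportsInterface
    // to use less than 30,000 gas.
    uint256 private constant PROBE_GAS = 30000;

    constructor() {
        owner = msg.sender;
    }

    function setAllowed(bytes4 interfaceID, bool allowed) external {
        require(msg.sender == owner, "not owner");
        // 0xffffffff is the id EIP-165 reserves as "never supported".
        require(interfaceID != 0xffffffff, "invalid id");
        allowedInterface[interfaceID] = allowed;
    }

    // Returns `target` if it reports support for an allowlisted interface,
    // otherwise address(0).
    function probe(address target, bytes4 interfaceID) external view returns (address) {
        if (target == address(0) || !allowedInterface[interfaceID]) {
            return address(0);
        }
        // The selector is a compile-time constant; only the argument varies,
        // and it has already passed the allowlist check above.
        bytes memory data = abi.encodeWithSelector(
            bytes4(keccak256("supportsInterface(bytes4)")),
            interfaceID
        );
        (bool success, bytes memory returnData) = target.staticcall{gas: PROBE_GAS}(data);
        // A revert, a short answer or a zero answer all mean "not supported".
        if (!success || returnData.length < 32 || returnData[31] == 0) {
            return address(0);
        }
        return target;
    }
}
```

The target address is still chosen by the caller here; the allowlist only bounds which interface ids can be sent to it, and `staticcall` keeps the callee from modifying state.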