Skip to content
This repository has been archived by the owner on Feb 24, 2023. It is now read-only.

Added Suicidal Contract #12

Closed
wants to merge 1 commit into from
Closed

Conversation

ksloven
Copy link

@ksloven ksloven commented May 8, 2018

A smart contract can have a 'self-destruct' or 'kill' option which can be called by the owner in the case of theft of ether or smart contract malfunction.
But if the contract can be killed by any account/user, it is considered 'suicidal'

1 function initMultiowned ( address [] _owners ,
2 uint _required ) {
3 if ( m_numOwners > 0) throw ;
4 m_numOwners = _owners . length + 1;
5 m_owners [1] = uint ( msg . sender ) ;
6 m_ownerIndex [ uint ( msg . sender )] = 1;
7 m_required = _required ;
8 /* ... /
9 }
10
11 function kill ( address _to ) {
12 uint ownerIndex = m_ownerIndex [ uint ( msg. sender ) ];
13 if ( ownerIndex == 0) return ;
14 var pending = m_pending [ sha3 ( msg . data ) ];
15 if ( pending . yetNeeded == 0) {
16 pending . yetNeeded = m_required ;
17 pending . ownersDone = 0;
18 }
19 uint ownerIndexBit = 2
* ownerIndex ;
20 if ( pending . ownersDone & ownerIndexBit == 0) {
21 if ( pending . yetNeeded <= 1)
22 suicide (_to) ;
23 else {
24 pending . yetNeeded - -;
25 pending . ownersDone |= ownerIndexBit ;
26 }
27 }
28 }
}

Attack :
user calls initMultiowned with empty array for _'owners', and zero for '_required'. Then user invokes 'kill' function which needs '_required' number of owners (line 16) before the suicide function is called (line 22). Since the initial initMultiowned call was set to zero, the suicide function executes

Known exploit:
Parity (openethereum/parity-ethereum#6995)

A smart contract can have a 'self-destruct' or 'kill' option which can be called by the owner in the case of theft of ether or smart contract malfunction.
But if the contract can be killed by any account/user, it is considered 'suicidal'
@ksloven ksloven changed the title Add Suicidal Contract Added Suicidal Contract May 8, 2018
@NoahMarconi
Copy link

Did you mean to commit only a file with no lines of code in it?

@ksloven
Copy link
Author

ksloven commented May 23, 2018

Hi @NoahMarconi oops, sorry, first time using this feature of github. I see I actually put the code in my comment above

@montyly
Copy link
Member

montyly commented Jun 7, 2018

@ksloven Thank you for your contribution. Note that the PR is still missing the Solidity file.

I am not sure we want a separate type of vulnerability for the suicidal contract, as I think that it is a sub-class of the Unprotected function vulnerability: https://github.com/trailofbits/not-so-smart-contracts/tree/master/unprotected_function

@CLAassistant
Copy link

CLAassistant commented Jul 30, 2019

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@bohendo bohendo closed this Sep 8, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants