From 7fcb24f95e028cbf9249c558a70cdad251e4a850 Mon Sep 17 00:00:00 2001 From: chaals Date: Mon, 21 Aug 2023 14:09:25 +0200 Subject: [PATCH] Update SWC-136 (comment samples, note no maintenance) --- entries/docs/SWC-136.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/entries/docs/SWC-136.md b/entries/docs/SWC-136.md index 81c7e53a..d439db36 100644 --- a/entries/docs/SWC-136.md +++ b/entries/docs/SWC-136.md @@ -1,3 +1,15 @@ +# Please note, this content is no longer actively maintained. + +The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions. + +For currently maintained guidance on known Smart Contract vulnerabilities written primarily as guidance for security reviewers, please see the +[EEA EthTrust Security Levels specification](https://entethalliance.org/specs/ethtrust-sl). As well as the latest release version, an +[Editor's draft](https://entethalliance.github.io/eta-registry/security-levels-spec.html) is available, +that represents the latest work of the group developing the specification. + +General guidance for developers on what to consider to ensure security, that is currently maintained, is also available through the +[Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS). + # Title Unencrypted Private Data On-Chain @@ -60,6 +72,18 @@ contract OddEven { } ``` +#### Comments + +The vulnerable version above requires the players to send the number they are using +as part of the transaction. +This means the first player's number will be visible, allowing the second player to select a number +that they know will make them a winner. +(This assumption is simplistic to illustrate - there are also possibilities to front-run players, +among other potential issues). + +In the fixed version below, the players instead submit a commitment that encrypts their number, +and only subsequently reveal that they know the secret to set in train the process of a payout. + ### odd_even_fixed.sol ```solidity