Analysis

SWC Registry Checklist

The following is our point-by-point analysis of known SWC Registry vulnerabilities, with our comments and remediation.

| SWC ID | Title | Comments / Remediation |
| --- | --- | --- |
| SWC-100 | Function Default Visibility | All functions have explicit visibility. |
| SWC-102, SWC-103 | Outdated Compiler Version, Floating Pragma | Version fixed at 0.8.16. |
| SWC-104 | Unchecked Call Return Value | All external interactions are checked for return values. |
| SWC-105 | Unprotected Ether Withdrawal | All ether withdrawals are checked with the checks-effects-interactions pattern. Initializers are disabled for the logic contract and protected for the proxy contract. |
| SWC-106 | Unprotected SELFDESTRUCT Instruction | No SELFDESTRUCT instruction anywhere in the code. Initializers are absent on libraries and disabled on the logic contract. |
| SWC-107 | Reentrancy | All internal state changes are performed before the call is executed. The only external calls are in ERC-20 token transfers (to watch out for). Delegatecalls are restricted to our own library functions. Value payments are made through transfer or send only. |
| SWC-108 | State Variable Default Visibility | All state variables are explicitly labeled with visibility. |
| SWC-112 | Delegatecall to Untrusted Callee | Not present. |
| SWC-113 | DoS with Failed Call | Pull payments are used for mass payments. Array sizes are limited everywhere. |
| SWC-114 | Transaction Order Dependence | Timestamps and orders are treated in a non-urgent manner in the architecture: a block has a single timestamp that decides order precedence, so the risk of a race condition is avoided. Moreover, the code doesn't have any first-come-first-served incentives. Collisions in UID fields are directly avoided by explicit condition checks, and there is no reward for getting to any point first. Most parameters are pre-decided. |
| SWC-115 | Authorization through tx.origin | Not present. |
| SWC-116 | Block Values as a Proxy for Time | Precise time is irrelevant in the system. Approximate time is good enough. |
| SWC-119 | Shadowing State Variables | Not present. |
| SWC-120 | Weak Sources of Randomness from Chain Attributes | Collision checks have been implemented to avoid any issues. |
| SWC-121, SWC-122 | Missing Protection against Signature Replay Attacks, Lack of Proper Signature Verification | Signatures are dependent on pact parameters that are guaranteed to change. msg.sender checks exist, so one can only submit their own signature. Submitted signatures are verified separately using ecrecover. |
| SWC-123 | Requirement Violation | Inputs are validated wherever applicable. |
| SWC-124 | Write to Arbitrary Storage Location | The data structure is maintained in one place, with proper access restrictions and abstraction. |
| SWC-126 | Insufficient Gas Griefing | TODO: check how much gas an ERC-20 transfer operation requires and place restrictions. |
| SWC-136 | Unencrypted Private Data On-Chain | None. |
| SWC-135 | Code With No Effects | Unit tests written; more are being written and verified. |
| SWC-134 | Message Call with Hardcoded Gas Amount | N/A. |
| SWC-133 | Hash Collisions With Multiple Variable Length Arguments | Not present; managed with access restrictions. |
| SWC-132 | Unexpected Ether Balance | Strict equality checks on balances are not present in the code. |
| SWC-131 | Presence of Unused Variables | Not present. |
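
The SWC-121/SWC-122 entry above, sketched as an added example (not code from the audited project): a signature bound to pact parameters, accepted only from the signer themselves, and verified with `ecrecover`. The contract name, function names, and the `pactUid`/`termsHash` parameters are hypothetical, and the chain-ID, contract-address, and low-`s` checks are common hardening assumed here rather than stated on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.16;

/// Added illustration only. PactSignatures, signPact, pactUid and termsHash
/// are hypothetical names, not identifiers from the audited code base.
contract PactSignatures {
    // pactUid => signer => signature already recorded
    mapping(bytes32 => mapping(address => bool)) public hasSigned;

    // Half of the secp256k1 group order. An s value above it is the malleable
    // twin of a valid signature and is rejected (assumed hardening).
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    /// Digest binds the signature to one chain, one contract, one pact and its
    /// current terms. abi.encode on fixed-size types avoids the packed-encoding
    /// collisions described in SWC-133.
    function digest(bytes32 pactUid, bytes32 termsHash) public view returns (bytes32) {
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), pactUid, termsHash)
        );
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    function signPact(bytes32 pactUid, bytes32 termsHash, uint8 v, bytes32 r, bytes32 s)
        external
    {
        // Checks: one signature per signer per pact, canonical encoding only.
        require(!hasSigned[pactUid][msg.sender], "already signed");
        require(v == 27 || v == 28, "bad v");
        require(uint256(s) <= HALF_N, "malleable s");

        // ecrecover returns address(0) on failure instead of reverting.
        address recovered = ecrecover(digest(pactUid, termsHash), v, r, s);
        require(recovered != address(0), "invalid signature");
        // msg.sender check: a caller can only submit their own signature.
        require(recovered == msg.sender, "not caller's signature");

        // Effects: record the signature so the same one cannot be replayed.
        hasSigned[pactUid][msg.sender] = true;
    }
}
```

Because the digest includes `termsHash`, any change to the pact's terms invalidates previously collected signatures, which is the property the entry relies on when it says the signed parameters are guaranteed to change.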