📌 The common attacks listed below are a mix of Alyra security courses and Consensys
ℹ️ Attacks applicable to this application are checked
- Reentrancy
- Front Running
- Timestamp Dependence
- Overflow and Underflow
- DoS with (Unexpected) revert
- DoS with Block Gas Limit
- Insufficient gas griefing
- Forcibly Sending Ether to a Contract
- Call to the unknown
- Source of Randomness
- tx.origin
- Honeypot
- The only external contract used is the official USDC ERC-20 contract, which is used through the SafeERC20 library.
- We are not using the `address.call()` function but SafeERC20 `safeTransfer()` and `safeTransferFrom()` instead.
- We limit the access to certain functionalities with the use of modifiers and a workflow:
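```solidity
// Blocks any call once the campaign has been deleted.
modifier isNotDeleted() {
    require(status != WorkflowStatus.CampaignDeleted, "!Err: Campaign Deleted");
    _;
}

// Restricts the function to the campaign manager.
modifier onlyManager() {
    require(msg.sender == manager, "!Not Authorized");
    _;
}

// Requires the campaign to be at a given step of the workflow.
modifier checkStatus(
    WorkflowStatus currentStatus,
    WorkflowStatus requiredStatus
) {
    require(currentStatus == requiredStatus, "!Err : Wrong workflow status");
    _;
}

// Rejects contributions once the campaign deadline has passed.
modifier checkCampaignDeadline() {
    require(block.timestamp < campaignInfo.deadlineDate, "!Err : Campaign contribution has ended");
    _;
}
```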
This attack isn't applicable to our application.
We are using timestamps in several parts of the workflow. To avoid this attack we follow some best practices:
- Using `block.timestamp` instead of `now` or `block.number`
- Using timestamp comparison (>, <, >=, <=) instead of strict equal
- Our application isn't impacted by the 15 seconds rule because the minimum time between action and deadline is 7 days.
We are avoiding this attack directly by using a Solidity version greater than 0.8.0 (reference).
Our application doesn't handle private data or sensitive data. Everything is public.
Our application uses pull over push payment in order to prevent this attack.
We are avoiding this attack with two solutions:
- using pull over push payment, as for the previous attack.
- using mapping data structures instead of arrays (example: the max level of Rewards is 10).
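
The pull over push payment and mapping-based bookkeeping described above, as an added sketch that is not the project's own code. The contract name, state variables and function names are hypothetical; it assumes OpenZeppelin's `SafeERC20` and a USDC token address supplied at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical contract for illustration; names are not taken from the project.
contract PullRefundExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable usdc;      // token address supplied at deployment
    address public immutable manager;
    bool public refundsOpen;

    // Mapping instead of an array: no function ever loops over contributors,
    // so gas per call stays constant however many contributors there are.
    mapping(address => uint256) public contributions;

    constructor(IERC20 _usdc) {
        usdc = _usdc;
        manager = msg.sender;
    }

    function contribute(uint256 amount) external {
        require(!refundsOpen, "!Err: Refunds open");
        require(amount > 0, "!Err: Zero amount");
        contributions[msg.sender] += amount;
        usdc.safeTransferFrom(msg.sender, address(this), amount);
    }

    // Push would iterate over every contributor here; one reverting transfer
    // or too many entries would block all refunds. Opening refunds is O(1).
    function openRefunds() external {
        require(msg.sender == manager, "!Not Authorized");
        refundsOpen = true;
    }

    // Pull: each contributor withdraws their own balance. A failing transfer
    // reverts only the caller's transaction and cannot block anyone else.
    function refund() external {
        require(refundsOpen, "!Err: Refunds closed");
        uint256 amount = contributions[msg.sender];
        require(amount > 0, "!Err: Nothing to refund");
        contributions[msg.sender] = 0;            // effect before interaction
        usdc.safeTransfer(msg.sender, amount);
    }
}
```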
This attack isn't applicable to our application because it does not use the low-level `call()` function.
This attack isn't applicable to our application because it does not handle contributions in Ether but in USDC.
We are avoiding this attack by:
- not using the low-level `call()` or `delegatecall()` functions
- using interfaces in order to instantiate other contracts.
This attack isn't applicable to our application because it does not have any randomly generated data.
This attack isn't applicable to our application because it does not use `tx.origin`.
This attack isn't applicable to our application.