This repository has been archived by the owner on Jan 25, 2022. It is now read-only.

False positive SWC-123 warning #224

elenadimitrova opened this issue Jun 19, 2019 · 5 comments

elenadimitrova commented Jun 19, 2019

The following lines falsely produce SWC-123 warnings

contract OneTxPaymentFactory is ExtensionFactory, ColonyDataTypes {
contract OldRolesFactory is ExtensionFactory, ColonyDataTypes {

see https://github.com/JoinColony/colonyNetwork/blob/develop/contracts/extensions/OneTxPaymentFactory.sol#L28
and
https://github.com/JoinColony/colonyNetwork/blob/develop/contracts/extensions/OldRolesFactory.sol#L28

elenadimitrova added a commit to JoinColony/colonyNetwork that referenced this issue Jun 19, 2019
2 of those are false positives reported with following issue
Logged Consensys/truffle-security#224
The rest are valid ignores.
elenadimitrova added a commit to JoinColony/colonyNetwork that referenced this issue Jun 20, 2019
2 of those are false positives reported with following issue
Logged Consensys/truffle-security#224
The rest are valid ignores.

nbanmp commented Jun 21, 2019

This is likely the same or similar issue to #222, causing a real issue in an imported contract to be reported in a different contract.

elenadimitrova added a commit to JoinColony/colonyNetwork that referenced this issue Jun 24, 2019
2 of those are false positives reported with following issue
Logged Consensys/truffle-security#224
The rest are valid ignores.
nbanmp closed this as completed Jun 28, 2019

elenadimitrova commented

This error still persists even after upgrading to 1.5.2, which does fix #222. See the failing build here: https://circleci.com/gh/JoinColony/colonyNetwork/8986

Please reopen.


nbanmp commented Jul 1, 2019

:(

nbanmp reopened this Jul 1, 2019

nbanmp commented Jul 1, 2019

Okay, I was able to sync up with someone who knows what is happening here.

What is happening is that the fuzzer tries to pass the address of the contract itself as _colony and tries to call function hasUserRole on itself, which will fail in the fall-back function, which is compiler-generated. The tool then reports two locations for the issue: (1) the location of the call site (i.e., the line with hasUserRole) and (2) the location of the failing require (i.e., in the compiler-generated code, which will often map to the entire contract).
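
A way to triage the two-location report described in the comment above, as an added example that is not code from truffle-security or from this thread: it tags any finding whose source range is exactly a whole contract declaration, so the reviewer goes to the paired call-site finding rather than suppressing the warning on the `contract` line. The Solidity snippet, the `swcID`/`sourceMap` finding shape and all function names are constructed assumptions.

```javascript
// Added example: triage helper for analyzer output, not truffle-security code.
// SOURCE is a constructed contract modelled on the pattern in the thread.
const SOURCE = [
  'contract Factory is ExtensionFactory {',
  '  function deploy(address _colony) public {',
  '    require(IColony(_colony).hasUserRole(msg.sender, 1, 0));',
  '  }',
  '}',
].join('\n');

// [start, end) of every contract declaration, found by brace matching.
// Simplification: braces inside strings or comments are not handled.
function contractRanges(src) {
  const ranges = [];
  const re = /\bcontract\s+(\w+)[^{]*\{/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    let depth = 1;
    let i = re.lastIndex;
    for (; i < src.length && depth > 0; i++) {
      if (src[i] === '{') depth++;
      else if (src[i] === '}') depth--;
    }
    ranges.push({ name: m[1], start: m.index, end: i });
    re.lastIndex = i;
  }
  return ranges;
}

// 1-based line number of a character offset.
const lineOf = (src, offset) => src.slice(0, offset).split('\n').length;

// Tag each finding: "whole-contract" means the reported range is the contract
// declaration itself (compiler-generated code mapped back to the contract).
function triage(findings, src) {
  const ranges = contractRanges(src);
  return findings.map((f) => {
    const [start, length] = f.sourceMap.split(':').map(Number);
    const hit = ranges.find((r) => r.start === start && r.end === start + length);
    return { ...f, line: lineOf(src, start),
      scope: hit ? 'whole-contract' : 'statement', contract: hit ? hit.name : null };
  });
}

// Constructed findings in "start:length:fileIndex" form (hypothetical shape).
const call = 'IColony(_colony).hasUserRole(msg.sender, 1, 0)';
const FINDINGS = [
  { swcID: 'SWC-123', sourceMap: `${SOURCE.indexOf(call)}:${call.length}:0` },
  { swcID: 'SWC-123', sourceMap: `0:${SOURCE.length}:0` },
];
console.log(triage(FINDINGS, SOURCE));
```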

area pushed a commit to JoinColony/colonyNetwork that referenced this issue Jul 23, 2019
2 of those are false positives reported with following issue
Logged Consensys/truffle-security#224
The rest are valid ignores.