etherimp's Issues

Creator can steal funds in contract.

The function close() calls selfdestruct(creator) on the contract, and allows the creator to steal the Ether locked up in the contract. Selfdestruct(creator) will send whatever Ether is stored in the contract to its creator. You can use this by first selling the etherimp, and then calling self-destruct on it, to claim what the buyer bought it for.

Due to #1, even when there's only 1 wei left in the contract, the owner will still be able to get his initial deposit back, and whatever he sold the etherimp for, when calling selfdestruct, as the leftover wei will have accumulated to that amount.

Won't get my Ether back

I don't know if this was intended or not, but now I don't see a point in sending Ether to your contract because of this line:
previousOwner.transfer(msg.value);

Basically, this transfers the new lowest price to the previous owner. So, imagine that I sent 0.03 Ether to your contract and became a king. Then you sent 0.01 Ether and stole my crown. I will be refunded 0.01 Ether, so my 0.02 Ether is lost and can only be retrieved by the owner of the contract (you) by calling the close() function. I think that's unfair and you should fix it.

Unused modifier

modifier onlyOwner {
    require(msg.sender == currentOwner);
    _;
}

This modifier is not used anywhere in the codebase so there is no point in keeping it.

I can own this contract forever

Because of this line:
previousOwner.transfer(msg.value);
I can become a permanent owner of your contract.
Example:
I send Ether to your contract not from my wallet but from another smart contract. Inside this smart contract, I have a custom Fallback function which automatically throws when someone sends Ether to my contract.
function () payable {
    revert();
}
So, when I become a king of your contract and someone wants to steal my title, they send less Ether to your contract and your contract tries to refund me. But because of my Fallback function, your contract will never succeed and the transaction will be reverted. So I am the owner of your contract forever. I hope you understood the possible malicious scenario.

A solution would be to prefer pull payments instead of push. Basically, you should write another function which lets the previous owner retrieve his stake.
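The pull-payment approach suggested above, as an added example that is not part of the original issue or the project's code. The contract name, function names, state variables and the takeover rule are hypothetical, and Solidity 0.8 is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; contract, function and variable names are hypothetical.
contract PullPaymentTitle {
    address public currentOwner;
    uint256 public currentStake;

    // Ether owed to former owners, claimable only by the credited address.
    mapping(address => uint256) public pendingWithdrawals;

    event OwnerChanged(address indexed previousOwner, address indexed newOwner, uint256 stake);
    event Withdrawn(address indexed account, uint256 amount);

    // Taking the title never sends Ether to the previous owner, so a previous
    // owner whose fallback function reverts cannot block this call.
    function claim() external payable {
        // Placeholder rule (assumption): any non-zero payment takes the title.
        require(msg.value > 0, "no payment");

        address previousOwner = currentOwner;
        if (previousOwner != address(0)) {
            // Credit the full stake the previous owner paid, not msg.value.
            pendingWithdrawals[previousOwner] += currentStake;
        }
        currentOwner = msg.sender;
        currentStake = msg.value;
        emit OwnerChanged(previousOwner, msg.sender, msg.value);
    }

    // Pull payment: each former owner collects their own credit.
    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");

        // Zero the balance before the external call (checks-effects-interactions).
        pendingWithdrawals[msg.sender] = 0;

        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        // A failed transfer reverts only the caller's own withdrawal.
        require(ok, "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }
}
```

With this layout a recipient that rejects Ether only fails its own withdraw() call, and the credited amount is the stake that owner actually paid.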
