2017-04-12 10:23:34 +00:00
|
|
|
.. index:: Bugs
|
|
|
|
|
|
|
|
.. _known_bugs:
|
|
|
|
|
|
|
|
##################
|
|
|
|
List of Known Bugs
|
|
|
|
##################
|
|
|
|
|
2017-04-18 09:40:00 +00:00
|
|
|
Below, you can find a JSON-formatted list of some of the known security-relevant bugs in the
|
2017-04-12 10:23:34 +00:00
|
|
|
Solidity compiler. The file itself is hosted in the `Github repository
|
|
|
|
<https://github.com/ethereum/solidity/blob/develop/docs/bugs.json>`_.
|
|
|
|
The list stretches back as far as version 0.3.0, bugs known to be present only
|
2017-04-12 13:35:25 +00:00
|
|
|
in versions preceding that are not listed.
|
|
|
|
|
|
|
|
There is another file called `bugs_by_version.json
|
|
|
|
<https://github.com/ethereum/solidity/blob/develop/docs/bugs_by_version.json>`_,
|
|
|
|
which can be used to check which bugs affect a specific version of the compiler.
|
|
|
|
|
|
|
|
Contract source verification tools and also other tools interacting with
|
|
|
|
contracts should consult this list according to the following criteria:
|
|
|
|
|
2021-07-14 15:55:05 +00:00
|
|
|
- It is mildly suspicious if a contract was compiled with a nightly
|
|
|
|
compiler version instead of a released version. This list does not keep
|
|
|
|
track of unreleased or nightly versions.
|
|
|
|
- It is also mildly suspicious if a contract was compiled with a version that was
|
|
|
|
not the most recent at the time the contract was created. For contracts
|
|
|
|
created from other contracts, you have to follow the creation chain
|
|
|
|
back to a transaction and use the date of that transaction as creation date.
|
|
|
|
- It is highly suspicious if a contract was compiled with a compiler that
|
|
|
|
contains a known bug and the contract was created at a time where a newer
|
|
|
|
compiler version containing a fix was already released.
|
2017-04-12 13:35:25 +00:00
|
|
|
|
|
|
|
The JSON file of known bugs below is an array of objects, one for each bug,
|
|
|
|
with the following keys:
|
2017-04-12 10:23:34 +00:00
|
|
|
|
2020-04-22 20:28:10 +00:00
|
|
|
uid
|
|
|
|
Unique identifier given to the bug in the form of ``SOL-<year>-<number>``.
|
|
|
|
It is possible that multiple entries exists with the same uid. This means
|
|
|
|
multiple version ranges are affected by the same bug.
|
2017-04-12 10:23:34 +00:00
|
|
|
name
|
|
|
|
Unique name given to the bug
|
|
|
|
summary
|
|
|
|
Short description of the bug
|
|
|
|
description
|
|
|
|
Detailed description of the bug
|
|
|
|
link
|
|
|
|
URL of a website with more detailed information, optional
|
|
|
|
introduced
|
|
|
|
The first published compiler version that contained the bug, optional
|
|
|
|
fixed
|
|
|
|
The first published compiler version that did not contain the bug anymore
|
|
|
|
publish
|
|
|
|
The date at which the bug became known publicly, optional
|
|
|
|
severity
|
2017-10-16 20:27:27 +00:00
|
|
|
Severity of the bug: very low, low, medium, high. Takes into account
|
2017-04-12 10:23:34 +00:00
|
|
|
discoverability in contract tests, likelihood of occurrence and
|
|
|
|
potential damage by exploits.
|
|
|
|
conditions
|
2019-03-12 10:41:47 +00:00
|
|
|
Conditions that have to be met to trigger the bug. The following
|
|
|
|
keys can be used:
|
|
|
|
``optimizer``, Boolean value which
|
2017-04-12 10:23:34 +00:00
|
|
|
means that the optimizer has to be switched on to enable the bug.
|
2019-03-12 10:41:47 +00:00
|
|
|
``evmVersion``, a string that indicates which EVM version compiler
|
|
|
|
settings trigger the bug. The string can contain comparison
|
|
|
|
operators. For example, ``">=constantinople"`` means that the bug
|
|
|
|
is present when the EVM version is set to ``constantinople`` or
|
|
|
|
later.
|
2017-04-12 10:23:34 +00:00
|
|
|
If no conditions are given, assume that the bug is present.
|
2018-08-03 11:55:44 +00:00
|
|
|
check
|
2018-08-21 14:09:53 +00:00
|
|
|
This field contains different checks that report whether the smart contract
|
|
|
|
contains the bug or not. The first type of check are Javascript regular
|
|
|
|
expressions that are to be matched against the source code ("source-regex")
|
|
|
|
if the bug is present. If there is no match, then the bug is very likely
|
|
|
|
not present. If there is a match, the bug might be present. For improved
|
|
|
|
accuracy, the checks should be applied to the source code after stripping
|
2018-08-03 11:55:44 +00:00
|
|
|
comments.
|
2018-08-21 14:09:53 +00:00
|
|
|
The second type of check are patterns to be checked on the compact AST of
|
|
|
|
the Solidity program ("ast-compact-json-path"). The specified search query
|
|
|
|
is a `JsonPath <https://github.com/json-path/JsonPath>`_ expression.
|
|
|
|
If at least one path of the Solidity AST matches the query, the bug is
|
|
|
|
likely present.
|
2017-04-12 10:23:34 +00:00
|
|
|
|
|
|
|
.. literalinclude:: bugs.json
|
|
|
|
:language: js
|