top | item 28166424

(no title)

The "bug" is that some developers think of matching function signatures as some form of authN / authZ.

A few years back I wrote https://medium.com/coinmonks/lashing-out-at-a-spank-channel-... about a similar hack where a contract "trusted" a given (user input) contract based on nothing other than verifying a function signature. This latest hack was smarter but ultimately it still exploited a 4 bytes hash "security" feature...

discuss

No comments yet.