- Vulnerability Category: Authorization
- Severity: High
- Detectors: `tx-sender-in-assert`
- Test Cases: `tx-sender-in-assert`

In Clarity, the `tx-sender` keyword is used to get the principal of the current transaction. Since `tx-sender` can change during the execution of a contract, using it inside an assert statement can lead to unexpected behavior. Because of that, be mindful of the context in which `tx-sender` is used inside an assert.

```clarity
(define-public (start (new-members (list 100 principal)) (new-votes-required uint))
  (begin
    ;; Owner check based on tx-sender: the pattern this detector flags
    (asserts! (is-eq tx-sender contract-owner) err-owner-only)
    (asserts! (is-eq (len (var-get members)) u0) err-already-locked)
    (asserts! (>= (len new-members) new-votes-required) err-more-votes-than-members-required)
    (var-set members new-members)
    (var-set votes-required new-votes-required)
    (ok true)
  )
)
```

The vulnerable code example can be found here.
Only use `tx-sender` inside an assert if you are sure it is not introducing a vulnerability.
The remediated code example can be found here.
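
One possible hardening of the function above, as an added example that is not the project's remediated code: the owner check compares against `contract-caller`, the immediate caller, instead of `tx-sender`. The constant, error and data-var definitions are assumptions added so the snippet is self-contained.

```clarity
;; Added example. Constant, error and variable names mirror the snippet above;
;; their definitions and values are assumptions, not taken from the project.
(define-constant contract-owner tx-sender) ;; deployer at publish time
(define-constant err-owner-only (err u100))
(define-constant err-already-locked (err u101))
(define-constant err-more-votes-than-members-required (err u102))

(define-data-var members (list 100 principal) (list))
(define-data-var votes-required uint u1)

(define-public (start (new-members (list 100 principal)) (new-votes-required uint))
  (begin
    ;; contract-caller is the principal that called this function directly.
    ;; If the owner calls some other contract and that contract calls start,
    ;; contract-caller is that contract, so the owner check fails.
    (asserts! (is-eq contract-caller contract-owner) err-owner-only)
    (asserts! (is-eq (len (var-get members)) u0) err-already-locked)
    (asserts! (>= (len new-members) new-votes-required) err-more-votes-than-members-required)
    (var-set members new-members)
    (var-set votes-required new-votes-required)
    (ok true)
  )
)
```

With this check, calls routed through another contract are rejected even when the owner originates the transaction, so it only fits functions the owner is expected to call directly.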