Report: Recursive call vulnerability in DBVN.sol
--
The DBVN has a minor recursive call vulnerability; see this question on ethereum.stackexchange.com.
The recursive call “bug” arises because, when a contract calls another contract, the called contract can include code that calls the original function on the calling contract, and this second, recursive call is processed before the first one has finished.
A look at the DBVN code
Since the DBVN changes the state of the proposal to
p.executed = true
only after it has called the recipient
p.recipient.call.value(p.amount)(transactionBytecode)
the recipient could perform a recursive call attack.
This is a minor vulnerability, since the DBVN is able to audit the code of the recipient (in the case where the recipient is a contract).
The default function
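Smart contracts on Ethereum have a default function, also called a fallback function, and this is what causes recursive call bugs. The fallback function runs whenever the contract receives a call that matches none of its other functions, which includes a plain transfer of ether.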
With the DBVN, a contract could do a recursive call attack with this fallback function:

    function() {
        for (uint i = 0; i < 100; i++) {
            DBVN.executeProposal(proposalNumber, transactionBytecode);
        }
    }
Fix this bug by moving p.executed = true
To fix this, put p.recipient.call.value()() after p.executed = true:

    /* execute result */
    if (p.currentResult > majorityMargin) {
        p.proposalPassed = true;
        /* update the proposal state before handing control to the recipient */
        p.executed = true;
        p.recipient.call.value(p.amount)(transactionBytecode);
    }
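The same ordering as a self-contained example in Solidity 0.8 syntax, added here and not taken from DBVN.sol. MiniDBVN, addProposal and ReentrantRecipient are hypothetical stand-ins with voting omitted, and the example also checks the result of the low-level call, which the fragment above does not.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified stand-in for the DBVN (hypothetical; voting and membership omitted).
contract MiniDBVN {
    struct Proposal {
        address payable recipient;
        uint256 amount;
        int256 currentResult;
        bool executed;
        bool proposalPassed;
    }
    Proposal[] public proposals;
    int256 public majorityMargin = 0;

    receive() external payable {}

    // Test helper (assumption): registers a proposal with a preset vote tally.
    function addProposal(address payable recipient, uint256 amount, int256 result) external returns (uint256) {
        proposals.push(Proposal(recipient, amount, result, false, false));
        return proposals.length - 1;
    }

    function executeProposal(uint256 proposalNumber, bytes calldata transactionBytecode) external {
        Proposal storage p = proposals[proposalNumber];
        // Checks: a re-entrant call for the same proposal stops here.
        require(!p.executed, "already executed");
        require(p.currentResult > majorityMargin, "proposal did not pass");
        // Effects: record the outcome before handing control to the recipient.
        p.proposalPassed = true;
        p.executed = true;
        // Interaction: a low-level call returns false on failure instead of
        // reverting, so check it; the revert also undoes the two flags above.
        (bool ok, ) = p.recipient.call{value: p.amount}(transactionBytecode);
        require(ok, "payout failed");
    }
}

// Test double: its fallback re-enters executeProposal, like the fallback shown earlier.
contract ReentrantRecipient {
    MiniDBVN public dbvn;
    uint256 public proposalNumber;
    uint256 public received; // stays equal to one payout when the guard holds
    constructor(MiniDBVN _dbvn) { dbvn = _dbvn; }
    function setProposal(uint256 n) external { proposalNumber = n; }
    fallback() external payable {
        received += msg.value;
        try dbvn.executeProposal(proposalNumber, "") {} catch {}
    }
}
```

With the two assignments placed after the call instead, the nested executeProposal would pass the `!p.executed` check and pay out again; in the order shown it reverts with "already executed" and `received` ends at a single `amount`.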