Thanks for the great insights — reading about these topics never gets boring, the more details the better.
I totally disagree on your long excuses at the end though. This is not a regular app, not even a regular financial app, but an app that deals with a lot of money by other people. There is loads and loads of advice on the internet for secure programming, there are infosec developers who are happy to give advice on this stuff, there are tools that automate things…
And then you post something like
    function() payable {
      // just being sent some cash?
      if (msg.value > 0)
        Deposit(msg.sender, msg.value);
      else if (msg.data.length > 0)
        _walletLibrary.delegatecall(msg.data);
    }

and daresay that this was hard to spot…
Here is a spoiler for you: “else if” is not best practice in secure programming. Neither is function(). Secure programming doesn’t have fallbacks. This code is highly optimistic, where it should be highly pessimistic.
Don’t even get me started on the insanity of a business logic with an if (msg.value > 0) heuristic…
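For comparison with the fallback quoted in the comment above, here is a deny-by-default version of the same dispatcher. It is an added example, not part of the comment and not the wallet project's code. The contract name, the constructor and the `forwardable` allow-list are hypothetical, and it assumes Solidity 0.8 and a library whose storage layout leaves room for the allow-list.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; names are hypothetical. Deposits and forwarded calls take
// separate entry points, and anything not explicitly allowed reverts.
contract PessimisticWallet {
    event Deposit(address indexed from, uint256 value);

    // Fixed at deployment and stored in code, so a delegatecall cannot change it.
    address private immutable walletLibrary;

    // Selectors that may be forwarded to the library.
    // Assumption: the library's storage layout reserves this slot.
    mapping(bytes4 => bool) private forwardable;

    constructor(address library_, bytes4[] memory allowed) {
        require(library_.code.length > 0, "library is not a contract");
        walletLibrary = library_;
        for (uint256 i = 0; i < allowed.length; i++) {
            forwardable[allowed[i]] = true;
        }
    }

    // Empty calldata: the only path that accepts ether.
    receive() external payable {
        require(msg.value > 0, "empty call");
        emit Deposit(msg.sender, msg.value);
    }

    // Non-empty calldata: not payable, so a call carrying value reverts
    // instead of being treated as a deposit. Only allow-listed selectors
    // are forwarded; initialisation or ownership functions are left off
    // the list and therefore unreachable through this path.
    fallback(bytes calldata data) external returns (bytes memory) {
        require(forwardable[msg.sig], "selector not forwardable");
        (bool ok, bytes memory ret) = walletLibrary.delegatecall(data);
        require(ok, "library call failed");
        return ret;
    }
}
```

The quoted version decides what a call means from `msg.value` and forwards every other payload unchanged; here each case has its own entry point and a single explicit list decides what reaches `delegatecall`.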
