SWC-130

Title

Right-To-Left-Override control character (U+202E)

Relationships

CWE-451: User Interface (UI) Misrepresentation of Critical Information

Description

Malicious actors can use the Right-To-Left-Override unicode character to force RTL text rendering and confuse users as to the real intent of a contract.

Remediation

There are very few legitimate uses of the U+202E character. It should not appear in the source code of a smart contract.

References

• Outsmarting Smart Contracts

Contract Samples

guess_the_number.sol

/*
 * @source: https://youtu.be/P_Mtd5Fc_3E
 * @author: Shahar Zini
 */
pragma solidity ^0.5.0;

contract GuessTheNumber
{
    uint _secretNumber;
    address payable _owner;
    event success(string);
    event wrongNumber(string);
    
    constructor(uint secretNumber) payable public
    {
        require(secretNumber <= 10);
        _secretNumber = secretNumber;
        _owner = msg.sender;    
    }
    
    function getValue() view public returns (uint)
    {
        return address(this).balance;
    }

    function guess(uint n) payable public
    {
        require(msg.value == 1 ether);
        
        uint p = address(this).balance;
        checkAndTransferPrize(/*The prize‮/*rebmun desseug*/n , p/*‭
                /*The user who should benefit */,msg.sender);
    }
    
    function checkAndTransferPrize(uint p, uint n, address payable guesser) internal returns(bool)
    {
        if(n == _secretNumber)
        {
            guesser.transfer(p);
            emit success("You guessed the correct number!");
        }
        else
        {
            emit wrongNumber("You've made an incorrect guess!");
        }
    }
    
    function kill() public
    {
        require(msg.sender == _owner);
        selfdestruct(_owner);
    }
}

guess_the_number.yaml

description: Right-To-Left-Override control character (U+202E) user confusion
issues:
- id: SWC-130
  count: 1
  locations:
  - bytecode_offsets: {}
    line_numbers:
      guess_the_number.sol: [31]