SWC-130
Title
Right-To-Left-Override control character (U+202E)
Relationships
CWE-451: User Interface (UI) Misrepresentation of Critical Information
Description
Malicious actors can use the Right-To-Left-Override Unicode character (U+202E) to force right-to-left text rendering, so that the source code as displayed to a reader differs from what the compiler actually parses, and thereby confuse users as to the real intent of a contract.
Remediation
There are very few legitimate uses of the U+202E character. It should not appear in the source code of a smart contract.
References
Contract Samples
guess_the_number.sol
/*
* @source: https://youtu.be/P_Mtd5Fc_3E
* @author: Shahar Zini
*/
pragma solidity ^0.5.0;
contract GuessTheNumber
{
    // Number the player has to guess; fixed at deployment and bounded to 0..10 by the constructor.
    uint _secretNumber;
    // Deployer account; the only caller allowed to invoke kill().
    address payable _owner;
    event success(string);
    event wrongNumber(string);

    // Records the secret and the owner. Any ether sent with the deployment seeds the prize pool.
    constructor(uint secretNumber) payable public
    {
        require(secretNumber <= 10);
        _secretNumber = secretNumber;
        _owner = msg.sender;
    }

    // Returns the contract's current balance, i.e. the amount a correct guess would be paid.
    function getValue() view public returns (uint)
    {
        return address(this).balance;
    }

    // Accepts a guess `n`; exactly 1 ether must accompany the call.
    // This is the SWC-130 sample (the .yaml reports it at line 31 of the original file).
    // The comments on the call line carry a Right-To-Left-Override control character (U+202E);
    // it is not visible in this listing and may have been stripped by extraction. With the
    // override in place, a viewer renders the arguments so they read as "prize, guessed number",
    // whereas the parser sees `n , p`: `n` is bound to checkAndTransferPrize's `p` parameter
    // (the amount transferred) and the balance `p` is bound to its `n` parameter (the value
    // compared with the secret). Displayed intent and compiled behaviour therefore differ,
    // which is the defect the SWC entry describes.
    function guess(uint n) payable public
    {
        require(msg.value == 1 ether);
        uint p = address(this).balance;
        checkAndTransferPrize(/*The prize/*rebmun desseug*/n , p/*
        /*The user who should benefit */,msg.sender);
    }

    // Pays `p` wei to `guesser` when `n` equals the secret; emits an event in either case.
    // Declared `returns(bool)` but never assigns or returns a value, so the implicit
    // return value is the default `false`.
    function checkAndTransferPrize(uint p, uint n, address payable guesser) internal returns(bool)
    {
        if(n == _secretNumber)
        {
            guesser.transfer(p);
            emit success("You guessed the correct number!");
        }
        else
        {
            emit wrongNumber("You've made an incorrect guess!");
        }
    }

    // Owner-only: destroys the contract and forwards its remaining balance to the owner.
    function kill() public
    {
        require(msg.sender == _owner);
        selfdestruct(_owner);
    }
}
guess_the_number.yaml
description: Right-To-Left-Override control character (U+202E) user confusion
issues:
- id: SWC-130
count: 1
locations:
- bytecode_offsets: {}
line_numbers:
guess_the_number.sol: [31]