Ethereum: How to Fix “View Only” Bug with Function State Mutability
In February 2018, a critical vulnerability was discovered in the Ethereum blockchain that affected the mainnet’s pull function. The issue involved the exploitation of function state mutability, specifically the onlyOwner modifier, which was intended to restrict access to functions with a non-viewing function.
When I tried to withdraw funds from my wallet, I got a “view only” bug. This bug exposed a security flaw in the system and allowed an attacker to exhaust the account balance without triggering a gas limit error or reentrancy attack.
Understanding Function State Mutability
Functional state mutability refers to the concept of modifying the output variables of a function, which can lead to unexpected behavior and security risks. In Ethereum, functions that do not have a display function are considered mutable by default, while functions that are only used for display are immutable by design.
The « onlyOwner » modifier is used to restrict access to functions that modify the state of the contract or its repository. However, this will not prevent all possible attacks; in fact, it only prevents certain types of attacks.
Error to display only
A problem occurred with the « withdraw » function when trying to withdraw funds without checking whether the user had completed transactions (i.e. whether the contract status had been reached). If the user tried to withdraw funds before all transactions had completed, the gas limit would be exceeded and the transaction would fail.
To fix this bug, the « pull » function was modified as follows:
function remove() external onlyOwner {
if(block.timestamp < end || total collected < target) {
return CollectNotFinished();
}
}
The “onlyOwner” modifier ensures that only the owner of the contract can attempt to withdraw funds. This prevents an attacker from running out of funds in the account without triggering a gas limit error.
Additional Recommendations
- Regularly review and audit contracts: To minimize the risk of similar errors in the future, it is essential to regularly review and audit vulnerabilities in contracts.
- Use secure coding practices: Follow secure coding best practices, such as using immutable state variables, enforcing gas limits, and preventing reentrancy attacks.
- Document dependencies: Make sure to document all external dependencies, including libraries and other smart contracts, to avoid introducing security holes.
Conclusion
The “pull” function was a critical bug that exposed a security vulnerability in the Ethereum blockchain. By understanding how this issue arose and modifying the function to use the onlyOwner modifier, we can significantly reduce the risk of similar bugs in the future. Be sure to regularly review and audit your contracts, follow secure coding practices, and document dependencies to ensure the security and integrity of your Ethereum-based applications.
