Ethereum: How to fix? warning (2018) function state mutability can be restricted to view

Ethereum: How to Fix the “View Only” Bug with Function State Mutability

In February 2018, a critical bug was discovered in the Ethereum blockchain that affected the “Withdraw” feature on the mainnet. The problem was related to the use of function state mutability, specifically the “onlyOwner” modifier, which was designed to restrict access to functions without view functionality.

A view-only error occurred while attempting to withdraw funds from your wallet. This bug exposed a security flaw in the system that allowed an attacker to drain an account’s balance without triggering a gas limit error or a reentrancy attack.

Understanding Function State Mutability

Function state mutability is the change in a function’s output variables, which can lead to unexpected behavior and security risks. In Ethereum, functions not declared view are considered mutable by default, while view functions are immutable by design.

The “onlyOwner” modifier is used to restrict access to functions that change the state of the contract or its storage. However, it does not prevent all possible attacks; in fact, it only prevents certain types of attacks from taking place.

View-only bug

The issue concerned the “Withdraw” function and occurred when attempting to withdraw funds without checking whether the user had completed the transaction (i.e. the contract state was completed). If a user attempts to withdraw funds before all transactions are completed, the gas limit is exceeded and the transaction fails.

To fix this bug, the “withdraw” function was modified as follows:

    function withdraw() external onlyOwner {
        // Refuse to proceed until the collection period has ended and the target is met
        if (block.timestamp < end || totalCollected < target) {
            revert CollectNotFinished();
        }
    }

By using the “onlyOwner” modifier, we ensure that only the owner of the contract can attempt to withdraw funds. This prevents an attacker from draining your account balance without triggering a gas limit bug.
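An added example, not code from the original page: a complete contract around the withdraw() fragment above, showing where the compiler warning in the title comes from. The contract name, the constructor, the contribute() and checkFinished() functions, the extra errors and the pragma version are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4; // assumption: custom errors require 0.8.4 or later

// Hypothetical crowdfunding contract built around the page's withdraw() check.
contract Collect {
    error CollectNotFinished();
    error NotOwner();
    error TransferFailed();

    address public immutable owner;
    uint256 public immutable end;    // timestamp at which the collection closes
    uint256 public immutable target; // amount in wei that must be reached
    uint256 public totalCollected;

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 duration, uint256 target_) {
        owner = msg.sender;
        end = block.timestamp + duration;
        target = target_;
    }

    function contribute() external payable {
        totalCollected += msg.value;
    }

    // Only reads state (block.timestamp, end, totalCollected, target, owner), so solc
    // reports "Function state mutability can be restricted to view" for this function.
    // Declaring it `external view onlyOwner` silences the warning.
    function checkFinished() external onlyOwner {
        if (block.timestamp < end || totalCollected < target) {
            revert CollectNotFinished();
        }
    }

    // Same guard followed by the actual payout. Sending Ether counts as modifying
    // state, so this function cannot be view and no warning is emitted.
    function withdraw() external onlyOwner {
        if (block.timestamp < end || totalCollected < target) {
            revert CollectNotFinished();
        }
        (bool ok, ) = payable(owner).call{value: address(this).balance}("");
        if (!ok) revert TransferFailed();
    }
}
```

The warning is informational: it flags a function that never writes state, which in a withdraw function usually means the transfer itself is missing rather than that `view` should be added.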

Additional recommendations

  • Review and audit contracts regularly: To minimize the risk of similar bugs in the future, it is essential to regularly review and audit contracts for security vulnerabilities.
  • Use secure coding practices: Follow secure coding best practices, such as using immutable state variables, enforcing gas limits, and preventing reentrancy attacks.
  • Document dependencies: Make sure you document all external dependencies, including libraries and other smart contracts, to avoid security vulnerabilities.

Conclusion

The “Withdraw” function was a critical bug that exposed a security vulnerability in the Ethereum blockchain. By understanding how this issue arose and modifying the function to use the “onlyOwner” modifier, we can significantly reduce the risk of similar bugs occurring in the future. Be sure to regularly review and audit your contracts, use secure coding practices, and document dependencies to ensure the security and integrity of your Ethereum-based applications.

