aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorchriseth <chris@ethereum.org>2018-09-27 20:55:05 +0800
committerchriseth <chris@ethereum.org>2018-09-27 20:55:05 +0800
commitb43e9f27f8bf9bf484451195dff19366313ee723 (patch)
treeb9d25e0bf0e8ba82d8c6bc5322a10b5cb7713dcb
parentdd3459d76fb594b1df160e7a87ab0a181cd297c6 (diff)
downloaddexon-solidity-b43e9f27f8bf9bf484451195dff19366313ee723.tar.gz
dexon-solidity-b43e9f27f8bf9bf484451195dff19366313ee723.tar.zst
dexon-solidity-b43e9f27f8bf9bf484451195dff19366313ee723.zip
Pitfalls regarding over/underflows
-rw-r--r--docs/layout-of-source-files.rst2
-rw-r--r--docs/security-considerations.rst20
2 files changed, 22 insertions, 0 deletions
diff --git a/docs/layout-of-source-files.rst b/docs/layout-of-source-files.rst
index d89ecded..fb18f8a9 100644
--- a/docs/layout-of-source-files.rst
+++ b/docs/layout-of-source-files.rst
@@ -77,6 +77,8 @@ for this part of the code is still under development) and has not
received as much testing as the old encoder. You can activate it
using ``pragma experimental ABIEncoderV2;``.
+.. _smt_checker:
+
SMTChecker
~~~~~~~~~~
diff --git a/docs/security-considerations.rst b/docs/security-considerations.rst
index 3305c1e1..b252b55e 100644
--- a/docs/security-considerations.rst
+++ b/docs/security-considerations.rst
@@ -223,6 +223,26 @@ Now someone tricks you into sending ether to the address of this attack wallet:
If your wallet had checked ``msg.sender`` for authorization, it would get the address of the attack wallet, instead of the owner address. But by checking ``tx.origin``, it gets the original address that kicked off the transaction, which is still the owner address. The attack wallet instantly drains all your funds.
+
+Two's Complement / Underflows / Overflows
+=========================================
+
+As in many programming languages, Solidity's integer types are not actually integers.
+They resemble integers when the values are small, but behave differently if the numbers are larger.
+For example, the following is true: ``uint8(255) + uint8(1) == 0``. This situation is called
+an *overflow*. It occurs when an operation is performed that requires a fixed size variable
+to store a number (or piece of data) that is outside the range of the variable's data type.
+An *underflow* is the converse situation: ``uint8(0) - uint8(1) == 255``.
+
+In general, read about the limits of two's complement representation, which even has some
+more special edge cases for signed numbers.
+
+Try to use ``require`` to limit the size of inputs to a reasonable range and use the
+:ref:`SMT checker<smt_checker>` to find potential overflows, or
+use a library like
+`SafeMath<https://github.com/OpenZeppelin/openzeppelin-solidity/blob/master/contracts/math/SafeMath.sol>`
+if you want all overflows to cause a revert.
+
Minor Details
=============