aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorchriseth <chris@ethereum.org>2018-04-17 15:09:07 +0800
committerchriseth <chris@ethereum.org>2018-04-17 18:04:36 +0800
commit3710fb59f005073ea397b3d11df25f005cc663d0 (patch)
tree2c19e174a17dc90c77744072cacdf489bbdf75a0
parent0304582cbf61798d0a088c46681ffb4f0ab5793c (diff)
downloaddexon-solidity-3710fb59f005073ea397b3d11df25f005cc663d0.tar.gz
dexon-solidity-3710fb59f005073ea397b3d11df25f005cc663d0.tar.zst
dexon-solidity-3710fb59f005073ea397b3d11df25f005cc663d0.zip
Update security considerations.
-rw-r--r--docs/security-considerations.rst19
1 files changed, 16 insertions, 3 deletions
diff --git a/docs/security-considerations.rst b/docs/security-considerations.rst
index 49fd7ea4..3e1c3a12 100644
--- a/docs/security-considerations.rst
+++ b/docs/security-considerations.rst
@@ -225,9 +225,6 @@ Minor Details
=============
- In ``for (var i = 0; i < arrayName.length; i++) { ... }``, the type of ``i`` will be ``uint8``, because this is the smallest type that is required to hold the value ``0``. If the array has more than 255 elements, the loop will not terminate.
-- The ``constant`` keyword for functions is currently not enforced by the compiler.
- Furthermore, it is not enforced by the EVM, so a contract function that "claims"
- to be constant might still cause changes to the state.
- Types that do not occupy the full 32 bytes might contain "dirty higher order bits".
This is especially important if you access ``msg.data`` - it poses a malleability risk:
You can craft transactions that call a function ``f(uint8 x)`` with a raw byte argument
@@ -239,6 +236,22 @@ Minor Details
Recommendations
***************
+Take Warnings Seriously
+=======================
+
+If the compiler warns you about something, you should better change it.
+Even if you do not think that this particular warning has security
+implications, there might be another issue buried beneath it.
+Any compiler warning we issue can be silenced by slight changes to the
+code.
+
+Also try to enable the "0.5.0" safety features as early as possible
+by adding ``pragma experimental "v0.5.0";``. Note that in this case,
+the word ``experimental`` does not mean that the safety features are in any
+way risky, it is just a way to enable some features that are
+not yet part of the latest version of Solidity due to backwards
+compatibility.
+
Restrict the Amount of Ether
============================