Ownership Exploitation in Solidity

Mo Ashouri
2 min read · Mar 19, 2022

Ownership Exploitation in Ethereum Smart Contracts

Functions in Solidity come in four visibility flavors: internal, external, public, and private. The general form of a function declaration is:

function (<parameter types>) {internal|external|public|private} [pure|constant|view|payable] [(modifiers)] [returns (<return types>)]

Internal functions can only be invoked from within the current contract (and from contracts that inherit from it).

External functions form part of the contract's interface: a reference to one consists of an address plus a function selector, and such references can be passed to and returned from external function calls. They can be called from outside the contract, but not directly from inside it (an internal call has to go through this.f()).

Private functions can only be invoked from within the contract that defines them; even derived (inheriting) contracts cannot call them.

And finally, public functions can be invoked from anywhere.

Things become more interesting with external functions. They are part of the contract interface, which means they can be invoked from other contracts and through transactions.

Developers sometimes choose external functions for efficiency when a function receives large data arrays, since external parameters are read directly from calldata instead of being copied to memory.

The catch is that anyone, including an attacker, can call these functions.

Let's suppose we have a contract like this:

// SPDX-License-Identifier: MIT
pragma solidity 0.8.9;

contract PriceOracle {
    uint256 public AssetPrice;
    address owner;

    constructor(uint256 _price) {
        AssetPrice = _price;
        owner = msg.sender; // the deployer is recorded as the owner...
    }

    // ...but nothing checks it here: any account can call this external
    // function and overwrite the price.
    function upgradeAssetPrice(uint256 _price) external {
        AssetPrice = _price;
    }
}

How to fix the problem?

To fix the issue, we can attach a modifier to the upgrade function. A modifier is reusable code that runs around a function's body (the _; placeholder marks where the body executes); here it checks that the caller is the owner and reverts otherwise.

// SPDX-License-Identifier: MIT
pragma solidity 0.8.9;

contract SafePriceOracle {
    uint256 public AssetPrice;
    address owner;

    constructor(uint256 _price) {
        AssetPrice = _price;
        owner = msg.sender;
    }

    // Reverts unless the caller is the recorded owner; _; is where the
    // guarded function's body runs.
    modifier CheckOwner() {
        require(msg.sender == owner, "No owner!");
        _;
    }

    // Only the owner can now change the price.
    function upgradeAssetPrice(uint256 _price) external CheckOwner {
        AssetPrice = _price;
    }
}
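A Foundry test that pins down both behaviours, added here as an example (it is not part of the original post). It assumes forge-std is installed, that the two contracts above are saved as src/PriceOracle.sol and src/SafePriceOracle.sol, and that the modifier's revert string is "No owner!"; the DEPLOYER and STRANGER addresses are constructed for the test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.9;

// Assumed layout (not from the post): forge-std installed, and the two
// contracts from the post saved under src/.
import "forge-std/Test.sol";
import "../src/PriceOracle.sol";
import "../src/SafePriceOracle.sol";

contract OwnershipTest is Test {
    PriceOracle internal unsafeOracle;
    SafePriceOracle internal safeOracle;

    // Constructed addresses: the deployer (owner) and an unrelated caller.
    address internal constant DEPLOYER = address(0xA11CE);
    address internal constant STRANGER = address(0xB0B);

    function setUp() public {
        vm.startPrank(DEPLOYER); // constructors record msg.sender as owner
        unsafeOracle = new PriceOracle(100);
        safeOracle = new SafePriceOracle(100);
        vm.stopPrank();
    }

    // Documents the bug: with no modifier, any caller overwrites the price.
    function testUnguardedOracleAcceptsAnyCaller() public {
        vm.prank(STRANGER);
        unsafeOracle.upgradeAssetPrice(1);
        assertEq(unsafeOracle.AssetPrice(), 1);
    }

    // CheckOwner rejects a non-owner with the post's revert string and
    // leaves state untouched.
    function testGuardedOracleRejectsNonOwner() public {
        vm.prank(STRANGER);
        vm.expectRevert(bytes("No owner!"));
        safeOracle.upgradeAssetPrice(1);
        assertEq(safeOracle.AssetPrice(), 100);
    }

    // The owner can still update the price through the guarded function.
    function testGuardedOracleAllowsOwner() public {
        vm.prank(DEPLOYER);
        safeOracle.upgradeAssetPrice(250);
        assertEq(safeOracle.AssetPrice(), 250);
    }
}
```

Run it with forge test; the first test is a record of the vulnerability and would start failing if access control were later added to PriceOracle.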

That’s all!


Mo Ashouri

Mo has a Ph.D. in Computer Science. Mo specializes in Backend Programming and Security.