This repository has been archived by the owner on Dec 24, 2020. It is now read-only.

buyOTokens should check if the sender paid ETH #4

Open
aparnakr opened this issue Feb 22, 2020 · 0 comments


@aparnakr
Contributor

(3) Low Severity: the code for buying otokens using Ethereum, buyOtokens(), does not check whether the sender sent enough ETH to pay for the purchase. This would allow an attacker to drain the OptionsExchange contract of all ETH in it by calling buyOtokens() where the receiver address is the attacker's address. This is not normally exploitable because the OptionsExchange contract never holds ETH during the normal operation of the smart contracts system. However, it would allow an attacker to drain any ETH that is accidentally sent to the OptionsExchange contract.
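
The missing check described in this issue, sketched in Solidity as an added example (not part of the original issue and not the OptionsExchange contract's own code). `ExchangeSketch`, `IMarket`, `quote` and `swapEthForTokens` are hypothetical stand-ins for the exchange and the venue it buys through; `buyChecked` shows one way to require that the caller funds the purchase.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical venue interface (assumption, not from the issue or the project).
interface IMarket {
    function quote(uint256 tokenAmount) external view returns (uint256 ethCost);
    function swapEthForTokens(uint256 tokenAmount, address receiver) external payable;
}

// Simplified model of an exchange wrapper that buys tokens with ETH.
contract ExchangeSketch {
    IMarket public immutable market;

    constructor(IMarket _market) {
        market = _market;
    }

    // Pattern the issue describes: the ETH forwarded comes from the quote and is
    // never compared with msg.value, so any shortfall is paid out of ETH this
    // contract already holds (for example ETH sent to it by accident).
    function buyUnchecked(address receiver, uint256 tokenAmount) external payable {
        uint256 cost = market.quote(tokenAmount);
        market.swapEthForTokens{value: cost}(tokenAmount, receiver);
    }

    // Hardened form: the caller must send at least the cost of the purchase.
    function buyChecked(address receiver, uint256 tokenAmount) external payable {
        uint256 cost = market.quote(tokenAmount);
        require(msg.value >= cost, "insufficient ETH sent");

        market.swapEthForTokens{value: cost}(tokenAmount, receiver);

        // Refund only the caller's own surplus; the contract's prior balance
        // is never part of the amount sent back.
        uint256 refund = msg.value - cost;
        if (refund > 0) {
            (bool ok, ) = payable(msg.sender).call{value: refund}("");
            require(ok, "refund failed");
        }
    }
}
```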
