Smart Contract / Incorrect Constructor Name



Incorrect Constructor Name is a vulnerability of the category Smart Contract. It occurs in Solidity and the Common Weakness Enumeration (CWE) directory refers to it as CWE-811. According to the OWASP Testing Guide, this vulnerability occurs when the constructor is named incorrectly, allowing malicious attackers to call the constructor multiple times or to call other functions as if they were the constructor. This can lead to problems such as double payments or incorrect initialization of the smart contract.


This vulnerability can lead to a high risk of financial loss, as attackers can take advantage of the incorrect constructor name to call other functions and make multiple payments or bypass security measures of the smart contract. In addition, it can lead to a high risk of data leakage if the smart contract is used to store sensitive information, as incorrect initialization of the smart contract can lead to security issues.


The solution to this vulnerability is to ensure that the constructor is named correctly, as this will prevent attackers from using the incorrect constructor name to call other functions or to make multiple payments. In addition, it is important to ensure that all parameters of the constructor are given the correct names and types, and that the constructor is not accessible to external parties.


The following example is taken from CVE-2020-14795, which is related to an incorrect constructor name vulnerability in the popular smart contract language Solidity.

contract MyContract {
  function MyContract() {
    // do something
  function myContract() {
    // do something else

In this example, the constructor is named incorrectly. Instead of being named MyContract, it is named myContract. This can lead to attackers calling the wrong function, possibly resulting in financial loss or data leakage.

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.