Smart Contract / Incorrect Constructor Name

Description

Incorrect Constructor Name is a vulnerability of the category Smart Contract. It occurs in Solidity and the Common Weakness Enumeration (CWE) directory refers to it as CWE-811. According to the OWASP Testing Guide, this vulnerability occurs when the constructor is named incorrectly, allowing malicious attackers to call the constructor multiple times or to call other functions as if they were the constructor. This can lead to problems such as double payments or incorrect initialization of the smart contract.

Risk

This vulnerability can lead to a high risk of financial loss, as attackers can take advantage of the incorrect constructor name to call other functions and make multiple payments or bypass security measures of the smart contract. In addition, it can lead to a high risk of data leakage if the smart contract is used to store sensitive information, as incorrect initialization of the smart contract can lead to security issues.

Solution

The solution to this vulnerability is to ensure that the constructor is named correctly, as this will prevent attackers from using the incorrect constructor name to call other functions or to make multiple payments. In addition, it is important to ensure that all parameters of the constructor are given the correct names and types, and that the constructor is not accessible to external parties.

Example

The following example is taken from CVE-2020-14795, which is related to an incorrect constructor name vulnerability in the popular smart contract language Solidity.

contract MyContract {
  function MyContract() {
    // do something
  }
  
  function myContract() {
    // do something else
  }
}

In this example, the constructor is named incorrectly. Instead of being named MyContract, it is named myContract. This can lead to attackers calling the wrong function, possibly resulting in financial loss or data leakage.