Smart Contract / Incorrect Inheritance Order
Description
Incorrect Inheritance Order, a smart contract vulnerability identified in the Common Weakness Enumeration (CWE) directory, occurs when the order of inheritance is incorrect when a contract is written in Solidity (SWC). This can lead to security issues due to incorrect visibility rules for functions and state variables, and can be exploited to allow unintended access to code or data. According to the OWASP Testing Guide, this vulnerability is difficult to detect, as it requires an understanding of the language, design, and architecture of the smart contract.
Risk
Incorrect Inheritance Order is a severe vulnerability as it can allow attackers to access and manipulate smart contract code and data that is not intended to be public. The vulnerability can be used to perform malicious activities such as theft of funds, data manipulation, and control of the contract by malicious actors.
Solution
To fix this vulnerability, the order of inheritance must be correct and checked. To do this, the contract must be designed in such a way that the public functions and variables are at the top of the inheritance chain and all other functions and variables are lower in the inheritance chain. Additionally, all contracts must be tested and reviewed to ensure that the order of inheritance is correct.
Example
The following code block shows an example of a contract with an incorrect inheritance order.
contract A {
uint private a;
function foo() public {
a = 10;
}
}
contract B is A {
uint private b;
function bar() public {
b = 10;
}
}
In this example, the order of inheritance is incorrect, as the private function bar() and variable b are declared before the public function foo() and the public variable a. This can result in foo() and a being accessible to any external callers, which is not the intended behavior.