Smart Contract / Requirement Violation

SWC

Description

Requirement Violation is a Smart Contract vulnerability that occurs in SWC. It is defined in the CWE Directory as "The software does not conform to the specified requirements or violates an explicitly or implicitly stated contract or agreement between parties that is an input to the software". This vulnerability is also described in the OWASP Testing Guide as "a vulnerability in the contract logic, which does not follow the requirements".

Risk

This vulnerability can cause various security issues, including financial loss and data leakage. It can also lead to a decrease in the credibility of the system, since it will not be able to fulfill its tasks. The risk assessment of this vulnerability is rated as High.

Solution

The best way to fix this vulnerability is to ensure that the software follows the specified requirements and any explicitly or implicitly stated contract or agreement between parties. This can be done by conducting regular code reviews and testing the software for potential vulnerabilities. Developers should also ensure that all the contracts are properly maintained and updated to reflect the current requirements and contracts.

Example

The following code is an example of a Requirement Violation vulnerability from the CVE Directory.

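pragma solidity ^0.8.0;

contract MyContract {
    // State variable written below; its declaration is missing from the
    // original snippet and is assumed here so the contract compiles.
    uint256 public balance;

    function setValue(uint256 value) public {
        // Requirement Violation: the caller-supplied value overwrites balance
        balance = value;
    }
}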

The code above is vulnerable to Requirement Violation because it does not follow the specified requirement that the value should be stored in a variable; instead, the value is stored in balance.
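A version of the contract that meets the stated requirement, shown as an added example that is not part of the original page or the CVE Directory. The names MyContractFixed, storedValue, deposit and ValueSet are assumptions, as is the reading that balance is accounting state that setValue must leave untouched.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example; all names other than balance and setValue are hypothetical.
contract MyContractFixed {
    // Accounting state: only deposit() is allowed to change it.
    uint256 public balance;

    // Dedicated variable that the requirement asks setValue to write to.
    uint256 public storedValue;

    // Emitted on every change so reviewers and monitors can audit writes.
    event ValueSet(address indexed caller, uint256 oldValue, uint256 newValue);

    // The single code path that modifies balance.
    function deposit() external payable {
        balance += msg.value;
    }

    function setValue(uint256 value) public {
        uint256 balanceBefore = balance;

        emit ValueSet(msg.sender, storedValue, value);
        storedValue = value;

        // Requirement expressed as a checkable invariant: setValue must not
        // alter balance. Static analyzers and fuzzers treat a reachable
        // assert failure as a finding, so a later edit that reintroduces
        // "balance = value" is caught during testing.
        assert(balance == balanceBefore);
    }
}
```

Writing the requirement as an in-code invariant gives code review and automated testing a concrete property to check instead of relying on the specification alone.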
