Smart Contract / Unexpected Ether Balance

SWC

Description

Unexpected Ether Balance is a type of vulnerability that occurs in Smart Contracts. It is defined by the Common Weakness Enumeration (CWE) directory as CWE-845: "Improper Restriction of Excessive Authentication Attempts". This vulnerability occurs when a Smart Contract allows users to transfer Ether without sufficient checks. This can lead to an attacker obtaining funds or tokens in the Smart Contract without authorization. The OWASP Testing Guide has a chapter dedicated to Smart Contracts and the vulnerabilities associated with them, including the Unexpected Ether Balance vulnerability.

Risk

The risk associated with this vulnerability is that an attacker could obtain funds or tokens without authorization. This can lead to financial losses and damage to the integrity of the Smart Contract. A risk assessment should be conducted to determine the impact of this vulnerability.

Solution

The solution to this vulnerability is to ensure that all transfers of Ether are properly validated. This can be done by implementing a system of checks and balances that verify the validity of the transfer. Additionally, the Smart Contract should be regularly audited to ensure that the code is free from any vulnerabilities.

Example

Below is an example of vulnerable Smart Contract code from the Common Vulnerabilities and Exposures (CVE) directory. The vulnerability is due to the lack of a check to verify that the transfer of Ether is valid.

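pragma solidity ^0.8.0;

// Deliberately vulnerable: forwards `amount` without validating the transfer.
contract UnexpectedEtherBalance {
    address payable public recipient; // no setter or check shown in this snippet
    uint256 amount;                   // never compared with msg.value

    // Callable by anyone; nothing checks the sender, the recipient,
    // or that the payout matches what the caller deposited.
    function sendEther() public payable {
        recipient.transfer(amount);
    }
}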
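
For comparison, a hardened counterpart of the contract above that applies the checks described under Solution. This is an added example, not code from the original page or from any CVE entry; the names ValidatedEtherForwarder, owner, configure and Forwarded are hypothetical, and it assumes the intended behaviour is to forward exactly the Ether the caller sends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: all names below are hypothetical.
contract ValidatedEtherForwarder {
    address public immutable owner;
    address payable public recipient;
    uint256 public amount;

    event Forwarded(address indexed from, address indexed to, uint256 value);

    constructor(address payable _recipient, uint256 _amount) {
        require(_recipient != address(0), "recipient not set");
        require(_amount > 0, "amount is zero");
        owner = msg.sender;
        recipient = _recipient;
        amount = _amount;
    }

    // Only the deployer may change where Ether goes and how much.
    function configure(address payable _recipient, uint256 _amount) external {
        require(msg.sender == owner, "not owner");
        require(_recipient != address(0), "recipient not set");
        require(_amount > 0, "amount is zero");
        recipient = _recipient;
        amount = _amount;
    }

    // The caller must fund the exact transfer, so a call can never
    // pay out Ether that other parties left in the contract.
    function sendEther() external payable {
        // Validate against this call's own value, not address(this).balance:
        // the balance can change without any function of this contract running.
        require(msg.value == amount, "value != amount");

        // Forward the deposit and revert the whole call if delivery fails.
        (bool ok, ) = recipient.call{value: msg.value}("");
        require(ok, "transfer failed");

        emit Forwarded(msg.sender, recipient, msg.value);
    }
}
```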
