
Security: Unrestricted readContract allows unsafe or state-mutating function calls #16

@dinitheth


Issue: Unrestricted readContract Calls Allow Unsafe Execution

The readContract utility dynamically executes a user-specified function using:

contract.read[functionName](...args)

However, it does not validate:

  • Whether the function exists in the ABI
  • Whether the function is view or pure

This makes it possible for an attacker or misconfigured client to call state-mutating or even reentrant functions unintentionally — using a function that wasn't meant to be “read-only.”

Why It Matters

  • Risk: Executing a non-view/pure function on-chain when expecting read-only behavior
  • Impact: On-chain state mutation, gas costs, or unintentional contract execution
  • Security Class: Input validation / restricted call surface

Recommended Fix
Before calling a contract function, validate:

  • It exists in the ABI
  • It is explicitly marked as stateMutability: view or pure

Notes

  • Consider adding tests for invalid/mutable functions being blocked.
  • Optionally warn users when the ABI is missing or malformed.
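As an added illustration of the recommended fix (example code written for this page, not the project's own utility), the guard below looks up `functionName` in the ABI before dispatching, rejects anything that is not a function entry with `stateMutability` of `view` or `pure`, refuses to run when the ABI is missing or malformed, and checks the argument count against the ABI inputs. The `contract` object shape (an `abi` array plus a `read` map keyed by function name, called as `read[functionName](...args)` like the snippet in the issue) and the sample ABI are constructed stand-ins, so the block runs offline with no chain access.

```javascript
// Added example: validate the ABI entry before a dynamic
// contract.read[functionName](...args) dispatch.
// The ABI, error type and contract object here are constructed for
// illustration and are not the project's code.

// Constructed ABI: one view, one pure, one state-mutating function, one event.
const SAMPLE_ABI = [
  { type: "function", name: "balanceOf", stateMutability: "view",
    inputs: [{ name: "owner", type: "address" }], outputs: [{ type: "uint256" }] },
  { type: "function", name: "add", stateMutability: "pure",
    inputs: [{ type: "uint256" }, { type: "uint256" }], outputs: [{ type: "uint256" }] },
  { type: "function", name: "transfer", stateMutability: "nonpayable",
    inputs: [{ type: "address" }, { type: "uint256" }], outputs: [{ type: "bool" }] },
  { type: "event", name: "Transfer", inputs: [] },
];

// Dedicated error class so callers can distinguish a blocked call from a
// failure inside the contract binding itself.
class ReadContractError extends Error {}

// Returns the ABI entry for `functionName` when every function of that name
// is view or pure; throws otherwise. Only the ABI is consulted, so nothing
// is dispatched before the check passes.
function assertReadOnlyFunction(abi, functionName) {
  if (!Array.isArray(abi) || abi.length === 0) {
    throw new ReadContractError("ABI is missing or malformed");
  }
  const entries = abi.filter(
    (item) => item && item.type === "function" && item.name === functionName
  );
  if (entries.length === 0) {
    throw new ReadContractError(`Function "${functionName}" not found in ABI`);
  }
  // Solidity allows overloads that share a name; every overload must be read-only.
  const mutable = entries.find(
    (e) => e.stateMutability !== "view" && e.stateMutability !== "pure"
  );
  if (mutable) {
    throw new ReadContractError(
      `Function "${functionName}" is ${mutable.stateMutability ?? "unspecified"}, not view/pure`
    );
  }
  return entries[0];
}

// Guarded replacement for the unchecked contract.read[functionName](...args).
// `contract.abi` and `contract.read` are assumed to exist (constructed shape).
function safeReadContract(contract, functionName, args = []) {
  const entry = assertReadOnlyFunction(contract.abi, functionName);
  if (entry.inputs.length !== args.length) {
    throw new ReadContractError(
      `Function "${functionName}" expects ${entry.inputs.length} argument(s), got ${args.length}`
    );
  }
  const fn = contract.read[functionName];
  if (typeof fn !== "function") {
    throw new ReadContractError(`No read binding for "${functionName}"`);
  }
  return fn(...args);
}

// Constructed stand-in for a contract instance. A binding for `transfer` is
// deliberately present to show that the ABI check, not the shape of `read`,
// is what keeps the mutating function from being reached.
const fakeContract = {
  abi: SAMPLE_ABI,
  read: {
    balanceOf: (owner) => (owner === "0x01" ? 42n : 0n),
    add: (a, b) => a + b,
    transfer: () => { throw new Error("state mutation reached"); },
  },
};

// Reports outcome as a value instead of throwing, so allowed and blocked
// calls can be compared side by side.
function tryRead(contract, functionName, args) {
  try {
    return { ok: true, value: safeReadContract(contract, functionName, args) };
  } catch (err) {
    return { ok: false, error: err instanceof ReadContractError ? err.message : String(err) };
  }
}

console.log(tryRead(fakeContract, "balanceOf", ["0x01"]));   // ok, 42n
console.log(tryRead(fakeContract, "transfer", ["0x02", 1n])); // blocked: nonpayable
console.log(tryRead(fakeContract, "selfdestructAll", []));    // blocked: not in ABI
```

The check runs against the ABI the client already holds, so it adds no network round trip; a real client would also want to apply it in one place (the `readContract` entry point) rather than at each call site, which is what makes the test suggested in the notes above straightforward to write.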
