This repository has been archived by the owner on Dec 24, 2020. It is now read-only.
buyOTokens should check if the sender paid ETH #4
Labels
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The code for buying otokens using ethereum buyOtokens() does not check whether the sender sent enough eth to pay for the purchase. This would allow an attacker to drain the OptionsExchange contract of all ETH in it by calling buyOtokens() where the receiver address is the attackers address. This is not normally exploitable because the OptionsExchange contract never holds ETH during the normal operation of the smart contracts system. However, it would allow an attacker to drain any ETH that is accidentally sent to the OptionsExchange contract.(3) Low Severity: the code for buying otokens using ethereum buyOtokens() does not check whether the sender sent enough eth to pay for the purchase. This would allow an attacker to drain the OptionsExchange contract of all ETH in it by calling buyOtokens() where the receiver address is the attackers address. This is not normally exploitable because the OptionsExchange contract never holds ETH during the normal operation of the smart contracts system. However, it would allow an attacker to drain any ETH that is accidentally sent to the OptionsExchange contract.
The text was updated successfully, but these errors were encountered: