Incomplete Transaction Receipt Status Inspection
Description
A transaction receipt's status is inspected as if it proved that the transaction did what the caller intended. A status of `ReceiptStatusSuccessful` (1) only means the top-level execution did not revert: a low-level call made inside the transaction (`call`, `send`, `delegatecall`) can fail and return `false` without reverting the outer transaction, so the receipt still reads as successful even though the intended operation never happened. In addition, a receipt taken from a block that is not yet finalized can disappear in a chain reorganization. Both lead to incorrect assumptions about the transaction's success, which is especially dangerous in high-risk environments such as bridges and exchanges that credit funds based on the receipt. Review the related code to ensure the receipt's status is not used as the sole proof of success and that the transaction being inspected is in a finalized block.
Examples
Insecure Code
```go
import "github.com/ethereum/go-ethereum/core/types"

// receipt is a *types.Receipt; Status is a field, not a method
receiptStatus := receipt.Status
if receiptStatus == types.ReceiptStatusSuccessful {
	// Potential incorrect assumption about transaction success: status 1 only says the
	// top-level call did not revert; the block may still be reorged and inner calls may have failed
}
```
Secure Code
```go
import "github.com/ethereum/go-ethereum/core/types"

receiptStatus := receipt.Status
// isTransactionInFinalizedBlock is application code that compares the receipt's block
// against the node's finalized head (for example via eth_getBlockByNumber("finalized"))
if receiptStatus == types.ReceiptStatusSuccessful && isTransactionInFinalizedBlock(transaction) {
	// More accurate assessment of transaction success (still confirm the intended effect, e.g. the expected event log)
}
```
Remediation
Verify the transaction receipt's status in conjunction with other factors rather than on its own: confirm that the receipt's block is at or below the node's finalized head and is still the canonical block at that height, and confirm the intended effect independently, for example by checking the receipt's logs for the event the target contract emits on success, or by reading the relevant post-state. Treat "not yet finalized" as a retry condition, not as success or failure.
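The following is an added worked example of the layered check described above; it is not part of the rule's own snippets and does not use go-ethereum directly. The `Receipt` and `Log` structs are stand-ins whose field names mirror go-ethereum's `types.Receipt` and `types.Log` (an assumption, so the example runs without the dependency), `ChainView` is this example's own interface standing in for the `eth_getBlockByNumber("finalized")` and `eth_getBlockByNumber(n)` queries, and the contract address, event signature, block hashes and receipts in `main` are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// ReceiptStatusSuccessful mirrors go-ethereum's types.ReceiptStatusSuccessful (1).
const ReceiptStatusSuccessful uint64 = 1

// Log and Receipt are minimal stand-ins for go-ethereum's types.Log and
// types.Receipt (assumption: same field names; defined here so the example
// runs without the dependency).
type Log struct {
	Address string   // contract that emitted the event
	Topics  []string // Topics[0] is the keccak256 hash of the event signature
}

type Receipt struct {
	Status      uint64
	BlockNumber *big.Int
	BlockHash   string
	Logs        []Log
}

// ChainView is the chain state the check needs. Against a real node these map to
// eth_getBlockByNumber("finalized") and eth_getBlockByNumber(n) (assumed mapping;
// the interface itself is this example's own).
type ChainView interface {
	FinalizedNumber() *big.Int
	CanonicalHash(number *big.Int) (string, bool)
}

// ExpectedEvent is the on-chain evidence that the transaction actually did what
// the caller needed: an event emitted by a specific contract. A failing low-level
// call inside the transaction returns false without reverting, so the receipt is
// still "successful" but this event is never emitted.
type ExpectedEvent struct {
	Contract  string
	Signature string
}

var (
	ErrMissingReceipt = errors.New("receipt not found")
	ErrReverted       = errors.New("transaction reverted")
	ErrNotFinalized   = errors.New("block not yet finalized; retry later")
	ErrReorged        = errors.New("receipt block is no longer canonical")
	ErrNoEvidence     = errors.New("expected event missing from receipt logs")
)

// VerifyReceipt returns nil only when the receipt sits in a finalized, canonical
// block, the top-level execution did not revert, and the expected event is present.
// Callers should retry on ErrNotFinalized and refuse to credit on any other error.
func VerifyReceipt(chain ChainView, r *Receipt, want ExpectedEvent) error {
	if r == nil || r.BlockNumber == nil {
		return ErrMissingReceipt
	}
	// 1. Finality: a block above the finalized head can still be reorged away.
	if r.BlockNumber.Cmp(chain.FinalizedNumber()) > 0 {
		return ErrNotFinalized
	}
	// 2. Canonicality: a receipt fetched earlier may refer to a block that has
	//    since been replaced at the same height.
	hash, ok := chain.CanonicalHash(r.BlockNumber)
	if !ok || hash != r.BlockHash {
		return ErrReorged
	}
	// 3. Status: only says the outer call did not revert.
	if r.Status != ReceiptStatusSuccessful {
		return ErrReverted
	}
	// 4. Effect: look for the event the intended inner call emits on success.
	for _, l := range r.Logs {
		if l.Address == want.Contract && len(l.Topics) > 0 && l.Topics[0] == want.Signature {
			return nil
		}
	}
	return ErrNoEvidence
}

// mockChain is a constructed in-memory chain for the demo and tests.
type mockChain struct {
	finalized uint64
	hashes    map[uint64]string // canonical block hash by height
}

func (m mockChain) FinalizedNumber() *big.Int { return new(big.Int).SetUint64(m.finalized) }
func (m mockChain) CanonicalHash(n *big.Int) (string, bool) {
	h, ok := m.hashes[n.Uint64()]
	return h, ok
}

func main() {
	chain := mockChain{finalized: 100, hashes: map[uint64]string{99: "0xaa", 100: "0xbb", 101: "0xcc"}}
	want := ExpectedEvent{Contract: "0xbridge", Signature: "0xdeposit"} // constructed sample values
	logs := []Log{{Address: "0xbridge", Topics: []string{"0xdeposit"}}}
	cases := map[string]*Receipt{
		"good":        {Status: 1, BlockNumber: big.NewInt(99), BlockHash: "0xaa", Logs: logs},
		"silent-fail": {Status: 1, BlockNumber: big.NewInt(99), BlockHash: "0xaa"}, // status 1, no event
		"too-new":     {Status: 1, BlockNumber: big.NewInt(101), BlockHash: "0xcc", Logs: logs},
		"reorged":     {Status: 1, BlockNumber: big.NewInt(100), BlockHash: "0xstale", Logs: logs},
	}
	for name, r := range cases {
		fmt.Printf("%-12s -> %v\n", name, VerifyReceipt(chain, r, want))
	}
}
```

The `silent-fail` case is the one this rule targets: the receipt has status 1 because the outer call did not revert, yet the deposit event is absent, so the bridge must not credit it. Keeping finality and canonicality checks ahead of the status check matters because a receipt from a dropped block can carry any status.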
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0761 |
| Category | Blockchain |
| Severity | HIGH |
| CWE | CWE-437 |
| Confidence | LOW |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | transaction receipt, blockchain security |
| OWASP | N/A |