Custom ERC20 implementation exposes _transfer() as public
Description
The _transfer() function in a custom ERC20 implementation is declared public, so any external account can call it directly instead of going through transfer() or transferFrom(). This bypasses the caller and allowance checks those entry points enforce and can allow unauthorized token movement.
Examples
Insecure Code

```solidity
function _transfer(address recipient, uint256 amount) public { ... }
```

Secure Code

```solidity
function _transfer(address recipient, uint256 amount) internal { ... }
```

Remediation
Change the visibility of the _transfer() function to internal or private to restrict access.
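The following contract is an added illustration of the remediation and is not code from the page or from any audited project. It uses the three-argument `_transfer(from, to, amount)` form common in ERC20 implementations rather than the two-argument signature shown above, because that form makes the risk clearest: the debited account is a parameter, so the function must be reachable only through public entry points that bind `from` to `msg.sender` or to an approved allowance. The contract name, token name and symbol are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative contract (assumed names), not taken from the page or any
// audited project. Minimal ERC20-style token showing the correct visibility:
// _transfer is internal and reachable only through transfer()/transferFrom(),
// which tie the debited account to msg.sender or to an approved allowance.
contract MinimalToken {
    string public constant name = "Example";
    string public constant symbol = "EXM";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) {
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    // Public entry point: the debited account is always msg.sender.
    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    // Public entry point: spending from `from` requires a prior allowance,
    // which is decremented before the balance update.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "insufficient allowance");
        allowance[from][msg.sender] = allowed - amount;
        _transfer(from, to, amount);
        return true;
    }

    // INTERNAL: callable only from this contract and contracts that inherit it.
    // `from` is a parameter here, so this function carries no caller check of
    // its own; the checks live in transfer()/transferFrom(). Declaring it
    // public (the pattern this rule flags) would let external callers reach
    // it with an arbitrary `from`, which is why `internal` is required.
    function _transfer(address from, address to, uint256 amount) internal {
        require(to != address(0), "transfer to zero address");
        uint256 fromBalance = balanceOf[from];
        require(fromBalance >= amount, "insufficient balance");
        unchecked {
            balanceOf[from] = fromBalance - amount;
        }
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
    }
}
```

When reviewing a custom token, check every underscore-prefixed helper that updates balances or allowances: if it is declared `public` or `external`, confirm whether any address-typed parameter determines the debited account, and if so treat it as this finding regardless of the function's name.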
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0206 |
| Category | AccessControl |
| Severity | HIGH |
| CWE | CWE-284 |
| Confidence | LOW |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | erc20, smart contract |
| OWASP | N/A |
References
- https://medium.com/@Knownsec_Blockchain_Lab/creat-future-was-tragically-transferred-coins-at-will-who-is-the-mastermind-behind-the-scenes-8ad42a7af814
- https://bscscan.com/address/0x8B7218CF6Ac641382D7C723dE8aA173e98a80196