From 37b06884b26ec55fcc9bad2d6744b09dcf568006 Mon Sep 17 00:00:00 2001 From: Alex Beregszaszi Date: Tue, 12 Dec 2017 03:31:30 +0000 Subject: Correct that ether transfers _can_ always include code execution in re-entrancy example --- docs/security-considerations.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/security-considerations.rst b/docs/security-considerations.rst index 197e80e5..1e2138fa 100644 --- a/docs/security-considerations.rst +++ b/docs/security-considerations.rst @@ -69,8 +69,8 @@ complete contract): } The problem is not too serious here because of the limited gas as part -of ``send``, but it still exposes a weakness: Ether transfer always -includes code execution, so the recipient could be a contract that calls +of ``send``, but it still exposes a weakness: Ether transfer can always +include code execution, so the recipient could be a contract that calls back into ``withdraw``. This would let it get multiple refunds and basically retrieve all the Ether in the contract. In particular, the following contract will allow an attacker to refund multiple times -- cgit v1.2.3