Checks for calls to env::set_contract_storage.
Functions that pass caller-supplied variables as storage keys, without proper access control or input sanitization, can allow users to make changes in arbitrary memory locations.
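The detector only checks for the function call itself, so false positives are possible; review each finding to confirm whether the key is really caller-controlled and whether the call is guarded.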
/// Vulnerable example: stores a caller-supplied value under a caller-supplied
/// raw storage key, with no authorization check and no restriction on the key.
///
/// Nothing in this function compares the caller against an owner or limits
/// which keys are accepted, so whoever can reach it decides which storage
/// location is overwritten and with what value. It always returns `Ok(())`.
fn set_contract_storage(
    &mut self,
    user_input_key: [u8; 68],
    user_input_data: u128,
) -> Result<()> {
    // Both the key and the value come straight from the call arguments.
    let key = &user_input_key;
    let value = &user_input_data;
    env::set_contract_storage(key, value);
    Ok(())
}
Use instead:
/// Guarded version: writes `user_input_data` under `user_input_key` only when
/// the caller is the stored owner.
///
/// # Errors
///
/// Returns `Error::UserNotOwner` when `self.env().caller()` differs from
/// `self.owner`; storage is not touched in that case.
fn set_contract_storage(
    &mut self,
    user_input_key: [u8; 68],
    user_input_data: u128,
) -> Result<()> {
    // Authorize first, so an unauthorized call fails before any write.
    if self.env().caller() != self.owner {
        return Err(Error::UserNotOwner);
    }

    // NOTE(review): the key is still caller-chosen, so the owner can write to
    // any storage location. If that is broader than intended, also restrict
    // the accepted keys (e.g. an allow-list or a fixed prefix).
    env::set_contract_storage(&user_input_key, &user_input_data);
    Ok(())
}