perdiWeb3.eth

Writing an “Unhackable” Money Market 🏦 - Problem 1: Re-Entrancy - Problem 2: Input Validation - Problem 3: Rounding Errors Now follow the thread 👇 Looks like today we're building us an "unhackable bank" on the blockchain. How do we go about this exactly? Pull up a chair, grab a cold one, and let's dive into the good, the bad, and the downright ugly of securing a web3 money market. 🔴Problem 1: Re-Entrancy Picture this: Jane and Roy are a newly married couple, eager to withdraw some funds from their wedding account. Jane presses the withdraw button, and lo and behold, the balance still shows the same amount even after a withdrawal. Being the curious (and cheeky) lass she is, Jane decides to press it again. And again. Before you know it, Jane's made more withdrawals than their account actually holds. That's re-entrancy for you, folks, and it just earned Jane a trip to the courthouse. A malicious contract can call back into the vulnerable contract before the previous function execution completes, allowing multiple withdrawals of funds. Here’s a simple version of how it can go wrong in Solidity: To fix this, you need to update the state before making external calls or use a mutex: 🔴Problem 2: Input Validation Now Roy, enterprising bloke that he is, decides to make a cash deposit for his buddy John, to whom he owes money. John, being a bit clumsy with his phone, gives Roy his account number but accidentally types a few extra digits. Even though account numbers at the bank are all 12 digits, John ends up giving a 15-digit account number. Roy, trusting John’s information, types it in without a second thought and sends the money to this non-existent account. Without proper input validation, the bank's system fails to notice the mistake and accepts the money. Poof! It’s gone now, to an account that nobody can access. A classic case of lost funds due to poor input validation. To avoid such scenarios, input validation is like your best mate who always double-checks things before you make a fool of yourself. In this case, the system should give a quick once-over to make sure the account number is exactly 12 digits and actually exists before accepting the deposit. These simple checks can prevent such costly errors and keep both Roy and John from tearing their hair out and cursing their fat fingers. But even more importantly, you should probably check that the user account exists within the depositors of the bank. Otherwise, you might still send the money into the void. Here’s how we can do that with Solidity: In this code, we validate the deposit by checking if the account number is exactly 12 digits and if the account actually exists within the bank's depositors. This way, Roy and John can sleep easy knowing their funds won’t disappear into the void, and everyone can avoid a potential nightmare. 👇👇