Slither considers constructors as a taint source

[priyankabose]

contract SlitherTaintBug {

    uint count;
    constructor (uint _count) public {
        count = _count;
        
    }

    function deposit() public payable {

        uint local_count = count;
    }

    
}

If I use slither's slither.analyses.data_dependency.data_dependency.is_tainted() with local_count as the variable and contract as context. It will output true. Is that intended?

According to my understanding, constructors are deployed by a contract owner. Hence, any variable declared by arguments of constructors within a constructor is done by the owner. So, it is can not be external user-controlled. Right?

[montyly]

Hi @priyankabose,

Slither has the notion of "protected" functions for the data dependency and taint. As a result, most of the related functions take an optional parameter only_unprotected (set to False by default). If set to True, the data dependency will then only be propagated for non-protected functions.

In your example:

from slither import Slither
from slither.analyses.data_dependency.data_dependency import is_tainted

Sl = Slither("test.sol")
contract = Sl.get_contract_from_name("SlitherTaintBug")
deposit = contract.get_function_from_signature("deposit()")

for variable in deposit.variables:
    if variable.name == 'local_count':
        taint = is_tainted(variable, contract)
        taint_only_unprotected = is_tainted(variable, contract, only_unprotected=True)
        print(f'Tainted: {taint}')
        print(f'Tainted (only_unprotected): {taint_only_unprotected}')

Will output

Tainted: True
Tainted (only_unprotected): False

[priyankabose]

Thanks a lot for your reply. In what condition a function is considered to be protected in terms of slither?

[montyly]

Currently, the heuristic considers a function as protected if:

• it is the constructor
• it has an operation which is a direct comparison with msg.sender, or uses msg.sender as a call's argument

But we are looking to improve this heuristic (#401)