
DAML contract--Potential Vulnerabilities

App Development · 12 posts · 521 views · 6 likes · Last activity Aug 2021
Iqra_Mustafa (OP)
Jul 2021

I am looking for a DAML contract having at least 3-4 potential vulnerabilities for performing verification etc. Where can I find such examples?

Max
Jul 2021

Hey @Iqra_Mustafa , not quite sure I understand your question. Could you provide a description that is a bit more detailed?

Iqra_Mustafa
Jul 2021

Thanks, Max. I am looking for vulnerable DAML contracts. I tried to find them online but couldn't find any. If anyone here provides such a contract or some small data, I can possibly replicate it.

anthony
Jul 2021

Quoting Iqra_Mustafa: "3-4 potential vulnerabilities for performing verification"

Can you provide an idea of the types of vulnerabilities you’re looking for?

A lot of common "vulnerabilities" are not present in Daml Templates/Contracts because Daml Templates are strongly permissioned, typed, and Contract/Choice creation/execution is atomic (i.e. no successful race conditions).

It would be helpful to understand what types of vulnerabilities you’re wanting to test for as most Daml “vulnerabilities” would boil down to a mismatch between design and implementation rather than code not executing as expected.

Iqra_Mustafa
Jul 2021

For example, logical or runtime flaws. You can categorize them as potential errors that, if not corrected, will have a significant impact on ledgers. For instance, this example is given in the DAML documentation, but it is quite basic: What is Formal Verification and what it means for Daml
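
As an added example (not code from this thread or from the daml repository) of the design/implementation mismatch anthony describes, and of the kind of property the linked formal-verification article checks on an Iou: a Split choice that omits the precondition its design assumes, beside the corrected choice, with a Daml Script showing the difference. It assumes an SDK project with the daml-script library; the module, template and party names are made up.

```daml
module IouSplit where
import Daml.Script

-- Constructed example, not from the daml repo or this thread.
template Iou
  with
    issuer : Party
    owner  : Party
    amount : Decimal
  where
    signatory issuer
    observer owner

    -- Design intent: a split conserves value and never produces a
    -- non-positive Iou. The implementation omits the bounds check, so a
    -- splitAmount larger than amount leaves a negative remainder.
    choice SplitUnchecked : (ContractId Iou, ContractId Iou)
      with
        splitAmount : Decimal
      controller owner
      do
        a <- create this with amount = splitAmount
        b <- create this with amount = amount - splitAmount
        return (a, b)

    -- Corrected choice: the precondition states the design invariant, so
    -- the ledger rejects any split that would violate it.
    choice Split : (ContractId Iou, ContractId Iou)
      with
        splitAmount : Decimal
      controller owner
      do
        assertMsg "splitAmount must lie strictly between 0 and amount"
          (splitAmount > 0.0 && splitAmount < amount)
        a <- create this with amount = splitAmount
        b <- create this with amount = amount - splitAmount
        return (a, b)

-- Daml Script test: the unchecked choice accepts an oversized split and
-- leaves a -5.0 Iou on the ledger; the checked choice rejects it.
splitTest : Script ()
splitTest = script do
  issuer <- allocateParty "Issuer"
  owner <- allocateParty "Owner"
  iou1 <- submit issuer do createCmd Iou with issuer; owner; amount = 10.0
  (_, remainder) <- submit owner do
    exerciseCmd iou1 SplitUnchecked with splitAmount = 15.0
  iou2 <- submit issuer do createCmd Iou with issuer; owner; amount = 10.0
  submitMustFail owner do exerciseCmd iou2 Split with splitAmount = 15.0
```

Run it with `daml test` in a project that depends on daml-script; the unchecked branch succeeds, which is exactly the design-versus-implementation gap a verifier would be asked to flag.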

anthony
Jul 2021

I see. There are a few more examples of these types of flaws in the daml repo; you can find them here: daml/compiler/daml-lf-verify at main · digital-asset/daml · GitHub

Iqra_Mustafa
Jul 2021

I couldn't find it here. Haskell-related code is at this link. Can you send one example here?

cocreature
Jul 2021

There is a daml subdirectory in there, daml/compiler/daml-lf-verify/daml at main · digital-asset/daml · GitHub, which contains the Daml test cases. Keep in mind that this never got past PoC stage, so it is rather limited.

Iqra_Mustafa
Jul 2021

Is there any library for generating the control flow graph of DAML?

cocreature
Aug 2021

There is no library. The only thing that comes close is the visualizer (which is still in labs status): Visualizing Daml Contracts — Daml SDK 1.15.0 documentation. It generates graphviz dot files, for which you can find parsers for most languages.

Iqra_Mustafa
Aug 2021

Yeah, I am familiar with it. Thanks.

anthony
Aug 2021

A post was split to a new topic: How do you statically analyze a single Daml file in a project?
