DAML contract--Potential Vulnerabilities

I am looking for a DAML contract having at least 3-4 potential vulnerabilities for performing verification etc. From where I can find such examples?

1 Like

Hey @Iqra_Mustafa , not quite sure I understand your question. Could you provide a description that is a bit more detailed?

1 Like

Thanks, Max, I am looking for vulnerable DAML contracts. I try to find it online but couldn’t find it. If anyone here provides such a contract or small data, I can possibly replicate it.

1 Like

Can you provide an idea of the types of vulnerabilities you’re looking for?

A lot of common “vulnerabilities” are not present in Daml Templates/Contracts because Daml Templates are strongly permissioned, typed, and Contract/Choice creation/execution is atomic (ie. no successful race conditions).

It would be helpful to understand what types of vulnerabilities you’re wanting to test for as most Daml “vulnerabilities” would boil down to a mismatch between design and implementation rather than code not executing as expected.

For example, logical or runtime flaws. You can categorize them as potential errors that, if not corrected, will have a significant impact on ledgers. Such as this example is given in DAML documentation but it is quite basic: What is Formal Verification and what it means for Daml

1 Like

I see, there’s a few more examples of these types of flaws in the daml repo, you can find them here: daml/compiler/daml-lf-verify at main · digital-asset/daml · GitHub

I couldn’t find it here. Haskell related code is at this link. Can you send one example here

1 Like

There is a daml subdirectory in there daml/compiler/daml-lf-verify/daml at main · digital-asset/daml · GitHub which contains the Daml test cases. Keep in mind that this never got past PoC stage so it is rather limited.

1 Like

Is there any library for generating the control flow graph of DAML?

There is no library. The only thing that comes close is the visualizer (which is still in labs status) Visualizing Daml Contracts — Daml SDK 1.15.0 documentation. It generates graphviz dot files for which you can find parser for most languages.

yeah, I am familiar with it. Thanks

A post was split to a new topic: How do you statically analyze a single Daml file in a project?