Last updated: December 19, 2024
SCWE-013: Dead Code
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Send Feedback
Relationships
- CWE-561: Dead Code
CWE-561
Description: Dead code refers to sections of code that are written but never executed or used. It does not contribute to the program's logic and can increase contract complexity, introduce bugs, and waste computational resources.
Description
Dead code refers to any part of a smart contract that is written but never executed during the contract's lifecycle. This can happen for several reasons, including leftover code from previous implementations or logic that is no longer needed. Dead code unnecessarily increases contract size, making it harder to audit, maintain, and increases the gas cost for contract deployment and execution.
Key issues:
- Increased contract size: Larger contracts lead to higher deployment costs.
- Reduced clarity and maintainability: Unnecessary code can confuse developers and lead to mistakes in future code changes.
- Higher attack surface: Although dead code doesn't run, it could still be misused by attackers in case the contract's logic is altered.
- Remove unused code: Periodically clean up the codebase to ensure only necessary functions and variables remain.
- Refactor contract logic: Keep the contract logic simple and modular. If a piece of code is no longer needed, remove it completely.
- Regular audits and code reviews: Set up regular code reviews to identify and eliminate dead code as part of the contract development lifecycle.
Samples
Example of Dead Code
pragma solidity ^0.4.0;
contract DeadCodeExample {
uint public balance;
// This function allows users to deposit funds
function deposit(uint amount) public {
balance += amount;
}
// This function is never used and adds unnecessary complexity to the contract
function unusedWithdrawal() public {
// Logic that is never called
balance -= 10;
}
}
contract Test {
DeadCodeExample example;
constructor() public {
example = new DeadCodeExample();
}
// Calling the deposit function from the DeadCodeExample contract
function testDeposit() public {
example.deposit(100); // Calling the deposit function on the example contract
}
}
In this example, the function unusedWithdrawal()
in the DeadCodeExample
contract is never called or used in the code. It adds unnecessary complexity, increases contract size, and wastes computational resources.
Optimized Contract Without Dead Code
pragma solidity ^0.4.0;
contract DeadCodeExample {
uint public balance;
// This function allows users to deposit funds
function deposit(uint amount) public {
balance += amount;
}
}
contract Test {
DeadCodeExample example;
constructor() public {
example = new DeadCodeExample();
}
// Calling the deposit function from the DeadCodeExample contract
function testDeposit() public {
example.deposit(100); // Calling the deposit function on the example contract
}
}
In the optimized version, the unusedWithdrawal()
function has been removed from the DeadCodeExample
contract, reducing the size and complexity of the code and making it easier to maintain and audit.