Skip to content

Fix incorrect-modifier false positive on revert("msg") and custom-error reverts#3035

Open
MarkLee131 wants to merge 2 commits into
crytic:masterfrom
MarkLee131:fix/incorrect-modifier-revert-string
Open

Fix incorrect-modifier false positive on revert("msg") and custom-error reverts#3035
MarkLee131 wants to merge 2 commits into
crytic:masterfrom
MarkLee131:fix/incorrect-modifier-revert-string

Conversation

@MarkLee131

@MarkLee131 MarkLee131 commented May 28, 2026

Copy link
Copy Markdown

Summary

Fixes #3034:

incorrect-modifier was flagging modifiers ending in revert("msg") or revert MyError() as "does not always execute _; or revert."

Root Cause

is_revert in slither/detectors/functions/modifier.py:

def is_revert(node: Node) -> bool:
    return node.type == NodeType.THROW or any(
        ir.function.name in ["revert()", "revert(string"] for ir in node.internal_calls
    )

"revert(string" is missing the closing paren. The actual SolidityFunction.name for revert("msg") is "revert(string)" (see solidity_variables.py:55), so the membership check never matches.

Custom-error reverts are represented by SolidityCustomRevert with name = "revert " + signature. Also not in the kill set, so revert MyError() is missed too.

Fix

def is_revert(node: Node) -> bool:
    return node.type == NodeType.THROW or any(
        ir.function.name == "revert()"
        or ir.function.name == "revert(string)"
        or ir.function.name.startswith("revert ")  # SolidityCustomRevert
        for ir in node.internal_calls
    )

startswith("revert ") (trailing space) covers any SolidityCustomRevert.name, since they're all built as "revert " + signature.

Tests

Added tests/e2e/detectors/test_data/incorrect-modifier/0.8.20/modifier_revert_variants.sol. Covers revert(), revert("msg"), revert MyError(), revert MyError(args), plus one negative case that should still fire. After the fix only the negative case is reported.

The existing modifier_default.sol fixture (0.4.25 / 0.5.16 / 0.6.11 / 0.7.6) only uses bare revert(), which still matches exactly. Existing assertions unchanged.

MarkLee131 added 2 commits May 29, 2026 00:08
@MarkLee131
Fix incorrect-modifier false positive on revert("msg") and custom-err…
af5da89 
…or reverts

is_revert checked ir.function.name in ["revert()", "revert(string"], where
the second literal is missing the closing paren. The real SolidityFunction
name for revert("msg") is "revert(string)" (see solidity_variables.py:55),
so the membership check never matched. Custom-error reverts are also missed
because SolidityCustomRevert builds its name as "revert " + signature.

Switch to explicit checks for "revert()" and "revert(string)" plus a
startswith("revert ") branch that covers any SolidityCustomRevert.name.

Adds tests/e2e/detectors/test_data/incorrect-modifier/0.8.20/modifier_revert_variants.sol
covering revert(), revert("msg"), revert MyError(), revert MyError(args)
and one negative case that should still fire.
@MarkLee131
Add test snapshot and compile archive for modifier_revert_variants
2d796a7 
Generated via:
  python tests/e2e/detectors/test_detectors.py --compile
  pytest -k ModifierDefaultDetection-0.8.20-modifier_revert_variants --insta update

All 5 ModifierDefaultDetection test cases (0.4.25, 0.5.16, 0.6.11, 0.7.6,
0.8.20) pass with the fix applied.
@MarkLee131 MarkLee131 requested a review from smonicas as a code owner May 28, 2026 16:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@smonicas smonicas Awaiting requested review from smonicas smonicas is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[False-Positive]: incorrect-modifier — modifiers ending in revert("string") or custom-error revert

1 participant

@MarkLee131