Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[L-01] SmartWalletChecker can be easily bypassed #24

Open
ddimitrov22 opened this issue Jan 4, 2024 · 1 comment
Open

[L-01] SmartWalletChecker can be easily bypassed #24

ddimitrov22 opened this issue Jan 4, 2024 · 1 comment

Comments

@ddimitrov22
Copy link
Collaborator

The SmartWalletChecker::check function is used to determine if the caller is a smart contract or an EOA. It does so by checking if the extcodesize(account) == 0:

    function check(address account) external view returns (bool) {
        uint256 size;
        assembly {
            size := extcodesize(account)
        }
        return size == 0;
    }
}

However, this check can be easily bypassed if a smart contract is calling the method within its constructor. During construction time the codesize will be still 0 and the check will pass.

If you want to make sure that an EOA is calling your contract, a simple way is require(msg.sender == tx.origin). However, preventing a contract is an antipattern with security and interoperability considerations.
@wankhede04
Copy link
Contributor

fixed at d00d2ac

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wankhede04 @ddimitrov22