Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

`library::Address::isContract` check can be manipulated returning false information

x0rc1ph3r

Summary

The Address::isContract function is designed to check if a given address belongs to a smart contract. However, this function can be bypassed when called within the constructor of a contract, as the code size of a contract is zero during its construction phase. This loophole can potentially be exploited to deceive the isContract check.

Vulnerability Details

The isContract function in the Address library relies on the extcodesize assembly instruction to determine if an address has associated contract code. The function returns true if the code size at the given address is greater than zero.

Here is the relevant code from the Address library:

// SPDX-License-Identifier: GPL-2.0-or-later
pragma solidity ^0.8.13;
/**
* @dev Collection of functions related to the address type
*/
library Address {
/**
* @dev Returns true if `target` is a contract.
*/
function isContract(address target) internal view returns (bool) {
uint256 size;
assembly {
size := extcodesize(target)
}
return size > 0;
}
}

The vulnerability arises because, during the execution of a contract's constructor, the extcodesize of the contract's address is zero. Consequently, calling isContract within the constructor will incorrectly return false, even though the address belongs to a contract.

Proof of Code

contract Example {
constructor() {
require(!Address.isContract(address(this)), "Address is a contract");
// Other initialization code
}
}

In this case, the require statement will pass during construction, even though address(this) is indeed a contract.

Impact

This vulnerability can lead to several potential issues:

@> Bypassing Contract Checks: Contracts that rely on isContract to distinguish between externally owned accounts (EOAs) and contract addresses can be deceived during construction. This can lead to unexpected behavior or security vulnerabilities in protocols that depend on this check for access control or logic branching.
@> Security Risks: Attackers can exploit this behavior to bypass restrictions meant to prevent contracts from interacting with certain functions, potentially leading to unauthorized access or manipulation of the contracts state.

Tools Used

  • Manual code review

  • Solidity documentation and assembly analysis

  • Static analysis tools for additional insights

Recommended Mitigation

While there is no perfect solution to completely eliminate this issue due to the nature of contract construction in Ethereum, the following mitigations can reduce the risk:

@> Awareness and Documentation: Clearly document the limitations of the isContract function, making developers aware of its behavior during contract construction.
@> Alternative Approaches: Depending on the use case, consider alternative methods for distinguishing EOAs from contracts. For instance, use a combination of tx.origin and msg.sender checks, though this approach also has its own caveats and should be used carefully.
@> Avoiding Critical Reliance: Avoid relying on isContract for critical security decisions during contract initialization. Instead, use this check for non-critical logic or in conjunction with other security mechanisms.
@> Enhanced Checks: Implement additional logic to account for the construction phase, although this is complex and context-dependent.
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and its duplicates are invalid as admin errors/input validation/malicious intents are1 generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in READ.ME they can break certain assumption of the code based on their actions, and

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!