`Address.isContract()` checks whether the code length is > 0. However, the function will return false if it is invoked from a contract's constructor, because the contract has not been deployed yet.
The `CREATE2` opcode can be used to deterministically calculate the address of a smart contract before it is created. This means that users can bypass this check by calling this function before deploying the contract.
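The constructor-time behaviour described above, as an added example that is not part of the original submission or the Tadle code base. `CodeCheck`, `Guarded` and `Caller` are hypothetical names, and the check is assumed to be a plain code-length comparison:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed example: mirrors a code-length check like Address.isContract().
library CodeCheck {
    function isContract(address account) internal view returns (bool) {
        return account.code.length > 0;
    }
}

/// Hypothetical contract that records what the check reports about each caller.
contract Guarded {
    mapping(address => bool) public called;
    mapping(address => bool) public seenAsContract;

    function ping() external {
        called[msg.sender] = true;
        seenAsContract[msg.sender] = CodeCheck.isContract(msg.sender);
    }
}

/// Hypothetical caller: pings once during construction, and again on request.
contract Caller {
    Guarded private immutable guarded;
    bool public resultDuringConstructor;

    constructor(Guarded g) {
        guarded = g;
        // Runtime code is only stored when the constructor returns,
        // so address(this).code.length is still 0 at this point.
        g.ping();
        resultDuringConstructor = g.seenAsContract(address(this));
    }

    function pingAgain() external returns (bool) {
        // The contract is deployed now, so the same check reports true.
        guarded.ping();
        return guarded.seenAsContract(address(this));
    }
}
```

After deploying `Guarded` and then `Caller`, `resultDuringConstructor` reads `false` while `pingAgain()` returns `true` for the same address, which is why a code-length check cannot classify its caller reliably.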
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/libraries/Address.sol
To get more details about the issue
An attacker could bypass these restrictions by calling from their constructor.
Manual Review
It is generally not recommended to require that an address be a contract.
The following issues and their duplicates are invalid as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally, admins are trusted as noted in READ.ME they can break certain assumption of the code based on their actions, and