If a contract does not verify that an external address is a valid contract, it may perform operations under the incorrect assumption that the contract exists, risking failed calls.
Game
What assumptions can be false?
// SPDX-License-Identifier: MIT
// Open me in VSCode and really think before opening the hints!
// Add @audit tags wherever suspicious
// Go to the solidity docs to complete missing knowledge of what's happening here
// Solve by drafting a fix!
pragma solidity ^0.8.0;

interface IExternalContract {
    function performAction() external;
}

contract ExistenceAssumptionGame {
    address public externalContractAddress;

    constructor(address _externalContractAddress) {
        externalContractAddress = _externalContractAddress;
    }

    // Function that assumes the address is a valid contract and calls a function on it
    function executeAction() public {
        IExternalContract(externalContractAddress).performAction();
    }
}
Consider how you might confirm that an address actually points to a contract before attempting to call a function on it.
Solidity provides certain tools to help verify contract existence.
Checking if code exists at externalContractAddress can help determine if the address points to a contract or an EOA.
function executeAction() public {
    require(isContract(externalContractAddress), "Address is not a contract"); // Fix: Check if address is a contract
    IExternalContract(externalContractAddress).performAction();
}

// New function
function isContract(address addr) internal view returns (bool) {
    uint256 size;
    assembly { size := extcodesize(addr) }
    return size > 0;
}
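The same existence check matters most for low-level calls, a case that goes beyond the high-level call in the challenge: `address.call` returns success for an address with no code, so nothing reverts. The contract below is an added example, not part of the original challenge; `LowLevelExistenceDemo`, `callUnchecked`, `callChecked` and `_hasCode` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not part of the original challenge.
// Contract and function names are hypothetical.
contract LowLevelExistenceDemo {
    // Weak: if `target` has no code (an EOA or an empty address), the EVM
    // call still succeeds, so `ok` is true and the caller believes
    // performAction() ran even though nothing executed.
    function callUnchecked(address target) external returns (bool ok) {
        (ok, ) = target.call(abi.encodeWithSignature("performAction()"));
    }

    // Hardened: confirm code exists immediately before the call, then
    // check the success flag so a revert in the target is not ignored.
    function callChecked(address target) external {
        require(_hasCode(target), "Address is not a contract");
        (bool ok, ) = target.call(abi.encodeWithSignature("performAction()"));
        require(ok, "performAction() failed");
    }

    // Same extcodesize test as the fix above.
    function _hasCode(address addr) internal view returns (bool) {
        uint256 size;
        assembly { size := extcodesize(addr) }
        return size > 0;
    }
}
```

`extcodesize` is also 0 while a contract's constructor is still running, so the check shows that code exists at call time and is not a way to tell contracts from EOAs for access control.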