Contracts can be forced to receive ether

In certain circumstances, contracts can be forced to receive ether without triggering any of their code. Contract developers should take this into account to avoid breaking important invariants in their code.

Attack Scenario

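An attacker can use a specially crafted contract to forcefully send ether using suicide / selfdestruct:

contract Sender {
  // Accepts ether with the call, then destroys this contract; its whole
  // balance is sent to target without running any of target's code.
  function receive_and_suicide(address target) payable {
    suicide(target);
  }
}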

Example

  • The MyAdvancedToken contract in coin.sol is vulnerable to this attack. It prevents the owner from performing the migration of the contract.

Mitigations

There is no way to block the reception of ether. The only mitigation is to avoid making assumptions about how the contract's balance increases and to implement checks that handle this type of edge case.
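
The mitigation above, shown as an added example that is not code from this repository: a contract whose invariant depends on address(this).balance, next to a version that tracks deposits in its own counter. All contract and function names are hypothetical, and Solidity ^0.8.0 is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example: every contract and function name is hypothetical.

// Fragile: assumes only deposit() can change address(this).balance.
contract FragileSale {
    uint256 public constant GOAL = 10 ether;
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function deposit() external payable {
        // msg.value is already included in the balance here.
        require(address(this).balance <= GOAL, "goal exceeded");
    }

    function finalize() external {
        require(msg.sender == owner, "not owner");
        // Ether forced in after the goal is reached pushes the balance
        // past GOAL: this check and deposit() then revert permanently.
        require(address(this).balance == GOAL, "goal not met");
        payable(owner).transfer(address(this).balance);
    }
}

// Hardened: invariants use an internal counter, never the raw balance.
contract TrackedSale {
    uint256 public constant GOAL = 10 ether;
    address public immutable owner;
    uint256 public deposited; // ether received through deposit() only

    constructor() { owner = msg.sender; }

    function deposit() external payable {
        require(deposited + msg.value <= GOAL, "goal exceeded");
        deposited += msg.value;
    }

    function finalize() external {
        require(msg.sender == owner, "not owner");
        require(deposited == GOAL, "goal not met");
        deposited = 0;
        // Forced ether only makes the balance exceed the tracked amount;
        // it is swept to the owner instead of blocking the call.
        (bool ok, ) = payable(owner).call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}
```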
