43.Hiding Malicious Code with External Contract
2023-07-16 15:13:36 # 00.security

Hiding Malicious Code with External Contract

In Solidity any address can be casted into specific contract, even if the contract at the address is not the one being casted.

This can be exploited to hide malicious code. Let’s see how.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/*
Let's say Alice can see the code of Foo and Bar but not Mal.
It is obvious to Alice that Foo.callBar() executes the code inside Bar.log().
However Eve deploys Foo with the address of Mal, so that calling Foo.callBar()
will actually execute the code at Mal.
*/

/*
1. Eve deploys Mal
2. Eve deploys Foo with the address of Mal
3. Alice calls Foo.callBar() after reading the code and judging that it is
safe to call.
4. Although Alice expected Bar.log() to be execute, Mal.log() was executed.
*/

contract Foo {
Bar bar;

constructor(address _bar) {
bar = Bar(_bar);
}

function callBar() public {
bar.log();
}
}

contract Bar {
event Log(string message);

function log() public {
emit Log("Bar was called");
}
}

// This code is hidden in a separate file
contract Mal {
event Log(string message);

// function () external {
// emit Log("Mal was called");
// }

// Actually we can execute the same exploit even if this function does
// not exist by using the fallback
function log() public {
emit Log("Mal was called");
}
}

Remediation

  • Initialize a new contract inside the constructor
  • Make the address of external contract public so that the code of the external contract can be reviewed
1
2
3
4
5
Bar public bar;

constructor() public {
bar = new Bar();
}
Prev
2023-07-16 15:13:36 # 00.security
Next