Uno-Re / unore-uno-dao


[L-01] `SmartWalletChecker` can be easily bypassed #24

Open ddimitrov22 opened 10 months ago

ddimitrov22 commented 10 months ago

The SmartWalletChecker::check function is used to determine if the caller is a smart contract or an EOA. It does so by checking if the extcodesize(account) == 0:

    pragma solidity ^0.8.0;

    contract SmartWalletChecker {
        // Returns true when `account` has no runtime bytecode, which the
        // contract takes to mean the account is an EOA.
        function check(address account) external view returns (bool) {
            uint256 size;
            assembly {
                size := extcodesize(account)
            }
            return size == 0;
        }
    }

However, this check can be easily bypassed if a smart contract is calling the method within its constructor. During construction time the codesize will still be 0 and the check will pass.

If you want to make sure that an EOA is calling your contract, a simple way is require(msg.sender == tx.origin). However, preventing a contract is an antipattern with security and interoperability considerations.
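The two gates side by side, as an added example that is not code from the Uno-Re repository: the `extcodesize` checker quoted above guarding a function, the same function guarded by the suggested `msg.sender == tx.origin` check, and a probe whose constructor records which gate admits a contract under construction. Contract and function names other than `SmartWalletChecker.check` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added example; names other than SmartWalletChecker.check are assumed.

contract SmartWalletChecker {
    function check(address account) external view returns (bool) {
        uint256 size;
        assembly {
            size := extcodesize(account)
        }
        return size == 0;
    }
}

// Gate that trusts the code-size checker.
contract GuardedByCodeSize {
    SmartWalletChecker public immutable checker;
    uint256 public eoaCalls;
    constructor(SmartWalletChecker c) { checker = c; }
    function onlyForEOA() external {
        require(checker.check(msg.sender), "contract caller");
        eoaCalls++;
    }
}

// Gate using the issue's suggestion. Only an EOA can satisfy it,
// but it also rejects every multisig and smart wallet (the caveat
// in the issue), so use it only when that is the intended policy.
contract GuardedByOrigin {
    uint256 public eoaCalls;
    function onlyForEOA() external {
        require(msg.sender == tx.origin, "contract caller");
        eoaCalls++;
    }
}

// Regression probe: during its own constructor extcodesize(this) is
// still 0, so the code-size gate admits it while the origin gate does
// not. Deploy it once against both gates to confirm the fix holds.
contract ConstructionProbe {
    bool public codeSizeGateAdmitted;  // expected: true
    bool public originGateAdmitted;    // expected: false
    constructor(GuardedByCodeSize a, GuardedByOrigin b) {
        try a.onlyForEOA() { codeSizeGateAdmitted = true; } catch {}
        try b.onlyForEOA() { originGateAdmitted = true; } catch {}
    }
}
```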

wankhede04 commented 9 months ago

fixed at d00d2accd2894130343a0149a17c8522a784ce55