Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/utils/CommonUtils.sol#L48-L55
Vulnerability details
Impact
Using isContract to distinguish between externally owned accounts (EOAs) and contracts is not reliable. The helper reads extcodesize, which is zero for a contract that is still executing its constructor and zero for an address that has no code yet but will receive some later (for example a CREATE2 address whose deployment is pending). A contract can therefore pass as an EOA simply by making its call from its constructor, and an address classified as an EOA at one point in a transaction can be a contract once the transaction completes. OpenZeppelin deprecated Address.isContract (and dropped it in Contracts v5.0) for exactly these reasons. For security and accuracy, a check that does not depend on code size should be used wherever the distinction matters, rather than relying on this outdated and unreliable heuristic.
Tools Used
Manual review.
Recommended Mitigation Steps
Check that msg.sender == tx.origin instead. A contract can never satisfy this for a call it initiates, including a call made from its constructor, so the check holds exactly where the extcodesize check fails. Two caveats: it also rejects legitimate smart-contract wallets (ERC-4337 accounts), and since EIP-7702 an EOA may execute delegated code while msg.sender == tx.origin still holds, so the check proves only that the caller originated the transaction, not that no contract code is running.
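The following Foundry test is an added illustration, not Karak's code and not part of the original report. It shows a hypothetical gate built on the extcodesize pattern being passed by a call from a constructor, and the same gate built on msg.sender == tx.origin rejecting that call. Contract and function names (CodeSizeGate, OriginGate, ConstructorCaller) are invented for the example; it assumes a Foundry project with forge-std available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

/// Hypothetical gate using the code-size heuristic this finding is about.
contract CodeSizeGate {
    uint256 public calls;

    function isContract(address account) internal view returns (bool) {
        // Equivalent to extcodesize(account) > 0.
        return account.code.length > 0;
    }

    function onlyEOAByCodeSize() external {
        require(!isContract(msg.sender), "contracts not allowed");
        calls += 1;
    }
}

/// Same gate using the msg.sender == tx.origin check recommended above.
contract OriginGate {
    uint256 public calls;

    function onlyEOAByOrigin() external {
        require(msg.sender == tx.origin, "contracts not allowed");
        calls += 1;
    }
}

/// Bypass attempt: call both gates while this contract's code size is still 0,
/// i.e. from inside its own constructor.
contract ConstructorCaller {
    bool public codeSizeGatePassed;
    bool public originGatePassed;

    constructor(CodeSizeGate a, OriginGate b) {
        // During construction extcodesize(address(this)) == 0, so the
        // code-size gate sees what looks like an EOA.
        try a.onlyEOAByCodeSize() { codeSizeGatePassed = true; } catch {}
        // msg.sender is this contract, tx.origin is the deploying EOA,
        // so the origin gate reverts and the catch branch runs.
        try b.onlyEOAByOrigin() { originGatePassed = true; } catch {}
    }
}

contract GateTest is Test {
    function testConstructorBypassesCodeSizeCheckOnly() public {
        CodeSizeGate a = new CodeSizeGate();
        OriginGate b = new OriginGate();
        ConstructorCaller c = new ConstructorCaller(a, b);

        assertTrue(c.codeSizeGatePassed());  // extcodesize check bypassed
        assertFalse(c.originGatePassed());   // tx.origin check holds
        assertEq(a.calls(), 1);
        assertEq(b.calls(), 0);
    }
}
```

Run with forge test. The test contract deploys ConstructorCaller, so inside the constructor tx.origin is Foundry's default sender while msg.sender at the gates is the half-constructed ConstructorCaller; that is the same situation a real attacker contract creates on-chain.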
Assessed type
Error