Smart Contract Security: 2. Bypassing EOA Check

Jul 25, 2023#Web3 #Blockchain #NFT #DeFi #DAO #DApp #区块链 #區塊鏈 #加密货币 #DeGame #链游 #Crypto #比特币 #以太坊 #Ethereum #合约开发348

AI Translation

This post is translated from Chinese into English through AI.View Original

AI-generated summary

The article discusses the concept of bypassing EOA (Externally Owned Account) checks in DeFi contracts. Many DeFi contracts only allow EOA addresses to perform critical operations, and contract addresses cannot be called. This is achieved by checking the msg.sender. However, attackers can bypass this check by forging the msg.sender as an EOA address in their malicious contract using methods like EOS or delegatecall. To prevent bypassing EOA checks, several methods are suggested. Firstly, not only should msg.sender be checked, but also tx.origin should be checked to ensure that the caller is an EOA. Secondly, a recordedEOA should be used, which is set on the user's first call and enforced for subsequent calls. Thirdly, EOA checks should be performed in secure interface contracts, where users can only interact with the contract through this interface. Lastly, using audited security libraries like OpenZeppelin's EOAChecker is recommended. The code example provided demonstrates these concepts. It includes checking tx.origin in addition to msg.sender, recording the user's EOA on the first call, and enforcing that only the recorded EOA can call the criticalFunc.

What is bypassing EOA check?

Many DeFi contracts only allow Externally Owned Accounts (EOA) to perform critical operations. Contract addresses cannot be called. This is achieved by checking msg.sender. However, attackers can bypass this check by spoofing msg.sender as an EOA address in their malicious contract using EOS or delegatecall.

Methods to prevent bypassing EOA check:

Check not only msg.sender but also tx.origin to ensure the caller is an EOA.
Use a state variable to record the EOA on the user's first call and enforce the use of recordedEOA for subsequent calls.
Perform EOA checks in secure interface contracts, where users can only call through this interface contract.
Use audited security libraries like OpenZeppelin's EOAChecker.

Code example:

// Also check tx.origin
require(msg.sender == tx.origin, "Not EOA");

// Record EOA on first call
address public userEOA; 

function initEOA() external {
  require(userEOA == address(0), "Already initialized");
  userEOA = msg.sender;
}

function criticalFunc() external {
  require(msg.sender == userEOA, "Only EOA can call");
  
  // Function logic
}