Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't assume contracts are created with zero balance #61

Closed
SergioDemianLerner opened this issue Sep 19, 2016 · 5 comments
Closed

Don't assume contracts are created with zero balance #61

SergioDemianLerner opened this issue Sep 19, 2016 · 5 comments

Comments

@SergioDemianLerner
Copy link

SergioDemianLerner commented Sep 19, 2016
edited

Contract developers may assume a newly created contract has zero balance. For example,developers may write asserts on different parts of the code that check that the contract balance equals an internal field such as expectedBalance, which is updated on every incoming/outgoing payment.

In Ethereum contract addresses can be guessed: they are built using the source address and source nonce hashed. Therefore an attacker can predict the a contract address that is to be created and send before a tiny amount of ether the that address, pre-creating an account (without any code) with the same address. The attacker has no control over it, so the account nonce will be always zero. When the contract is actually created by the authentic source, the pre-existing balance will not be destroyed: the contract will be created with a pre-existent non-zero balance. Therefore a contract cannot assume the balance is zero upon creation.
@simondlr
Copy link
Contributor

Excellent edge case @SergioDemianLerner.

Thanks for the find. We will add this.

@ethers ethers closed this as completed in 6a7b382 Nov 15, 2016
@lherbeur
Copy link

lherbeur commented May 7, 2017

@SergioDemianLerner ...Does it mean if the authentic user tries creating the contract, the already existing one is used or how does the pre-creation affect the new creation? If indeed the attacker's pre-created contract is used and has control over the "contract created" by the real user, does that mean only the attacker would then have access over the contract and it's funds, which would have been updated by the authentic user?

@ethers
Copy link
Contributor

ethers commented May 9, 2017

pre-creating an account (without any code)

@lherbeur an account (no code) is what's pre-created. This advice is even in the case where someone sends ether to an accidental address, which happens to be the address that your new contract would be deployed to.

@mathcrypto
Copy link

Can we create a contract with pre existing balance and it will not refer to the addresse which created it. Annonimize the creator

@mathcrypto
Copy link

and also, will this balance be used by the owner of the contract or it will stay blocked if it came from someone else?

brakmic added a commit to brakmic/BlockchainStore that referenced this issue Jun 25, 2017
@brakmic
don't assume balance == 0, ref: Consensys/smart-contract-best-practic…
321e4fe 
…es#61
loredanacirstea added a commit to raiden-network/raiden-token that referenced this issue Aug 2, 2017
@loredanacirstea
Add auction contract requirements
aa7c06c 
`require(this.balance == 0);` is addressing any possibility of this happening: Consensys/smart-contract-best-practices#61
@srisankethu srisankethu mentioned this issue Nov 29, 2018
Closed
devninja309 added a commit to devninja309/smart-contract-best-practices that referenced this issue Jun 4, 2022
@devninja309
Don't assume contracts are created with zero balance
3157475 
Fix #61 Consensys/smart-contract-best-practices#61

Thanks @SergioDemianLerner
SepehrSameni pushed a commit to SepehrSameni/smart-contract-best-practices that referenced this issue Oct 19, 2022
@ethers
Don't assume contracts are created with zero balance
f5efa4f 
Fix #61 Consensys/smart-contract-best-practices#61

Thanks @SergioDemianLerner
darrylcharlton54 added a commit to darrylcharlton54/best-practices-smart-contract that referenced this issue Nov 8, 2022
@darrylcharlton54
Don't assume contracts are created with zero balance
fd79412 
Fix #61 Consensys/smart-contract-best-practices#61

Thanks @SergioDemianLerner
onlinedev0808 added a commit to onlinedev0808/-smart-contract-best-practices that referenced this issue Feb 20, 2023
@onlinedev0808
Don't assume contracts are created with zero balance
4830b95 
Fix #61 Consensys/smart-contract-best-practices#61

Thanks @SergioDemianLerner
FPLeader added a commit to FPLeader/smart-contract-practices that referenced this issue Sep 12, 2023
@FPLeader
Don't assume contracts are created with zero balance
6ad5414 
Fix #61 Consensys/smart-contract-best-practices#61

Thanks @SergioDemianLerner
GreyRabbitty added a commit to GreyRabbitty/smart-contract-practice-best that referenced this issue Sep 19, 2023
@GreyRabbitty
Don't assume contracts are created with zero balance
3bb74a8 
Fix #61 Consensys/smart-contract-best-practices#61

Thanks @SergioDemianLerner
matiaszhang added a commit to matiaszhang/smart_contract_challenge that referenced this issue Sep 20, 2023
@matiaszhang
Don't assume contracts are created with zero balance
81d9c9b 
Fix #61 Consensys/smart-contract-best-practices#61

Thanks @SergioDemianLerner
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@simondlr @SergioDemianLerner @lherbeur @ethers @mathcrypto