HACK ANALYSIS

Distinguishing EOA and Smart Contracts Securely

Ethereum accounts can be of two types:
i) Externally owned account (EOA)
ii) Smart contract.

What is the difference between EOA and Smart contracts?

  • EOAs are wallet accounts owned and controlled by users through their private keys, whereas smart contracts are separate accounts deployed on the Ethereum network whose behaviour is controlled entirely by their contract code.
  • Creating an EOA costs nothing (it is just a key pair), but deploying a smart contract costs gas, because the contract code and its storage occupy space on the network.
  • An EOA has no code associated with it, and its owner can initiate and sign transactions. In contrast, a smart contract has code and associated storage, and that code runs every time a transaction or call is made to one of its functions; a contract cannot initiate a transaction on its own.

What is EXTCODESIZE?
While developing in Solidity, in some specific cases it becomes essential to know whether the address you are interacting with is an externally owned account (EOA) or another smart contract.

To help with this distinction, the EVM provides an opcode called EXTCODESIZE, which Solidity exposes in inline assembly as extcodesize(addr).

EXTCODESIZE returns the size, in bytes, of the code stored at an account's address (in Solidity 0.8.0 and later the same value is also available as addr.code.length). The check is usually wrapped in a helper function, as shown below.

If there is code at the address, the function returns true (the address currently holds a contract); if the code size is 0, as it is for an EOA, it returns false:

// Returns true if `addr` currently has code deployed at it, false otherwise.
// `internal view` is required for this to compile on current Solidity versions.
function isContract(address addr) internal view returns (bool) {
    uint256 size;
    // extcodesize is the EXTCODESIZE opcode: number of bytes of code at `addr`
    assembly { size := extcodesize(addr) }
    return size > 0;
}

Security edge-case of checking EOA with EXTCODESIZE
Now that we understand how to use the EXTCODESIZE opcode to determine the size of the code stored at an address, it is crucial to note that this strategy is weak and can be bypassed in the specific scenario described below.
If a contract calls your function from inside its constructor, EXTCODESIZE on msg.sender returns 0, because a contract's runtime code is only stored at its address once the constructor has finished executing. A check of the form `!isContract(msg.sender)` therefore passes for the caller even though it is a smart contract and not an EOA, and any "EOA only" logic that relies on it can be bypassed by simply deploying a contract whose constructor makes the call. In other words, a code size of 0 only proves that no code is stored at the address right now, not that the address is an EOA.

Recommendations
If your goal is to prevent other contracts from calling your contract, it is recommended to combine the extcodesize check with a check that tx.origin == msg.sender. A contract can never be tx.origin, so a call relayed through a contract, including one made from a constructor, fails this second check. Both methods have consequences that must be thought about: the extcodesize check alone is bypassable as shown above, and the tx.origin check rejects all smart-contract wallets and multisigs, which are legitimate users of many protocols.
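The following is an added example, not code from the original article, showing the constructor bypass described above and the recommended hardening side by side. It assumes two hypothetical contracts: OnlyHumans, which exposes a weak EXTCODESIZE-only gate and a hardened gate that also requires tx.origin == msg.sender, and ConstructorCaller, which calls both gates from its constructor and records the outcome.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Target contract that wants to admit only EOAs (hypothetical, for illustration).
contract OnlyHumans {
    mapping(address => bool) public claimed;
    uint256 public claims;

    // Same helper as in the article: true if code is stored at `addr` right now.
    function isContract(address addr) internal view returns (bool) {
        uint256 size;
        assembly { size := extcodesize(addr) }
        return size > 0;
    }

    // Weak gate: relies solely on EXTCODESIZE of msg.sender.
    function claimWeak() external {
        require(!isContract(msg.sender), "contracts not allowed");
        require(!claimed[msg.sender], "already claimed");
        claimed[msg.sender] = true;
        claims += 1;
    }

    // Hardened gate: additionally require that the transaction was sent
    // directly by the caller. tx.origin is always an EOA, so any call relayed
    // through a contract (constructor or not) fails this check.
    function claimHardened() external {
        require(!isContract(msg.sender), "contracts not allowed");
        require(tx.origin == msg.sender, "must be called directly by an EOA");
        require(!claimed[msg.sender], "already claimed");
        claimed[msg.sender] = true;
        claims += 1;
    }
}

/// Caller that invokes the target from its constructor, while its own
/// runtime code has not yet been stored, so extcodesize(address(this)) == 0.
contract ConstructorCaller {
    uint256 public sizeDuringConstruction;
    bool public weakSucceeded;
    bool public hardenedSucceeded;

    constructor(OnlyHumans target) {
        uint256 size;
        address self = address(this);
        assembly { size := extcodesize(self) }
        sizeDuringConstruction = size; // 0 at this point

        // Passes: the weak gate sees code size 0 and treats us as an EOA.
        try target.claimWeak() {
            weakSucceeded = true;
        } catch {
            weakSucceeded = false;
        }

        // Reverts: msg.sender is this contract, tx.origin is the deploying EOA.
        try target.claimHardened() {
            hardenedSucceeded = true;
        } catch {
            hardenedSucceeded = false;
        }
    }
}
```

Deploy OnlyHumans, then deploy ConstructorCaller with the OnlyHumans address from an ordinary EOA. Afterwards sizeDuringConstruction() reads 0, weakSucceeded() reads true (the EXTCODESIZE-only check was bypassed) and hardenedSucceeded() reads false (the tx.origin check rejected the contract caller). Note that the hardened gate would equally reject a multisig or smart-contract wallet, which is the trade-off mentioned above.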
Our cloud-based smart contract security scanner SolidityScan can automatically find vulnerabilities related to insecure EXTCODESIZE checks.

Conclusion:
In this article, we talked about EXTCODESIZE, how it is used and where it falls short from a security point of view. Using this inline assembly feature, we can check whether an account currently has code. When employing it as a gate for contract interaction, it is crucial to remember that it returns 0 for a contract that is still in its constructor, and to take that weakness into account.

You can rely on SolidityScan to ensure that the proper steps are taken to achieve the highest level of smart contract security. Signup for a free trial https://solidityscan.com/signup