Security Implications of selfdestruct() in Solidity — Part 1
What is selfdestruct() in Solidity?
Contracts can be deleted from the blockchain by calling selfdestruct. It is used to destroy a contract and transfer the remaining funds to the address specified while calling the function.
Why is selfdestruct() used?
There are many use cases for selfdestruct function like:
- In case of an ongoing attack on the contract by an external attacker that endangers the funds, the owner or the contract deployer having the necessary access controls can selfdestruct the contract and transfer all the remaining funds to a secure address.
- Developers use selfdestruct to destroy the old contract when migrating to a new contract, so that users don’t interact with the older contract by mistake.
Security Threats of selfdestruct:
1. A user or an attacker can mistakenly or intentionally kill the contract.
2. An attacker can use selfdestruct to force Ether into a contract (a forced transaction the receiving contract cannot refuse).
Hence such functions need to be protected and carefully implemented.
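The second threat is easy to miss in review, so here is an added illustration of the defensive side (this is example code written for this article, not code from the original post; the contract and variable names are illustrative). Ether delivered through selfdestruct never runs the recipient's receive() or fallback(), so any logic that assumes address(this).balance always equals the contract's own bookkeeping can be broken permanently:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: a contract whose internal accounting can drift from the real
// balance because selfdestruct can push Ether in without calling receive().
contract BalanceInvariant {
    uint256 public totalDeposits; // what the contract believes it holds

    // Normal deposits are recorded here; forced Ether bypasses this entirely.
    receive() external payable {
        totalDeposits += msg.value;
    }

    // Fragile pattern: once a single extra wei is forced in, this check
    // fails for good and any function guarded by it is bricked.
    function checkStrict() external view returns (bool) {
        return address(this).balance == totalDeposits;
    }

    // Robust pattern: rely on storage accounting for business logic and treat
    // anything above it as an unaccounted-for surplus rather than an error.
    function surplus() external view returns (uint256) {
        return address(this).balance - totalDeposits;
    }
}
```

The practical rule is to never use `address(this).balance` as a strict equality invariant; use it only for sweeping or reporting, and drive withdrawals and limits from state the contract itself updates.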
Case Scenario:
1. Unprotected selfdestruct function
If a selfdestruct function is unprotected, i.e. it is missing access controls, a malicious user could destroy the contract and, if they can also control the address input, drain all the funds to their own account.
Example:
Notice that the selfDestruct function is public, so any user can call it and supply their own address to withdraw all the funds from the contract.

```solidity
// Vulnerable: public, no access control, and the caller chooses the recipient
function selfDestruct(address adr) public {
    selfdestruct(payable(adr));
}
```
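For comparison, here is the same destroy function with the two problems fixed: only the owner can trigger it, and the recipient is fixed at deployment instead of being chosen by the caller. This is an added example for this article, not code from the original post; the contract, variable and event names are illustrative. One caveat worth knowing when reading old write-ups like this one: since EIP-6780 (the Cancun upgrade), selfdestruct called outside the contract's creation transaction only transfers the balance and no longer removes the code, so the access-control concern is now about who can move the funds rather than about deleting the contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: a protected destroy function. Only the deployer can call it
// and the funds can only go to an address fixed at deployment time.
contract ProtectedKill {
    address public immutable owner;
    address payable public immutable treasury; // recipient is not caller-controlled

    // Gives monitoring something concrete to alert on.
    event Destroyed(address indexed by, address indexed to, uint256 amount);

    constructor(address payable _treasury) {
        require(_treasury != address(0), "treasury is zero address");
        owner = msg.sender;
        treasury = _treasury;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    receive() external payable {}

    // Access-controlled, fixed destination, logged. Compare with the public
    // selfDestruct(address) function in the vulnerable snippet above.
    function destroy() external onlyOwner {
        emit Destroyed(msg.sender, treasury, address(this).balance);
        selfdestruct(treasury);
    }
}
```

In a review, check three things for every selfdestruct call: who can reach it (a modifier such as onlyOwner, or a multisig/timelock for high-value contracts), whether the recipient is attacker-influenced, and whether the call is observable on-chain so an unexpected destruction shows up in monitoring.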
The Parity hack!
In 2017, the Parity library was compromised due to an access control issue allowing the attacker to become the owner of the library contract and therefore having access to call the selfdestruct function.
This action blocked funds in 587 wallets holding a total of 513,774.16 Ether (~1,019,666,706 USD) as well as additional tokens.
Our cloud-based smart contract security scanner SolidityScan detects unprotected selfdestruct functions, and flags any use of selfdestruct, inside a contract.

We will be writing the 2nd part of this blog very soon. Please follow/subscribe to get instant alerts.