Who called my contract?

At the time of writing, there is no secure way of knowing whether a contract was called by another contract or by an Externally Owned Account (EOA). There have been two ways of checking, but both of them are easily hackable, and I will discuss each of them below.


    // Returns true if code is stored at _addr.
    function isContract(address _addr) private view returns (bool) {
        uint32 size;
        assembly {
            size := extcodesize(_addr)
        }
        return (size > 0);
    }
Taken from: https://ethereum.stackexchange.com/questions/15641/how-does-a-contract-find-out-if-another-address-is-a-contract

As the Stack Exchange answer already mentions, this way is not secure because during construction time the code size at the contract's address is still 0, and there are many articles describing the exploit in detail. (Check references below.)


While many websites say that the second way, comparing tx.origin with msg.sender, is secure, it's not, and the only resource I found saying it's not secure is this Reddit comment. Let's dive into how this can be exploited.

tx.origin refers to the originator of the transaction, that is, the Externally Owned Account (EOA).

msg.sender refers to the immediate caller; it can be a contract or an EOA.

The whole point of this check is to ensure that whoever called this contract was an EOA, and this would be correct if it wasn’t for DELEGATECALL.

DELEGATECALL is an opcode that delegates the call to the specified contract's code while passing along the same msg.sender and msg.value. This means that when your contract does this check:

require(tx.origin == msg.sender);

This check will pass, as tx.origin is the EOA and so is msg.sender, since the call was delegated.

The easiest way to test this is with a Proxy contract: in Remix, use the “At Address” option with the address of the Proxy and the interface of the other contract.
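A small Remix harness for observing both checks discussed above, as an added example that is not code from the article; the contract and function names are hypothetical, and Solidity 0.8 is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not from the article. All names are hypothetical.
contract Guarded {
    uint256 public codeSizePasses; // slot 0
    uint256 public originPasses;   // slot 1

    // Method 1: treat the caller as an EOA if no code is stored at its address.
    function onlyEoaByCodeSize() external {
        address sender = msg.sender;
        uint256 size;
        assembly {
            size := extcodesize(sender)
        }
        require(size == 0, "caller has code");
        codeSizePasses += 1;
    }

    // Method 2: treat the caller as an EOA if it is also the tx originator.
    function onlyEoaByOrigin() external {
        require(tx.origin == msg.sender, "caller is not tx.origin");
        originPasses += 1;
    }
}

// A contract's code is stored only after its constructor returns, so during
// this call extcodesize(msg.sender) is 0 and method 1 accepts a contract.
contract ConstructorProbe {
    constructor(Guarded g) {
        g.onlyEoaByCodeSize();
    }
}

// DELEGATECALL runs Guarded's code with the EOA still as msg.sender, so
// method 2 passes. The code executes against this proxy's storage: the
// originPasses counter is written to the proxy's slot 1, not to Guarded.
contract Proxy {
    address private immutable impl; // immutable: occupies no storage slot
    constructor(address _impl) {
        impl = _impl;
    }

    fallback(bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = impl.delegatecall(data);
        require(ok, "delegatecall reverted");
        return ret;
    }
}
```

Deploy Guarded, then deploy ConstructorProbe with Guarded's address: codeSizePasses becomes 1 even though the caller was a contract. Load the Proxy address with Guarded's interface via “At Address” and call onlyEoaByOrigin: the call succeeds, and originPasses reads 1 through the proxy and 0 on Guarded itself.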

I am researching secure ways of finding out whether the caller was an EOA or a contract, as well as designing new patterns for Trustless Smart Contract Upgradability. If you want to collaborate or talk more, reach out on Twitter: aliazam2251.
