How to hide Solidity code with an external contract
In Solidity a contract can reference the code of another contract. Unfortunately this feature can be exploited and used to hide malicious code. In this tutorial we will review an example of how code can be hidden in a Solidity smart contract.
How does a contract hide malicious code
A bad actor hides code by tricking users into believing their contract does not make any external calls, or that its external calls go to a contract the user has already read. In the example below Bob deploys contract B, which contains malicious code. Then Bob deploys contract A, which stores contract B's address. Alice does not realize that contract A references contract B. When she calls contract A she receives unexpected results.
How to hide code in Solidity
Let's review an example of how to hide code in a Solidity smart contract. For this example we will deploy two smart contracts to the blockchain.
- A mustard contract
- A peanut butter contract
An unsuspecting user will call into the peanut butter contract, but they will receive a response from the mustard contract.
First deploy the mustard contract below. This is the hidden contract and will contain the malicious code. The address of this contract will be passed to the constructor of the peanut butter contract.
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// The hidden contract. Its address is what peanutButter actually stores.
contract Mustard {
    event Log(string message);

    function log() public {
        // write your malicious code here
        emit Log("Mustard function was called");
    }
}
```
Next deploy the peanut butter contract below, passing the Mustard address as the constructor argument. Include the Jelly contract in the same source file when you deploy and verify the contract on Etherscan. The combination of these contracts will confuse an unsuspecting user.
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

contract peanutButter {
    // Declared as Jelly, but the constructor accepts any address and never
    // checks that the code at that address is actually Jelly.
    Jelly jelly;

    constructor(address _jelly) {
        jelly = Jelly(_jelly);
    }

    // Calls log() on whatever contract lives at the stored address.
    function callJelly() public {
        jelly.log();
    }
}

// Verified alongside peanutButter so the source reads as if this is the target.
contract Jelly {
    event Log(string message);

    function log() public {
        emit Log("Jelly function was called");
    }
}
```
The screenshot below shows what the code looks like after it is deployed and verified on Etherscan. The source reads as if the peanut butter contract calls the jelly contract; however, the peanut butter contract actually calls the mustard contract, because the verified source does not show which address was passed to the constructor.
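The check a reader of the verified source should make is to recover the address `peanutButter` really stores and compare the code at that address with the verified `Jelly` runtime. The script below is an added example, not part of the original post: it decodes the `_jelly` constructor argument appended to the creation transaction input (the same right-aligned 32-byte word format that `eth_getStorageAt(peanutButter, 0)` returns for the `jelly` slot) and classifies the target. All bytecode, addresses and the creation input are constructed placeholders, not real chain data.

```python
# Offline check of which contract peanutButter really delegates to.
# On a real chain the inputs come from eth_getTransactionByHash (creation input),
# eth_getStorageAt(peanutButter, 0) and eth_getCode; here they are constructed samples.

ZERO_PAD = "0" * 24  # 12 zero bytes that precede a 20-byte address in a 32-byte word

def _strip0x(h: str) -> str:
    return h[2:] if h.startswith(("0x", "0X")) else h

def address_from_word(word: str) -> str:
    """Decode a right-aligned 20-byte address from one 32-byte ABI or storage word."""
    w = _strip0x(word).lower()
    if len(w) != 64 or not w.startswith(ZERO_PAD):
        raise ValueError("word is not a cleanly padded address")
    return "0x" + w[24:]

def constructor_address(creation_input: str, verified_creation_code: str) -> str:
    """Recover the _jelly constructor argument appended after the creation bytecode."""
    tx = _strip0x(creation_input).lower()
    code = _strip0x(verified_creation_code).lower()
    if not tx.startswith(code):
        raise ValueError("creation input does not begin with the verified creation bytecode")
    return address_from_word(tx[len(code):])

def classify_target(target: str, runtime_code_at: dict, expected_jelly_runtime: str) -> str:
    """'ok' if the target runs the verified Jelly runtime, 'no_code' if nothing is
    deployed there, otherwise 'mismatch' (another contract, e.g. Mustard, is behind it)."""
    code = _strip0x(runtime_code_at.get(target.lower(), "0x")).lower()
    if code == "":
        return "no_code"
    return "ok" if code == _strip0x(expected_jelly_runtime).lower() else "mismatch"

# ---- constructed sample data (placeholders, not real bytecode or addresses) ----
JELLY_ADDR = "0x" + "11" * 20
MUSTARD_ADDR = "0x" + "22" * 20
CREATION_CODE = "0x6080604052deadbeef"      # stands in for peanutButter's verified creation code
JELLY_RUNTIME = "0x6080604052aaaa"          # stands in for the verified Jelly runtime code
MUSTARD_RUNTIME = "0x6080604052bbbb"        # different runtime: the hidden contract
RUNTIME_CODE_AT = {JELLY_ADDR: JELLY_RUNTIME, MUSTARD_ADDR: MUSTARD_RUNTIME}
# Bob's deployment passed Mustard's address, ABI-encoded as one 32-byte word
DEPLOY_INPUT = CREATION_CODE + ZERO_PAD + MUSTARD_ADDR[2:]

def audit_example() -> str:
    target = constructor_address(DEPLOY_INPUT, CREATION_CODE)
    return classify_target(target, RUNTIME_CODE_AT, JELLY_RUNTIME)

if __name__ == "__main__":
    print("peanutButter.jelly ->", constructor_address(DEPLOY_INPUT, CREATION_CODE), audit_example())
```

A verdict of `mismatch` means the verified source is not describing the contract that will answer `callJelly()`, which is exactly the situation in the screenshot.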
This is a simple example of how to hide code in Solidity. When interacting with smart contracts on the blockchain it is important to read and understand the code, including which addresses it stores and what code is deployed at them, before transacting any funds.
Blockchains to build and test on
- Information about how to use the Ethereum test network and how to obtain test ETH.
- Information about how to use the Binance Smart Chain and how to obtain test BNB.
- Information about how to use the Polygon test network and how to obtain test ETH.