Hide Solidity code with an external contract

Ledger Nano X - The secure hardware wallet

How to hide Solidity code with an external contract. In Solidity a contract can reference the code of another contract. Unfortunately this feature can be exploited and used to hide malicious code. In this tutorial we will review an example of how to hide code in a Solidity smart contract.

How does a contract hide malicious code

A bad actor hides code by tricking users into believing their contract does not make any external calls. In the example below Bob deploys contract B which has malicious code. Then Bob deploys contract A which references contract B’s address. Unfortunately Alice does not realize contract A references contract B. When she calls contract A she receives unexpected results.

hide code in solidity smart contract

How to hide code in Solidity

Lets review an example of how to hide code in a Solidity smart contract. For this example we will deploy two smart contracts to the blockchain.

  1. A mustard contract
  2. A peanut butter contract

An unsuspecting user will call into the peanut butter contract but they will receive a response from the mustard contract.

First deploy the mustard contract below. This contract is the hidden contract and will contain malicious code. The address of this contract will be an input to the constructor of the peanut butter contract.

contract Mustard {
     event Log(string message);
     function log() public {     
     //write your malicious code here
     emit Log("Mustard function was called"); }
 }

Try on Remix

Next deploy the peanut butter contract below. Include the jelly contract in your deployment and verify the contract on Etherscan. The combination of these contracts will confuse an unsuspecting user.

pragma solidity ^0.8.5;

contract peanutButter {
    Jelly jelly;
    constructor(address _jelly) {
       jelly = Jelly(_jelly); 

    } 

    function callJelly() public {
       jelly.log(); 

   }

}


contract Jelly {
   event Log(string message);

   function log() public{
   emit Log("Jelly function was called");
   
   }  

}

Try on Remix

The screen shot below shows what the code looks like after it is deployed and verified on Etherscan. The contract reads like the peanut butter contract calls the jelly contract however the peanut butter contract actually calls the mustard contract.

hide code in solidity smart contract etherscan

This is a simple example of how to hide code in Solidity. When interacting with smart contracts on the blockchain it is important to read and understand the code before transacting any funds.

Blockchains to build and test on

Chick here for Ethereum help and additional information

Next – Learn about more Solidity smart contract attacks

2 thoughts on “Hide Solidity code with an external contract

Leave a Reply