37

An address in Solidity can be an account or a contract (or other things, such as a transaction). When I have a variable x, holding an address, how can I test if it is a contract or not?

(Yes, I've read the chapter on types in the doc)

Yilmaz
  • 35,338
  • 10
  • 157
  • 202
bortzmeyer
  • 34,164
  • 12
  • 67
  • 91

8 Answers8

63

Yes you can, by using some EVM assembly code to get the address' code size:

function isContract(address addr) returns (bool) {
  uint size;
  assembly { size := extcodesize(addr) }
  return size > 0;
}
Manuel Araoz
  • 15,962
  • 24
  • 71
  • 95
  • 3
    Here's some [info](http://ethereum.stackexchange.com/questions/14015/using-evm-assembly-to-get-the-address-code-size/14016#14016) on how this function works – manidos Apr 07 '17 at 10:45
  • 17
    This code is dangerous and no longer advisable as it is [hackable](http://web.archive.org/web/20190105222409/https://www.reddit.com/r/ethereum/comments/916xni/how_to_pwn_fomo3d_a_beginners_guide) because EXTCODESIZE returns 0 in a contract's constructor. – eth Jan 05 '19 at 22:32
33

The top-voted answer with the isContract function that uses EXTCODESIZE was discovered to be hackable.

The function will return false if it is invoked from a contract's constructor (because the contract has not been deployed yet).

The code should be used very carefully, if at all, to avoid security hacks such as:

https://www.reddit.com/r/ethereum/comments/916xni/how_to_pwn_fomo3d_a_beginners_guide (archive)

To repeat:

Do not use the EXTCODESIZE check to prevent smart contracts from calling a function. This is not foolproof, it can be subverted by a constructor call, due to the fact that while the constructor is running, EXTCODESIZE for that address returns 0.

See sample code for a contract that tricks EXTCODESIZE to return 0.

Checking if a caller is a contract

If you want to make sure that an EOA is calling your contract, a simple way is require(msg.sender == tx.origin). However, preventing a contract is an anti-pattern with security and interoperability considerations.

require(msg.sender == tx.origin) will need revisiting when account abstraction is implemented.

Checking if a callee is a contract

As @Luke points out in a comment, there is no general on-chain way to find out about a callee. If you want to "call" an address, there's no general way to find out if that address is a contract, EOA, or an address that a new contract can be deployed on, or if it's a CREATE2 address.

One non-general way that works for some callees: you can have a mapping on-chain that stores addresses of known EOAs or contracts. (Just remember that for an address without any on-chain history, you can't know if it's an EOA or an address that a contract can be deployed on.)

eth
  • 842
  • 9
  • 14
  • 3
    It should probably be pointed out that `require(msg.sender == tx.origin)` only detects if the caller of a function is an EOA, it can't be used to detect if any other third-party contract is an EOA (such as a contract that you want to call from your own function). – Luke Hutchison Dec 16 '21 at 07:45
  • 1
    @LukeHutchison Upvoted, great point! Added the caller and callee case; happy to hear from you if I missed some things or you have other suggestions. – eth Dec 21 '21 at 16:39
  • 1
    For completeness you could add that extcodesize is now abstracted away to `
    .code.size` in solidity (no assembly needed). People need to recognize this form too. (I might have the syntax wrong, I'm not near a computer right now.)
     – Luke Hutchison Dec 22 '21 at 20:29
14

This isn't something you can query from within a contract using Solidity, but if you were just wanting to know whether an address holds contract code or not, you can check using your geth console or similar with eg:

  > eth.getCode("0xbfb2e296d9cf3e593e79981235aed29ab9984c0f")

with the hex string (here 0xbfb2e296d9cf3e593e79981235aed29ab9984c0f) as the address you wish to query. This will return the bytecode stored at that address.

You can also use a blockchain scanner to find the source code of the contract at that address, for example the ecsol library as shown on etherscan.io.

bekah
  • 393
  • 2
  • 8
11

Edit: Solidity has changed since this answer was first written, @manuel-aráoz has the correct answer.

There is no way in solidity to check if an address is a contract. One of the goals of Ethereum is for humans and smart contracts to both be treated equally. This leads into a future where smart contracts interact seamlessly with humans and other contracts. It might change in the future , but for now an arbitrary address is ambiguous.

firescar96
  • 419
  • 3
  • 8
  • 5
    The gas consumed by sending to contract is utterly different than the gas consumed by sending to an address. If there were a goal to treat those two things in the same way, there couldn't be a gas distinction. – James Moore Feb 22 '21 at 18:24
2

If you want to use nodejs to confirm, you can do this:

const Web3 = require('web3')

// make sure you are running geth locally
const web3 = new Web3(new Web3.providers.HttpProvider('http://localhost:8545'))

is_contract = async function(address) {
    res = await web3.eth.getCode(address)
    return res.length > 5
}

is_contract('your address').then(console.log)
Pang
  • 9,564
  • 146
  • 81
  • 122
chu4nx
  • 21
  • 1
  • 1
    I don't think it makes much of a difference, but I'm curious as to why you went with `return res.length > 5`? If it's not a Smart contract shouldn't `res` be `0x`, meaning `res.length > 2` should work just as well? I guess you can also test for `res.startsWith("0x6080604052")`? – Matthew Scerri Mar 30 '22 at 15:05
2

From openzeppeling Address.sol library, it has this function:

pragma solidity ^0.8.1;

function isContract(address account) internal view returns (bool) {
    // This method relies on extcodesize/address.code.length, which returns 0
    // for contracts in construction, since the code is only stored at the end
    // of the constructor execution.

    return account.code.length > 0;
}

isContract will return false for the following types of addresses:

  • an externally-owned account

  • a contract in construction

  • an address where a contract will be created

  • an address where a contract lived, but was destroyed

Yilmaz
  • 35,338
  • 10
  • 157
  • 202
-1

What you can do, granted you have the information at hand. If the transactions sender address was null or unoccupied then you can tell if the address is a contract account or an EOA (externally owned account). i.e. when sending a create contract transaction on the network then the receive address in the transaction is null/not used.

Reference from github: https://github.com/ethereum/go-ethereum/wiki/Contracts-and-Transactions

Hope this helps.

James Moore
  • 8,636
  • 5
  • 71
  • 90
Malone
  • 155
  • 7
-1

If you are checking whether the caller is an EOA rather than a contract:

Short answer:

require(tx.origin == msg.sender);

tx.origin is a reference of the original address who initiates this serial function call, while msg.sender is the address who directly calls the target function. Which means, tx.origin must be a human, msg.sender can be a contract or human. Thus, if someone calls you from a contract, then the msg.sender is a contract address which is different from tx.origin.

I know most contracts may use @Manuel Aráoz's code, which works in most cases. But if you call a function within the constructor of a contract, extcodesize will return 0 which fails the isContract check.

NOTE: DON'T use tx.origin under other circumstances if you are not clear about what it represents because .

xhyumiracle
  • 29
  • 3
  • this means that direct user is calling the function. this is one way of mitigating reentrancy attack because if `(tx.origin == msg.sender)` means there is not a chain of function calls – Yilmaz Aug 24 '22 at 21:33