0

From what I can see, it seems trivially easy to set message sender in a view function to whatever address you want for external calls through ethers.js via the 'connect' function.

For example, if you have a contract like this:

contract Test {
    address public owner;
    string private secret;

    modifier onlyOwner() {
        require(msg.sender==owner,"onlyOwner");
        _;
    }

    constructor() {
        owner = msg.sender;
        secret="Abracadabra";
    }

    function setSecret(string memory newSecret) public onlyOwner {
        secret = newSecret;
    }
    function getSecret() public view onlyOwner returns(string memory) {
        return secret;
    }
}

Even if you aren't the owner account, you could run

 let owner = await con.owner();
 let secret = con.connect(owner).getSecret()

And get no complaints from ethers. I know this would fail if you tried to run setSecret but when there no transaction involved it looks like you don't need a real signer, just a contract address.

Is there some other to check if the msg.sender is actually an account, not just a string of the account address?

GGizmos
  • 3,443
  • 4
  • 27
  • 72
  • Deleted my answer in favor of this one: https://stackoverflow.com/a/51850115/11792577 – glinda93 Jul 09 '22 at 08:06
  • You cannot hide secret variable in the smart contract because every data in a smart contract is publicly visible. You'll get a better understanding in the above answer. – glinda93 Jul 09 '22 at 08:07

1 Answers1

0

Sure it can be, it is not a 'hack', when you call view function you can overwrite msg.sender

And anyway 'secret' variable (even private) can be read by some tools, as any data on blockchain (even if you will not provide read function), it is not a security measure to make variable private..

Sergey Chekriy
  • 171
  • 3
  • Well, I think "hack" is in the mind of the beholder. Certainly it is not obvious that msg.sender is not necessarily the account from which a call was issued. In fact the solidity language documentation states "msg.sender is always the address where the current (external) function call came from." No distinction is made that makes it obvious that the value of msg.sender can be relied upon in a transaction, but not in a call. – GGizmos Jul 09 '22 at 14:58