Smart Contract / Unprotected Selfdestruct Instruction
Description
Unprotected SELFDESTRUCT Instruction is a vulnerability classified under CWE-813 (Improper Control of Generation of Code ('Code Injection')) and related to smart contracts. It occurs when a smart contract contains a self-destruct instruction that is not correctly protected, allowing anyone to call it and delete the contract (SWC Registry, SWC-106). The vulnerability poses a high risk to smart contract security: because selfdestruct sends the contract's remaining balance to the address passed as its argument, it can be used both to delete a contract and to divert the funds it holds.
Risk
The risk of this vulnerability is high, as it can be used to delete a smart contract and take the funds associated with it. A malicious user who can reach the self-destruct instruction can destroy the contract and have its balance sent to an address of their choosing, which can cause a significant financial loss for the affected organization.
Solution
The best way to prevent this vulnerability is to ensure that the self-destruct instruction is properly protected. This is done by restricting the function that contains it to an authorized account, typically the contract creator or owner (for example with an onlyOwner modifier that checks msg.sender), so that the instruction can only be executed by that account. Additionally, a time-lock can be added that prevents the self-destruct instruction from being executed before a certain date.
Example
pragma solidity ^0.8.0;
contract MyContract {
    address public owner;
    constructor() { owner = msg.sender; }
    // Restrict a function to the account that deployed the contract
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }
    // ...
    function selfDestruct() public onlyOwner {
        // Time-lock: the call has no effect before the given Unix timestamp
        if (block.timestamp > 1585292799) {
            selfdestruct(payable(owner));
        }
    }
    // ...
}
This example shows a smart contract whose self-destruct instruction is restricted to the owner (via onlyOwner) and additionally guarded by a time-lock. The time-lock prevents the self-destruct instruction from having any effect until block.timestamp exceeds the specified date, given as a Unix timestamp (in this case 1585292799).
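To make the difference concrete, the following added example (written for this page, not taken from the SWC Registry or any project) places the vulnerable pattern next to a hardened version. The contract names, the Destroyed event and the lockSeconds constructor parameter are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable (SWC-106 pattern): kill() has no access control, so any
// account can call it and receive the entire contract balance.
contract VulnerableVault {
    receive() external payable {}

    function kill() public {
        selfdestruct(payable(msg.sender));
    }
}

// Hardened: only the owner may destroy the contract, and only after a
// time-lock fixed at deployment has expired. The balance goes to the
// owner, never to the caller.
contract HardenedVault {
    address public immutable owner;
    uint256 public immutable unlockTime;

    // Emitted before destruction so the action is visible in logs
    event Destroyed(address indexed by, uint256 balance);

    // lockSeconds is an illustrative parameter: how long after deployment
    // the self-destruct path stays locked.
    constructor(uint256 lockSeconds) {
        owner = msg.sender;
        unlockTime = block.timestamp + lockSeconds;
    }

    receive() external payable {}

    modifier onlyOwner() {
        require(msg.sender == owner, "HardenedVault: caller is not owner");
        _;
    }

    function selfDestruct() external onlyOwner {
        // Revert explicitly instead of silently returning while locked
        require(block.timestamp >= unlockTime, "HardenedVault: time-lock active");
        emit Destroyed(msg.sender, address(this).balance);
        selfdestruct(payable(owner));
    }
}
```

Two design choices differ from the page's own example: the hardened contract uses require so a premature call reverts with a readable reason rather than doing nothing, and the destination is the stored owner rather than msg.sender, so the recipient cannot be influenced by whoever triggers the call. When reviewing code for this issue, the check is simply whether every path that reaches selfdestruct is behind an access-control check and, if a time-lock is intended, an explicit timestamp comparison. Note also that since the Cancun upgrade (EIP-6780) selfdestruct no longer removes code or storage unless it runs in the transaction that created the contract; it still transfers the full balance, so the funds-loss risk described above is unchanged.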