Logic Bugs
Solidity Attack Vector #17: Phantom Functions
SecurityInfinity Research
A phantom function is a function that a calling contract expects to exist on another contract, but which the target does not implement. The call does not fail; it silently does nothing, and the caller carries on as if the action had happened.
The Behavior
In Solidity, a low-level `call` to a function selector that the target does not implement returns `success == true` in two situations: the target is an EOA (Externally Owned Account), which has no code, so the EVM treats the call as a trivially successful value transfer; or the target is a contract whose `fallback` function runs for unknown selectors and does not revert. In both cases the return data is empty. A contract with no fallback reverts on an unknown selector, so there the low-level call returns `false`.
High-level calls through an interface are only partly protected. The compiler's pre-call `extcodesize` check rejects EOAs (since 0.8.10 that check is omitted when the function has return values, because ABI-decoding empty return data fails anyway), and a function declared with a return value therefore reverts on a permissive fallback. A function declared with no return value has nothing to decode, so a high-level call to it on a fallback-accepting contract succeeds silently. That is the phantom-function case that survives both the code-size check and the interface.
If your code treats that `success` as proof that a critical action (a transfer, an approval) took place, and the call in fact did nothing, the contract's bookkeeping diverges from reality: balances are credited, deposits recorded or approvals assumed that never occurred.
Defense
1. Check Code Length: Before calling, require `target.code.length > 0` (`extcodesize(target) > 0` in assembly). This rules out EOAs but not contracts with a permissive fallback, and it reads zero for a contract that is still executing its constructor, so treat it as necessary rather than sufficient.
2. Interface Validation: Declare the expected function, with its return type, in an interface and call it directly instead of through low-level `call` whenever possible. Empty return data then reverts instead of being ignored. For functions that return nothing, verify the effect the call was supposed to have (a balance, allowance or nonce that must have changed) before acting on the result.
3. Check Return Data: If a low-level `call` is unavoidable, require the return data length to match the expected ABI encoding rather than relying on `success` alone.
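The following is an added example, not code from the original article, that makes the behaviour described above concrete. `PermissiveFallback` is a constructed target contract that accepts every selector and does nothing; `PhantomProbe` shows which call styles it fools; `HardenedPermitConsumer` applies the defences to a no-return function, using EIP-2612 `permit` as the realistic case (its `nonces` counter must increase by exactly one on a real `permit`, which gives the caller an effect to verify). Contract and function names are the example's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// EIP-2612 subset: permit returns nothing, nonces must increment on success.
interface IERC2612 {
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
    function nonces(address owner) external view returns (uint256);
}

/// Constructed target: has code, accepts every selector, never reverts, does nothing.
contract PermissiveFallback {
    fallback() external payable {}
    receive() external payable {}
}

/// Probes showing which call styles a phantom function on `target` fools.
contract PhantomProbe {
    /// Low-level call: returns (true, empty) on an EOA and on PermissiveFallback.
    /// `ok` alone says nothing; `returnBytes == 0` is the tell.
    function lowLevelTransfer(address target, address to, uint256 amount)
        external returns (bool ok, uint256 returnBytes)
    {
        bytes memory data;
        (ok, data) = target.call(abi.encodeCall(IERC20.transfer, (to, amount)));
        returnBytes = data.length;
    }

    /// High-level call with a return value: reverts on PermissiveFallback because
    /// empty return data cannot be ABI-decoded as bool. Not fooled.
    function highLevelTransfer(address target, address to, uint256 amount)
        external returns (bool)
    {
        return IERC20(target).transfer(to, amount);
    }

    /// High-level call with no return value: extcodesize > 0, the fallback runs,
    /// nothing is decoded, so it succeeds silently on PermissiveFallback. Fooled.
    /// (A real permit would reject this zero signature.)
    function highLevelPermit(address target, address owner, uint256 value) external {
        IERC2612(target).permit(owner, address(this), value, block.timestamp,
                                0, bytes32(0), bytes32(0));
    }
}

/// Hardened consumer: for a no-return function, verify the effect it must have had.
contract HardenedPermitConsumer {
    function permitAndVerify(address token, address owner, uint256 value, uint256 deadline,
                             uint8 v, bytes32 r, bytes32 s) external {
        // Defence 1: rules out EOAs only; a permissive fallback still passes this.
        require(token.code.length > 0, "no code at token");

        // Defence 2: nonces() has a return value, so a phantom target reverts here
        // instead of returning a decodable number.
        uint256 nonceBefore = IERC2612(token).nonces(owner);

        IERC2612(token).permit(owner, address(this), value, deadline, v, r, s);

        // Effect check: a genuine permit consumed exactly one nonce; a phantom one
        // changed nothing. Unlike an allowance check, this cannot be satisfied by an
        // approval the owner granted earlier for some other purpose.
        require(IERC2612(token).nonces(owner) == nonceBefore + 1, "permit had no effect");

        // Safe to act on the approval (e.g. transferFrom) from this point.
    }
}
```

Deploy `PermissiveFallback` and point each `PhantomProbe` function at it: `lowLevelTransfer` returns `(true, 0)`, `highLevelTransfer` reverts, and `highLevelPermit` returns normally even though no permit exists. `HardenedPermitConsumer.permitAndVerify` reverts on the same target at the `nonces` read, and on a real EIP-2612 token it only proceeds when the nonce has advanced.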