Solidity Attack Vector #23: Right-To-Left-Override (RLO) Control Character
The Right-To-Left-Override (RLO) control character (U+202E) is a non-printable Unicode character that forces everything after it on the line to be rendered right-to-left, so the displayed text no longer matches the order of the bytes in the file.
The Attack
An attacker can use RLO to make a function name or an address look completely different in the code editor from what it actually is.
```solidity
// Rendered in the editor:  function transferto(address user)
// Actual bytes in the file: function transfer\u202Eot(address user)
// The U+202E (RLO) character after "transfer" makes the trailing "ot" display as "to".
```
This can be used to hide malicious logic in plain sight or to trick users during signature requests.
Defense
1. Editor Warnings: Most modern IDEs (like VS Code) will highlight hidden Unicode characters.
2. Static Analysis: BlockGuard flags any non-standard Unicode characters in your source code.
3. Audit: Human auditors should always search for hidden characters in critical logic.