Force Feeding
Solidity Attack Vector #19: Unexpected Ether
SecurityInfinity Research•7 min read
Many developers assume a contract can only receive Ether if it exposes a payable function or defines a receive() or fallback handler. That holds for ordinary transfers and calls: a plain send to a contract with no payable entry point reverts. It does not hold in general, and any contract logic that relies on it is a security hole.
The Attack Vector
An attacker deploys a contract holding some ETH (a payable constructor is enough) and calls selfdestruct(target) from it. The EVM credits the target with the attacker contract's entire remaining balance as a side effect of the opcode: no code on the target executes, so no payable check, receive() or fallback() can reject the ether and nothing can revert the transfer. This still works after the Cancun hardfork (EIP-6780): selfdestruct no longer deletes a contract unless it runs in the contract's creation transaction, but it still transfers the balance. The same effect is available without selfdestruct by sending ETH to a contract's address before it is deployed (the address is predictable from the deployer and nonce, or from a CREATE2 salt), or by a block producer naming the contract as its coinbase.
Defense
Never gate critical state transitions on address(this).balance. An equality check such as require(address(this).balance == goal) is made permanently unreachable by a single forced wei, and a threshold check such as address(this).balance >= goal can be tripped early without any legitimate deposit. Track expected deposits in a dedicated state variable that only your own payable functions update, use that variable for every invariant and for accounting, and treat any excess of the real balance over it as foreign ether to be swept or ignored rather than reasoned about.
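The Solidity below is an added example written for this page, not code from the SecurityInfinity article: a hypothetical game in which each play() deposits exactly 1 ether and the deposit that brings the pot to 7 ether wins, with the win condition read from address(this).balance; the attacker contract that force-feeds it via selfdestruct; and a hardened version that checks the same invariant against its own deposit counter. All contract, function and variable names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// VulnerableGame (hypothetical): each call to play() must deposit exactly
// 1 ether and the deposit that brings the contract to TARGET wins the pot.
// The win condition reads address(this).balance, which an attacker can
// inflate from outside without ever calling play().
contract VulnerableGame {
    uint256 public constant TARGET = 7 ether;
    address public winner;

    function play() external payable {
        require(winner == address(0), "game over");
        require(msg.value == 1 ether, "deposit exactly 1 ether");
        // BUG: the balance may contain ether that never came through play().
        // One forced wei makes this equality unreachable and locks the pot.
        if (address(this).balance == TARGET) {
            winner = msg.sender;
        }
    }

    function claim() external {
        require(msg.sender == winner, "not winner");
        (bool ok, ) = msg.sender.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}

// ForceFeeder (hypothetical): funded at deployment, then self-destructs
// into the target. The EVM credits the target's balance directly; none of
// the target's code runs, so it cannot reject the ether. After EIP-6780
// (Cancun) this contract is not deleted unless feed() runs in its creation
// transaction, but the balance transfer still happens, so the attack holds.
contract ForceFeeder {
    constructor() payable {}

    function feed(address payable target) external {
        selfdestruct(target);
    }
}

// HardenedGame (hypothetical): the same game, but every invariant is
// checked against `deposited`, a counter that only play() can increase.
// Ether arriving by any other route is surplus and cannot affect game state.
contract HardenedGame {
    uint256 public constant TARGET = 7 ether;
    address public immutable owner;
    uint256 public deposited;
    address public winner;

    constructor() {
        owner = msg.sender;
    }

    function play() external payable {
        require(winner == address(0), "game over");
        require(msg.value == 1 ether, "deposit exactly 1 ether");
        deposited += msg.value;
        if (deposited == TARGET) {
            winner = msg.sender;
        }
    }

    function claim() external {
        require(msg.sender == winner, "not winner");
        uint256 amount = deposited;
        deposited = 0; // update state before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Anything above `deposited` did not come through play(); let the owner
    // sweep it so forced ether never accumulates as a source of confusion.
    function sweepExcess(address payable to) external {
        require(msg.sender == owner, "not owner");
        uint256 excess = address(this).balance - deposited;
        (bool ok, ) = to.call{value: excess}("");
        require(ok, "transfer failed");
    }
}
```

To reproduce against VulnerableGame: deploy ForceFeeder with 1 wei of value, call feed(address(game)), then have seven players call play() with 1 ether each. After the seventh play the balance is 7 ether plus 1 wei, the equality never holds, winner stays zero and the seven ether are locked with no way out. The same sequence against HardenedGame makes the seventh player the winner, and sweepExcess returns the stray wei to the owner.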