Ether Balance Assumption
Detects contracts that assume their ETH balance equals the sum of deposits, ignoring forcibly sent ETH via selfdestruct or coinbase transactions.
Overview
The ether balance detector identifies contracts that use address(this).balance in equality checks or invariant assertions, assuming the balance can only change through their own payable functions. ETH can be forcibly sent to any contract via selfdestruct (deprecated but still functional on some chains), block coinbase rewards, or pre-funding before deployment, breaking these assumptions.
Why This Is an Issue
A contract that checks require(address(this).balance == expectedBalance) can be permanently bricked by sending it a single wei via selfdestruct. This creates a denial-of-service vector with minimal cost. Contracts using balance-based accounting (e.g., tracking deposits via balance instead of internal state) are vulnerable to inflation attacks.
How to Resolve
// Before: Uses address balance for accounting
function totalDeposits() public view returns (uint256) {
    return address(this).balance; // Can be inflated by selfdestruct
}

// After: Internal accounting
mapping(address => uint256) public deposits;
uint256 public totalDeposited;

function deposit() external payable {
    deposits[msg.sender] += msg.value;
    totalDeposited += msg.value;
}
Examples
Sample Sigvex Output
{
  "detector_id": "ether-balance",
  "severity": "medium",
  "confidence": 0.82,
  "description": "Strict equality check on address(this).balance at offset 0x3c. Forcibly sent ETH via selfdestruct will cause this check to fail permanently, bricking the contract.",
  "location": { "function": "checkInvariant()", "offset": 60 }
}
Detection Methodology
- BALANCE/SELFBALANCE detection: Identifies address(this).balance reads via the BALANCE or SELFBALANCE opcodes.
- Equality analysis: Flags strict equality (EQ) comparisons against computed expected values.
- Accounting pattern: Distinguishes between balance-as-accounting (vulnerable) and balance-as-limit (less vulnerable).
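The first two steps above can be sketched as a linear sweep over runtime bytecode. This is an added example, not Sigvex's implementation: the function names, the WINDOW value and the sample bytecode are assumptions made for illustration, and a real detector would track stack data flow rather than opcode proximity.

```python
# Added example: a simplified heuristic, not Sigvex's implementation.
SELFBALANCE, ADDRESS, BALANCE, EQ = 0x47, 0x30, 0x31, 0x14
PUSH1, PUSH32 = 0x60, 0x7F
WINDOW = 6  # assumption: max instructions scanned after the balance read

def disassemble(code):
    """Linear sweep: yield (offset, opcode), skipping PUSH immediates so
    data bytes that look like opcodes are never misread."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        yield pc, op
        imm = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        pc += 1 + imm

def find_strict_balance_checks(code):
    """Return offsets of EQ opcodes that closely follow a self-balance read."""
    ins = list(disassemble(code))
    findings = []
    for i, (_, op) in enumerate(ins):
        # address(this).balance compiles to SELFBALANCE or ADDRESS + BALANCE
        self_read = op == SELFBALANCE or (
            op == BALANCE and i > 0 and ins[i - 1][1] == ADDRESS
        )
        if not self_read:
            continue
        for pc, nxt in ins[i + 1 : i + 1 + WINDOW]:
            if nxt == EQ:
                findings.append(pc)
                break
    return findings

# Constructed bytecode fragments, hand-assembled for this example.
SAMPLES = {
    # SELFBALANCE PUSH1 0 SLOAD EQ PUSH1 0x0a JUMPI
    "selfbalance_eq": bytes.fromhex("4760005414600a57"),
    # ADDRESS BALANCE PUSH1 0 SLOAD EQ
    "address_balance_eq": bytes.fromhex("303160005414"),
    # SELFBALANCE PUSH1 0 SLOAD LT ISZERO (balance-as-limit, no EQ)
    "balance_as_limit": bytes.fromhex("476000541015"),
    # PUSH2 0x4714: immediate bytes resemble SELFBALANCE and EQ
    "push_data_only": bytes.fromhex("614714"),
}

if __name__ == "__main__":
    for name, code in SAMPLES.items():
        print(name, [hex(o) for o in find_strict_balance_checks(code)])
```

Only the first two fragments are flagged; the limit-style comparison and the PUSH immediate are not.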
Limitations
- address(this).balance >= threshold checks (using GE instead of EQ) are less vulnerable and may still be flagged.
- Post-Cancun, selfdestruct behavior may change, reducing the attack surface.
Related Detectors
- Selfdestruct — selfdestruct usage
- Locked Ether — contracts that trap ETH