Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/asserting-contract-from-code-size

Name: asserting-contract-from-code-size
Author: apegurus

skills/vulnerability-patterns/asserting-contract-from-code-size/SKILL.md

npx skillsauth add apegurus/solidity-argus asserting-contract-from-code-size

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Asserting Contract from Code Size

Preconditions

Contract uses extcodesize or address.code.length to check whether an address is an EOA vs. a contract
This check gates access control, anti-bot logic, or security-sensitive operations
The check assumes that code size == 0 means EOA

Vulnerable Pattern

modifier onlyEOA() {
    // During constructor execution, extcodesize returns 0
    // An attacker calling from their constructor bypasses this check
    require(msg.sender.code.length == 0, "no contracts");
    _;
}

function mint() external onlyEOA {
    _mint(msg.sender, 1);
}

// Assembly variant
function isContract(address addr) internal view returns (bool) {
    uint256 size;
    assembly { size := extcodesize(addr) }
    return size > 0; // Returns false during constructor
}

Detection Heuristics

Search for extcodesize, .code.length, or helper functions named isContract
Check if the result is used to gate access (e.g., require(... == 0) to allow only EOAs)
If used for EOA-only enforcement, flag it — contracts calling from their constructor have code size 0
Also check for tx.origin == msg.sender as an alternative EOA check — flag it as incompatible with account abstraction (ERC-4337) and smart contract wallets
Check if the "no contracts" logic protects anything security-sensitive (minting limits, anti-bot, etc.)

False Positives

extcodesize is used to check if a contract EXISTS at an address (not to distinguish EOA vs contract)
The check is combined with other protections that don't rely solely on code size
The function has no security implications if called by a contract

Remediation

There is no fully reliable on-chain method to distinguish EOAs from contracts
Redesign logic to not depend on this distinction — make the system work correctly regardless of caller type
If EOA-only behavior is truly needed, consider off-chain verification (e.g., signed messages from known EOAs)
Remove isContract checks from security-critical paths

// Instead of gating by caller type, use per-address limits
mapping(address => bool) public hasMinted;

function mint() external {
    require(!hasMinted[msg.sender], "already minted");
    hasMinted[msg.sender] = true;
    _mint(msg.sender, 1);
}

apegurus/asserting-contract-from-code-size

skills/vulnerability-patterns/asserting-contract-from-code-size/SKILL.md

- Contract uses `extcodesize` or `address.code.length` to check whether an address is an EOA vs. a contract

development

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus asserting-contract-from-code-size

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:25 AM165.0s1 file scanned

SKILL.md

name:: asserting-contract-from-code-size
description:: isContract helper usage should not gate security decisions
pattern_category:: logic-error
- regex:: isContract\(
severity:: Medium
confidence:: Medium
swc:: SWC-113

Asserting Contract from Code Size

Preconditions

Contract uses extcodesize or address.code.length to check whether an address is an EOA vs. a contract
This check gates access control, anti-bot logic, or security-sensitive operations
The check assumes that code size == 0 means EOA

Vulnerable Pattern

modifier onlyEOA() {
    // During constructor execution, extcodesize returns 0
    // An attacker calling from their constructor bypasses this check
    require(msg.sender.code.length == 0, "no contracts");
    _;
}

function mint() external onlyEOA {
    _mint(msg.sender, 1);
}

// Assembly variant
function isContract(address addr) internal view returns (bool) {
    uint256 size;
    assembly { size := extcodesize(addr) }
    return size > 0; // Returns false during constructor
}

Detection Heuristics

Search for extcodesize, .code.length, or helper functions named isContract
Check if the result is used to gate access (e.g., require(... == 0) to allow only EOAs)
If used for EOA-only enforcement, flag it — contracts calling from their constructor have code size 0
Also check for tx.origin == msg.sender as an alternative EOA check — flag it as incompatible with account abstraction (ERC-4337) and smart contract wallets
Check if the "no contracts" logic protects anything security-sensitive (minting limits, anti-bot, etc.)

False Positives

extcodesize is used to check if a contract EXISTS at an address (not to distinguish EOA vs contract)
The check is combined with other protections that don't rely solely on code size
The function has no security implications if called by a contract

Remediation

There is no fully reliable on-chain method to distinguish EOAs from contracts
Redesign logic to not depend on this distinction — make the system work correctly regardless of caller type
If EOA-only behavior is truly needed, consider off-chain verification (e.g., signed messages from known EOAs)
Remove isContract checks from security-critical paths

// Instead of gating by caller type, use per-address limits
mapping(address => bool) public hasMinted;

function mint() external {
    require(!hasMinted[msg.sender], "already minted");
    hasMinted[msg.sender] = true;
    _mint(msg.sender, 1);
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/asserting-contract-from-code-size ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT