Attacker Invokable Self Destruct

What it detects

The detector flags functions through which any caller, or a caller who is not an authorized party, can reach selfdestruct. A malicious user could permanently remove the contract, halting its logic and possibly stealing leftover ether by naming themselves as the recipient.

Typical symptoms

  • Self-destruct is callable without an access check
  • Owner checks are missing or misconfigured

Solidity snippet (v0.8.25)

pragma solidity ^0.8.25;

contract Killable {
    function destroy() external {
        // Any caller can self-destruct and receives the remaining balance
        selfdestruct(payable(msg.sender));
    }
}
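For contrast, the same contract with the self-destruct path gated behind an owner check. This is an added example, not the detector's own code or a snippet from the original page; the contract name `KillableGuarded`, the `owner` storage slot, the `NotOwner` error and the `Destroyed` event are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.25;

/// Added example (not from the detector's documentation): the vulnerable
/// Killable contract with an access check on the self-destruct path.
/// Names below (KillableGuarded, owner, NotOwner, Destroyed) are assumptions.
contract KillableGuarded {
    address public owner;

    event Destroyed(address indexed by, address indexed recipient);

    error NotOwner(address caller);
    error ZeroRecipient();

    constructor() {
        // The deployer becomes the only party allowed to destroy the contract
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    /// Only the owner may self-destruct, and the remaining balance goes to an
    /// explicitly chosen recipient instead of whoever happens to be msg.sender.
    function destroy(address payable recipient) external onlyOwner {
        if (recipient == address(0)) revert ZeroRecipient();
        emit Destroyed(msg.sender, recipient);
        selfdestruct(recipient);
    }
}
```

The detector's symptom list maps directly onto the two changes: the `onlyOwner` modifier supplies the missing access check, and the explicit `recipient` parameter stops the balance from following the caller. Two caveats when applying this pattern: the compiler has emitted a deprecation warning for `selfdestruct` since Solidity 0.8.18, and on chains that have activated Cancun (EIP-6780) `selfdestruct` no longer deletes code or storage unless it runs in the same transaction that created the contract, so the remaining risk on those networks is the transfer of the balance rather than the removal of the code.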

Why it matters on EVM

Allowing open self-destruction enables attackers to erase contract code and disrupt systems relying on it. Funds left in the contract can also be redirected to an attacker.