Solidity gotchas

01.

A contract has these modifiers and a function:

solidity

contract X {
    bool public paused = true;
    address public owner;

    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function adminAction() external whenNotPaused onlyOwner {
        // body
    }
}

A non-owner calls `adminAction()` while the contract is paused. What is the revert message?

"not owner"

"paused"

Both messages are included in the revert data

Neither, the function succeeds because the body still runs

02.

A contract has this function:

solidity

function trySend(address payable to, uint256 amount) external {
    (bool ok, ) = to.call{value: amount}("");
    // no further code
}

The to address is a contract whose receive() always reverts. A user calls trySend with amount = 1 ether. What happens?

The transaction succeeds. 1 ETH stays in the calling contract because the transfer silently failed

The transaction succeeds and 1 ETH is sent to to despite the revert

The transaction succeeds and the 1 ETH is sent back to the original caller as a refund

The transaction reverts and the 1 ETH stays with the caller

03.

A developer writes this modifier to track call counts and applies it to several functions

solidity

uint256 public callCount;

modifier counted() {
    callCount += 1;
}

function doStuff() external counted {
    // important logic here
}

The contract deploys without errors. What happens when a user calls doStuff()?

The function works normally and callCount is incremented after the body runs

The transaction reverts because the modifier never reaches the function body

callCount is incremented but the function body never executes, so "important logic here" never runs

The function body runs first and the modifier code is appended afterward

04.

A vault contract reverts all direct ETH transfers via receive

solidity

contract Vault {
    uint256 public trackedBalance;

    function deposit() external payable {
        trackedBalance += msg.value;
    }

    receive() external payable {
        revert("use deposit()");
    }
}

An attacker creates a separate contract, sends 5 ETH to it, then calls selfdestruct on it with the Vault's address as the recipient. What is the state of the Vault afterwards?

The Vault has 5 ETH in its balance, but trackedBalance is still 0

The Vault's trackedBalance is automatically updated to include the forced 5 ETH

The 5 ETH is burned because the Vault refuses to accept it

The Vault's receive reverts, so the selfdestruct fails and no ETH moves

05.

Approve without sufficient balance Alice has a balance of 50 USDC. She calls usdc.approve(bob, 1000). What is the result?

The transaction reverts because Alice cannot approve more than her balance

Alice's allowance to Bob is set to 1000, even though her balance is only 50.

The allowance is automatically capped at 50

06.

A protocol integrates a new token and uses this code

solidity

function notify(address token, address user) external {
    (bool ok, ) = token.call(
        abi.encodeWithSignature("notifyDeposit(address)", user)
    );
    require(ok, "notify failed");
}

The token address is set by an admin. Through misconfiguration, the admin sets token to an address that has no contract deployed. What happens when notify is called?

The transaction reverts because the function selector doesn't match anything

The transaction reverts because you can't call an address with no code

The transaction succeeds but ok is set to false

The transaction succeeds with ok == true, even though no code ran, because the EVM does not check whether code exists at the target

Low-level calls

Front-running and MEV

01.Welcome to Ethereum

02.How Ethereum works

03.Solidity basics

04.Token security and EVM internals

05.DeFi tasks and patterns

06.Tokens beyond ERC-20

07.Oracles

08.Advanced DeFi

09.Conclusion

Solidity gotchas