Support

## Securing Withdrawals with `msg.sender` in Vyper When building smart contracts that handle funds, such as a "Buy Me a Coffee" contract where users can send cryptocurrency, a critical security concern arises: how do you ensure only the intended recipient can withdraw the collected funds? If anyone could call the `withdraw` function, the funds wouldn't be safe. This lesson demonstrates a fundamental pattern for implementing access control in Vyper, specifically ensuring only the contract owner can withdraw funds using the `msg.sender` global variable. The core solution involves two key steps: 1. Storing the contract owner's address permanently within the contract's storage. 2. Verifying the caller's identity against this stored address whenever a restricted action, like withdrawing funds, is attempted. We achieve this using several core Vyper features: **1. State Variables:** Variables declared at the contract level persist on the blockchain between transactions. We'll use a state variable to store the owner's address. To access state variables within functions, we use the `self.` prefix. **2. The `__init__` Function (Constructor):** Decorated with `@deploy`, this special function executes only *once* when the contract is first deployed to the blockchain. It's the ideal place for initial setup, including defining the contract's owner. **3. `msg.sender` Global Variable:** Vyper provides a built-in global variable `msg.sender` of type `address`. This variable always holds the address that *directly called* the current function. * During contract deployment (inside `__init__`), `msg.sender` is the address of the account deploying the contract. * During a regular function call (like `withdraw`), `msg.sender` is the address of the account or contract initiating that specific transaction. **4. The `assert` Statement:** `assert` is used to check for conditions that *must* be true for the contract to function correctly. If the condition provided to `assert` evaluates to `False`, the entire transaction is reverted. This means any state changes are undone, and the remaining gas is consumed. It's commonly used for enforcing access control rules and validating internal states. The syntax is `assert <condition>, <error_message>`. **Implementation Steps:** Let's see how these components work together to secure a `withdraw` function. **Step 1: Define the Owner State Variable** First, declare an `address` state variable at the contract level to store the owner's address. We'll also make it `public`, which automatically creates a getter function allowing anyone to query the owner's address (useful for verification). ```vyper # State variable declaration owner: public(address) ``` **Step 2: Set the Owner During Deployment** Inside the `__init__` function, assign the address of the deployer (`msg.sender`) to the `owner` state variable. This permanently sets the account deploying the contract as its owner. ```vyper @deploy def __init__(): # Other initialization logic (e.g., setting price feeds, minimum amounts) might go here # ... # Set the contract deployer as the owner self.owner = msg.sender ``` Because `__init__` runs only once at deployment, `self.owner` is assigned the deployer's address immutably at that moment. **Step 3: Implement Access Control in `withdraw`** Now, in the `withdraw` function, use an `assert` statement to check if the current caller (`msg.sender`) is the same as the stored owner (`self.owner`). ```vyper @external def withdraw(): """Allows the owner to withdraw the contract's balance.""" # Check if the caller is the stored owner assert msg.sender == self.owner, "Only the contract owner can withdraw!" # If the assert passes, proceed with the withdrawal logic # (Actual withdrawal code would go here, e.g., transferring self.balance) pass ``` **How It Works in Practice** When any account calls the `withdraw` function: 1. The Vyper runtime evaluates the condition `msg.sender == self.owner`. 2. It compares the address of the account making the current call (`msg.sender`) against the address stored in the `self.owner` state variable (which was set during deployment). 3. **If the addresses match:** The condition is `True`. The `assert` passes, and the rest of the function code executes, allowing the owner to withdraw funds. 4. **If the addresses do *not* match:** The condition is `False`. The `assert` statement triggers a revert. The transaction stops immediately, any state changes within this transaction are rolled back, and the specified error message ("Only the contract owner can withdraw!") is returned. The non-owner caller is prevented from withdrawing funds. **Conclusion** Using `msg.sender` within the `__init__` function to set an `owner` state variable, and then checking `msg.sender == self.owner` with an `assert` statement in privileged functions like `withdraw`, is a standard, secure, and fundamental pattern for implementing owner-based access control in Vyper smart contracts. This ensures that critical actions can only be performed by the designated owner, significantly enhancing the security and integrity of your decentralized application.

Msg Sender

A fundamental guide to Securing Withdrawals with msg.sender in Vyper - Learn how to implement owner-only access control by storing the deployer's address using `__init__` and `msg.sender`. Discover how `assert` statements verify the caller, preventing unauthorized function execution like withdrawals.

Course Overview

About the course

What you'll learn

The basics of blockchain transactions, how to send and receive money on a blockchain network.

How to write Python based smart contracts using Vyper.

How to read and understand Vyper smart contracts.

Vyper data structures, arrays, structs, hash maps.

How to build a smart contract application and deploy on ZKsync with Moccasin.

Course Description

Who is this course for?

Software engineers
Web3 developers
Fintech developers
AI developers
Everyone interested in learning Python and smart contracts

Potential Careers

Smart Contract Auditor

$100,000 - $200,000 (avg. salary)

On-chain Data Analyst

$59,000 - $139,000 (avg. salary)

DeFi Developer

$75,000 - $200,000 (avg. salary)

Smart Contract Engineer

$100,000 - $150,000 (avg. salary)

Web3 developer

$60,000 - $150,000 (avg. salary)

Web3 Developer Relations

$85,000 - $125,000 (avg. salary)

Meet your instructors

Patrick Collins

Founder at Cyfrin

Web3 engineer, educator, and Cyfrin co-founder. Patrick's smart contract development and security courses have helped hundreds of thousands of engineers kickstarting their careers into web3.

Last updated on June 11, 2025

Thanks for checking us out

Start learning for free

Start for free

Vyper Smart Contract Developer Introduction to Python and Vyper

Section 1: Favorites

Duration: 2h 08min

Section 2: Remix Coffee

Duration: 2h 32min

1. Introduction

An instructive introduction to Introduction to the Remix Buy Me A Coffee Project - Build the classic "Buy Me A Coffee" smart contract using Vyper and Remix. Learn core concepts like price feeds for USD minimums, payable functions, state storage, and owner-only withdrawals. Duration: 4min

2. Setup

A foundational walkthrough to Setting Up Your First Vyper Project in Remix - Learn the initial steps for creating a Vyper smart contract in Remix, including environment setup and handling Remix quirks. Define basic requirements, structure your contract with pragma/NatSpec, and create initial function skeletons with pass and @external. Duration: 4min

3. Doc Strings

An essential introduction to Documenting Vyper Code with Docstrings - Discover the standard syntax and purpose of multi-line docstrings for explaining Vyper functions, enhancing code clarity and maintainability. Duration: 1min

4. Sending Eth

A fundamental guide to Sending and Receiving Ether in Vyper Smart Contracts - Learn how blockchain transactions carry native currency via the `value` field and how Vyper functions use the `@payable` decorator to accept these funds. Understand how to access the sent amount with `msg.value` (in Wei) and enforce specific funding requirements using `assert`. Duration: 2min

5. Gwei Wei Eth

A crucial guide to Understanding Ether Denominations: Wei, Gwei, and ETH in Vyper - Learn why Vyper smart contracts operate in Wei and how to handle incoming Ether using `msg.value`. Master the `as_wei_value` function for readability and `assert` for validating Ether amounts correctly. Duration: 4min

6. Send Tx

A practical guide to Sending Ether with Smart Contract Function Calls in Remix - Learn how to send Ether to `@payable` functions using the Remix interface, validate amounts with `msg.value` and `assert`, and understand transaction reverts. Duration: 2min

7. Reverts

An essential guide to Understanding Reverts in Vyper - Explore the critical role of reverts in Vyper for ensuring contract integrity and handling errors. Understand how `assert` triggers reverts, their impact on state changes, and gas consumption implications. Duration: 5min

8. Chainlink

An essential guide to Integrating Real-World Data using Chainlink Oracles - Learn about the critical need for off-chain data in smart contracts and the limitations imposed by the Oracle Problem. See how Chainlink's decentralized oracles, particularly Data Feeds, offer a secure solution for accessing reliable price information on-chain. Duration: 13min

9. Mid Recap

A foundational overview to Handling Ether, Ensuring Validity, and the Oracle Problem in Vyper - Learn how Vyper contracts accept Ether via `@payable`, validate conditions using `assert`, and handle transaction reverts. Understand the critical challenge of accessing off-chain data, known as the Oracle Problem. Duration: 1min

10. Quiz 10 Quiz

Questions: 17

11. Chainlink In Vyper

A practical guide to Integrating Chainlink Price Feeds in Vyper - Learn how to fetch real-time asset prices like ETH/USD within your Vyper smart contracts using Chainlink. Understand the process of finding feed addresses and correctly interpreting price data with decimals. Duration: 4min

12. Abi

A foundational explanation to Understanding the Application Binary Interface (ABI) - Discover what the ABI is, why it's crucial for smart contract interaction, and how to find and interpret its JSON structure in Remix IDE. Learn how it defines the contract's callable functions and enables communication. Duration: 1min

13. In-Line Interface

A practical guide to Using In-Line Interfaces in Vyper for Smart Contract Interaction - Learn how to define interaction blueprints directly within your Vyper contract and use them to securely call functions on external deployed contracts like Chainlink. Duration: 5min

14. Quiz 14 Quiz

Questions: 7

15. Staticcall

A secure guide to Reading Data from External Contracts with Vyper's `staticcall` - Learn how Vyper uses interfaces and the mandatory `staticcall` keyword to safely read data from external smart contracts marked `view` or `pure`. Understand this explicit, security-focused approach for read-only interactions. Duration: 2min

16. Tenderly

A practical guide to Deploying Vyper Contracts to a Tenderly Virtual Network - Master deploying Vyper contracts to Tenderly Virtual Networks via Remix IDE. Learn how these forked environments enable testing interactions with external contracts like Chainlink, understanding ABI and interfaces. Duration: 3min

17. Ai

A practical guide to Using AI to Understand Smart Contract Code - Learn how to effectively prompt AI assistants with context and formatted code to decipher complex smart contract elements like `staticcall`. Understand why verifying AI explanations is crucial for accurate learning. Duration: 4min

18. Deploy Parameter

A strategic approach to Parameterizing Deployment for Flexible Vyper Contracts - Discover how to inject external dependencies like price feed addresses at deployment time using constructor arguments, making Vyper contracts adaptable across blockchains. Duration: 3min

19. Integer Precision

An essential explanation to Handling Decimal Precision in Smart Contracts: Normalizing Price Feed Data - Delve into the common problem of mismatched decimal precision when using external data like Chainlink price feeds (8 decimals) with native blockchain values like Ether (18 decimals). Discover how to normalize these values in Vyper to enable accurate calculations. Duration: 2min

20. Converting Types

A practical guide to Converting Types in Vyper using `convert()` - Understand Vyper's strict type system and the common `TypeMismatch` error between signed (`int256`) and unsigned (`uint256`) integers. Discover how to use the built-in `convert()` function for safe and explicit type casting in your smart contracts. Duration: 1min

21. Integer Division

An essential guide to Handling Value Conversion and Precision with Integer Division in Vyper - Master fixed-point arithmetic in Vyper by scaling values with different decimals (like Wei and oracle prices) and using integer division (`//`) to manage precision. Ensure accurate and deterministic value comparisons and calculations in your smart contracts. Duration: 8min

22. As Wei Value

A practical guide to Handling Decimal Precision in Vyper: Using `as_wei_value` - Learn to avoid common errors from mismatched decimal precision when comparing values like ETH and USD, and see why `as_wei_value` is the best practice for clarity and correctness. Duration: 2min

23. Send Eth In Tx

A practical guide to Interacting with Payable Functions in Vyper - Learn how to send Ether to Vyper smart contracts using `@payable` functions via Remix and MetaMask. Understand how to calculate the correct ETH amount based on USD requirements using Chainlink Price Feeds. Duration: 2min

24. Contract To Contract

A practical guide to Exposing Internal Logic with External Wrappers in Vyper - Learn how to securely expose internal Vyper functions using external wrappers. Understand the benefits of this pattern for controlled access, code organization, and maintaining encapsulation. Duration: 1min

25. Quiz 25 Quiz

Questions: 15

26. Getting Revert

An essential walkthrough to Verifying Smart Contract Reverts: Testing Minimum Funding Requirements - Discover how to test smart contract reverts caused by insufficient USD funding, focusing on Vyper's `assert`, required Wei calculations, and verifying failure conditions using development tools. Duration: 3min

27. Msg Sender

28. Withdraw Eth

A practical walkthrough to Sending ETH From Your Vyper Contract - See how to securely implement an ETH withdrawal function in Vyper using `send` and `self.balance`. Understand the importance of owner verification and essential testnet testing steps. Duration: 4min

29. Dynamic Vs Fixed Array

A foundational exploration to Enhancing Our Contract: Tracking Funders - Explore Vyper's array types, contrasting dynamic `DynArray` with fixed-size arrays for storing funder data. Understand key differences in size, initialization, and element access methods. Duration: 9min

30. Resetting Array

A clear walkthrough to Resetting Dynamic Array State Variables in Vyper - Understand how to declare Vyper's `DynArray` with a max size, add elements using `.append()`, and efficiently clear the array using `[]`. See how this applies to resetting a funder list in a smart contract. Duration: 2min

31. Plus Equals

A practical guide to Tracking Total Contribution Amounts per Funder - Learn how to implement contribution tracking in Vyper using a `HashMap` to map funder addresses to their total amounts donated in Wei. Understand how to update this state variable within the `fund` function using `msg.sender` and `msg.value`. Duration: 2min

32. For Loops

A crucial examination of Mastering For Loops in Vyper: Iteration and State Resets - Understand why `for` loops are vital for resetting Vyper mappings, learn the syntax variations, and grasp the significant gas cost differences compared to array resets. Duration: 8min

33. Tenderly_

A hands-on walkthrough to Testing Vyper Smart Contracts with Tenderly and Remix - Learn to perform end-to-end tests on a Vyper contract using Remix, MetaMask, and a Tenderly Virtual Testnet. Simulate funding, test owner-only withdrawal, and verify state changes for robust contract validation. Duration: 7min

34. Idk

An efficiency-driven look into Optimizing Vyper Contracts with Immutables and Constants - Discover how Vyper's `constant` and `immutable` keywords save gas and improve code clarity compared to standard state variables. Understand their distinct use cases and proper initialization techniques. Duration: 4min

35. Natspec

An essential guide to Enhancing Vyper Contracts with Natspec Documentation - Learn to implement Ethereum Natspec using multi-line docstrings and standard tags (`@title`, `@author`, `@notice`) in Vyper contracts. Master the professional structure for contract-level documentation, enhancing readability and tooling integration. Duration: 3min

36. Quiz 36 Quiz

Questions: 16

37. Update Immute

A practical exploration to Reducing Gas Costs in Vyper: Using `constant` and `immutable` - Discover the gas-saving benefits of using `constant` (compile-time) and `immutable` (deploy-time) variables over standard storage in Vyper. Learn to refactor your smart contracts for improved efficiency and lower deployment/runtime costs. Duration: 6min

38. Magic

A practical tutorial for Understanding and Refactoring the "Magic Numbers" Antipattern - Identify the 'magic number' antipattern in smart contracts and learn the best practice of using named constants in Vyper to enhance code clarity and ease maintenance. Duration: 1min

39. Gas

A focused analysis to Gas Optimization with Vyper Constants and Immutables - Delve into the gas cost implications of using `constant` and `immutable` versus storage variables in Vyper. Learn how avoiding `SSTORE` and `SLOAD` operations leads to cheaper contract deployment and interactions. Duration: 5min

40. Fallback

A practical guide to Understanding Vyper's `__default__` Fallback Function - Learn how this special function enables contracts to receive direct Ether transfers and handle unmatched function calls, ensuring robust fund acceptance through proper implementation and refactoring. Duration: 7min

41. Better Way To Send

A critical approach to Securely Sending Ether in Vyper: Using `raw_call` - Delve into the pitfalls of the `send()` function and master the secure `raw_call` method for transferring Ether, leveraging its revert-on-failure feature. Duration: 3min

42. Recap

A practical review to Vyper Fundamentals Recap: Building the "Buy Me A Coffee" Contract - Reinforce core Vyper concepts like state management, function types, interfaces, and data structures through the "Buy Me A Coffee" contract. Understand NatSpec documentation, external calls, oracle interaction, and precision handling before moving beyond Remix. Duration: 9min

43. Quiz 43 Quiz

Questions: 11

Section 3: Ai

Duration: 24min