How can a smart contract bypass a zero-code-size check when it contains malicious code? Here is a detailed example using Bank.sol.
A few repositories back, we went through a phishing attack on tx.origin; here is yet another example of how tx.origin can go against developer expectations.
Bank.sol uses tx.origin in a condition check to decide whether the call comes from a wallet address or a contract address.
Any address with code in it has a non-zero code size, but if the contract is not initialised yet, i.e. the function is called from within its constructor(), its code size is still 0.
Here the developer calls Attack.sol with a msg.value to deposit, and Attack.sol diverts that call to Bank.sol to deposit the same value.
Since tx.origin is MainAttack.sol, which is yet to be deployed, it bypasses the size > 0 condition check in Bank.sol and successfully exploits the re-entrancy vulnerability in Bank.sol.
With it, all Ether deposited in Bank.sol gets transferred to Attack.sol, and after that MainAttack.sol gets deployed.
You can test this in Remix IDE. Deploying MainAttack.sol may fail a few times; try changing the msg.value and re-deploy, and it will pass.