🚀
Smart Contract Auditors Space
  • 👋Welcome to the Smart Contract Auditors Space
  • Smart Contract Vulnerabilities
    • FV-SOL-1 Reentrancy
      • FV-SOL-1-C1 Single Function
      • FV-SOL-1-C2 Cross Function
      • FV-SOL-1-C3 Cross Contract
      • FV-SOL-1-C4 Cross Chain
      • FV-SOL-1-C5 Dynamic
      • FV-SOL-1-C6 Read-Only
    • FV-SOL-2 Precision Errors
      • FV-SOL-2-C1 Token Decimals
      • FV-SOL-2-C2 Floating Point
      • FV-SOL-2-C3 Rounding
      • FV-SOL-2-C4 Division by Zero
      • FV-SOL-2-C5 Time-Based
    • FV-SOL-3 Arithmetic Errors
      • FV-SOL-3-C1 Overflow and Underflow
      • FV-SOL-3-C2 Sign Extension
      • FV-SOL-3-C3 Truncation in Type Casting
      • FV-SOL-3-C4 Misuse of Environment Variables
    • FV-SOL-4 Bad Access Control
      • FV-SOL-4-C1 Using tx.origin for Authorization
      • FV-SOL-4-C2 Unrestricted Role Assignment
      • FV-SOL-4-C3 Lack of Multi-Signature for Crucial Operations
    • FV-SOL-5 Logic Errors
      • FV-SOL-5-C1 Boundary Misalignment
      • FV-SOL-5-C2 Incorrect Conditionals
      • FV-SOL-5-C3 Improper State Transitions
      • FV-SOL-5-C4 Misordered Calculations
      • FV-SOL-5-C5 Event Misreporting
    • FV-SOL-6 Unchecked Returns
      • FV-SOL-6-C1 Unchecked Call Return
      • FV-SOL-6-C2 Unchecked Transfer Return
      • FV-SOL-6-C3 Silent Fail
      • FV-SOL-6-C4 False Positive Success Assumption
      • FV-SOL-6-C5 Partial Execution with No Rollback
      • FV-SOL-6-C6 False Contract Existence Assumption
    • FV-SOL-7 Proxy Insecurities
      • FV-SOL-7-C1 delegatecall Storage Collision
      • FV-SOL-7-C2 Function Selector Collision
      • FV-SOL-7-C3 Centralized Update Control
      • FV-SOL-7-C4 Uninitialized Proxy
    • FV-SOL-8 Slippage
    • FV-SOL-9 Unbounded Loops
    • FV-SOL-10 Oracle Manipulation
Powered by GitBook
On this page
  • TLDR
  • Code
  • Classifications
  • delegatecall Storage Collision (FV-SOL-7-C1)
  • Function Selector Collision (FV-SOL-7-C2)
  • Centralized Update Control (FV-SOL-7-C3)
  • Uninitialized Proxy (FV-SOL-7-C4)
  • Mitigation Patterns
  • Validate Addresses Being Called (FV-SOL-7-M1)
  • Limit State Changes (FV-SOL-7-M2)
  • __gap Array (FV-SOL-7-M3)
  • Actual Occurrences
  • Content

Was this helpful?

FV-SOL-7 Proxy Insecurities

TLDR

Upgradeability is essential for maintaining and improving deployed contracts and fixes over time

Due to their nature, they are often misunderstood or implemented insecurely

Code

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Delegate contract contains logic but no storage
contract Delegate {
    uint public storedData;  // This variable will be ignored when using delegatecall

    // Function to be called via delegatecall
    function setValue(uint _value) public {
        storedData = _value;  // This will set the caller's storage, not Delegate's
    }
}

// Caller contract with storage that will be updated
contract Caller {
    uint public storedData;  // The storage slot used in Delegate

    // Function to execute delegatecall to Delegate contract
    function setDelegateValue(address _delegateAddress, uint _value) public {
        // Prepare data for delegatecall (function selector + argument)
        (bool success, ) = _delegateAddress.delegatecall(
            abi.encodeWithSignature("setValue(uint256)", _value)
        );
        require(success, "Delegatecall failed");
    }
}

Classifications

delegatecall Storage Collision (FV-SOL-7-C1)

delegatecall is a function call that allows a contract to run code from another contract while preserving the original caller's context, including storage, msg.sender, and msg.value

Since delegatecall runs in the storage context of the caller, if the contract calls delegatecall on user-supplied input, an attacker can input an address to a malicious contract that can manipulate the storage of the calling contract, potentially overwriting sensitive variables or stealing funds

If the target contract has a different storage layout, it may overwrite or corrupt crucial storage variables in the calling contract

Function Selector Collision (FV-SOL-7-C2)

When two functions in the implementation contract have the same function selector, unintended functions can be called, leading to incorrect behavior or security loopholes

Centralized Update Control (FV-SOL-7-C3)

If the upgrade process is too centralized, it creates a single point of failure, and generaly considered unethical to the users

Uninitialized Proxy (FV-SOL-7-C4)

If the initializer function isn’t called during deployment, it may leave critical variables in an unprotected state

Same goes for accidentally allowing initializer functions to be called again in the proxy pattern which can result in re-initializing the contract, doing so gaining ability to modify data

Mitigation Patterns

Validate Addresses Being Called (FV-SOL-7-M1)

Ensure that the address used with delegatecall is fixed or restricted to trusted sources

Limit State Changes (FV-SOL-7-M2)

Be cautious of contracts that use delegatecall to avoid unintended storage changes

__gap Array (FV-SOL-7-M3)

The __gap variable is a common technique used in Solidity's upgradeable contract design to prevent storage layout issues during contract upgrades. It is essentially a reserved area in the contract's storage layout that provides "padding" for future storage variables

Actual Occurrences

  • https://solodit.cyfrin.io/issues/h-03-attacker-can-gain-control-of-counterfactual-wallet-code4rena-biconomy-biconomy-smart-contract-wallet-contest-git

  • https://solodit.cyfrin.io/issues/h01-corruptible-storage-upgradeability-pattern-openzeppelin-ribbon-finance-audit-markdown

  • https://solodit.cyfrin.io/issues/diamond-proxy-initialize-functions-can-be-called-multiple-times-halborn-polemos-lending-pdf

Content

https://www.halborn.com/blog/post/delegatecall-vulnerabilities-in-solidity

PreviousFV-SOL-6-C6 False Contract Existence AssumptionNextFV-SOL-7-C1 delegatecall Storage Collision

Last updated 15 days ago

Page cover image