🚀
Smart Contract Auditors Space
  • 👋Welcome to the Smart Contract Auditors Space
  • Smart Contract Vulnerabilities
    • FV-SOL-1 Reentrancy
      • FV-SOL-1-C1 Single Function
      • FV-SOL-1-C2 Cross Function
      • FV-SOL-1-C3 Cross Contract
      • FV-SOL-1-C4 Cross Chain
      • FV-SOL-1-C5 Dynamic
      • FV-SOL-1-C6 Read-Only
    • FV-SOL-2 Precision Errors
      • FV-SOL-2-C1 Token Decimals
      • FV-SOL-2-C2 Floating Point
      • FV-SOL-2-C3 Rounding
      • FV-SOL-2-C4 Division by Zero
      • FV-SOL-2-C5 Time-Based
    • FV-SOL-3 Arithmetic Errors
      • FV-SOL-3-C1 Overflow and Underflow
      • FV-SOL-3-C2 Sign Extension
      • FV-SOL-3-C3 Truncation in Type Casting
      • FV-SOL-3-C4 Misuse of Environment Variables
    • FV-SOL-4 Bad Access Control
      • FV-SOL-4-C1 Using tx.origin for Authorization
      • FV-SOL-4-C2 Unrestricted Role Assignment
      • FV-SOL-4-C3 Lack of Multi-Signature for Crucial Operations
    • FV-SOL-5 Logic Errors
      • FV-SOL-5-C1 Boundary Misalignment
      • FV-SOL-5-C2 Incorrect Conditionals
      • FV-SOL-5-C3 Improper State Transitions
      • FV-SOL-5-C4 Misordered Calculations
      • FV-SOL-5-C5 Event Misreporting
    • FV-SOL-6 Unchecked Returns
      • FV-SOL-6-C1 Unchecked Call Return
      • FV-SOL-6-C2 Unchecked Transfer Return
      • FV-SOL-6-C3 Silent Fail
      • FV-SOL-6-C4 False Positive Success Assumption
      • FV-SOL-6-C5 Partial Execution with No Rollback
      • FV-SOL-6-C6 False Contract Existence Assumption
    • FV-SOL-7 Proxy Insecurities
      • FV-SOL-7-C1 delegatecall Storage Collision
      • FV-SOL-7-C2 Function Selector Collision
      • FV-SOL-7-C3 Centralized Update Control
      • FV-SOL-7-C4 Uninitialized Proxy
    • FV-SOL-8 Slippage
      • FV-SOL-8-C1 Price Manipulation
      • FV-SOL-8-C2 Front-Running
      • FV-SOL-8-C3 Insufficient Liquidity
      • FV-SOL-8-C4 Unexpected Gas Increase
    • FV-SOL-9 Unbounded Loops
      • FV-SOL-9-C1 Dynamic Array
      • FV-SOL-9-C2 Unrestricted Mapping
      • FV-SOL-9-C3 Recursive Calls
      • FV-SOL-9-C4 Reentrancy Loops
      • FV-SOL-9-C5 Nested Loops
    • FV-SOL-10 Oracle Manipulation
      • FV-SOL-10-C1 Incorrect Compounding Mechanism
      • FV-SOL-10-C2 Price Drift
      • FV-SOL-10-C3 Manipulation Through External Markets
      • FV-SOL-10-C4 Time Lags
Powered by GitBook
On this page
  • TLDR
  • Code
  • Classifications
  • Mitigation Patterns
  • Validate Addresses Being Called (FV-SOL-7-M1)
  • Limit State Changes (FV-SOL-7-M2)
  • __gap Array (FV-SOL-7-M3)
  • Actual Occurrences
  • Content

Was this helpful?

  1. Smart Contract Vulnerabilities

FV-SOL-7 Proxy Insecurities

TLDR

Upgradeability is essential for maintaining and improving deployed contracts and fixes over time

Due to their nature, they are often misunderstood or implemented insecurely

Code

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Delegate contract contains logic but no storage
contract Delegate {
    uint public storedData;  // This variable will be ignored when using delegatecall

    // Function to be called via delegatecall
    function setValue(uint _value) public {
        storedData = _value;  // This will set the caller's storage, not Delegate's
    }
}

// Caller contract with storage that will be updated
contract Caller {
    uint public storedData;  // The storage slot used in Delegate

    // Function to execute delegatecall to Delegate contract
    function setDelegateValue(address _delegateAddress, uint _value) public {
        // Prepare data for delegatecall (function selector + argument)
        (bool success, ) = _delegateAddress.delegatecall(
            abi.encodeWithSignature("setValue(uint256)", _value)
        );
        require(success, "Delegatecall failed");
    }
}

Classifications

FV-SOL-7-C1 delegatecall Storage Collision

FV-SOL-7-C2 Function Selector Collision

FV-SOL-7-C3 Centralized Update Control

FV-SOL-7-C4 Uninitialized Proxy

Mitigation Patterns

Validate Addresses Being Called (FV-SOL-7-M1)

Ensure that the address used with delegatecall is fixed or restricted to trusted sources

Limit State Changes (FV-SOL-7-M2)

Be cautious of contracts that use delegatecall to avoid unintended storage changes

__gap Array (FV-SOL-7-M3)

The __gap variable is a common technique used in Solidity's upgradeable contract design to prevent storage layout issues during contract upgrades. It is essentially a reserved area in the contract's storage layout that provides "padding" for future storage variables

Actual Occurrences

  • https://solodit.cyfrin.io/issues/h-03-attacker-can-gain-control-of-counterfactual-wallet-code4rena-biconomy-biconomy-smart-contract-wallet-contest-git

  • https://solodit.cyfrin.io/issues/h01-corruptible-storage-upgradeability-pattern-openzeppelin-ribbon-finance-audit-markdown

  • https://solodit.cyfrin.io/issues/diamond-proxy-initialize-functions-can-be-called-multiple-times-halborn-polemos-lending-pdf

Content

https://www.halborn.com/blog/post/delegatecall-vulnerabilities-in-solidity

PreviousFV-SOL-6-C6 False Contract Existence AssumptionNextFV-SOL-7-C1 delegatecall Storage Collision

Last updated 28 days ago

Page cover image