FV-SOL-7 Proxy Insecurities

TLDR

Upgradeability is essential for maintaining deployed contracts and shipping fixes and improvements over time.

By their nature, proxy and upgradeable patterns are often misunderstood or implemented insecurely.

Code

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Delegate contract contains logic but no storage
contract Delegate {
    uint public storedData;  // This variable will be ignored when using delegatecall

    // Function to be called via delegatecall
    function setValue(uint _value) public {
        storedData = _value;  // This will set the caller's storage, not Delegate's
    }
}

// Caller contract with storage that will be updated
contract Caller {
    uint public storedData;  // The storage slot used in Delegate

    // Function to execute delegatecall to Delegate contract
    function setDelegateValue(address _delegateAddress, uint _value) public {
        // Prepare data for delegatecall (function selector + argument)
        (bool success, ) = _delegateAddress.delegatecall(
            abi.encodeWithSignature("setValue(uint256)", _value)
        );
        require(success, "Delegatecall failed");
    }
}

Classifications

FV-SOL-7-C1 delegatecall Storage Collision

FV-SOL-7-C2 Function Selector Collision

FV-SOL-7-C3 Centralized Update Control

FV-SOL-7-C4 Uninitialized Proxy

Mitigation Patterns

Validate Addresses Being Called (FV-SOL-7-M1)

Ensure that the address used with delegatecall is fixed or restricted to trusted sources, since whatever code lives there runs with full write access to the caller's storage.

Limit State Changes (FV-SOL-7-M2)

Be cautious with contracts that use delegatecall: the called code writes to the caller's storage slots, so keep the storage layout of the proxy and its implementation aligned to avoid unintended storage changes.

__gap Array (FV-SOL-7-M3)

The __gap variable is a common technique in Solidity's upgradeable contract design to prevent storage layout issues during contract upgrades. It is essentially a reserved area in the contract's storage layout that provides "padding" for future storage variables.
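The following is an added example, not code from the original page, that puts the three mitigations side by side: a proxy whose implementation pointer shares slot 0 with the delegate's first variable (the FV-SOL-7-C1 collision), then a proxy applying M1 (admin-only upgrade to an address that has code), M2 (implementation pointer kept in the EIP-1967 slot, away from sequential storage) and M3 (a __gap array in the implementation). Contract names are made up for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Vulnerable proxy: `implementation` occupies slot 0, the same slot the
// delegate's first state variable uses, so a delegatecall that writes that
// variable silently overwrites the implementation address.
contract CollidingProxy {
    address public implementation; // slot 0
    constructor(address impl) { implementation = impl; }
    fallback() external payable {
        (bool ok, ) = implementation.delegatecall(msg.data);
        require(ok, "delegatecall failed");
    }
}

// Delegate whose first variable also sits in slot 0: setValue(v) run through
// CollidingProxy replaces the proxy's implementation pointer with v.
contract Logic {
    uint256 public value; // slot 0, collides with CollidingProxy.implementation
    function setValue(uint256 v) external { value = v; }
}

// Hardened proxy (FV-SOL-7-M1, M2): pointer stored in the EIP-1967 slot
// keccak256("eip1967.proxy.implementation") - 1, upgrades restricted to the
// admin and only to addresses that actually contain code.
contract SafeProxy {
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    address private immutable admin;
    constructor(address impl) { admin = msg.sender; _setImpl(impl); }
    function upgradeTo(address impl) external {
        require(msg.sender == admin, "not admin");
        _setImpl(impl);
    }
    function _setImpl(address impl) internal {
        require(impl.code.length > 0, "implementation has no code");
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, impl) }
    }
    fallback() external payable {
        bytes32 slot = IMPL_SLOT;
        address impl;
        assembly { impl := sload(slot) }
        (bool ok, ) = impl.delegatecall(msg.data);
        require(ok, "delegatecall failed");
    }
}

// Upgrade-ready delegate (FV-SOL-7-M3): 49 reserved slots let a later
// version append variables without shifting slots used by child contracts.
contract LogicV1 {
    uint256 public value;
    uint256[49] private __gap; // padding for future storage variables
}
```

With SafeProxy, the delegate's `value` writes slot 0 of the proxy while the pointer lives in the EIP-1967 slot, so the collision that corrupts CollidingProxy cannot occur.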

Actual Occurrences

Content

https://solodit.cyfrin.io/issues/h-03-attacker-can-gain-control-of-counterfactual-wallet-code4rena-biconomy-biconomy-smart-contract-wallet-contest-git
https://solodit.cyfrin.io/issues/h01-corruptible-storage-upgradeability-pattern-openzeppelin-ribbon-finance-audit-markdown
https://solodit.cyfrin.io/issues/diamond-proxy-initialize-functions-can-be-called-multiple-times-halborn-polemos-lending-pdf
https://www.halborn.com/blog/post/delegatecall-vulnerabilities-in-solidity