Clear DefinitionsDelegatecall to Untrusted Contract
2 min read
Pronunciation
[del-i-git-kawl too uhn-truhs-tid kon-trakt]
Analogy
Imagine you're a CEO (calling contract) and you need to sign some important documents. You ask your assistant to bring a specific trusted lawyer (a library contract) into your office to use your desk and official seal (`delegatecall`). However, if your assistant can be tricked into bringing in an imposter lawyer (untrusted contract) chosen by an attacker, that imposter can then use your desk and seal to forge documents or steal company assets, all under your authority.
Definition
Delegatecall to Untrusted Contract is a severe smart contract vulnerability where a contract performs a `delegatecall` to an address that is either user-supplied, can be manipulated by an attacker, or is otherwise not guaranteed to be a trusted, audited library contract. This allows the untrusted contract's code to execute within the context (storage, balance, `msg.sender`) of the calling contract, leading to potential hijacking of its state and logic.
Key Points Intro
This vulnerability arises when `delegatecall` is used with a target contract address that an attacker can influence, allowing arbitrary code execution in the caller's context.
Key Points
Arbitrary Code Execution: The untrusted contract's code runs as if it were the calling contract's own code.
Full Context Assumption: The called code operates on the calling contract's storage, Ether balance, and identity.
Source of Vulnerability: Target address of `delegatecall` is not fixed or is controllable by an external party.
High Severity Risk: Can lead to complete takeover of the vulnerable contract, theft of funds, or destruction of data.
Example
A smart contract has a function that allows an administrator to set the address of a "logic" or "library" contract, and then it uses `delegatecall` to this address. If an attacker gains administrative privileges or if the address setting function is unprotected, they can point it to a malicious contract they deployed. Any subsequent `delegatecall` will execute the attacker's code, enabling them to, for instance, call `selfdestruct` (if the malicious contract has it and the caller is a contract) or transfer all Ether and tokens held by the calling contract.
Technical Deep Dive
The `delegatecall` opcode in the EVM executes the code of the target contract but operates within the storage, `msg.sender`, and `msg.value` of the calling contract. Unlike `call`, the `msg.sender` and `msg.value` are not changed to be the immediate caller/value. If the address provided to `delegatecall` is not a known, audited, and immutable piece of code (like a fixed library or a strictly controlled implementation in an upgradeable proxy), then whatever code resides at that attacker-controlled address gets to run with the full permissions and state access of the contract making the `delegatecall`.
Security Warning
Never use `delegatecall` with a target address that can be controlled by users or external entities without extremely careful validation or whitelisting. The target of a `delegatecall` should almost always be a hardcoded, audited library or a meticulously managed address in an upgradeable proxy system.
Caveat
This is one of the most critical vulnerabilities in smart contracts. Identifying and mitigating it requires a deep understanding of `delegatecall`'s behavior and careful contract design, especially for upgradeable contracts or those using external libraries.
Delegatecall to Untrusted Contract - Related Articles
No related articles for this term.