Skip to content

Added 5 delegate call vulnerability type smart contracts #102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Sep 18, 2025
Merged

Added 5 delegate call vulnerability type smart contracts #102

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions audit_engine/smart_contracts/delegate_call/dc41.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
contract multiowned {

function Deposit(address sender, uint value) {
if (sender != 0) {
sender.delegatecall(value);
}
}
Comment on lines +3 to +7
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

🧩 Analysis chain

delegatecall(value) is invalid calldata; missing visibility; zero-address check uses 0

This won’t compile on modern Solidity and the calldata is not bytes. Fix to explicit bytes, visibility, and checks.

Apply within this hunk:

-    function Deposit(address sender, uint value) {
-        if (sender != 0) {
-            sender.delegatecall(value);
-        }
-    }
+    function Deposit(address sender, bytes calldata data) external {
+        if (sender != address(0)) {
+            (bool ok, ) = sender.delegatecall(data);
+            require(ok, "delegatecall failed");
+        }
+    }

Add at file top (outside this hunk):

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.25;

If you must keep uint value for the dataset semantics, minimally wrap it: (bool ok,) = sender.delegatecall(abi.encode(value)); require(ok);.

🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "Searching for dc41.sol..."
file=$(find . -type f -name 'dc41.sol' -print -quit || true)
if [ -z "$file" ]; then
  echo "dc41.sol not found"
  exit 0
fi
echo "Found: $file"
echo "---- file path ----"
echo "$file"
echo "---- head (first 200 lines) ----"
sed -n '1,200p' "$file" || true
echo "---- search for SPDX / pragma in file ----"
grep -n -E 'SPDX|pragma' "$file" || true
echo "---- search for delegatecall occurrences in repo (first 100 lines) ----"
grep -RIn --binary-files=without-match -n 'delegatecall' . | sed -n '1,200p' || true

Length of output: 6179

Fix delegatecall usage, add visibility, and add SPDX/pragma

audit_engine/smart_contracts/delegate_call/dc41.sol (lines 3–7): won't compile on modern Solidity and is unsafe — apply the patch below.

-    function Deposit(address sender, uint value) {
-        if (sender != 0) {
-            sender.delegatecall(value);
-        }
-    }
+    function Deposit(address sender, bytes calldata data) external {
+        if (sender != address(0)) {
+            (bool ok, ) = sender.delegatecall(data);
+            require(ok, "delegatecall failed");
+        }
+    }

Add at file top (outside this hunk):

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.25;

If you must keep uint value for dataset semantics, minimally wrap it: (bool ok, ) = sender.delegatecall(abi.encode(value)); require(ok);.

🤖 Prompt for AI Agents 
In audit_engine/smart_contracts/delegate_call/dc41.sol around lines 3–7, the
function uses an unsafe/old delegatecall form and lacks SPDX/pragma and
visibility; add the following fixes: add file header lines "//
SPDX-License-Identifier: UNLICENSED" and "pragma solidity ^0.8.25;" at the top
of the file (outside this hunk), change the function signature to include
explicit visibility (e.g., "function Deposit(address sender, uint value)
public"), and replace the raw delegatecall with the safe ABI-encoded pattern:
perform the call as "(bool ok, ) = sender.delegatecall(abi.encode(value));
require(ok);" so the call is encoded and its success is checked.

}


7 changes: 7 additions & 0 deletions audit_engine/smart_contracts/delegate_call/dc42.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
contract Safe {

function requireStackDepth(address addr, bytes32 data) {
if (data=='') { throw; }
if (!addr.delegatecall(data)){ throw; }
}
Comment on lines +3 to +6
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

bytes32 vs empty string check, legacy throw, and delegatecall signature

data == '' on bytes32 is invalid; use bytes and length. Update error handling and low-level call.

Apply within this hunk:

-    function requireStackDepth(address addr, bytes32 data) {
-        if (data=='') { throw; }
-        if (!addr.delegatecall(data)){ throw; }
-    }
+    function requireStackDepth(address addr, bytes calldata data) external {
+        require(data.length != 0, "empty data");
+        (bool ok, ) = addr.delegatecall(data);
+        require(ok, "delegatecall failed");
+    }

Add at file top (outside this hunk):

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.25;

}
6 changes: 6 additions & 0 deletions audit_engine/smart_contracts/delegate_call/dc43.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
contract StackDepth {

function dig(uint n) public {
if (!address(this).delegatecall(0x21835af6, n - 1)) throw;
}
Comment on lines +3 to +5
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Legacy throw/delegatecall + missing base case cause compile errors and potential unbounded recursion

Modern compilers reject throw and the legacy delegatecall(0x..., n-1) form; also n-1 underflows at 0, changing behavior across compiler versions.

Apply within this hunk:

-    function dig(uint n) public {
-        if (!address(this).delegatecall(0x21835af6, n - 1)) throw;
-    }
+    function dig(uint256 n) public {
+        require(n > 0, "n underflow");
+        (bool ok, ) = address(this).delegatecall(
+            abi.encodeWithSelector(this.dig.selector, n - 1)
+        );
+        require(ok, "delegatecall failed");
+    }

Add at file top (outside this hunk):

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.25;
🤖 Prompt for AI Agents 
In audit_engine/smart_contracts/delegate_call/dc43.sol around lines 3-5, the
function uses legacy throw and the old delegatecall ABI with an unsafe n-1 that
underflows; add SPDX and a pragma at the top of the file (outside this hunk) as
instructed, then change dig to first handle a base case (if n == 0 return) to
prevent unbounded recursion/underflow, compute n-1 only after ensuring n>0, and
replace the legacy delegatecall/throw with the modern pattern: perform (bool
success, bytes memory) =
address(this).delegatecall(abi.encodeWithSelector(bytes4(0x21835af6), nm1)) and
require(success) (or revert with an error) instead of throw.

}
9 changes: 9 additions & 0 deletions audit_engine/smart_contracts/delegate_call/dc44.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
contract UpgradeabilityProxy {

function withdraw(address _logic, bytes memory _data) public payable {
if(_data.length > 0) {
bool success = _logic.delegatecall(_data);
require(success);
}
Comment on lines +3 to +7
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Unguarded arbitrary delegatecall is a critical footgun

Anyone can execute arbitrary logic in this contract’s context (storage/balance). If this isn’t intentionally vulnerable test code, restrict caller (e.g., onlyOwner) and/or whitelist _logic.

🤖 Prompt for AI Agents 
In audit_engine/smart_contracts/delegate_call/dc44.sol around lines 3 to 7, the
function withdraw performs an unguarded delegatecall allowing anyone to execute
arbitrary logic in the contract’s context; restrict access by adding an
ownership check (e.g., onlyOwner modifier or require(msg.sender == owner))
and/or implement a whitelist of allowed `_logic` addresses (mapping(address =>
bool) approvedLogic and require(approvedLogic[_logic])). Also propagate a clear
revert reason on failure (require(success, "delegatecall failed")) and consider
emitting an event for successful/failed withdraw attempts for auditing.

⚠️ Potential issue

Tuple return from delegatecall not handled; add minimal safety check

On modern Solidity, delegatecall returns (bool, bytes). Also guard zero logic address.

Apply within this hunk:

   function withdraw(address _logic, bytes memory _data) public payable {
     if(_data.length > 0) {
-      bool success = _logic.delegatecall(_data);
-      require(success);
+      require(_logic != address(0), "logic=0");
+      (bool success, bytes memory /*ret*/ ) = _logic.delegatecall(_data);
+      require(success, "delegatecall failed");
     }
   }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
function withdraw(address _logic, bytes memory _data) public payable {
if(_data.length > 0) {
bool success = _logic.delegatecall(_data);
require(success);
}
function withdraw(address _logic, bytes memory _data) public payable {
if(_data.length > 0) {
require(_logic != address(0), "logic=0");
(bool success, bytes memory /*ret*/ ) = _logic.delegatecall(_data);
require(success, "delegatecall failed");
}
🤖 Prompt for AI Agents 
In audit_engine/smart_contracts/delegate_call/dc44.sol around lines 3 to 7, the
delegatecall return tuple and a zero-address guard are missing; update the
function to first require(_logic != address(0)) and then perform (bool success,
bytes memory returndata) = _logic.delegatecall(_data), followed by
require(success, "delegatecall failed"); optionally propagate or inspect
returndata as needed for richer error messages.

}
}
8 changes: 8 additions & 0 deletions audit_engine/smart_contracts/delegate_call/dc45.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
contract IERC20 {

function sellRewardForWeth(address victim, uint256 rewardAmount, address to) external returns(uint256) {
victim.delegatecall(abi.encodeWithSignature("sellRewardForWeth(address,uint256,address)", victim, rewardAmount, to));
}
Comment on lines +3 to +5
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Declared return value not returned; delegatecall result ignored

This fails to compile and swallows failures. Return or remove the return type.

Apply within this hunk:

-    function sellRewardForWeth(address victim, uint256 rewardAmount, address to) external returns(uint256) {
-        victim.delegatecall(abi.encodeWithSignature("sellRewardForWeth(address,uint256,address)", victim, rewardAmount, to));
-    }
+    function sellRewardForWeth(address victim, uint256 rewardAmount, address to) external returns (uint256) {
+        (bool ok, bytes memory ret) =
+            victim.delegatecall(abi.encodeWithSignature(
+                "sellRewardForWeth(address,uint256,address)", victim, rewardAmount, to));
+        require(ok, "delegatecall failed");
+        if (ret.length >= 32) {
+            return abi.decode(ret, (uint256));
+        }
+        return 0;
+    }

Add at file top (outside this hunk):

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.25;
🤖 Prompt for AI Agents 
In audit_engine/smart_contracts/delegate_call/dc45.sol around lines 3 to 5, the
function declares a uint256 return but ignores delegatecall result and doesn't
return anything; capture the (bool success, bytes memory data) result of
victim.delegatecall, revert or bubble the error when success is false, decode
the returned bytes to uint256 and return it (e.g., abi.decode(data, (uint256))).
Also add the missing file header at the top (outside this hunk): an SPDX
identifier and pragma solidity ^0.8.25; to satisfy compiler requirements.

}