Delegatecall to Arbitrary Address
Description
An attacker may perform delegatecall() to an arbitrary address, potentially leading to unauthorized access or execution of malicious code.
Examples
Insecure Code
solidity
contract VulnerableContract { function delegate(address contractAddress) public { contractAddress.delegatecall(); } }Secure Code
solidity
contract SecureContract { function delegate(address contractAddress) public { require(contractAddress == authorizedAddress, 'Unauthorized address'); contractAddress.delegatecall(); } }Remediation
Validate and sanitize the input address before performing the delegatecall(). Ensure that the address is authorized and trusted.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0652 |
| Category | Smart Contract |
| Severity | HIGH |
| CWE | CWE-20 |
| Confidence | LOW |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | MODERATE |
| Tags | delegatecall, arbitrary address, input validation |
| OWASP | N/A |