Smart Contract / Delegatecall to Untrusted Callee
Description
Delegatecall to Untrusted Callee is a Smart Contract vulnerability (CWE-817), catalogued among the insecure Solidity coding practices in the SWC registry. It occurs when a contract uses delegatecall on an external contract whose address has not been verified or is not trusted. Because delegatecall executes the callee's code in the caller's context (the caller's storage, balance, msg.sender and msg.value), a malicious callee effectively runs arbitrary code as the caller's contract. The OWASP Testing Guide suggests that all external calls be verified and monitored for suspicious or malicious behavior.
Risk
The risk of this vulnerability is high: code selected by the untrusted callee runs with full access to the caller's storage and balance. This can compromise the caller's contract and allow its data to be stolen or modified. The same access can be used to render the caller's contract unusable, which amounts to a denial of service against it.
Solution
To prevent this vulnerability, every delegatecall target should be thoroughly reviewed and verified before deployment. The callee address should be fixed, or changeable only by a trusted owner, and never derived from user-supplied input; the callee's code should be audited for malicious behavior, and anything suspicious should be reported. External calls should also be monitored for unexpected changes.
Example
// contract A
pragma solidity ^0.8.0;

contract A {
    // Hard-coded, unverified target (placeholder address, not a real contract)
    address constant TARGET = 0x1234567890123456789012345678901234567890;

    function f() public {
        // delegatecall runs TARGET's code with A's storage and A's msg.sender
        (bool ok, ) = TARGET.delegatecall(msg.data);
        require(ok, "delegatecall failed");
    }
}
In the above example, contract A forwards its calldata to a hard-coded external address using delegatecall. Because the target's code runs with A's storage and permissions, an unverified target that contains malicious code can take over contract A.
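To make the storage-context point concrete, the following is an added example (not code from the original page) that places a caller-controlled delegatecall next to a hardened proxy whose implementation address is pinned at deployment. The contract names OpenProxy and PinnedProxy and the functions forward and _delegate are my own naming for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable pattern: the caller of forward() picks the delegatecall target.
// delegatecall runs the callee's code with THIS contract's storage, balance,
// msg.sender and msg.value, so a malicious callee that writes storage slot 0
// replaces `owner` with whatever it likes.
contract OpenProxy {
    address public owner; // storage slot 0

    constructor() {
        owner = msg.sender;
    }

    // Caller-controlled delegatecall target (the SWC-112 pattern).
    function forward(address callee, bytes calldata data) external payable {
        (bool ok, ) = callee.delegatecall(data);
        require(ok, "delegatecall failed");
    }
}

// Hardened pattern: the delegatecall target is pinned at deployment and can
// never change, so only code reviewed before deployment runs in this
// contract's context. The constructor also rejects non-contract addresses,
// because delegatecall to an externally owned account succeeds silently
// and executes nothing.
contract PinnedProxy {
    address public immutable implementation;

    constructor(address impl) {
        require(impl.code.length > 0, "implementation is not a contract");
        implementation = impl;
    }

    // Forward any call (and any value) to the pinned implementation.
    fallback() external payable {
        _delegate(implementation);
    }

    receive() external payable {
        _delegate(implementation);
    }

    function _delegate(address impl) private {
        (bool ok, bytes memory ret) = impl.delegatecall(msg.data);
        assembly {
            // ret is a bytes array: length word at ret, payload at ret + 32
            switch ok
            case 0 { revert(add(ret, 32), mload(ret)) }  // bubble up revert data
            default { return(add(ret, 32), mload(ret)) } // bubble up return data
        }
    }
}
```

If upgradeability is a requirement, replace `immutable` with a setter restricted to a trusted owner, and keep every new implementation's storage layout compatible with the proxy's, since the implementation's writes land in the proxy's slots. Static analyzers such as Slither flag the OpenProxy pattern with their controlled-delegatecall detector, which is a useful check to run in CI before deployment.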
Related incidents
- The Parity Wallet Bug: In 2017, a vulnerability was discovered in the Parity Wallet that allowed users to call an untrusted contract using the delegatecall function. This led to the theft of 513,774.16 Ether.
- The BECoin Wallet Hack: In 2018, a vulnerability was discovered in the BECoin wallet that allowed attackers to call an untrusted contract, which resulted in the loss of 1.5 million BECoin tokens.
- The Bithumb Hack: In 2018, a vulnerability was discovered in the Bithumb exchange that allowed attackers to call an untrusted contract, leading to the loss of $31 million in cryptocurrencies.
- The CoinDash Hack: In 2017, a vulnerability was discovered in the CoinDash platform that allowed attackers to call an untrusted contract, leading to the loss of $7 million in Ethereum.
- The DragonEx Hack: In 2019, a vulnerability was discovered in the DragonEx exchange that allowed attackers to call an untrusted contract, resulting in the loss of $6 million in cryptocurrencies.