Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Low-level call returns true if the address doesn't exist

Summary

Ethereum's low-level functions call, delegatecall and staticcall are used to interact with other smart contracts or accounts on the Ethereum blockchain. When you use these functions and the account you are trying to interact with does not exist, they still return true as their first return value. This is by design in the Ethereum Virtual Machine (EVM).

Vulnerability Details

    function _distribute(address proxy, bytes calldata data) internal {
        // Low-level call: succeeds (success == true) even if `proxy` has no code
        (bool success,) = proxy.call(data);
        if (!success) revert ProxyFactory__DelegateCallFailed();
        emit Distributed(proxy, data);
    }

This behaviour has implications, particularly when transferring funds or assets between contracts or accounts. If you attempt a transfer to a non-existent account using one of these low-level functions, the call still returns true, indicating success, even though no actual transfer occurred. Funds can therefore appear to "disappear", since there is no error message or any other indication that the transfer failed.

Impact

As stated in the Solidity documentation, the low-level functions call, delegatecall and staticcall return true as their first return value if the called account is non-existent, as part of the design of the EVM. Account existence must be checked before calling if needed.

Please find the documentation here: https://docs.soliditylang.org/en/develop/control-structures.html#error-handling-assert-require-revert-and-exceptions

Tools Used

Manual review

Recommendations

Before any low-level call, check that the target address actually exists. For example, before the low-level call in the _distribute function, check that the address is a contract by verifying that its code size is non-zero.
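The following is an added example, not code from the Sparkn project or from this submission. It places the unchecked _distribute pattern from the finding beside a hardened version that refuses to call an address with no code, using address.code.length (EXTCODESIZE, available since Solidity 0.8.0). The contract names, the ProxyFactory__ProxyHasNoCode error and the harness contract are assumptions made for this illustration; only ProxyFactory__DelegateCallFailed and the Distributed event come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example (not the Sparkn project's code). Names other than
// ProxyFactory__DelegateCallFailed and Distributed are assumptions.
contract DistributeExample {
    error ProxyFactory__DelegateCallFailed();
    error ProxyFactory__ProxyHasNoCode(address proxy); // assumed error name

    event Distributed(address proxy, bytes data);

    // Pattern from the finding: a call to an address with no code returns
    // success == true even though no code ran, so the revert never triggers.
    function distributeUnchecked(address proxy, bytes calldata data) external {
        (bool success,) = proxy.call(data);
        if (!success) revert ProxyFactory__DelegateCallFailed();
        emit Distributed(proxy, data);
    }

    // Hardened form: require that the target has code before calling it.
    // address.code.length reads EXTCODESIZE; it is 0 for EOAs, for addresses
    // that were never used, and for a contract still inside its constructor.
    function distributeChecked(address proxy, bytes calldata data) external {
        if (proxy.code.length == 0) revert ProxyFactory__ProxyHasNoCode(proxy);
        (bool success,) = proxy.call(data);
        if (!success) revert ProxyFactory__DelegateCallFailed();
        emit Distributed(proxy, data);
    }
}

// Minimal harness showing the behaviour without any test framework.
// Deploy it and call the two functions; no external dependencies needed.
contract DistributeExampleHarness {
    DistributeExample internal factory = new DistributeExample();

    // Constructed target address that has no code in the state this harness creates.
    address internal constant EMPTY = address(uint160(0xdead));

    // Constructed calldata; its content is irrelevant since nothing executes it.
    bytes internal constant PAYLOAD = hex"deadbeef";

    // Returns true: the unchecked path "succeeds" against an empty address.
    function uncheckedCallSucceeds() external returns (bool ok) {
        (ok,) = address(factory).call(
            abi.encodeWithSelector(DistributeExample.distributeUnchecked.selector, EMPTY, PAYLOAD)
        );
    }

    // Returns false: the checked path reverts with ProxyFactory__ProxyHasNoCode
    // before any low-level call is made, so the mistake is surfaced on-chain.
    function checkedCallSucceeds() external returns (bool ok) {
        (ok,) = address(factory).call(
            abi.encodeWithSelector(DistributeExample.distributeChecked.selector, EMPTY, PAYLOAD)
        );
    }
}
```

Two caveats on the check itself. A non-zero code size only proves that some contract lives at the address; it does not prove the target is a proxy deployed by this factory, so a stronger design records the proxies the factory created and accepts only those. And because EXTCODESIZE is zero while a contract's constructor is running, the check would reject a proxy that is still being constructed; that does not affect _distribute, which is called well after deployment, but it matters anywhere the same check is reused during deployment flows.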
