Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

[H] Lack of contract existence check on delegatecall will result in unexpected behavior

Summary

In the _distribute function, there is a low-level .call that results in a delegatecall to the implementation contract.

If the implementation contract is incorrectly set or is self-destructed, the contract may not detect
failed executions.

Vulnerability Details

A delegatecall to a destructed contract will return success as part of the EVM
specification. The Solidity documentation includes the following warning:
https://docs.soliditylang.org/en/develop/control-structures.html#error-handling-assert-require-revert-and-exceptions

"The low-level functions call, delegatecall and staticcall return true as their first return value if
the account called is non-existent, as part of the design of the EVM. Account existence must be
checked prior to calling if needed."

Impact

The contract will not throw an error if its implementation is incorrectly set or
self-destructed. It will instead return success even though no code was executed.

Tools Used

Manual Review

Recommendations

Short term, implement a contract existence check before the delegatecall. Document the
fact that suicide and selfdestruct can lead to unexpected behavior, and prevent any
future upgrades from introducing these functions.

Something like this:

address implementation = _implementation;
// extcodesize is only available in inline assembly; code.length is the Solidity equivalent
if (implementation == address(0) || implementation.code.length == 0) {
    revert Distributor__InvalidImplementation();
}
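
The behavior described under Vulnerability Details and the check recommended above, side by side in one self-contained contract. This is an added example, not code from the audited project: the contract, function and error names are hypothetical, and 0xdead is a constructed address assumed to hold no code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration: all names here are hypothetical, not taken from the audited code.
contract DelegatecallExistenceDemo {
    error Demo__InvalidImplementation();
    error Demo__DelegatecallFailed();

    // Unchecked form: reports success for an address that holds no code,
    // because the EVM treats a call to an empty account as a successful no-op.
    function uncheckedDelegate(address implementation, bytes calldata data)
        external
        returns (bool success)
    {
        (success, ) = implementation.delegatecall(data);
    }

    // Checked form: refuses targets with no code, then bubbles up any revert.
    function checkedDelegate(address implementation, bytes calldata data)
        external
        returns (bytes memory result)
    {
        if (implementation == address(0) || implementation.code.length == 0) {
            revert Demo__InvalidImplementation();
        }
        bool success;
        (success, result) = implementation.delegatecall(data);
        if (!success) {
            // Re-raise the callee's revert data, or a generic error if there is none.
            if (result.length == 0) revert Demo__DelegatecallFailed();
            assembly {
                revert(add(result, 32), mload(result))
            }
        }
    }

    // Runs both forms against a constructed address assumed to hold no code.
    function demo() external returns (bool uncheckedSucceeded, bool checkedReverted) {
        address empty = address(0xdead);
        uncheckedSucceeded = this.uncheckedDelegate(empty, "");
        try this.checkedDelegate(empty, "") {} catch {
            checkedReverted = true;
        }
    }
}
```

Calling demo() on a local test chain shows the difference between the two paths without deploying any implementation contract.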
