The contract performs a delegatecall to the address stored in vaultDepositController without adequately validating that address. Because delegatecall executes the target's code inside the calling contract's own context (its storage, its balance and the original msg.sender), whatever code lives at that address runs with full authority over the calling contract, so an untrusted or incorrect target can take arbitrary actions on the contract's behalf.
With no checks on vaultDepositController, any address can be used as the target. An attacker able to influence that address could redirect execution to a contract they control, and any logic in that contract would operate directly on the original contract's storage: overwriting critical variables such as the owner or accounting state, or moving funds out of the contract. A second consequence of the missing validation is that a delegatecall to an address holding no code (an EOA, an unset value, or a contract that no longer exists) returns success with empty return data, so the call appears to succeed while doing nothing.
Validate vaultDepositController so that it can only ever reference trusted code: restrict the setter with an access control modifier (for example onlyOwner), reject the zero address and any address with no code, and prefer pinning the target to an allowlisted or immutable implementation rather than accepting an arbitrary value. Note that a code-size check only rules out EOAs; it does not make the code at that address trustworthy, so the controls on who may change the address matter more than the check on the address itself.
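The following is an added illustration of the pattern described in this finding, not code from the audited repository. Contract and function names (VulnerableStrategy, MaliciousController, HardenedStrategy, setVaultDepositController, deposit) are hypothetical; only the storage variable vaultDepositController and the use of delegatecall mirror the finding. The vulnerable contract shows how a delegatecall target that shares the caller's storage layout can hijack ownership, and the hardened contract shows the checks recommended above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not part of the audited code base. Names below are hypothetical.

// delegatecall runs the target's code against THIS contract's storage layout,
// so a target that writes to its own "slot 0" overwrites `owner` here.
contract VulnerableStrategy {
    address public owner;                   // slot 0
    address public vaultDepositController;  // slot 1

    constructor() { owner = msg.sender; }

    // Defect 1: no access control and no validation of the new target.
    function setVaultDepositController(address c) external {
        vaultDepositController = c;
    }

    // Defect 2: a delegatecall to an address with no code returns ok == true
    // with empty returndata, so a typo or an EOA silently "succeeds".
    function deposit(uint256 amount) external {
        (bool ok, ) = vaultDepositController.delegatecall(
            abi.encodeWithSignature("deposit(uint256)", amount)
        );
        require(ok, "deposit failed");
    }
}

// A controller the attacker points the strategy at. Its deposit() ignores the
// amount and rewrites slot 0 of whichever contract delegatecalled it.
contract MaliciousController {
    address public owner; // slot 0: same position as VulnerableStrategy.owner

    function deposit(uint256) external {
        // msg.sender is preserved across delegatecall, so this is the attacker.
        owner = msg.sender; // executes in the strategy's storage: ownership hijacked
    }
}

contract HardenedStrategy {
    address public owner;
    address public vaultDepositController;
    // Targets must be pre-approved, so the owner cannot point the strategy at
    // arbitrary code in a single step (pair approval with a timelock/multisig).
    mapping(address => bool) public approvedControllers;

    event ControllerSet(address indexed controller);

    error NotOwner();
    error ZeroAddress();
    error NoCode(address target);
    error NotApproved(address target);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() { owner = msg.sender; }

    function approveController(address c) external onlyOwner {
        if (c == address(0)) revert ZeroAddress();
        if (c.code.length == 0) revert NoCode(c); // rules out EOAs and unset values
        approvedControllers[c] = true;
    }

    function setVaultDepositController(address c) external onlyOwner {
        if (!approvedControllers[c]) revert NotApproved(c);
        vaultDepositController = c;
        emit ControllerSet(c);
    }

    function deposit(uint256 amount) external {
        address target = vaultDepositController;
        // Re-check at call time: the code at an address can be gone by now
        // (e.g. a proxy whose implementation was cleared).
        if (target.code.length == 0) revert NoCode(target);
        (bool ok, bytes memory ret) = target.delegatecall(
            abi.encodeWithSignature("deposit(uint256)", amount)
        );
        if (!ok) {
            // Bubble up the callee's revert reason instead of swallowing it.
            assembly { revert(add(ret, 32), mload(ret)) }
        }
    }
}
```

In the vulnerable version an attacker calls setVaultDepositController with the MaliciousController address and then deposit; the controller's write to slot 0 lands in VulnerableStrategy.owner. The hardened version does not make delegatecall safe by itself: the code-size check only catches addresses with no code, and the allowlist is only as strong as the process (multisig, timelock, audit) that gates approveController. The decisive control is that only an authorised party can change where the delegatecall points.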
File: contracts/linkStaking/CommunityVCS.sol
Line: 110