Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Invalid

[M-2] Unverified Delegatecall Forwarding Risks in `MarketMakingEngine` Contract (Proxy Pattern Vulnerability)

Summary

The proxy architecture delegates calls to branch contracts without adequate verification, risking storage collisions or malicious delegatecall injection.

Vulnerability Details

Architecture Overview:

```
                          RootProxy
                              |
        ----------------------------------------------
        |                     |                      |
  UpgradeBranch         LookupBranch      CreditDelegationBranch
```

Key Risks:

  1. Unverified Branch Contracts: If branches can be modified post-deployment, they might use incompatible storage layouts.

  2. Delegatecall Injection: Missing validation of `msg.sender` in branch functions could allow unauthorized logic execution.

Proof of Concept:
If CreditDelegationBranch contains:

```solidity
function delegateLiquidity(address target) external {
    (bool success,) = target.delegatecall(msg.data); // Arbitrary delegatecall
}
```

An attacker could execute arbitrary delegatecalls through this function.

Impact

Medium Impact: Storage corruption or limited fund loss

High Likelihood: Common in complex proxy systems

Medium Risk: Depends on branch implementations

Tools Used

Manual pattern analysis

Foundry

Recommendations

  1. Implement strict input validation in all branch functions

  2. Use Diamond Storage pattern for versioned storage

  3. Add delegatecall allowlist:

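```solidity
address[] allowedDelegates; // implementations permitted as delegatecall targets

// isAllowed(impl) is assumed to check membership in allowedDelegates
function _delegate(address impl) internal {
    require(isAllowed(impl), "Unauthorized delegate");
    (bool success,) = impl.delegatecall(msg.data);
    require(success, "Delegatecall failed");
}
```
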
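
A sketch that combines recommendations 2 and 3: the allowlist lives in a namespaced (Diamond Storage style) slot and gates every delegatecall. This is an added example, not code from the Zaros code base or from the submission; `AllowlistedProxy`, `DelegateAllowlistStorage`, and the slot string are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; contract, library, and slot names are hypothetical.
library DelegateAllowlistStorage {
    // Namespaced slot: the struct cannot overlap a branch's own state variables.
    // Bump the version suffix when the layout changes incompatibly.
    bytes32 internal constant SLOT = keccak256("example.proxy.delegate.allowlist.v1");

    struct Layout {
        address admin;
        mapping(address => bool) allowed;
    }

    function layout() internal pure returns (Layout storage l) {
        bytes32 slot = SLOT;
        assembly {
            l.slot := slot
        }
    }
}

contract AllowlistedProxy {
    event DelegateAllowed(address indexed impl, bool allowed);

    constructor() {
        DelegateAllowlistStorage.layout().admin = msg.sender;
    }

    // Only the admin can change which implementations may run in this contract's storage context.
    function setAllowed(address impl, bool allowed) external {
        DelegateAllowlistStorage.Layout storage l = DelegateAllowlistStorage.layout();
        require(msg.sender == l.admin, "Not admin");
        require(impl.code.length > 0, "Not a contract");
        l.allowed[impl] = allowed;
        emit DelegateAllowed(impl, allowed);
    }

    // Reject any target that is not on the allowlist before forwarding the call.
    function _delegate(address impl) internal returns (bytes memory) {
        require(DelegateAllowlistStorage.layout().allowed[impl], "Unauthorized delegate");
        (bool success, bytes memory ret) = impl.delegatecall(msg.data);
        if (!success) {
            assembly {
                revert(add(ret, 32), mload(ret)) // bubble up the callee's revert data
            }
        }
        return ret;
    }
}
```
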
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
