Attacker Controlled Delegatecall

What it detects

This detector flags delegatecall operations whose target address comes from user input or another untrusted source. If an attacker can choose the callee contract, its code executes in the caller's context: with the caller's storage, balance and msg.sender, so the attacker can overwrite any storage slot the calling contract holds.

Typical symptoms

  • Delegatecall target is taken directly from a function argument
  • No validation of the called contract's code or address

Solidity snippet (v0.8.25)

    pragma solidity ^0.8.25;

    contract UnsafeDelegator {
        // `target` is taken straight from the caller and never validated,
        // so anyone can point the delegatecall at a contract they control.
        function exec(address target, bytes calldata data) external {
            // Attacker controlled delegatecall
            (bool ok, ) = target.delegatecall(data);
            require(ok, "fail");
        }
    }

Why it matters on EVM

Delegatecall runs the target's code with the caller's storage layout and permissions, while msg.sender and msg.value stay those of the original call. Letting an attacker choose the target lets them corrupt arbitrary state, take over contract ownership, or (via selfdestruct in the target) destroy the calling contract.
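A hardened counterpart to the UnsafeDelegator snippet above, added here as an illustration and not part of the original detector documentation: the delegatecall target must come from an owner-maintained allowlist of contracts that actually have code, and only the owner may invoke it. The contract and member names (SafeDelegator, trustedTargets, setTrustedTarget, onlyOwner) are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.25;

// Example hardening (not the original page's code): the delegatecall
// target can no longer be chosen freely by the caller.
contract SafeDelegator {
    address public immutable owner;

    // Allowlist of audited implementation contracts. Only the owner may
    // change it, so an external caller cannot introduce a new target.
    mapping(address => bool) public trustedTargets;

    event TargetAllowed(address indexed target, bool allowed);
    event Executed(address indexed target, bytes4 indexed selector);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Register or revoke a target. Rejects EOAs and not-yet-deployed
    // addresses: delegatecall to an address without code succeeds silently,
    // which would hide a misconfiguration.
    function setTrustedTarget(address target, bool allowed) external onlyOwner {
        require(target.code.length > 0, "target has no code");
        trustedTargets[target] = allowed;
        emit TargetAllowed(target, allowed);
    }

    // Same shape as UnsafeDelegator.exec, but the target is checked against
    // the allowlist and the call is restricted to the owner.
    function exec(address target, bytes calldata data)
        external
        onlyOwner
        returns (bytes memory)
    {
        require(trustedTargets[target], "untrusted delegatecall target");
        (bool ok, bytes memory result) = target.delegatecall(data);
        require(ok, "delegatecall failed");
        emit Executed(target, bytes4(data[:4]));
        return result;
    }
}
```

Even with the allowlist, a trusted implementation must share this contract's storage layout and must not selfdestruct; the allowlist only narrows who chooses the code, not what trusted code may do.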