Delegatecall
What it detects
This detector reports every place where a contract uses delegatecall. Delegatecall executes another contract's code within the caller's storage context (the callee's code reads and writes the caller's storage), which is risky if the callee is not trusted or not immutable.
Typical symptoms
- delegatecall opcode present in the source
- Contracts rely on external libraries at runtime
Solidity snippet (v0.8.25)
    // SPDX-License-Identifier: MIT
    pragma solidity ^0.8.25;

    contract UsesDelegatecall {
        // The target address and calldata are chosen by the caller, so the
        // delegatecall should be carefully audited.
        function run(address lib, bytes calldata data) external {
            (bool ok, ) = lib.delegatecall(data);
            require(ok, "fail");
        }
    }
Why it matters on EVM
Delegatecall can change the caller's state in unexpected ways, because the callee writes to the caller's storage slots according to the callee's own layout. It is often the root cause of upgrade or initialization bugs when misused.
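The following is an added illustration, not code from the detector's documentation: an open proxy that lets the caller pick the delegatecall target, next to a hardened version that pins the target at deployment, restricts who may invoke it, and keeps its storage layout aligned with the library. The contract names Counter, OpenProxy and PinnedProxy are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.25;

// Library-style contract whose storage layout the caller is expected to mirror.
contract Counter {
    address public owner;   // slot 0 (shared with the caller's slot 0 under delegatecall)
    uint256 public count;   // slot 1

    function increment() external {
        count += 1;
    }
}

// Weak: anyone may choose the delegatecall target, so arbitrary code runs with
// this contract's storage, including code that rewrites slot 0 (owner).
contract OpenProxy {
    address public owner = msg.sender;
    uint256 public count;

    function run(address lib, bytes calldata data) external {
        (bool ok, ) = lib.delegatecall(data);
        require(ok, "fail");
    }
}

// Hardened: the target is fixed at deployment, only the owner may invoke it,
// and the storage layout matches Counter's so writes land on the intended slots.
contract PinnedProxy {
    address public owner;            // slot 0, same position as in Counter
    uint256 public count;            // slot 1, same position as in Counter
    address public immutable logic;  // immutables live in code, not in storage

    constructor(address trustedLogic) {
        require(trustedLogic.code.length > 0, "not a contract");
        owner = msg.sender;
        logic = trustedLogic;
    }

    function increment() external {
        require(msg.sender == owner, "not owner");
        // Only a fixed selector is forwarded; no caller-supplied calldata.
        (bool ok, ) = logic.delegatecall(
            abi.encodeWithSelector(Counter.increment.selector)
        );
        require(ok, "delegatecall failed");
    }
}
```

The detector flags both proxies, since both contain delegatecall; the review question is whether the target and calldata are controlled by the contract (PinnedProxy) or by the caller (OpenProxy).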