
feat: Delegate call and proxy pattern vulnerability detection (CP-118) #14

Description

@Nanle-code

Overview

Proxy and upgrade patterns are ubiquitous in modern DeFi — UUPS, Transparent Proxy, Beacon, and Diamond (EIP-2535). Each introduces unique vulnerabilities around delegatecall, storage layout collisions, and unprotected upgrade functions. ChainProof currently has no coverage for these patterns.

Vulnerability Patterns to Detect

1. Storage Slot Collision

```solidity
// Proxy.sol
contract Proxy {
    address public implementation; // slot 0
}

// Implementation.sol
contract Implementation {
    address public owner; // also slot 0 — COLLISION
}
```

2. Unprotected _authorizeUpgrade

```solidity
function _authorizeUpgrade(address newImpl) internal override {} // empty body, no access control
```

3. Uninitialized Implementation Contract

`initialize()` is callable by anyone directly on the implementation contract: an attacker sets themselves as owner, then calls `selfdestruct` (Parity hack pattern).

4. delegatecall to User-Controlled Address

```solidity
function execute(address target, bytes calldata data) external {
    target.delegatecall(data); // attacker supplies malicious target
}
```

5. Function Selector Clashing (Diamond Proxy)

Two facets registering the same 4-byte selector, causing one to shadow the other.

Detection Approach

  1. Identify proxy patterns via storage variable naming heuristic
  2. Detect delegatecall to non-constant address
  3. Check _authorizeUpgrade and upgradeTo for access control guards
  4. Detect storage layout conflicts by enumerating slot 0 in proxy vs implementation
  5. Flag uninitialized implementation contracts
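As an added illustration of detection steps 2 and 3 (not ChainProof's own code), the following TypeScript sketches source-level heuristics for pattern 4 (delegatecall to a caller-supplied address) and pattern 2 (unguarded `_authorizeUpgrade`); the `Finding` shape, the rule id wiring and the constructed `SAMPLE` contracts are assumptions.

```typescript
// Added example, not ChainProof's own code: regex heuristics for patterns 2 and 4 above over
// flattened Solidity source. The Finding shape and the "CP-118" rule wiring are assumptions.
export interface Finding { rule: string; severity: "Critical" | "High"; line: number; message: string; }
const lineOf = (src: string, idx: number) => src.slice(0, idx).split("\n").length; // 1-based line
// Text inside the brace pair whose "{" sits at `open` (plain depth walk, no string/comment awareness).
function bodyAt(src: string, open: number): string {
  let depth = 0, i = open;
  for (; i < src.length; i++) {
    if (src[i] === "{") depth++; else if (src[i] === "}" && --depth === 0) break;
  }
  return src.slice(open + 1, i);
}
// Pattern 4: `x.delegatecall(...)` where x is an address parameter of the enclosing function.
export function findUserControlledDelegatecall(src: string): Finding[] {
  const out: Finding[] = [];
  const fnRe = /function\s+\w+\s*\(([^)]*)\)[^{;]*\{/g; // [^;] skips bodiless declarations
  let m: RegExpExecArray | null;
  while ((m = fnRe.exec(src)) !== null) {
    const params = new Set(m[1].split(",").map(p => p.trim().split(/\s+/))
      .filter(t => t[0] === "address").map(t => t[t.length - 1])); // "address payable x" -> "x"
    const open = m.index + m[0].length - 1;
    const body = bodyAt(src, open), dcRe = /(\w+)\.delegatecall\s*\(/g;
    let d: RegExpExecArray | null;
    while ((d = dcRe.exec(body)) !== null) {
      if (params.has(d[1])) out.push({ rule: "CP-118", severity: "Critical", line: lineOf(src, open + 1 + d.index),
        message: `delegatecall target '${d[1]}' is a caller-supplied parameter` });
    }
  }
  return out;
}
// Pattern 2: _authorizeUpgrade with an empty body and no only* modifier (OpenZeppelin's onlyOwner form is not flagged).
export function findUnguardedAuthorizeUpgrade(src: string): Finding[] {
  const out: Finding[] = [];
  const re = /function\s+_authorizeUpgrade\s*\([^)]*\)([^{]*)\{\s*\}/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) {
    if (!/\bonly\w*/.test(m[1])) out.push({ rule: "CP-118", severity: "Critical",
      line: lineOf(src, m.index), message: "_authorizeUpgrade has no access-control guard" });
  }
  return out;
}
// Constructed sample: Vuln should be flagged on lines 2 and 3, Safe not at all (impl is assumed immutable).
export const SAMPLE = `contract Vuln {
  function execute(address target, bytes calldata data) external { target.delegatecall(data); }
  function _authorizeUpgrade(address newImpl) internal override {}
}
contract Safe {
  function run(bytes calldata data) external { impl.delegatecall(data); }
  function _authorizeUpgrade(address) internal override onlyOwner {}
}`;
```

These are text heuristics only; a real rule in `packages/core/src/rules/` should work on the parsed AST so that comments, strings and shadowed names do not produce false positives.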

Acceptance Criteria

  • CP-118 rule in packages/core/src/rules/cp118-proxy-delegate.ts
  • All 5 patterns detected with Critical/High severity
  • Proxy pattern auto-detection heuristic
  • Storage slot collision detection
  • Vulnerable UUPS proxy example in examples/contracts/proxy/
  • Secure UUPS proxy with OpenZeppelin pattern in same folder
