2 matches found
Llama Core and Policy implementation not only minimal proxy should not be allowed to be authorized as scripts
Lines of code Vulnerability details Impact authorizeScript function will be used to authorize any contract to be delegatecalled by executor's context. To be qualified as script, it should not access storage but immutable storage, because script's storage layout can be overlapped each other. I...
Delegatecalls to contracts which have different storage layouts will cause unexpected behavor. Whitelisting of delegate-callable targets is required like LlamaCore.authorizeScript().
Lines of code Vulnerability details Impact Delegatecall to targets which have storage access will read/write each other's storage variables. Although slot 0 is protected from modification by delegatecall, reading slot 0 is not protected. Modifying storage slot other than 0 is not protected. It's...