3.5 Delegatecall

The security pitfall is related to the use of delegatecall in contracts where the delegatecall may be made to an address that is user controlled. Remember that in the case of delegatecalls, the calling contract makes a delegatecall to a called contract, where the called contract executes its logic on the state of the calling contract.

So, if the address of the called contract is user controlled, then the user may accidentally or maliciously make this delegatecall to a malicious contract, that can make unauthorized modifications to the state of the calling contract.

Therefore, delegatecalls should be used with extreme care in contracts. All precautions should be used to ensure that the destination addresses for such delegatecalls are trusted.