Delegatecall

An EVM opcode that invokes code at another address in the caller’s storage context. The called bytecode can read and write the caller’s storage, spend the caller’s Ether, and see the caller’s msg.sender. In effect, delegatecall is a naked eval: whoever controls the target address controls the caller’s state.

The opcode exists to enable library patterns and upgradable proxy contracts, but its semantic reach makes it the sharpest available knife in Solidity. The July 2017 Parity multisig wallet freeze (Parity Multisig) was triggered by an untrusted actor invoking a library’s initializer via delegatecall, taking ownership of the library, and then self-destructing it — rendering every wallet that delegated to it unusable and freezing ~$280M of Ether.

House on Rock - LangSec in Ethereum Classic lists delegatecall with the Fallback Method as examples of implicit behaviour incompatible with LangSec: the call site doesn’t locally express what the code can do.

Tags

#solidity #evm #smart-contracts #langsec

Backlinks

Fallback Method

In Solidity, the unnamed function a contract invokes when it receives a call whose signature doesn’t match any declared method (or when it receives plain Ether). Prior to Solidity 0.6 it was function() { ... }; since 0.6 it is split into fallback() and receive().

Fallback methods are a canonical Solidity foot-gun: they execute code on every unknown call, including calls from untrusted counterparties, and they run in a context where the caller’s identity, the amount of Ether received, and the remaining gas are easy to misreason about. The DAO reentrancy exploit (TheDAO) and several Parity-wallet incidents (Parity Multisig) turned on fallback-method behaviour.

House on Rock - LangSec in Ethereum Classic cites the fallback method as a language design that hides implicit behaviour — the opposite of what a LangSec approach prescribes.

Summary

A LangSec critique of Ethereum aimed at the Ethereum Classic community, framed around the parable of the wise and foolish builders and Philip K. Dick’s “reality is that which, when you stop believing in it, doesn’t go away.” Patterson argues Ethereum was built on sand — an ad-hoc, non-executable yellow-paper semantics; a hand-rolled Solidity parser; a test suite with no coverage for delegatecall or invalid opcodes; a design culture that scorned formal methods until hundred-million-dollar losses forced the issue.

The central technical argument is that the gas mechanism does not do what the yellow paper claims it does. Gavin Wood’s stated purpose — “sidestep the inevitable issues stemming from Turing completeness” — confuses a resource bound (a non-semantic, decidable property) with a safety guarantee (a semantic property that Rice’s theorem makes undecidable in general). Gas cannot show a contract “does nothing malicious”; it can only show it eventually halts. Worse, gas creates an adversarial economic game with direct monetary reward for tricking the accounting, and a perverse incentive for honest developers to omit runtime sanity checks because conditionals cost gas.

Patterson’s prescription for Ethereum Classic: standardise on KEVM (an executable operational semantics in the K framework), fix the VM test suite’s gaps, build languages that don’t hide implicit behaviour (method visibility defaults, fallback methods, delegatecall as naked eval), and invest in developer tools — IDEs, live debuggers, verification — that surface what a contract can actually do. “Code is law” requires the meaning of the code to be unambiguous, executable, and visible.

Key Ideas

Rice’s theorem bounds what gas can mean. Non-trivial semantic properties of arbitrary programs are undecidable; resource bounds are non-semantic. Gas therefore cannot sidestep Turing-completeness-induced safety problems, contrary to the yellow paper.

Gas as adversarial game. The accounting is an attack surface, not a safety property; attackers are paid to win. Honest contract authors are weakly pushed toward removing checks to keep gas costs competitive.

LangSec programmer–machine contract. Inputs must have a formal grammar; two implementations of the same spec must accept/reject identical inputs; semantics must be executable so claims about behaviour can be verified mechanically.

Ad-hoc semantics breeds consensus failures. When the yellow paper and cpp-ethereum disagree, cpp-ethereum wins — the denotational semantics is decorative. Discrepancies between clients have already caused real Ethereum consensus failures.

Test suites are part of software design. Official VM tests have no coverage for invalid opcodes or delegatecall — the exact instruction at the heart of the Parity multisig hacks. “VM tests” is false advertising; downstream VM implementations inherit the blind spot.

Case studies of processing-fluency failure.

DAO: mutual recursion across a defender/attacker code boundary, missed in reviews because reviewers examine functions one at a time (cf. Leveson: accidents emerge from interactions).
Hacker Gold: =+ typed instead of += — a hand-rolled recursive-descent parser caught nothing; a Bison grammar would have surfaced a shift/reduce conflict.
Parity multisig (July 2017): fallback method × delegatecall × public-by-default visibility = naked eval on attacker-controlled payload; $31M drained, $150M saved only by counter-theft.
Parity multisig (Nov 2017): library contract re-initialised by an outsider then suicided, locking $153M in wallets whose code had vanished — “left-pad for multi-million-dollar table stakes.”

KEVM (K framework operational semantics) gives Ethereum an executable semantics; generated interpreter ~20× slower than cpp-ethereum but usable, and supports reachability-based proof of safety/liveness claims.

Cognitive-science constraint. Miller’s 7±2 bounds how much implicit state a programming language can demand before human reasoning fails. Solidity’s implicit defaults (public methods, fallback dispatch, implicit conversions) exceed that budget.

“Worse is better” is unconscionable in a financial system. Sacrificing correctness and completeness to ship first transfers the cost of undefined behaviour onto users.

Connections

Making Smart Contracts Smarter — same semantic gap diagnosis; OYENTE is the symbolic-execution complement to Patterson’s formal-semantics prescription.

Formalise Blockchain Interoperability Patterns — companion move: formalise what was informal.

Security Applications Of Formal Language Theory — the Sassaman/Bratus/Patterson LangSec manifesto this talk operationalises for smart contracts.

The Halting Problems of Network Stack Insecurity — parallel argument that parser/semantics weakness is the root cause of whole vulnerability classes.

Exploit Programming - From Buffer Overflows To Weird Machines — “weird machines” framing applies directly to contracts driven off-spec via delegatecall.

PKI Layer Cake - Kaminsky Patterson Sassaman — Patterson’s earlier demonstration that grammatical discrepancies between implementations are exploitable (SSL CA forgery); same mechanism, different domain.

A Language-Based Approach To Prevent DDoS — language-theoretic remediation as a general pattern.

Operational Semantics, Denotational Semantics, EVM, Solidity, TheDAO, Reentrancy — background concepts.

An Unsolvable Problem of Elementary Number Theory — Church 1936; LangSec’s undecidability heritage behind the Rice’s-theorem argument against gas-as-safety.

Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme I — Gödel 1931; the incompleteness ancestor of the semantic-limit arguments.

Parity Multisig

Two infamous 2017 incidents involving the Parity Wallet multisig contract on Ethereum:

July 2017 — the “hack” (~$30M): a flaw in the wallet’s initWallet function allowed any caller to re-initialise the contract and claim ownership, because initWallet had no access control and could be invoked after deployment via Delegatecall.

November 2017 — the “freeze” (~

280M): a security researcher experimenting with the library contract used `initWallet` to take ownership of the *shared library*, then invoked `selfdestruct` on it. Every deployed wallet that delegated to that library was instantaneously bricked, freezing ~

280M of ETH across hundreds of multisig deployments.

Both incidents turn on the same confluence: Delegatecall as naked eval, missing access controls, and Solidity’s default method visibility. House on Rock - LangSec in Ethereum Classic cites them as emblematic of the language-design failures the LangSec approach is meant to prevent.