# Report

## Improper Implementation of delegatecallContract function

**Severity**: High

**Context**: [`Implementation.sol#17`](https://github.com/spearbit-audits/writing-exercise/blob/develop/contracts/Implementation.sol#L17)

The Implementation contract is deployed only once and is used by all proxy contracts as a fixed address that cannot change after deployment. This contract is vulnerable: its `delegatecallContract(address a, bytes calldata _calldata)` function can be called by anyone, and an attacker can disable all the proxy contracts by exploiting it through `selfdestruct`.

Steps to reproduce the attack on the Implementation contract:

1. The attacker deploys a contract with a `selfdestruct` function.
2. The `delegatecallContract` function calls the attacker's contract. Because the call is a `delegatecall`, the code runs in the Implementation contract's own context and destroys the Implementation contract.

Here is an example of an attacker contract that can selfdestruct the Implementation contract by calling `attack()`: https://github.com/adeshkolte/Solidity-Challenge/tree/main/contracts

**Recommendation**: To mitigate this vulnerability:

* Check whether `delegatecallContract` is being delegate-called by another contract:

  ```
  contract Implementation {
      // Address of the deployed Implementation itself, fixed at construction
      address private immutable originalAddress;

      constructor() {
          originalAddress = address(this);
      }

      // ...

      function delegatecallContract(address a, bytes calldata _calldata) payable external returns (bytes memory) {
          // Reverts when called directly on the Implementation (fixed)
          require(address(this) != originalAddress, "SCV");
          // ...
      }

      // ...
  }
  ```

* Convert the Implementation contract to a library and remove `payable` from the function.
* Create a whitelist of contracts in the Implementation contract. This requires recreating the Implementation contract so that only whitelisted contracts can call the `delegatecallContract()` function. For example: https://dev.to/emanuelferreira/how-to-create-a-smart-contract-to-whitelist-users-57ki
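
The first recommendation exercised end to end, as an added example that is not code from the audited repository: `MinimalProxy`, `Echo`, `GuardCheck` and the forwarding body of `delegatecallContract` are assumptions made for illustration. `GuardCheck.run()` calls the function once directly on the implementation, where the guard reverts with "SCV", and once through a proxy, where `address(this)` is the proxy and the guard passes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Forwarding body is an assumption; only the guard comes from the report.
contract GuardedImplementation {
    // Immutables are stored in the runtime bytecode, not in storage, so this
    // reads the same value when the code runs under a proxy's delegatecall.
    address private immutable originalAddress;
    constructor() { originalAddress = address(this); }

    function delegatecallContract(address a, bytes calldata _calldata)
        external payable returns (bytes memory)
    {
        // Direct call: address(this) is the implementation -> revert.
        // Via a proxy: address(this) is the proxy -> allowed.
        require(address(this) != originalAddress, "SCV");
        (bool ok, bytes memory ret) = a.delegatecall(_calldata);
        require(ok, "delegatecall failed");
        return ret;
    }
}

// Hypothetical minimal proxy standing in for the project's proxy contracts.
contract MinimalProxy {
    address private immutable implementation;
    constructor(address impl) { implementation = impl; }
    fallback() external payable {
        (bool ok, bytes memory ret) = implementation.delegatecall(msg.data);
        assembly {
            if iszero(ok) { revert(add(ret, 32), mload(ret)) }
            return(add(ret, 32), mload(ret))
        }
    }
}

// Hypothetical harmless delegatecall target.
contract Echo { function ping() external pure returns (uint256) { return 42; } }

contract GuardCheck {
    // Deploys all three contracts and exercises both call paths.
    function run() external returns (bool directReverted, uint256 viaProxy) {
        GuardedImplementation impl = new GuardedImplementation();
        address proxy = address(new MinimalProxy(address(impl)));
        address echo = address(new Echo());
        bytes memory ping = abi.encodeWithSelector(Echo.ping.selector);
        try impl.delegatecallContract(echo, ping) {} catch { directReverted = true; }
        bytes memory out = GuardedImplementation(proxy).delegatecallContract(echo, ping);
        viaProxy = abi.decode(out, (uint256));
    }
}
```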