## Implementation contract can be destructed which will lock assets **Severity**: High Context: [`Implementation.sol#L17`](https://github.com/spearbit-audits/writing-exercise/blob/de45a4c5b654710812e9fa29dde6e12526fe4786/contracts/Implementation.sol#L17) As described in the comment, there will be 1 deployed `Implementation` and multiple `Proxy` contracts will be deployed. Since all `Proxy` contracts are using `Implementation` contract, it will be a critical risk if `Implementation` contract can be destructed. Since `Implementation` is also a contract, anyone can call `callContract()`/`delegatecallContract()` directly to the `Implementation` contract. If someone calls `Implementation.delegatecallContract()` with parameters set to call the selfdestructing function, it will end up destructing the `Implementation` contract. Which will freeze all assets deposited in `Proxy` **Recommendation**: Simple suggestion is to change `Implementation` into `library` not `contract` ```diff - contract Implementation { + library Implementation { - function callContract(address a, bytes calldata _calldata) payable external returns (bytes memory) { + function callContract(address a, bytes calldata _calldata) external returns (bytes memory) { (bool success , bytes memory ret) = a.call{value: msg.value}(_calldata); require(success); return ret; } - function delegatecallContract(address a, bytes calldata _calldata) payable external returns (bytes memory) { + function delegatecallContract(address a, bytes calldata _calldata) external returns (bytes memory) { (bool success, bytes memory ret) = a.delegatecall(_calldata); require(success); return ret; } } ``` In solidity, `library` can be deployed as contract, but it does not allow direct calls when function changes the status. Which does not allow calling `callContract()`/`delegatecallContract()` on `Implementation`. Reference link : [Solidity Official Documentation about library call protection](https://docs.soliditylang.org/en/v0.8.15/contracts.html#call-protection-for-libraries)