**Risk of Denial Of Service** **Severity:** Critical Context: Implementation.sol#L17-L21 ``` function delegatecallContract(address a, bytes calldata _calldata) payable external returns (bytes memory) { (bool success, bytes memory ret) = a.delegatecall(_calldata); require(success); return ret; } ``` The `delegatecallContract` function does not have any access control that prevents it to be called from anyone. It uses a `delegatecall` which is dangerous. What `delegatecall` does is call a function in another contract, which executes in the context of the first contract (here the implementation contract). You could have it call a malicious contract's function that has a `selfdestruct()` in it. Doing that would actually remove the implementation contract's bytecode and make it not usable anymore. It won't be possible to restore the funds that could be in the proxy contract. This is especially true since there is no function in the proxy contract that allows it to change the implementation contract address. **Recommendation**: Since this contract is stateless we should convert the contract into a library and remove the `payable` keyword. Also libraries cannot be `selfdestruct`. ``` library Implementation { function callContract(address a, bytes calldata _calldata) external returns (bytes memory) { (bool success , bytes memory ret) = a.call{value: msg.value}(_calldata); require(success); return ret; } function delegatecallContract(address a, bytes calldata _calldata) external returns (bytes memory) { (bool success, bytes memory ret) = a.delegatecall(_calldata); require(success); return ret; } } ```