Jul 20, 2017 · 1 min read
I would like to see ‘call’ and ‘delegatecall’ disallowed in Solidity unless there is a #pragma at the start of the code saying something like #pragma unsafe. The two biggest exploits (by far), this one and the DAO, have been related to either ‘call’ or ‘delegatecall.’ If these were “off by default” auditing would be easier. I think you’ve slightly misrepresented what happened too. Didn’t the fallback function contain a delegate call which allowed arbitrary code to be executed. It’s my understanding that the attacker entered through the fallback function’s delegatecall. Might be wrong on that.
