Wrong classification of `RipplePayMain` as being susceptible to `delegatecall_dangerous`
gsalzer commented
If I understand the announcement in README.md correctly, then the examples
directory contains contracts that have been manually confirmed to be vulnerable.
Why is RipplePayMain.sol marked as being susceptible to the delegatecall_dangerous
weakness? The Solidity file does not contain a single delegatecall instruction.
The corresponding runtime code, RipplePayMain.bin-runtime, seems to contain a DELEGATECALL. However, the byte 0xF4 only occurs in the metadata section and thus cannot be executed. So no possibility for this weakness here either.