delegatecall() or callcode() to an address controlled by the user allows execution of malicious contracts in the context of the caller's state. Ensure that such calls only go to trusted destination addresses.
- Controlled delegatecall -> User-controlled Address
- Malicious Contracts
- Contract State -> Unauthorized Modification
- delegatecall -> Trusted Addresses
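
The pattern described above, shown as the weak form beside a corrected one. This is an added example, not code from the original page; the contract names, function names and the owner-managed allowlist are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; UnsafeForwarder and SafeForwarder are hypothetical names.

// VULNERABLE: the delegatecall destination comes straight from the caller.
contract UnsafeForwarder {
    address public owner;

    constructor() { owner = msg.sender; }

    // Code at `target` executes against THIS contract's storage and balance,
    // so an untrusted target can rewrite `owner` (storage slot 0).
    function forward(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.delegatecall(data);
        require(ok, "delegatecall failed");
        return ret;
    }
}

// HARDENED: delegatecall is only allowed to destinations the owner approved.
contract SafeForwarder {
    address public owner;
    mapping(address => bool) public trustedTarget;

    event TargetTrustChanged(address indexed target, bool trusted);

    constructor() { owner = msg.sender; }

    function setTrusted(address target, bool trusted) external {
        require(msg.sender == owner, "not owner");
        // A delegatecall to an address without code reports success, so refuse those.
        require(!trusted || target.code.length > 0, "target has no code");
        trustedTarget[target] = trusted;
        emit TargetTrustChanged(target, trusted);
    }

    function forward(address target, bytes calldata data) external returns (bytes memory) {
        require(trustedTarget[target], "untrusted delegatecall target");
        (bool ok, bytes memory ret) = target.delegatecall(data);
        require(ok, "delegatecall failed");
        return ret;
    }
}
```

An allowlisted target still runs with the caller's storage layout, so each approved contract needs the same review as the forwarder itself.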