[pallet-assets] Reject delegatecall into pallet-assets ERC20 precompile (#11676)

0xRVE · github-actions[bot] · web-flow · commit 9c21405463f4 · 2026-04-09T07:42:11.000Z
There is no legitimate use case for delegatecalling into the asset
precompile. This matches the precedent set by the Storage precompile,
which already enforces a delegatecall check (in the opposite direction —
it *requires* delegatecall).

## Changes

- `lib.rs`: Add `ERR_DELEGATECALL_DENIED` const and `is_delegate_call()`
guard before any dispatch logic
- `tests.rs`: Add `delegatecall_is_rejected` test using the `Caller.sol`
fixture

## Test plan

- [x] `cargo test -p pallet-assets-precompiles` — all 67 tests pass
- [x] `delegatecall_is_rejected` verifies the guard rejects delegatecall
via the `Caller` fixture contract

---------

Co-authored-by: cmd[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
diff --git a/prdoc/pr_11676.prdoc b/prdoc/pr_11676.prdoc
@@ -0,0 +1,15 @@
+title: '[pallet-assets] Reject delegatecall into pallet-assets ERC20 precompile'
+doc:
+- audience: Runtime Dev
+  description: "There is no legitimate use case for delegatecalling into the asset\
+    \ precompile. This matches the precedent set by the Storage precompile, which\
+    \ already enforces a delegatecall check (in the opposite direction \u2014 it *requires*\
+    \ delegatecall).\n\n## Changes\n\n- `lib.rs`: Add `ERR_DELEGATECALL_DENIED` const\
+    \ and `is_delegate_call()` guard before any dispatch logic\n- `tests.rs`: Add\
+    \ `delegatecall_is_rejected` test using the `Caller.sol` fixture\n\n## Test plan\n\
+    \n- [x] `cargo test -p pallet-assets-precompiles` \u2014 all 67 tests pass\n-\
+    \ [x] `delegatecall_is_rejected` verifies the guard rejects delegatecall via the\
+    \ `Caller` fixture contract"
+crates:
+- name: pallet-assets-precompiles
+  bump: minor
diff --git a/substrate/frame/assets/precompiles/src/lib.rs b/substrate/frame/assets/precompiles/src/lib.rs
@@ -160,6 +160,10 @@ where
 		input: &Self::Interface,
 		env: &mut impl Ext<T = Self::T>,
 	) -> Result<Vec<u8>, Error> {
+		if env.is_delegate_call() {
+			return Err(Error::Revert(Revert { reason: ERR_DELEGATECALL_DENIED.into() }));
+		}
+
 		let asset_id = PrecompileConfig::AssetIdExtractor::asset_id_from_address(address)?.into();
 		let contract_addr = H160::from(*address);
 
@@ -197,6 +201,7 @@ where
 	}
 }
 
+const ERR_DELEGATECALL_DENIED: &str = "Cannot be called via delegatecall";
 const ERR_INVALID_CALLER: &str = "Invalid caller";
 const ERR_BALANCE_CONVERSION_FAILED: &str = "Balance conversion failed";
 
diff --git a/substrate/frame/assets/precompiles/src/tests.rs b/substrate/frame/assets/precompiles/src/tests.rs
@@ -532,6 +532,7 @@ fn approve_zero_on_nonexistent_is_noop(asset_index: u16) {
 alloy::sol! {
 	interface ICaller {
 		function staticCall(address callee, bytes data, uint64 gas) external view returns (bool success, bytes output);
+		function delegate(address callee, bytes data, uint64 gas) external returns (bool success, bytes output);
 	}
 }
 
@@ -626,3 +627,62 @@ fn domain_separator_is_staticcall_compatible(asset_index: u16) {
 		);
 	});
 }
+
+#[test]
+fn delegatecall_is_rejected() {
+	new_test_ext().execute_with(|| {
+		let asset_id = 0u32;
+		let asset_addr = H160::from(set_prefix_in_address(PRECOMPILE_ADDRESS_PREFIX));
+		let deployer = 123456789u64;
+		Balances::make_free_balance_be(&deployer, 1_000_000_000_000_000u64);
+
+		assert_ok!(Assets::force_create(RuntimeOrigin::root(), asset_id, deployer, true, 1));
+		assert_ok!(Assets::mint(RuntimeOrigin::signed(deployer), asset_id, deployer, 1000));
+
+		let (init_code, _) = pallet_revive_fixtures::compile_module_with_type(
+			"Caller",
+			pallet_revive_fixtures::FixtureType::Solc,
+		)
+		.expect("Caller fixture must be compiled");
+		let caller_addr = pallet_revive::Pallet::<Test>::bare_instantiate(
+			RuntimeOrigin::signed(deployer),
+			0u32.into(),
+			TransactionLimits::WeightAndDeposit {
+				weight_limit: Weight::MAX,
+				deposit_limit: u64::MAX,
+			},
+			Code::Upload(init_code),
+			vec![],
+			None,
+			&ExecConfig::new_substrate_tx(),
+		)
+		.result
+		.expect("Caller deployment must succeed")
+		.addr;
+
+		let calldata = ICaller::delegateCall {
+			callee: alloy::primitives::Address::from(asset_addr.0),
+			data: IERC20::totalSupplyCall {}.abi_encode().into(),
+			gas: u64::MAX,
+		}
+		.abi_encode();
+
+		let result = pallet_revive::Pallet::<Test>::bare_call(
+			RuntimeOrigin::signed(deployer),
+			caller_addr,
+			0u32.into(),
+			TransactionLimits::WeightAndDeposit {
+				weight_limit: Weight::MAX,
+				deposit_limit: u64::MAX,
+			},
+			calldata,
+			&ExecConfig::new_substrate_tx(),
+		)
+		.result
+		.expect("outer call must succeed");
+
+		let ret = ICaller::delegateCall::abi_decode_returns(&result.data)
+			.expect("return must decode as (bool, bytes)");
+		assert!(!ret.success, "DELEGATECALL to asset precompile must be rejected");
+	});
+}
