Hey all, I wanted to see if it's possible for me to recover ETH that I have accumulated in proxy contracts that follow the ERC1167 minimal proxy format.
Some details:
- Every clone delegates to implementation using delegatecall, no selfdestruct function
- Implementation is not upgradable. Contains a function withdrawETH(address, value), which can only be called by the controller
- Controller is also not upgradable. The controller generates proxy contracts using create2 and keeps 2 state variables, clone count and admin address list. Slightly different from other implementations - all admins here share the same clone deployments. So two different admins can call the same clone (a clone can call a clone too).
- The core function in the controller is that it will send the call data to a # of clones that the user inputs. The value of this call is the value of msg.sender divided by the number of clones.
  For example: if I call deposit() to the WETH contract with 1ETH, and I set clones to 10 starting at index 0, then this will pass the call data to clones 1 to 10 with 0.1ETH as value for each.
- There are functions to check / get balances for tokens and ETH, but they are not required for anything (I'm hoping this is where I can recover the ETH). In other words, the above function will not check if the clone has 0.1ETH balance
I have thought of some ideas, but I'm not sure if any of them will work.
- Using re-entrancy, loop the clones to send ETH / deposit into WETH. Something like, the clone will keep calling the controller until it runs out of ETH. (I don't quite understand re-entrancy, but I feel like it might work here. When I sim via Tenderly, unfortunately I'm not able to get the extra spend to work out)
- Using create2, deploy a contract at the next index. This contract will delegatecall to the implementation, except it will change the calldata to fit the withdrawETH function in the implementation (I'm not sure if this would work, if my controller can call the newest index if it was never created within the controller)
- Find some way to make the clones selfdestruct. The implementation and proxies don't have selfdestruct, but I read this might be possible through some loops of delegated calls
I have read that some developers use re-entrancy to recover stuck ETH, like with MakerDAO DSProxy. Is it possible in my case?
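
Added example, not part of the original post: an offline check that a clone's deployed runtime code is exactly the standard 45-byte ERC-1167 minimal proxy, which recovers the implementation address it delegates to and scans the clone's own code for SELFDESTRUCT opcode-by-opcode rather than byte-by-byte. The sample implementation address is constructed for illustration and deliberately contains 0xff bytes; the function names are hypothetical.

```python
# Added example (not from the original post): offline checks on ERC-1167 runtime code.
# Standard ERC-1167 runtime layout: 10-byte prefix + 20-byte implementation + 15-byte suffix.
ERC1167_PREFIX = bytes.fromhex("363d3d373d3d3d363d73")            # ends with PUSH20
ERC1167_SUFFIX = bytes.fromhex("5af43d82803e903d91602b57fd5bf3")  # GAS, DELEGATECALL, ...
DELEGATECALL, SELFDESTRUCT = 0xF4, 0xFF

# Constructed sample: a made-up implementation address that contains 0xff bytes.
SAMPLE_IMPL = bytes.fromhex("ff" + "00" * 16 + "c0ffee")
SAMPLE_CLONE = ERC1167_PREFIX + SAMPLE_IMPL + ERC1167_SUFFIX


def parse_erc1167(runtime: bytes):
    """Return the implementation address (0x-hex) if runtime is exactly the
    standard minimal proxy, otherwise None."""
    if len(runtime) != 45:
        return None
    if not (runtime.startswith(ERC1167_PREFIX) and runtime.endswith(ERC1167_SUFFIX)):
        return None
    return "0x" + runtime[10:30].hex()


def opcodes(runtime: bytes):
    """Yield (offset, opcode), skipping PUSH1..PUSH32 immediate data."""
    pc = 0
    while pc < len(runtime):
        op = runtime[pc]
        yield pc, op
        # PUSHn (0x60..0x7f) carries n bytes of data that are not instructions.
        pc += 1 + (op - 0x5F if 0x60 <= op <= 0x7F else 0)


def has_opcode(runtime: bytes, wanted: int) -> bool:
    return any(op == wanted for _, op in opcodes(runtime))


def audit_clone(runtime: bytes) -> dict:
    return {
        "implementation": parse_erc1167(runtime),
        "naive_ff_byte_present": SELFDESTRUCT in runtime,  # misleading on its own
        "selfdestruct_opcode": has_opcode(runtime, SELFDESTRUCT),
        "delegatecall_opcode": has_opcode(runtime, DELEGATECALL),
    }


if __name__ == "__main__":
    print(audit_clone(SAMPLE_CLONE))
```

The input would be the hex returned by `eth_getCode` for a clone address, converted to bytes. The scan covers only the clone's own code, not the implementation it delegates to.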