contracts/hard_complex.sol

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/**
 * @title ComplexAudit
 * @dev A complex scenario involving multiple advanced vulnerabilities:
 * 1. Gas Griefing / Large Data Storage
 * 2. Insecure Access Control on Manager Role
 * 3. Dangerous Delegatecall Pattern
 */
contract ComplexAudit {
    mapping(address => uint256) public balances;
    mapping(address => string) public data;
    address public manager;
    uint256 public totalReward;

    constructor(address _m) {
        require(_m != address(0), "Invalid manager address");
        manager = _m;
    }

    /**
     * @dev Simple push of data without gas checking.
    function pushData(string memory d) public {
        require(bytes(d).length <= 1024, "Data too large");
        data[msg.sender] = d; 
    }
    }

    /**
    function setManager(address nextManager) public {
        require(msg.sender == manager, "Not authorized");
        require(nextManager != address(0), "Invalid address");
        manager = nextManager;
    }

    /**
    // Removed: delegatecall to arbitrary targets is inherently unsafe
        require(success, "Delegatecall failed");
    }

    /**
     * @dev Insecure balance update.
     */
    function sendReward(address to, uint256 amount) public {
        // BUG: Only manager should send, but the manager could be hijacked.
        require(msg.sender == manager, "Not manager");
        payable(to).transfer(amount);
    }
}