Submission Details
Severity: medium
Invalid

UUPS proxy missing upgrade logic in OracleUpgradeable, meaning the OracleUpgradeable contract can never be upgraded

Summary

The name of the OracleUpgradeable contract suggests it is meant to be upgradeable, but it contains no upgrade logic and can never be upgraded.

Details

OracleUpgradeable uses the UUPS proxy pattern. In this pattern the implementation contract is expected to contain both its own logic and all the code needed to change the implementation address stored in the proxy.

The OracleUpgradeable contract in src/protocol/OracleUpgradeable.sol inherits only from Initializable, so none of the required upgrade logic is present. The contract therefore cannot be upgraded, despite its name (OracleUpgradeable) implying that it can.

Filename

src/protocol/OracleUpgradeable.sol

Permalinks

https://github.com/Cyfrin/2023-11-Thunder-Loan/blob/8539c83865eb0d6149e4d70f37a35d9e72ac7404/src/protocol/OracleUpgradeable.sol#L8

External Sources

https://docs.openzeppelin.com/contracts/4.x/api/proxy#transparent-vs-uups

Impact

The OracleUpgradeable contract cannot be upgraded.

Recommendations

Add the necessary upgrade logic, for example the same inheritance the ThunderLoan contract uses.

src/protocol/OracleUpgradeable.sol:

- contract OracleUpgradeable is Initializable {
+ contract OracleUpgradeable is Initializable, OwnableUpgradeable, UUPSUpgradeable {
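Review bot: changing the inheritance list alone does not make the contract upgradeable; the initializer must also call __Ownable_init() (and __UUPSUpgradeable_init()) in the same change, otherwise owner stays address(0) and the onlyOwner-gated _authorizeUpgrade rejects every upgrade, leaving the proxy exactly as stuck as before. The hunk should show the initializer change alongside the new base contracts, e.g. `__Ownable_init();` as the first line of initialize.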

Also override _authorizeUpgrade so that UUPSUpgradeable's upgrade functions have an authorization hook:

src/protocol/OracleUpgradeable.sol:

+ function _authorizeUpgrade(address newImplementation) internal override onlyOwner { }
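The complete form of the fix described in the Details and Recommendations sections, as an added example rather than code from the Thunder Loan repository: a minimal oracle-style contract wired for UUPS upgrades with OpenZeppelin 4.x upgradeable contracts, followed by a Foundry test that deploys it behind an ERC1967 proxy, upgrades it as the owner, and checks that a non-owner cannot. The contract name OracleUpgradeableExample, the poolFactory state variable, the version() function and the addresses in the test are all hypothetical and chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not Thunder Loan project code). Assumes OpenZeppelin 4.x
// upgradeable contracts and forge-std are available via remappings.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

contract OracleUpgradeableExample is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    // Hypothetical state: the oracle keeps a pointer to a pool factory.
    address public poolFactory;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation itself so only the proxy can ever be initialized.
        _disableInitializers();
    }

    function initialize(address factory) external initializer {
        __Ownable_init();          // sets owner = msg.sender; without it onlyOwner always reverts
        __UUPSUpgradeable_init();
        poolFactory = factory;
    }

    function version() external pure virtual returns (uint256) {
        return 1;
    }

    // The UUPS hook: upgradeTo/upgradeToAndCall call this before switching implementations.
    function _authorizeUpgrade(address newImplementation) internal override onlyOwner {}
}

// A second implementation so the test can observe a real upgrade.
contract OracleUpgradeableExampleV2 is OracleUpgradeableExample {
    function version() external pure override returns (uint256) {
        return 2;
    }
}

contract OracleUpgradeTest is Test {
    // ERC-1967 implementation slot: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 constant IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    OracleUpgradeableExample oracle;
    address owner = makeAddr("owner");      // constructed test address
    address attacker = makeAddr("attacker"); // constructed test address

    function setUp() public {
        OracleUpgradeableExample impl = new OracleUpgradeableExample();
        bytes memory init = abi.encodeCall(OracleUpgradeableExample.initialize, (makeAddr("factory")));
        // The proxy constructor delegatecalls initialize, so the proxy deployer becomes owner.
        vm.prank(owner);
        ERC1967Proxy proxy = new ERC1967Proxy(address(impl), init);
        oracle = OracleUpgradeableExample(address(proxy));
    }

    function testOwnerCanUpgrade() public {
        OracleUpgradeableExampleV2 v2 = new OracleUpgradeableExampleV2();
        vm.prank(owner);
        oracle.upgradeTo(address(v2));
        assertEq(vm.load(address(oracle), IMPL_SLOT), bytes32(uint256(uint160(address(v2)))));
        assertEq(oracle.version(), 2);
    }

    function testNonOwnerCannotUpgrade() public {
        OracleUpgradeableExampleV2 v2 = new OracleUpgradeableExampleV2();
        vm.prank(attacker);
        vm.expectRevert("Ownable: caller is not the owner");
        oracle.upgradeTo(address(v2));
        assertEq(oracle.version(), 1);
    }

    function testImplementationCannotBeInitializedDirectly() public {
        OracleUpgradeableExample impl = new OracleUpgradeableExample();
        vm.expectRevert("Initializable: contract is already initialized");
        impl.initialize(address(1));
    }
}
```

The two points a reviewer checks in such a fix are both exercised here: the owner is actually set during initialization (otherwise the onlyOwner-gated hook would reject every upgrade and the contract would remain frozen), and the bare implementation is locked with _disableInitializers() so nobody can initialize it out from under the proxy.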

Tools Used

  • Manual Audit

  • Foundry

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
