MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

`removeUpgradeability()` feature is not extended to other upgradeable contracts similar to `Distribution.sol`

Summary

The `removeUpgradeability()` feature is not extended to other upgradeable contracts similar to `Distribution.sol`.

Vulnerability Details

The Distribution contract is one of the core contracts of the Morpheus protocol and is used to distribute MOR tokens to stakers. This contract has been given a `removeUpgradeability()` feature that removes the upgradeability of the contract.

```solidity
bool public isNotUpgradeable;

// . . . some code

function removeUpgradeability() external onlyOwner {
    isNotUpgradeable = true;
}

function _authorizeUpgrade(address) internal view override onlyOwner {
    require(!isNotUpgradeable, "DS: upgrade isn't available");
}
```

Before a UUPS upgrade of the contract, `_authorizeUpgrade()` first checks whether the upgrade is available. If the owner removes the upgradeability of the contract by setting `isNotUpgradeable = true`, the contract can no longer be upgraded in the future.

The issue is that this feature is missing in the contracts below, which are also UUPS upgradeable.

  1. L1Sender.sol

  2. L2MessageReceiver.sol

  3. L2TokenReceiver.sol

It is recommended to check whether the contract is upgradeable, as is done in the Distribution contract. This would bring all UUPS upgradeable contracts in line with each other in terms of upgradeability-checking functionality.

Impact

These contracts do not check whether the contract is upgradeable, and there is no function like `removeUpgradeability()` as in the Distribution contract. Therefore, all UUPS upgradeable contracts should be in line with each other in terms of upgradeability checking, so that contracts do not break in the future due to missing functionality.

Tools Used

Manual review

Recommendations

Add and modify the functionality below to be in line with a core contract like `Distribution.sol`:

```solidity
bool public isNotUpgradeable;

// . . . some code

function removeUpgradeability() external onlyOwner {
    isNotUpgradeable = true;
}

function _authorizeUpgrade(address) internal view override onlyOwner {
    require(!isNotUpgradeable, "DS: upgrade isn't available");
}
```

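
An added Foundry test, not part of the submission or of the Morpheus code base, that exercises the one-way upgrade lock described above: upgrades succeed until the owner calls `removeUpgradeability()`, then revert with the `_authorizeUpgrade` message. `LockableUUPS` is a hypothetical stand-in contract, and the test assumes forge-std and OpenZeppelin Contracts v4.9 (for `upgradeTo` and the `Ownable` revert string).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Assumption: forge-std and OpenZeppelin Contracts (Upgradeable) v4.9 are installed.
import {Test} from "forge-std/Test.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Hypothetical stand-in for a UUPS contract that carries the one-way lock.
contract LockableUUPS is OwnableUpgradeable, UUPSUpgradeable {
    bool public isNotUpgradeable;

    function initialize() external initializer {
        __Ownable_init(); // owner = caller, here the test contract
        __UUPSUpgradeable_init();
    }

    function removeUpgradeability() external onlyOwner {
        isNotUpgradeable = true; // no setter resets this flag
    }

    function _authorizeUpgrade(address) internal view override onlyOwner {
        require(!isNotUpgradeable, "DS: upgrade isn't available");
    }
}

contract LockableUUPSTest is Test {
    LockableUUPS internal proxy;

    function setUp() public {
        bytes memory init = abi.encodeCall(LockableUUPS.initialize, ());
        proxy = LockableUUPS(address(new ERC1967Proxy(address(new LockableUUPS()), init)));
    }

    function test_upgradeWorksUntilLocked() public {
        proxy.upgradeTo(address(new LockableUUPS())); // owner can still upgrade
        proxy.removeUpgradeability();
        address next = address(new LockableUUPS()); // deploy before expectRevert
        vm.expectRevert("DS: upgrade isn't available");
        proxy.upgradeTo(next);
    }

    function test_onlyOwnerCanLock() public {
        vm.prank(address(0xBEEF)); // constructed non-owner address
        vm.expectRevert("Ownable: caller is not the owner");
        proxy.removeUpgradeability();
        assertFalse(proxy.isNotUpgradeable());
    }
}
```
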
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
