Unprotected UUPS:_authorizeUpgrade() allows anyone to change the implementation to a malicious one and steal user's funds
Summary
Unprotected UUPS:_authorizeUpgrade() allows anyone to change the implementation to a malicious one and steal user's funds.
Vulnerability Details
The _authorizeUpgrade(), in the Openzeppelin UUPS implementation, is expected to be overriden by the child contract to enforce access control protection on upgradeToAndCall().
In MondrianWalletV2.sol the function is overridden but the onlyOwner modifier is missing, this allows anyone to call it and update the proxy implementation.
A malicious user can exploit this by changing the implementation to a malicious contract that he deployed which, for example, allows only the attacker to execute transactions on the wallet... effectively stealing the user's assets.
Tools Used
Manual review
Recommendations
Add the onlyOwner modifier to _authorizeUpgrade().
Lead Judging Commences
Lack of access control in _authorizeUpgrade
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.