Submission Details
Severity:
`MondrianWalletV2::_authorizeUpgrade` allow anyone upgrade the contract
Summary
The function MondrianWalletV2::_authorizeUpgrade don't have a verification to know who can upgrade the contract.
Vulnerability Details
The function MondrianWalletV2::_authorizeUpgrade don't verify if only owner could be upgrade the contract or other actor:
// Needed for UUPS
function _authorizeUpgrade(address newImplementation) internal override{}
Impact
Anyone can upgrade the contract and hack the funds.
Tools Used
Foundry and Solidity
Proof Of Concept
Add the following PoC to test/ModrianWallet2Test.t.sol:
function testZkOnlyAdminCanUpgradeContract() public {
// Arrange
address anonymousUser = makeAddr("anonymousUser");
MondrianWallet2 newImplementation = new MondrianWallet2();
// Act
// User that is not the owner tries to upgrade the contract
vm.prank(anonymousUser);
vm.expectRevert();
UUPSUpgradeable(address(mondrianWallet)).upgradeToAndCall(address(newImplementation), bytes(""));
// User that is the owner tries to upgrade the contract
vm.prank(ANVIL_DEFAULT_ACCOUNT);
UUPSUpgradeable(address(mondrianWallet)).upgradeToAndCall(address(newImplementation), bytes(""));
}
And run: forge test --zksync --system-mode=true --match-test testZkOnlyAdminCanUpgradeContract
Recommendations
Add the modifier onlyOwner:
- function _authorizeUpgrade(address newImplementation) internal override {}
+ function _authorizeUpgrade(address newImplementation) internal override onlyOwner {}
Updates
Lead Judging Commences
bube 11 months ago
Submission Judgement Published Assigned finding tags:
Lack of access control in _authorizeUpgrade
Rewards breakdown
nSLOC
105This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.