First Flight #19: Mondrian Wallet v2
First Flight #19
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Anyone can upgrade `MondrianWallet2` contract

yaioxy

Summary

The MondrianWallet2 contract is vulnerable to unauthorized upgrades due to the lack of access control in the _authorizeUpgrade function.

Vulnerability Details

When upgrading a smart contract using the UUPS pattern, the _authorizeUpgrade function needs to be overridden to implement access control for the upgrade process. Although the _authorizeUpgrade function is overridden in the MondrianWallet2 contract, it is missing any access control mechanism, allowing anyone to upgrade the contract.

Since the MondrianWallet2 contract inherits the upgradeToAndCall function from the UUPSUpgradeable contract, a malicious actor can call this function and upgrade the contract to a different implementation.

Poc

function testRandomUserCanUpgradeContract() public {
MondrianWallet2 newImplementation = new MondrianWallet2();
address alice = makeAddr("alice");
// Act
vm.startPrank(alice);
mondrianWallet.upgradeToAndCall(address(newImplementation), "");
vm.stopPrank();
}

Impact

A malicious actor can upgrade the MondrianWallet2 contract to a different implementation.

Tools Used

Foundry

Recommendations

Add the requireFromBootLoaderOrOwner modifier to the _authorizeUpgrade function to ensure that only authorized entities (bootloader or owner) can upgrade the contract.

- function _authorizeUpgrade(address newImplementation) internal override {}
+ function _authorizeUpgrade(address newImplementation) internal override requireFromBootLoaderOrOwner {}
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of access control in _authorizeUpgrade

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!