Lack of upgrade functionality in `CollectionManager` for `ERC721Bridgeable` contract
Summary
The ERC721Bridgeable contract is designed to be upgradable via the UUPS proxy pattern. However, the owner of the ERC721Bridgeable contract is the CollectionManager contract, which does not have the necessary functionality to perform the upgrade.
Vulnerability Details
The Starklane::withdrawTokens() function triggers the deployment of an ERC721Bridgeable contract via the CollectionManager::_deployERC721Bridgeable() function when the address of the bridged collection on L1 is a zero address.
The CollectionManager contract acts as the deployer and owner of the ERC721Bridgeable contract. However, the CollectionManager contract lacks the necessary functionality to perform upgrades, such as calling the upgradeToAndCall function.
Impact
The upgradable contract ERC721Bridgeable deployed by the bridge cannot be upgraded.
Tools Used
vscode
Recommendations
Implement a function in CollectionManager for the authorized role to upgrade the ERC721Bridgeable contract .
Lead Judging Commences
finding-no-transferOwnership-or-upgrade-for-collections-in-CollectionManager
Likelyhood/Impact: High, it will never (until an upgrade) be able to update or transfer the ownership of any collections created on L1.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.