NFTBridge
60,000 USDC
Submission Details
Severity: high
Invalid

Usage of an incorrect version of the Ownable library can potentially cause all onlyOwner functions to malfunction

Summary

The contract uses a non-upgradeable version of the Ownable library, which sets the deployer as the default owner via a constructor. Since upgradeable proxy contracts cannot use constructors, deploying this contract will leave the owner undefined, rendering all onlyOwner functions inaccessible.

Vulnerability Details

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/UUPSProxied.sol#L14

contract UUPSOwnableProxied is Ownable, UUPSUpgradeable {

In UUPSOwnableProxied.sol, the contract is designed to be deployed as an upgradeable proxy contract, but it uses @openzeppelin/contracts/access/Ownable.sol instead of the upgradeable version, @openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol. The non-upgradeable version is incompatible with the proxy pattern due to its reliance on constructors.

Impact

All onlyOwner functions will be permanently inaccessible after deployment, leading to a potential malfunction of critical administrative features.

Tools Used

Manual review

Recommendations

Switch to @openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol
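
The storage split behind the claim in the Summary, as an added example that is not part of the submission or the project's code; CtorOwnable, Impl, MiniProxy and Check are constructed stand-ins. It shows a constructor-set owner reading as zero through a proxy, and an initializer executed through the proxy setting it, which is the thing to look for in the implementation when assessing a report of this kind.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed stand-in for a constructor-based Ownable (not OpenZeppelin's code).
abstract contract CtorOwnable {
    address private _owner;
    constructor() { _owner = msg.sender; } // writes the implementation's own storage
    modifier onlyOwner() { require(msg.sender == _owner, "not owner"); _; }
    function owner() public view returns (address) { return _owner; }
    function _transferOwnership(address newOwner) internal { _owner = newOwner; }
}
// Hypothetical implementation contract meant to sit behind a proxy.
contract Impl is CtorOwnable {
    bool private _initialized;
    uint256 public value;
    // Reached through the proxy via delegatecall, so it writes the proxy's storage.
    function initialize(address initialOwner) external {
        require(!_initialized, "already initialized");
        _initialized = true;
        _transferOwnership(initialOwner);
    }
    function setValue(uint256 v) external onlyOwner { value = v; }
}
// Minimal constructed proxy: every call is forwarded with delegatecall.
contract MiniProxy {
    address private immutable _impl; // immutable lives in code, not in storage
    constructor(address impl_, bytes memory initData) {
        _impl = impl_;
        if (initData.length > 0) {
            (bool ok, ) = impl_.delegatecall(initData);
            require(ok, "init failed");
        }
    }
    fallback() external {
        (bool ok, bytes memory ret) = _impl.delegatecall(msg.data);
        assembly {
            if iszero(ok) { revert(add(ret, 32), mload(ret)) }
            return(add(ret, 32), mload(ret))
        }
    }
}
// Deploys both variants and reports the owner each proxy sees.
contract Check {
    function run() external returns (address viaBareProxy, address viaInitializedProxy) {
        Impl impl = new Impl(); // the constructor sets the owner in impl's storage only
        bytes memory init = abi.encodeCall(Impl.initialize, (address(this)));
        viaBareProxy = Impl(address(new MiniProxy(address(impl), ""))).owner();
        viaInitializedProxy = Impl(address(new MiniProxy(address(impl), init))).owner();
    }
}
```

Calling run() returns the zero address for the proxy deployed without initialization data and the Check contract's own address for the proxy whose constructor ran initialize.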

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
