Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Invalid

Missing non-zero address check in _authorizeUpgrade

Summary

The _authorizeUpgrade function of the Swan contract is responsible for authorizing upgrades to the contract’s implementation when using the UUPS (Universal Upgradeable Proxy Standard) pattern. However, this function currently lacks a check to ensure that newImplementation is a non-zero address, which could lead to vulnerabilities or unintended behaviors in the upgrade process.

Vulnerability Details

Without validating that newImplementation is a non-zero address, _authorizeUpgrade allows the possibility of mistakenly setting the contract’s implementation address to address(0). This could render the proxy contract non-functional, as calls to the proxy would delegate to an empty address, likely resulting in a failure of the contract's core functions.

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L113-L115

Impact

If an upgrade is executed with newImplementation set to address(0), the contract’s proxy may lose functionality entirely. This would impact users relying on the contract’s functions and could lead to a complete loss of operability.

Tools Used

manual

Recommendations

To ensure that only valid addresses can be set as new implementations, add a check for address(0) in the _authorizeUpgrade function.

function _authorizeUpgrade(address newImplementation) internal override onlyOwner {
+ require(newImplementation != address(0), "New implementation cannot be zero address");
}
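
Review bot: the added require only rejects address(0), so any other address that holds no contract code still passes it, and a proxy pointed at such an address would fail in the same way the report describes for the zero address. If a guard is wanted here, testing newImplementation.code.length > 0 covers both cases. The function is already restricted by onlyOwner, so the check protects against an owner mistake rather than closing an access-control gap, and a comment on the line should say so.
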
Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
