When a user creates a new DAO using the function MembershipFactory:createNewDaoMembership, a new TransparentUpgradeableProxy is created and its owner is set to proxyAdmin. This proxyAdmin is itself a ProxyAdmin contract, so it will block the upgrade functionality.
A user can create a new DAO by calling the function MembershipFactory:createNewDaoMembership(). The owner parameter for the new contract is passed as proxyAdmin, which is an OpenZeppelin ProxyAdmin contract created in the constructor of the MembershipFactory contract, with msg.sender as the owner of that ProxyAdmin.
If we look at the TransparentUpgradeableProxy constructor, it uses the initialOwner parameter to deploy a new ProxyAdmin, which becomes the owner of the TransparentUpgradeableProxy.
So let me explain this complex scenario:
=> The Transparent Upgradeable Proxy sets its admin to ProxyAdmin1, the admin of ProxyAdmin1 is ProxyAdmin2, and the owner (admin) of ProxyAdmin2 is the deployer of the MembershipFactory contract.
So if the user wanted to upgrade the implementation contract, the call would have to go like this:
Deployer => ProxyAdmin2 => ProxyAdmin1 => Transparent Upgradeable Proxy
But this call is impossible, as there is no way to call ProxyAdmin1 from the ProxyAdmin2 contract, as ProxyAdmin1 has only 1 function that is
And the function signature passed to the proxy is very different from the function signature used here: the function called is upgradeToAndCall with 2 parameters, while in ProxyAdmin the function upgradeToAndCall takes 3 parameters. So this call will not be made, and hence the upgrade will not be able to take place.
The TransparentUpgradeableProxy will not work, breaking the core functionality of the protocol.
Manually
Don't pass a ProxyAdmin contract when initializing a new TransparentUpgradeableProxy contract.
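A sketch of that recommendation, added here as an example and not taken from the audited MembershipFactory code. It assumes OpenZeppelin Contracts v5 (where the proxy deploys its own ProxyAdmin from initialOwner); DaoFactorySketch, upgradeOwner and createDao are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

import {TransparentUpgradeableProxy} from
    "@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol";
import {ProxyAdmin} from "@openzeppelin/contracts/proxy/transparent/ProxyAdmin.sol";

// Hypothetical factory illustrating the fix; not the project's contract.
contract DaoFactorySketch {
    // Account that may upgrade DAOs: an EOA or a multisig,
    // NOT a ProxyAdmin contract deployed by the factory.
    address public immutable upgradeOwner;
    address public immutable implementation;

    event DaoCreated(address indexed proxy, address indexed proxyAdmin);

    constructor(address implementation_, address upgradeOwner_) {
        implementation = implementation_;
        upgradeOwner = upgradeOwner_;
    }

    function createDao(bytes calldata initData)
        external
        returns (address proxy, address admin)
    {
        // initialOwner is the final owner. The proxy constructor deploys
        // exactly one ProxyAdmin and makes initialOwner its owner, so the
        // chain is: upgradeOwner => ProxyAdmin => proxy.
        proxy = address(
            new TransparentUpgradeableProxy(implementation, upgradeOwner, initData)
        );

        // The proxy created its ProxyAdmin with CREATE at nonce 1, so the
        // address is keccak256(rlp([proxy, 1])) truncated to 20 bytes.
        admin = address(uint160(uint256(keccak256(
            abi.encodePacked(bytes1(0xd6), bytes1(0x94), proxy, bytes1(0x01))
        ))));

        // Deployment-time check: the auto-deployed ProxyAdmin must be owned
        // directly by upgradeOwner. With a ProxyAdmin passed as initialOwner,
        // owner() would be that contract and upgrades would be stuck.
        require(ProxyAdmin(admin).owner() == upgradeOwner, "admin owner mismatch");

        emit DaoCreated(proxy, admin);
    }
}
```

The emitted proxyAdmin address is the contract upgradeOwner calls to upgrade a given DAO, so recording it at creation avoids having to recover it from the proxy's admin slot later.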