Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Protocol has upgradeable contracts that cannot be upgraded

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/tokens/MembershipERC1155.sol#L13

The contract does not inherit from `UUPSUpgradeable`, which is necessary for UUPS-style (Universal Upgradeable Proxy Standard) upgradeability. Without this inheritance, the protocol cannot upgrade the upgradeable contract.

The `UUPSUpgradeable` contract in OpenZeppelin's framework provides the `upgradeTo` and `upgradeToAndCall` functions, allowing controlled contract upgrades. It includes authorization checks to ensure that only the authorized upgrade function (commonly an admin or proxy) can execute upgrades.

Impact

The protocol cannot upgrade the upgradeable contract.

Recommendation

Explicitly inherit from `UUPSUpgradeable` to gain access to its protected upgrade functions. Furthermore, ensure that the initialization of `UUPSUpgradeable` happens in the `initialize` function by calling `__UUPSUpgradeable_init`.

Add `UUPSUpgradeable` inheritance and initialization:

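```solidity
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

contract MembershipERC1155 is ERC1155Upgradeable, AccessControlUpgradeable, UUPSUpgradeable, IMembershipERC1155 {
    // Initialization
    function initialize(
        string memory name_,
        string memory symbol_,
        string memory uri_,
        address creator_,
        address currency_
    ) external initializer {
        __ERC1155_init(uri_);
        __AccessControl_init();
        __UUPSUpgradeable_init(); // Ensure UUPS initialization
        // Other initialization code
    }

    // UUPSUpgradeable is abstract until _authorizeUpgrade is overridden; this hook
    // gates who may upgrade. The role used here is an assumption, not taken from the project.
    function _authorizeUpgrade(address newImplementation) internal override onlyRole(DEFAULT_ADMIN_ROLE) {}
}
```
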
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
