[H-1] Centralized Upgrade Control Allows Total Protocol Takeover (Access Control + Fund Drain)
Summary
The ZlpVault contract inherits upgradeability via OpenZeppelin’s UUPSUpgradeable pattern but grants exclusive upgrade rights to the contract owner. This centralization introduces a single point of failure, enabling malicious logic replacement that could drain funds, disable withdrawals, or manipulate LP rewards.
Vulnerability Details
Affected Code:
The UUPS upgrade pattern is implemented with critical flaws:
-
Single-Point Failure: onlyOwner modifier grants unilateral upgrade rights
-
No Timelock: Immediate execution of upgrades
-
No Governance Oversight: Complete owner discretion
Exploit Scenario:
-
Attacker compromises owner's private key (phishing/social engineering)
-
Deploys malicious implementation contract with selfdestruct or transferAll logic
-
Calls upgradeToAndCall() with malicious contract address
-
Drains all vault assets in one transaction
Proof of Concept:
Impact
High Impact: All LP funds can be stolen (~$X million TVL at risk)
High Likelihood: Single-owner compromise is common attack vector
Critical Risk: Permanent protocol shutdown possible via selfdestruct
Tools Used
Manual Review, Slither, Foundry
Recommendations
Implement TimelockController for upgrade delays:
-
Transition to DAO governance using OpenZeppelin Governor
-
Remove onlyOwner pattern entirely
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.