Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: high
Invalid

[H-1] Unprotected Upgrade Mechanism in PerpsEngine

Summary

The PerpsEngine inherits an unprotected upgrade() function from UpgradeBranch, allowing attackers to replace critical logic and drain funds.

Vulnerability Details

Affected Code:

// In UpgradeBranch.sol (assumed implementation)
function upgrade(address newImpl) public {
    // No access control modifier
    implementation = newImpl;
}

Proof of concept:

// Foundry test simulating upgrade attack
function testMaliciousUpgrade() public {
    address attacker = 0xBAD...;
    PerpsEngine engine = PerpsEngine(deployedAddress);
    // Deploy malicious implementation
    MaliciousLiquidation impl = new MaliciousLiquidation();
    // Unauthorized upgrade
    vm.prank(attacker);
    engine.upgrade(address(impl));
    // Drain funds via hijacked liquidation
    engine.liquidateAccount(victim);
    assertEq(asset.balanceOf(attacker), 1_000_000e18);
}

Exploit Scenario:

  1. Attacker deploys malicious contract with liquidateAccounts function that drains funds.

  2. Calls upgrade(newImpl) to replace liquidation logic.

  3. Triggers liquidation to steal collateral.

Impact

Theft of All Collateral: Critical severity (CVSS 9.6).

Permanent Protocol Shutdown: Attacker can brick core functions.

Tools Used

Slither (arbitrary-send detector).

Foundry exploit simulation.

Recommendations

// Implement timelock and governance control
function upgrade(address newImpl) public onlyGovernance {
    require(block.timestamp >= upgradeTime, "Upgrade locked");
    implementation = newImpl;
}

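
The recommendation above leaves onlyGovernance and upgradeTime undefined. The following added example (not part of the submission and not Zaros code) shows one way to define them as a schedule-then-execute timelock; the contract name, the DELAY value and the governance address are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract for illustration; names are not taken from Zaros.
contract TimelockedUpgradeGate {
    address public immutable governance;    // assumed governance address, e.g. a multisig
    uint256 public constant DELAY = 2 days; // assumed review window before an upgrade applies
    address public implementation;
    address public pendingImpl;
    uint256 public upgradeTime; // earliest timestamp at which pendingImpl may be applied

    event UpgradeScheduled(address indexed newImpl, uint256 eta);
    event Upgraded(address indexed newImpl);
    error NotGovernance();
    error NotAContract();
    error NothingScheduled();
    error UpgradeLocked(uint256 eta);

    modifier onlyGovernance() {
        if (msg.sender != governance) revert NotGovernance();
        _;
    }

    constructor(address governance_, address initialImpl) {
        governance = governance_;
        implementation = initialImpl;
    }

    // Step 1: announce the new implementation on-chain so it can be reviewed during DELAY.
    function scheduleUpgrade(address newImpl) external onlyGovernance {
        if (newImpl.code.length == 0) revert NotAContract();
        pendingImpl = newImpl;
        upgradeTime = block.timestamp + DELAY;
        emit UpgradeScheduled(newImpl, upgradeTime);
    }

    // Governance can withdraw a scheduled upgrade before it is applied.
    function cancelUpgrade() external onlyGovernance {
        delete pendingImpl;
        delete upgradeTime;
    }

    // Step 2: apply only the implementation that was scheduled, and only after the delay.
    function upgrade() external onlyGovernance {
        if (pendingImpl == address(0)) revert NothingScheduled();
        if (block.timestamp < upgradeTime) revert UpgradeLocked(upgradeTime);
        implementation = pendingImpl;
        delete pendingImpl;
        delete upgradeTime;
        emit Upgraded(implementation);
    }
}
```

Because upgrade() takes no argument, the address that goes live is always the one announced in UpgradeScheduled, so monitoring that event gives reviewers the full delay to inspect the new code.
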
Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
