The PerpsEngine inherits an unprotected upgrade() function from UpgradeBranch, allowing attackers to replace critical logic and drain funds.
Affected Code:
Proof of concept:
Exploit Scenario:
1. Attacker deploys malicious contract with liquidateAccounts function that drains funds.
2. Calls upgrade(newImpl) to replace liquidation logic.
3. Triggers liquidation to steal collateral.
Theft of All Collateral: Critical severity (CVSS 9.6).
Permanent Protocol Shutdown: Attacker can brick core functions.
Slither (arbitrary-send detector).
Foundry exploit simulation.
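
The access-control gap this finding describes, next to one way to close it, as an added illustration that is not the PerpsEngine or UpgradeBranch source. UnguardedUpgrade, GuardedUpgrade, the owner field and the code-length check are all hypothetical names and assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal contracts for illustration only; not the audited code.

/// Shape of the reported flaw: any caller can repoint the implementation.
contract UnguardedUpgrade {
    address public implementation;

    function upgrade(address newImpl) external {
        implementation = newImpl; // no check on msg.sender
    }
}

/// Hardened form: only the owner may upgrade, and the target must hold code.
contract GuardedUpgrade {
    address public immutable owner;
    address public implementation;

    error NotOwner(address caller);
    error NotAContract(address target);

    // Emitted on every upgrade so monitoring can alert on unexpected changes.
    event Upgraded(address indexed previousImpl, address indexed newImpl);

    constructor(address initialImpl) {
        owner = msg.sender;
        implementation = initialImpl;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    function upgrade(address newImpl) external onlyOwner {
        // Reject EOAs and undeployed addresses as upgrade targets.
        if (newImpl.code.length == 0) revert NotAContract(newImpl);
        emit Upgraded(implementation, newImpl);
        implementation = newImpl;
    }
}
```

A regression test for the hardened form should call upgrade from a non-owner address and expect the NotOwner revert.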