Zaros Part 2
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: high
Invalid

Unrestricted Upgradeability - ZipVault.sol

Summary

The _authorizeUpgrade function is only protected by the onlyOwner modifier, allowing the owner to upgrade the implementation contract to any address.

Vulnerability Details

The _authorizeUpgrade function is only protected by the onlyOwner modifier, which means that the owner of the contract can upgrade the implementation contract to any address. This could potentially allow the owner to upgrade the contract to a malicious implementation, which could steal all the assets from the vault.

Impact

The owner could upgrade the contract to a malicious implementation, potentially stealing all assets from the vault and causing significant financial damage.

Tools Used

Manual code review and analysis.

Recommendations

Implement additional checks in the _authorizeUpgrade function to ensure that the new implementation contract is a valid and trusted contract. Consider using a timelock or a governance mechanism to delay the upgrade and allow users to vote on it.

function _authorizeUpgrade(address newImplementation) internal override onlyOwner {
    // Additional checks to ensure newImplementation is valid and trusted
    require(newImplementation != address(0), "Invalid implementation address");
    // ...Other checks can be added here
}

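
One way to implement the delay recommended above, as an added example that is not part of the submission or the Zaros code base. It assumes the vault inherits OpenZeppelin's UUPSUpgradeable and OwnableUpgradeable; the names DelayedUpgrade, scheduleUpgrade and cancelUpgrade and the 2-day delay are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

/// Hypothetical mixin (not Zaros code): the owner must announce an upgrade and wait
/// UPGRADE_DELAY before _authorizeUpgrade accepts it, so depositors can react first.
abstract contract DelayedUpgrade is UUPSUpgradeable, OwnableUpgradeable {
    uint256 public constant UPGRADE_DELAY = 2 days; // assumed value

    // New state: append after existing variables to keep the proxy's storage layout.
    address public pendingImplementation;
    uint256 public upgradeReadyAt;

    event UpgradeScheduled(address indexed implementation, uint256 readyAt);
    event UpgradeCancelled(address indexed implementation);

    error NotAContract(address implementation);
    error UpgradeNotScheduled(address implementation);
    error UpgradeNotReady(uint256 readyAt);

    /// Step 1: publicly announce the target; the event is what monitoring watches.
    function scheduleUpgrade(address newImplementation) external onlyOwner {
        if (newImplementation.code.length == 0) revert NotAContract(newImplementation);
        pendingImplementation = newImplementation;
        upgradeReadyAt = block.timestamp + UPGRADE_DELAY;
        emit UpgradeScheduled(newImplementation, upgradeReadyAt);
    }

    function cancelUpgrade() external onlyOwner {
        emit UpgradeCancelled(pendingImplementation);
        delete pendingImplementation;
        delete upgradeReadyAt;
    }

    /// Step 2: the UUPS hook only accepts the announced address after the delay.
    function _authorizeUpgrade(address newImplementation) internal override onlyOwner {
        if (newImplementation == address(0) || newImplementation != pendingImplementation) {
            revert UpgradeNotScheduled(newImplementation);
        }
        if (block.timestamp < upgradeReadyAt) revert UpgradeNotReady(upgradeReadyAt);
        // Single use: a later upgrade must be announced again.
        delete pendingImplementation;
        delete upgradeReadyAt;
    }
}
```
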
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
