Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Ignored Return Values in Delegate Calls

Summary

The ERC1967Utils library ignores return values from critical delegate calls during contract upgrades.

Vulnerability Details

Two functions in the ERC1967Utils library ignore return values: upgradeToAndCall ignores the return value from Address.functionDelegateCall(newImplementation, data) on line 72, and upgradeBeaconToAndCall ignores the return value from Address.functionDelegateCall(IBeacon(newBeacon).implementation(), data) on line 162.

Impact

Medium. Ignoring return values from delegate calls during the upgrade process could mask failures, potentially leaving the contract in an inconsistent state. If a delegate call fails silently, the contract might appear to have upgraded successfully while actually being in a broken state.

Tools Used

Slither static analysis tool

Recommendations

  • Modify the affected functions to check and handle return values from delegate calls.

  • Implement proper error handling for failed delegate calls, with appropriate event emissions or reverts.

  • Consider using OpenZeppelin's latest contracts, which may have addressed this issue, or submit a pull request upstream if the latest version is already in use.

  • Add tests that specifically verify the correct handling of failed delegate calls during upgrades.
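The check the recommendations call for, as an added example that is not code from the submission or from OpenZeppelin: an upgrade helper that drops the delegatecall result beside one that tests the success flag, re-raises the callee's revert data, and emits only after success. Note that OpenZeppelin's Address.functionDelegateCall already performs this check internally and reverts on failure, returning only the callee's return data, which is why its bytes return value can be safely discarded; the storage helpers `_implementation()` and `_setImplementation()` below are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not code from the submission or from OpenZeppelin.
/// `_implementation()` and `_setImplementation()` are hypothetical storage helpers.
abstract contract UpgradeHelperExample {
    event Upgraded(address indexed implementation);
    error ImplementationHasNoCode(address implementation);
    error UpgradeCallFailed(address implementation);

    function _implementation() internal view virtual returns (address);
    function _setImplementation(address newImpl) internal virtual;

    /// UNCHECKED: the (bool success, bytes returndata) tuple is dropped, so a
    /// reverting initializer leaves the proxy pointing at `newImpl` with no
    /// state migrated and no indication to the caller that anything failed.
    function _upgradeUnchecked(address newImpl, bytes memory data) internal {
        _setImplementation(newImpl);
        // solhint-disable-next-line avoid-low-level-calls
        newImpl.delegatecall(data); // result ignored: silent failure
    }

    /// CHECKED: reject code-less targets (delegatecall to an EOA "succeeds"),
    /// test the success flag, bubble the original revert payload so the caller
    /// sees the real reason, and only emit once the call has succeeded.
    function _upgradeChecked(address newImpl, bytes memory data)
        internal
        returns (bytes memory returndata)
    {
        if (newImpl.code.length == 0) revert ImplementationHasNoCode(newImpl);
        _setImplementation(newImpl);
        if (data.length == 0) {
            emit Upgraded(newImpl);
            return returndata; // nothing to initialize
        }
        bool success;
        // solhint-disable-next-line avoid-low-level-calls
        (success, returndata) = newImpl.delegatecall(data);
        if (!success) {
            if (returndata.length > 0) {
                // Re-raise Error(string), Panic(uint256) or a custom error as-is.
                assembly {
                    revert(add(returndata, 32), mload(returndata))
                }
            }
            revert UpgradeCallFailed(newImpl);
        }
        emit Upgraded(newImpl);
    }
}
```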

Updates

Lead Judging Commences

yeahchibyke Lead Judge 27 days ago
yeahchibyke Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Lack of quality