Hawk High
First Flight #39
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Impact: low
Likelihood: low
Invalid

Unused bytes memory parameter in graduateAndUpgrade() (Low/Informational)

hexspectre

Summary

The function graduateAndUpgrade(address _levelTwo, bytes memory) includes a bytes memory parameter that is neither named nor used. This introduces confusion and may be misunderstood as supporting upgrade-and-call functionality.

Vulnerability Details

OpenZeppelin's upgradeToAndCall() uses a similar signature, where the second bytes parameter is used to perform a delegatecall after upgrading. However, in this contract:

  • The bytes parameter is unused,

  • There is no delegatecall logic,

  • It may mislead future developers into thinking post-upgrade calls are supported.

This results in an inconsistent interface that doesn't match its actual behavior.

Impact

This is a code clarity issue rather than a functional bug, but can mislead users or integrators expecting upgrade-and-call behavior.

Tools Used

Manual inspection

Recommendations

If not needed, simplify the function to:

function graduateAndUpgrade(address _levelTwo) public onlyPrincipal
Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.