Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Unprotected Upgrade

reidnermarques123

The LevelOne.sol contract uses the Universal Upgradeable Proxy Standard (UUPS) to allow future upgrades to the smart contract. However, it was not possible to confirm that the _authorizeUpgrade(address) function is implemented with the appropriate restrictions.

Risk: Without the _authorizeUpgrade() function implemented and restricted to an administrative role (e.g. onlyPrincipal), any user can override the contract logic with malicious logic, taking full control of the funds and functionality

// SPDX-License-Identifier: MIT

pragma solidity 0.8.26;

import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

contract LevelOne is Initializable, UUPSUpgradeable {

address public principal;

function initialize(/* parameters */) public /* without initializer */ {

// ...

principal = msg.sender;

// ...

}

/// @notice Upgrade authorization function without any restriction

function _authorizeUpgrade(address newImplementation) internal override {

// no control: vulnerable!

}

// rest of the contract...

}

// SPDX-License-Identifier: MIT

pragma solidity 0.8.26;

import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

contract LevelOne is Initializable, UUPSUpgradeable {

address public principal;

/// @notice Can only be executed once

function initialize(/* parameters */) public initializer {

// Initialize state

principal = msg.sender;

// other settings...

}

/// @notice Modifier that allows only the principal (administrator)

modifier onlyPrincipal() {

require(msg.sender == principal, "LevelOne: caller is not principal");

}

/// @notice Protects the upgrade so only the principal can perform it

function _authorizeUpgrade(address newImplementation)

internal

override

onlyPrincipal

{}

// rest of the contract...

}

Updates

Lead Judging Commences

yeahchibyke Lead Judge 2 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

yeahchibyke Lead Judge 2 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.