The graduateAndUpgrade function allows the principal to upgrade the contract to an arbitrary implementation without validating the new contract's integrity. The _authorizeUpgrade function performs no checks on the new implementation, exposing the system to unauthorized upgrades.
In UUPS upgradeable contracts, the _authorizeUpgrade function must enforce strict validation of the new implementation address. However, in LevelOne, this function only checks that the caller is the principal and does not validate the newImplementation address at all. A compromised principal could point the proxy at a malicious contract, leading to fund theft or logic manipulation.
A malicious or compromised principal can upgrade the contract to a harmful implementation, draining all USDC funds or altering critical logic (e.g., changing score thresholds).
Implement a whitelist or governance mechanism to validate newImplementation in _authorizeUpgrade. Use OpenZeppelin’s UUPSUpgradeable with additional modifiers to ensure only pre-approved contracts are used for upgrades.
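The following is an added example of the recommended whitelist pattern and is not LevelOne's own code. The governor role (upgradeGovernor), the approvedImplementations mapping, the custom errors and the event names are assumptions; only the principal role, USDC and _authorizeUpgrade come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

/// Hardened _authorizeUpgrade sketch (added example, not the LevelOne code).
/// Assumptions: `principal` is the admin that triggers upgrades; a separate
/// `upgradeGovernor` (hypothetical, e.g. a multisig or timelock) pre-approves
/// implementations so that the principal alone cannot choose the target.
contract LevelOneHardened is Initializable, UUPSUpgradeable {
    address public principal;
    address public upgradeGovernor;
    mapping(address => bool) public approvedImplementations;

    error NotPrincipal();
    error NotGovernor();
    error ImplementationNotApproved(address implementation);
    error NotAContract(address implementation);

    event ImplementationApproved(address indexed implementation);

    /// Prevent the logic contract itself from being initialized by anyone.
    constructor() {
        _disableInitializers();
    }

    function initialize(address _principal, address _governor) external initializer {
        __UUPSUpgradeable_init();
        principal = _principal;
        upgradeGovernor = _governor;
    }

    /// Governance whitelists one specific implementation address ahead of time.
    function approveImplementation(address implementation) external {
        if (msg.sender != upgradeGovernor) revert NotGovernor();
        if (implementation.code.length == 0) revert NotAContract(implementation);
        approvedImplementations[implementation] = true;
        emit ImplementationApproved(implementation);
    }

    /// The vulnerable pattern only checks `msg.sender == principal` and ignores
    /// newImplementation. Here the target must be whitelisted, and the approval
    /// is consumed so a stale entry cannot be reused for a later upgrade.
    function _authorizeUpgrade(address newImplementation) internal override {
        if (msg.sender != principal) revert NotPrincipal();
        if (!approvedImplementations[newImplementation]) revert ImplementationNotApproved(newImplementation);
        approvedImplementations[newImplementation] = false; // one-shot approval
    }
}
```

Note that OpenZeppelin's upgradeToAndCall already verifies the new implementation's proxiableUUID, which guards against bricking the proxy with a non-UUPS contract but says nothing about whether its logic is trustworthy; the whitelist above is what closes that gap.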