Hawk High

First Flight #39
Beginner Friendly
Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: low
Invalid

Malicious Proxy Upgrade Due to Inadequate Authorization in UUPS

Summary

The graduateAndUpgrade function allows the principal to upgrade the contract to any arbitrary implementation without validating the new contract’s integrity. The _authorizeUpgrade function lacks checks on the new implementation, exposing the system to unauthorized upgrades.

Vulnerability Details

In UUPS upgradeable contracts, the _authorizeUpgrade function must enforce strict validation of the new implementation address. However, in LevelOne, this function only checks that the caller is the principal and does not validate the newImplementation address. A compromised principal could deploy a malicious contract, leading to fund theft or logic manipulation.

https://github.com/CodeHawks-Contests/2025-05-hawk-high/blob/3a7251910c31739505a8699c7a0fc1b7de2c30b5/src/LevelOne.sol#L314

Impact

A malicious or compromised principal can upgrade the contract to a harmful implementation, draining all USDC funds or altering critical logic (e.g., changing score thresholds).

Tools Used

Recommendations

Implement a whitelist or governance mechanism to validate newImplementation in _authorizeUpgrade. Use OpenZeppelin’s UUPSUpgradeable with additional modifiers to ensure only pre-approved contracts are used for upgrades.
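
One way to implement the recommended allowlist, as an added sketch that is not taken from the submission or from the Hawk High code base. The contract name, the approver role, the approvedCodehash mapping and the custom errors are hypothetical; the sketch assumes OpenZeppelin Contracts Upgradeable v5 and an approver key or multisig that the principal does not control, since an allowlist the principal can edit alone would not constrain a compromised principal.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

// Hypothetical sketch, not the LevelOne source: `approver`, `approvedCodehash`
// and the errors below are names invented for this example.
contract AllowlistedUpgrade is Initializable, UUPSUpgradeable {
    address public principal;
    address public approver; // assumed: a key or multisig separate from the principal
    mapping(bytes32 => bool) public approvedCodehash;

    error NotPrincipal();
    error NotApprover();
    error ImplementationNotApproved(address implementation, bytes32 codehash);

    event ImplementationApproved(bytes32 indexed codehash, bool approved);

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers(); // the implementation itself can never be initialized
    }

    function initialize(address principal_, address approver_) external initializer {
        principal = principal_;
        approver = approver_;
    }

    // Only the approver edits the allowlist; the principal cannot approve its own target.
    function setApproved(bytes32 codehash, bool approved) external {
        if (msg.sender != approver) revert NotApprover();
        approvedCodehash[codehash] = approved;
        emit ImplementationApproved(codehash, approved);
    }

    // Hook that UUPSUpgradeable runs before the implementation slot is changed.
    function _authorizeUpgrade(address newImplementation) internal view override {
        if (msg.sender != principal) revert NotPrincipal();
        // Pin the runtime bytecode hash rather than the address: an address
        // could be approved before the code that ends up there is known.
        bytes32 codehash = newImplementation.codehash;
        if (!approvedCodehash[codehash]) {
            revert ImplementationNotApproved(newImplementation, codehash);
        }
    }
}
```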

Updates

Lead Judging Commences

yeahchibyke Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Design choice