Hawk High

First Flight #39
Submission Details
Severity: high
Valid

`LevelTwo` must inherit from `UUPSUpgradeable` in order to support upgrades

Description: `LevelTwo` does not inherit from `UUPSUpgradeable`, so an attempt to upgrade the proxy implementation with `upgradeToAndCall` reverts with the error `ERC1967Utils.ERC1967InvalidImplementation`.

Impact: This breaks the contract's upgradeability: the proxy implementation cannot be upgraded from `LevelOne` to `LevelTwo`.

Proof of Concept: add the following test and run it.

```solidity
function test_cannot_upgrade_to_levelTwo() public {
    vm.startPrank(principal);
    LevelTwo levelTwo = new LevelTwo();
    // Call to run through the proxy once the upgrade has been applied.
    bytes memory data = abi.encodeCall(LevelTwo.graduate, ());
    // LevelTwo is not a UUPS implementation, so the upgrade is expected to revert.
    vm.expectRevert(abi.encodeWithSelector(ERC1967Utils.ERC1967InvalidImplementation.selector, address(levelTwo)));
    levelOneProxy.upgradeToAndCall(address(levelTwo), data);
    vm.stopPrank();
}
```
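
The same check as a self-contained Foundry test, with a passing counterpart for an implementation that does inherit `UUPSUpgradeable`. This is an added example, not the contest code or the submitter's test: `V1`, `V2Broken`, `V2Fixed`, `version()` and `UpgradeCheckTest` are hypothetical stand-ins, and it assumes forge-std and OpenZeppelin Contracts v5 are installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {ERC1967Utils} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Utils.sol";

// Hypothetical stand-ins for LevelOne / LevelTwo; only the upgrade plumbing is modelled.
contract V1 is Initializable, UUPSUpgradeable {
    address public principal;
    function initialize(address p) external initializer { principal = p; }
    function _authorizeUpgrade(address) internal view override {
        require(msg.sender == principal, "not principal");
    }
}
// Mirrors the reported bug: no UUPSUpgradeable, hence no proxiableUUID().
contract V2Broken is Initializable { address public principal; }
// Mirrors the mitigation: UUPS-compatible and same storage layout as V1.
contract V2Fixed is V1 {
    function version() external pure returns (uint256) { return 2; }
}

contract UpgradeCheckTest is Test {
    // ERC-1967 implementation slot: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 constant IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    address principal = makeAddr("principal");
    V1 proxy;
    function setUp() public {
        bytes memory init = abi.encodeCall(V1.initialize, (principal));
        proxy = V1(address(new ERC1967Proxy(address(new V1()), init)));
    }
    function implOf() internal view returns (address) {
        return address(uint160(uint256(vm.load(address(proxy), IMPL_SLOT))));
    }
    function test_brokenImplementationIsRejected() public {
        address broken = address(new V2Broken());
        vm.prank(principal);
        vm.expectRevert(abi.encodeWithSelector(ERC1967Utils.ERC1967InvalidImplementation.selector, broken));
        proxy.upgradeToAndCall(broken, "");
    }
    function test_fixedImplementationUpgrades() public {
        address good = address(new V2Fixed());
        vm.prank(principal);
        proxy.upgradeToAndCall(good, "");
        assertEq(implOf(), good); // proxy now points at the new implementation
        assertEq(V2Fixed(address(proxy)).version(), 2); // new code is reachable through the proxy
    }
}
```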

Recommended Mitigation:
Make the `LevelTwo` contract inherit from `UUPSUpgradeable`.

+ import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
- contract LevelTwo is Initializable {
+ contract LevelTwo is Initializable, UUPSUpgradeable {
...
+ error HH__NotPrincipal();
+ modifier onlyPrincipal() {
+ if (msg.sender != principal) {
+ revert HH__NotPrincipal();
+ }
+ _;
+ }
+ function _authorizeUpgrade(address newImplementation) internal override onlyPrincipal {}
}
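
Review bot: `onlyPrincipal` on the `_authorizeUpgrade` line reads `principal`, which this hunk does not declare, so the elided part of `LevelTwo` has to provide it. Because `_authorizeUpgrade` executes against the proxy's storage, `principal` in `LevelTwo` must occupy the same storage position as in `LevelOne`; otherwise the check compares `msg.sender` against the wrong slot and later upgrades are either blocked or authorized for the wrong address. It would also help to pair the change with a test that calls `levelOneProxy.upgradeToAndCall(address(levelTwo), data)` as the principal and asserts that it succeeds, and one that asserts `HH__NotPrincipal` for any other caller.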
Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

failed upgrade

The system doesn't implement UUPS properly.
