Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

LevelTwo is not upgradeable — missing UUPSUpgradeable inheritance

Summary

The LevelTwo contract is intended to be used as a new implementation in the Hawk High UUPS upgrade pattern. However, it does not inherit from UUPSUpgradeable, which is required for compatibility with OpenZeppelin's upgrade mechanisms. As a result, any upgrade attempt from LevelOne to LevelTwo will revert with an error.

Vulnerability Details

OpenZeppelin's upgrade functions, such as upgradeTo() or _upgradeToAndCallUUPS(), perform a safety check by calling:

IERC1822Proxiable(newImplementation).proxiableUUID()

This check only passes if the new implementation inherits UUPSUpgradeable and implements proxiableUUID() properly. Since LevelTwo currently only inherits Initializable, this call will revert, blocking the upgrade.

Impact

  • Upgrade from LevelOne → LevelTwo will fail

  • Future upgrades (LevelTwo → LevelThree) will also fail unless fixed

Tools Used

  • Manual code review

  • Remix test deployment with ERC1967Proxy

  • Reference to OpenZeppelin UUPSUpgradeable v5.3.0 source code

Recommendations

Update LevelTwo to inherit both base contracts:

import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

contract LevelTwo is Initializable, UUPSUpgradeable {
    ...

    // Required by UUPSUpgradeable: gate upgrades on the principal, mirroring LevelOne.
    function _authorizeUpgrade(address newImpl) internal override {
        require(msg.sender == principal); // same logic as LevelOne
    }
}

This ensures:

  • The contract is compatible with UUPS proxies

  • The upgrade from LevelOne to LevelTwo succeeds

  • LevelTwo remains upgradeable to future versions (e.g., LevelThree)
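As an added illustration (not part of this submission or the Hawk High code base), the Foundry test below reproduces the failing upgrade and confirms the recommended fix. It assumes forge-std plus OpenZeppelin v5 remappings for @openzeppelin/contracts and @openzeppelin/contracts-upgradeable; LevelOneLike, LevelTwoBroken and LevelTwoFixed are hypothetical stand-ins with a principal-gated _authorizeUpgrade.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {ERC1967Utils} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Utils.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

// Hypothetical stand-in for LevelOne (not the project's code): UUPS implementation gated on `principal`.
contract LevelOneLike is Initializable, UUPSUpgradeable {
    address public principal;
    function initialize(address _principal) external initializer { principal = _principal; }
    function _authorizeUpgrade(address) internal view override { require(msg.sender == principal); }
}

// The shape reported in this finding: Initializable only, so no proxiableUUID().
contract LevelTwoBroken is Initializable {}

// The recommended shape: UUPSUpgradeable supplies proxiableUUID().
contract LevelTwoFixed is Initializable, UUPSUpgradeable {
    address public principal;
    function _authorizeUpgrade(address) internal view override { require(msg.sender == principal); }
}

contract LevelTwoUpgradeTest is Test {
    address principal = makeAddr("principal");
    LevelOneLike proxy;
    function setUp() public {
        LevelOneLike impl = new LevelOneLike();
        bytes memory init = abi.encodeCall(LevelOneLike.initialize, (principal));
        proxy = LevelOneLike(address(new ERC1967Proxy(address(impl), init)));
    }
    // The proxiableUUID() probe on a non-UUPS target reverts inside OpenZeppelin's try/catch,
    // which re-raises it as ERC1967InvalidImplementation(newImplementation).
    function test_upgradeToBrokenLevelTwoReverts() public {
        address broken = address(new LevelTwoBroken());
        vm.prank(principal);
        vm.expectRevert(abi.encodeWithSelector(ERC1967Utils.ERC1967InvalidImplementation.selector, broken));
        proxy.upgradeToAndCall(broken, "");
    }
    // With the fix, the ERC-1967 implementation slot now points at LevelTwoFixed.
    function test_upgradeToFixedLevelTwoSucceeds() public {
        address fixedImpl = address(new LevelTwoFixed());
        vm.prank(principal);
        proxy.upgradeToAndCall(fixedImpl, "");
        bytes32 slot = vm.load(address(proxy), ERC1967Utils.IMPLEMENTATION_SLOT);
        assertEq(address(uint160(uint256(slot))), fixedImpl);
    }
}
```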

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

failed upgrade

The system doesn't implement UUPS properly.
