LevelTwo is not upgradeable — missing UUPSUpgradeable inheritance
Summary
The LevelTwo contract is intended to be used as a new implementation in the Hawk High UUPS upgrade pattern. However, it does not inherit from UUPSUpgradeable, which is required for compatibility with OpenZeppelin's upgrade mechanisms. As a result, any upgrade attempt from LevelOne to LevelTwo will revert with an error.
Vulnerability Details
The OpenZeppelin upgrade functions like upgradeTo() or _upgradeToAndCallUUPS() perform a safety check by calling:
This check only passes if the new implementation inherits UUPSUpgradeable and implements proxiableUUID() properly. Since LevelTwo currently only inherits Initializable, this call will revert, blocking the upgrade.
Impact
-
Upgrade from
LevelOne → LevelTwowill fail -
Future upgrades (
LevelTwo → LevelThree) will also fail unless fixed
Tools Used
-
Manual code review
-
Remix test deployment with
ERC1967Proxy -
Reference to OpenZeppelin UUPSUpgradeable v5.3.0 source code
Recommendations
Update LevelTwo to inherit both base contracts:
This ensures:
The contract is compatible with UUPS proxies
The upgrade from LevelOne to LevelTwo succeeds
LevelTwo remains upgradeable to future versions (e.g., LevelThree)
Lead Judging Commences
failed upgrade
The system doesn't implement UUPS properly.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.