Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Unprotected upgrade

Summary

The LevelOne contract is an upgradeable contract that does not properly protect its initialization function, which could allow anyone to effectively delete the contract.

Vulnerability Details

The contract inherits from UUPSUpgradeable but does not implement proper access controls on the initialization function:

```solidity
function initialize(address _principal, uint256 _schoolFees, address _usdcAddress) public initializer {
}
```

While the _authorizeUpgrade function has the onlyPrincipal modifier, the upgrade mechanism itself may be vulnerable due to improper initialization protection.

Impact

The vulnerability allows an attacker to call upgradeToAndCall from the UUPSUpgradeable contract and replace the implementation with a malicious one. The attacker could then take control of the contract's funds and functionality. Finally, the attacker could effectively delete the contract by upgrading to an implementation with no functionality.

Recommendations

Add proper access control to the initialize function.
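To make the recommendation concrete, here is an added example (not the Hawk High project's own code, and not part of the original submission) of the standard OpenZeppelin pattern for locking down initialization of a UUPS implementation. The contract name `LevelOneHardened`, the `onlyPrincipal` modifier, the `NotPrincipal` error, and the storage layout are assumptions made for the example; the OpenZeppelin import paths assume the `contracts-upgradeable` package.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed OpenZeppelin upgradeable imports (example only, not the project's own code)
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

contract LevelOneHardened is Initializable, UUPSUpgradeable {
    // Hypothetical state mirroring the initialize() parameters shown in the report
    address public principal;
    uint256 public schoolFees;
    address public usdc;

    error NotPrincipal();

    modifier onlyPrincipal() {
        if (msg.sender != principal) revert NotPrincipal();
        _;
    }

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Locks the implementation contract itself so nobody can call
        // initialize() directly on it (only the proxy's storage is initializable).
        _disableInitializers();
    }

    // `initializer` allows this to run exactly once per proxy; the
    // principal set here is the only account allowed to authorize upgrades.
    function initialize(address _principal, uint256 _schoolFees, address _usdcAddress)
        public
        initializer
    {
        __UUPSUpgradeable_init();
        principal = _principal;
        schoolFees = _schoolFees;
        usdc = _usdcAddress;
    }

    // Gate on the upgrade path: upgradeToAndCall reverts unless the caller is the principal.
    function _authorizeUpgrade(address newImplementation) internal override onlyPrincipal {}
}
```

Two checks a reviewer would make against this pattern: the constructor calls `_disableInitializers()` so the bare implementation can never be initialized by a third party, and the proxy should be deployed with the `initialize` calldata passed in its constructor so that deployment and initialization happen in a single transaction rather than leaving a window between them.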

Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
