Submission Details
Severity:
Misleading graduateAndUpgrade Function Name Conceals Missing UUPS Upgrade Invocation
Summary
The LevelOne::graduateAndUpgradedoes not upgrade to new implementation. Naming the function with the word upgrade can cause confusion because upgradeToAndCallstill needs to be called to upgrade to new implementaion.
Impact
Naming the function graduateAndUpgradeand not upgrading to new implementation may cause confusion.
Tools Used
Manual code review
Recommendations
Either change name of function or call upgradeToAndCallinside the graduateAndUpgradefunction.
function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
if (_levelTwo == address(0)) {
revert HH__ZeroAddress();
}
uint256 totalTeachers = listOfTeachers.length;
uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION
+ bytes memory initData = abi.encodeWithSignature("graduate()");
- _authorizeUpgrade(_levelTwo);
+ upgradeToAndCall(_levelTwo, initData);
for (uint256 n = 0; n < totalTeachers; n++) {
usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
}
usdc.safeTransfer(principal, principalPay);
}
Updates
Lead Judging Commences
yeahchibyke 7 months ago
Submission Judgement Published Assigned finding tags:
failed upgrade
The system doesn't implement UUPS properly.
Rewards breakdown
nSLOC
243This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.