Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

Contract can never upgrade due to invalid implementation.

Summary

LevelTwo.sol is incorrectly implemented: it is not UUPS-aware, which means that when upgradeToAndCall(newImplementation) is called, the contract is never actually upgraded.

Vulnerability Details

LevelTwo.sol does not inherit UUPSUpgradeable, so it has no proxiableUUID() for the UUPS upgrade path to check; as a result, when upgradeToAndCall() is called with LevelTwo as the new implementation, the call reverts with ERC1967InvalidImplementation.
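The failure described above can be reproduced in a Foundry test. The example below is added here and is not code from the Hawk High repository: it uses small stand-in contracts (LevelOneStub, LevelTwoBroken, LevelTwoFixed) rather than the project's LevelOne.sol and LevelTwo.sol, and assumes OpenZeppelin Contracts v5 (where the ERC1967InvalidImplementation error lives in ERC1967Utils and the UUPS check is done via proxiableUUID()) and forge-std. The first test shows the revert when the target is Initializable but not UUPSUpgradeable; the second shows that the recommended fix upgrades cleanly and keeps the principal-only gate.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {ERC1967Utils} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Utils.sol";

// Stand-in for LevelOne (hypothetical, not the project's contract): a minimal UUPS
// implementation whose upgrade is gated on `principal`, stored in slot 0.
contract LevelOneStub is Initializable, UUPSUpgradeable {
    address public principal;
    error NotPrincipal();

    constructor() { _disableInitializers(); }

    function initialize(address _principal) external initializer {
        __UUPSUpgradeable_init();
        principal = _principal;
    }

    function _authorizeUpgrade(address) internal override {
        if (msg.sender != principal) revert NotPrincipal();
    }
}

// Mirrors the reported bug: Initializable but not UUPSUpgradeable, so there is no
// proxiableUUID() for the UUPS upgrade path to call.
contract LevelTwoBroken is Initializable {
    address public principal; // keeps slot 0 aligned with LevelOneStub
}

// Mirrors the recommended fix: inherit UUPSUpgradeable and gate upgrades on `principal`.
contract LevelTwoFixed is Initializable, UUPSUpgradeable {
    address public principal; // keeps slot 0 aligned with LevelOneStub
    error HH__NotPrincipal_L2();

    function _authorizeUpgrade(address) internal override {
        if (msg.sender != principal) revert HH__NotPrincipal_L2();
    }
}

contract UpgradeTest is Test {
    address principal = makeAddr("principal");
    LevelOneStub proxy;

    function setUp() public {
        LevelOneStub impl = new LevelOneStub();
        bytes memory init = abi.encodeCall(LevelOneStub.initialize, (principal));
        // The proxy delegates to LevelOneStub; we talk to it through the stub's ABI.
        proxy = LevelOneStub(address(new ERC1967Proxy(address(impl), init)));
    }

    // Upgrading to a non-UUPS implementation reverts with ERC1967InvalidImplementation,
    // because UUPSUpgradeable's internal check calls proxiableUUID() on the new address
    // and treats a failing call as "not a UUPS implementation".
    function test_upgradeToNonUUPSImplementationReverts() public {
        address broken = address(new LevelTwoBroken());
        vm.prank(principal);
        vm.expectRevert(
            abi.encodeWithSelector(ERC1967Utils.ERC1967InvalidImplementation.selector, broken)
        );
        proxy.upgradeToAndCall(broken, "");
    }

    // With UUPSUpgradeable inherited, the upgrade lands and the implementation slot
    // now points at LevelTwoFixed; the principal-only gate still holds afterwards.
    function test_upgradeToUUPSAwareImplementationSucceeds() public {
        address fixedImpl = address(new LevelTwoFixed());
        vm.prank(principal);
        proxy.upgradeToAndCall(fixedImpl, "");

        bytes32 raw = vm.load(address(proxy), ERC1967Utils.IMPLEMENTATION_SLOT);
        assertEq(address(uint160(uint256(raw))), fixedImpl);

        // A caller other than `principal` cannot upgrade the contract again.
        address another = address(new LevelTwoFixed());
        vm.expectRevert(LevelTwoFixed.HH__NotPrincipal_L2.selector);
        proxy.upgradeToAndCall(another, "");
    }
}
```

Run with `forge test --match-contract UpgradeTest -vvv`. The second test also reads the ERC-1967 implementation slot directly rather than trusting an event, which is the check to run against a live proxy after any upgrade transaction to confirm it actually took effect.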

Impact

This breaks the whole point of having an upgradeable contract and leaves the proxy stuck on its `LevelOne.sol` implementation forever.

Tools Used

Manual review

Recommendations

+import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
-contract LevelTwo is Initializable {
+contract LevelTwo is Initializable, UUPSUpgradeable {
using SafeERC20 for IERC20;
address principal;
bool inSession;
uint256 public sessionEnd;
uint256 public bursary;
uint256 public cutOffScore;
mapping(address => bool) public isTeacher;
mapping(address => bool) public isStudent;
mapping(address => uint256) public studentScore;
address[] listOfStudents;
address[] listOfTeachers;
uint256 public constant TEACHER_WAGE_L2 = 40;
uint256 public constant PRINCIPAL_WAGE_L2 = 5;
uint256 public constant PRECISION = 100;
IERC20 usdc;
+ error HH__NotPrincipal_L2();
+ function _authorizeUpgrade(address newImplementation) internal virtual override {
+ if (msg.sender != principal) revert HH__NotPrincipal_L2();
+ }
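Review bot: `_authorizeUpgrade` reads `principal` through the proxy's storage, so the state variable order shown here (`principal`, `inSession`, `sessionEnd`, `bursary`, ...) must match LevelOne's declaration order exactly, otherwise the check compares `msg.sender` against whatever LevelOne stored in that slot; the snippet does not show LevelOne's layout, so confirm it before applying. The `+ error HH__NotPrincipal_L2();` declaration sits after the state variables, which works but reads better grouped with the other declarations at the top of the contract; and `virtual` on the override is optional with OpenZeppelin v5 and can be dropped if LevelTwo is not meant to be extended further.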
Updates

Lead Judging Commences

yeahchibyke Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

failed upgrade

The system doesn't implement UUPS properly.
