Medium
The graduateAndUpgrade function in LevelOne.sol accepts any non-zero address as the upgrade target without verifying that it is a legitimate LevelTwo implementation. This allows the principal to mistakenly or maliciously upgrade to an incompatible or malicious contract, potentially leading to fund loss, system failure, or permanent contract lockup.
When upgrading from LevelOne to LevelTwo, the only validation performed on the target implementation address is a zero-address check:
Phishing Attack: An attacker could send the principal a message claiming to be from the development team, providing a malicious implementation address disguised as the legitimate LevelTwo contract. Since there are no verification checks, the principal could unknowingly upgrade to this malicious contract.
Malicious Principal: A compromised or malicious principal could upgrade to a specially crafted contract designed to:
Redirect future fee payments to their own address
Manipulate the bursary accounting to steal funds
Remove legitimate teachers and replace them with collaborators
Operational Error: Even without malicious intent, the principal could accidentally provide an incorrect address (e.g., a user wallet or an unrelated contract), bricking the entire school system, since no further verification is performed.
Without proper validation, these scenarios represent significant risks to the system's funds and operational integrity.
Manual code review
Implement proper verification of the upgrade target by:
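As an added example (not the project's own code), the contract below contrasts the zero-address-only check described in this finding with a stricter validation of the upgrade target. It assumes a UUPS/ERC-1967 style upgrade and that the intended LevelTwo implementation exposes proxiableUUID() and a version() getter; both are assumptions for illustration, not facts taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface of the expected LevelTwo implementation (illustrative only).
interface ILevelTwo {
    function proxiableUUID() external view returns (bytes32);
    function version() external pure returns (uint256);
}

contract UpgradeTargetValidation {
    // ERC-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1.
    bytes32 internal constant IMPLEMENTATION_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    uint256 public constant EXPECTED_LEVEL_TWO_VERSION = 2; // assumed value

    address public immutable principal;

    error NotPrincipal();
    error InvalidUpgradeTarget(address target, string reason);

    constructor() { principal = msg.sender; }

    // Before: the only check on the target is that it is non-zero.
    function validateTargetWeak(address levelTwo) external pure returns (bool) {
        if (levelTwo == address(0)) revert InvalidUpgradeTarget(levelTwo, "zero address");
        return true; // any EOA or unrelated contract passes here
    }

    // After: the target must be a deployed UUPS implementation that declares
    // the expected LevelTwo version before the principal may upgrade to it.
    function validateTarget(address levelTwo) public view returns (bool) {
        if (msg.sender != principal) revert NotPrincipal();
        if (levelTwo == address(0)) revert InvalidUpgradeTarget(levelTwo, "zero address");
        // Explicit code check: a call to an EOA would otherwise fail to decode
        // return data, and that failure is not caught by try/catch.
        if (levelTwo.code.length == 0) revert InvalidUpgradeTarget(levelTwo, "not a contract");
        try ILevelTwo(levelTwo).proxiableUUID() returns (bytes32 slot) {
            if (slot != IMPLEMENTATION_SLOT) revert InvalidUpgradeTarget(levelTwo, "wrong proxiableUUID");
        } catch {
            revert InvalidUpgradeTarget(levelTwo, "not a UUPS implementation");
        }
        try ILevelTwo(levelTwo).version() returns (uint256 v) {
            if (v != EXPECTED_LEVEL_TWO_VERSION) revert InvalidUpgradeTarget(levelTwo, "unexpected version");
        } catch {
            revert InvalidUpgradeTarget(levelTwo, "version() missing");
        }
        return true;
    }
}
```

Calling validateTarget before the actual upgrade rejects user wallets, non-UUPS contracts, and implementations of the wrong version, which covers the operational-error case as well as an address supplied by a third party.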