Hawk High
First Flight #39
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Upgrade Allowed Before `sessionEnd`

nem0thefinder

Vulnerability Details

The system currently permits a contract upgrade from LevelOne to LevelTwo even if the sessionEnd has not been reached, which violates the intended design rule that upgrades should only occur after the session is complete.

According to the system specification, upgrades should only be allowed after the session has ended. However, in the current implementation, there is no guard or check in place to prevent upgrades during an active session. This allows a principal to prematurely upgrade the system, potentially bypassing session-related constraints or logic.

Proof of Concept

function test_can_before_sessionEnd() public schoolInSession {
levelTwoImplementation = new LevelTwo();
levelTwoImplementationAddress = address(levelTwoImplementation);
bytes memory data = abi.encodeCall(LevelTwo.graduate, ());
// Assert that session is still in progress
assert(block.timestamp < levelOneProxy.sessionEnd());
// Attempt to upgrade before session end
vm.prank(principal);
levelOneProxy.graduateAndUpgrade(levelTwoImplementationAddress, data);
// Interact with upgraded contract
LevelTwo levelTwoProxy = LevelTwo(proxyAddress);
}

Recommendation

  • Add a check in the graduateAndUpgrade function

    require(block.timestamp >= sessionEnd, "Cannot upgrade before session ends");
Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

can graduate without session end

`graduateAndUpgrade()` can be called successfully even when the school session has not ended

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.