Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Storage Layout Mismatch Between LevelOne and LevelTwo Contracts

Summary

The upgradeable proxy architecture implemented using ERC1967Proxy is vulnerable due to a mismatch in storage layout between the LevelOne and LevelTwo contracts. This can lead to corrupted storage, undefined behavior, or the loss of critical data when upgrading from LevelOne to LevelTwo.

Vulnerability Details

Root Cause:
Upgradeable contracts using the UUPS or Transparent Proxy pattern must strictly preserve the storage layout between implementations. In this case:

  • LevelOne has its own storage structure, including variables such as principal, schoolFees, and likely others.

  • LevelTwo introduces new state variables or modifies the order/layout without inheriting LevelOne.

When the proxy is upgraded to point to LevelTwo, the proxy storage remains unchanged, but the new implementation LevelTwo assumes a different layout. This causes variable misalignment and can result in:

  • Corrupted logic

  • Unauthorized access

  • Loss of data

Impact

Corrupted state can:

  • Break application logic

  • Expose sensitive functions to unauthorized callers (if principal becomes address(0) or another EOA)

  • Permanently destroy stored values (e.g., schoolFees)

Tools Used

Manual Review

Recommendations

  • Never change the order or type of existing storage variables.

  • Use tools like OpenZeppelin’s StorageLayout.sol or openzeppelin-upgrades plugins to visualize and validate layout compatibility.

  • Add explicit storage gaps to handle future upgrades.
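The layout check recommended above can be sketched as follows. This is an added example, not code from the submission or the Hawk High project: it models Solidity slot packing for a few simple types only, and the variable lists are constructed (only principal and schoolFees are named in the report; isOpen, treasury and graduationFee are hypothetical).

```python
# Added example: simplified model of Solidity storage packing for a proxy upgrade check.
# Handles only the types listed in SIZES; real tooling covers structs, arrays, inheritance.
SIZES = {"address": 20, "bool": 1, "uint256": 32, "mapping": 32}  # bytes per type

def layout(variables):
    """Map each (name, type), in declaration order, to (slot, byte offset, type)."""
    out, slot, offset = {}, 0, 0
    for name, typ in variables:
        size = SIZES[typ]
        if offset + size > 32:  # does not fit in the current 32-byte slot
            slot, offset = slot + 1, 0
        out[name] = (slot, offset, typ)
        offset += size
    return out

def check_upgrade(old_vars, new_vars):
    """List every old variable that the new implementation would misread or drop."""
    new_by_pos = {(s, o): (n, t) for n, (s, o, t) in layout(new_vars).items()}
    issues = []
    for name, (slot, off, typ) in layout(old_vars).items():
        seen = new_by_pos.get((slot, off))
        if seen != (name, typ):
            what = f"{seen[1]} {seen[0]}" if seen else "nothing (value orphaned)"
            issues.append(f"slot {slot} offset {off}: {typ} {name} -> {what}")
    return issues

# Constructed layouts. principal and schoolFees are named on the page;
# isOpen, treasury and graduationFee are hypothetical.
LEVEL_ONE = [("principal", "address"), ("isOpen", "bool"),
             ("schoolFees", "uint256"), ("treasury", "uint256")]
LEVEL_TWO_BAD = [("principal", "address"), ("isOpen", "bool"),
                 ("treasury", "uint256")]          # schoolFees removed
LEVEL_TWO_OK = LEVEL_ONE + [("graduationFee", "uint256")]  # append only

if __name__ == "__main__":
    for label, new in (("bad", LEVEL_TWO_BAD), ("ok", LEVEL_TWO_OK)):
        print(label, check_upgrade(LEVEL_ONE, new) or "compatible")
```

Removing one variable shifts every later variable up a slot, so the new implementation reads the old schoolFees value under a different name, while appending a variable leaves every existing slot where it was.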

Updates

Lead Judging Commences

yeahchibyke Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
