Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

LevelTwo intends to initialize during graduation

Summary

LevelTwo declares graduate() with reinitializer(2), which marks it as the version-2 initializer that should run exactly once as part of the proxy upgrade. The function body is empty, there is no access control, and nothing ties the call to the upgrade itself, so the "initializer" can be consumed by anyone and initializes nothing.

Vulnerability Details

Current Implementation

function graduate() public reinitializer(2) {}

Issues

  1. Incorrect Timing:

    • The reinitializer(2) hook is exposed as graduate(), an ordinary public entry point, instead of being invoked once by the upgrade (for example as the data passed to upgradeToAndCall).

    • Graduation is a business-logic transition; a reinitializer is meant to run only during the deployment/upgrade step that moves the proxy to version 2.

  2. Missing Initialization:

    • The body is empty, so no LevelTwo state is initialized.

    • No inputs or preconditions are validated.

    • No state transition from LevelOne to LevelTwo is performed.

  3. Security Implications:

    • Anyone can call graduate(); there is no access-control modifier.

    • OpenZeppelin's Initializable records that version 2 has run, so the first caller (whoever that is) permanently consumes the version-2 slot.

    • Nothing checks that the contract is actually in the post-upgrade state when the function runs.

Impact

  1. State Corruption:

    • LevelTwo-specific state variables remain at their default (zero) values after the "initialization".

    • Logic that assumes the version-2 state was set operates on uninitialized storage.

  2. Upgrade Failure:

    • The upgrade completes without any initialization being run.

    • If an arbitrary caller invokes graduate() first, a later legitimate call of any reinitializer(2) function reverts with InvalidInitialization, because version 2 has already been consumed; the contract is then stuck without a way to perform its version-2 setup.

  3. Security Issues:

    • No validation that the upgrade has taken place before the reinitializer runs.

    • No access control, so an unauthorized party can trigger (and thereby exhaust) the reinitialization step.

Tools Used

  • Manual code review

  • Initialization timing analysis

  • State transition analysis

Recommendations

  1. Separate Initialization:

    Give LevelTwo a dedicated, access-controlled version-2 initializer that actually sets and validates the new state, and have the principal invoke it in the same transaction as the upgrade (as the calldata of upgradeToAndCall) rather than exposing it as a public graduate() that anyone can call.

function initialize() public reinitializer(2) /* restrict to the principal */ {
// Validate the transition (e.g. the session has ended)
// Initialize LevelTwo state
// Set up initial state
}
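
The following is an added example, not Hawk High's code and not the submitter's: a minimal UUPS pair written against OpenZeppelin Contracts v5 (upgradeable package) and forge-std, with hypothetical contract names (SchoolV1, SchoolV2Vulnerable, SchoolV2) and hypothetical session/graduation state. It places the empty, unprotected reinitializer(2) pattern from the page next to a hardened version, and the Foundry tests show that an outsider can consume version 2 in the vulnerable variant while the hardened variant reinitializes only when the owner upgrades atomically via upgradeToAndCall.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not project code). Assumes OpenZeppelin Contracts v5 (upgradeable
// package) and forge-std are installed; contract names and the session/graduation
// state are hypothetical and only illustrate the reinitializer pattern.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

/// V1: initialized once at deployment behind an ERC1967 proxy.
contract SchoolV1 is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    uint256 public sessionEnd;

    function initialize(address principal, uint256 sessionLength) public initializer {
        __Ownable_init(principal);
        __UUPSUpgradeable_init();
        sessionEnd = block.timestamp + sessionLength;
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// V2 as written on the page: a public, empty, unprotected reinitializer.
contract SchoolV2Vulnerable is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    uint256 public sessionEnd; // storage layout must match V1
    uint256 public graduatedAt;

    // Anyone can call this. It sets no state, but consumes reinitializer version 2,
    // so a later, legitimate version-2 initialization reverts.
    function graduate() public reinitializer(2) {}

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// Hardened V2: the version-2 initializer is access-controlled, validates the
/// transition and actually sets the new state.
contract SchoolV2 is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    uint256 public sessionEnd;
    uint256 public graduatedAt;

    event Graduated(uint256 at);

    // msg.sender is preserved through upgradeToAndCall's delegatecall, so onlyOwner
    // holds when the owner upgrades and reinitializes in one transaction.
    function graduate() public reinitializer(2) onlyOwner {
        require(block.timestamp >= sessionEnd, "session not over");
        graduatedAt = block.timestamp;
        emit Graduated(graduatedAt);
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

contract GraduationTest is Test {
    address principal = makeAddr("principal");
    address attacker = makeAddr("attacker");
    SchoolV1 school;

    function setUp() public {
        SchoolV1 impl = new SchoolV1();
        bytes memory init = abi.encodeCall(SchoolV1.initialize, (principal, 4 weeks));
        school = SchoolV1(address(new ERC1967Proxy(address(impl), init)));
    }

    function test_vulnerable_v2_lets_anyone_burn_version_2() public {
        vm.prank(principal);
        school.upgradeToAndCall(address(new SchoolV2Vulnerable()), ""); // upgrade, no reinit
        SchoolV2Vulnerable v2 = SchoolV2Vulnerable(address(school));

        vm.prank(attacker);
        v2.graduate(); // succeeds and sets nothing
        assertEq(v2.graduatedAt(), 0);

        vm.prank(principal);
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        v2.graduate(); // version 2 already consumed by the attacker
    }

    function test_hardened_v2_graduates_atomically() public {
        vm.warp(block.timestamp + 4 weeks);
        SchoolV2 impl = new SchoolV2();
        bytes memory data = abi.encodeCall(SchoolV2.graduate, ());

        vm.prank(attacker);
        vm.expectRevert(); // _authorizeUpgrade: caller is not the owner
        school.upgradeToAndCall(address(impl), data);

        vm.prank(principal);
        school.upgradeToAndCall(address(impl), data); // upgrade + reinit in one tx
        assertEq(SchoolV2(address(school)).graduatedAt(), block.timestamp);
    }
}
```

Run with forge test. The design point is that the reinitializer is never reachable as a standalone public action: it is gated by the same authority that is allowed to upgrade, validates the transition it claims to perform, and is executed as the calldata of the upgrade so there is no window in which an outsider can consume version 2 between the implementation switch and the initialization.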

Updates

Lead Judging Commences

yeahchibyke Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Appeal created

mishoko Submitter
7 months ago
yeahchibyke Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

failed upgrade

The system doesn't implement UUPS properly.
