Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

Session Flags Not Reset Before Upgrade

Description: After graduateAndUpgrade completes, the contract does not clear or reset the session-related state (inSession) so that the upgraded implementation can begin a fresh 4-week cycle. None of these flags are reset, so the proxy's storage carries the stale session state into V2.

Impact: Graduation logic in V2 may erroneously treat the prior session as still active.

Proof of Concept:

Note: this PoC assumes that the 'Missing UUPS Inheritance in LevelTwo' issue has already been fixed, so that graduateAndUpgrade gets as far as splitting by totalTeachers instead of reverting earlier.

+ import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
- contract LevelTwo is Initializable {
+ contract LevelTwo is Initializable, UUPSUpgradeable {
+ constructor() { _disableInitializers(); }
+ function _authorizeUpgrade(address newImplementation) internal override onlyPrincipal {}
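Review bot: `_authorizeUpgrade` is gated with `onlyPrincipal`, but the hunk does not show LevelTwo defining that modifier or the `principal` variable it reads; if LevelTwo lacks them the patch will not compile, and if it declares `principal` in a different storage slot than LevelOne the guard will read the wrong value from the proxy's storage. Suggest confirming that LevelTwo's storage layout mirrors LevelOne's before relying on this check.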

After applying this fix, add the following test to LevelOneAndGraduateTest.t.sol:

function testSessionFlagsPersist() public schoolInSession {
    // Deploy the V2 implementation and upgrade the proxy as the principal
    levelTwoImplementation = new LevelTwo();
    levelTwoImplementationAddress = address(levelTwoImplementation);
    vm.prank(principal);
    levelOneProxy.graduateAndUpgrade(levelTwoImplementationAddress, "");

    // Read the flag through the same proxy address, now backed by LevelTwo
    LevelTwo levelTwoProxy = LevelTwo(proxyAddress);
    // Passes on the unpatched code: the stale flag survives the upgrade
    assertTrue(levelTwoProxy.inSession(), "stale inSession flag should persist into V2");
}

Recommended Mitigation: At the end of graduateAndUpgrade, just before the upgrade call:

+ inSession = false;
// Perform the UUPS upgrade
upgradeToAndCall(_levelTwo, data);
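As an added sketch (not the Hawk High source), a minimal LevelOne/LevelTwo pair showing the reset in place and why V2 cares: contract names, startSession and the require in V2 are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

// Added sketch, not the Hawk High code: a minimal LevelOne-style contract whose
// graduateAndUpgrade clears the session flag before handing the proxy to V2.
contract LevelOneSketch is Initializable, UUPSUpgradeable {
    address public principal; // slot 0
    bool public inSession;    // slot 1, shared with V2 through the proxy storage
    modifier onlyPrincipal() {
        require(msg.sender == principal, "not principal");
        _;
    }

    constructor() { _disableInitializers(); }
    function initialize(address _principal) external initializer {
        principal = _principal;
    }

    function startSession() external onlyPrincipal {
        inSession = true;
    }

    function graduateAndUpgrade(address _levelTwo, bytes memory data) external onlyPrincipal {
        // grading and payout logic omitted
        inSession = false;                 // the fix: reset before the implementation changes
        upgradeToAndCall(_levelTwo, data); // V2 now starts from inSession == false
    }

    function _authorizeUpgrade(address) internal override onlyPrincipal {}
}

// V2 with the same storage layout. Its startSession (assumed) refuses to open a
// new 4-week cycle while inSession is true, so a stale flag would block it for good.
contract LevelTwoSketch is Initializable, UUPSUpgradeable {
    address public principal; // slot 0, same order as LevelOneSketch
    bool public inSession;    // slot 1
    modifier onlyPrincipal() {
        require(msg.sender == principal, "not principal");
        _;
    }
    function startSession() external onlyPrincipal {
        require(!inSession, "previous session still flagged active");
        inSession = true;
    }
    function _authorizeUpgrade(address) internal override onlyPrincipal {}
}
```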
Updates

Lead Judging Commences

yeahchibyke Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

session state not updated

`inSession` not updated during upgrade
