Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Restrict graduate() to only the owner

Summary
In LevelTwo.sol the graduate() function is declared as public reinitializer(2) with no owner-only modifier, so anyone can invoke it and hijack the graduation flow.

Vulnerability Detail
In LevelTwo.sol the function is defined as:
function graduate() public reinitializer(2) {}
Because there’s no onlyOwner (or similar) access control on graduate(), any external caller or contract can call it at will.

Impact
An attacker can trigger the graduation/upgrade logic without being the principal, breaking the intended security model. This is a High-severity issue.

Tools Used
• Forge fuzz testing (forge test --match-contract LevelTwoFuzz --fuzz-runs 1000)
• PoC exploit contract + Forge test (LevelTwoAttack & LevelTwoAttackTest)
• Slither static analysis (no other high-risk findings)
• Mythril on flattened contract (no additional issues)

Recommendations
• Inherit OwnableUpgradeable, call __Ownable_init() in initialize(), and transfer ownership to the principal.
• Change the signature to:
function graduate() public onlyOwner reinitializer(2) { … }
• Write unit/fuzz tests verifying only the principal can call graduate().
• Integrate Slither and Mythril into your CI pipeline to catch missing access controls on future functions.
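The recommended pattern and its tests in one sketch, added here as an example and not the project's or the submitter's code. It assumes OpenZeppelin contracts-upgradeable v4 (no-argument __Ownable_init and v4 revert strings) and deploys the contract directly rather than behind a proxy, so the hypothetical LevelTwoHardened name and the graduated flag are illustrative only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {Test} from "forge-std/Test.sol";

/// Hypothetical hardened sketch of the pattern recommended above (not the project's LevelTwo).
contract LevelTwoHardened is Initializable, OwnableUpgradeable {
    bool public graduated;

    function initialize(address principal) external initializer {
        __Ownable_init();              // OZ v4 signature; v5 takes the initial owner as an argument
        _transferOwnership(principal); // the principal becomes the only account allowed to graduate
    }

    // onlyOwner runs before reinitializer(2), so an unauthorized call reverts untouched.
    function graduate() public onlyOwner reinitializer(2) {
        graduated = true;
    }
}

contract LevelTwoHardenedTest is Test {
    LevelTwoHardened level;
    address principal = makeAddr("principal");

    function setUp() public {
        level = new LevelTwoHardened(); // assumed: direct deployment, no proxy, for this sketch
        level.initialize(principal);
    }

    // Any caller other than the principal is rejected before graduation state changes.
    function testFuzz_onlyPrincipalCanGraduate(address caller) public {
        vm.assume(caller != principal);
        vm.prank(caller);
        vm.expectRevert("Ownable: caller is not the owner"); // OZ v4 reason string
        level.graduate();
        assertFalse(level.graduated());
    }

    // The principal can graduate exactly once; reinitializer(2) blocks a second call.
    function test_principalGraduatesOnce() public {
        vm.prank(principal);
        level.graduate();
        assertTrue(level.graduated());
        vm.prank(principal);
        vm.expectRevert("Initializable: contract is already initialized");
        level.graduate();
    }
}
```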

Updates

Lead Judging Commences

yeahchibyke Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
