Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Restrict graduate() to only the owner

Summary
In LevelTwo.sol the graduate() function is declared as public reinitializer(2) with no owner-only modifier, so anyone can invoke it and hijack the graduation flow.

Vulnerability Detail
In LevelTwo.sol the function is defined as:
function graduate() public reinitializer(2) {}
Because there is no onlyOwner (or similar) access control on graduate(), any externally owned account or contract can call it at will. The reinitializer(2) modifier does not help here: it only guarantees that the body runs at most once for initialized version 2, it says nothing about who is allowed to be that one caller.

Impact
An attacker can trigger the graduation/upgrade logic without being the principal, breaking the intended security model. This is a High-severity issue.

Tools Used
• Forge fuzz testing (forge test --match-contract LevelTwoFuzz --fuzz-runs 1000)
• PoC exploit contract + Forge test (LevelTwoAttack & LevelTwoAttackTest)
• Slither static analysis (no other high-risk findings)
• Mythril on flattened contract (no additional issues)

Recommendations
• Inherit OwnableUpgradeable, call __Ownable_init() in initialize() (on OpenZeppelin Contracts Upgradeable 5.x this is __Ownable_init(initialOwner), so pass the principal's address), and make sure ownership ends up with the principal.
• Change the signature to:
function graduate() public onlyOwner reinitializer(2) { … }
• Write unit/fuzz tests verifying only the principal can call graduate().
• Integrate Slither and Mythril into your CI pipeline to catch missing access controls on future functions.
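The following Foundry test file is an added example, not the contest's code or the submitter's PoC. It places a minimal stand-in for the vulnerable LevelTwo (same public reinitializer(2) graduate() signature the finding quotes, with an assumed one-line body so the effect is observable) next to the hardened version recommended above, and exercises both: an arbitrary caller succeeds against the vulnerable contract and thereby burns initialized version 2, while the fixed contract reverts for everyone except the principal. It assumes OpenZeppelin Contracts Upgradeable 5.x (__Ownable_init(address), the InvalidInitialization and OwnableUnauthorizedAccount custom errors) and forge-std; the contract names, storage variables and test names are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Stand-in for the vulnerable LevelTwo (assumed layout): same graduate()
// signature as quoted in the finding, with a one-line body so the test can
// observe that it ran. The page's own version has an empty body.
contract LevelTwoVulnerable is Initializable {
    address public principal;
    uint256 public graduatedAt;

    function initialize(address _principal) public initializer {
        principal = _principal;
    }

    // No caller restriction: reinitializer(2) only limits *how often*, not *who*.
    function graduate() public reinitializer(2) {
        graduatedAt = block.timestamp;
    }
}

// Hardened version: ownership is set up in initialize() and graduate() is
// gated by onlyOwner before reinitializer(2) is evaluated.
contract LevelTwoFixed is Initializable, OwnableUpgradeable {
    uint256 public graduatedAt;

    function initialize(address _principal) public initializer {
        __Ownable_init(_principal); // OZ 5.x signature (assumption)
    }

    function graduate() public onlyOwner reinitializer(2) {
        graduatedAt = block.timestamp;
    }
}

contract GraduateAccessTest is Test {
    address principal = makeAddr("principal");
    address attacker = makeAddr("attacker");

    LevelTwoVulnerable vuln;
    LevelTwoFixed fixedLevel;

    function setUp() public {
        // Calling initialize() directly on the implementation is fine for a
        // unit test; in production this runs behind the proxy.
        vuln = new LevelTwoVulnerable();
        vuln.initialize(principal);
        fixedLevel = new LevelTwoFixed();
        fixedLevel.initialize(principal);
    }

    function test_AnyoneCanCallGraduateOnVulnerable() public {
        vm.prank(attacker);
        vuln.graduate();
        assertGt(vuln.graduatedAt(), 0);

        // Version 2 is now consumed: even the principal can never run it.
        vm.prank(principal);
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        vuln.graduate();
    }

    function test_AttackerCannotCallGraduateOnFixed() public {
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(OwnableUpgradeable.OwnableUnauthorizedAccount.selector, attacker)
        );
        fixedLevel.graduate();
    }

    function test_PrincipalCanGraduateOnFixed() public {
        vm.prank(principal);
        fixedLevel.graduate();
        assertGt(fixedLevel.graduatedAt(), 0);
    }

    // Fuzz the caller: every address other than the principal must be rejected.
    function testFuzz_OnlyPrincipalCanGraduate(address caller) public {
        vm.assume(caller != principal);
        vm.prank(caller);
        vm.expectRevert();
        fixedLevel.graduate();
    }
}
```

Run with forge test --match-contract GraduateAccessTest. The first test is the part a judge would want to see in a PoC: not just that an unauthorized call succeeds, but what it costs the protocol afterwards (here, the principal's own graduate() call reverts with InvalidInitialization because reinitializer(2) has already been spent). Note that onlyOwner is placed before reinitializer(2) so an unauthorized attempt reverts on the access check and never touches the initializer state.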

Updates

Lead Judging Commences

yeahchibyke Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
