The graduateAndUpgrade() function is expected to perform the contract upgrade. However, it currently only calls _authorizeUpgrade(), which is the UUPS access-control hook and nothing more. The actual upgrade operation, upgradeToAndCall(), is never invoked, so the ERC-1967 implementation slot is never written and the proxy keeps pointing at the old implementation. Additionally, any new implementation passed to this function must itself implement proxiableUUID(), as required by the UUPS pattern (EIP-1822); otherwise upgradeToAndCall() reverts.
In the current implementation:
The _authorizeUpgrade() function is defined but its body is left empty:
An empty body is the normal UUPS idiom (the access check lives on the function's modifier), so this is insufficient for an actual upgrade on its own. The missing part is the UUPS upgrade call, typically:
Furthermore, the new implementation contract must implement the proxiableUUID() function:
The system never upgrades, leaving critical logic unchangeable.
Misleads contract users and stakeholders about the state of the protocol.
Future bug fixes, upgrades, or governance changes become impossible.
Without proxiableUUID() on the new implementation, even a correct call to upgradeToAndCall() would revert.
Manual source code review
Understanding of the UUPSUpgradeable pattern (EIP-1822 + ERC-1967)
Replace _authorizeUpgrade(_levelTwo); with:
Ensure the new implementation includes the following function:
This ensures compatibility with the UUPS upgrade mechanism and allows smooth execution of future upgrades. Note that with OpenZeppelin's UUPSUpgradeable, upgradeToAndCall() calls _authorizeUpgrade() itself (so the access check is still enforced), verifies proxiableUUID() on the new implementation before writing the slot, and proxiableUUID() is already provided to any contract that inherits UUPSUpgradeable.
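The following Foundry test file is an added illustration of the finding and of the recommended fix above; it is not the audited project's code. It assumes OpenZeppelin Contracts v5 (upgradeable variants), forge-std, and hypothetical contract names (LevelOneBroken, LevelOneFixed, LevelTwo, NotProxiable); the real project's storage layout and initializers are not reproduced. The tests read the ERC-1967 implementation slot directly to show that the broken pattern never changes it, that the fixed pattern does (and still enforces the owner check), and that a target without proxiableUUID() is rejected.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this finding, not the audited project's code.
// Assumptions: OpenZeppelin Contracts v5 (upgradeable variants), forge-std,
// and hypothetical contract names LevelOne*/LevelTwo/NotProxiable.
import {Test} from "forge-std/Test.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {ERC1967Utils} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Utils.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

abstract contract LevelOneBase is UUPSUpgradeable, OwnableUpgradeable {
    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
    }

    // Empty body is the normal UUPS idiom: the modifier is the access check.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

// Pattern reported in the finding: only the hook runs, the slot is untouched.
contract LevelOneBroken is LevelOneBase {
    function graduateAndUpgrade(address _levelTwo, bytes memory) external {
        _authorizeUpgrade(_levelTwo);
    }
}

// Recommended pattern: upgradeToAndCall() re-runs _authorizeUpgrade(), checks
// proxiableUUID() on _levelTwo, writes the ERC-1967 slot, then delegatecalls
// `data` (if non-empty) into the new implementation.
contract LevelOneFixed is LevelOneBase {
    function graduateAndUpgrade(address _levelTwo, bytes memory data) external {
        upgradeToAndCall(_levelTwo, data);
    }
}

// A valid target: inheriting UUPSUpgradeable supplies proxiableUUID(), which
// returns ERC1967Utils.IMPLEMENTATION_SLOT as UUPS requires.
contract LevelTwo is UUPSUpgradeable, OwnableUpgradeable {
    function _authorizeUpgrade(address) internal override onlyOwner {}

    function version() external pure returns (uint256) {
        return 2;
    }
}

// A target without proxiableUUID(): the upgrade reverts even with the fix.
contract NotProxiable {}

contract GraduateTest is Test {
    address owner = makeAddr("owner");

    // Read the ERC-1967 implementation slot of the proxy directly.
    function _implOf(address proxy) internal view returns (address) {
        return address(uint160(uint256(vm.load(proxy, ERC1967Utils.IMPLEMENTATION_SLOT))));
    }

    function _deploy(address impl) internal returns (address proxy) {
        proxy = address(new ERC1967Proxy(impl, abi.encodeWithSignature("initialize(address)", owner)));
    }

    function test_brokenNeverUpgrades() public {
        address impl = address(new LevelOneBroken());
        address proxy = _deploy(impl);
        address levelTwo = address(new LevelTwo());
        vm.prank(owner);
        LevelOneBroken(proxy).graduateAndUpgrade(levelTwo, "");
        assertEq(_implOf(proxy), impl); // still the old implementation
    }

    function test_fixedUpgradesAndEnforcesAccess() public {
        address proxy = _deploy(address(new LevelOneFixed()));
        address levelTwo = address(new LevelTwo());
        vm.expectRevert(); // caller is not the owner: _authorizeUpgrade reverts
        LevelOneFixed(proxy).graduateAndUpgrade(levelTwo, "");
        vm.prank(owner);
        LevelOneFixed(proxy).graduateAndUpgrade(levelTwo, "");
        assertEq(_implOf(proxy), levelTwo);
        assertEq(LevelTwo(proxy).version(), 2);
    }

    function test_fixedRejectsNonProxiableTarget() public {
        address proxy = _deploy(address(new LevelOneFixed()));
        address bad = address(new NotProxiable());
        vm.prank(owner);
        vm.expectRevert(); // ERC1967InvalidImplementation: proxiableUUID() missing
        LevelOneFixed(proxy).graduateAndUpgrade(bad, "");
    }
}
```

Run with forge test; the broken variant's test passes precisely because the slot is unchanged, which is the observable symptom of the finding. The fixed variant drops the direct _authorizeUpgrade() call since upgradeToAndCall() performs it, and the NotProxiable case shows the proxiableUUID() requirement from the description.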
The system doesn't implement UUPS properly.