The graduateAndUpgrade() function includes a bytes memory parameter, but its data is never used within the function body. This could be a sign of an incomplete implementation or a legacy design artifact left in unintentionally. While it does not directly cause a vulnerability, it introduces confusion, unnecessarily increases the attack surface, and may mislead auditors and developers about the function's actual behavior.
Function signature:
The bytes memory parameter is not used anywhere in the body of the function. Normally, such a parameter would be passed to upgradeToAndCall() as call data, e.g., to initialize state in the new implementation:
Its presence without usage raises several concerns:
Signals unfinished integration with upgrade-related initialization.
Adds unnecessary gas cost (calldata copying) every time the function is called.
May lead to inconsistent expectations about the upgrade logic.
Increases the attack surface (e.g., if the calldata is unintentionally parsed or misused in the future).
Creates a maintenance burden and potential developer confusion.
Possible failure to execute the intended initialization in the upgrade logic, if forwarding the data was simply forgotten.
Manual code review
If the intention is to call upgradeToAndCall(), then the function should look like:
Otherwise, remove the bytes memory parameter to keep the interface clean and reflective of the actual logic.
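The following is an added, self-contained example written for this finding; it is not the audited project's code. All contract and function names (Graduator, IImplementationV2, initializeV2, the proxy and newImplementation addresses) are hypothetical. Only the upgradeToAndCall(address, bytes memory) signature is taken from the real OpenZeppelin UUPSUpgradeable interface. The first function reproduces the pattern the finding describes (parameter accepted but dropped); the two that follow show the two recommended shapes: forward the data, or remove the parameter entirely.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Upgrade entry point of a UUPS proxy. The signature matches
// OpenZeppelin's UUPSUpgradeable.upgradeToAndCall; everything else here is hypothetical.
interface IUUPSUpgradeable {
    function upgradeToAndCall(address newImplementation, bytes memory data) external payable;
}

// Hypothetical initializer exposed by the new implementation (assumption).
interface IImplementationV2 {
    function initializeV2(uint256 newParam) external;
}

contract Graduator {
    address public immutable proxy;             // proxy to be upgraded (assumption)
    address public immutable newImplementation; // implementation to upgrade to (assumption)
    address public owner;

    constructor(address proxy_, address newImplementation_) {
        proxy = proxy_;
        newImplementation = newImplementation_;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Pattern described in the finding: `data` is accepted but silently dropped.
    // The proxy is upgraded, but no initializer runs, so whatever the caller
    // encoded into `data` never executes. solc emits "Unused function parameter" here.
    function graduateAndUpgradeUnused(bytes memory data) external onlyOwner {
        IUUPSUpgradeable(proxy).upgradeToAndCall(newImplementation, "");
    }

    // Recommended shape if the parameter is meant to carry initializer calldata:
    // forward it so the proxy delegatecalls the new implementation with it.
    function graduateAndUpgrade(bytes memory data) external onlyOwner {
        IUUPSUpgradeable(proxy).upgradeToAndCall(newImplementation, data);
    }

    // Recommended shape if no initialization is ever needed:
    // drop the parameter so the signature states exactly what happens.
    function graduateAndUpgradeNoInit() external onlyOwner {
        IUUPSUpgradeable(proxy).upgradeToAndCall(newImplementation, "");
    }

    // How a caller would build `data` for the forwarding version
    // (abi.encodeCall type-checks the arguments against the interface).
    function encodeV2Init(uint256 newParam) external pure returns (bytes memory) {
        return abi.encodeCall(IImplementationV2.initializeV2, (newParam));
    }
}
```

This assumes the Graduator address is the account authorized by the proxy's _authorizeUpgrade hook; otherwise every call reverts regardless of which variant is used. Two review notes follow from the example: with an empty `data` argument, upgradeToAndCall performs no delegatecall at all, so a caller who passed an initializer payload to the unused-parameter version gets an upgraded but uninitialized implementation with no error to warn them; and the compiler warning disappears as soon as the parameter is left unnamed (`bytes memory` with no identifier), which is precisely how this class of issue survives into production. An unnamed parameter on an upgrade-related function is therefore worth treating as a prompt to confirm the omission is intentional.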