Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Loss of UUPS Upgradeability in LevelTwo Implementation

francohacker

Summary

The LevelTwo contract, intended as an upgraded implementation for LevelOne, is critically flawed as it does not inherit from OpenZeppelin's UUPSUpgradeable contract nor does it implement the required _authorizeUpgrade function. If LevelOne were to be upgraded to point to LevelTwo, the proxy contract would lose its ability to be further upgraded, effectively making the system's logic permanent and unchangeable thereafter. This breaks the UUPS upgrade pattern and undermines a core architectural feature of the Hawk High project.

Vulnerability Details

The UUPS (Universal Upgradeable Proxy Standard, EIP-1822) upgrade pattern relies on the implementation contract containing the logic for authorizing upgrades. OpenZeppelin's UUPSUpgradeable contract provides this logic, including an _authorizeUpgrade(address newImplementation) internal function and the necessary storage variables (like proxiableUUID) that the proxy uses to manage upgrades.

LevelOne Contract: Correctly imports and inherits from UUPSUpgradeable. It also has an _authorizeUpgrade function, properly restricted by onlyPrincipal, enabling the principal to authorize future upgrades.
LevelTwo Contract:
- It does not import or inherit from UUPSUpgradeable.
- It does not contain any _authorizeUpgrade function.
- It does not declare or initialize the proxiableUUID storage slot that UUPSUpgradeable uses.

When a UUPS proxy (which LevelOne is deployed behind) is instructed to upgrade, it delegates a call to the current implementation to authorize the upgrade. If the current implementation is LevelOne, its _authorizeUpgrade function is called. If this function succeeds, the proxy updates its implementation address to the new one.

However, if the proxy is upgraded to point to LevelTwo:

The proxy's implementation address now points to LevelTwo.
If a subsequent attempt is made to upgrade the system (e.g., from LevelTwo to a hypothetical LevelThree), the proxy will try to call the upgrade authorization logic within LevelTwo.
Since LevelTwo lacks the _authorizeUpgrade function and the necessary UUPS machinery, any such call will fail (likely revert due to a missing function or incorrect state).

The system will therefore be stuck with LevelTwo as its permanent implementation, unable to receive further bug fixes, feature enhancements, or adaptations.

Impact

The impact of upgrading to an implementation like LevelTwo that breaks the UUPS chain is severe and multifaceted:

Permanent Loss of Upgradeability:
- This is the most direct and critical impact. The primary advantage of using an upgradeable contract pattern is completely negated. The Hawk High school system would be frozen with the LevelTwo logic, regardless of any bugs discovered or new requirements that arise.
Inability to Fix Bugs:
- If critical vulnerabilities or functional bugs are discovered in LevelTwo (or were present in LevelOne and not fixed before this flawed upgrade), there would be no way to deploy a patched version. This could lead to loss of funds, denial of service, or incorrect contract behavior.
Inability to Add Features or Adapt:
- The school's rules, fee structures, or operational model might need to change over time. Without upgradeability, the smart contract system cannot adapt to these evolving needs, rendering it obsolete quickly.
Violation of Project Architecture:
- The project explicitly states it uses UUPSUpgradeable and that "At the end of the school session (4 weeks), the system is upgraded to a new one." This implies an ongoing upgrade path, which LevelTwo's design makes impossible after its deployment.
Erosion of Confidence:
- Stakeholders (principal, teachers, students) rely on the system being maintainable and secure. Discovering that the system has been inadvertently made permanent and unpatchable would severely undermine trust.
Significant Remediation Costs:
- The only way to "fix" this situation after upgrading to such a LevelTwo would be to deploy an entirely new proxy and contract system, and then attempt to migrate all state (students, funds, etc.) from the old, frozen system to the new one. This is a complex, costly, and error-prone undertaking.

Tools Used

manual review

Recommendations

To ensure the continued upgradeability of the Hawk High smart contract system and prevent the permanent loss of this critical feature when upgrading to LevelTwo (or any subsequent version), the following actions are essential:

Ensure LevelTwo Inherits from UUPSUpgradeable:
- The LevelTwo contract (and all future implementations intended for UUPS upgrades) must import and inherit from OpenZeppelin's UUPSUpgradeable contract.
  
  // In LevelTwo.sol
  import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
  import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol"; // Already present, good.
  
  contract LevelTwo is Initializable, UUPSUpgradeable { // Add UUPSUpgradeable
  // ... rest of the contract code ...
  }
  content_copydownload
  
  Use code with caution.Solidity
Implement _authorizeUpgrade in LevelTwo:
- LevelTwo must provide an _authorizeUpgrade(address newImplementation) internal function. This function should contain the access control logic determining who can authorize the next upgrade (typically, only the principal).
  
  // In LevelTwo.sol
  
  // (Assuming 'principal' is a state variable in LevelTwo,
  // compatible with LevelOne's storage layout for 'principal')
  
  error HH_L2_NotPrincipal(); // Example error for LevelTwo
  
  modifier onlyPrincipal_L2() { // Potentially a new modifier if logic differs
  if (msg.sender != principal) {
  revert HH_L2_NotPrincipal();
  }
  _;
  }
  
  function _authorizeUpgrade(address newImplementation)
  internal
  override // Ensures it's overriding the function from UUPSUpgradeable
  onlyPrincipal_L2 // Or the existing onlyPrincipal if principal logic is identical
  {
  // Optional: Add any specific pre-upgrade checks for LevelTwo if needed
  }
  content_copydownload
  
  Use code with caution.Solidity
- Note on onlyPrincipal: If LevelTwo correctly maintains storage layout compatibility with LevelOne for the principal variable, the same principal address will be carried over. The onlyPrincipal modifier (or a LevelTwo specific version) should reference this state variable.
Call __UUPSUpgradeable_init() in LevelTwo's Initializer (If LevelTwo is deployed as a new proxy):
- While LevelTwo is intended as an upgrade to LevelOne, if for some reason it were ever deployed as the first implementation behind a new proxy, its own initializer (e.g., initializeV2 or similar) would need to call __UUPSUpgradeable_init().
- However, in the context of upgrading LevelOne, the __UUPSUpgradeable_init() (and _initialized state for UUPS) is already handled by LevelOne's initialization. The key is that LevelTwo itself provides the UUPS machinery for the next upgrade.
Maintain Storage Layout Compatibility:
- This is crucial for UUPS upgrades in general and was a separate major vulnerability for LevelTwo. LevelTwo must have a storage layout that is compatible with LevelOne. New state variables can only be appended. Existing variables cannot be reordered or removed without careful consideration and potential data migration strategies (which are complex).
- This recommendation, while distinct, is a prerequisite for any successful UUPS upgrade, including one that preserves upgradeability.
Thorough Pre-Upgrade Review and Testing:
- Before any upgrade is performed on a live system:
  - Static Analysis: Use tools to check for storage layout compatibility and other upgrade-related issues.
  - Code Review: Manually review the LevelTwo contract, specifically focusing on the UUPS implementation details (UUPSUpgradeable inheritance, _authorizeUpgrade function, access controls) and storage layout.
  - Testnet Deployment: Deploy LevelOne, upgrade it to LevelTwo on a testnet, and then attempt a further upgrade from LevelTwo to a hypothetical LevelThree (which also correctly implements UUPS). This will confirm that the upgrade chain is not broken.
  - Verify that only the authorized address (e.g., principal) can initiate the upgrade from LevelTwo onwards.
Educate Developers on UUPS Requirements:
- Ensure all developers working on the Hawk High project understand the critical requirements of the UUPS pattern, especially regarding UUPSUpgradeable inheritance, the _authorizeUpgrade function, and storage layout compatibility.

By strictly adhering to these recommendations, the Hawk High project can ensure that LevelTwo (and all future versions) correctly support the UUPS upgrade mechanism, allowing the system to be maintained, patched, and evolved over time as intended.

Updates

Lead Judging Commences

yeahchibyke Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.