Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

H-02. LevelOne UUPS upgrade logic is broken

Summary

The function graduateAndUpgrade does not update the implementation address of the UUPS proxy.

Vulnerability Details

The function that upgrades a proxy with the OpenZeppelin UUPS library is upgradeToAndCall. This function calls _authorizeUpgrade to check the access control and then writes the new implementation address.

If the principal upgrades the contract LevelOne by calling upgradeToAndCall directly, the proxy is upgraded to LevelTwo without graduateAndUpgrade ever being called.

If the principal instead calls graduateAndUpgrade, the implementation the proxy points to does not actually change, because _authorizeUpgrade does not write the implementation address stored in the proxy.

Reference: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/proxy/utils/UUPSUpgradeable.sol#L86

Impact

It is not possible to upgrade the proxy by calling the `graduateAndUpgrade` function.

Tools Used

Manual analysis

Recommendations

  • Set the function graduateAndUpgrade to internal instead of public

  • Call the function graduateAndUpgrade inside the function _authorizeUpgrade
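The following is an added example, not the Hawk High code, sketching the two wirings described above and the check a reviewer would run for each: read the ERC-1967 implementation slot before and after the upgrade call. It assumes OpenZeppelin Contracts v5 and Foundry's forge-std; SchoolBase, LevelOneBroken, LevelOneFixed and LevelTwo are hypothetical minimal contracts standing in for the real ones, and _graduate stands in for the real graduation bookkeeping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the project's code). Assumes OpenZeppelin Contracts v5
// and forge-std; all contract names below are hypothetical sketches.
import {Test} from "forge-std/Test.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts/proxy/utils/UUPSUpgradeable.sol";
import {Initializable} from "@openzeppelin/contracts/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {ERC1967Utils} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Utils.sol";

abstract contract SchoolBase is Initializable, UUPSUpgradeable {
    address public principal;
    bool public graduated;

    function initialize(address _principal) public initializer {
        principal = _principal;
    }

    modifier onlyPrincipal() {
        require(msg.sender == principal, "not principal");
        _;
    }

    // Stand-in for the real graduation bookkeeping (payouts, state reset, ...).
    function _graduate() internal {
        graduated = true;
    }
}

// Broken wiring from the finding: _authorizeUpgrade only performs the access
// check, so the ERC-1967 implementation slot is never written.
contract LevelOneBroken is SchoolBase {
    function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
        _graduate();
        _authorizeUpgrade(_levelTwo); // authorizes, but does not switch the implementation
    }

    function _authorizeUpgrade(address) internal override onlyPrincipal {}
}

// Fixed wiring following the recommendation: graduation runs inside
// _authorizeUpgrade, so the only upgrade path is upgradeToAndCall, which
// authorizes and then actually writes the new implementation.
contract LevelOneFixed is SchoolBase {
    function _authorizeUpgrade(address) internal override onlyPrincipal {
        _graduate();
    }
}

// Keeps SchoolBase's storage layout so state survives the upgrade.
contract LevelTwo is SchoolBase {
    function level() external pure returns (uint256) { return 2; }
    function _authorizeUpgrade(address) internal override onlyPrincipal {}
}

contract UpgradeWiringTest is Test {
    address principal = makeAddr("principal");

    // Reads the implementation address the proxy actually delegates to.
    function _implOf(address proxy) internal view returns (address) {
        return address(uint160(uint256(vm.load(proxy, ERC1967Utils.IMPLEMENTATION_SLOT))));
    }

    function _deploy(address impl) internal returns (address) {
        bytes memory init = abi.encodeCall(SchoolBase.initialize, (principal));
        return address(new ERC1967Proxy(impl, init));
    }

    function testBrokenWiringLeavesImplementationUnchanged() public {
        address impl = address(new LevelOneBroken());
        address proxy = _deploy(impl);
        address levelTwo = address(new LevelTwo());

        vm.prank(principal);
        LevelOneBroken(proxy).graduateAndUpgrade(levelTwo, "");

        assertTrue(LevelOneBroken(proxy).graduated()); // bookkeeping ran ...
        assertEq(_implOf(proxy), impl);                // ... but the proxy still points at LevelOne
    }

    function testFixedWiringUpgradesThroughUpgradeToAndCall() public {
        address impl = address(new LevelOneFixed());
        address proxy = _deploy(impl);
        address levelTwo = address(new LevelTwo());

        vm.prank(principal);
        UUPSUpgradeable(proxy).upgradeToAndCall(levelTwo, "");

        assertEq(_implOf(proxy), levelTwo);       // implementation switched
        assertTrue(LevelTwo(proxy).graduated());  // and graduation ran in the same transaction
        assertEq(LevelTwo(proxy).level(), 2);
    }
}
```

Run with `forge test`. The slot read in `_implOf` is the check worth keeping in any UUPS test suite: an upgrade function that passes its own access-control test but leaves that slot unchanged is exactly the failure described in this finding. With the fixed wiring the principal check still lives in `_authorizeUpgrade`, and `upgradeToAndCall`'s `onlyProxy` guard ensures it can only be reached through the proxy.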

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

failed upgrade

The system doesn't implement UUPS properly.
