Hawk High
First Flight #39
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Improper Use of UUPS Upgrade in `graduateAndUpgrade`

thecarrot

Improper Use of UUPS Upgrade in graduateAndUpgrade

Summary

The graduateAndUpgrade() function includes an authorization check for upgrades but does not correctly invoke the upgrade process as defined by the UUPS pattern.

Vulnerability Details

The function _authorizeUpgrade(_levelTwo); only verifies the caller's permission but does not perform the actual upgrade via upgradeTo(_levelTwo). Furthermore, combining upgrade authorization with fund distribution logic violates best practices of upgradeability, which recommend separating upgrade logic from functional code.

Impact

The contract does not actually upgrade to LevelTwo, misleading users and developers. Additionally, if upgrade logic were executed here, combining it with other logic could result in unexpected state if the upgrade fails or is reverted.

Tools Used

Manual code review

Recommendations

Separate the upgrade process into a distinct function:

function upgradeToLevelTwo(address _levelTwo) external onlyPrincipal {
_authorizeUpgrade(_levelTwo);
upgradeTo(_levelTwo);
}
Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

failed upgrade

The system doesn't implement UUPS properly.

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

failed upgrade

The system doesn't implement UUPS properly.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.