Improper Use of _authorizeUpgrade() – Upgrade Not Executed in graduateAndUpgrade
Summary
The graduateAndUpgrade function incorrectly attempts to authorize an upgrade by calling _authorizeUpgrade(_levelTwo) manually. However, in the UUPSUpgradeable pattern, _authorizeUpgrade is an internal function meant to be overridden to control access. It is automatically called by OpenZeppelin's internal _upgradeTo() or _upgradeToAndCall() functions, not intended to be called directly. As a result, the contract fails to perform the actual upgrade, and the new implementation is not activated.
Vulnerability Details
_authorizeUpgrade(_levelTwo) is called directly, which does nothing to change the proxy's implementation.
The actual upgrade to
_levelTwodoes not occur.Misleads users into thinking an upgrade has happened, while the logic remains on the old implementation.
Impact
fails to perform the actual upgrade, and the new implementation is not activated.
Tools Used
manual review
Recommendations
Replace the call to _authorizeUpgrade() with a proper upgrade execution
Lead Judging Commences
failed upgrade
The system doesn't implement UUPS properly.
failed upgrade
The system doesn't implement UUPS properly.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.