Labels: Duplicate (a valid issue that is a duplicate of an issue with the `Has Duplicates` label), Medium (a Medium severity issue), Reward (a payout will be made for this issue)
Upgradeable contract AssetFactory.sol cannot be upgraded
Summary
It is impossible to upgrade the AssetFactory.sol contract. This smart contract is a UUPS upgradeable contract; however, because the overridden _authorizeUpgrade function contains the notDelegated modifier, it cannot be upgraded.
Vulnerability Detail
_authorizeUpgrade is overridden as below:
function _authorizeUpgrade(address newImplementation) internal override onlyOwner notDelegated {}
However, this UUPSUpgradeable OpenZeppelin smart contract only allows upgrades via a proxy:
function upgradeToAndCall(address newImplementation, bytes memory data) public payable virtual onlyProxy {...}
This inconsistency means it is impossible to upgrade the contract.
Impact
The AssetFactory.sol contract is locked in. This means if the protocol team later wants to update the implementation they are unable to do so, and they are stuck with the current implementation forever.
MadSisyphus
Medium
Code Snippet
https://github.com/sherlock-audit/2024-08-cork-protocol/blob/main/Depeg-swap/contracts/core/assets/AssetFactory.sol#L199
Tool used
Manual Review
Recommendation
Remove the notDelegated modifier from AssetFactory::_authorizeUpgrade
Duplicate of #185
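A Foundry test that reproduces the lock described above and checks the recommended fix. This is an added example, not part of the original report or Cork Protocol's code; it assumes forge-std and OpenZeppelin Contracts v5 import paths, and `LockedFactory` / `FixedFactory` are hypothetical stand-ins for `AssetFactory`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not Cork Protocol code). Assumes Foundry and OpenZeppelin Contracts v5.
import {Test} from "forge-std/Test.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Hypothetical stand-in for AssetFactory: same modifier combination as in the finding.
contract LockedFactory is OwnableUpgradeable, UUPSUpgradeable {
    function initialize(address o) external initializer { __Ownable_init(o); }
    function _authorizeUpgrade(address) internal override onlyOwner notDelegated {}
}

// Same contract with the recommendation applied (notDelegated removed).
contract FixedFactory is OwnableUpgradeable, UUPSUpgradeable {
    function initialize(address o) external initializer { __Ownable_init(o); }
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

contract AuthorizeUpgradeTest is Test {
    // ERC-1967 implementation slot, read back to confirm the upgrade took effect.
    bytes32 constant IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    function _proxy(address impl) internal returns (address) {
        return address(new ERC1967Proxy(impl, abi.encodeCall(LockedFactory.initialize, (address(this)))));
    }

    function test_lockedFactoryCannotUpgrade() public {
        LockedFactory impl = new LockedFactory();
        LockedFactory proxy = LockedFactory(_proxy(address(impl)));
        address next = address(new FixedFactory());
        // Through the proxy: onlyProxy passes, then notDelegated reverts in the same delegatecall.
        vm.expectRevert();
        proxy.upgradeToAndCall(next, "");
        // Directly on the implementation: notDelegated would pass, but onlyProxy rejects the call.
        vm.expectRevert();
        impl.upgradeToAndCall(next, "");
    }

    function test_fixedFactoryUpgrades() public {
        address proxy = _proxy(address(new FixedFactory()));
        address next = address(new FixedFactory());
        FixedFactory(proxy).upgradeToAndCall(next, "");
        assertEq(address(uint160(uint256(vm.load(proxy, IMPL_SLOT)))), next);
    }
}
```

A test of this shape, run against the real upgrade path before deployment, catches modifier combinations that compile cleanly but can never be satisfied at runtime.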