MadSisyphus - Upgradeable contract AssetFactory.sol cannot be upgraded #256

Closed
sherlock-admin2 opened this issue Sep 10, 2024 · 0 comments
Labels: Duplicate (a valid issue that is a duplicate of an issue with the `Has Duplicates` label), Medium (a Medium severity issue), Reward (a payout will be made for this issue)

sherlock-admin2 commented Sep 10, 2024

MadSisyphus

Medium

Upgradeable contract AssetFactory.sol cannot be upgraded

Summary

It is impossible to upgrade the AssetFactory.sol contract. This smart contract is a UUPS upgradeable contract; however, because the overridden _authorizeUpgrade function contains the notDelegated modifier, it cannot be upgraded.

Vulnerability Detail

_authorizeUpgrade is overridden as below:

    function _authorizeUpgrade(address newImplementation) internal override onlyOwner notDelegated {}

However, this UUPSUpgradeable OpenZeppelin smart contract only allows upgrades via a proxy:

    function upgradeToAndCall(address newImplementation, bytes memory data) public payable virtual onlyProxy {...}

This inconsistency means it is impossible to upgrade the contract.

Impact

The AssetFactory.sol contract is locked in. This means if the protocol team later wants to update the implementation they are unable to do so, and they are stuck with the current implementation forever.

Code Snippet

https://github.com/sherlock-audit/2024-08-cork-protocol/blob/main/Depeg-swap/contracts/core/assets/AssetFactory.sol#L199

Tool used

Manual Review

Recommendation

Remove the notDelegated modifier from AssetFactory::_authorizeUpgrade

Duplicate of #185

@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. labels Sep 14, 2024
@sherlock-admin3 sherlock-admin3 changed the title from "Dandy Cider Urchin - Upgradeable contract AssetFactory.sol cannot be upgraded" to "MadSisyphus - Upgradeable contract AssetFactory.sol cannot be upgraded" Sep 25, 2024
@sherlock-admin3 sherlock-admin3 added the Reward A payout will be made for this issue label Sep 25, 2024
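The guard conflict described in the report, as an added example that is not part of the original issue, the audited code, or OpenZeppelin's source. It assumes `notDelegated` is the guard that rejects delegatecall context; `GuardModel`, `BrokenFactory`, `FixedFactory` and `ProxyHarness` are hypothetical names, and the model omits the implementation-slot check and the storage write that a real UUPS upgrade performs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of the two call-context guards (added illustration; not
// OpenZeppelin's source and not the audited AssetFactory.sol).
abstract contract GuardModel {
    address private immutable __self = address(this); // implementation's own address
    address public owner; // slot 0; read from the proxy's storage under delegatecall

    error UnauthorizedCallContext();
    error NotOwner();

    modifier onlyProxy() { // passes only when reached through delegatecall
        if (address(this) == __self) revert UnauthorizedCallContext();
        _;
    }
    modifier notDelegated() { // passes only when NOT reached through delegatecall
        if (address(this) != __self) revert UnauthorizedCallContext();
        _;
    }
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function upgradeToAndCall(address newImplementation) external onlyProxy {
        _authorizeUpgrade(newImplementation); // slot write omitted in this model
    }
    function _authorizeUpgrade(address newImplementation) internal virtual;
}

contract BrokenFactory is GuardModel { // guard combination quoted in the report
    function _authorizeUpgrade(address) internal override onlyOwner notDelegated {}
}
contract FixedFactory is GuardModel { // the report's recommendation applied
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

contract ProxyHarness { // hypothetical stand-in for the proxy
    address public owner = msg.sender; // slot 0, mirrors GuardModel.owner

    function upgradeVia(address impl, address newImpl) external returns (bool ok) {
        (ok, ) = impl.delegatecall(abi.encodeCall(GuardModel.upgradeToAndCall, (newImpl)));
    }
    function upgradeDirect(address impl, address newImpl) external returns (bool ok) {
        (ok, ) = impl.call(abi.encodeCall(GuardModel.upgradeToAndCall, (newImpl)));
    }
}
```

Called by the account that deployed `ProxyHarness`, `upgradeVia` fails for `BrokenFactory` (rejected by `notDelegated`) and succeeds for `FixedFactory`, while `upgradeDirect` fails for both (rejected by `onlyProxy`). A deployment test that exercises one upgrade through the proxy catches this class of mistake before launch.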