Closed code423n4 closed 1 year ago
IMO it is probably a good idea that setAdmin cannot set admin to 0, to prevent irrecoverable errors. Owner can still be relinquished by sending to 0x1 or uint160.MAX_INT.
Low risk (e.g. assets are not at risk: state handling, function incorrect as to spec, issues with comments)
maybe valid, but certainly not medium risk.
closing as dupe of #198 which is being used as the wardens QA report.
Agree this is QA, but also a good find! I've updated GIP-0031 to specify the correct way to make it non-upgradeable, it now says:
the upgradeability can be relinquished (by setting the proxy owner to an invalid address) when the community is more confident with the L2 deployment.
Lines of code
https://github.com/code-423n4/2022-10-thegraph/blob/7ea88cc41f17f2d49961aafec7ebe72daeaad3f9/contracts/upgrades/GraphProxy.sol#L104-L107
Vulnerability details
Impact
The proxy admin cannot be relinquished (cannot be set to address zero), which deviates from the proposal
Note: it is reported as the README writes:
Proof of Concept
In the
GraphProxy
's admin is set in theconstructor
and it can be the zero address. And the proxy admin (or owner) can update the implementation by callingGraphProxy::upgradeTo
.The
GraphProxy::setAdmin
will revert if the_newAdmin
is the zero address.The proxy admin cannot fallback to implementation, and there is no function in
L2GraphToken
and its parent contracts to set the proxy owner to the zero address anyway.Thus, unless the proxy owner is set to the zero address in the proxy's constructor, it is not possible to set the proxy owner to zero address, which deviates from the the proposal:
Tools Used
Manual review
Recommended Mitigation Steps
Add a function to renounce the proxy owner.