Closed code423n4 closed 1 year ago
UUPSUpgradeable
is a way of using proxy mechanism to have the upgradable functionality of a contract but it's not the sole necessity. The devs opted to the have storage gaps (uint256[46] private __gap;
) in EigenPod contract as this contract is served like a main template for the Pod deployments. Thinking of there will be a number of pod owners, it will not be ideal to update all of them but update the existing pod contract for future deployments.
Invalid assumption.
0xSorryNotSorry marked the issue as low quality report
Invalid because the Sponsor uses BeaconProxy
GalloDaSballo marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L2-L34
Vulnerability details
Impact
First the
EigenPod.sol
file importsOwnableUpgradeable
andAddressUpgradeable
but doesn't use them. The file only usesReentrancyUpgradeable
but it only helps protect the contract from re-entrancy vulnerability and it does not provide any upgradeability functionality by itself. Therefore, it seems that the EigenPod contract is not upgradeable. If there are any issues or updates needed in the future, the contract would not be upgradeable, and users would have to migrate to a new contract. Specifically, theEigenPodManager.sol
file is closely related toEigenPod.sol
butEigenPodManager
seems correct and upgradeable.Proof of Concept
https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L2-L34 `` pragma solidity =0.8.12;
import "@openzeppelin-upgrades/contracts/proxy/utils/Initializable.sol"; import "@openzeppelin-upgrades/contracts/access/OwnableUpgradeable.sol"; import "@openzeppelin-upgrades/contracts/security/ReentrancyGuardUpgradeable.sol"; import "@openzeppelin-upgrades/contracts/utils/AddressUpgradeable.sol";
import "../libraries/BeaconChainProofs.sol"; import "../libraries/BytesLib.sol"; import "../libraries/Endian.sol";
import "../interfaces/IETHPOSDeposit.sol"; import "../interfaces/IEigenPodManager.sol"; import "../interfaces/IEigenPod.sol"; import "../interfaces/IDelayedWithdrawalRouter.sol"; import "../interfaces/IPausable.sol";
import "./EigenPodPausingConstants.sol";
/**
Tools Used
Foundry
Recommended Mitigation Steps
If you're looking to make your contract upgradeable, you will need to use additional components provided by the OpenZeppelin Contracts Upgrades library, like
Upgradeable
,UUPSUpgradeable
, or other upgrade patterns.For instance, if you want to use the UUPS (Universal Upgradeable Proxy Standard) pattern, your contract should inherit from
UUPSUpgradeable
:Remember that you also need to implement the
_authorizeUpgrade
function, which is required by theUUPSUpgradeable
contract:Additionally, you'll need to deploy your contract using a Proxy, like
TransparentUpgradeableProxy
orUUPSUpgradeableProxy
.Also since you import
OwnableUpgradeable
andAddressUpgradeable
files, please double-check whether they are needed in the EigenPod contract.Assessed type
Upgradable