Impact
Loss of funds due to checks being skipped before transfers
Invalid system state due to relying on conditions that were never verified
A failed upgrade going unnoticed because the expected revert or events are skipped
Proof of Concept
_upgrade() is missing an onlyOwner modifier.
By calling _upgrade directly, the owner bypasses:
The onlyOwner check in executeLensV2Upgrade
Any pre-upgrade requirements such as require(x)
Any post-upgrade effects such as emitting events
This violates the expected call flow and the assumption that executeLensV2Upgrade is the sole entry point, and it can leave the contract in an unexpected state if those effects are skipped.
Tools Used
Manual
Recommended Mitigation Steps
_upgrade should also be marked onlyOwner to prevent bypassing executeLensV2Upgrade.
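The following is an added illustration of the pattern described in the proof of concept and of the recommended mitigation; it is hypothetical example code, not the Lens contract. Only the names executeLensV2Upgrade, _upgrade and onlyOwner come from the report; the base contract, the upgradeApproved flag, the Upgraded event and the upgrade logic are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical illustration of the pattern in this report, not the Lens code.
// Only executeLensV2Upgrade, _upgrade and onlyOwner come from the report;
// every other name and the upgrade logic itself are assumptions.
abstract contract UpgradeBase {
    address public owner = msg.sender;
    bool public upgradeApproved; // stands in for a pre-upgrade require(x)
    bool public upgraded;
    event Upgraded(address indexed by);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function approveUpgrade() external onlyOwner { upgradeApproved = true; }
}

// Vulnerable shape: _upgrade() is externally reachable with no access control,
// so the guarded entry point can be skipped.
contract UpgradeVulnerable is UpgradeBase {
    function executeLensV2Upgrade() external onlyOwner {
        require(upgradeApproved, "upgrade not approved"); // pre-upgrade check
        _upgrade();
        emit Upgraded(msg.sender);                         // post-upgrade effect
    }

    // BUG: public and unrestricted. A direct call flips `upgraded` without
    // the require() above and without emitting Upgraded.
    function _upgrade() public {
        upgraded = true;
    }
}

// Hardened shape. onlyOwner on _upgrade is the report's recommendation;
// internal visibility is an added caveat: it removes the direct-call path
// entirely, so even the owner cannot skip the check and the event.
contract UpgradeFixed is UpgradeBase {
    function executeLensV2Upgrade() external onlyOwner {
        require(upgradeApproved, "upgrade not approved");
        _upgrade();
        emit Upgraded(msg.sender);
    }

    function _upgrade() internal onlyOwner {
        upgraded = true;
    }
}
```

Reviewing a deployment for this issue comes down to checking that every state-changing function reachable from outside carries the same access control and preconditions as the documented entry point.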
Lines of code
https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/misc/LensV2UpgradeContract.sol#L50
Assessed type
Other