Description
The upgradeable proxy contracts StrategyProxy and VirtualRewarderProxy lack a critical validation check in the _setImplementation function: nothing ensures that the newImplementation address holds deployed contract code. Specifically, the function does not include the following requirement:
    require(newImplementation.code.length > 0);
This check verifies that the address supplied as the new implementation is not an externally owned account or an undeployed address, and that it actually contains executable code.
Attack Scenario
An administrator attempts to upgrade the proxy contract to a new implementation address.
If the new implementation address is set to an address without code (e.g., an address with no deployed contract), the proxy will delegate calls to a non-functional address.
This will cause all function calls to the proxy contract to fail, leading to a complete service disruption.
Add a validation check in the _setImplementation function of the upgradeable proxy contracts StrategyProxy and VirtualRewarderProxy to ensure that upgrades are applied only to addresses that contain contract code.
This will prevent potential service disruptions and maintain user trust in the system's stability and security.
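The following minimal EIP-1967-style proxy is an added example, not code from StrategyProxy or VirtualRewarderProxy; the contract and function names are hypothetical. It shows where the recommended code-length check belongs in _setImplementation so that an upgrade to a code-less address reverts instead of leaving every later call to the proxy failing inside delegatecall.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal upgradeable proxy used only to illustrate the fix.
contract ExampleUpgradeableProxy {
    // EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
    bytes32 private constant _IMPLEMENTATION_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    address public admin;

    event Upgraded(address indexed implementation);

    constructor(address initialImplementation) {
        admin = msg.sender;
        _setImplementation(initialImplementation);
    }

    function upgradeTo(address newImplementation) external {
        require(msg.sender == admin, "not admin");
        _setImplementation(newImplementation);
    }

    function implementation() public view returns (address impl) {
        assembly { impl := sload(_IMPLEMENTATION_SLOT) }
    }

    // Hardened setter: reject EOAs and addresses with no deployed code before
    // storing them, so the proxy can never point at a non-functional target.
    function _setImplementation(address newImplementation) internal {
        require(newImplementation.code.length > 0, "implementation has no code");
        assembly { sstore(_IMPLEMENTATION_SLOT, newImplementation) }
        emit Upgraded(newImplementation);
    }

    // Every call is forwarded to the stored implementation; with a code-less
    // target, delegatecall would succeed with empty return data or revert,
    // breaking all proxy functionality.
    fallback() external payable {
        address impl = implementation();
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

Note that code.length is 0 for a contract still inside its constructor, so the check also rejects an implementation that is mid-deployment; it does not verify that the code is the intended implementation, only that some code exists, so the upgrade path still needs its own review and access controls.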
Github username: --
Twitter username: --
Submission hash (on-chain): 0xa4455f79f69cf7fa5c1309051a07292197f1c5789e1e4e2a0a11e1ab1c326960
Severity: high