The controller variable of UXDToken is immutable, meaning any upgrade to UXDController will break minting/redeeming of UXD.
Vulnerability Detail
UXDController is implemented as an upgradeable contract.
The issue is that in UXDToken, controller is immutable.
If UXDController is upgraded, minting and redeeming functions will not work, as the calls to UXDToken.mint() and UXDToken.burn() will revert because of the onlyController modifier (UXDToken.controller will be the "old" controller address).
joestakey
medium
UXDToken.Controller
should not be immutableSummary
The
controller
variable ofUXDToken
is immutable, meaning any upgrade toUXDController
will break minting/redeeming of UXD.Vulnerability Detail
UXDController
is implemented as an upgradeable contract. The issue is that inUXDToken
,controller
is immutable. IfUXDController
is upgraded, minting and redeeming functions will not work, as the calls toUXDToken.mint()
andUXDToken.burn()
will revert because of theonlyController
modifier (UXDToken.controller
will be the "old" controller address).Impact
UXDController
cannot be upgraded,Code Snippet
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDToken.sol#L61-L66 https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDToken.sol#L72 https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDToken.sol#L83
Tool used
Manual Review
Recommendation
add a
setController
function inUXDToken