The controller variable of UXDToken is immutable, meaning any upgrade to UXDController will break minting/redeeming of UXD.
Vulnerability Detail
UXDController is implemented as an upgradeable contract.
The issue is that in UXDToken, controller is immutable.
If UXDController is upgraded, minting and redeeming functions will not work, as the calls to UXDToken.mint() and UXDToken.burn() will revert because of the onlyController modifier (UXDToken.controller will be the "old" controller address).
joestakey
medium
UXDToken.Controllershould not be immutableSummary
The
controllervariable ofUXDTokenis immutable, meaning any upgrade toUXDControllerwill break minting/redeeming of UXD.Vulnerability Detail
UXDControlleris implemented as an upgradeable contract. The issue is that inUXDToken,controlleris immutable. IfUXDControlleris upgraded, minting and redeeming functions will not work, as the calls toUXDToken.mint()andUXDToken.burn()will revert because of theonlyControllermodifier (UXDToken.controllerwill be the "old" controller address).Impact
UXDControllercannot be upgraded,Code Snippet
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDToken.sol#L61-L66 https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDToken.sol#L72 https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDToken.sol#L83
Tool used
Manual Review
Recommendation
add a
setControllerfunction inUXDToken