Missing_isContract_Checks
Low/Info issue submitted by petarP1998
Summary
The Upgradeable2Step and Proxy2Step contracts lack checks to verify that the given addresses are contracts.
Vulnerability Detail
The contracts do not check whether the addresses supplied as implementations are actually contracts. This omission allows an externally owned account (EOA) to be set as the implementation, which renders the proxy unusable.
https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/proxies/Upgradeable2Step.sol#L10
Impact
If an EOA is set as the implementation, it bricks the entire proxy, making it completely non-functional.
Code Snippet
None
Tool used
Manual Review
Recommendation
Use OpenZeppelin's Address library and its Address::isContract function, which verifies that a given address is a contract and not an EOA. Note that this check is only reliable in one direction: it can confirm that an address is a contract, but not that an address is an EOA, because a contract can appear to have no code under specific conditions.
Reference: OpenZeppelin Address Documentation
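The sketch below is an added illustration of the recommended guard and is not the Sophon code nor OpenZeppelin's library; the contract name, the two-step flow (propose, then the pending implementation accepts) and all function names are assumptions for the example. The `isContract` helper reproduces the `account.code.length > 0` check that OpenZeppelin's `Address.isContract` performed in Contracts 4.x (the function was removed in 5.0, so newer projects inline this check). The comments also record why the missing check bricks a proxy: a delegatecall to an address with no code returns success with empty return data, so every call through the proxy silently does nothing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical two-step upgradeable proxy written for this example.
// The guard in _requireContract is the point of the finding: an address
// with no code (an EOA, or a typo'd address) must never become the
// implementation, because delegatecall to such an address "succeeds"
// with empty return data and the proxy silently stops working.

library AddressCheck {
    // Same check OpenZeppelin's Address.isContract used in Contracts 4.x
    // (removed in 5.0). True means code is deployed at `account` right now.
    // False does NOT prove an EOA: a contract whose constructor is still
    // running, an address that will receive code via CREATE2 later, or a
    // selfdestructed contract all report zero code length.
    function isContract(address account) internal view returns (bool) {
        return account.code.length > 0;
    }
}

contract Proxy2StepExample {
    using AddressCheck for address;

    address public owner;
    address public implementation;
    address public pendingImplementation;

    error NotOwner();
    error NotAContract(address account);
    error NotPendingImplementation(address caller);

    event ImplementationProposed(address indexed impl);
    event ImplementationChanged(address indexed impl);

    constructor(address initialImpl) {
        owner = msg.sender;
        _setImplementation(initialImpl);
    }

    // Step 1: the owner proposes a new implementation. Running the guard here
    // rejects a mistaken EOA immediately instead of leaving it pending.
    function replaceImplementation(address newImpl) external {
        if (msg.sender != owner) revert NotOwner();
        _requireContract(newImpl);
        pendingImplementation = newImpl;
        emit ImplementationProposed(newImpl);
    }

    // Step 2: the pending implementation itself calls in to accept. Because a
    // contract has no code while its constructor runs, an implementation that
    // tries to accept from its constructor is rejected here; that is the
    // one-directional caveat from the recommendation in practice.
    function becomeImplementation() external {
        if (msg.sender != pendingImplementation) revert NotPendingImplementation(msg.sender);
        _requireContract(msg.sender);
        pendingImplementation = address(0);
        _setImplementation(msg.sender);
    }

    function _requireContract(address account) internal view {
        if (!account.isContract()) revert NotAContract(account);
    }

    function _setImplementation(address impl) internal {
        _requireContract(impl);
        implementation = impl;
        emit ImplementationChanged(impl);
    }

    // Without the guard above, `impl` could be an EOA: delegatecall would
    // return 1 with returndatasize() == 0 and every proxied call would be a
    // silent no-op, which is the "bricked proxy" described in the finding.
    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    receive() external payable {}
}
```

Both entry points that can change `implementation` run the same guard, so the proxy can never end up pointing at an address without code no matter which step an operator gets wrong; a test suite for a contract like this should include a case that passes an EOA to `replaceImplementation` and expects `NotAContract`.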