Upgradeable contract FlashSwapRouter.sol cannot be upgraded
Summary
it is impossible to upgrade the FlashSwapRouter.sol contract. This smart contract is a UUPS upgradeable contract, however because the overriden _authorizeUpgrade function contains the notDelegated modifier, it can not be upgraded.
Vulnerability Detail
_authorizeUpgrade is overridden as below:
function _authorizeUpgrade(address newImplementation) internal override onlyOwner notDelegated {}
However, this UUPSUpgradeable OpenZeppelin smart contract only allows upgrades via a proxy:
function upgradeToAndCall(address newImplementation, bytes memory data) public payable virtual onlyProxy {...}
This inconsistency means it is impossible to upgrade the contract.
Impact
This means if the protocol team later wants to update the implementation they are unable to do so, and they are stuck with the current implementation forever.
MadSisyphus
Medium
Upgradeable contract
FlashSwapRouter.solcannot be upgradedSummary
it is impossible to upgrade the
FlashSwapRouter.solcontract. This smart contract is a UUPS upgradeable contract, however because the overriden _authorizeUpgrade function contains the notDelegated modifier, it can not be upgraded.Vulnerability Detail
_authorizeUpgrade is overridden as below:
However, this UUPSUpgradeable OpenZeppelin smart contract only allows upgrades via a proxy:
This inconsistency means it is impossible to upgrade the contract.
Impact
This means if the protocol team later wants to update the implementation they are unable to do so, and they are stuck with the current implementation forever.
Code Snippet
https://github.com/sherlock-audit/2024-08-cork-protocol/blob/main/Depeg-swap/contracts/core/flash-swaps/FlashSwapRouter.sol#L48
Tool used
Manual Review
Recommendation
Remove the
notDelegatedmodifier from_authorizeUpgradeDuplicate of #185