Using an upgradeable proxy contract structure allows the logic of the contract to be changed arbitrarily.
This allows the proxy admin to perform malicious actions, e.g., taking funds from users’ wallets up to the allowance limit.
A malicious or compromised proxy admin can perform this action without any restriction.
Considering that the purpose of this particular contract is accounting for the Collateral and LongShortTokens, we believe the users’ allowances should not be held by this upgradeable contract.
Given:
A malicious/compromised proxy admin can just call upgradeToAndCall() on the proxy contract and send all the USDC held by the contract to an arbitrary address.
A smart contract being structured as an upgradeable contract is not, on its own, usually considered a high-severity risk. But given the severe impact (all the funds in the contract and funds in users’ wallets can be stolen), we mark it as a High severity issue.
Consider using the non-upgradeable CollateralToken contract to hold users’ allowances instead.
See also the Recommendation of [WP-H7].
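A sketch of the recommended separation, added here as an illustration and not taken from the audited code base: users approve a contract deployed without a proxy, and that contract only ever pulls tokens from msg.sender. The names CollateralTokenSketch, IAccounting and recordDeposit are hypothetical, and keeping the deposited USDC in the non-upgradeable contract is an assumption of the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; every name here is hypothetical, not the project's code.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount)
        external
        returns (bool);
}

interface IAccounting {
    // Hypothetical hook on the upgradeable accounting contract.
    // It records a deposit and is never given an allowance.
    function recordDeposit(address user, uint256 amount) external;
}

// Deployed directly (no proxy): its code, and therefore everything it can do
// with users' allowances, is fixed at deployment.
contract CollateralTokenSketch {
    IERC20 public immutable usdc;
    // The upgradeable proxy; treated as untrusted by this contract.
    IAccounting public immutable accounting;

    constructor(IERC20 usdc_, IAccounting accounting_) {
        usdc = usdc_;
        accounting = accounting_;
    }

    // Users approve THIS contract for USDC, never the proxy.
    // The only transferFrom call uses msg.sender as the source, so no caller,
    // including a replaced accounting implementation, can spend a third
    // party's allowance through this contract.
    function deposit(uint256 amount) external {
        require(amount > 0, "zero amount");
        // Custody in this contract is an assumption of the sketch.
        require(
            usdc.transferFrom(msg.sender, address(this), amount),
            "transfer failed"
        );
        // Bookkeeping only; an upgrade of the accounting logic changes what
        // is recorded, not what can be pulled from users' wallets.
        accounting.recordDeposit(msg.sender, amount);
    }
}
```

With this split, a review of allowance exposure reduces to checking that every transferFrom in the non-upgradeable contract takes msg.sender as its source.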