Scruffy Pastel Antelope
High
The `BoostStablecoin`, `MasterAMO`, and `Minter` contracts are vulnerable to unauthorized upgrades due to the absence of the `_authorizeUpgrade` function, which should restrict upgrade operations to the contract owner or an authorized party. Without this function, the upgradeability mechanism becomes insecure, allowing potential unauthorized actors to upgrade the contract and alter its core functionality.
Because the `_authorizeUpgrade` function is missing from these contracts, they can be upgraded by unauthorized parties, which can also cause loss of funds and loss of protocol functionality.
An attacker upgrades the contracts to his advantage and can steal all the funds.
- Total control over the token's functionality, including minting, burning, and pausing operations.
- Potentially malicious changes to the contract that could harm token holders and the protocol’s integrity.
Adding the function below mitigates the problem:

```solidity
function _authorizeUpgrade(address) internal override onlyOwner {}
```
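A review-time check for this class of finding, added here as an example and not taken from the report or the audited project: it scans Solidity source and classifies the upgrade hook of each contract as guarded, unrestricted or missing. It assumes the contracts inherit OpenZeppelin's `UUPSUpgradeable` directly; the sample source, the contract names `TokenA`/`TokenB`/`TokenC` and the list of accepted guards are constructed for illustration.

```python
import re

CONTRACT = re.compile(r"\bcontract\s+(\w+)([^{]*)\{")
HOOK = re.compile(r"function\s+_authorizeUpgrade\s*\([^)]*\)([^{;]*)\{")
# Access-control markers accepted on the hook (assumed list; extend per code base).
GUARD = re.compile(r"\bonlyOwner\b|\bonlyRole\s*\(|msg\.sender|_checkOwner\s*\(")

def block_end(src, open_idx):
    """Index just past the brace block that opens at open_idx."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return i + 1
    raise ValueError("unbalanced braces")

def audit_upgrade_hooks(src):
    """Map each UUPS contract to 'guarded', 'unrestricted' or 'missing'."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)  # strip comments
    report = {}
    for m in CONTRACT.finditer(src):
        name, bases = m.groups()
        if "UUPSUpgradeable" not in bases:
            continue
        body = src[m.end() - 1:block_end(src, m.end() - 1)]
        hook = HOOK.search(body)
        if hook is None:
            report[name] = "missing"
            continue
        # Modifiers sit between ")" and "{"; inline checks sit in the body.
        hook_src = body[hook.start():block_end(body, hook.end() - 1)]
        report[name] = "guarded" if GUARD.search(hook_src) else "unrestricted"
    return report

# Constructed sample source; contract names are hypothetical.
SAMPLE = """
contract TokenA is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    function _authorizeUpgrade(address) internal override onlyOwner {}
}
contract TokenB is Initializable, UUPSUpgradeable {
    function _authorizeUpgrade(address) internal override {}
}
abstract contract TokenC is Initializable, UUPSUpgradeable {
    function mint(address to, uint256 amount) external {}
}
"""

if __name__ == "__main__":
    for name, status in audit_upgrade_hooks(SAMPLE).items():
        print(f"{name}: {status}")
```

The check is textual, so a contract that picks up `UUPSUpgradeable` only through a base contract is not inspected; run it over the base contracts as well.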