'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Kinetic Disclosed Report
Audit report Kinetic Audit ContestValidate Implementation Address in Proxy Upgrade
Target
https://github.com/kinetic-market/public-money-market-contracts
Vulnerability Details
Summary
The setImplementation function in the CErc20Delegator contract does not verify whether the new implementation address is a valid contract. As a result, an admin could accidentally or deliberately set an Externally Owned Account (EOA) or zero address as the new implementation, causing subsequent delegate calls to fail and effectively bricking the proxy. While a malicious admin could still deploy harmful code, adding a code-size check is a best practice to prevent accidental misconfiguration and maintain the contract’s operational reliability.
Finding Description
setImplementation accepts any address for the new implementation without validating whether the address contains contract code. If the new address is non-contract (e.g., an EOA, a zero address, or an address without code), future delegatecall operations will fail, rendering the proxy inoperative. This risk stems from an absence of a basic defensive check in the proxy contract. However, it primarily affects operational reliability rather than creating a direct user-exploitable vulnerability, because the admin already retains full power to upgrade to any implementation.
Impact Explanation
Impact: Setting the implementation to a non-contract address breaks delegate calls, halting protocol functionality and potentially locking funds.
Likelihood: Low in well-governed systems, because the admin role is typically secured (via a multi-sig or timelock). Mistakes or malicious actions by the admin remain the main vector, reflecting an operational/governance risk rather than a direct exploit by external parties.
Proof of Concept
A malicious actor or an accidental mistake that sets the implementation address to an EOA causes all delegate calls to fail. For example, if the real implementation returns valid snapshots and pricing data but an EOA is accidentally set, every external call (such as getPrice or getAccountSnapshot) will revert, resulting in total functional disruption.
// Example test demonstrating misconfiguration leading to proxy failure
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
import "forge-std/Test.sol";
interface ICErc20Delegator {
function getAccountSnapshot(address account) external view returns (uint, uint, uint, uint);
function _setImplementation(address implementation_, bool allowResign, bytes memory becomeImplementationData) external;
}
contract TestEOA {
// No code, simulates an externally owned account
}
contract ImplementationAddressValidationTest is Test {
ICErc20Delegator delegator;
TestEOA eoa;
function setUp() public {
// Assume the delegator is deployed and admin is controlled by the test environment.
// The following addresses simulate the environment.
delegator = ICErc20Delegator(vm.addr(1));
eoa = new TestEOA(); // Simulate an EOA-like contract with no operational code
// As the admin, set the new implementation to the EOA address.
vm.prank(vm.addr(1));
// This call should never be allowed if a code size check is implemented.
delegator._setImplementation(address(eoa), false, "");
}
function test_nonContractImplementationBreaksProxy() public {
// This should revert if the delegate call has been broken by a non-contract implementation.
vm.expectRevert();
delegator.getAccountSnapshot(address(0xDEADBEEF));
}
}
Recommendation
Implement a code-size check in the setImplementation function to ensure that the provided address contains contract code.
function _setImplementation(address implementation_, bool allowResign, bytes memory becomeImplementationData) public {
require(msg.sender == admin, "CErc20Delegator::_setImplementation: Caller must be admin");
uint256 codeSize;
assembly { codeSize := extcodesize(implementation_) }
require(codeSize > 0, "New implementation must be a contract");
if (allowResign) {
delegateToImplementation(abi.encodeWithSignature("_resignImplementation()"));
}
address oldImplementation = implementation;
implementation = implementation_;
delegateToImplementation(abi.encodeWithSignature("_becomeImplementation(bytes)", becomeImplementationData));
emit NewImplementation(oldImplementation, implementation);
}
Validation steps
POC listed in summary.
Comments on this report are hidden 
Details 
Participants (3) 
