ID: harvest-finance-1119
100 pts
Platform: Ethereum
Type: Protocol
Category: Yield Aggregator
Method: Near-Miss
Data Sources:
Extended Method: Uninitialized proxies bug
Days in Operation: 769 (2.11 Years)
100 pts each
The Dedaub team, auditors and creators of the tool https://contract-library.com/, filed a submission via Immunefi for uninitialized implementation contracts behind the Uniswap V3 vault proxies of the well-known Ethereum protocol Harvest Finance.
This critical bug could have led to the self-destruction of the implementation contract, which would have rendered the proxy contracts pointing at it useless. The exposure comes from the upgradeable proxy pattern in use: one where the upgrade logic resides in the implementation contract rather than in the proxy.
Dedaub was paid $100,000 by Harvest Finance, and an additional $100,000 by Armor, due to Harvest's participation in Armor Finance's bug bounty matching program.
The vulnerability lies in how upgradeToAndCall() works internally under the Universal Upgradeable Proxy Standard (UUPS). Apart from changing the implementation address to a new one, it atomically executes any migration/initialization function via DELEGATECALL with the calldata passed along. If the initialization function of the new implementation executes the SELFDESTRUCT opcode, the DELEGATECALL caller is destroyed. When upgradeToAndCall() is invoked directly on the implementation contract rather than through the proxy, that caller is the implementation itself, so SELFDESTRUCT executes in the implementation's own context and destroys it.
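The defensive fix for this class of bug is to make sure the implementation contract can never be initialized on its own, so that no one can take ownership of it and reach its upgrade path directly. The following is an added illustration written for this entry, not Harvest Finance's or Dedaub's code; the contract names are hypothetical, and it assumes OpenZeppelin's upgradeable contracts 4.x (where `_disableInitializers()` and `__Ownable_init()` without arguments exist). The first contract shows the exposed shape, the second the hardened one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Exposed shape (hypothetical name, illustrative only): the implementation is
// deployed with initialize() still callable on the implementation address.
// Whoever calls it first becomes owner *of the implementation contract's own
// storage*, which is exactly what gates _authorizeUpgrade() below. The UUPS
// upgrade functions then run in the implementation's context, not the proxy's.
contract VaultImplExposed is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    function initialize() public initializer {
        __Ownable_init();
        __UUPSUpgradeable_init();
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

// Hardened shape: a constructor runs only when the implementation itself is
// deployed; proxies never execute it because they delegatecall into the code.
// Locking the initializers in the constructor therefore makes initialize()
// revert on the implementation address, while each proxy can still call
// initialize() once against its own storage.
contract VaultImplHardened is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize() public initializer {
        __Ownable_init();
        __UUPSUpgradeable_init();
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}
```

A practical audit check for deployments that follow the exposed shape is to call `initialize()` on the bare implementation address in a fork or simulation: on the hardened contract it reverts, on the exposed one it succeeds and the caller becomes owner. Newer OpenZeppelin releases also restrict `upgradeTo()`/`upgradeToAndCall()` to proxy context, which is a second, independent layer; disabling initializers on the implementation remains the baseline regardless.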
DISCLAIMER: While web3rekt has used best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.