defirisk.co
rubric v1.7.0

UUPS _authorizeUpgrade correctly permissioned

A code & audits factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor verifies that all UUPS (Universal Upgradeable Proxy Standard) implementation contracts define and correctly restrict the _authorizeUpgrade(address) function. Specifically, the function must revert for any caller that is not the designated owner, admin, or timelock controller. An unprotected or absent _authorizeUpgrade() allows any address to point the proxy at a new, attacker-controlled implementation. The assessment is performed by static analysis of the UUPS implementation's _authorizeUpgrade() visibility and access control gate.

**Why it matters** UUPS puts the upgrade authorization logic inside the implementation contract rather than the proxy, which means an incorrectly implemented _authorizeUpgrade() is a complete proxy takeover vector. A publicly callable or improperly gated _authorizeUpgrade() allows any attacker to call upgradeTo() and replace the implementation with one that drains all protocol funds in a single transaction. Approximately four documented hacks in the T-01 inventory involve UUPS authorization failures or related proxy upgrade bugs. As UUPS has become a common pattern in newer DeFi deployments, the authorization gate is a critical checkpoint.

**Green / Yellow / Red** Green: _authorizeUpgrade() is restricted to owner or admin and reverts for all other callers, confirmed by static analysis; the owner/admin itself is a multisig or timelock. Yellow: _authorizeUpgrade() is correctly restricted but the permissioned caller is a single EOA rather than a multisig or timelock. Red: _authorizeUpgrade() is absent from the implementation contract, or it does not revert for non-owner callers.

**Common gray cases** This factor is gray for protocols that do not use UUPS proxy patterns -- e.g., transparent proxy, beacon proxy, or non-upgradeable implementations.

Measurement: what to look for

Determine whether the UUPS implementation defines `_authorizeUpgrade(address)` restricted to owner/admin/timelock (not open to arbitrary callers).
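As an added illustration (not code from defirisk.co or from any scored protocol), the two shapes the methodology and the source review above distinguish, written against OpenZeppelin's upgradeable contracts (import paths assumed to be the v5 layout): a Red implementation whose override is an empty, ungated body, beside a gated one that only reaches Green if the configured owner is a multisig or timelock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependency: OpenZeppelin contracts-upgradeable (v5 paths).
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// RED: the override compiles (OpenZeppelin declares _authorizeUpgrade abstract, so it
// must exist) but contains no access check, so it never reverts. Any address can call
// upgradeToAndCall() on the proxy and point it at an arbitrary implementation.
contract VaultOpenUpgrade is Initializable, UUPSUpgradeable {
    function initialize() external initializer {
        __UUPSUpgradeable_init();
    }

    // Nothing gates the upgrade: this is what the source review must catch.
    function _authorizeUpgrade(address) internal override {}
}

// GREEN candidate: onlyOwner makes _authorizeUpgrade revert for every caller except
// the owner. The factor then depends on who that owner is: a multisig or timelock
// scores Green, a single EOA scores Yellow. That part is an on-chain check of the
// owner address, not something the Solidity source alone can prove.
contract VaultGatedUpgrade is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    // `admin` is a hypothetical deployment parameter; it should be the address of a
    // multisig or timelock controller for the contract to score Green.
    function initialize(address admin) external initializer {
        __Ownable_init(admin);
        __UUPSUpgradeable_init();
    }

    // Reverts with OwnableUnauthorizedAccount for any caller other than owner().
    function _authorizeUpgrade(address) internal override onlyOwner {}
}
```

When reviewing a real implementation, confirm both halves: that the override carries a reverting gate (modifier or explicit require) and that the gated role resolves on-chain to a multisig or timelock rather than an EOA.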

Data & output

Data source: Slither `suicidal` + `unprotected-upgrade` detectors + source review of `_authorizeUpgrade` implementation
Output format: Green / Yellow / Red
Evidence artifact: Slither output + source excerpt of `_authorizeUpgrade` function
Confidence signal: green = `_authorizeUpgrade` restricted to authorized role; red = `_authorizeUpgrade` open or missing; gray = contract does not use UUPS pattern (N/A) or source unverified

Scored protocols: 80 carry this factor

Protocol | Chain | RD-F-021
Aave v3 | ethereum | not_applicable
Across Protocol | ethereum | green
Aerodrome Finance | base | not_applicable
Axelar Network | ethereum | green
Babylon Protocol | bitcoin | not_applicable
Balancer (v2 + v3) | ethereum | not_applicable
Beefy Finance | ethereum | not_applicable
BENQI | avalanche | not_applicable
BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable
Cap (cUSD / stcUSD) | ethereum | green
Centrifuge | ethereum | not_applicable
Chainlink CCIP | ethereum | not_applicable
Circle USYC | binance | yellow
Compound V3 (Comet) | ethereum | not_applicable
Concrete | ethereum | green
Convex Finance | ethereum | not_applicable
crvUSD (Curve Stablecoin) | ethereum | not_applicable
Curve Finance | ethereum | not_applicable
deBridge | ethereum | not_applicable
Dolomite | ethereum | gray
dYdX v4 (dYdX Chain) | dydx | not_applicable
EigenLayer | ethereum | not_applicable
Ethena | ethereum | not_applicable
ether.fi | ethereum | green
Euler V2 | ethereum | green
Falcon Finance | ethereum | not_applicable
Fluid | ethereum | not_applicable
Frax Finance | ethereum | not_applicable
GMX v2 (GMX Synthetics) | arbitrum | not_applicable
Hyperlane | ethereum | not_applicable
Hyperliquid | arbitrum | not_applicable
Jito | solana | not_applicable
Jupiter | solana | not_applicable
Jupiter Perpetual Exchange | solana | not_applicable
JustLend DAO | tron | not_applicable
Kamino Lend | solana | not_applicable
Kinetiq | hyperliquid | not_applicable
Lido | ethereum | green
Liquid Collective (LsETH) | ethereum | not_applicable
Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable
Lista DAO | bsc | not_applicable
Lombard Finance | ethereum | not_applicable
M^0 | ethereum | yellow
Maple Finance | ethereum | green
Marinade Finance | solana | not_applicable
Meteora | solana | not_applicable
mETH Protocol | ethereum | not_applicable
Midas | ethereum | not_applicable
Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | not_applicable
Multipli | ethereum | green
Ondo Finance | ethereum | green
OpenEden | ethereum | green
Orca | solana | not_applicable
PancakeSwap | bsc | not_applicable
Pendle Finance | ethereum | not_applicable
Polymarket | polygon | green
QuickSwap | polygon | gray
Raydium | solana | not_applicable
Rocket Pool | ethereum | not_applicable
Sanctum | solana | not_applicable
Save (formerly Solend) | solana | not_applicable
Sky Lending (formerly MakerDAO) | ethereum | green
Spark Protocol | ethereum | not_applicable
Spiko | stellar | green
Stake DAO | ethereum | not_applicable
StakeWise v3 | ethereum | green
Stargate Finance | ethereum | not_applicable
stHYPE (Valantis Labs) | hyperliquid | not_applicable
SUNSwap (sun.io) | tron | not_applicable
Superstate | ethereum | not_applicable
Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | not_applicable
Symbiotic | ethereum | not_applicable
Synapse Protocol | ethereum | not_assessed
Uniswap (v2 + v3) | ethereum | not_applicable
USDD (Decentralized USD) | tron | not_applicable
Usual (USD0 / bUSD0 / USUAL) | ethereum | not_applicable
Veda (BoringVault) | ethereum | green
Venus Protocol | bsc | not_applicable
Wormhole | ethereum | not_applicable
Yearn Finance | ethereum | not_applicable

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-021 | category: 1 | carried: 80 | critical: no