SCWE-118: Unauthenticated Beacon Upgrade
Stable Version v1.0
This content is at version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).
Relationships
- CWE-306: Missing Authentication for Critical Function
https://cwe.mitre.org/data/definitions/306.html
Description
Beacon proxies read the address of their implementation from a beacon contract. If the beacon's upgrade function lacks proper access control or a timelock, an attacker can point all proxies to malicious code, taking over state and funds.
Remediation
- Restrict beacon upgrades to multisig+timelock and emit events on change.
- Validate new implementation bytecode (e.g., initializer disabled, interfaces intact).
- Monitor beacon address changes on-chain with alerts.
Examples
Vulnerable
```solidity
pragma solidity ^0.8.0;

contract Beacon {
    address public impl;

    function upgradeTo(address newImpl) external { // no auth
        impl = newImpl;
    }
}
```
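A hardened counterpart of the beacon above, as an added example that is not part of the original SCWE entry: upgrades are restricted to one admin, pass through a two-step timelock, and emit an event at each step so that on-chain monitoring can alert on them. The contract name, the `DELAY` value and the assumption that `admin` is a multisig wallet are illustrative. Bytecode validation here only confirms that the target address has code; checks such as a disabled initializer or intact interfaces are not shown.

```solidity
pragma solidity ^0.8.1; // address.code requires >= 0.8.1

// Added example, not from the original page. Assumes `admin` is a multisig
// wallet; DELAY is an illustrative value.
contract TimelockedBeacon {
    uint256 public constant DELAY = 2 days;
    address public immutable admin; // expected to be a multisig
    address public impl;            // implementation read by beacon proxies
    address public pendingImpl;     // scheduled implementation, if any
    uint256 public readyAt;         // earliest time pendingImpl may go live

    event UpgradeScheduled(address indexed newImpl, uint256 eta);
    event UpgradeCancelled(address indexed newImpl);
    event Upgraded(address indexed oldImpl, address indexed newImpl);

    modifier onlyAdmin() {
        require(msg.sender == admin, "Beacon: not admin");
        _;
    }

    constructor(address admin_, address initialImpl) {
        require(admin_ != address(0), "Beacon: zero admin");
        require(initialImpl.code.length > 0, "Beacon: impl has no code");
        admin = admin_;
        impl = initialImpl;
        emit Upgraded(address(0), initialImpl);
    }

    // Step 1: announce the upgrade so monitors and users can react.
    function scheduleUpgrade(address newImpl) external onlyAdmin {
        require(newImpl.code.length > 0, "Beacon: impl has no code");
        (pendingImpl, readyAt) = (newImpl, block.timestamp + DELAY);
        emit UpgradeScheduled(newImpl, readyAt);
    }

    function cancelUpgrade() external onlyAdmin {
        emit UpgradeCancelled(pendingImpl);
        (pendingImpl, readyAt) = (address(0), 0);
    }

    // Step 2: the beacon switches implementation only after the delay.
    function executeUpgrade() external onlyAdmin {
        address newImpl = pendingImpl;
        require(newImpl != address(0), "Beacon: nothing scheduled");
        require(block.timestamp >= readyAt, "Beacon: timelock active");
        emit Upgraded(impl, newImpl);
        (impl, pendingImpl, readyAt) = (newImpl, address(0), 0);
    }
}
```

An `UpgradeScheduled` event that no one expected is the signal to act on during the delay window, before `executeUpgrade` can succeed.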