From 0f39a040eb6f106410558edb42fdf7c5d140fc14 Mon Sep 17 00:00:00 2001
From: Roman
Date: Wed, 8 Oct 2025 13:12:55 +1100
Subject: [PATCH] test: show success when unauthorized upgrade after malicious
---
 test/WakuRlnV2.t.sol | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/test/WakuRlnV2.t.sol b/test/WakuRlnV2.t.sol
index 534bb9d..ef326e6 100644
--- a/test/WakuRlnV2.t.sol
+++ b/test/WakuRlnV2.t.sol
@@ -1580,4 +1580,23 @@ contract WakuRlnV2Test is Test {
 // Assert: Funds not drained (invariant: no direct access)
 assertEq(token.balanceOf(address(w)), price); // Still held
 }
+
+ // Test: Demonstrate success of Unauthorized Upgrade Post-Malicious Change
+ function test_UnauthorizedUpgradeAfterMalicious() external {
+ // Deploy malicious impl that allows anyone to upgrade
+ address maliciousImpl = address(new MaliciousImplementation()); // Overrides _authorizeUpgrade to public
+
+ // Owner upgrades to malicious
+ vm.prank(w.owner());
+ w.upgradeTo(address(maliciousImpl));
+
+ // Non-owner attempts further upgrade
+ address newImpl = address(new TestStableToken()); // Arbitrary
+ vm.prank(address(0xdead));
+ w.upgradeTo(newImpl); // Should succeed if malicious allows, but test revert if protected
+
+ // Assert: Bricked or unauthorized (depending on spec; expect revert for safety)
+ vm.expectRevert("Ownable: caller is not the owner");
+ w.upgradeTo(newImpl); // If not overridden
+ }
 }
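Review bot: The closing `vm.expectRevert("Ownable: caller is not the owner"); w.upgradeTo(newImpl);` contradicts the step before it. Once the `0xdead` call has succeeded, the proxy presumably runs `TestStableToken` code, and this last call comes from the test contract with no prank, so any revert is unlikely to carry the Ownable reason and the test pins neither outcome. Pick one expectation: for the "unauthorized upgrade succeeds" case, drop the last two lines and assert the result, e.g. `assertEq(address(uint160(uint256(vm.load(address(w), IMPL_SLOT)))), newImpl);`, where `IMPL_SLOT` is a constant you define for the ERC-1967 implementation slot. `MaliciousImplementation` is not defined in this hunk; if it or `TestStableToken` is not UUPS-compatible, `upgradeTo` may revert on the proxiable-UUID check before authorization is exercised, which is worth confirming against the OpenZeppelin version in use. A comment such as `// Precondition: the owner itself installs the permissive implementation; this documents owner-key trust, not a bypass of onlyOwner` would keep the scenario's threat model clear to later readers.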