Open code423n4 opened 7 months ago
122, 50, 25, 67, 98, 67, 22
Logic contracts cannot rely on code in their constructors, because proxy contracts do not re-execute the logic contract's constructor - only its initializer. Move all code in the constructor to the initializer function.
File: contracts/Balancer.sol /// @audit initConnectedOFT() 122 constructor( 123 address _routerETH, 124 address _router, 125 address _owner 126 ) Owned(_owner) { 127 if (_router == address(0)) revert RouterNotValid(); 128 if (_routerETH == address(0)) revert RouterNotValid(); 129 routerETH = IStargateRouter(_routerETH); 130 router = IStargateRouter(_router); 131: }
File: contracts/tOFT/BaseTOFT.sol /// @audit initMultiSell() 50 constructor( 51 address _lzEndpoint, 52 address _erc20, 53 IYieldBoxBase _yieldBox, 54 string memory _name, 55 string memory _symbol, 56 uint8 _decimal, 57 uint256 _hostChainID, 58 address payable _leverageModule, 59 address payable _strategyModule, 60 address payable _marketModule, 61 address payable _optionsModule 62 ) 63 BaseTOFTStorage( 64 _lzEndpoint, 65 _erc20, 66 _yieldBox, 67 _name, 68 _symbol, 69 _decimal, 70 _hostChainID 71 ) 72 ERC20Permit(string(abi.encodePacked("TapiocaOFT-", _name))) 73 { 74 leverageModule = BaseTOFTLeverageModule(_leverageModule); 75 strategyModule = BaseTOFTStrategyModule(_strategyModule); 76 marketModule = BaseTOFTMarketModule(_marketModule); 77 optionsModule = BaseTOFTOptionsModule(_optionsModule); 78: }
File: contracts/tOFT/modules/BaseTOFTLeverageModule.sol /// @audit initMultiSell() 25 constructor( 26 address _lzEndpoint, 27 address _erc20, 28 IYieldBoxBase _yieldBox, 29 string memory _name, 30 string memory _symbol, 31 uint8 _decimal, 32 uint256 _hostChainID 33 ) 34 BaseTOFTStorage( 35 _lzEndpoint, 36 _erc20, 37 _yieldBox, 38 _name, 39 _symbol, 40 _decimal, 41 _hostChainID 42 ) 43: {}
File: contracts/Vesting.sol /// @audit init() 67 constructor(uint256 _cliff, uint256 _duration, address _owner) { 68 require(_duration > 0, "Vesting: no vesting"); 69 70 cliff = _cliff; 71 duration = _duration; 72 owner = _owner; 73: }
File: contracts/markets/bigBang/BigBang.sol /// @audit init() 98: constructor() MarketERC20("Tapioca BigBang") {}
File: contracts/usd0/BaseUSDO.sol /// @audit initMultiHopBuy() 67 constructor( 68 address _lzEndpoint, 69 IYieldBoxBase _yieldBox, 70 address _owner, 71 address payable _leverageModule, 72 address payable _marketModule, 73 address payable _optionsModule 74 ) BaseUSDOStorage(_lzEndpoint, _yieldBox) ERC20Permit("USDO") { 75 leverageModule = USDOLeverageModule(_leverageModule); 76 marketModule = USDOMarketModule(_marketModule); 77 optionsModule = USDOOptionsModule(_optionsModule); 78 79 transferOwnership(_owner); 80: }
File: contracts/usd0/modules/USDOLeverageModule.sol /// @audit initMultiHopBuy() 22 constructor( 23 address _lzEndpoint, 24 IYieldBoxBase _yieldBox 25: ) BaseUSDOStorage(_lzEndpoint, _yieldBox) {}
other
Lines of code
122, 50, 25, 67, 98, 67, 22
Vulnerability details
Logic contracts cannot rely on code in their constructors, because proxy contracts do not re-execute the logic contract's constructor - only its initializer. Move all code in the constructor to the initializer function.
Assessed type
other