Closed code423n4 closed 2 years ago
This is not an issue because the variables that are getting a value inside the constructor are immutables, so they are not part of the storage layout of the proxy contract nor implementation.
There is no need to change anything and the impact here described is wrong: parameters FOLLOW_NFT_IMPL
and COLLECT_NFT_IMPL
will have the values passed to LensHub
contructor.
Yeah agreed with Miguel, this is invalid.
As the sponsor has stated, immutables
are stored in the contract's bytecode and not its storage layout.
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/LensHub.sol#L57-L60 https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/LensHub.sol#L32-L33
Vulnerability details
Impact
You will be running your protocol with parameters FOLLOW_NFT_IMPL and COLLECT_NFT_IMPL at zero address.
Proof of Concept
You cannot add constructors in upgradeable contracts because storage variables are inside the proxy. Proxies are unaware of constructors and when you run them you will only initialize storage inside the logic contract. As a rule of thumb, you cannot use immutable variables in upgradeable contracts either, there is a discussion in OpenZeppelin forum about that. https://forum.openzeppelin.com/t/immutable-variables-cannot-be-initialized/7927/4
Recommended Mitigation Steps
I think you have two options to fix this issue .
Solution 1: Move constructor logic to
initialize()
function and remove "immutable" from variablesChange this
For
Remove
Change.
For
Solution 2: You can use constants for those addresses.
This solution is "better" to think variables as immutable if you use a constant instead but I think you need to make many changes in other constructors as well as in your deployment logic