Lines of code
https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/token/Token.sol#L43
Vulnerability details
Impact
Most contracts use initialize() functions instead of constructors because of the delegatecall proxy pattern, and most of them emit an event in the critical initialize() function to record the init parameters for off-chain monitoring and transparency.
Impact: The Token contract is initialized, but its critical init parameters (name, symbol, etc.) are not logged for any off-chain monitoring.
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
Tools Used
https://github.com/code-423n4/2021-06-pooltogether-findings/issues/68
Recommended Mitigation Steps
Emit an initialised event in Token.sol that logs its init parameters.
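A sketch of the recommended pattern, added here as an illustration and not taken from the project's Token.sol: the contract name, event name, event fields and the two-string `initialize` signature are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical stand-in for a proxied token; not the project's Token.sol.
contract ExampleToken {
    // Assumed event name and fields. The caller is indexed so monitors can
    // filter on who performed the initialization.
    event Initialized(address indexed initializer, string name, string symbol);

    error AlreadyInitialized();

    bool private initialized;
    string public name;
    string public symbol;

    // Called once through the proxy via delegatecall, in place of a constructor.
    // Access control on who may call this is omitted to keep the example short.
    function initialize(string calldata _name, string calldata _symbol) external {
        if (initialized) revert AlreadyInitialized();
        initialized = true;

        name = _name;
        symbol = _symbol;

        // Record the init parameters in the transaction logs so off-chain
        // monitoring can see what the token was initialized with, and by whom.
        emit Initialized(msg.sender, _name, _symbol);
    }
}
```

Because the event is emitted in the same transaction that sets the state, a monitor watching the proxy address sees the init values without having to read storage afterwards.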