Open c4-submissions opened 1 year ago
0xleastwood marked the issue as primary issue
I would argue this is QA because assets/liveness is not impacted in any way but off-chain integration is.
0xleastwood changed the severity to QA (Quality Assurance)
0xleastwood marked the issue as grade-a
elmutt (sponsor) confirmed
0xleastwood removed the grade
Lines of code
https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/AfEth.sol#L72-L75
Vulnerability details
Bug Description
The AfEth contract inherits OpenZeppelin's ERC20Upgradeable contract: AfEth.sol#L10

However, its initialize() function does not call __ERC20_init(), which is used to initialize the name and symbol of the contract: ERC20Upgradeable.sol#L55-L62
Therefore, even after AfEth is deployed and initialized, its name() and symbol() functions will still return empty strings.

Impact

Any contract that calls name() or symbol() for the AfEth contract will get an incorrect empty string in return, as they were never initialized.

This could break composability with other contracts, dapps or front-ends, such as Uniswap, which might expect the contract's name or symbol to be a valid string.
Recommended Mitigation
Consider adding a __ERC20_init() call in the contract's initialize() function: AfEth.sol#L72-L75
Assessed type
Error
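
A review-time check for the class of bug reported above, as an added example that is not part of the original report or the project's code: a heuristic Python scan that flags any contract inheriting ERC20Upgradeable whose body never calls __ERC20_init(). The contract names and sample sources are constructed, and regex matching stands in for a real Solidity parser (an assumption that holds only for simple sources).

```python
import re

# Upgradeable base -> initializer it requires (only the case from this report).
REQUIRED_INIT = {"ERC20Upgradeable": "__ERC20_init"}
CONTRACT_RE = re.compile(r"\bcontract\s+(\w+)\s+is\s+([^{]+)\{")

def strip_comments(src):
    """Drop /* */ and // comments so a commented-out call does not count."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def body_at(src, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced input: take the rest

def missing_initializers(src):
    """List (contract, initializer) pairs where the initializer is never called."""
    src = strip_comments(src)
    findings = []
    for m in CONTRACT_RE.finditer(src):
        bases = {b.strip().split("(")[0] for b in m.group(2).split(",")}
        body = body_at(src, m.end() - 1)
        for base, init in REQUIRED_INIT.items():
            # __ERC20_init_unchained() also sets name and symbol, so accept it.
            called = re.search(rf"\b{init}(_unchained)?\s*\(", body)
            if base in bases and not called:
                findings.append((m.group(1), init))
    return findings

# Constructed samples (hypothetical contracts, not the AfEth source).
BUGGY = """
contract SampleToken is OwnableUpgradeable, ERC20Upgradeable {
    function initialize() external initializer {
        _transferOwnership(msg.sender);
        // __ERC20_init("Sample", "SMP");
    }
}"""
FIXED = BUGGY.replace("SampleToken", "SampleTokenFixed").replace("// __", "__")

if __name__ == "__main__":
    print(missing_initializers(BUGGY + FIXED))
```

The scan does not follow calls into parent contracts or helper functions, so a hit is a prompt for manual review rather than proof of the bug.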