Closed c4-submissions closed 1 year ago
Uninitialized _paused is false by default. QA at best.
raymondfam marked the issue as low quality report
raymondfam marked the issue as primary issue
raymondfam marked the issue as duplicate of #47
kirk-baird marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/usdy/rUSDY.sol#L109-L147
Vulnerability details
Impact
rUSDY.sol contract inherits PausableUpgradeable contract but does not invoke its initialzers during its own initialization. Due to which the state of PausableUpgradeable contract remain uninitialized.
PausableUpgradeable
initialization is very much important and it looks as below,This initializes the contract in
unpaused
state. Due to this _paused state is not initialized. This breaks the overall functionality with respect toPausableUpgradeable.sol
. Openzeppelin reference can be checked hereIt is to be noted that automated report has made this issue low severity and has some false positives too. The automated report does not mention the impact of non-initialization of
PausableUpgradeable
but it must be notedPausableUpgradeable
intialization is very much required otherwise the contract will not be initialized inunpaused
state.Proof of Concept
https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/usdy/rUSDY.sol#L109-L147
Tools Used
Manual review
Recommended Mitigation Steps
Consider initializing the
PausableUpgradeable
inrUSDY.sol
initialize()
function.For example for understanding:
Assessed type
Other