The upgrade from version 3.4.0 to 4.0.0, will always revert for BasketHandler.sol!
Description
The init function in BasketHandler.sol version 4.0.0 introduces a new storage variable enableIssuancePremium
// ==== Invariants ====
// basket is a valid Basket:
// basket.erc20s is a valid collateral array and basket.erc20s == keys(basket.refAmts)
// config is a valid BasketConfig:
// erc20s == keys(targetAmts) == keys(targetNames)
// erc20s is a valid collateral array
// for b in vals(backups), b.erc20s is a valid collateral array.
// if basket.erc20s is empty then disabled == true
// BasketHandler.init() just leaves the BasketHandler state zeroed
function init(
IMain main_,
uint48 warmupPeriod_,
bool reweightable_,
bool enableIssuancePremium_
) external initializer {
__Component_init(main_);
assetRegistry = main_.assetRegistry();
backingManager = main_.backingManager();
rsr = main_.rsr();
rToken = main_.rToken();
stRSR = main_.stRSR();
setWarmupPeriod(warmupPeriod_);
reweightable = reweightable_; // immutable thereafter
enableIssuancePremium = enableIssuancePremium_;
// Set last status to DISABLED (default)
lastStatus = CollateralStatus.DISABLED;
lastStatusTimestamp = uint48(block.timestamp);
disabled = true;
}
But then it uses an initializer modifier which will revert for a BasketHandler proxy that was already initialized!
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/p1/BasketHandler.sol#L108-L131
Vulnerability details
Impact
The upgrade from version 3.4.0 to 4.0.0, will always revert for BasketHandler.sol!
Description
The
init
function in BasketHandler.sol version 4.0.0 introduces a new storage variable enableIssuancePremiumBut then it uses an
initializer
modifier which will revert for a BasketHandler proxy that was already initialized!Recommended Mitigation Steps
Assessed type
Error