code-423n4 / 2024-07-reserve-validation


BasketHandler.sol init will revert when upgrading contract #55

Closed c4-bot-6 closed 1 month ago

c4-bot-6 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/p1/BasketHandler.sol#L108-L131

Vulnerability details

Impact

The upgrade from version 3.4.0 to 4.0.0 will always revert for BasketHandler.sol!

Description

The init function in BasketHandler.sol version 4.0.0 introduces a new storage variable, enableIssuancePremium:

    // ==== Invariants ====
    // basket is a valid Basket:
    //   basket.erc20s is a valid collateral array and basket.erc20s == keys(basket.refAmts)
    // config is a valid BasketConfig:
    //   erc20s == keys(targetAmts) == keys(targetNames)
    //   erc20s is a valid collateral array
    //   for b in vals(backups), b.erc20s is a valid collateral array.
    // if basket.erc20s is empty then disabled == true

    // BasketHandler.init() just leaves the BasketHandler state zeroed
    function init(
        IMain main_,
        uint48 warmupPeriod_,
        bool reweightable_,
        bool enableIssuancePremium_
    ) external initializer {
        __Component_init(main_);

        assetRegistry = main_.assetRegistry();
        backingManager = main_.backingManager();
        rsr = main_.rsr();
        rToken = main_.rToken();
        stRSR = main_.stRSR();

        setWarmupPeriod(warmupPeriod_);
        reweightable = reweightable_; // immutable thereafter
        enableIssuancePremium = enableIssuancePremium_;

        // Set last status to DISABLED (default)
        lastStatus = CollateralStatus.DISABLED;
        lastStatusTimestamp = uint48(block.timestamp);

        disabled = true;
    }

But then it uses an initializer modifier which will revert for a BasketHandler proxy that was already initialized!

Recommended Mitigation Steps

  1. Use a setter function for the new variable
  2. Or use a reinitializer(version)

Assessed type

Error
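
The two mitigations listed in the report, sketched as an added example that is not part of the original issue and is not Reserve's code. `HandlerV2Sketch`, `owner`, `initV2` and `setEnableIssuancePremium` are hypothetical names, and the sketch assumes an OpenZeppelin contracts-upgradeable release that provides `reinitializer`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: hypothetical contract, not the project's BasketHandler.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

contract HandlerV2Sketch is Initializable {
    // Storage carried over from the previous implementation; order unchanged.
    address public owner;
    uint48 public warmupPeriod;
    bool public reweightable;
    // New in this version: appended after every existing variable.
    bool public enableIssuancePremium;

    // Fresh proxies only. `initializer` succeeds while the stored
    // initialized version is 0 and reverts on any later call.
    function init(
        address owner_,
        uint48 warmupPeriod_,
        bool reweightable_,
        bool enableIssuancePremium_
    ) external initializer {
        owner = owner_;
        warmupPeriod = warmupPeriod_;
        reweightable = reweightable_;
        enableIssuancePremium = enableIssuancePremium_;
    }

    // Mitigation 2: for proxies that already ran a version-1 init.
    // `reinitializer(2)` succeeds once while the stored version is below 2,
    // then records version 2. It writes only the new variable.
    // The caller check matters: after a fresh init() the version is 1, so
    // this function would otherwise be open to any caller exactly once.
    function initV2(bool enableIssuancePremium_) external reinitializer(2) {
        require(msg.sender == owner, "not owner");
        enableIssuancePremium = enableIssuancePremium_;
    }

    // Mitigation 1: an access-controlled setter, usable at any time,
    // independent of the initialized version.
    function setEnableIssuancePremium(bool value) external {
        require(msg.sender == owner, "not owner");
        enableIssuancePremium = value;
    }
}
```

If the reinitializer route is taken, calling `initV2` in the same transaction as the implementation switch avoids a window in which the new variable is still at its zero default.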