Open hats-bug-reporter[bot] opened 4 months ago
Correction in recommendation: since it is NOT implemented in cvgControlTower contract

Similar issue instances:
1) CvgCvxStakingPositionService.initialize(),
2) CvxAssetStakerBuffer.initialize() and
3) CvxAssetStakingService.initialize()

The control tower is an upgradable contract. These contracts in scope are not yet deployed live; you cannot look for them on Etherscan. With deployment, the tower will be upgraded with the featured addresses.

Github username: @0xRizwan
Twitter username: 0xRizwann
Submission hash (on-chain): 0xca916796af9d85793f73b7a856f04d53a5880c5856936c40804b610c6b738021
Severity: medium

Description:

CvxRewardDistributor.initialize() is implemented as:

initialize() function is used to initialize the contract along with state variables.

The issue is with the value setting of cvxConvergenceLocker and cvxStakingPositionManager contract addresses. Both the contracts are a core part of the CvxRewardDistributor.sol contract and without them, the contract's various functionalities cannot work, which would affect the users of the protocol.

Both contract addresses of cvxConvergenceLocker and cvxStakingPositionManager are actually fetched from cvgControlTower, i.e. from the Convergence Control Tower contract, which is one of the core contracts of the Convergence protocol for various setter contract addresses.

cvgControlTower address used in CvxRewardDistributor.sol as:

Reference contract: https://etherscan.io/address/0xB0Afc8363b8F36E0ccE5D54251e20720FfaeaeE7#readProxyContract

If you check the above address on Ethereum mainnet, it does not consist of addresses for both cvxConvergenceLocker and cvxStakingPositionManager, therefore the initialize function will revert or become unresponsive or will show an unexpected behaviour. This is due to missing address variables being called from the Convergence Control Tower contract.

Impact

Initialize() function will show unexpected behaviour or revert due to calling of unimplemented addresses, i.e. cvxConvergenceLocker and cvxStakingPositionManager, from cvgControlTower. This will prevent initialization of the CvxRewardDistributor contract and would affect the users' functionalities.

Recommendation to fix

Do not fetch the address of cvxConvergenceLocker and cvxStakingPositionManager from cvgControlTower since it is implemented in cvgControlTower contract.

Pass the cvxConvergenceLocker and cvxStakingPositionManager value as address argument in initialize() function similar to _cvx1.
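
The deploy-order dependency discussed in this report, shown as an added example that is not part of the original submission or of the Convergence code base: an initializer that reads two addresses from a registry and fails with a named error when the registry implementation does not expose them yet. The interface, contract name, error names and getter signatures are assumptions modelled on the names used in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical view of the registry; getter names are assumed from the report.
interface IControlTowerLike {
    function cvxConvergenceLocker() external view returns (address);
    function cvxStakingPositionManager() external view returns (address);
}

// Illustrative contract, not the project's CvxRewardDistributor.
contract DistributorInitSketch {
    address public immutable tower;
    address public cvxConvergenceLocker;
    address public cvxStakingPositionManager;
    bool private _initialized;

    error AlreadyInitialized();
    error RegistryEntryMissing(string name);

    constructor(address tower_) {
        tower = tower_;
    }

    function initialize() external {
        if (_initialized) revert AlreadyInitialized();
        _initialized = true;
        cvxConvergenceLocker = _fetch(
            IControlTowerLike.cvxConvergenceLocker.selector, "cvxConvergenceLocker");
        cvxStakingPositionManager = _fetch(
            IControlTowerLike.cvxStakingPositionManager.selector, "cvxStakingPositionManager");
    }

    // A low-level staticcall lets the three failure cases be told apart from a
    // bare revert: getter absent from the current implementation (call fails),
    // no code at the registry address (empty return data), and getter present
    // but never set (zero address).
    function _fetch(bytes4 selector, string memory name) private view returns (address a) {
        (bool ok, bytes memory ret) = tower.staticcall(abi.encodeWithSelector(selector));
        if (!ok || ret.length != 32) revert RegistryEntryMissing(name);
        a = abi.decode(ret, (address));
        if (a == address(0)) revert RegistryEntryMissing(name);
    }
}
```

With this shape, initializing before the registry has been upgraded reverts with RegistryEntryMissing and the entry name, and the same call succeeds once the registry exposes both addresses.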