Improper constructor implementation in a proxy context in InvestToken contract

Github username: -- Twitter username: -- Submission hash (on-chain): 0xdfed1e902f212bf4397711db01e59b980f7f57d3543d83cceb88d7bf75a1cd51 Severity: low

Description: **Security Audit Report: Improper Constructor

Issue Description

In the InvestToken contract, the constructor currently includes initialization logic by setting the validator and usde addresses. However, in a proxy context, only _disableInitializers() should be included in the constructor, while all other setup logic should be performed within the initialize function.

Impact

Risk of contract takeover: Failing to follow correct initialization practices may allow unauthorized re-initialization.
Initialization inconsistencies: Setting values in the constructor in a proxy environment can lead to data inconsistencies, affecting contract functionality.

Recommendation

Limit the constructor to _disableInitializers() only, and transfer any other initialization logic to the initialize function.

Example Fix:

Update the constructor:

constructor() {
    _disableInitializers();
}

Move initialization of validator and usde to the initialize function:

function initialize(
    string calldata _name,
    string calldata _symbol,
    address _initialOwner,
    IValidator _validator,
    IUSDE _usde,
    IYieldOracle _yieldOracle
)
    public
    initializer
{
    __ERC20_init(_name, _symbol);
    __ERC20Pausable_init();
    __ERC20Permit_init(_name);
    __AccessControl_init();
    __UUPSUpgradeable_init();

    validator = _validator;
    usde = _usde;
    yieldOracle = _yieldOracle;
    _grantRole(DEFAULT_ADMIN_ROLE, _initialOwner);
}

This structure ensures security and correct initialization within a proxy-based deployment.

hats-finance / Euro-Dollar-0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd