In the InvestToken contract, the constructor currently includes initialization logic by setting the validator and usde addresses. However, in a proxy context, only _disableInitializers() should be included in the constructor, while all other setup logic should be performed within the initialize function.
Impact
Risk of contract takeover: Failing to follow correct initialization practices may allow unauthorized re-initialization.
Initialization inconsistencies: Setting values in the constructor in a proxy environment can lead to data inconsistencies, affecting contract functionality.
Recommendation
Limit the constructor to _disableInitializers() only, and transfer any other initialization logic to the initialize function.
Example Fix:
Update the constructor:
constructor() {
_disableInitializers();
}
Move initialization of validator and usde to the initialize function:
Github username: -- Twitter username: -- Submission hash (on-chain): 0xdfed1e902f212bf4397711db01e59b980f7f57d3543d83cceb88d7bf75a1cd51 Severity: low
Description: **Security Audit Report: Improper Constructor
Issue Description
In the
InvestToken
contract, the constructor currently includes initialization logic by setting thevalidator
andusde
addresses. However, in a proxy context, only_disableInitializers()
should be included in the constructor, while all other setup logic should be performed within theinitialize
function.Impact
Recommendation
Limit the constructor to
_disableInitializers()
only, and transfer any other initialization logic to theinitialize
function.Example Fix:
Update the constructor:
Move initialization of
validator
andusde
to theinitialize
function:This structure ensures security and correct initialization within a proxy-based deployment.