hats-finance / Euro-Dollar-0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd

Audit competition repository for Euro-Dollar (0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd)
https://hats.finance
MIT License

Improper constructor implementation in a proxy context in InvestToken contract #52

Open hats-bug-reporter[bot] opened 1 week ago

hats-bug-reporter[bot] commented 1 week ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0xdfed1e902f212bf4397711db01e59b980f7f57d3543d83cceb88d7bf75a1cd51
Severity: low

Description: Security Audit Report: Improper Constructor

Issue Description

In the InvestToken contract, the constructor currently includes initialization logic by setting the validator and usde addresses. However, in a proxy context, only _disableInitializers() should be included in the constructor, while all other setup logic should be performed within the initialize function.

Impact

  1. Risk of contract takeover: Failing to follow correct initialization practices may allow unauthorized re-initialization.
  2. Initialization inconsistencies: Setting values in the constructor in a proxy environment can lead to data inconsistencies, affecting contract functionality.

Recommendation

Limit the constructor to _disableInitializers() only, and transfer any other initialization logic to the initialize function.

Example Fix:

  1. Update the constructor:

    constructor() {
        // Lock the implementation contract itself so initialize() can only run through the proxy
        _disableInitializers();
    }
  2. Move initialization of validator and usde to the initialize function:

    function initialize(
        string calldata _name,
        string calldata _symbol,
        address _initialOwner,
        IValidator _validator,
        IUSDE _usde,
        IYieldOracle _yieldOracle
    )
        public
        initializer // runs once per proxy; reverts on any later call
    {
        // Parent initializers replace the constructors the upgradeable base contracts do not have
        __ERC20_init(_name, _symbol);
        __ERC20Pausable_init();
        __ERC20Permit_init(_name);
        __AccessControl_init();
        __UUPSUpgradeable_init();
    
        // Dependency addresses are now written to the proxy's storage, not the implementation's
        validator = _validator;
        usde = _usde;
        yieldOracle = _yieldOracle;
        _grantRole(DEFAULT_ADMIN_ROLE, _initialOwner);
    }

This structure ensures security and correct initialization within a proxy-based deployment.
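The storage mechanics behind this finding, as an added Foundry test that is not part of the submission or of the InvestToken code: `MinimalProxy`, `TokenStorageInCtor`, `TokenImmutableInCtor` and `TokenInitializer` are constructed stand-ins, and the `initialized` flag imitates what OpenZeppelin's `_disableInitializers()` achieves without pulling in the library. It shows that a constructor write to a plain storage variable is not visible when the contract is called through a proxy, that an `immutable` assigned in a constructor is visible (it lives in code, not storage), and that a locking constructor plus `initialize()` permits exactly one initialization via the proxy and none on the bare implementation. Whether InvestToken declares validator and usde as storage or immutable is not shown on this page, so both cases are covered.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the InvestToken code: Foundry test showing what a constructor
// can and cannot usefully set when the contract runs behind a delegatecall proxy.
import "forge-std/Test.sol";

/// Minimal delegatecall proxy, constructed for this example (the project's proxy is not on the page).
contract MinimalProxy {
    address public immutable implementation;

    constructor(address impl) {
        implementation = impl;
    }

    fallback() external payable {
        address impl = implementation; // copied to a local so the assembly block can use it
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

/// "Before" shape: the constructor writes two storage variables. The writes land in the
/// implementation's own storage, which the proxy never reads.
contract TokenStorageInCtor {
    address public validator;
    address public usde;

    constructor(address _validator, address _usde) {
        validator = _validator;
        usde = _usde;
    }
}

/// Caveat: an immutable is embedded in the runtime bytecode, so it survives delegatecall.
contract TokenImmutableInCtor {
    address public immutable validator;

    constructor(address _validator) {
        validator = _validator;
    }
}

/// "After" shape: the constructor only locks the implementation; state is set via initialize().
contract TokenInitializer {
    address public validator;
    address public usde;
    bool private initialized; // hypothetical stand-in for OpenZeppelin Initializable bookkeeping

    constructor() {
        initialized = true; // stands in for _disableInitializers(): locks only the implementation
    }

    function initialize(address _validator, address _usde) external {
        require(!initialized, "already initialized");
        initialized = true;
        validator = _validator;
        usde = _usde;
    }
}

contract ConstructorBehindProxyTest is Test {
    address constant VALIDATOR = address(0x1111); // constructed sample addresses
    address constant USDE = address(0x2222);

    function test_storageSetInConstructorIsZeroThroughProxy() public {
        TokenStorageInCtor impl = new TokenStorageInCtor(VALIDATOR, USDE);
        TokenStorageInCtor viaProxy = TokenStorageInCtor(address(new MinimalProxy(address(impl))));
        assertEq(impl.validator(), VALIDATOR);      // set on the implementation itself
        assertEq(viaProxy.validator(), address(0)); // the proxy's storage slot was never written
        assertEq(viaProxy.usde(), address(0));
    }

    function test_immutableSetInConstructorSurvivesProxy() public {
        TokenImmutableInCtor impl = new TokenImmutableInCtor(VALIDATOR);
        TokenImmutableInCtor viaProxy = TokenImmutableInCtor(address(new MinimalProxy(address(impl))));
        assertEq(viaProxy.validator(), VALIDATOR); // read from code, so delegatecall sees it
    }

    function test_initializeOnceViaProxyNeverOnImplementation() public {
        TokenInitializer impl = new TokenInitializer();
        TokenInitializer viaProxy = TokenInitializer(address(new MinimalProxy(address(impl))));
        viaProxy.initialize(VALIDATOR, USDE);
        assertEq(viaProxy.validator(), VALIDATOR);
        vm.expectRevert(bytes("already initialized"));
        viaProxy.initialize(VALIDATOR, USDE); // re-initialization through the proxy is blocked
        vm.expectRevert(bytes("already initialized"));
        impl.initialize(VALIDATOR, USDE);     // the bare implementation was locked by its constructor
    }
}
```

Run it with `forge test -vv` inside a Foundry project that has forge-std installed. The first test is the concrete form of the "initialization inconsistencies" point: a proxy fronting `TokenStorageInCtor` reports a zero validator no matter what the constructor received, which is why such values belong in `initialize()`.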

AndreiMVP commented 1 week ago

Dup of https://github.com/hats-finance/Euro-Dollar-0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd/issues/51