Open hats-bug-reporter[bot] opened 2 weeks ago
After reviewing the reported issue, we have determined that the concern is not relevant to our implementation. Here's why:

EthMultiVault and AtomWallet contracts are designed to be used with the proxy pattern. In this pattern, the implementation contracts are never directly interacted with; instead, all interactions occur through the proxy. This ensures that the implementation contracts are not at risk of being taken over.

_disableInitializers is not necessary given our controlled environment and usage patterns.

In conclusion, the reported issue does not apply to our specific use case and implementation. The proxy pattern and controlled deployment process we use ensure that our contracts are not vulnerable to the concerns raised. Therefore, we consider this issue to be invalid and not a threat to our system's security.
@mihailo-maksa This issue highlights potential non-following of OpenZeppelin's upgradeable contracts usage, as shared here.
While we acknowledge OpenZeppelin's best practice recommendation
Since you have acknowledged this issue: if the issue is acknowledged, then it's considered valid. Fixing or not fixing the issue is up to the protocol team. Since the issue highlighted is correct and acknowledged, I think it should be considered valid.
Github username: --
Twitter username: --
Submission hash (on-chain): 0xe9364c0d760d5791d36efab854149e2b1b84a394584ace46eaf6381c13331ae8
Severity: low
Description:
OpenZeppelin states:
"Avoid leaving a contract uninitialized.
An uninitialized contract can be taken over by an attacker. This applies to both a proxy and its implementation contract, which may impact the proxy.
To prevent the implementation contract from being used, you should invoke the _disableInitializers function in the constructor to automatically lock it when it is deployed."
EthMultiVault.sol and AtomWallet.sol do not invoke the _disableInitializers function in their constructors, so they are affected by this issue.
Recommendation:
Add the following code to the affected contracts:
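As an added illustration of the OpenZeppelin guidance quoted in the report (this is example code written here, not the EthMultiVault or AtomWallet source and not the reporter's recommended snippet), the following shows a hypothetical upgradeable implementation whose constructor calls `_disableInitializers()`, together with a Foundry test that checks both sides of the discussion above: calling `initialize` directly on the implementation reverts, while initialization through an ERC1967 proxy still succeeds. It assumes OpenZeppelin Contracts v5 (where the revert is the custom error `InvalidInitialization()`; v4 reverts with a string instead) and forge-std; the contract and variable names are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not project code. Assumes OpenZeppelin Contracts v5
// (standard + upgradeable packages) and Foundry's forge-std are installed.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

/// Hypothetical vault implementation following the OpenZeppelin guidance:
/// the constructor locks the logic contract itself, so initialize() can only
/// ever run in a proxy's storage context, never on the bare implementation.
contract LockedVaultImpl is Initializable {
    address public admin;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers(); // lock the implementation at deploy time
    }

    function initialize(address admin_) external initializer {
        admin = admin_;
    }
}

/// Forge test: direct initialization of the implementation must revert,
/// while initialization through the proxy must work as before.
contract LockedVaultImplTest is Test {
    LockedVaultImpl internal impl;
    address internal constant ADMIN = address(0xBEEF); // constructed sample value

    function setUp() public {
        impl = new LockedVaultImpl();
    }

    function testImplementationCannotBeInitialized() public {
        // OZ v5 Initializable reverts with InvalidInitialization() once locked
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        impl.initialize(ADMIN);
    }

    function testProxyInitializesNormally() public {
        bytes memory initData = abi.encodeCall(LockedVaultImpl.initialize, (ADMIN));
        ERC1967Proxy proxy = new ERC1967Proxy(address(impl), initData);
        // State lives in the proxy; the locked implementation is untouched
        assertEq(LockedVaultImpl(address(proxy)).admin(), ADMIN);
        assertEq(impl.admin(), address(0));
    }
}
```

Run with `forge test` in a project that has both OpenZeppelin packages remapped. The second test is the check that answers the "we only use the proxy" argument: locking the implementation costs nothing for proxy users, since the proxy's storage is initialized exactly as before, and the first test is the regression guard that would fail if a later refactor dropped the constructor call.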