Open hats-bug-reporter[bot] opened 4 months ago
selfdestruct() was removed, an initialized implementation is just a contract that's unusable. Since it cannot be destroyed to brick the proxy, this is a non-issue in my opinion.
selfdestruct()'s behaviour was changed, but only in compiler versions equal to or above 0.8.24: Solidity 0.8.24 announcement, and since the contracts use 0.8.23 the selfdestruct() proxy attack may still be viable. Note that there can be other potential issues if someone initializes the implementation contract.
PoC
no issue here, but yes, security best practice says that it would be to call _disableInitializers in the constructor.
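The practice named in the comment above, as an added example that is not part of the thread or of the project's code: a minimal upgradeable contract without and with the constructor lock. The contract names, the `owner` field and the `Check` harness are hypothetical, and the OpenZeppelin upgradeable and proxy packages are assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.23;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical contract (constructed for illustration). With no constructor,
// the implementation's own storage stays uninitialized after deployment, so
// whoever calls init() on the implementation address first becomes its owner.
contract FactoryUnlocked is Initializable {
    address public owner;

    function init(address owner_) external initializer {
        owner = owner_;
    }
}

// Same logic, with the implementation locked at deployment.
contract FactoryLocked is Initializable {
    address public owner;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Marks only the implementation's storage as initialized. A proxy
        // has its own storage, so its init() call is unaffected.
        _disableInitializers();
    }

    function init(address owner_) external initializer {
        owner = owner_;
    }
}

// Hypothetical harness: call run() from a test to compare the three cases.
contract Check {
    function run() external returns (bool unlockedTaken, bool lockedTaken, bool proxyOk) {
        FactoryUnlocked a = new FactoryUnlocked();
        a.init(address(this)); // accepted directly on the implementation
        unlockedTaken = a.owner() == address(this);

        FactoryLocked b = new FactoryLocked();
        // Direct call reverts because initializers were disabled in the constructor.
        try b.init(address(this)) { lockedTaken = true; } catch { lockedTaken = false; }

        // Initialization through a proxy still works with the locked implementation.
        bytes memory data = abi.encodeCall(FactoryLocked.init, (address(this)));
        ERC1967Proxy p = new ERC1967Proxy(address(b), data);
        proxyOk = FactoryLocked(address(p)).owner() == address(this);
    }
}
```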
Github username: --
Twitter username: --
Submission hash (on-chain): 0xfe25a0c906257e4d19f35ede55b581b83d2a1dab4db90ac651fdcffa0cae5626
Severity: low
Description:
OrchestratorFactory_v1.sol and ModuleFactory.sol are missing the _disableInitializers() call in the constructor. An implementation contract can be taken over by an attacker calling the init function, which may cause unexpected functionality (it is very dangerous with delegatecalls).

Recommendation
From OpenZeppelin's documentation: