Github username: @0xfuje
Twitter username: 0xfuje
Submission hash (on-chain): 0x0cc5d64fcb1309e8ea2a654336ebcb870e364cc55ea00ec7eed9ab765aec8c5b
Severity: low

Description

Most.sol implements OpenZeppelin's upgradeable model. The problem is that it is unprotected from an attacker initializing the contract. The uninitialized contract can be taken over by the attacker, for example by front-running the original deployer's initialize() call. This applies to both the proxy and its implementation contract. See OpenZeppelin's comment in their documentation:

"Do not leave an implementation contract uninitialized. An uninitialized implementation contract can be taken over by an attacker, which may impact the proxy. To prevent the implementation contract from being used, you should invoke the _disableInitializers function in the constructor to automatically lock it when it is deployed."
Recommendation

Consider adding a constructor to Most.sol that calls _disableInitializers():
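As an added illustration (not the submitter's or the project's code), the following Foundry test contrasts a hypothetical Most-like implementation left initializable with the hardened variant that locks itself in its constructor. It assumes OpenZeppelin contracts-upgradeable v5.x (where the initializer modifier reverts with InvalidInitialization()) and forge-std; the contract names and the test address are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Hypothetical stand-in for Most.sol (not the project's code): an upgradeable
// contract whose implementation is deployed without locking its initializer.
contract MostLikeUnlocked is Initializable, OwnableUpgradeable {
    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
    }
}

// Hardened variant: the constructor runs only on the implementation itself,
// so locking it here leaves initialize() callable solely via a proxy's delegatecall.
contract MostLikeLocked is Initializable, OwnableUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
    }
}

contract ImplementationLockTest is Test {
    address constant STRANGER = address(0xBEEF); // constructed test address

    // Regression check for the finding: an unlocked implementation accepts
    // initialize() from any caller, handing ownership of the implementation away.
    function test_unlockedImplementationAcceptsAnyInitializer() public {
        MostLikeUnlocked impl = new MostLikeUnlocked();
        vm.prank(STRANGER);
        impl.initialize(STRANGER);
        assertEq(impl.owner(), STRANGER);
    }

    // With _disableInitializers() in the constructor the same call reverts.
    function test_lockedImplementationRejectsInitialize() public {
        MostLikeLocked impl = new MostLikeLocked();
        vm.prank(STRANGER);
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        impl.initialize(STRANGER);
    }
}
```

Run with `forge test --match-contract ImplementationLockTest`; the first test documents the pre-fix behaviour and the second guards the fix against regressions.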