hats-finance / ether-fi-0x36c3b77853dec9c4a237a692623293223d4b9bc4

Smart Contracts for Ether Fi dapp

PausableUpgradeable is not initialized in EtherFiOracle.sol #25

Open hats-bug-reporter[bot] opened 11 months ago

hats-bug-reporter[bot] commented 11 months ago

Github username: --
Submission hash (on-chain): 0x1274cbca355a783ecb5177b1555e86a7e05e99e7f0b918f595d14154a3b73e80
Severity: low

Description

PausableUpgradeable is not initialized in EtherFiOracle.sol. In other words, __Pausable_init(); is not called in the initialize function.

Attack Scenario

A similar issue is found in the OpenZeppelin forum.

https://forum.openzeppelin.com/t/defender-pausableupgradeable/7148/3

Documentation also states that Upgradeable Contracts should be initialized.

https://docs.openzeppelin.com/contracts/4.x/upgradeable#usage

Attachments

Add __Pausable_init() to the initialization.

    function initialize(uint32 _quorumSize, uint32 _reportPeriodSlot, uint32 _reportStartSlot, uint32 _slotsPerEpoch, uint32 _secondsPerSlot, uint32 _genesisTime)
        external
        initializer
    {
        __Ownable_init();
        __UUPSUpgradeable_init();
+       __Pausable_init();
    }

https://github.com/hats-finance/ether-fi-0x36c3b77853dec9c4a237a692623293223d4b9bc4/blob/180c708dc7cb3214d68ea9726f1999f67c3551c9/src/EtherFiOracle.sol#L55-L60

How other contracts do it:

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPlayer.sol#L16-L23

seongyun-ko commented 11 months ago

True, but what __Pausable_init does is set the variable to false, which is already set to false, and it does not expose any attack vector for protocol funds.
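The point made in the report and in the reply above can be checked directly with a Foundry test. The following is an added example, not code from the ether-fi repository or from the reporter: it uses two constructed stand-in contracts (one that omits `__Pausable_init()`, one that calls it) and assumes OpenZeppelin contracts-upgradeable 4.x (where `__Pausable_init_unchained()` only assigns `_paused = false`) and forge-std on the import path. The assertions show that `paused()` reads `false` after `initialize()` in both cases and that `_pause()` / `_unpause()` work identically, which is why the finding is a consistency issue rather than a security one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Assumed: forge-std and @openzeppelin/contracts-upgradeable 4.x are installed.
import "forge-std/Test.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/security/PausableUpgradeable.sol";

// Constructed stand-in mirroring the reported shape: Pausable parent never initialized.
contract OracleWithoutPausableInit is OwnableUpgradeable, PausableUpgradeable {
    function initialize() external initializer {
        __Ownable_init();
        // __Pausable_init() intentionally omitted, as in the report.
    }

    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }
}

// Constructed stand-in applying the suggested fix: every parent initializer is called.
contract OracleWithPausableInit is OwnableUpgradeable, PausableUpgradeable {
    function initialize() external initializer {
        __Ownable_init();
        __Pausable_init(); // in OZ 4.x this only executes `_paused = false`
    }

    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }
}

contract PausableInitTest is Test {
    OracleWithoutPausableInit internal without;
    OracleWithPausableInit internal with;

    function setUp() public {
        // Deployed directly (no proxy) to keep the example small; the
        // storage default for an uninitialized bool is false either way.
        without = new OracleWithoutPausableInit();
        without.initialize();
        with = new OracleWithPausableInit();
        with.initialize();
    }

    // Both contracts start unpaused: the explicit init writes the value storage already holds.
    function testInitialPausedStateIsIdentical() public {
        assertEq(without.paused(), false);
        assertEq(with.paused(), false);
    }

    // Pause/unpause behave the same, so no functionality depends on the missing call.
    function testPauseAndUnpauseBehaveIdentically() public {
        without.pause();
        with.pause();
        assertTrue(without.paused());
        assertTrue(with.paused());

        without.unpause();
        with.unpause();
        assertFalse(without.paused());
        assertFalse(with.paused());
    }

    // Only the owner can pause in either variant; the missing init changes nothing here.
    function testNonOwnerCannotPause() public {
        address stranger = address(0xBEEF); // constructed test address
        vm.prank(stranger);
        vm.expectRevert("Ownable: caller is not the owner");
        without.pause();

        vm.prank(stranger);
        vm.expectRevert("Ownable: caller is not the owner");
        with.pause();
    }
}
```

Run with `forge test --match-contract PausableInitTest`. Adding `__Pausable_init()` is still the right hygiene for upgradeable contracts (it keeps the initializer in step with the inheritance chain if a future OpenZeppelin version gives the parent real initialization work), but as the test shows it does not change observable state or access control today.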

0xRizwan commented 11 months ago

@bunbuntigery This is not an issue; it is correctly described by @seongyun-ko.