Anyone can call initialize and set their ownership and a custom weth address. As this contract is upgradeable, not only this can cause problems related to some relevant functions being locked, but also contract can be destroyed as of the upgradeable operations.
Vulnerability Detail
Lack of access control at initialize can destroy upgradeable contracts
Impact
Ownership front-runned and lost, contract being destroyed calling upgradeTo or upgradeToAndCall from UUPSUpgradeable
Deivitto
high
Unprotected
initialize
in upgradeable contractSummary
Anyone can call initialize and set their
ownership
and a customweth
address. As this contract is upgradeable, not only this can cause problems related to some relevant functions being locked, but also contract can be destroyed as of the upgradeable operations.Vulnerability Detail
Lack of access control at
initialize
can destroy upgradeable contractsImpact
Ownership front-runned and lost, contract being destroyed calling
upgradeTo
orupgradeToAndCall
from UUPSUpgradeableCode Snippet
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDController.sol#L76-L85
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/rage-trade/RageDnDepository.sol#L63-L78
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L98-L128
Tool used
Manual Review
Recommendation
Protect
initialize
functions