Anyone can call initialize and set their ownership and a custom weth address. As this contract is upgradeable, not only this can cause problems related to some relevant functions being locked, but also contract can be destroyed as of the upgradeable operations.
Vulnerability Detail
Lack of access control at initialize can destroy upgradeable contracts
Impact
Ownership front-runned and lost, contract being destroyed calling upgradeTo or upgradeToAndCall from UUPSUpgradeable
Deivitto
high
Unprotected
initializein upgradeable contractSummary
Anyone can call initialize and set their
ownershipand a customwethaddress. As this contract is upgradeable, not only this can cause problems related to some relevant functions being locked, but also contract can be destroyed as of the upgradeable operations.Vulnerability Detail
Lack of access control at
initializecan destroy upgradeable contractsImpact
Ownership front-runned and lost, contract being destroyed calling
upgradeToorupgradeToAndCallfrom UUPSUpgradeableCode Snippet
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDController.sol#L76-L85
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/rage-trade/RageDnDepository.sol#L63-L78
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L98-L128
Tool used
Manual Review
Recommendation
Protect
initializefunctions