darksnow - _disableInitializers() function missing in contracts AuraSpell, ConvexSpell, CurveSpell. Anyone can take ownership of the implementation contracts #8
_disableInitializers() function missing in contracts AuraSpell, ConvexSpell, CurveSpell. Anyone can take ownership of the implementation contracts
Summary
_disableInitializers() function missing in contracts AuraSpell, ConvexSpell, CurveSpell.
Vulnerability Detail
_disableInitializers() is used in the constructor to prevent initialization of the implementation contract. This function is missing in contracts AuraSpell, ConvexSpell, CurveSpell.
Impact
Anyone can take ownership of the implementation contracts and can potentially use this as an attack vector.
darksnow
high
_disableInitializers() function missing in contracts AuraSpell, ConvexSpell, CurveSpell. Anyone can take ownership of the implementation contracts
Summary
_disableInitializers() function missing in contracts AuraSpell, ConvexSpell, CurveSpell.
Vulnerability Detail
_disableInitializers() is used in the constructor to prevent initialization of the implementation contract. This function is missing in contracts AuraSpell, ConvexSpell, CurveSpell.
Impact
Anyone can take ownership of the implementation contracts and can potentially use this as an attack vector.
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/AuraSpell.sol#L27-L37
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/ConvexSpell.sol#L27-L37
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/CurveSpell.sol#L27-L37
Tool used
Manual Review
Recommendation
Implement the constructor with oz _disableInitializers() function.