sherlock-audit / 2023-04-unitasprotocol-judging

4 stars 3 forks source link

XDZIBEC - XO-UnitasProxy constructor does not check if selector for initialize function matches selector in logic contract #72

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

XDZIBEC

high

XO-UnitasProxy constructor does not check if selector for initialize function matches selector in logic contract

Summary


- The vulnerability is in the `UnitasProxy `constructor. The constructor takes three parameters:
    - `logic_`: The address of the logic contract.
    - `proxyAdmin_`: The address of the proxy admin.
    - `config_`: The configuration for the upgrade.
- so the vulnerability is in the line of code that calls the `TransparentUpgradeableProxy` constructor, this  will only work if the `initialize` function in the logic contract has the same selector as the `initialize` function in the `Unitas` contract, there is no guarantee that this will be the case. it's means that it is possible to create a logic contract that has a different selector for the` initialize` function. this would cause the `UnitasProxy` contract to `fail` to `initialize` the logic contract.
## Impact
- An  attacker could create a logic contract that has a different selector for the` initialize` function. This would cause the `UnitasProxy` contract to fail to` initialize` the logic contract. This could allow the attacker to gain control of the logic contract and steal funds.
## Code Snippet
- https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/UnitasProxy.sol#L15
## Tool used

Manual Review

## Recommendation
- the `UnitasProxy` constructor should check if the selector for the `initialize` function in the logic contract matches the selector for the `initialize` function in the `Unitas` contract. If the selectors do not match, then the `UnitasProxy` constructor should revert with an error.