XO-UnitasProxy constructor does not check if selector for initialize function matches selector in logic contract
Summary
The UnitasProxy constructor does not check if the selector for the initialize function matches the selector in the logic contract. This means that an attacker could create a logic contract with a different selector for the initialize function. This would cause the UnitasProxy constructor to fail to initialize the logic contract. This could allow the attacker to gain control of the logic contract and steal funds.
Vulnerability Detail
/**
* @title The proxy contract to make `Unitas` upgradeable
*/
contract UnitasProxy is TransparentUpgradeableProxy {
constructor(
address logic_,
address proxyAdmin_,
Unitas.InitializeConfig memory config_
) TransparentUpgradeableProxy(
logic_,
proxyAdmin_,
abi.encodeWithSelector(Unitas.initialize.selector, config_)
) {}
- The vulnerability is in the `UnitasProxy `constructor. The constructor takes three parameters:
- `logic_`: The address of the logic contract.
- `proxyAdmin_`: The address of the proxy admin.
- `config_`: The configuration for the upgrade.
- so the vulnerability is in the line of code that calls the `TransparentUpgradeableProxy` constructor, this will only work if the `initialize` function in the logic contract has the same selector as the `initialize` function in the `Unitas` contract, there is no guarantee that this will be the case. it's means that it is possible to create a logic contract that has a different selector for the` initialize` function. this would cause the `UnitasProxy` contract to `fail` to `initialize` the logic contract.
## Impact
- An attacker could create a logic contract that has a different selector for the` initialize` function. This would cause the `UnitasProxy` contract to fail to` initialize` the logic contract. This could allow the attacker to gain control of the logic contract and steal funds.
## Code Snippet
- https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/UnitasProxy.sol#L15
## Tool used
Manual Review
## Recommendation
- the `UnitasProxy` constructor should check if the selector for the `initialize` function in the logic contract matches the selector for the `initialize` function in the `Unitas` contract. If the selectors do not match, then the `UnitasProxy` constructor should revert with an error.
XDZIBEC
high
XO-UnitasProxy constructor does not check if selector for initialize function matches selector in logic contract
Summary
UnitasProxy
constructor does not check if the selector for theinitialize
function matches the selector in the logic contract. This means that an attacker could create a logic contract with a different selector for theinitialize
function. This would cause theUnitasProxy
constructor to fail toinitialize
the logic contract. This could allow the attacker to gain control of the logic contract and steal funds.Vulnerability Detail