Initializing of implementation contracts is missing
Summary
The USSD deploys a few contracts in an upgradeable fashion with a proxy pattern. The implementation contracts in such a setup should not be forgotton to be initialized. Depending on the proxy setup this can lead to a severe attack vector.
Vulnerability Detail
The UUSD.sol and USSDRebalancer.sol contracts are deployed with a proxy pattern.
For both contracts the initialize function is used to unitialize the proxy state variables:
What seems to have been overlooked is that it is recommended to define a constructor for this kind of implementation contracts calling the _disableInitializers() function to avoid unexpected initializations.
Impact
Uninitialized contracts can be initialized by anyone. Depending on the proxy setup this can have severe consequences.
Code Snippet
Tool used
Manual Review
Recommendation
Include a constructor in each each upgradeable contract like this:
berlin-101
medium
Initializing of implementation contracts is missing
Summary
The USSD deploys a few contracts in an upgradeable fashion with a proxy pattern. The implementation contracts in such a setup should not be forgotton to be initialized. Depending on the proxy setup this can lead to a severe attack vector.
Vulnerability Detail
The
UUSD.solandUSSDRebalancer.solcontracts are deployed with a proxy pattern.For both contracts the
initializefunction is used to unitialize the proxy state variables:What seems to have been overlooked is that it is recommended to define a constructor for this kind of implementation contracts calling the
_disableInitializers()function to avoid unexpected initializations.Impact
Uninitialized contracts can be initialized by anyone. Depending on the proxy setup this can have severe consequences.
Code Snippet
Tool used
Manual Review
Recommendation
Include a constructor in each each upgradeable contract like this: