sherlock-admin
commented
8 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because {invalid: initalization == admin task -> invalid}
Closed sherlock-admin2 closed 8 months ago
sherlock-admin
commented
8 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because {invalid: initalization == admin task -> invalid}
r0ck3tz
medium
Missing initialization of implementation contract
Summary
The
AvailBridgecontract fails to initialize the implementation contract, creating a potential vulnerability where an attacker could initialize the implementation contract.Vulnerability Detail
The
AvailBridgelacks a constructor but solely implements theinitializefunction, which is executed via the proxy contract. The concern arises from the fact that the implementation contract remains uninitialized, providing an opportunity for an attacker to initialize it with values of their choiceImpact
Attacker can initialize the implementation contract with the values of his choice.
Code Snippet
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L87-L104
Tool used
Manual Review
Recommendation
It is recommended to add a constructor add call
_disableInitializersofInitializablecontract.