r0ck3tz
medium
Missing initialization of implementation contract
Summary
The AvailBridge contract fails to initialize the implementation contract, creating a potential vulnerability where an attacker could initialize the implementation contract.
Vulnerability Detail
The AvailBridge contract has no constructor and implements only the initialize function, which is executed via the proxy contract. As a result, the implementation contract itself remains uninitialized, providing an opportunity for an attacker to initialize it with values of their choice.
Impact
An attacker can initialize the implementation contract with values of their choice.
Code Snippet
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L87-L104
Tool used
Manual Review
Recommendation
It is recommended to add a constructor and call _disableInitializers of the Initializable contract.
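The recommended pattern, shown as an added example that is not taken from the audited repository: ExampleBridge, its governance field and ImplementationLockCheck are hypothetical names, and the imports assume the OpenZeppelin contracts and contracts-upgradeable packages are installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical stand-in for an upgradeable bridge; not AvailBridge itself.
contract ExampleBridge is Initializable {
    address public governance;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Runs once, in the implementation's own storage: marks it as
        // initialized so initialize() can never succeed on it directly.
        _disableInitializers();
    }

    // Called through the proxy (delegatecall), so it writes the proxy's
    // storage, where the initialized flag is still unset.
    function initialize(address governance_) external initializer {
        governance = governance_;
    }
}

// Deployment check: the proxy initializes, the bare implementation does not.
contract ImplementationLockCheck {
    function run() external returns (bool implLocked, bool proxyInitialized) {
        ExampleBridge impl = new ExampleBridge();

        // A direct call on the implementation must revert.
        try impl.initialize(address(this)) {
            implLocked = false;
        } catch {
            implLocked = true;
        }

        // Initialization through the proxy is unaffected by the constructor.
        ERC1967Proxy proxy = new ERC1967Proxy(
            address(impl),
            abi.encodeCall(ExampleBridge.initialize, (address(this)))
        );
        proxyInitialized = ExampleBridge(address(proxy)).governance() == address(this);
    }
}
```

With the constructor in place, run() returns (true, true); without it, the direct initialize call on the implementation succeeds and implLocked comes back false.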