Missing Initialization of Parent Contracts in ValantisModule
Summary
The ValantisModule contract in ValantisHOTModule.sol inherits from several other contracts, including IArrakisLPModule, IValantisHOTModule, PausableUpgradeable, and ReentrancyGuardUpgradeable. During the security review, it was identified that the initialize function does not include calls to initialize the parent contracts PausableUpgradeable and ReentrancyGuardUpgradeable.
Vulnerability Detail
The initialize function does not call the initialization functions for the inherited PausableUpgradeable and ReentrancyGuardUpgradeable contracts. These functions are crucial for setting up internal state variables and ensuring the proper functionality of pausing mechanisms and reentrancy guards.
Impact
Reentrancy Attacks: Without the initialization of ReentrancyGuardUpgradeable, the contract remains vulnerable to reentrancy attacks, which can result in significant financial losses and unauthorized fund withdrawals.
Ineffective Pausing Mechanism: If PausableUpgradeable is not initialized, the pause functionality may not work correctly. This prevents the contract from being paused during emergencies, leaving it exposed to ongoing attacks or operational issues.
NoOne
high
Missing Initialization of Parent Contracts in
ValantisModuleSummary
The
ValantisModulecontract inValantisHOTModule.solinherits from several other contracts, includingIArrakisLPModule,IValantisHOTModule,PausableUpgradeable, andReentrancyGuardUpgradeable. During the security review, it was identified that theinitializefunction does not include calls to initialize the parent contractsPausableUpgradeableandReentrancyGuardUpgradeable.Vulnerability Detail
The
initializefunction does not call the initialization functions for the inheritedPausableUpgradeableandReentrancyGuardUpgradeablecontracts. These functions are crucial for setting up internal state variables and ensuring the proper functionality of pausing mechanisms and reentrancy guards.Impact
Reentrancy Attacks: Without the initialization of
ReentrancyGuardUpgradeable, the contract remains vulnerable to reentrancy attacks, which can result in significant financial losses and unauthorized fund withdrawals.Ineffective Pausing Mechanism: If
PausableUpgradeableis not initialized, the pause functionality may not work correctly. This prevents the contract from being paused during emergencies, leaving it exposed to ongoing attacks or operational issues.Code Snippet
https://github.com/sherlock-audit/2024-03-arrakis/blob/main/arrakis-modular/src/abstracts/ValantisHOTModule.sol#L107
Tool used
Manual Review
Recommendation
Add
__ReentrancyGuard_init();and__Pausable_init();ininitializefunction.