search

sherlock-audit / 2024-04-titles-judging

9 stars 6 forks source link

threadmodeling - `TitlesCore.createEdition()` will keep reverting until the admin's intervention due to an incomplete initialization #231

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 4 months ago

threadmodeling

medium

TitlesCore.createEdition() will keep reverting until the admin's intervention due to an incomplete initialization

Summary

The editionImplementation variable is set on the implementation contract but isn't initialized in initialize(). Due to the call to editionImplementation.clone() in createEdition(), this function will revert until the owner or the admin's intervention.

Vulnerability Detail

We can see that editionImplementation is created on the proxy (TitlesCore.sol#L37) and will most likely be the implementation which will be cloned in subsequent Edition creation:

File: TitlesCore.sol
37:     address public editionImplementation = address(new Edition());

However, this value is neither set in TitlesCore's proxy not initialized in initialize (TitlesCore.sol#L44-L49):

File: TitlesCore.sol
44:     function initialize(address feeReceiver_, address splitFactory_) external initializer {
45:         _initializeOwner(msg.sender);
46: 
47:         feeManager = new FeeManager(msg.sender, feeReceiver_, splitFactory_); 
48:         graph = new TitlesGraph(address(this), msg.sender);
49:     }

This means that, the following call will revert until the admin or the owner's intervention (TitlesCore.sol#L79):

File: TitlesCore.sol
79:         edition = Edition(editionImplementation.clone());

Impact

DOS / protocol's unavailability => Medium

Code Snippet

Tool used

Manual Review

Recommendation

Add editionImplementation in initialize(). While it could be argued that the deployment script could be calling setEditionImplementation(), its omission in initialize() actually gives credit to the likelihood of this Denial of Service. Also, the currently available file is empty (Titles.s.sol)

Duplicate of #272