Closed sherlock-admin3 closed 4 months ago
Will address
Escalate
This issue shows no impact. The vulnerability described happens and would be valid when the upgrade functions are exposed, which is not the case as UUPSUpgradeable proxies use the onlyProxy to protect upgradeable functions.
Agree on the lack of impact.
There's been a lot of confusion regarding this set of issues, which I believe have been incorrectly reduced to a unique set of duplicates.
Let's hope all these could get addressed.
Agree that this report has no impact and falls down into "Front-running initialisers rule". Planning to accept the escalation and invalidate the report.
Regarding different issue families in the report, will look closer into it a bit later, thank you for noticing.
Agreed with the reasoning of @realfugazzi, this issue can be invalidated.
For Issue #281 and #162 it's a borderline low/medium severity issue. I am tending towards low because issues related to breakage of initialize were considered low in earlier contests.
Result: Invalid Has Duplicates
The protocol team fixed this issue in the following PRs/commits: https://github.com/titlesnyc/wallflower-contract-v2/pull/1
xiaoming90
medium

Uninitialized TitlesCore implementation contract can be taken over by an attacker

Summary
An attacker could take over the implementation/logic contract of TitlesCore, which might impact the proxy.

Vulnerability Detail
Per Line 21, the TitlesCore contract inherits from the UUPSUpgradeable contract. The TitlesCore contract will contain the logic/implementation, and the UUPS proxy will point its implementation to the TitlesCore contract address.

It was observed that the TitlesCore implementation/logic contract is left uninitialized. As a result, an attacker could take over the implementation/logic contract of TitlesCore by calling the TitlesCore.initialize function directly on the TitlesCore implementation/logic contract, which might impact the proxy. When that happens, the attacker will become the owner of the implementation/logic contract per Line 45 below.
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/TitlesCore.sol#L45

Impact
An attacker could take over the implementation/logic contract of TitlesCore, which might impact the proxy.

Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/TitlesCore.sol#L45

Tool used
Manual Review

Recommendation
To prevent the implementation contract from being used or taken over, invoke the initializer in the constructor to automatically lock the initializer on the implementation contract when it is deployed. This is also the recommendation from OpenZeppelin when handling upgradable contracts (https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable#initializing_the_implementation_contract). Ensure that this change is also applied to the TitlesGraph contract, as it is also an upgradable contract.
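The following is an added example, not code from the Titles project or from the report above. It puts a minimal UUPS logic contract in the shape the report describes beside the hardened form the recommendation asks for, and a Foundry test shows three things: an unlocked logic contract can be claimed by whoever calls initialize first; the onlyProxy guard still rejects upgradeToAndCall on the logic contract itself, which is the escalation's reason for "no impact"; and a constructor that calls OpenZeppelin's _disableInitializers makes direct initialize calls revert while the proxy still initialises normally. Contract names, the constructed addresses, and the OpenZeppelin v5 import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the Titles project's code). Assumes forge-std and
// OpenZeppelin v5 upgradeable contracts are installed.
import {Test} from "forge-std/Test.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

/// Before: nothing stops a direct call to initialize() on the logic contract,
/// so the first caller becomes owner of the logic contract's own storage.
contract LogicUnlocked is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
    }
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// After: the constructor marks the logic contract as fully initialized at
/// deploy time, so only proxies delegating to it can ever run initialize().
contract LogicLocked is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }
    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
    }
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

contract ImplementationLockTest is Test {
    address constant DEPLOYER = address(0xD0); // constructed test addresses
    address constant STRANGER = address(0x5A);

    function test_unlockedLogicCanBeClaimedButNotUpgraded() public {
        LogicUnlocked logic = new LogicUnlocked();

        // Direct initialize on the logic contract succeeds: STRANGER owns it.
        vm.prank(STRANGER);
        logic.initialize(STRANGER);
        assertEq(logic.owner(), STRANGER);

        // The upgrade path stays shut regardless: onlyProxy reverts when
        // upgradeToAndCall is invoked on the logic contract rather than via
        // a proxy, which is why the judges saw no impact on the proxy.
        vm.prank(STRANGER);
        vm.expectRevert(UUPSUpgradeable.UUPSUnauthorizedCallContext.selector);
        logic.upgradeToAndCall(address(0xBEEF), "");
    }

    function test_lockedLogicRejectsDirectInitialize() public {
        LogicLocked logic = new LogicLocked();

        // The lock set in the constructor makes any direct initialize revert.
        vm.prank(STRANGER);
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        logic.initialize(STRANGER);

        // The proxy still initialises, because the lock lives in the logic
        // contract's storage while the proxy runs initialize in its own.
        ERC1967Proxy proxy = new ERC1967Proxy(
            address(logic),
            abi.encodeCall(LogicLocked.initialize, (DEPLOYER))
        );
        assertEq(LogicLocked(address(proxy)).owner(), DEPLOYER);
    }
}
```

Run with `forge test` in a project that has the two dependencies installed. The second test is the check a reviewer would want after the fix in the linked PR: the logic contract refuses initialize while a fresh proxy pointing at it still completes its own initialisation.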