No Protection of Uninitialized Implementation Contracts From Attacker
Summary
No Protection of Uninitialized Implementation Contract From Attacker
Vulnerability Detail
In the contract StrategyPassiveManagerVelodrome implements Openzeppelin’s Upgradeable model, uninitialized implementation contract can be taken over by an attacker with initialize function, it’s recommended to invoke the _disableInitializers function in the constructor to prevent the implementation contract from being used by the attacker. However the contract which implements PausableUpgradeable and OwnableUpgradeable do not call _disableInitializers in the constructors
Impact
Uninitialized implementation contract can be taken over by an attacker with initialize function. Conduct a phishing scam at this contract address since it was deployed by the Gamma Team.
no
medium
No Protection of Uninitialized Implementation Contracts From Attacker
Summary
No Protection of Uninitialized Implementation Contract From Attacker
Vulnerability Detail
In the contract
StrategyPassiveManagerVelodrome
implements Openzeppelin’s Upgradeable model, uninitialized implementation contract can be taken over by an attacker with initialize function, it’s recommended to invoke the _disableInitializers function in the constructor to prevent the implementation contract from being used by the attacker. However the contract which implements PausableUpgradeable and OwnableUpgradeable do not call _disableInitializers in the constructorsImpact
Uninitialized implementation contract can be taken over by an attacker with initialize function. Conduct a phishing scam at this contract address since it was deployed by the Gamma Team.
Code Snippet
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L28
Tool used
Manual Review
Recommendation