sherlock-audit / 2024-06-boost-aa-wallet-judging


Spare Merlot Manatee - Avoid state initialization in the constructor of the implementation contract #486

Closed sherlock-admin2 closed 1 month ago

sherlock-admin2 commented 1 month ago

Spare Merlot Manatee

Low/Info

Avoid state initialization in the constructor of the implementation contract

Summary

In ERC1155Incentive the state variable reward is being initialized in the constructor of the contract rather than cloned and initialized through the initialize() function as described in the protocol's documentation.

Vulnerability Detail

The issue is that it's not a best practice to initialize state in the constructor when it comes to a minimal proxy implementation.

Impact

While the impact is minimal, it would still be a better decision to initialize the whole contract state in the initialize() function.

Tool used

VSCode Manual Review

Recommendation

Move the reward state variable initialization from the constructor to the initialize() function
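Why constructor-set state and minimal proxies do not mix, as an added example that is not part of the original report or of the Boost protocol code. The contracts `ConstructorInit`, `InitializerInit` and `CloneCheck` are hypothetical, and OpenZeppelin's `Clones` and `Initializable` are assumed as the clone and initializer libraries.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
import {Initializable} from "@openzeppelin/contracts/proxy/utils/Initializable.sol";

// Hypothetical implementation that sets state in its constructor.
contract ConstructorInit is Initializable {
    uint256 public reward;
    address public owner;

    constructor() {
        reward = 1;              // written to the implementation's own storage only
        _disableInitializers();  // locks the implementation, not its clones
    }

    function initialize(address owner_) external initializer {
        owner = owner_;          // a clone gets owner, but its reward slot is never written
    }
}

// Hypothetical implementation that sets all state in initialize().
contract InitializerInit is Initializable {
    uint256 public reward;
    address public owner;

    constructor() {
        _disableInitializers();
    }

    function initialize(address owner_) external initializer {
        reward = 1;              // executed via delegatecall, so it lands in the clone's storage
        owner = owner_;
    }
}

// Deploys one minimal proxy per implementation and reads reward back from each clone.
contract CloneCheck {
    function run() external returns (uint256 viaConstructor, uint256 viaInitializer) {
        address a = Clones.clone(address(new ConstructorInit()));
        ConstructorInit(a).initialize(address(this));
        viaConstructor = ConstructorInit(a).reward();   // clone slot the constructor never touched

        address b = Clones.clone(address(new InitializerInit()));
        InitializerInit(b).initialize(address(this));
        viaInitializer = InitializerInit(b).reward();   // clone slot written by initialize()
    }
}
```

A clone only delegates calls to the implementation's runtime code; the implementation's constructor never runs in the clone's storage context, so anything it assigned stays at the type's default value in every clone.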

sherlock-admin2 commented 1 month ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/boostxyz/boost-protocol/pull/200