Calling the initialize function in the constructor() while passing address(0) as parameters will render contract unusable.

Summary

Passing address(0) as parameters when calling the initialize function from the constructor(0) will lock the contract and the right addresses cannot be set again.

Vulnerability Detail

The bug affects; L2StandardBridge.sol, L1StandardBridge.sol, L1crossDomainMessenger.sol and L2crossDomainMessenger.sol and optimismportal2.sol. The initialie() function in these contracts implements the initializer modifier which ensures that the initialize function can only be called once. The bug here is that the initialize function is called in the constructor() using null addresses as parameters and since the initialize function cannot be called again, the contract becomes locked.

Impact

Contracts are initialized with the zero address which renders them unusable.

Code Snippet

constructor(uint256 _proofMaturityDelaySeconds, uint256 _disputeGameFinalityDelaySeconds) {
        PROOF_MATURITY_DELAY_SECONDS = _proofMaturityDelaySeconds;
        DISPUTE_GAME_FINALITY_DELAY_SECONDS = _disputeGameFinalityDelaySeconds;

        initialize({
            _disputeGameFactory: DisputeGameFactory(address(0)),
            _systemConfig: SystemConfig(address(0)),
            _superchainConfig: SuperchainConfig(address(0)),
            _initialRespectedGameType: GameType.wrap(0)
        });
    }

Code Links

https://github.com/sherlock-audit/2024-08-tokamak-network/blob/main/tokamak-thanos/packages/tokamak/contracts-bedrock/src/L1/OptimismPortal2.sol#L153 https://github.com/sherlock-audit/2024-08-tokamak-network/blob/main/tokamak-thanos/packages/tokamak/contracts-bedrock/src/L1/OptimismPortal2.sol#L169

Tool used

Manual Review

Recommendation

Use proper addresses in initializing the contracts instead of the zero address

sherlock-audit / 2024-08-tokamak-network-judging

oxchryston - Calling the initialize function in the constructor() while passing address(0) as parameters will render contract unusable. #72