Sparkn

CodeFox Inc.
DeFi, Foundry, Proxy
15,000 USDC
Submission Details
Severity: medium

Uninitialized Implementation Address

Summary

The constructor of the contract accepts an implementation address as a parameter and assigns it to the _implementation variable. However, there is no validation check to ensure that the implementation address is not the zero address (address(0)).

Vulnerability Details

This omission creates a vulnerability where an uninitialized or invalid implementation address can be assigned to the contract, leading to the following risks:

Uninitialized Behavior: If the implementation address is the zero address, the contract will store this value as the _implementation. This results in the proxy contract being unable to delegate calls to a valid implementation. This may lead to unexpected and inconsistent behavior.

Inconsistent Functionality: Without a valid implementation address, the proxy contract's intended functionality to delegate calls is effectively disabled, rendering the contract non-functional.

Impact

Malicious actors could exploit the absence of a zero address check to manipulate the proxy contract's behavior, potentially compromising its security.

Tools Used

Manual analysis

Recommendations

Add a validation check in the constructor to ensure that the implementation address is not the zero address (address(0)). This check will prevent uninitialized or invalid addresses from being assigned as the implementation.

    constructor(address implementation) {
        // Reject the zero address before it is stored as the delegate target.
        require(implementation != address(0), "Implementation address cannot be zero");
        _implementation = implementation;
    }
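
The recommended check in the context of a complete minimal proxy, as an added example that is not the audited contract or the project's own code. It goes one step beyond the recommendation by also rejecting a non-zero address that has no deployed code, because a delegatecall to a code-less address returns success with empty return data, so a misconfigured proxy fails silently rather than reverting. The contract name CheckedProxy, the two custom errors and the pragma version are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example: hypothetical minimal proxy, not the audited contract.
contract CheckedProxy {
    error ZeroImplementation();
    error ImplementationHasNoCode(address implementation);

    // Set once at deployment; cannot be repaired later if it is wrong.
    address private immutable _implementation;

    constructor(address implementation) {
        // The check recommended in the submission.
        if (implementation == address(0)) revert ZeroImplementation();

        // Stricter check added for this example (assumption, not on the page):
        // an address without code is as unusable a target as address(0).
        if (implementation.code.length == 0) {
            revert ImplementationHasNoCode(implementation);
        }

        _implementation = implementation;
    }

    // Forward every call to the implementation and bubble up its result.
    fallback() external {
        // Immutables cannot be read inside assembly, so copy to a local first.
        address impl = _implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

Deploying this contract with address(0), or with an externally owned account as the implementation, reverts in the constructor, so the misconfiguration surfaces at deployment time instead of on the first forwarded call.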
