Sparkn

CodeFox Inc.
DeFi, Foundry, Proxy
15,000 USDC
Submission Details
Severity: medium

The Constructor Caveat leads to bricking of Distributor contract

Summary

The Constructor Caveat leads to bricking of Distributor contract

Vulnerability Details

Distributor.sol is called through a proxy via delegate calls.

In Distributor.sol, factoryAddress and stadiumAddress are initialized in the constructor.

As stated by the [ZeppelinOS documentation](https://blog.openzeppelin.com/proxy-patterns):
If your logic contract relies on its constructor to set up some initial state, that would have to be redone after it’s linked to the proxy since the proxy’s storage doesn’t know about those values.

Impact

In Solidity, code that is inside a constructor or part of a global variable declaration is not part of a deployed contract’s runtime bytecode. This code is executed only once, when the contract instance is deployed. As a consequence of this, the code within a logic contract’s constructor will never be executed in the context of the proxy’s state. This means that any state changes made in the constructor of a logic contract will not be reflected in the proxy’s state.

Tools Used

Recommendations

Move the code within the constructor to a regular 'initializer' function, and have this function called whenever the proxy links to this logic contract. Take special care that this initialize function can only be called once, and use another initialization mechanism, since the governance address should be set in initialize.
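The sketch below is an added example, not code from the Sparkn repository or from this submission. It contrasts a constructor-initialized logic contract with an initializer-based one behind a minimal delegatecall proxy. The contract names and the `initialize` signature are hypothetical, and it assumes `factoryAddress` is an ordinary storage variable (an `immutable` variable is embedded in runtime bytecode and behaves differently).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration; contract names are hypothetical, not the Sparkn code.
// Assumes factoryAddress is an ordinary storage variable (slot 0).
contract LogicWithConstructor {
    address public factoryAddress; // slot 0

    constructor(address factory) {
        // Runs once at deployment and writes only to this contract's own storage.
        factoryAddress = factory;
    }
}

contract LogicWithInitializer {
    address public factoryAddress; // slot 0
    bool private initialized;      // packed into slot 0 after the address

    function initialize(address factory) external {
        require(!initialized, "already initialized");
        require(factory != address(0), "zero address");
        initialized = true;
        factoryAddress = factory;
    }
}

contract MinimalProxy {
    // EIP-1967 implementation slot, so it cannot collide with the logic's slot 0.
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    constructor(address implementation, bytes memory initData) {
        assembly { sstore(IMPL_SLOT, implementation) }
        if (initData.length > 0) {
            // Runs initialize() against the proxy's storage, atomically with deployment.
            (bool ok, ) = implementation.delegatecall(initData);
            require(ok, "init failed");
        }
    }

    fallback() external payable {
        assembly {
            let impl := sload(IMPL_SLOT)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}
```

Reading `factoryAddress()` through a proxy that points at `LogicWithConstructor` returns `address(0)`, because the constructor wrote to the logic contract's storage. Deploying the proxy with `initData = abi.encodeCall(LogicWithInitializer.initialize, (factory))` stores the value in the proxy's storage and blocks a second call.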
