First Flight #3: Thunder Loan
First Flight #3
Beginner FriendlyFoundryDeFiOracle
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Invalid

Initial owner is not provided for _Ownable_init() function

Prabhas

Summary

Inside the initialize function in ThunderLoan contract when calling _Ownable_init an address of the initial owner should be provided or else it reverts and therefore it becomes impossible to initialize the contract as _Ownable_init reverts if the address provided is 0x0.

Vulnerability Details

As we can see from the openzeppelin docs _Ownable_init function accepts the address as an argument

function __Ownable_init(address initialOwner) internal onlyInitializing {
__Ownable_init_unchained(initialOwner);
}
function __Ownable_init_unchained(address initialOwner) internal onlyInitializing {
if (initialOwner == address(0)) {
revert OwnableInvalidOwner(address(0));
}
_transferOwnership(initialOwner);
}

and the _transferOwnership function reverts if the provided address is 0x0

function transferOwnership(address newOwner) public virtual onlyOwner {
if (newOwner == address(0)) {
revert OwnableInvalidOwner(address(0));
}
_transferOwnership(newOwner);
}

therefore we can't successfully execute the initialize function and can't initialize the contract.

Impact

The contract can't be initialized as the initialize function reverts. It becomes impossible to successfully initialize the contract.

Tools Used

No special tools used, just a manual review.

Recommendations

Please provide the address of the initial owner as an argument while calling _Ownable_init in the initialize function.

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.