Summary

In SDLPoolPrimary.sol the initialize() function does not allow the delegatorPool variable to be set dues to a logic error.

Vulnerability Details

The function initialize in the primary pool will initialize at most once. The first time the function initialize is called, it will call the __SDLPoolBase_init() function since the delegatorPool is equal to address zero. I am assuming that the current logic is versioned to be a consequent upgrade to the already deployed implementation, however the delegatorPool will still not get set as

if (delegatorPool == address(0)) {
__SDLPoolBase_init(_name, _symbol, _sdlToken, _boostController);
} else {
delegatorPool = ccipController;
}

this logic block will attempt to initialize the base again since the delegatorPool is equal to address zero. Unfortunately there is no external function to set the delegatorPool address manually.

Impact

As a consequence the migrate function will be in a state of DOS due to being unable to authenticate.

Tools Used

Manual Review

Recommendations

I would recommend the initializer logic be changed to

if (ccipController == address(0)) {
__SDLPoolBase_init(_name, _symbol, _sdlToken, _boostController);
} else {
delegatorPool = ccipController;
}