The SmartVaultManagerV5 contract inherits the ERC721Upgradeable and OwnableUpgradeable upgradeable contracts, but they are not initialised.
The SmartVaultManagerV5 contract does not invoke the ERC721Upgradeable and OwnableUpgradeable initializers during its own initialization. As a result, the state of these upgradeable contracts remains uninitialized.
The issue lies in deviating from the correct implementation of upgradeable contracts; refer to OZ’s docs.
Proper implementation of upgradeable contracts is possible only by using an initialize function, which in turn calls the inherited contracts' initializers.
The absence of the initialization call will result in an inability to call the initialise functions that hold the main logic in the Upgradeable contracts.
As a result, the owner address will always remain address(0), and all onlyOwner-based functions will always revert due to the lack of an owner role.
This will also impact the ERC721Upgradeable contract's methods _safeMint and tokenURI, as they will remain uncallable, rendering all functions related to them useless and impacting the overall working of the protocol.
The contract will also remain un-upgradeable. Whenever any functionality needs to be upgraded, it will not be possible due to the lack of an owner.
Manual code review
Implement an initialize function in SmartVaultManagerV5.sol, as guided in OZ’s docs.
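A sketch of the recommended pattern, added here as an illustration and not taken from the project's code. It assumes OpenZeppelin contracts-upgradeable v4.x (in v5.x `__Ownable_init` takes the initial owner as an argument); the contract name `VaultManagerExample`, the `lastToken` counter and the `mintTo` function are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not the project's code. Assumes OpenZeppelin
// contracts-upgradeable v4.x import paths and initializer signatures.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC721/ERC721Upgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Hypothetical stand-in for the manager contract.
contract VaultManagerExample is Initializable, ERC721Upgradeable, OwnableUpgradeable {
    uint256 private lastToken; // hypothetical token id counter

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation contract so that initialize() can only
        // ever run in a proxy's storage context.
        _disableInitializers();
    }

    // Called once through the proxy. Every inherited upgradeable contract
    // gets its own init call; omitting either one leaves that parent's
    // state at its zero values.
    function initialize(string memory name_, string memory symbol_) external initializer {
        __ERC721_init(name_, symbol_); // stores the token name and symbol
        __Ownable_init();              // v4.x: sets owner to the caller
    }

    // Relies on both parents: onlyOwner reads the owner set by
    // __Ownable_init, and _safeMint belongs to ERC721Upgradeable.
    function mintTo(address to) external onlyOwner returns (uint256 tokenId) {
        tokenId = ++lastToken;
        _safeMint(to, tokenId);
    }
}
```

After deployment, reading `owner()` and `name()` through the proxy is a quick check that both parent initializers actually ran.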