The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

No initialization in SmartVaultManagerV5 contract

Summary

The SmartVaultManagerV5 contract inherits the ERC721Upgradeable & OwnableUpgradeable contracts but does not invoke their individual initializers during its own initialization. As a result, the state of the ERC721Upgradeable & OwnableUpgradeable contracts remains uninitialized.

Vulnerability Details

The Smart Vault Manager contract manages vault deployments and controls the admin data that dictates the behavior of Smart Vaults (e.g. fee rates, collateral rates, dependency addresses), managed by The Standard.

SmartVaultManagerV5 implementation:

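    contract SmartVaultManagerV5 is
        ISmartVaultManager,
        ISmartVaultManagerV2,
        Initializable,
        ERC721Upgradeable,
        OwnableUpgradeable
    {
        // Empty initializer: no parent initializer is called
        function initialize() initializer public {}
        // ... (rest of the contract not shown in this excerpt)
    }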

Importantly, it has no constructor and an empty initializer. The issue is that when using upgradeable contracts, it is important to implement an initializer that in turn calls the base contracts' initializers.

Since Pool skips the __Ownable_init initialization call, this logic is skipped:

    function __Ownable_init() internal onlyInitializing {
        __Ownable_init_unchained();
    }

    function __Ownable_init_unchained() internal onlyInitializing {
        _transferOwnership(_msgSender());
    }

Therefore, the contract owner stays zero initialized, and this means any use of onlyOwner() will always revert.

List of functions that will always throw:

Note: In addition, the ERC721 name and symbol will remain uninitialized, but there will be no impact except for integration issues.

Impact

SmartVaultManagerV5 is unusable as most of its functions will throw.

Tools Used

Manual review

Recommendations

Consider initializing the ERC721Upgradeable & OwnableUpgradeable contracts in the SmartVaultManagerV5.initialize function as follows:

    function initialize(string memory name_, string memory symbol_) public initializer {
        __Ownable_init();
        __ERC721_init(name_, symbol_);
    }
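The difference between the empty initializer and the recommended one can be checked on freshly deployed proxies. The following is an added example, not code from the submission or from The Standard's repository; the contract names `EmptyInitManager`, `ChainedInitManager` and `InitCheck`, the `setFee` function and the "Vault"/"VLT" values are hypothetical, and it assumes OpenZeppelin Contracts 4.x, where `__Ownable_init()` takes no arguments.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example. Assumes OpenZeppelin Contracts / Contracts-Upgradeable 4.x.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC721Upgradeable} from "@openzeppelin/contracts-upgradeable/token/ERC721/ERC721Upgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical manager with the empty initializer pattern described in the report.
contract EmptyInitManager is Initializable, ERC721Upgradeable, OwnableUpgradeable {
    function initialize() public initializer {}

    function setFee(uint256) external onlyOwner {}
}

// Hypothetical manager that chains the parent initializers, as recommended.
contract ChainedInitManager is Initializable, ERC721Upgradeable, OwnableUpgradeable {
    function initialize(string memory name_, string memory symbol_) public initializer {
        __Ownable_init();
        __ERC721_init(name_, symbol_);
    }

    function setFee(uint256) external onlyOwner {}
}

// Puts each implementation behind a fresh proxy and reports the owner it ends up with.
contract InitCheck {
    function freshProxyOwners(address emptyImpl, address chainedImpl)
        external
        returns (address emptyOwner, address chainedOwner)
    {
        // The proxy constructor delegatecalls initialize(), so state lands in proxy storage.
        ERC1967Proxy a = new ERC1967Proxy(
            emptyImpl,
            abi.encodeCall(EmptyInitManager.initialize, ())
        );
        ERC1967Proxy b = new ERC1967Proxy(
            chainedImpl,
            abi.encodeCall(ChainedInitManager.initialize, ("Vault", "VLT"))
        );
        // address(0): no transaction sender can satisfy onlyOwner on this proxy
        emptyOwner = OwnableUpgradeable(address(a)).owner();
        // address(this): the account that deployed the proxy became owner
        chainedOwner = OwnableUpgradeable(address(b)).owner();
    }
}
```

This models a fresh proxy only. Owner, name and symbol live in the proxy's storage, so a proxy that was initialized under an earlier implementation keeps those values after an upgrade; reading `owner()` on the deployed proxy is the check that settles which case applies.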
Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid

0xbtk Submitter
almost 2 years ago