Submission Details
Severity:
Ownable initialization in constructor missing
Summary
LiquidationPoolManager inherits Ownable. However, LiquidationPoolManager does not call the Ownable constructor in the LiquidationPoolManager constructor. This leads to the Ownable functionality being broken.
Vulnerability Details
LiquidationPoolManager inherits Ownable:
contract LiquidationPoolManager is Ownable
However, LiquidationPoolManager does not have a constructor call to Ownable:
constructor(address _TST, address _EUROs, address _smartVaultManager, address _eurUsd, address payable _protocol, uint32 _poolFeePercentage) {
pool = address(new LiquidationPool(_TST, _EUROs, _eurUsd, ISmartVaultManager(_smartVaultManager).tokenManager()));
TST = _TST;
EUROs = _EUROs;
smartVaultManager = _smartVaultManager;
protocol = _protocol;
poolFeePercentage = _poolFeePercentage;
}
Impact
When LiquidationPoolManager is deployed, the Ownable feature is broken.
Tools Used
Manual Review
Recommendations
Add a constructor function call that calls Ownable(msg.sender) to the constructor call:
constructor(address _TST, address _EUROs, address _smartVaultManager, address _eurUsd, address payable _protocol, uint32 _poolFeePercentage) Ownable(msg.sender) {
pool = address(new LiquidationPool(_TST, _EUROs, _eurUsd, ISmartVaultManager(_smartVaultManager).tokenManager()));
TST = _TST;
EUROs = _EUROs;
smartVaultManager = _smartVaultManager;
protocol = _protocol;
poolFeePercentage = _poolFeePercentage;
}
Sources
Updates
Lead Judging Commences
hrishibhat over 1 year ago
Submission Judgement Published Reason: Design choice
Assigned finding tags:
uninitialized-variables
informational/invalid
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
60933 USDC / LOC
17,500 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.