The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Owner is not set in the initialize function thereby making all functions marked "onlyOwner" uncallable

Summary

Owner is not set in the initialize function thereby making all functions marked "onlyOwner" uncallable.

Vulnerability Details

The SmartVaultManagerV5 contract is an upgradeable contract that inherits OpenZeppelin's OwnableUpgradeable contract.

The initialize function is however left blank without initializing or setting the owner of the contract. What this means is that the contract has no owner.

I'm aware of the protocol stating this in the known vulnerabilities section:
"This is version 5 of an OpenZeppelin upgradeable contract. That is why there is no constructor setting the initial state variables"

However, this is not true. It doesn't matter if the contract is version 5 of an OpenZeppelin upgradeable contract. Here's an answer on this on OpenZeppelin's forum page:

"It has nothing to do specifically with v5.
In a contract which implements OpenZeppelin's upgradability infrastructure (by inheriting it), the constructor initializes only immutable state variables, while all other state variables are initialized in a dedicated function which should be executed after the contract is deployed."

See: https://forum.openzeppelin.com/t/are-openzeppelin-v5-upgradeable-contracts-not-accepting-setting-initial-values-in-constructor/39070

Impact

Functions such as setMintFeeRate, setBurnFeeRate, setSwapFeeRate, and all the other functions marked "onlyOwner" will revert when called.

Tools Used

Manual review.

Recommendations

Call __Ownable_init and set the contract's owner.
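The mechanism under discussion, as an added example that is not code from the submission or from the protocol: where an OwnableUpgradeable owner gets written, and what a later version with an empty initialize() sees. The contract names ManagerV1 and ManagerV5Like are hypothetical, and the calls assume OpenZeppelin Contracts Upgradeable 4.x, where __Ownable_init() takes no arguments (5.x takes the initial owner address).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

// Hypothetical first version. Its initializer is the only code path
// that ever writes the owner slot.
contract ManagerV1 is Initializable, OwnableUpgradeable {
    uint256 public mintFeeRate;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the bare implementation so nobody can initialize it directly.
        _disableInitializers();
    }

    function initialize() external initializer {
        // Assumption: OZ 4.x signature. Sets owner to msg.sender,
        // stored in the proxy's storage when called through the proxy.
        __Ownable_init();
    }

    function setMintFeeRate(uint256 _rate) external onlyOwner {
        mintFeeRate = _rate;
    }
}

// Hypothetical later version with the same storage layout and an
// empty initialize(), the shape the finding describes.
contract ManagerV5Like is Initializable, OwnableUpgradeable {
    uint256 public mintFeeRate;

    // Case A: used as the upgrade target of a proxy that ManagerV1
    // already initialized. owner() reads the proxy's existing slot,
    // so onlyOwner works, and this function reverts because the
    // proxy's initialized flag is already set.
    //
    // Case B: deployed behind a brand-new proxy. Calling this succeeds
    // but writes nothing, owner() stays address(0), and every
    // onlyOwner call reverts.
    function initialize() external initializer {}

    function setMintFeeRate(uint256 _rate) external onlyOwner {
        mintFeeRate = _rate;
    }
}
```

Which case applies can be checked by calling owner() on the proxy address rather than on the implementation.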

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

uninitialized-variables

informational/invalid

sabit Submitter
almost 2 years ago
hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

uninitialized-variables

informational/invalid
