The Starklane contract does not invoke the _disableInitializers function, leaving the implementation contract vulnerable to unauthorized initialization. This vulnerability can potentially allow an attacker to take control of the implementation contract and disrupt the proxy's functionality.
The _disableInitializers function is not called, making the implementation contract susceptible to initialization by an attacker.
An attacker can initialize the implementation contract directly, becoming its owner. This ownership allows them to execute functions protected by onlyOwner, including those that could delegatecall a self-destruct opcode, rendering the implementation unusable and preventing proxy upgrades.
Without invoking _disableInitializers, an attacker can initialize the implementation contract and take control over it.
The attacker could delegatecall a contract containing a self-destruct opcode, destroying the implementation and locking assets within the proxy indefinitely.
Ensure _disableInitializers() is called in the constructor so that the implementation contract is locked automatically when it is deployed.
By invoking the _disableInitializers function in the constructor, you can prevent unauthorized initialization of the implementation contract. This measure ensures that even if someone attempts to initialize it directly, they will be unable to gain ownership or execute critical functions, thereby protecting against potential attacks.
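The recommendation above, as an added example that is not code from the report or from the Starklane project: a locked implementation plus a deployment check confirming that direct initialization reverts while initialization through the proxy still works. The contract names LockedImplementation and ImplementationLockCheck are hypothetical, and the import paths and the __Ownable_init(address) signature assume OpenZeppelin Contracts v5.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts / Contracts Upgradeable v5.x.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

/// Hypothetical implementation contract standing in for the one in the finding.
contract LockedImplementation is Initializable, OwnableUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // The constructor writes to the implementation's own storage only.
        // After this call, initialize() can never succeed on the implementation.
        _disableInitializers();
    }

    // Intended to run once via the proxy, whose storage the constructor never touched.
    function initialize(address initialOwner) external initializer {
        __Ownable_init(initialOwner);
    }
}

/// Hypothetical deployment-time check (not a test framework; plain Solidity).
contract ImplementationLockCheck {
    // Returns true when a direct initialize() call on the implementation reverts.
    function implementationIsLocked(LockedImplementation impl) public returns (bool) {
        try impl.initialize(address(this)) {
            return false; // direct initialization succeeded: implementation is exposed
        } catch {
            return true; // reverted: initializers are disabled
        }
    }

    // Deploys implementation and proxy, and reverts unless both properties hold.
    function deployAndCheck(address owner) external returns (address proxy) {
        LockedImplementation impl = new LockedImplementation();
        require(implementationIsLocked(impl), "implementation not locked");

        bytes memory initData = abi.encodeCall(LockedImplementation.initialize, (owner));
        proxy = address(new ERC1967Proxy(address(impl), initData));
        require(LockedImplementation(proxy).owner() == owner, "proxy not initialized");
    }
}
```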
Likelihood: Low/Medium
Impact: Very low, the attacker can at most run the protocol on their side and lead a phishing campaign with an address deployed by Ark.