NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Missing Call to _disableInitializers() in UUPSOwnableProxied contract

Summary

The UUPSOwnableProxied contract does not invoke the _disableInitializers() function within its constructor.

This omission can lead to unauthorized initialization of the implementation contract, potentially allowing malicious actors to take ownership and execute destructive actions.

Vulnerability Details

The UUPSOwnableProxied contract does not invoke the _disableInitializers() function within its constructor.

Impact

Malicious actors can initialize the implementation contract and set themselves as the owner.

As the owner, they can call onlyOwner functions, including potentially destructive ones via delegatecall (e.g., triggering selfdestruct).

If selfdestruct is called on the implementation, it could lock assets in the proxy contract indefinitely.

Tools Used

Manual review

Recommendations

  1. Add Constructor with _disableInitializers():

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

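
A regression test for the recommendation above, added here as an illustration; it is not part of the submission or the project's code. It assumes Foundry's forge-std and OpenZeppelin Contracts v5.x, and `OpenImpl`, `LockedImpl` and the test contract are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependencies: forge-std and OpenZeppelin Contracts (+ Upgradeable) v5.x.
import {Test} from "forge-std/Test.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Hypothetical implementation with no constructor: initialize() stays open on the logic contract.
contract OpenImpl is OwnableUpgradeable, UUPSUpgradeable {
    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
    }
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

// Same contract with the recommended constructor.
contract LockedImpl is OwnableUpgradeable, UUPSUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }
    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
    }
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

contract ImplementationInitTest is Test {
    address internal deployer = makeAddr("deployer");
    address internal stranger = makeAddr("stranger");

    // Documents the gap: without the constructor, any caller becomes owner of the implementation.
    function test_openImplementationAcceptsDirectInitialize() public {
        OpenImpl impl = new OpenImpl();
        vm.prank(stranger);
        impl.initialize(stranger);
        assertEq(impl.owner(), stranger);
    }

    function test_lockedImplementationRejectsDirectInitialize() public {
        LockedImpl impl = new LockedImpl();
        vm.prank(stranger);
        vm.expectRevert();
        impl.initialize(stranger);
        // The lock lives in the implementation's own storage, so the proxy can still be initialized.
        ERC1967Proxy proxy = new ERC1967Proxy(address(impl), abi.encodeCall(LockedImpl.initialize, (deployer)));
        assertEq(LockedImpl(address(proxy)).owner(), deployer);
    }
}
```
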
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
Assigned finding tags:

finding-initialize-on-implementation

Likelihood: Low/Medium

Impact: Very low, the attacker can at most run the protocol on their side and lead a phishing campaign with an address deployed by Ark.
