NFTBridge
60,000 USDC
Submission Details
Severity: low
Valid

Reinitialization vulnerability in `UUPSOwnableProxied` contract: risk of unauthorized takeover

Github
https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/UUPSProxied.sol#L14

Summary

The UUPSOwnableProxied implementation contract is deployed without locking its initializers. Anyone can therefore call its initializer directly on the implementation address (not through the proxy) and take ownership of that contract, the uninitialized-implementation issue OpenZeppelin's documentation warns about. Depending on what the implementation exposes to its owner, this can be used to disrupt the deployment or to abuse an address deployed by the project.

Vulnerability Details

OpenZeppelin's documentation warns that leaving a contract uninitialized is a security risk: whoever calls the initializer first takes it over. This applies to the proxy and to the implementation contract behind it. The proxy is initialized by the `initialize` call made at deployment, but the implementation is a separately deployed contract with its own storage, and its initializer remains callable unless it was explicitly locked. UUPSOwnableProxied does not call `_disableInitializers()` from a constructor, so an attacker can call the initializer on the implementation address and become the owner of that contract. OpenZeppelin's recommended mitigation is to call `_disableInitializers()` in the implementation's constructor: the constructor runs once, on the implementation only, and marks it as fully initialized so that any later initializer call reverts.

Impact

An attacker who initializes the bare implementation becomes its owner and controls that contract's state and, to the extent the implementation allows it, its upgrade path (current OpenZeppelin releases guard `upgradeToAndCall` with `onlyProxy`, so it cannot be executed on the implementation itself; older releases lacked that check). Because the proxy keeps its own storage, this does not change the owner or the state behind the proxy. The practical damage is that an address deployed by the project is now under attacker control: it can be used to run a look-alike of the protocol, to alter the implementation's behaviour when called directly, or otherwise to disrupt the deployment.

Recommendation

Add a constructor to UUPSOwnableProxied that calls `_disableInitializers()`, as OpenZeppelin recommends. The constructor executes only when the implementation is deployed (proxies never run it), so it locks the implementation's initializers without affecting initialization through the proxy. After deployment, verify the lock by calling the initializer on the implementation address and confirming that it reverts.
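The following Foundry test is an added example, not code from the Ark project or from this submission. It shows the failure mode described in Vulnerability Details and the fix from the Recommendation side by side: `UnlockedImpl` and `LockedImpl` are hypothetical stand-ins for the implementation behind a UUPS proxy, and the example assumes forge-std and OpenZeppelin Contracts v5 (whose `OwnableUpgradeable` takes an initial owner and whose `Initializable` reverts with `InvalidInitialization`) are available through the project's remappings.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not project code). Assumes Foundry with forge-std and
// OpenZeppelin Contracts v5 mapped as @openzeppelin/... in remappings.txt.
import {Test} from "forge-std/Test.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

/// Hypothetical unlocked implementation: no constructor, so the implementation
/// contract's own initializer stays callable by whoever gets there first.
contract UnlockedImpl is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// Hardened form: the constructor runs exactly once, on the implementation,
/// and locks its initializers. Proxies keep their own storage and are unaffected.
contract LockedImpl is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

contract ImplementationLockTest is Test {
    // Constructed addresses for the example.
    address constant DEPLOYER = address(0xD1);
    address constant ATTACKER = address(0xA7);

    function test_unlockedImplementationCanBeClaimed() public {
        UnlockedImpl impl = new UnlockedImpl();
        // The team initializes through the proxy, as intended.
        ERC1967Proxy proxy = new ERC1967Proxy(
            address(impl), abi.encodeCall(UnlockedImpl.initialize, (DEPLOYER))
        );

        // The bare implementation was never initialized, so anyone can claim it.
        vm.prank(ATTACKER);
        impl.initialize(ATTACKER);

        assertEq(impl.owner(), ATTACKER);                         // attacker owns the implementation
        assertEq(UnlockedImpl(address(proxy)).owner(), DEPLOYER); // proxy storage is untouched
    }

    function test_lockedImplementationRejectsInitialize() public {
        LockedImpl impl = new LockedImpl();
        ERC1967Proxy proxy = new ERC1967Proxy(
            address(impl), abi.encodeCall(LockedImpl.initialize, (DEPLOYER))
        );

        // With _disableInitializers() in the constructor the same call reverts.
        vm.prank(ATTACKER);
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        impl.initialize(ATTACKER);

        assertEq(LockedImpl(address(proxy)).owner(), DEPLOYER);   // proxy still initializes normally
    }
}
```

Run it with `forge test --match-contract ImplementationLockTest`. The same check works against a live deployment: read the implementation address from the proxy's ERC-1967 implementation slot, then call `owner()` on that address; a zero owner on an implementation that lacks the constructor lock means it is still claimable by anyone, while a locked implementation rejects every initializer call regardless of its owner.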

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-initialize-on-implementation

Likelihood: Low/Medium Impact: Very low, the attacker can at most run the protocol on their side and lead a phishing campaign with an address deployed by Ark.
