Upgradeable Contract Not Initialized
File location:
Summary
The vulnerability was discovered in the 'Nexus.sol' contract which is an upgradeable contract. This contract was not initialized properly, which could allow a malicious user to take over the contract.
Vulnerability Details
Upgradable contracts are initialized via an initializer function rather than a constructor. In the 'Nexus.sol' contract, the initialization function is missing, leaving the contract in an uninitialized state. This can be exploited by malicious users to call the initialization function and initialize the contract with their own parameters, allowing them to take full control of the contract.
Impact
Malicious users can take over contracts, change contract logic, and steal assets managed by those contracts. This can cause significant financial loss and undermine the integrity of the contract.
Tools Used
Inspection manual
Solidity
Recommendations
Code snippet:
Fixed:
Add an 'initialize' function that uses the initializer modifier to ensure the function can only be called once.
Make sure all parent contracts are also initialized correctly in the initialize function.
Use OpenZeppelin's 'Initializable' to help manage the initialization process.
Lead Judging Commences
finding-UUPS-upgradeable-uninitialized
Invalid, this issue cannot occur because there is no `initialize()` function within the `Nexus.sol` implementation contract. All initial contract initialization is performed within the constructor.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.