Lack of constructor initializer and incorrect initialization of `Nexus` contract
https://github.com/Cyfrin/2024-07-biconomy/blob/main/contracts/Nexus.sol#L73-L78
Summary
The UUPS implementation in Nexus contract is incorrect. Protocols using UUPSUpgradeable should initialize their implementation contracts.
The contract is deployed using a proxy pattern whereby the implementation contract is used by the proxy contract for all its logic. The proxy contract will make delegate calls to the implementation contract. This helps to facilitate future upgrades by pointing the proxy contract to a new and upgraded implementation contract.
Vulnerability Details
The vulnerability allows an attacker to take control of an uninitialized implementation contract. This could lead to unauthorized upgrades and potentially malicious control over the contract.
Impact
If exploited, this vulnerability could allow attackers to hijack the proxy's logic by upgrading the implementation contract without permission, leading to potential loss of funds or other malicious actions.
Tools Used
Manual code review
Recommendations
Manually initialize the contracts using the initialize function or constructor method with the initializer modifier so the implementation contract gets initialized automatically upon deployment.
Initial information about this issue: here - Security advisory: Initialize UUPS implementation contracts and here - UUPSUpgradeable Vulnerability Post-mortem
Lead Judging Commences
finding-UUPS-upgradeable-uninitialized
Invalid, this issue cannot occur because there is no `initialize()` function within the `Nexus.sol` implementation contract. All initial contract initialization is performed within the constructor.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.