HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

Lack of constructor initializer and incorrect initialization of `Nexus` contract

https://github.com/Cyfrin/2024-07-biconomy/blob/main/contracts/Nexus.sol#L73-L78

Summary

The UUPS implementation in the Nexus contract is incorrect. Protocols using UUPSUpgradeable should initialize their implementation contracts.
The contract is deployed using a proxy pattern whereby the implementation contract is used by the proxy contract for all its logic. The proxy contract will make delegate calls to the implementation contract. This helps to facilitate future upgrades by pointing the proxy contract to a new and upgraded implementation contract.

Vulnerability Details

The vulnerability allows an attacker to take control of an uninitialized implementation contract. This could lead to unauthorized upgrades and potentially malicious control over the contract.

```solidity
contract Nexus is INexus, BaseAccount, ExecutionHelper, ModuleManager, UUPSUpgradeable {
    using ModeLib for ExecutionMode;
    using ExecLib for bytes;
    using NonceLib for uint256;
    // . . .
    /// @notice Initializes the smart account with the specified entry point.
    constructor(address anEntryPoint) {
        _SELF = address(this);
        require(address(anEntryPoint) != address(0), EntryPointCanNotBeZero());
        _ENTRYPOINT = anEntryPoint;
        _initModuleManager();
    }
    // . . .
}
```

Impact

If exploited, this vulnerability could allow attackers to hijack the proxy's logic by upgrading the implementation contract without permission, leading to potential loss of funds or other malicious actions.

Tools Used

Manual code review

Recommendations

Manually initialize the contracts using the initialize function or constructor method with the initializer modifier so the implementation contract gets initialized automatically upon deployment.

Initial information about this issue: "Security advisory: Initialize UUPS implementation contracts" and "UUPSUpgradeable Vulnerability Post-mortem".

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

finding-UUPS-upgradeable-uninitialized

Invalid, this issue cannot occur because there is no `initialize()` function within the `Nexus.sol` implementation contract. All initial contract initialization is performed within the constructor.
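
The criterion used in the judgement above (is there an initializer function at all, and if so is the implementation locked at deployment) can be applied as a quick triage check. This is an added example, not code from the submission, the judge or the Nexus repository. It assumes OpenZeppelin-style `initializer`/`reinitializer` modifiers and `_disableInitializers()`, uses a regex heuristic rather than a Solidity parser, and runs on constructed sample contracts.

```python
import re

# Constructed Solidity samples for illustration; none is taken from the Nexus repository.
SAMPLES = {
    "constructor_only": """
        contract AccountA is UUPSUpgradeable {
            address private immutable _ENTRYPOINT;
            constructor(address anEntryPoint) { _ENTRYPOINT = anEntryPoint; }
        }""",
    "unlocked": """
        contract AccountB is Initializable, UUPSUpgradeable {
            address public owner;
            function initialize(address o) external initializer { owner = o; }
        }""",
    "locked": """
        contract AccountC is Initializable, UUPSUpgradeable {
            address public owner;
            constructor() { _disableInitializers(); }  // locks the implementation
            function initialize(address o) external initializer { owner = o; }
        }""",
}

# A function whose header carries the initializer or reinitializer(n) modifier.
INIT_FN = re.compile(r"function\s+(\w+)\s*\([^)]*\)[^{;]*\b(?:re)?initializer\b")

def block_body(src, start):
    """Return the brace-balanced body that opens at the first '{' after start."""
    open_at = src.index("{", start)
    depth = 0
    for i in range(open_at, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_at + 1:i]
    return src[open_at + 1:]

def triage(src):
    """Classify one contract source as 'not-applicable', 'locked' or 'review'."""
    # Strip /* */ and // comments so commented-out code is not matched.
    src = re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)
    init_fns = INIT_FN.findall(src)
    if not init_fns:
        return "not-applicable", []  # no initializer-guarded function exists
    ctor = re.search(r"\bconstructor\s*\(", src)
    if ctor:
        header = src[ctor.start():src.index("{", ctor.start())]
        body = block_body(src, ctor.start())
        if re.search(r"\binitializer\b", header) or "_disableInitializers(" in body:
            return "locked", init_fns
    return "review", init_fns  # initializer exists and the constructor does not lock it
```

A `review` verdict only means the contract needs a manual look; initializers guarded by custom logic instead of these modifiers are outside what this heuristic detects.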
