Ownership issues in `GlobalConfigurationBranch` affecting `onlyOwner` functions
Summary
The GlobalConfigurationBranch contract does not call the __Ownable_init function in its initialize method, resulting in the contract being left without an owner. This omission prevents the execution of onlyOwner functions within the contract, potentially hindering critical functionalities that rely on ownership control.
Vulnerability Details
The GlobalConfigurationBranch contract inherits from OwnableUpgradeable but fails to initialize the ownership context by calling __Ownable_init. The initialization function initialize sets configuration variables but omits the call to __Ownable_init, which is necessary to set the owner for the contract.
Here is the relevant part of the GlobalConfigurationBranch contract:
GlobalConfigurationBranch.sol#L133-L139
It is mentioned that the __Ownable_init function is called in the UpgradeBranch contract, which sets the owner for UpgradeBranch. However, this initialization does not affect the GlobalConfigurationBranch contract. Each contract must independently call __Ownable_init to set its own owner.
Impact
The failure to call __Ownable_init in GlobalConfigurationBranch results in the contract having no owner. Consequently, any functions in GlobalConfigurationBranch protected by the onlyOwner modifier cannot be executed. This could lead to issues in managing the contract's configurations and access control mechanisms, potentially leaving the contract in a non-functional or insecure state.
Tools Used
VSCode, manual code review
Recommendations
Modify GlobalConfigurationBranch::initialize() to call __Ownable_init():
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.