The UpgradeBranch contract is an upgradeable contract that does not use its constructor to disable initializers. While the initialize function is protected by the initializer modifier, it is a best practice to explicitly disable initializers in the constructor to prevent potential vulnerabilities.
The UpgradeBranch contract inherits from Initializable and OwnableUpgradeable. The initializer modifier does protect the initialize function, ensuring it can only be called once. However, not disabling initializers in the constructor can leave the contract vulnerable to future implementation issues or mistakes in the inheritance hierarchy.
The UpgradeBranch contract currently relies on the initializer modifier to protect the initialize function. However, adding a constructor to explicitly disable initializers is a recommended best practice to provide an extra layer of security and prevent potential initialization issues in the future.
To enhance security, the constructor should call _disableInitializers() to lock the initializer functions.
Future Implementation Risks: Future changes or additions to the contract's inheritance hierarchy may introduce initialization vulnerabilities if not properly managed.
Manual review
Disable Initializers in Constructor: Implement a constructor that calls _disableInitializers() to lock the initializer function and prevent potential future initialization vulnerabilities.
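The recommended constructor, with Foundry tests showing that the implementation can no longer be initialized directly while a proxy in front of it still can. This is an added example, not the project's code; the initialize signature, the use of OpenZeppelin Contracts Upgradeable v5.x and forge-std, and the test names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

// Sketch of the hardened contract. The initialize signature is assumed;
// the original contract's body is not shown in the finding.
contract UpgradeBranch is Initializable, OwnableUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Runs against the implementation's own storage at deployment and
        // locks every initializer/reinitializer on it.
        _disableInitializers();
    }

    function initialize(address initialOwner) external initializer {
        __Ownable_init(initialOwner); // v5.x signature (assumption)
    }
}

contract UpgradeBranchInitLockTest is Test {
    function test_ImplementationCannotBeInitializedDirectly() public {
        UpgradeBranch impl = new UpgradeBranch();
        // No selector given, so the check holds for both the v4 revert
        // string and the v5 custom error.
        vm.expectRevert();
        impl.initialize(address(this));
    }

    function test_ProxyStillInitializes() public {
        UpgradeBranch impl = new UpgradeBranch();
        // The proxy has its own storage, so the lock set in the
        // implementation's constructor does not apply to it.
        ERC1967Proxy proxy = new ERC1967Proxy(
            address(impl),
            abi.encodeCall(UpgradeBranch.initialize, (address(this)))
        );
        assertEq(UpgradeBranch(address(proxy)).owner(), address(this));
    }
}
```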