Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Several `initializer` modifiers will revert if not deployed in the same constructor

n0kto

Description

Several branches need initialization to function correctly. As deployment scripts are not in scope and are due for rework, it's uncertain how the contract will be deployed and initialized.

If the contract is deployed with multiple calls to the upgrade function to add branches, initializer accesses the same struct storage due to EIP7201. The first initializable function sets the boolean to true, preventing any subsequent branch from passing the initializer modifier.

urthermore, deploying the entire contract at once using initializer ultiple times during the constructor is not the expected behavior according to OpenZeppelin documentation.

The comment in the Initializable contract:

/**

* @dev A modifier that defines a protected initializer function that can be invoked at most once. In its scope,

* `onlyInitializing` functions can be used to initialize parent contracts.

@> * Similar to `reinitializer(1)`, except that in the context of a constructor an `initializer` may be invoked any

@> * number of times. This behavior in the constructor can be useful during testing and is not expected to be used in

@> * production.

* Emits an {Initialized} event.

modifier initializer() {

...

}

Risk

Likelyhood: Low

If the contract does not deploy the branches all at once, initialization will fail except for the first one.

According to OpenZeppelin comment, this is not a behavior to use in production.

Impact: Low

Initialization will fail and the protocol will need to deploy again or redeploy the other branches with the reinitializer modifier.

Recommended Mitigation

If deployed separately, use reinitializer(x) with x being the order number where functions are called. If all the branches are deployed at the same time, use reinitializer(1) modifier on one function and onlyInitializing modifier on other functions to initialize.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

`initializer` modifiers will revert if not deployed in the same constructor

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.