Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Missing `_disableInitializers()` in the initialize function.

brene

Summary

The UpgradeBranch contract is vulnerable to reinitialization attacks due to the absence of the _disableInitializers() function call. This allows an attacker to reinitialize the contract, potentially changing the owner and gaining unauthorized control over the contract's upgrade process.

Vulnerability Details

The UpgradeBranch contract inherits the OwnableUpgradeable and Initializable contracts but fails to call the _disableInitializers function as seen in the following code;

contract UpgradeBranch is Initializable, OwnableUpgradeable {
using RootUpgrade for RootUpgrade.Data;
function initialize(address owner) external initializer {
__Ownable_init(owner);
}

Impact

An attacker could re-initialize the contract, setting themselves as the owner and gaining control over the contract's functionality, therefore, critical functions protected by onlyOwner for example _authorizeUpgrade() function could be exploited by the attacker.

Tools Used

Manual Review

Recommendations

Ensure to invoke _disableInitializers function within the contract's constructor to prevent the implementation contract from being initialized.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

UpgradeBranch lacks `_disableInitializers()` in constructor.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.