Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Incorrect Implementation of Upgradeable Contract Pattern

chaossr

Summary

An improperly implemented upgradeable smart contract can compromise its functionality or security. The storage contracts, inheriting from UpgradeableStorage, lacks an initialization function. While the proxy pattern handles upgrades, the storage contract requires proper initialization to correctly set its state upon deployment.

Vulnerability Details

Missing Initialization Function: The CapitalPoolStorage contract, which is meant to be upgradeable, lacks an initialize() function. This is crucial for properly setting up the initial state of an upgradeable contracs.

contract CapitalPoolStorage is UpgradeableStorage {

// @audit No initialize() function

uint256[100] private __gap;

}

Impact

Inability to properly initialize the contract state in upgrades.

Potential storage collisions leading to data corruption or unexpected behavior.

Tools Used

Manual Code Review

Recommendations

To mitigate this risk, the CapitalPoolStorage contract (and other related storage contracts) should include an initialize function that properly sets up the contract's state

contract CapitalPoolStorage is Initializable, UpgradeableProxy {

constructor() {

_disableInitializers();

}

function initialize(address initialOwner) initializer public {

// the implementation code

}

Updates

Lead Judging Commences

0xnevi Lead Judge

about 1 year ago

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.