Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: low
Invalid

Improper Upgradeability Implementation, lack of `__UUPSUpgradeable_init()` on implementation contracts

Summary

Improper upgradeability implementation, lack of __UUPSUpgradeable_init() on implementation contracts

Vulnerability Details

Swan.sol, LLMOracleCoordinator.sol and LLMOracleRegistry.sol are implementation contracts which should be initialized when calling the initialize() function, but this does not happen in the current application.

Swan.sol

function initialize(
    SwanMarketParameters calldata _marketParameters,
    LLMOracleTaskParameters calldata _oracleParameters,
    // contracts
    address _coordinator,
    address _token,
    address _buyerAgentFactory,
    address _swanAssetFactory
) public initializer {
    __Ownable_init(msg.sender);
    require(_marketParameters.platformFee <= 100, "Platform fee cannot exceed 100%");

    // market & oracle parameters
    marketParameters.push(_marketParameters);
    oracleParameters = _oracleParameters;

    // contracts
    coordinator = LLMOracleCoordinator(_coordinator);
    token = ERC20(_token);
    buyerAgentFactory = BuyerAgentFactory(_buyerAgentFactory);
    swanAssetFactory = SwanAssetFactory(_swanAssetFactory);

    // swan is an operator
    isOperator[address(this)] = true;
    // owner is an operator
    isOperator[msg.sender] = true;
}

LLMOracleCoordinator.sol

function initialize(
    address _oracleRegistry,
    address _feeToken,
    uint256 _platformFee,
    uint256 _generationFee,
    uint256 _validationFee
) public initializer {
    __Ownable_init(msg.sender);
    __LLMOracleManager_init(_platformFee, _generationFee, _validationFee);

    registry = LLMOracleRegistry(_oracleRegistry);
    feeToken = ERC20(_feeToken);
    nextTaskId = 1;
}

LLMOracleRegistry.sol

function initialize(uint256 _generatorStakeAmount, uint256 _validatorStakeAmount, address _token)
    public
    initializer
{
    __Ownable_init(msg.sender);

    generatorStakeAmount = _generatorStakeAmount;
    validatorStakeAmount = _validatorStakeAmount;
    token = ERC20(_token);
}

Impact

This can cause future upgrades to fail or behave unpredictably, potentially leading to loss of funds or contract state.

Tools Used

Manual Review

Recommended Mitigation

function initialize(uint256 _generatorStakeAmount, uint256 _validatorStakeAmount, address _token)
    public
    initializer
{
    ......
    __UUPSUpgradeable_init();
    ......
}
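
As an added example (not the project's code), a minimal UUPS implementation that shows the complete parent-initializer chain the report recommends alongside the two controls that actually gate the proxy's upgrade path in the OpenZeppelin pattern: `_disableInitializers()` in the constructor, so the bare implementation can never be initialized by anyone, and an `_authorizeUpgrade` override restricted to the owner. Note that in OpenZeppelin Contracts Upgradeable the body of `__UUPSUpgradeable_init()` is empty, so calling it is an initializer-chain convention rather than a functional safeguard. The contract name, storage fields and the 5.x import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example contract; assumes OpenZeppelin Contracts Upgradeable 5.x.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

contract RegistryExample is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    uint256 public generatorStakeAmount;
    uint256 public validatorStakeAmount;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation contract itself: initialize() can only ever
        // run through a proxy's storage, never on this deployed logic address.
        _disableInitializers();
    }

    function initialize(uint256 _generatorStakeAmount, uint256 _validatorStakeAmount)
        public
        initializer
    {
        // Complete parent-initializer chain. __UUPSUpgradeable_init() has an
        // empty body in OpenZeppelin; it is kept for consistency of the chain.
        __Ownable_init(msg.sender);
        __UUPSUpgradeable_init();

        generatorStakeAmount = _generatorStakeAmount;
        validatorStakeAmount = _validatorStakeAmount;
    }

    /// The real upgrade gate: only the owner may point the proxy at new logic.
    function _authorizeUpgrade(address newImplementation) internal override onlyOwner {}
}
```
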

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
