Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: low
Invalid

Missing initialization for upgrade functionality

Summary

UUPSUpgradeable functionality is not initialized in multiple cases within the codebase, posing critical issues with upgradeability.

Vulnerability Details

Contracts in the codebase inherit from UUPSUpgradeable, a contract from OpenZeppelin that provides upgradeability features.

contract LLMOracleRegistry is OwnableUpgradeable, UUPSUpgradeable {
...
contract LLMOracleCoordinator is LLMOracleTask, LLMOracleManager, UUPSUpgradeable {
...
contract Swan is SwanManager, UUPSUpgradeable {

This standard requires certain initialization steps to be performed to ensure the contract is properly set up for upgrades.

However, during initialization, the __UUPSUpgradeable_init() function is not called within the initialize() functions.

This omission leaves the upgrade mechanism improperly configured.

The UUPSUpgradeable contract relies on an internal function _authorizeUpgrade() to control who can upgrade the contract. Without proper initialization, the upgrade authorization mechanism may not function as intended, potentially preventing upgrades.
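The initializer and authorization pattern discussed above, as an added example that is not code from the Swan codebase or from this submission. It assumes OpenZeppelin contracts-upgradeable 5.0; ExampleRegistry and stakeAmount are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin contracts-upgradeable 5.0 import paths.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

/// Hypothetical contract, not one of the contracts listed above.
contract ExampleRegistry is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    uint256 public stakeAmount; // constructed sample state

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation contract so initialize() can only be
        // executed through a proxy's storage context.
        _disableInitializers();
    }

    function initialize(uint256 _stakeAmount) public initializer {
        // Sets the owner that _authorizeUpgrade() checks below.
        __Ownable_init(msg.sender);
        // In OpenZeppelin 5.0 this initializer has an empty body; it is
        // called here to keep the parent-initializer chain explicit.
        __UUPSUpgradeable_init();
        stakeAmount = _stakeAmount;
    }

    /// Called by upgradeToAndCall() before the implementation slot is
    /// written. The onlyOwner modifier is the access check; the body is
    /// intentionally empty.
    function _authorizeUpgrade(address newImplementation) internal override onlyOwner {}
}
```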

Impact

The lack of proper upgradeability setup introduces operational risks, as the contract may not behave as expected during upgrade attempts, leading to potential downtime or service disruptions.

Tools Used

Manual Review

Recommendations

Ensure that the __UUPSUpgradeable_init() function is called within the initialize() function of the PhiNFT1155 contract.

+ __UUPSUpgradeable_init();
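Review bot: The added line is shown without its enclosing function or contract, and the recommendation above names PhiNFT1155 while the contracts listed under Vulnerability Details are LLMOracleRegistry, LLMOracleCoordinator and Swan. State which initialize() functions receive the call, and show it in context next to the other initializer calls so its position can be checked.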
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
