Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: low
Invalid

Void Constructor Call in Parent Contract: Potential Code Flaw

Summary

The UsdToken contract calls a parent constructor ERC20(_name, _symbol), but no such constructor is present in the parent ERC20 contract. This creates a misleading assumption that the parent constructor is executed when, in fact, no code is being executed. This is a potential flaw that could lead to unexpected behavior.

Vulnerability Details

Description

In the UsdToken contract, the following constructor call is identified:

constructor(string memory _name, string memory _symbol) ERC20(_name, _symbol) { }

However, the parent ERC20 contract does not have a constructor that accepts _name and _symbol. This leads to:

  • Misleading code that suggests initialization of the parent contract.

  • Potentially overlooked initialization logic that should be explicitly handled in the UsdToken contract.

Impact

  • Misleading Code: Developers may incorrectly assume that _name and _symbol are being processed by the parent contract.

  • Missed Initialization: Key logic expected in the parent constructor might not be executed, leading to incomplete or incorrect contract setup.

  • Potential Security Risks: If the parent contract requires specific initialization steps, skipping these steps could lead to vulnerabilities.

Tools Used

  1. Remix IDE: To identify constructor calls and validate parent contract structure.

  2. Slither: For static analysis to detect flaws in constructor calls.

  3. Manual Review: To analyze inheritance structure and constructor definitions.

Recommendations

  • Remove the Void Constructor Call:
    If the parent contract ERC20 does not have a constructor accepting _name and _symbol, the call to ERC20(_name, _symbol) should be removed.

    // Current Implementation
    constructor(string memory _name, string memory _symbol) ERC20(_name, _symbol) { }

    // Recommended Fix
    constructor(string memory _name, string memory _symbol) {
        // Handle initialization explicitly here, if necessary.
    }

  • Add Initialization Logic if Needed:
    If _name and _symbol are essential, consider implementing their handling directly within the UsdToken contract or by extending ERC20 with a properly defined constructor.

  • Verify Parent Contract Requirements:
    Ensure that the parent contract does not rely on specific initialization steps that are being skipped.

  • Review Contract Inheritance:
    Check all inherited contracts to confirm their constructors are correctly called or omitted as intended.

  • Test Thoroughly:
    After making changes, test the UsdToken contract to ensure it behaves as expected and integrates seamlessly with the rest of the system.
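
One way to carry out the "Verify Parent Contract Requirements" and "Test Thoroughly" steps above is a Foundry test that deploys the token and asserts that the values passed to the base-constructor call are the ones the parent reports back. This is an added example, not code from the submission or from the Zaros repository; ParentToken, ChildToken, the test names and the sample strings are hypothetical stand-ins, and only the forge-std Test import is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for a parent token. It is NOT the ERC20 that the
// contest code inherits; it only models a parent with a two-string constructor.
contract ParentToken {
    string private storedName;
    string private storedSymbol;

    constructor(string memory name_, string memory symbol_) {
        storedName = name_;
        storedSymbol = symbol_;
    }

    function name() public view returns (string memory) { return storedName; }
    function symbol() public view returns (string memory) { return storedSymbol; }
}

// Same constructor shape as the line quoted in the report: an empty body that
// forwards both arguments to the parent. solc type-checks this invocation, so
// arguments that do not match the parent's declared constructor fail to compile.
contract ChildToken is ParentToken {
    constructor(string memory _name, string memory _symbol) ParentToken(_name, _symbol) { }
}

contract BaseConstructorTest is Test {
    // Passes only if the parent constructor ran and consumed both arguments.
    function test_BaseConstructorConsumesArguments() public {
        ChildToken token = new ChildToken("Constructed USD", "cUSD"); // constructed sample values
        assertEq(token.name(), "Constructed USD");
        assertEq(token.symbol(), "cUSD");
    }

    // Same check over fuzzed inputs, so a parent that hard-codes or drops
    // either value is caught rather than matching one sample by accident.
    function testFuzz_BaseConstructorConsumesArguments(string memory n, string memory s) public {
        ChildToken token = new ChildToken(n, s);
        assertEq(token.name(), n);
        assertEq(token.symbol(), s);
    }
}
```

To run the same check against a real token, replace ChildToken with the contract under review and keep the assertions on name() and symbol().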

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
