Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: low
Valid

Missing ERC20 Metadata Initialization in ZlpVault Contract

Summary

The ZlpVault contract initializes the ERC4626Upgradeable contract without providing the required name and symbol parameters for the ERC20 shares. This results in the vault's shares having empty metadata, breaking ERC20 compliance and potentially causing issues with integrations that rely on these metadata fields.

Vulnerability Details

In the initialize function of the ZlpVault contract, the __ERC4626_init(asset_) function is called without providing the name and symbol parameters. The ERC4626Upgradeable contract inherits from ERC20Upgradeable, which requires these parameters to be set during initialization. The __ERC4626_init function internally calls __ERC20_init, which expects name and symbol to be passed as arguments.

    function initialize(
        address marketMakingEngine,
        uint8 decimalsOffset,
        address owner,
        IERC20 asset_,
        uint128 vaultId
    ) external initializer {
        __Ownable_init(owner);
        __ERC4626_init(asset_);
        //@audit __ERC20_init(....) -->> Missing name and symbol parameters
        ...
    }

The __ERC20_init function is defined as follows in the ERC20Upgradeable contract:

    function __ERC20_init(string memory name_, string memory symbol_) internal onlyInitializing {
        __ERC20_init_unchained(name_, symbol_);
    }

Since the name and symbol parameters are not provided, the ERC20 shares of the vault will have empty metadata, which is not compliant with the ERC20 standard.

Impact

The vault's shares will not be fully ERC20 compliant, as the name and symbol fields will be empty.

Tools Used

Manual review

Recommendations

To fix this issue, the initialize function should be updated to accept name and symbol parameters and pass them to __ERC20_init next to the existing __ERC4626_init call. The modified function should look like this:

    function initialize(
        address marketMakingEngine,
        uint8 decimalsOffset,
        address owner,
        IERC20 asset_,
        uint128 vaultId,
        string memory name_, // Add name parameter
        string memory symbol_ // Add symbol parameter
    ) external initializer {
        __Ownable_init(owner);
        __ERC4626_init(asset_);
        __ERC20_init(name_, symbol_); // Added line: pass name and symbol parameters
        ...
    }
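A Foundry regression test for this finding, added here as an example and not taken from the Zaros code base or the submission. The contracts VaultWithoutMetadata, VaultWithMetadata and AssetStub are hypothetical stand-ins for ZlpVault and its asset, and OpenZeppelin Contracts Upgradeable v5 with forge-std is assumed to be installed under the import paths shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: minimal stand-in vaults, not the Zaros ZlpVault source.
import {Test} from "forge-std/Test.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC4626Upgradeable} from "@openzeppelin/contracts-upgradeable/token/ERC20/extensions/ERC4626Upgradeable.sol";

// Hypothetical asset stub: the ERC4626 initializer only queries decimals().
contract AssetStub {
    function decimals() external pure returns (uint8) { return 18; }
}

// Mirrors the reported pattern: ERC4626 is initialized, ERC20 metadata is not.
contract VaultWithoutMetadata is ERC4626Upgradeable {
    function initialize(IERC20 asset_) external initializer {
        __ERC4626_init(asset_);
    }
}

// Mirrors the recommended fix: name and symbol are passed to __ERC20_init.
contract VaultWithMetadata is ERC4626Upgradeable {
    function initialize(IERC20 asset_, string memory name_, string memory symbol_) external initializer {
        __ERC4626_init(asset_);
        __ERC20_init(name_, symbol_);
    }
}

contract VaultMetadataTest is Test {
    IERC20 internal asset;

    function setUp() public {
        asset = IERC20(address(new AssetStub()));
    }

    // Without __ERC20_init, name() and symbol() return empty strings.
    function test_missingInitLeavesMetadataEmpty() public {
        VaultWithoutMetadata vault = new VaultWithoutMetadata();
        vault.initialize(asset);
        assertEq(bytes(vault.name()).length, 0);
        assertEq(bytes(vault.symbol()).length, 0);
    }

    // With the fix, the share token reports the configured metadata.
    function test_fixedInitSetsMetadata() public {
        VaultWithMetadata vault = new VaultWithMetadata();
        vault.initialize(asset, "Example Vault Share", "exVS"); // constructed sample values
        assertEq(vault.name(), "Example Vault Share");
        assertEq(vault.symbol(), "exVS");
    }
}
```

The same two assertions on name() and symbol() can be pointed at the real vault's deployment fixture to keep the metadata initialization from regressing.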
Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

ERC4626 not properly implemented
