The PerpetualVault contract is an implementation contract, since this contract uses the initialisation function in place of the constructor, and in tests it is deployed as a logical contract for TransparentUpgradeableProxy. Accordingly, to add a logic contract to a proxy, it must first be deployed. The PerpetualVault contract contains only the initialize function but does not contain a constructor with the _disableInitializers() function.
The vulnerability is that during contract deployment, attackers could not initialise the logical contract. Although the initialised logical contract would not affect the proxy contract in any way, an attacker could take advantage of the fact that it would force a normal user to interact with the logical contract directly, thereby stealing their funds. This has the potential to damage the reputation of the protocol and the credibility of the protocol due to inexperienced users who are not familiar with proxy contracts and who trust the attacker.
Foundry
Add a constructor with _disableInitializers() to the PerpetualVault contract, thereby safeguarding inexperienced users and following best practices.
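The recommended pattern, shown as an added example that is not part of the original submission or the project's code: a Foundry test checking that an implementation with _disableInitializers() in its constructor rejects direct initialisation while a proxy in front of it still initialises. VaultImplExample, its owner field and the initialize(address) signature are hypothetical, and ERC1967Proxy is used in place of TransparentUpgradeableProxy to keep the setup short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical stand-in for an upgradeable vault; not the PerpetualVault source.
contract VaultImplExample is Initializable {
    address public owner;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Runs once, in the implementation's own storage, and marks it as
        // permanently initialised so initialize() can never succeed there.
        _disableInitializers();
    }

    // Reached only through a proxy, whose storage is still uninitialised.
    function initialize(address owner_) external initializer {
        owner = owner_;
    }
}

contract VaultImplExampleTest is Test {
    VaultImplExample internal impl;

    function setUp() public {
        impl = new VaultImplExample();
    }

    function test_ImplementationCannotBeInitializedDirectly() public {
        // No revert data is pinned, because it differs between OpenZeppelin major versions.
        vm.expectRevert();
        impl.initialize(address(0xBEEF));
        assertEq(impl.owner(), address(0));
    }

    function test_ProxyStillInitializes() public {
        // The proxy delegatecalls initialize() during construction, writing to proxy storage.
        bytes memory data = abi.encodeCall(VaultImplExample.initialize, (address(this)));
        ERC1967Proxy proxy = new ERC1967Proxy(address(impl), data);
        assertEq(VaultImplExample(address(proxy)).owner(), address(this));
    }
}
```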
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.