Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Conflicting upgradeability implementation in `StabilityPool`

Summary

The contract partially follows OpenZeppelin’s upgradeable pattern by inheriting from OwnableUpgradeable and PausableUpgradeable, but it does not adopt the UUPS or transparent proxy pattern.

Vulnerability Details

Problem description

The contract mixes patterns: it inherits from OwnableUpgradeable and PausableUpgradeable, which are designed for OpenZeppelin's upgradeable contracts (deployed behind a proxy), but it does not inherit OpenZeppelin's UUPS module or otherwise adopt the transparent proxy pattern. This hybrid approach leaves it unclear whether the contract is meant to be immutable or upgradeable.

```solidity
// @audit-issue upgradeability
// Upgradeable-style mixins (Initializable, OwnableUpgradeable, PausableUpgradeable)
// are inherited, but no UUPSUpgradeable / proxy pattern is adopted.
contract StabilityPool is IStabilityPool, Initializable, ReentrancyGuard, OwnableUpgradeable, PausableUpgradeable {
    using SafeERC20 for IERC20;
    using SafeERC20 for IRToken;
    using SafeERC20 for IDEToken;
    using SafeERC20 for IRAACToken;
    ...
```

Impact

If the contract is not meant to be deployed behind a proxy, it should avoid the upgradeable modules. If it is meant to be an upgradeable proxy, it should inherit the UUPS or Transparent proxy module.

Tools Used

Manual Review

Recommendations

Use OpenZeppelin's upgradeable proxy pattern if the contract is meant to be an upgradeable proxy:

  • Remove the constructor and ensure initialization happens through `initialize`.

  • Ensure the contract is deployed via an upgradeable proxy.
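The UUPS variant of the recommendation, as an added illustration that is not the project's own code: the contract name `StabilityPoolUUPS`, the `rToken` storage slot and the `initialOwner` parameter are assumptions, the business logic and interfaces of the real StabilityPool are omitted, and OpenZeppelin Contracts Upgradeable v5.x is assumed. The only constructor left is the one OpenZeppelin recommends for implementation contracts, which locks the implementation; every real initialization step runs through `initialize` on the proxy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts Upgradeable v5.x import paths.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {PausableUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";
import {ReentrancyGuardUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";

/// Hypothetical UUPS version of StabilityPool. Every mixin is the
/// *Upgradeable* variant so the whole hierarchy is initializer-based
/// and nothing relies on constructor-set storage.
contract StabilityPoolUUPS is
    Initializable,
    UUPSUpgradeable,
    OwnableUpgradeable,
    PausableUpgradeable,
    ReentrancyGuardUpgradeable
{
    // Assumed example state. Later versions must only append storage
    // variables, never reorder or remove them, or the proxy's storage
    // layout is corrupted on upgrade.
    address public rToken;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation contract so initialize() cannot be
        // called on it directly; only the proxy can ever be initialized.
        _disableInitializers();
    }

    /// Replaces the constructor; `initializer` guarantees a single run per proxy.
    function initialize(address initialOwner, address rToken_) external initializer {
        __Ownable_init(initialOwner);
        __Pausable_init();
        __ReentrancyGuard_init();
        __UUPSUpgradeable_init();
        rToken = rToken_;
    }

    /// Required by UUPSUpgradeable. Restricting it to the owner is what
    /// stops an arbitrary caller from replacing the implementation.
    function _authorizeUpgrade(address newImplementation) internal override onlyOwner {}

    function pause() external onlyOwner { _pause(); }

    function unpause() external onlyOwner { _unpause(); }
}
```

With the Hardhat upgrades plugin this is deployed as `upgrades.deployProxy(Factory, [owner, rToken], { kind: "uups" })`, which also checks that no unsafe constructor logic or storage-layout change slipped in. If the Transparent proxy pattern is chosen instead, the implementation needs neither `UUPSUpgradeable` nor `_authorizeUpgrade`, because the upgrade logic lives in the ProxyAdmin.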

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
