Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Missing _disableInitializers() in StabilityPool constructor to prevent uninitialized contracts

Summary

The StabilityPool implementation contract does not disable initializers in its constructor, even though it has an initialize() method that uses the initializer modifier. OpenZeppelin's documentation recommends not leaving an implementation contract uninitialized, as an attacker can take advantage of this, which may affect the proxy contract.

Vulnerability Details

    contract StabilityPool is IStabilityPool, Initializable, ReentrancyGuard, OwnableUpgradeable, PausableUpgradeable {
        constructor(address initialOwner) {
            _initialOwner = initialOwner;
        }
    }

Even though this contract is meant to be used as an implementation behind a proxy, the implementation contract itself could be initialized by an attacker since it doesn't call _disableInitializers() in its constructor.

Recommended Mitigation

Add _disableInitializers() to the constructor:

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor(address initialOwner) {
        _disableInitializers();
        _initialOwner = initialOwner;
    }
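
The following is an added example, not code from the submission or from the audited project: a check that a deployed implementation rejects a direct initialize() call while a proxy in front of it can still be initialized. The contract names (PoolUnlocked, PoolLocked, InitializerLockCheck) and the single-argument initialize() are hypothetical, and the code assumes OpenZeppelin Contracts is installed and that it runs on a local test network.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical stand-ins for an upgradeable pool; not the audited StabilityPool.
contract PoolUnlocked is Initializable {
    address public admin;

    // No constructor: the implementation's own initializer stays callable.
    function initialize(address admin_) external initializer {
        admin = admin_;
    }
}

contract PoolLocked is Initializable {
    address public admin;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers(); // locks the implementation's own storage only
    }

    function initialize(address admin_) external initializer {
        admin = admin_;
    }
}

// Hypothetical pre-deployment check, meant for a local test network.
contract InitializerLockCheck {
    // True when a direct initialize() call on the implementation reverts.
    function implementationIsLocked(address impl) public returns (bool) {
        (bool ok, ) = impl.call(abi.encodeCall(PoolLocked.initialize, (address(this))));
        return !ok;
    }

    function run() external returns (bool unlockedRejects, bool lockedRejects, address proxyAdmin) {
        unlockedRejects = implementationIsLocked(address(new PoolUnlocked()));
        PoolLocked impl = new PoolLocked();
        lockedRejects = implementationIsLocked(address(impl));

        // The proxy runs initialize() via delegatecall against its own storage,
        // so locking the implementation does not block proxy initialization.
        ERC1967Proxy proxy = new ERC1967Proxy(address(impl), abi.encodeCall(PoolLocked.initialize, (address(this))));
        proxyAdmin = PoolLocked(address(proxy)).admin();
    }
}
```

Calling run() should report that PoolUnlocked accepts the direct call, that PoolLocked rejects it, and that the proxy's admin is the check contract's own address.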
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
