Variable assigned initial value in upgradeable contract can break future upgrades
Summary
A variable in the StabilityPool contract is assigned an initial value within the contract scope while the contract is intended to be upgradeable which will be problematic in future upgrades.
Vulnerability Details
The StabilityPool contract inherits from multiple OZ upgradeable contracts with intent to be upgradeable:
But in the scope of the contract, the index variable is assigned an initial value. According to OZ's guidelines for writing upgradeable contracts, this should not be done since:
"This is equivalent to setting these values in the constructor, and as such, will not work for upgradeable contracts. Make sure that all initial values are set in an initializer function as shown below; otherwise, any upgradeable instances will not have these fields set."
Impact
Assigning an initial value to the index storage variable is against OZ's guidelines for writing upgradeable contracts and can create problems for the protocol in the future.
Tools Used
Manual Review
Recommendations
Assign the value in the initializer instead.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.