The StabilityPool contract, which is designed to be upgradeable, improperly initializes a state variable within its constructor. This practice can lead to issues in upgradeable contracts, as it conflicts with the intended initialization process using the initialize function.
In upgradeable contracts, constructors are not used for initializing state variables. Instead, an initialize function is employed to set up the contract's state. This is because upgradeable contracts rely on proxy patterns, where the constructor is only called once, during the deployment of the implementation contract, and not for the proxy. Anything the constructor writes lands in the implementation's storage, while the proxy, which holds the state users actually interact with, never sees it.
The StabilityPool contract initializes the _initialOwner state variable inside its constructor. This goes against the upgradeable contract pattern, as this variable will not be initialized when the proxy is set up, potentially leading to incorrect state.
Contract owner not initialized correctly
Manual
Handle all state initializations within the initialize function, and disable initializers in the constructor.
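The pattern described in this finding next to the recommended fix, as an added example that is not the project's own code. Only the names `StabilityPool` and `_initialOwner` come from the finding; the contract bodies, parameter names and the `initialOwner()` getter are assumptions, and the sketch assumes OpenZeppelin's `Initializable` from contracts-upgradeable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

// BEFORE: the pattern the finding describes (constructed sketch, not the audited source).
contract StabilityPoolBefore is Initializable {
    address private _initialOwner;

    constructor(address owner_) {
        // Executes once, when the implementation is deployed, so this write
        // goes to the implementation's storage and never to the proxy's.
        _initialOwner = owner_;
    }

    function initialize() external initializer {
        // Other setup would go here; _initialOwner is not written,
        // so it keeps its default value in the proxy's storage.
    }

    // Called through the proxy, this returns address(0).
    function initialOwner() external view returns (address) {
        return _initialOwner;
    }
}

// AFTER: all state is set in initialize(); the constructor only locks the implementation.
contract StabilityPoolAfter is Initializable {
    address private _initialOwner;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Prevents anyone from calling initialize() on the bare implementation.
        _disableInitializers();
    }

    function initialize(address owner_) external initializer {
        // Runs via delegatecall from the proxy, so the write lands in proxy storage.
        require(owner_ != address(0), "StabilityPool: owner is zero");
        _initialOwner = owner_;
    }

    function initialOwner() external view returns (address) {
        return _initialOwner;
    }
}
```

The proxy should be deployed with the encoded `initialize` call as its initialization data, so that deployment and initialization happen in one transaction and the `initializer` guard is consumed before anyone else can call it.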