Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Incorrect ReentrancyGuard Version Used in Upgradeable StabilityPool Contract

Summary

StabilityPool is not using the correct implementation of the reentrancy guard. The contract is meant to be upgradeable, but it uses the non-upgradeable ReentrancyGuard implementation provided by OpenZeppelin instead of the upgradeable one.

Vulnerability Details

The StabilityPool contract is intended to be upgradeable; however, it imports the non-upgradeable version of ReentrancyGuard from OpenZeppelin. This can cause problems, because the non-upgradeable version does not provide the initializer functions or the reserved storage gap that the upgradeable variants have, and the upgrade pattern relies on both: base-contract constructors never run in a proxy's storage, so state must be set up through initializers instead.
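As an added example (not the project's StabilityPool and not code from the report), the skeleton below shows the pattern the finding is asking for: every stateful base comes from the upgradeable package and is set up through its own `__X_init` call inside `initialize`, the implementation's constructor is locked with `_disableInitializers()`, and stateless pieces (the `IERC20` interface and the `SafeERC20` library) are still taken from the non-upgradeable package because they own no storage. The OpenZeppelin v5 import paths are assumed (they match the `utils/` path used in the recommendation); the contract name, `asset`, `deposits`, `deposit`, `withdraw` and the events are hypothetical placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's contract. OpenZeppelin v5 package layout assumed.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ReentrancyGuardUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {PausableUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";
// Stateless interfaces and libraries can come from the non-upgradeable package;
// only bases that own storage need their *Upgradeable variant.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical pool used only to illustrate the upgradeable-guard wiring.
contract StabilityPoolExample is
    Initializable,
    ReentrancyGuardUpgradeable,
    OwnableUpgradeable,
    PausableUpgradeable
{
    using SafeERC20 for IERC20;

    IERC20 public asset;                         // hypothetical: the pooled token
    mapping(address => uint256) public deposits; // hypothetical: per-user balance

    event Deposited(address indexed user, uint256 amount);
    event Withdrawn(address indexed user, uint256 amount);

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation contract so initialize() can never be called on it
        // directly; only the proxy's storage is ever initialized.
        _disableInitializers();
    }

    /// Runs exactly once, through the proxy. Base-contract constructors do not execute
    /// in the proxy's storage, so each upgradeable base is set up via its __X_init here.
    function initialize(address initialOwner, IERC20 asset_) external initializer {
        __ReentrancyGuard_init();        // the call the non-upgradeable guard cannot offer
        __Ownable_init(initialOwner);    // v5 signature; the v4 line takes no argument
        __Pausable_init();
        asset = asset_;
    }

    function deposit(uint256 amount) external nonReentrant whenNotPaused {
        deposits[msg.sender] += amount;
        asset.safeTransferFrom(msg.sender, address(this), amount);
        emit Deposited(msg.sender, amount);
    }

    function withdraw(uint256 amount) external nonReentrant whenNotPaused {
        uint256 bal = deposits[msg.sender];
        require(bal >= amount, "insufficient deposit");
        deposits[msg.sender] = bal - amount; // effects before the external interaction
        asset.safeTransfer(msg.sender, amount);
        emit Withdrawn(msg.sender, amount);
    }

    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }
}
```

With the Hardhat upgrades plugin this would be deployed as `upgrades.deployProxy(Factory, [owner, assetAddress], { initializer: "initialize" })`, which deploys the implementation, puts a proxy in front of it and runs `initialize` in the proxy's context; the plugin also refuses the deployment if a base with a constructor or an unsafe storage layout is detected, which is exactly the kind of mismatch the finding describes. Note that in the v5 line of OpenZeppelin the upgradeable bases keep their state in ERC-7201 namespaced storage slots rather than a trailing `__gap` array, so a layout check (`upgrades.validateUpgrade`) rather than manual gap accounting is the way to confirm an upgrade is safe.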

Impact

An attacker can call StabilityPool::initialize and pass arbitrary arguments.

Tools Used

Manual Review

Recommendations

Inherit the appropriate contract:

-contract StabilityPool is IStabilityPool, Initializable, ReentrancyGuard, OwnableUpgradeable, PausableUpgradeable
+contract StabilityPool is IStabilityPool, Initializable, ReentrancyGuardUpgradeable, OwnableUpgradeable, PausableUpgradeable
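Review bot: swapping the base contract on the `+` line is only half of the fix; `StabilityPool::initialize` also needs a matching `__ReentrancyGuard_init()` call beside its other `__X_init` calls, because `ReentrancyGuardUpgradeable` has no constructor that runs through the proxy, and the recommendation does not show that change. Replacing one base with another also changes the contract's storage layout, so if a proxy is already deployed this must be validated as an upgrade (for example with the OpenZeppelin Hardhat upgrades plugin's `validateUpgrade`) rather than applied as a plain source edit.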

and change the import:

-import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
+import "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";
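Review bot: the `+` import path `contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol` is the v5 package layout (the v4 line ships it under `security/`), so the path must match the `@openzeppelin/contracts-upgradeable` version actually pinned in the project, and that package should be on the same major version as `@openzeppelin/contracts`, which the other non-upgradeable imports in the contract still come from.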

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
