Regnum Aurum Acquisition Corp (Hardhat, Real World Assets, NFT) - 77,280 USDC

Submission Details
Severity: low
Status: Invalid

[L-2] Use of non‑upgradeable `ReentrancyGuard` in an upgradeable contract

Summary

The StabilityPool contract is designed to be upgradeable: it uses Initializable and inherits OpenZeppelin's upgradeable versions of Ownable and Pausable. However, it imports and inherits the non-upgradeable ReentrancyGuard.

Vulnerability Details

The StabilityPool contract imports `@openzeppelin/contracts/utils/ReentrancyGuard.sol` (the non-upgradeable version) instead of `@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol`. The non-upgradeable ReentrancyGuard initialises its `_status` slot in a constructor, which only ever runs in the implementation's own storage and never in the proxy's, and it has neither an initializer nor the storage conventions (storage gap or namespaced storage) that the upgradeable base contracts follow. In practice the `nonReentrant` modifier still works behind the proxy, because it only tests whether `_status` equals the entered sentinel, but the guard's storage is never initialised through the proxy, and any future change to the guard's storage footprint can shift the slots of every variable declared after it and corrupt the proxy's state on upgrade.

There is also a second issue in this contract: its constructor does not call `_disableInitializers()`, which is the recommended practice for implementation contracts behind a proxy. Without it, the implementation contract itself remains initialisable by anyone.

```solidity
// StabilityPool implementation constructor (as found during review)
constructor(address initialOwner) {
    _initialOwner = initialOwner;
    //@audit the line below is usually a best practice to add to the constructor
    // _disableInitializers();
}
```

Impact

The storage layout of the StabilityPool proxy might be corrupted during an upgrade, and the implementation contract is left open to initialisation by a third party.

Tools Used

Manual review

Recommendations

Import and inherit `ReentrancyGuardUpgradeable`, call `__ReentrancyGuard_init()` from `initialize()`, and call `_disableInitializers()` in the implementation's constructor. As a check, deploy and upgrade through the OpenZeppelin Upgrades plugin for Hardhat (`@openzeppelin/hardhat-upgrades`), which validates the implementation and flags constructors and storage-layout incompatibilities between versions.
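The corrected shape of the contract, as an added example that is not the project's own code: the guard comes from the upgradeable package and is initialised in `initialize()` alongside the other parents, and the constructor locks the implementation. The `token` field, the `deposits` mapping and the `deposit`/`withdraw` functions are hypothetical stand-ins for StabilityPool's real logic; import paths assume OpenZeppelin Contracts (Upgradeable) v5.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not StabilityPool's real code. The `token` field, the
// `deposits` mapping and the deposit/withdraw functions are hypothetical;
// import paths assume OpenZeppelin Contracts (Upgradeable) v5.x.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {PausableUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";
import {ReentrancyGuardUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract StabilityPoolFixed is
    Initializable,
    OwnableUpgradeable,
    PausableUpgradeable,
    ReentrancyGuardUpgradeable // upgradeable guard: namespaced storage, initializer, no constructor
{
    using SafeERC20 for IERC20;

    IERC20 public token; // hypothetical deposit token
    mapping(address => uint256) public deposits;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Runs only against the implementation's own storage. Locks the
        // implementation so nobody can call initialize() on it directly.
        _disableInitializers();
    }

    /// Proxy-side replacement for the constructor: every upgradeable parent
    /// gets its init call here, including the guard, so _status is set in
    /// the proxy's storage rather than left at zero.
    function initialize(address initialOwner, IERC20 token_) external initializer {
        __Ownable_init(initialOwner);
        __Pausable_init();
        __ReentrancyGuard_init();
        token = token_;
    }

    function deposit(uint256 amount) external whenNotPaused nonReentrant {
        deposits[msg.sender] += amount;
        token.safeTransferFrom(msg.sender, address(this), amount);
    }

    function withdraw(uint256 amount) external whenNotPaused nonReentrant {
        uint256 bal = deposits[msg.sender];
        require(bal >= amount, "insufficient deposit");
        deposits[msg.sender] = bal - amount; // effects before the external call
        token.safeTransfer(msg.sender, amount);
    }
}
```

The proxy pattern is left open on purpose, since the page does not say which one StabilityPool uses: for a UUPS deployment the contract would additionally inherit `UUPSUpgradeable` and implement `_authorizeUpgrade`, while a transparent proxy needs no change to the implementation. Either way the owner address must be passed to `initialize()` through the proxy, not to the constructor, because constructor writes never reach proxy storage.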

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Known issue
