Missing constructor with disableInitializers() allows initialization of implementation contract
Description:
The LevelOne and LevelTwo contracts is designed to be used with the UUPS (Universal Upgradeable Proxy Standard) pattern, but it lacks a constructor that calls _disableInitializers(). This is a critical security measure for upgradeable contracts that prevents the implementation contract from being initialized directly.
Attack path:
Attacker identifies that the implementation contract for
LevelOnedoesn't have a constructor with_disableInitializers()Attacker directly calls the
initialize(address _principal, uint256 _schoolFees, address _usdcAddress)function on the implementation contract (not the proxy)Attacker sets themselves as the
principalparameterThe implementation contract is now initialized with the attacker as the principal
Impact:
Attacker can gain principal privileges on the implementation contract
Recommended Mitigation:
Add a constructor to the LevelOne contract and LevelTwo contract that disables initializers:
Lead Judging Commences
contract can be re-initialized
The system can be re-initialized by an attacker and its integrity tampered with due to lack of `disableInitializer()`
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.