Missing _disableInitializers()
summary
we must need to have _disableInitializers() inside the constructor of the LevelOne contract
vulnerability details
-> In UUPS proxies, all state lives in the proxy, while the implementation’s functions must be “initialized” via an external initialize() function rather than a constructor. If _disableInitializers() is not called in the implementation contract’s constructor, anyone can call initialize() directly on the implementation, thereby becoming its “owner” and bypassing the proxy’s access controls.
-> Once an attacker controls the implementation, they can invoke upgradeToAndCall() (protected by the malicious owner role) to delegatecall into a contract containing a selfdestruct opcode, effectively deleting the implementation’s code
. After self-destruction, all proxies pointing to that implementation will have no logic to delegate to, breaking the upgrade path.
Steps To Attack
-
Deploy the UUPS implementation without _disableInitializers() in its constructor.
-
Call initialize(attackerAddress) directly on the implementation contract: the attacker becomes owner.
-
Deploy a malicious upgrade contract with a function that executes selfdestruct(address(proxy)).
-
As “owner,” the attacker calls upgradeToAndCall(maliciousAddress, data) on the proxy, which delegatecalls into the malicious contract and triggers selfdestruct, wiping the implementation
impact - High
likelyhood - High
Recommendations
Lead Judging Commences
contract can be re-initialized
The system can be re-initialized by an attacker and its integrity tampered with due to lack of `disableInitializer()`
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.