Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Missing _disableInitializers() – Contract Can Be Reinitialized via Proxy

Summary

The LevelOne contract is upgradeable via UUPS and inherits from Initializable, but it never calls _disableInitializers() in the implementation contract's constructor. This oversight allows anyone to call initialize() on the implementation contract directly, enabling unauthorized reinitialization and potential takeover of critical roles such as principal.

Impact

If deployed behind a proxy, the logic (implementation) contract remains unprotected.

  • An attacker can:

    • Call initialize() on the implementation contract directly.

    • Set themselves as the principal.

    • Call privileged functions like graduateAndUpgrade() and transfer funds.

  • This can lead to a full takeover and loss of all user funds.

Tools Used

Aderyn

Recommendations

Add the following constructor to the LevelOne contract to prevent reinitialization:

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

This ensures the implementation contract cannot be initialized directly after deployment, which is standard practice for OpenZeppelin upgradeable contracts.

Updates
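The following Foundry test is an added example (not code from the submission or from the Hawk High project) showing how to verify the fix: a hypothetical LevelOneLike stand-in carries the recommended constructor, and the test asserts that initialize() reverts on the bare implementation while still working exactly once through an ERC1967 proxy. It assumes OpenZeppelin contracts-upgradeable v5 (which reverts with InvalidInitialization()) and forge-std are installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

/// Hypothetical stand-in for LevelOne (assumption): keeps only the parts the finding concerns.
contract LevelOneLike is Initializable, UUPSUpgradeable {
    address public principal;
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers(); // the recommended fix: lock the logic contract's own storage
    }
    function initialize(address _principal) public initializer {
        __UUPSUpgradeable_init();
        principal = _principal;
    }
    function _authorizeUpgrade(address) internal view override { require(msg.sender == principal, "not principal"); }
}

contract DisableInitializersTest is Test {
    LevelOneLike impl;
    address attacker = makeAddr("attacker");
    address deployer = makeAddr("deployer");

    function setUp() public {
        impl = new LevelOneLike(); // constructor runs _disableInitializers()
    }

    /// With the fix, initialize() on the bare implementation reverts for any caller.
    function test_ImplementationCannotBeInitialized() public {
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        impl.initialize(attacker);
    }

    /// The proxy still initializes normally: delegatecall uses the proxy's storage,
    /// where the initialized counter is untouched. A second attempt reverts.
    function test_ProxyInitializesExactlyOnce() public {
        bytes memory data = abi.encodeCall(LevelOneLike.initialize, (deployer));
        LevelOneLike proxied = LevelOneLike(address(new ERC1967Proxy(address(impl), data)));
        assertEq(proxied.principal(), deployer);

        vm.expectRevert(Initializable.InvalidInitialization.selector);
        proxied.initialize(attacker);
    }
}
```

Run it with `forge test --match-contract DisableInitializersTest`; removing the constructor makes the first test fail, which is the regression check for this finding.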

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity