Hawk High

First Flight #39
Beginner Friendly, Solidity
Submission Details
Severity: medium
Valid

Missing call to _disableInitializers in LevelOne and LevelTwo contracts

Summary

The LevelOne and LevelTwo contracts are missing the _disableInitializers() call in their constructors and initialization functions. This omission could allow malicious actors to re-initialize the contracts after deployment or upgrade, potentially resetting or modifying critical state variables.

Vulnerability Details

An uninitialized contract can be taken over by an attacker. This applies to both a proxy and its implementation contract, and a takeover of the implementation may in turn impact the proxy. To prevent the implementation contract from ever being initialized, invoke _disableInitializers() in its constructor so that it is locked automatically at deployment.

Impact

  1. Contract state variables can be reset or modified after initial deployment

  2. Critical parameters like principal, schoolFees, and usdc address can be altered

  3. Contract upgrade security can be compromised

  4. Business logic and financial operations could be disrupted

Tools Used

Foundry, Manual review

Recommendations

  • Add _disableInitializers() in the constructor of both contracts:

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }
  • For LevelOne.sol, keep the initialize function guarded by the initializer modifier. Do not call _disableInitializers() inside it: OpenZeppelin's Initializable reverts when that function is called while _initializing is set, which would make initialization through the proxy revert as well.

    function initialize(address _principal, uint256 _schoolFees, address _usdcAddress) public initializer {
        // existing checks...
        principal = _principal;
        schoolFees = _schoolFees;
        usdc = IERC20(_usdcAddress);
        __UUPSUpgradeable_init();
        // `initializer` already rejects a second call through the proxy;
        // the constructor lock above covers the bare implementation.
    }
  • For LevelTwo.sol, implement proper initialization logic under the reinitializer modifier, which limits graduate() to a single run at version 2:

    function graduate() public reinitializer(2) {
        // Add initialization logic
        // `reinitializer(2)` already prevents this from running twice;
        // `_disableInitializers()` here would revert for the same reason as above.
    }
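The constructor lock in practice, as an added Foundry test that is not part of the Hawk High code base: the bare implementation cannot be initialized by anyone, while the proxy initializes exactly once and rejects a second call. It assumes OpenZeppelin Contracts v5.x (plain and upgradeable) and forge-std are installed via remappings; LockedLevel is a constructed stand-in for LevelOne.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not Hawk High code. Assumes OpenZeppelin Contracts v5.x
// (plain + upgradeable) and forge-std installed via Foundry remappings.
import {Test} from "forge-std/Test.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
// Minimal stand-in for LevelOne. The constructor runs only in the implementation's
// own context, so it locks that storage; the proxy's storage is still initializable once.
contract LockedLevel is Initializable, UUPSUpgradeable {
    address public principal;
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }
    function initialize(address _principal) public initializer {
        __UUPSUpgradeable_init();
        principal = _principal;
    }
    function _authorizeUpgrade(address) internal view override {
        require(msg.sender == principal, "not principal");
    }
}

contract LockedLevelTest is Test {
    LockedLevel impl;
    LockedLevel viaProxy;
    address principal = makeAddr("principal");
    address attacker = makeAddr("attacker");

    function setUp() public {
        impl = new LockedLevel();
        bytes memory data = abi.encodeCall(LockedLevel.initialize, (principal));
        viaProxy = LockedLevel(address(new ERC1967Proxy(address(impl), data)));
    }
    // The bare implementation is locked: nobody can claim it.
    function test_ImplementationCannotBeInitialized() public {
        vm.prank(attacker);
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        impl.initialize(attacker);
    }

    // Through the proxy, initialize ran once in setUp and is now closed.
    function test_ProxyCannotBeReinitialized() public {
        assertEq(viaProxy.principal(), principal);
        vm.prank(attacker);
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        viaProxy.initialize(attacker);
    }
}
```

Run with forge test; removing the constructor from LockedLevel makes the first test fail, which is exactly the condition this finding reports.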


References

https://docs.openzeppelin.com/contracts/4.x/api/proxy#Initializable

https://docs.openzeppelin.com/contracts/4.x/api/proxy#UUPSUpgradeable

https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies

Additional Notes

  1. The vulnerability affects both the initial deployment and upgrade process

  2. The issue is particularly critical given the financial nature of the contract (handling USDC)

  3. The attack could be executed by any address since there's no protection against re-initialization

  4. This vulnerability could be combined with other attacks to maximize impact

Updates

Lead Judging Commences

yeahchibyke Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

contract can be re-initialized

The system can be re-initialized by an attacker and its integrity tampered with due to lack of `disableInitializer()`
