Stratax inherits Initializable and is deployed behind a BeaconProxy, but has no constructor calling _disableInitializers(). Anyone can call initialize() on the implementation contract directly and become its owner, gaining access to all onlyOwner functions on that contract.
Upgradeable contracts deployed behind proxies should disable initialization on the implementation to prevent unauthorized access to the implementation's storage.
Stratax has no constructor:
The initializer modifier only prevents re-initialization within a single storage context. The proxy called initialize() during deployment against its own storage; the implementation contract has its own separate storage, in which initialize() has never been called, so the modifier does not block a first call there.
An attacker calls initialize() directly on the implementation contract address and becomes its owner. They then have access to setFlashLoanFee(), setStrataxOracle(), recoverTokens(), and transferOwnership() on the implementation.
The proxy contracts are unaffected since they use separate storage. But controlling the implementation is a well-known access control violation that OpenZeppelin explicitly warns against.
Likelihood: Medium
The implementation contract address is public on-chain. The attack is a single transaction with no preconditions.
Impact: Medium
The proxy (which holds all funds) is unaffected, so user positions and funds remain safe. The implementation contract has no funds, but an attacker gains control of a contract with valid Aave and 1inch router references. In certain upgrade patterns (UUPS), this could escalate. With BeaconProxy, the beacon owner controls upgrades, not the implementation owner, which limits the blast radius.
Place in test/exploits/Exploit_ImplTakeover.t.sol. Run: forge test --match-contract Exploit_ImplTakeover -vv
Test output:
Key logs:
Add a constructor that calls _disableInitializers() per OpenZeppelin's upgrade safety guidelines. This prevents anyone from calling initialize() on the implementation:
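The fix in working form, with a regression test that checks it, as an added example rather than Stratax's code: HardenedImpl is a hypothetical implementation of the same shape (owner plus a fee setter), and the block assumes OpenZeppelin Contracts v5 (upgradeable and non-upgradeable packages) and forge-std are installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {UpgradeableBeacon} from "@openzeppelin/contracts/proxy/beacon/UpgradeableBeacon.sol";
import {BeaconProxy} from "@openzeppelin/contracts/proxy/beacon/BeaconProxy.sol";

// Hypothetical implementation (not Stratax): same shape as the finding, plus the fix.
contract HardenedImpl is Initializable, OwnableUpgradeable {
    uint256 public flashLoanFee;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Runs once, in the implementation's own storage, and marks it as fully
        // initialized, so initialize() can only ever run through a proxy's storage.
        _disableInitializers();
    }

    function initialize(address owner_, uint256 fee_) external initializer {
        __Ownable_init(owner_);
        flashLoanFee = fee_;
    }

    function setFlashLoanFee(uint256 fee_) external onlyOwner {
        flashLoanFee = fee_;
    }
}

// Regression test: the raw implementation rejects initialize(); the beacon proxy path still works.
contract ImplInitGuardTest is Test {
    HardenedImpl impl = new HardenedImpl();

    function test_implementationRejectsInitialize() public {
        // Without the constructor this call would succeed and make the caller owner.
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        impl.initialize(address(this), 9);
    }

    function test_beaconProxyStillInitializes() public {
        UpgradeableBeacon beacon = new UpgradeableBeacon(address(impl), address(this));
        bytes memory data = abi.encodeCall(HardenedImpl.initialize, (address(this), 9));
        HardenedImpl proxied = HardenedImpl(address(new BeaconProxy(address(beacon), data)));
        assertEq(proxied.owner(), address(this));
        assertEq(proxied.flashLoanFee(), 9);
    }
}
```

Run with `forge test --match-contract ImplInitGuardTest -vv`; the first test is the check that would have failed against the unpatched contract, the second confirms the constructor does not break normal proxy deployment.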