No Protection of Uninitialized Implementation Contracts From Attacker #302
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-68
edited-by-warden
🤖_36_group: AI based duplicate group recommendation
sufficient quality report: This report is of sufficient quality
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/2fb1e0ec7a52fc06c2e9c8e561bccba84302e4bb/src/PredyPool.sol#L68
https://github.com/code-423n4/2024-05-predy/blob/2fb1e0ec7a52fc06c2e9c8e561bccba84302e4bb/src/base/BaseHookCallbackUpgradable.sol#L13
https://github.com/code-423n4/2024-05-predy/blob/2fb1e0ec7a52fc06c2e9c8e561bccba84302e4bb/src/base/BaseMarketUpgradable.sol#L36
Vulnerability details
Impact
In the contracts that implement OpenZeppelin's Upgradeable model, the uninitialized Implementation contract can be taken over by an attacker through its initialize() function.
Proof of Concept
Scenario:
Proxy and Implementation are deployed. Proxy delegates calls to Implementation.initialize(), which sets the owner and switches initialized to true in the state of the Proxy. The Implementation's own storage, however, is untouched: its owner is unset and its initialized flag is false. An attacker calls initialize() directly on Implementation and sets himself as the owner of the implementation contract.
Tools Used
Manual Review
Recommended Mitigation Steps
From Openzeppelin Docs:
Do not leave an implementation contract uninitialized. An uninitialized implementation contract can be taken over by an attacker, which may impact the proxy. To prevent the implementation contract from being used, you should invoke the _disableInitializers function in the constructor to automatically lock it when it is deployed:
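The scenario from the Proof of Concept and the fix quoted above, as an added example (this is not code from the Predy repository or from OpenZeppelin's docs). It assumes OpenZeppelin Contracts v5 import paths; the contract names VulnerableImpl, HardenedImpl and Demo and the run() helper are hypothetical. Demo.run() deploys each implementation behind an ERC1967Proxy, initializes the proxy, then calls initialize() on the implementation itself: on VulnerableImpl the direct call succeeds and the implementation's own owner slot ends up holding the attacker, on HardenedImpl it reverts with InvalidInitialization() because the constructor already consumed the implementation's own initializer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the Predy repository. Assumes OpenZeppelin
// Contracts v5 (import paths below); contract and function names are hypothetical.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

/// Mirrors the reported pattern: no constructor, so after deployment the
/// implementation contract's own `_initialized` value is still 0.
contract VulnerableImpl is Initializable {
    address public owner;

    function initialize(address owner_) external initializer {
        owner = owner_;
    }
}

/// Same logic, but the constructor locks the implementation's own storage.
/// Constructor code never runs in a proxy's context, so each proxy's
/// `_initialized` still starts at 0 and `initialize` keeps working through it.
contract HardenedImpl is Initializable {
    address public owner;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize(address owner_) external initializer {
        owner = owner_;
    }
}

/// Replays the Proof of Concept scenario on-chain and reports the outcome.
contract Demo {
    function run(address deployer, address attacker)
        external
        returns (address proxyOwner, address vulnImplOwner, bool hardenedImplTakeover)
    {
        // 1. Deploy implementation and proxy; the proxy delegatecalls
        //    initialize(), which writes owner/initialized into the PROXY's storage.
        VulnerableImpl vuln = new VulnerableImpl();
        ERC1967Proxy proxy = new ERC1967Proxy(
            address(vuln),
            abi.encodeCall(VulnerableImpl.initialize, (deployer))
        );
        proxyOwner = VulnerableImpl(address(proxy)).owner();

        // 2. The implementation's own storage was never initialized, so the
        //    attacker calls initialize() directly on it and becomes its owner.
        vuln.initialize(attacker);
        vulnImplOwner = vuln.owner();

        // 3. With _disableInitializers() in the constructor the same direct call
        //    reverts with InvalidInitialization(); the proxy in front of it is
        //    unaffected and initializes normally.
        HardenedImpl hardened = new HardenedImpl();
        new ERC1967Proxy(
            address(hardened),
            abi.encodeCall(HardenedImpl.initialize, (deployer))
        );
        try hardened.initialize(attacker) {
            hardenedImplTakeover = true;
        } catch {
            hardenedImplTakeover = false;
        }
    }
}
```

What an attacker actually gains from owning the implementation's own storage depends on what the owner-gated code can do when executed in the implementation's context rather than the proxy's (a delegatecall or selfdestruct reachable only by the owner is the classic way this escalates to affecting the proxy). Calling _disableInitializers() in the constructor removes that question entirely, and it is safe for every proxy because a proxy's storage is separate from the implementation's.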
Assessed type
Other