Basin - codegpt's results

A composable EVM-native decentralized exchange protocol.

General Information

Platform: Code4rena

Start Date: 03/07/2023

Pot Size: $40,000 USDC

Total HM: 14

Participants: 74

Period: 7 days

Judge: alcueca

Total Solo HM: 9

Id: 259

League: ETH

Researcher Performance

Rank: 47/74

Findings: 1

Award: $17.52

QA: grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L22-L34

Vulnerability details

Impact

Proof of Concept

The Well logic contracts do not protect their initializers. An attacker can call the initializer and assume ownership of the logic contract, whereby she can perform privileged operations that trick unsuspecting users into believing that she is the owner of the upgradeable contract.

contract Well is ERC20PermitUpgradeable, IWell, IWellErrors, ReentrancyGuardUpgradeable, ClonePlus {
    using SafeERC20 for IERC20;
    using SafeCast for uint256;

    uint256 constant ONE_WORD = 32;
    uint256 constant PACKED_ADDRESS = 20;
    uint256 constant ONE_WORD_PLUS_PACKED_ADDRESS = 52; // For gas efficiency purposes
    bytes32 constant RESERVES_STORAGE_SLOT = bytes32(uint256(keccak256("reserves.storage.slot")) - 1);

    // No constructor calls _disableInitializers(), so init() is callable on the logic contract itself.
    function init(string memory name, string memory symbol) public initializer {
        __ERC20Permit_init(name);
        __ERC20_init(name, symbol);
        // ...
    }
}

Tools Used

Manual

Recommended Mitigation Steps

Invoke _disableInitializers() in the constructor of the Well logic contract, so that init() can only be called on clones and never on the implementation itself.

Assessed type

Upgradable

#0 - c4-pre-sort

2023-07-11T13:01:44Z

141345 marked the issue as low quality report

#1 - 141345

2023-07-13T11:06:40Z

Lacks details on the impact and potential loss.

Maybe QA is more appropriate.

#2 - alcueca

2023-08-04T20:29:38Z

QA is appropriate. Init functions are usually called within the transaction that deploys a contract using a factory.

#3 - c4-judge

2023-08-04T20:29:43Z

alcueca changed the severity to QA (Quality Assurance)

#4 - alcueca

2023-08-05T10:38:38Z

Just make it very clear in the documentation, or include a check that requires the init function to have been called before executing anything else. Adding something in the constructor that disables calling the init function is even better.

#5 - c4-judge

2023-08-05T10:38:47Z

alcueca marked the issue as grade-a
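The following is an added example, not Basin's code, showing both layers discussed above: the report's recommendation (calling _disableInitializers() in the logic contract's constructor) and the judge's two suggestions in comment #4 (a guard that requires init to have run before anything else executes, and a factory that clones and initializes in a single transaction). It assumes OpenZeppelin Contracts 4.8 or later (for _getInitializedVersion) and uses OpenZeppelin's Clones library as a simplification in place of Basin's ClonePlus; the names WellLike, WellFactory, deployWell, deposit and NotInitialized are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumes OpenZeppelin Contracts 4.8+ (needed for `_getInitializedVersion`).
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

/// @notice Hypothetical stand-in for a Well logic contract (not Basin's code).
///         Demonstrates two mitigations: disabling initializers on the logic
///         contract itself, and refusing to do anything until `init` has run.
contract WellLike is Initializable {
    string public name;
    string public symbol;
    address public factory;
    uint256 public totalDeposited;

    error NotInitialized();

    /// @dev Runs exactly once, when the logic contract is deployed. It sets the
    ///      initializer version to type(uint8).max, so any later `init` call on
    ///      the logic contract reverts ("Initializable: contract is already
    ///      initialized"). Clones are unaffected: their own storage starts at
    ///      version 0, so `init` still works once per clone.
    constructor() {
        _disableInitializers();
    }

    /// @notice One-shot initializer; on a clone it can succeed exactly once.
    function init(string memory name_, string memory symbol_) external initializer {
        name = name_;
        symbol = symbol_;
        factory = msg.sender;
    }

    /// @dev Second layer (the judge's suggestion): an uninitialized clone has
    ///      version 0, an initialized clone has version 1, and the logic
    ///      contract has type(uint8).max. Only an initialized clone may run
    ///      state-changing logic, so neither a bare clone nor the logic
    ///      contract can be used as if it were a configured Well.
    modifier onlyInitialized() {
        if (_getInitializedVersion() != 1) revert NotInitialized();
        _;
    }

    /// @notice Placeholder for the Well's real business logic (swap, add
    ///         liquidity, ...), guarded so it cannot run before `init`.
    function deposit() external payable onlyInitialized {
        totalDeposited += msg.value;
    }
}

/// @notice Hypothetical factory that clones and initializes in one transaction,
///         the deployment pattern the judge refers to in comment #2. Uses
///         OpenZeppelin `Clones` here instead of Basin's `ClonePlus`.
contract WellFactory {
    address public immutable implementation;

    event WellDeployed(address indexed well, string name, string symbol);

    constructor() {
        // The logic contract's own constructor disables its initializers.
        implementation = address(new WellLike());
    }

    /// @notice Deploy a Well clone and initialize it atomically, so there is
    ///         no window in which a deployed-but-uninitialized clone exists
    ///         for someone else to initialize.
    function deployWell(string calldata name_, string calldata symbol_, bytes32 salt)
        external
        returns (address well)
    {
        well = Clones.cloneDeterministic(implementation, salt);
        WellLike(well).init(name_, symbol_); // sets factory == address(this)
        emit WellDeployed(well, name_, symbol_);
    }
}
```

With this layout, calling init() on WellFactory.implementation() reverts because the constructor already consumed the initializer, deposit() on a clone that somehow skipped init() reverts with NotInitialized, and the only supported path to a usable Well is deployWell(), which leaves no uninitialized clone behind.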
