Platform: Code4rena
Start Date: 21/04/2022
Pot Size: $100,000 USDC
Total HM: 18
Participants: 60
Period: 7 days
Judge: gzeon
Total Solo HM: 10
Id: 112
League: ETH
Rank: 43/60
Findings: 1
Award: $159.31
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x52, 0xDjango, 0xkatana, Dravee, Funen, Kenshin, Ruhum, StyxRave, Tadashi, TerrierLover, TrungOre, antonttc, berndartmueller, catchup, csanuragjain, defsec, dipp, fatherOfBlocks, hake, horsefacts, hubble, jayjonah8, joestakey, kebabsec, kenta, m4rio_eth, oyc_109, pauliax, peritoflores, rayn, remora, robee, securerodd, simon135, sorrynotsorry, sseefried, z3s
159.3125 USDC - $159.31
https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/AddressProvider.sol#L47
In AddressProvider.sol, the use of OpenZeppelin upgradeable contracts indicates that AddressProvider.sol should be upgradeable. The problem is that it uses a constructor function, which should not be used in upgradeable contracts since it can break upgradeability.
https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/AddressProvider.sol#L47
Manual code review
Consider deleting the constructor function and adding its logic inside the initialize() function.
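The general concern behind the recommendation above, shown as an added example that is not part of the original submission and not Backd's code: state written in a logic contract's constructor lands in the logic contract's own storage, while a proxy that delegatecalls into it reads its own storage. The contract names, the `governance` variable and the minimal proxy are hypothetical; the concern only applies when the contract is actually deployed behind a proxy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical logic contracts for illustration; not Backd's AddressProvider.
contract LogicWithConstructor {
    address public governance;
    constructor(address _governance) {
        // Runs once, at deployment of the logic contract, against ITS storage.
        governance = _governance;
    }
}

contract LogicWithInitializer {
    address public governance;
    bool private initialized;
    // Invoked through the proxy via delegatecall, so it writes the proxy's storage.
    function initialize(address _governance) external {
        require(!initialized, "already initialized");
        initialized = true;
        governance = _governance;
    }
}

// Minimal delegating proxy (hypothetical); implementation address kept in the EIP-1967 slot.
contract MinimalProxy {
    bytes32 private constant IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    constructor(address impl, bytes memory initData) {
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, impl) }
        if (initData.length > 0) {
            (bool ok, ) = impl.delegatecall(initData); // initialize in the proxy's context
            require(ok, "init failed");
        }
    }

    fallback() external payable {
        bytes32 slot = IMPL_SLOT;
        assembly {
            let impl := sload(slot)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

Calling `governance()` through a `MinimalProxy` that points at `LogicWithConstructor` returns the zero address, because the constructor never ran against the proxy's storage. Pointing it at `LogicWithInitializer` and passing the encoded `initialize` call as `initData` returns the configured address.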
#0 - chase-manning
2022-04-29T10:47:32Z
This contract is not upgradable.
#1 - gzeoneth
2022-05-07T20:20:36Z
Not sure why you need an initializer if it is not behind a proxy. Downgrading to Low / QA regardless.
#2 - JeeberC4
2022-05-09T16:21:22Z
Preserving original title as warden did not submit a QA Report and judge downgraded issue: Constructor function used in upgradeability contract