Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MadSisyphus - AssetFactory.sol proxy contract cannot be initialized #245

Closed
sherlock-admin3 opened this issue Sep 10, 2024 · 0 comments
Closed

MadSisyphus - AssetFactory.sol proxy contract cannot be initialized #245

sherlock-admin3 opened this issue Sep 10, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin3
Copy link

sherlock-admin3 commented Sep 10, 2024
edited
Loading

MadSisyphus

High

AssetFactory.sol proxy contract cannot be initialized

Summary

The notDelegated modifier in the initialize function in the AssetFactory.sol contract prevents the proxy contract from being initialized. This means that the contract can not be used as it was intended, i.e. as an upgradeable contract to be called via an EIP-1967 proxy.

Vulnerability Detail

The AssetFactory.sol contract implements OpenZeppelin's UUPS (Universal Upgradeable Proxy Standard). It serves as the implementation contract which should be called by an EIP-1967 proxy using delegatecall. This means that contract initialization should happen also via delegatecall and state changes should happen on the proxy contract's state. However, in the AssetFactory.sol contract this is impossible because of the notDelegated modifier.

Impact

The AssetFactory.sol smart contract is unusable, because it cannot be initialized. This prevents Depeg Swaps and Cover Tokens from being created, and since they are some of the most important pillars of the protocol, this makes the whole protocol unusable.

Code Snippet

https://github.com/sherlock-audit/2024-08-cork-protocol/blob/main/Depeg-swap/contracts/core/assets/AssetFactory.sol#L48

Tool used

Manual Review

Recommendation

Remove the notDelegated modifier from the initalize function to allow the proxy contract to be initialized.

contract AssetFactory is IAssetFactory, OwnableUpgradeable, UUPSUpgradeable {
    ...
-     function initialize(address moduleCore) external initializer notDelegated {...}
+     function initialize(address moduleCore) external initializer {...}
}

Duplicate of #185
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. labels Sep 14, 2024
@sherlock-admin3 sherlock-admin3 changed the title Dandy Cider Urchin - AssetFactory.sol proxy contract cannot be initialized MadSisyphus - AssetFactory.sol proxy contract cannot be initialized Sep 25, 2024
@sherlock-admin3 sherlock-admin3 added the Reward A payout will be made for this issue label Sep 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin3