Mysterious Plum Griffin
High
The missing _disableInitializers in the constructor of UUPS contracts will cause potential reinitialization risk as anyone can invoke an initializer on the implementation contract directly.
https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosProfile.sol#L45
https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosReview.sol#L29
https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosVote.sol#L26
https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosDiscussion.sol#L29
https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosAttestation.sol#L59
In UUPS contracts, the _disableInitializers call is missing from the constructor. Without this call, the implementation contract remains uninitialized and can be invoked by anyone to run an initializer function on it.
- The contract must lack
_disableInitializersin the constructor. - The implementation contract must be deployed in a way that allows direct interaction.
- The contract must include at least one
initializerfunction callable externally.
No response
- An external user must attempt to initialize the UUPS implementation contract.
- Contract deployment is public, allowing unauthorized access if initialized.
The protocol suffers potential state corruption or unauthorized configuration changes, which may lead to malfunction or loss of control over contract behavior. The attacker gains control over the initialization process and can modify contract parameters maliciously.
No response
Add _disableInitializers() to the constructor of each UUPS implementation contract to prevent the risk of reinitialization.
constructor() {
_disableInitializers();
}