Update initializer library to prevent reentrancy during initialization

Code4rena (code423n4), 2022-11-paraspace-findings, issue 412. Dec 09, 2022. Source: github.com

Lines of code

Vulnerability details

Since proxied contracts do not make use of a constructor, it’s common to move constructor logic to an external initializer function, usually called initialize. It then becomes necessary to protect this initializer function so it can only be called once.

The solution uses:
"@openzeppelin/contracts": "^4.2.0",
"@openzeppelin/contracts-upgradeable": "^4.2.0",

Proof of Concept

These dependencies have a known high-severity vulnerability:

<https://security.snyk.io/vuln/SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-2320177>

<https://snyk.io/test/npm/@openzeppelin/contracts-upgradeable/4.3.2#SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-2320177>

<https://snyk.io/test/npm/@openzeppelin/contracts/4.0.0#SNYK-JS-OPENZEPPELINCONTRACTS-2320176>

This makes the following contracts, each of which relies on the affected initializer modifier, vulnerable:

PoolConfigurator.sol#L76.

76: function initialize(IPoolAddressesProvider provider) external initializer {

MockInitializableImplementation.sol#L25.

25: ) external initializer {

WETHGateway.sol#L39.

39: function initialize() external initializer {

WPunkGateway.sol#L57.

57: function initialize() external initializer

Recommended Mitigation Steps

Upgrade @openzeppelin/contracts and @openzeppelin/contracts-upgradeable to version 4.4.1 or higher.
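As an added illustration (not code from this finding, the ParaSpace repository, or OpenZeppelin verbatim), a simplified initializer modifier with the pre-4.4.1 style guard beside the stricter guard that 4.4.1 adopted (paraphrased here): the weak version accepts any call while `_initializing` is set, so an external call made during initialization can re-enter an initializer-protected function; the fixed version tolerates nested initializer calls only inside a constructor.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added illustration, not OpenZeppelin's or ParaSpace's code verbatim: the guard
// shape behind the Snyk advisories above, next to the stricter guard that
// OpenZeppelin Contracts 4.4.1 adopted (paraphrased, names are illustrative).
abstract contract InitializableWeak {
    bool private _initialized;
    bool private _initializing;
    modifier initializer() {
        // Weak: while _initializing is set, ANY call passes. If initialize()
        // makes an external call (a token hook, a callback), the callee can
        // re-enter this initializer-guarded function before the flag clears.
        require(_initializing || !_initialized, "already initialized");
        bool isTopLevelCall = !_initializing;
        if (isTopLevelCall) {
            _initializing = true;
            _initialized = true;
        }
        _;
        if (isTopLevelCall) {
            _initializing = false;
        }
    }
}

abstract contract InitializableFixed {
    bool private _initialized;
    bool private _initializing;
    // A contract has no deployed bytecode while its constructor runs.
    function _isConstructor() private view returns (bool) {
        return address(this).code.length == 0;
    }

    modifier initializer() {
        // Fixed: a nested initializer call is tolerated only inside a
        // constructor (multiple-inheritance case). On an already deployed
        // proxy, _initializing no longer bypasses _initialized, so re-entry reverts.
        require(_initializing ? _isConstructor() : !_initialized, "already initialized");
        bool isTopLevelCall = !_initializing;
        if (isTopLevelCall) {
            _initializing = true;
            _initialized = true;
        }
        _;
        if (isTopLevelCall) {
            _initializing = false;
        }
    }
}
```

A quick check for an upgradeable codebase is to confirm the installed Initializable.sol carries the constructor-conditioned require rather than the plain `_initializing || !_initialized` form, and that initialize() functions make no external calls before state is fully set.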
