collateral.sol is an upgradeable contract. Upgradeable contracts should not use the constructor to initialize variables, as these will be set in the contract storage of the implementation contract, instead of the intended contract storage of the proxy contract (more information can be found here: <https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies#the-constructor-caveat>)
However, collateral.sol is using the constructor to set the baseToken and baseTokenDenominator values.
If the contract is using baseToken or baseTokenDenominator, it will point to storage slots in the proxy contract which are used by other variables, resulting in a miscalculation of _collateralMintAmount in deposit() and _baseTokenAmount in withdraw(), as they're both relying on the baseTokenDenominator variable.
This will result in users receiving too many/few collateral tokens when depositing the underlying base token or withdrawing too many/few when using the withdraw() function.
Manual Review
Initialize the baseToken and baseTokenDenominator variables in the initializer instead of the constructor.
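
The constructor caveat from the linked OpenZeppelin page, as an added example that is not code from collateral.sol or the project: a storage variable written in a constructor stays in the implementation's storage, while one written by an initializer called through the proxy lands in the proxy's storage. All contract and function names are hypothetical, and the proxy is a bare delegatecall forwarder with no upgrade logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contracts: none of these names come from collateral.sol.
contract ViaConstructor {
    uint256 public denominator; // storage slot 0
    // Runs once, in the implementation's own storage context.
    constructor(uint256 d) { denominator = d; }
}

contract ViaInitializer {
    uint256 public denominator; // storage slot 0
    bool private initialized;   // hand-rolled guard standing in for an initializer modifier
    // Called through the proxy, so the write lands in the proxy's storage.
    function initialize(uint256 d) external {
        require(!initialized, "already initialized");
        require(d != 0, "zero denominator");
        initialized = true;
        denominator = d;
    }
}

contract MinimalProxy {
    // An immutable lives in the proxy's bytecode, so it occupies no storage slot.
    address private immutable implementation;
    constructor(address impl) { implementation = impl; }
    fallback() external {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

contract Demo {
    function run() external returns (uint256 fromConstructor, uint256 fromInitializer) {
        address a = address(new MinimalProxy(address(new ViaConstructor(1e6))));
        fromConstructor = ViaConstructor(a).denominator(); // proxy slot 0 was never written
        address b = address(new MinimalProxy(address(new ViaInitializer())));
        ViaInitializer(b).initialize(1e6);
        fromInitializer = ViaInitializer(b).denominator(); // proxy slot 0 set by initialize()
    }
}
```

In a real deployment the initialize() call has to happen in the same transaction as the proxy deployment, otherwise anyone can call it first.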