ReaperBaseStrategyv4 is not Initializable

Code4rena, 2023-02-ethos findings, issue 821
Mar 07, 2023

Lines of code
https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Vault/contracts/ReaperStrategyGranarySupplyOnly.sol#L62
https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Vault/contracts/ReaperStrategyGranarySupplyOnly.sol#L19

Vulnerability details

Impact

ReaperStrategyGranarySupplyOnly calls __ReaperBaseStrategy_init() from ReaperBaseStrategyv4, but ReaperBaseStrategyv4 is not declared Initializable. If __ReaperBaseStrategy_init is not called during contract initialization, the state variables it is responsible for are never set. This can lead to unexpected behavior and to vulnerabilities such as reentrancy, funds being stuck in the contract, or even complete loss of funds.

For example, if "want" is not initialized properly, the contract cannot interact with the expected token, and users' funds may be locked in the contract indefinitely. Similarly, if roles are not initialized properly, sensitive functions or funds may become accessible to unauthorized callers.

Recommended Mitigation Steps

Add Initializable to the contract declaration of ReaperBaseStrategyv4:

abstract contract ReaperBaseStrategyv4 is
    // Initializable is listed first: Solidity orders base contracts from
    // most base-like to most derived, and the OpenZeppelin upgradeable
    // contracts below are themselves derived from Initializable.
    Initializable,
    ReaperAccessControl,
    IStrategy,
    UUPSUpgradeable,
    AccessControlEnumerableUpgradeable
{
    // ... existing strategy body unchanged ...
}
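The following is an added illustration of the initializer chain this finding and its mitigation depend on; it is not Ethos or Reaper code. A base contract that inherits Initializable can guard its __X_init function with onlyInitializing, so the function can only run from inside a derived contract's initializer, and a proxy whose initialize() is never called keeps every state variable at its zero value. The contract names, the "want"/"strategist" fields, the forge-std test and the OpenZeppelin import paths (contracts-upgradeable 4.6 or later, and the non-upgradeable package for ERC1967Proxy) are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not project code. Assumes OpenZeppelin contracts-upgradeable
// >= 4.6 (onlyInitializing, _disableInitializers) and forge-std for the test.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import "forge-std/Test.sol";

// Base strategy: because it inherits Initializable, its __*_init function can
// be restricted with onlyInitializing, which reverts unless the call happens
// inside a derived contract's `initializer` (or `reinitializer`) function.
abstract contract BaseStrategy is Initializable {
    address public want;        // token the strategy operates on
    address public strategist;  // privileged operator address

    function __BaseStrategy_init(address _want, address _strategist)
        internal
        onlyInitializing
    {
        require(_want != address(0), "want not set");
        want = _want;
        strategist = _strategist;
    }
}

// Concrete strategy meant to run behind a proxy. The constructor locks the
// implementation contract itself; initialize() runs exactly once per proxy.
contract ExampleStrategy is BaseStrategy {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize(address _want, address _strategist) external initializer {
        __BaseStrategy_init(_want, _strategist);
    }
}

// Foundry test: an uninitialized proxy has want == address(0), a single
// initialize() call sets it, and a second call is rejected by Initializable.
contract ExampleStrategyTest is Test {
    function testInitializeRunsOnce() public {
        ExampleStrategy impl = new ExampleStrategy();
        ExampleStrategy s = ExampleStrategy(
            address(new ERC1967Proxy(address(impl), ""))
        );

        // Never-initialized proxy: state is the zero value (the failure mode
        // described in the finding).
        assertEq(s.want(), address(0));

        s.initialize(address(0xBEEF), address(this));  // constructed sample values
        assertEq(s.want(), address(0xBEEF));
        assertEq(s.strategist(), address(this));

        // Re-initialization is blocked by the `initializer` modifier (OZ 4.x message).
        vm.expectRevert("Initializable: contract is already initialized");
        s.initialize(address(0xBEEF), address(this));
    }
}
```

Run with `forge test --match-contract ExampleStrategyTest`. The first assertion is the practical check for this class of bug: after deployment, read the key state variables of the proxy and confirm none of them are still at their zero value; a deployment script that does not call initialize() in the same transaction as the proxy creation leaves that window open.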
