code423n4 | Code4rena | CODE423N4:2023-09-ONDO-FINDINGS-ISSUES-532
Sep 07, 2023 - 12:00 a.m.

Incorrect initialization of rUSDY.sol


Lines of code

Vulnerability details

Impact

The rUSDY.sol contract inherits the PausableUpgradeable contract but does not invoke its initializers during its own initialization. As a result, the state of the PausableUpgradeable contract remains uninitialized.

File: contracts/usdy/rUSDY.sol

contract rUSDY is
  Initializable,
  ContextUpgradeable,
  PausableUpgradeable,

  // some code



File: contracts/usdy/rUSDY.sol

  function initialize(
    address blocklist,
    address allowlist,
    address sanctionsList,
    address _usdy,
    address guardian,
    address _oracle
  ) public virtual initializer {
    __rUSDY_init(blocklist, allowlist, sanctionsList, _usdy, guardian, _oracle);
  }

  function __rUSDY_init(
    address blocklist,
    address allowlist,
    address sanctionsList,
    address _usdy,
    address guardian,
    address _oracle
  ) internal onlyInitializing {
    __BlocklistClientInitializable_init(blocklist);
    __AllowlistClientInitializable_init(allowlist);
    __SanctionsListClientInitializable_init(sanctionsList);
    __rUSDY_init_unchained(_usdy, guardian, _oracle);
  }

Initializing PausableUpgradeable is important. Its initializers look like this:

File: contracts/security/PausableUpgradeable.sol

    function __Pausable_init() internal onlyInitializing {
        __Pausable_init_unchained();
    }

    function __Pausable_init_unchained() internal onlyInitializing {
        _paused = false;
    }

This initializes the contract in the unpaused state. Because rUSDY.sol does not call it, the _paused state is not initialized, which breaks the overall functionality with respect to PausableUpgradeable.sol. See the OpenZeppelin reference.

Note that the automated report rated this issue as low severity and also contains some false positives. The automated report does not mention the impact of not initializing PausableUpgradeable, but PausableUpgradeable initialization is required; otherwise the contract will not be initialized in the unpaused state.
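A review-time check for this class of finding, generalized to any parent named with the *Upgradeable suffix. This is an added example, not code from the report or from the Ondo repository; the function names and the embedded sample are constructed here, and the check assumes the OpenZeppelin naming convention that FooUpgradeable is initialized by __Foo_init. ContextUpgradeable is flagged too, because the excerpt shows no __Context_init call either.

```python
import re

# Constructed sample that mirrors the rUSDY excerpts on this page (not the full contract).
SAMPLE = """
contract rUSDY is
  Initializable,
  ContextUpgradeable,
  PausableUpgradeable
{
  function initialize(address blocklist, address _usdy) public virtual initializer {
    __rUSDY_init(blocklist, _usdy);
  }
  function __rUSDY_init(address blocklist, address _usdy) internal onlyInitializing {
    __BlocklistClientInitializable_init(blocklist);
    __rUSDY_init_unchained(_usdy);
  }
}
"""

def contract_body(src, open_idx):
    """Return the text from the opening brace to its matching closing brace."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx:i + 1]
    return src[open_idx:]

def missing_parent_inits(src):
    """Map each contract to the *Upgradeable parents whose __X_init is never called."""
    src = re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)  # drop comments first
    findings = {}
    for m in re.finditer(r"\bcontract\s+(\w+)\s+is\s+([^{]+)\{", src):
        # Naming heuristic (assumption): FooUpgradeable is initialized by __Foo_init.
        stems = re.findall(r"\b(\w+)Upgradeable\b", m.group(2))
        body = contract_body(src, m.end() - 1)
        missing = [s + "Upgradeable" for s in stems
                   if not re.search(r"\b__%s_init(_unchained)?\s*\(" % s, body)]
        if missing:
            findings[m.group(1)] = missing
    return findings

if __name__ == "__main__":
    print(missing_parent_inits(SAMPLE))
```

Parents whose initializer does not follow the naming convention need an explicit mapping, so treat an empty result as a prompt for manual review rather than proof that the chain is complete.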

Proof of Concept

Tools Used

Manual review

Recommended Mitigation Steps

Consider initializing PausableUpgradeable in the rUSDY.sol initialize() function.

For example:

    function initialize(
       
      // some code

    ) public initializer {
+        __Pausable_init();

      // some code

    }
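Review bot: the added `__Pausable_init();` call sits directly in `initialize()`, but the rUSDY excerpts above show `initialize()` only delegating to `__rUSDY_init`, which is where the other parent initializers such as `__BlocklistClientInitializable_init` are chained. Consider placing the call in `__rUSDY_init` next to those, so that a contract inheriting rUSDY and calling `__rUSDY_init` from its own initializer also initializes the Pausable state. A short comment beside the call naming the parent it initializes would make the chain easier to audit against the inheritance list.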

Assessed type

Other

