Plain Cream Kookaburra
Medium
Contract AmirX.sol lacks a constructor that calls _disableInitializers(). This omission is a vulnerability in the context of upgradeable contracts, where not disabling the initializers on the implementation contract can lead to potential misuse and security risks.
When creating an upgradeable contract, the implementation contract (the base version of the contract) should not be directly initialized. However, without _disableInitializers() in a constructor, anyone could call an initializer function directly on the implementation contract and potentially gain control of sensitive functions or data. This could lead to unauthorized control over the contract’s state or business logic.
No response
No response
No response
No response
- Security Risk of Unauthorized Initialization: Without
_disableInitializers(), malicious actors could potentially call an initializer function on the implementation contract, setting themselves as privileged roles (e.g., admin or owner). - Loss of Control: An attacker who gains access to initialize the contract could lock out legitimate administrators or take control over sensitive functions, leading to asset loss or other critical issues within the contract.
No response
According to OpenZeppelin’s documentation, calling _disableInitializers() in the constructor of the implementation contract prevents this issue. It effectively disables any initialization functions for the implementation contract, enforcing that only the proxy instance (the deployed instance) can be initialized. This ensures that the logic contract is protected from being initialized and having its state altered.