Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Molend Protocol>Medium findings>Owner set for implementation instead of proxy
GeneralOverview
Findings
Medium (2)Owner set for implementation instead of proxyUsing deprecated Chainlink function
Low (1)
Informational (1)
DiscussionRounding issue in Aave poolStable-rate mode borrowing vulnerability in Aave pools
Threat ModelWhat are threat models?ChainlinkSourcesRegistry.sol
Audit ResultsSummary
Category: Business Logic

Owner set for implementation instead of proxy

Medium Severity
Medium Impact
Medium Likelihood

Description

The contract ChainlinkSourcesRegistry is an upgradeable contract inheriting Ownable and VersionedInitializable abstract contracts. The Ownable contract transfers the ownership to the deployer of the contract in the constructor:

constructor() internal {
    address msgSender = _msgSender();
    _owner = msgSender;
    emit OwnershipTransferred(address(0), msgSender);
  }

This would make the deployer as the default owner of the contract. As constructors are not used in proxy-based upgradable contracts, the owner would not be correctly set.

Impact

Owner would not be set correctly, and all the onlyOwner functions will revert.

Recommendations

Use OwnableUpgradeable instead of Ownable and call __Ownable_init in the initialize function.

Remediation

Molend Labs provided the following response:

For ChainlinkSourcesRegistry, actually we are not using it via a proxy, instead the contract is deployed and constructed directly because the logic is quite straightforward and it's only needed by subgraphs so upgrading is unnecessary in our case.

Zellic © 2023Back to top ↑